Cyber continues to be a key threat for both organisations and governments. The UK government has been considering for some time whether to update its cyber laws, and recently published the results of a consultation initiated in February 2023, which sought views on how the Computer Misuse Act 1990 (the “CMA”) should be reformed.
The CMA is the principal legislation which criminalises, amongst other things, unauthorised access to computer systems and data. It has been earmarked for reform since May 2021, with the government keen to ensure that law enforcement agencies have sufficient power under the act to investigate and take action against malicious actors in the cyber space.
With this focus in mind, the government sought opinions on three proposed reforms to the CMA:
- creating a new regime for data preservation orders – which would impact organisations, requiring them to preserve data that may be needed for an investigation;
- criminalising the possession or use of data obtained through a CMA offence; and
- giving law enforcement additional powers relating to domain name and IP address takedown and seizure.
Data preservation
Views were sought on a new power which would allow law enforcement agencies to demand organisations preserve data in order to determine whether such data was required for an investigation. Responses to the proposal focused on the potential costs and time involved.
- Cost. Participants were divided on the question of who should bear the costs associated with such a data preservation order. Some suggested it should be the data owners themselves who bear the costs, whilst others asserted that it should be the law enforcement agency imposing the order. Some even argued that data owners should bear the cost up to a statutory 3-month period, with any costs beyond this period being picked up by the relevant law enforcement agency.
- Time limit. There was near consensus that any preservation order should be time-limited to 90 days, which would align with the Budapest Convention on Cybercrime. Some responses went further in advocating for a degree of flexibility beyond this 90-day period, to account for those legal processes which take significantly longer.
The cost of data storage, and the impact on organisations’ bottom line, was explicitly acknowledged by the government as a key concern which they would seek to mitigate before putting the proposal on a legislative footing.
Possession or use of data obtained through a CMA offence
The government proposed criminalising the possession or use of data which had been obtained as a result of an offence under the CMA.
Those consulted were, largely, resistant to this proposal. Participants pointed out that such a change might inadvertently criminalise cyber security research, which often involves the use of data obtained as a consequence of an offence under the CMA. The government acknowledged this danger, recognising the negative impact such an offence might have on legitimate actors.
Domain name and IP address takedown and seizure
Finally, the government proposed granting law enforcement agencies the power to take control of domains and IP addresses where they are being used for criminal activity. The following three themes emerged from the responses.
- Safeguards. Participants stressed that appropriate safeguards must be applied to the exercise of any such power. Half of the respondents stated that any application for domain name seizure or takedown should: (a) provide sufficient evidence of obvious criminality; and (b) only be granted where a voluntary takedown is unavailable or has been refused.
- Impact on voluntary takedown arrangements. There was a concern that the introduction of a mandatory takedown regime would lead to organisations refusing to implement voluntary arrangements, and only responding to takedown requests as required under legislation.
- Relevant organisations. Respondents largely agreed that law enforcement agencies such as the NCA should be able to exercise this new power. Some respondents, however, suggested that the power should be available to a wider suite of public bodies (e.g. HMRC, the SFO, the FCA and Ofcom).
The government acknowledged the need to continue to consider the three issues highlighted by the consultation and committed to do so in order to “legislate at the earliest possible opportunity”.
Next steps
Of the three proposed reforms, respondents were most critical of the proposed criminalisation of possession or use of data obtained through a CMA offence. The government acknowledged that “significant further work” is required, suggesting that this proposal is not close to being placed on a legislative footing.
There was caveated support for the remaining two proposals. Whilst timings remain unclear, the government has committed to consider both proposals further, with a particular focus on (a) mitigating the burden of data preservation costs and (b) ensuring that the proposed domain name takedown/seizure regime can be crafted with sufficient safeguards and an appreciation for existing voluntary arrangements.