The US government passed the Computer Fraud and Abuse Act in 1986, years before computers became something everyone had at home and carried around in their pockets every day. The CFAA had a purpose, but its value declined as computing advanced. The abuse it was written to address tended to take a backseat to abuses of the law by prosecutors and private companies to punish people for discovering security flaws or using technology in ways some people never expected.
The law has done more harm than good, criminalizing security research and providing a handy weapon for private companies to deploy against those who point out their security holes.
The same thing has been happening in the UK, thanks to a law that is only four years younger than the justifiably despised CFAA. As Matthew Field and Gareth Corfield report for The Telegraph, security experts are asking the incoming prime minister to put this ancient computer abuse law out of everyone’s misery.
Companies representing Britain’s £10bn cyber defence sector have asked Rishi Sunak and Liz Truss to rewrite the 30-year-old Computer Misuse Act, which they said is no longer fit for purpose.
The signatories include the Internet Services Providers’ Association, which represents BT, Virgin Media and Sky, London-listed cyber security company NCC Group and Ciaran Martin, the former head of Britain’s cyber security agency.
Passed in 1990, the Computer Misuse Act was written to address misuse of an early digital voicemail system. Like the CFAA, it was broadly written, presumably in hopes of covering unforeseen computer crimes. Instead, it managed to criminalize research (both ordinary research and security research) by making it illegal to engage in “unauthorized access to computer materials.” Something that people do all the time (like, say, sharing passwords to a streaming account or, you know, probing for security flaws) can be punished with up to ten years in prison.
The law needs to go. It is incapable of addressing the current computing landscape, and its ability to criminalize any “unauthorized access” continues to harm cyber security work — work that actually does more to protect computer and internet users than a badly written law that is most often wielded with the worst of intentions. This is the sort of useful thing the law criminalizes:
Legitimate internet researchers in the UK are also prevented from accessing hacked files that are shared on the dark web to warn victims their data has been stolen.
And this threat to researchers is not theoretical.
In 2012, a York University student was sentenced to eight months in prison for accessing Facebook’s internal systems.
Glenn Mangham, who was 26 at the time and had previously warned companies about the bugs he had discovered, later had his sentence halved on appeal.
Unfortunately, legislators move much more swiftly to enact laws than to roll them back. But a 1990 law erected to prevent malicious hacking of voicemail is long due for an overhaul, if not a complete removal.