Updated prosecutorial guidance ‘does not provide certainty’
The UK Crown Prosecution Service’s (CPS) updated guidance on the Computer Misuse Act signals a step towards tackling legal ambiguity for the UK’s cyber defenders. But the CyberUp campaign warns that only a change in the law can offer cyber security and threat intelligence researchers the comfort they need.
February 2020
The UK’s Crown Prosecution Service (CPS) has published updated guidance on the Computer Misuse Act, including a list of Public Interest factors that “should be carefully considered” by prosecutors reviewing cyber crime offences.
Before deciding whether or not to charge a suspect, prosecutors generally need to be assured that the available evidence is sufficient to provide a realistic prospect of conviction, and that the prosecution is needed in the public interest.
The guidance provided today by the CPS adds additional public interest factors for prosecutors to weigh as they consider charging a suspect under the Computer Misuse Act. The additional public interest factors cover the financial, reputation and commercial damage caused to the victim, as well as the actor’s level of sophistication, including steps taken to conceal or disguise their identity.
But the updated guidance falls short of the recommendations made recently by the Criminal Law Reform Now Network (CLRNN), a Law Commission style body set up in 2017 for academics and legal experts to conduct into areas of the law they feel need improving. In its report into the Computer Misuse Act, the CLRNN called for a list of factors pointing towards and against prosecution under the Act. Notably, these would allow for the consideration of actors’ motivations, including whether they were acting to prevent crime, reveal security flaws, or obtain information as part of responsible cyber threat intelligence collection.
Cyber Up campaign spokesperson Ollie Whitehouse commented on the updated guidance:
“It is notable that the CPS have recognised the need to revisit their guidance to prosecutors for the Computer Misuse Act, but unfortunately what they have done does not provide the certainty needed by UK employers trying to compete on the international stage. The breadth that remains in the guidance fails to address the need for legal clarity and the crucial point that some instances of unauthorised access to computers can legitimately be justified, and thus deserve legal protection, remains similarly unaddressed.
“It is clear that the CyberUp campaign’s calls have been validated by industry, academia and government alike. The only way to make the UK’s cyber laws and defences fit for the 21st century is to reform the law. We need legal change so that the UK is able to protect its critical infrastructure without criminalising its industries and partners in today’s and tomorrow’s hyper-connected world.”