The British Police and Justice (2006) bill was granted Royal Assent this week with some interesting changes being introduced to the Computer Misuse Act (1990) under Part 5 (Miscellaneous) which could have serious implications for those on the murkier side of computing. The Computer Misuse Act obviously needed updating, as most of the threats in existence today were not possible 16 years ago.
Maximum sentencing for unauthorised access to computer material has been raised to 2 years. The really interesting modifications come under section 3, “Unauthorised acts with intent to impair operation of computer, etc”: a person is guilty of an offence if he knowingly carries out an unauthorised operation with the intent to impair the operation of a computer, to prevent access to any program or data held on a computer, or to affect the reliability of any data held on a computer. The intent does not need to be directed at any particular computer, any particular program/data nor any data of a particular time. On conviction of carrying out the aforementioned, a prison term of up to 10 years and/or a fine can be passed down. This section seems to be particularly aimed at those executing malicious code or initiating denial of service attacks.
An interesting insertion is section 3A, “Making, supplying or obtaining articles for use in offence under section 1 or 3”.
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article–
(a) knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or
(b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
(3) In this section “article” includes any program or data held in electronic form.
Therefore those supplying the means by which to carry out any malicious attack will also be liable, although the maximum term for doing so is 2 years rather than 10. It will be interesting to see how these new laws are enforced: will Sony be able to have vendors supplying mod-chips convicted? Does SPAM “impair the operation of any computer” when it is dumped on to a server in huge quantities?