The criminalisation of tools under the Computer Misuse Act 1990: The need to rethink cybercrime offences to effectively protect legitimate activities and deter cybercriminals

Abstract

Fourteen years after its creation in 2006, s3A Computer Misuse Act 1990 remains as problematic, if not more problematic than ever. Established to support the fight against cybercrime, the offence of misuse of tools has not only the paradoxical effect of endangering legitimate security research, as foreseen in 2006, but has also become a threat to established newsgathering practices. Its broad structure, combined with the vagueness of the other CMA offences, and the absence of public interest defences, criminalises the very tools which facilitate the work of, respectively, security researchers, and whistle-blowers and journalists-, leaving these actors exposed to criminal liability for resorting to dual-use hacking tools and obfuscating tools. Ultimately this pattern of over-criminalisation harms the fight against cybercrime and crime, defeating the very objective of deterrence cybercrime offences harbour. It is time, not just for reforming the CMA and in particular s3A, but also for the legislator, both in the UK and at international level, to properly engage with the security industry and civil society.