Employment Authority
Computer Misuse Act

A knotty problem faced by those seeking to enforce the Computer Misuse Act 1990 has always been the question of what constitutes ‘authorisation’ under the Act. The question is raised both for offences under section 1, of unauthorised access to data, and under section 3 with the offence of unauthorised modification. It must be noted that the statutory definitions are not the same for both offences.

Difficulties had arisen particularly for allegations against employees. First, it was not clear whether the unauthorised access offence was directed outwards only. If it was aimed at outside hackers, would it be applicable against in-house employees? Secondly, if an employee is authorised generally to access data at a particular level, could he be prosecuted if he accessed particular elements of data within that level, but to which he knew he should not have had access?

There had been decisions which had made prosecutions more and more difficult, but the case eventually came to the House of Lords in R v Bow Street Stipendiary Magistrates, ex p Government of the United States of America Times 7 Sep 1999. Much of the case relates to extradition, but their Lordships took time to investigate and make clear their views on the issues on Computer Misuse.

The result can be put simply as follows:-

  1. There is no assumption that the CMA is directed only against outside hackers.
  2. When looking at the issue of authorisation, the court is not restricted to looking only at whether access to a class of data, or data at a particular level was authorised, but should also look at whether the particular data accessed was within or outside the authority of that individual.

Lord Hobhouse described a two stage procedure for examining the authority. Was the accused the person who was entitled to control access of this type, and by control he meant the ability to allow access or forbid it to others. If that was not the case, was he, in addition, in receipt of the authority from that person. If the answer to both questions is no, then the access is unauthorised. It is sad that once again, computer law seems caught up within unanticipated complexity.

As always, an employer must, if he is to seek to rely upon the Act to restrain his employees, have clear policies in place. It seems now that such policies should perhaps be re-written to make allowance for the new case. There is no simple over-riding way of doing this.

A company might consider the following:

  1. Create a structure which identifies files of different types, and associate different security identifications with those types.
  2. How is a file’s security status to be identified before being accessed?
  3. Are different parts of a database to have different access ratings? Should this be part of the design of some databases?
  4. How complicated a structure is needed?
  5. Start by first identifying those people in the organisation who have authority to give others authority, and at what levels, saying that unless authority is given explicitly, access is not authorised.

Employers will also have to recognise the additional complexity that for the more serious offence of unauthorised modification, the meaning of authorisation need not be the same. The definition of what constitutes authority under the Act applies only to the lesser offence.

Ho hum ...

Important: Please note that our law-bytes are retained for archival purposes only. The law changes, and these notes are often, now, out of date. You must take direct advice on your own personal situation and the law as it currently stands.
Copyright and Database Rights: David Swarbrick 2012
18 October 2013 http://www.swarb.co.uk/lawb/cpucmaEmploy.shtml