CS10 — Computer Misuse Act 1990
- I can describe what the Computer Misuse Act 1990 is and why it was introduced
- I can describe the three original offences defined by the Act (Sections 1, 2, and 3)
- I can describe the additional offence introduced by the Police and Justice Act 2006 (Section 3A)
- I can state the maximum penalty associated with each section of the Act
- I can explain what "unauthorised access" means in a computing context
- I can distinguish between Section 1, Section 2, and Section 3 offences and give an example of each
- I can state the maximum prison sentences for each section (2 years, 5 years, 10 years)
- I can read a scenario and identify which section(s) of the Act have been broken
- I can describe what Section 3A makes illegal and give an example
Key vocabulary
Background — why the Act was needed
Before 1990, there was no specific law in the UK making it a criminal offence to break into a computer system. Existing laws around theft and criminal damage did not apply cleanly to digital data — after all, you could copy information without removing it, and altering a database was not obviously "criminal damage" to physical property.
The case that highlighted this gap was R v Gold and Schifreen (1988). Two hackers had gained access to British Telecom's Prestel computer network — including the Duke of Edinburgh's personal message box — by guessing passwords. They were initially convicted, but the House of Lords overturned the convictions because the existing law (the Forgery and Counterfeiting Act 1981) simply did not cover what they had done. The hackers walked free.
Parliament responded by passing the Computer Misuse Act 1990, which for the first time created specific criminal offences relating to computers. The Act defined three offences. It was later updated by the Police and Justice Act 2006, which increased penalties and added a fourth offence (Section 3A).
The four offences
Section 1 — Unauthorised access to computer material
This is the most basic offence: deliberately accessing a computer, network, or its data without authorisation and knowing you do not have permission. The intent to access is enough — you do not need to steal, copy, or damage anything. Simply logging in is sufficient.
Examples: using a friend's password to read their emails without asking; accessing a company's server using credentials you are not supposed to have; viewing files on a shared drive that you know you are not permitted to access.
Maximum penalty: 2 years imprisonment and/or an unlimited fine.
Section 2 — Unauthorised access with intent to commit further offences
Section 2 builds on Section 1. The access is still unauthorised, but here there is an additional intent to commit (or help someone else commit) a separate crime — such as fraud, theft, or blackmail — as a result of gaining that access. The further offence does not need to be carried out; the intent alone is enough.
Examples: breaking into a bank's computer system with the intention of transferring money; accessing a company's customer database to steal personal information and sell it; hacking into an email account to gather blackmail material.
Maximum penalty: 5 years imprisonment and/or an unlimited fine.
Section 3 — Unauthorised acts with intent to impair
Section 3 covers doing something to a computer without permission, where the intent is to impair its operation, prevent or hinder access to any program or data, or to impair data itself. This is broader than simple access — it includes installing malware, deleting files, corrupting data, and launching attacks that prevent a system from functioning.
The original Act used the phrase "unauthorised modification", but the Police and Justice Act 2006 updated this to the broader concept of "unauthorised acts" to capture offences like denial-of-service attacks that do not physically modify stored data.
Examples: installing ransomware on a hospital's computers; deliberately deleting a competitor's database; distributing a virus that corrupts files; flooding a website's server with traffic to make it unreachable (a DDoS attack).
Maximum penalty: 10 years imprisonment and/or an unlimited fine.
Section 3A — Making, supplying, or obtaining tools for computer misuse (added 2006)
Section 3A was introduced by the Police and Justice Act 2006 to close a loophole: it was possible to create and distribute hacking tools without directly committing Section 1 or Section 3 offences. Section 3A makes it illegal to make, supply, or obtain any article (software, tool, script, or device) that is designed or adapted to commit a Section 1 or Section 3 offence, or that the person intends to use for that purpose.
Examples: writing and distributing password cracking software; sharing exploit kits that automatically probe systems for vulnerabilities; creating keyloggers designed to capture login credentials.
Maximum penalty: 2 years imprisonment and/or an unlimited fine.
Summary of all four sections
| Section | What it covers | Key element | Max penalty |
|---|---|---|---|
| S1 | Unauthorised access to computer material | Access without permission | 2 years |
| S2 | Unauthorised access with intent to commit further offences | Access + intent for further crime | 5 years |
| S3 | Unauthorised acts with intent to impair | Damage, disruption, or deletion | 10 years |
| S3A | Making, supplying, or obtaining tools for misuse (added 2006) | Creating or distributing hacking tools | 2 years |
Worked examples
Which sections of the Computer Misuse Act 1990 has Lena broken? Explain your reasoning for each.
- Confusing Section 1 and Section 2. The key difference is intent. Section 1 = access without permission. Section 2 = access without permission AND an intention to commit another crime. If there is no evidence of a further offence planned, it is Section 1, not Section 2.
- Thinking Section 3 only covers viruses. Section 3 covers any unauthorised act that impairs a system or its data — including deleting files, changing passwords to lock users out, launching DDoS attacks, or installing ransomware. It is not limited to malware.
- Forgetting Section 3A is from a different Act. The Computer Misuse Act 1990 originally defined three offences (Sections 1, 2, and 3). Section 3A was added by the Police and Justice Act 2006. Exam questions sometimes ask when it was introduced or which Act added it.
- Assuming you need to take data to break the law. Under Section 1, simply accessing a system without permission is a criminal offence — even if you do not copy, delete, or change anything. "I was just looking" is not a legal defence.
- Mixing up the maximum penalties. The order is 2 years (S1), 5 years (S2), 10 years (S3), 2 years (S3A). Note that S3A has the same maximum as S1 despite being a 2006 addition. Memorise: S1=2, S2=5, S3=10, S3A=2.
The Computer Misuse Act appears in Higher Computing papers regularly — usually as a scenario question asking you to identify which section applies and why. Always work through a checklist:
- Was there unauthorised access? → Section 1 at minimum
- Was there intent for a further crime? → upgrade to Section 2
- Was data damaged, deleted, or was system operation impaired? → Section 3 applies
- Was a hacking tool created or distributed? → Section 3A
A scenario can involve more than one section at the same time. If someone breaks in and deletes data, that is Section 1 AND Section 3. Always justify your answer by connecting the scenario to the specific element of the Act — never just state a section without explaining why.
Expect these question forms:
"Identify which section of the Computer Misuse Act 1990 has been broken. Justify your answer." (2 marks)
"Describe what constitutes a Section 3 offence and give one example." (2 marks)
"State the maximum penalty for a Section 2 offence." (1 mark)
Task Set A
Task Set B
Timing (120 min double):
5 min — warm up independently
5 min — key vocabulary discussion: ask "has anyone heard of this Act?"
15 min — background and the Gold/Schifreen case (brief story — good hook)
20 min — walk through Sections 1–3 and 3A together, using the pipeline diagram; pupils copy the summary table
15 min — worked examples together (go through Examples 1 and 2 on board; pupils attempt Example 3 before reveal)
5 min — Now you try (individual, then discuss)
5 min — common mistakes discussion
25 min — Task Set A
5 min — cold call review of A8 and A10
The Gold/Schifreen case is worth a few minutes — pupils generally enjoy the detail that the Duke of Edinburgh's message box was accessed. It grounds the Act in a real event and explains why it was needed. Available on Wikipedia.
Watch for: pupils confusing S1 and S2 (the most common error); pupils who think Section 3 only covers viruses; pupils who forget to mention penalties when asked to describe a section.
B3 is a good whole-class discussion question if time allows after Task Set A — asking pupils to identify all three sections and justify each is good exam practice.
CS11 (next lesson) covers tracking cookies and denial-of-service attacks, so today's Section 3 content on DDoS directly supports that lesson.