Computer Systems · Legal and Ethical Issues

CS10 — Computer Misuse Act 1990

📅 Mon 15 Jun 2026 · P1+P2 (double)
~120 minutes
Learning intentions
Success criteria
Warm up — recap from CS9
Answer from memory · check when done
W1
Large AI systems such as language models require enormous computing resources to train. What is the main environmental consequence of this?
W2
Which of the following would most effectively reduce the carbon footprint of a large data centre?
W3
What term completes this sentence? "The total greenhouse gas emissions caused directly or indirectly by an organisation's activities is known as its carbon ______."

Key vocabulary

Computer Misuse Act 1990
The UK law that makes it a criminal offence to access or modify computer systems without authorisation
Unauthorised access
Accessing a computer, network, or data without the permission of the owner or administrator
Section 1 offence
Accessing computer material without authorisation — the most basic offence under the Act
Section 2 offence
Unauthorised access combined with intent to commit or facilitate a further criminal offence
Section 3 offence
An unauthorised act that impairs the operation of a computer, prevents access to data, or damages programs or data
Section 3A offence
Making, supplying, or obtaining a tool or program designed (or likely) to be used to commit a Section 1 or Section 3 offence
Cybercrime
Criminal activity carried out using computers or computer networks, often targeting data, systems, or individuals online
Malware
Malicious software — programs such as viruses, ransomware, or keyloggers designed to cause harm

Background — why the Act was needed

Before 1990, there was no specific law in the UK making it a criminal offence to break into a computer system. Existing laws around theft and criminal damage did not apply cleanly to digital data — after all, you could copy information without removing it, and altering a database was not obviously "criminal damage" to physical property.

The case that highlighted this gap was R v Gold and Schifreen (1988). Two hackers had gained access to British Telecom's Prestel computer network — including the Duke of Edinburgh's personal message box — by guessing passwords. They were initially convicted, but the House of Lords overturned the convictions because the existing law (the Forgery and Counterfeiting Act 1981) simply did not cover what they had done. The hackers walked free.

Parliament responded by passing the Computer Misuse Act 1990, which for the first time created specific criminal offences relating to computers. The Act defined three offences. It was later updated by the Police and Justice Act 2006, which increased penalties and added a fourth offence (Section 3A).

The four offences

Section 1 — Unauthorised access to computer material

This is the most basic offence: deliberately accessing a computer, network, or its data without authorisation and knowing you do not have permission. The intent to access is enough — you do not need to steal, copy, or damage anything. Simply logging in is sufficient.

Examples: using a friend's password to read their emails without asking; accessing a company's server using credentials you are not supposed to have; viewing files on a shared drive that you know you are not permitted to access.

Maximum penalty: 2 years imprisonment and/or an unlimited fine.

Section 2 — Unauthorised access with intent to commit further offences

Section 2 builds on Section 1. The access is still unauthorised, but here there is an additional intent to commit (or help someone else commit) a separate crime — such as fraud, theft, or blackmail — as a result of gaining that access. The further offence does not need to be carried out; the intent alone is enough.

Examples: breaking into a bank's computer system with the intention of transferring money; accessing a company's customer database to steal personal information and sell it; hacking into an email account to gather blackmail material.

Maximum penalty: 5 years imprisonment and/or an unlimited fine.

Section 3 — Unauthorised acts with intent to impair

Section 3 covers doing something to a computer without permission, where the intent is to impair its operation, prevent or hinder access to any program or data, or to impair data itself. This is broader than simple access — it includes installing malware, deleting files, corrupting data, and launching attacks that prevent a system from functioning.

The original Act used the phrase "unauthorised modification" but the Police and Justice Act 2006 updated this to the broader concept of "unauthorised acts" to capture offences like denial-of-service attacks that do not physically modify stored data.

Examples: installing ransomware on a hospital's computers; deliberately deleting a competitor's database; distributing a virus that corrupts files; flooding a website's server with traffic to make it unreachable (a DDoS attack).

Maximum penalty: 10 years imprisonment and/or an unlimited fine.

Section 3A — Making, supplying, or obtaining tools for computer misuse (added 2006)

Section 3A was introduced by the Police and Justice Act 2006 to close a loophole: it was possible to create and distribute hacking tools without directly committing Section 1 or Section 3 offences. Section 3A makes it illegal to make, supply, or obtain any article (software, tool, script, or device) that is designed or adapted to commit a Section 1 or Section 3 offence, or that the person intends to use for that purpose.

Examples: writing and distributing password cracking software; sharing exploit kits that automatically probe systems for vulnerabilities; creating keyloggers designed to capture login credentials.

Maximum penalty: 2 years imprisonment and/or an unlimited fine.

Summary of all four sections

Section 1: Unauthorised access — accessing without permission (max 2 years)
↓ escalates when access is combined with intent to commit further crime
Section 2: Unauthorised access + intent — access with plan to commit another crime (max 5 years)
↓ escalates further when damage or impairment is caused
Section 3: Unauthorised impairment — damaging, disrupting, or destroying data/systems (max 10 years)
↓ separate offence — creating the tools used for the above
Section 3A: Making / supplying tools — creating or distributing hacking tools (max 2 years)

Section | What it covers | Key element | Max penalty
Section 1 | Unauthorised access to computer material | Access without permission | 2 years
Section 2 | Unauthorised access with intent to commit further offences | Access + intent for further crime | 5 years
Section 3 | Unauthorised acts with intent to impair | Damage, disruption, or deletion | 10 years
Section 3A | Making, supplying, or obtaining tools for misuse (added 2006) | Creating or distributing hacking tools | 2 years

Worked examples

Example 1 — Identifying a Section 1 offence
Scenario
Ahmed is curious about his manager's salary. He uses IT skills to access the HR database using credentials he overheard during a meeting. He reads the salary information but does not copy, change, or remove anything.
1. Was access authorised? No — Ahmed used someone else's credentials without permission. He was not authorised to access the HR database.
2. Was there intent to commit a further crime? No — Ahmed was only curious. There is no evidence of fraud, theft, or any other additional offence planned.
3. Was any data damaged, modified, or deleted? No — Ahmed only viewed the information. No impairment took place.
Section 1 offence. Unauthorised access to computer material. Maximum penalty: 2 years imprisonment.
Example 2 — Identifying a Section 2 offence
Scenario
Priya leaves her job at a marketing firm. The next week, she uses her old login (which was not yet disabled) to access the company's customer database and copy email addresses, intending to contact those customers for her new competing business.
1. Was access authorised? No — Priya is no longer an employee. She has no legitimate right to use her old credentials or access the database.
2. Was there intent to commit a further crime? Yes — copying customer data to contact them for a competing business is a breach of data protection law and potentially fraud. The intent to commit that further offence is clear.
3. Section 1 alone is not sufficient — the additional intent to commit fraud/data theft escalates this to Section 2.
Section 2 offence. Unauthorised access with intent to commit a further offence. Maximum penalty: 5 years imprisonment.
Example 3 — Identifying a Section 3 offence
Scenario
Tom is dismissed from his job. Before his access is revoked, he uses his credentials to log into the company's server and permanently delete the entire customer order database. The company loses three years of records.
1. Was access authorised? Arguably not — Tom was dismissed, so his authorisation should have ended. Even if credentials were still technically active, he had no right to use them after dismissal.
2. Did he perform an unauthorised act that impaired the computer system or data? Yes — deleting the database permanently impairs the company's ability to operate. Data is destroyed.
3. This goes beyond mere access. The deliberate deletion of critical data with intent to cause harm to the organisation is a Section 3 offence.
Section 3 offence. Unauthorised act with intent to impair the operation of a computer or access to data. Maximum penalty: 10 years imprisonment.
Now you try
Lena discovers that the school's network has a test account left active with default credentials. She logs in "just to see what she can access." While inside, she also changes the school's intranet homepage to display a meme image.

Which sections of the Computer Misuse Act 1990 has Lena broken? Explain your reasoning for each.
⚠️ Common mistakes — examiner feedback
📝 Exam tip

The Computer Misuse Act appears in Higher Computing papers regularly — usually as a scenario question asking you to identify which section applies and why. Always work through a checklist:

  1. Was there unauthorised access? → Section 1 at minimum
  2. Was there intent for a further crime? → upgrade to Section 2
  3. Was data damaged, deleted, or was system operation impaired? → Section 3 applies
  4. Was a hacking tool created or distributed? → Section 3A

A scenario can involve more than one section at the same time. If someone breaks in and deletes data, that is Section 1 AND Section 3. Always justify your answer by connecting the scenario to the specific element of the Act — never just state a section without explaining why.

Expect these question forms:
"Identify which section of the Computer Misuse Act 1990 has been broken. Justify your answer." (2 marks)
"Describe what constitutes a Section 3 offence and give one example." (2 marks)
"State the maximum penalty for a Section 2 offence." (1 mark)

Task Set A — Higher core
Work through all questions.
A1
Callum logs into his sister's social media account using her password, which he guessed. He reads her private messages but does not change or delete anything. Which section of the Computer Misuse Act 1990 has he broken?
A2
A criminal accesses a bank's computer system without permission, intending to redirect customer payments to their own account. Which section of the Act applies?
A3
What is the maximum prison sentence for a Section 1 offence under the Computer Misuse Act 1990?
A4
What is the maximum prison sentence for a Section 3 offence under the Computer Misuse Act 1990?
A5
A hacker installs ransomware on a hospital's computer network, encrypting all patient records and demanding payment to restore access. Which section of the Computer Misuse Act 1990 is most seriously broken?
A6
Section 3A of the Computer Misuse Act was not part of the original 1990 legislation. Which later Act of Parliament introduced it?
A7 — past paper style (2 marks)
Describe what Section 3A of the Computer Misuse Act makes illegal, and give one example of an article that might be covered by it.
A8 — past paper style (3 marks)
Explain the difference between a Section 1 and a Section 2 offence under the Computer Misuse Act 1990. State the maximum penalty for each.
A9
A security firm employee downloads a freely available exploit tool from the internet, intending to use it against a client's system without their knowledge or permission. Which section of the Act applies to obtaining the tool?
A10 — extended response (4 marks)
Describe the Computer Misuse Act 1990, including why it was needed and a brief description of all four sections (including the 2006 addition). State the maximum penalty for each section.
✅ Higher checkpoint — A8 (S1 vs S2 distinction) and A10 (full Act description) are most exam-relevant. Confident on both = ready for prelim and SQA exam.

Task Set B — Extension · Beyond the specification
B1
The Computer Misuse Act 1990 was written before widespread internet use. Discuss one significant challenge in enforcing the Act when cybercrime crosses international borders.
B2
Ethical hackers (penetration testers) are paid to find security weaknesses by attempting to hack into systems. Explain why their work could potentially fall under Section 3A of the Computer Misuse Act, and how the law distinguishes legitimate security testing from criminal activity.
B3
A pupil steals a teacher's password and uses it to access the school's management information system. They change their own marks to better grades. Identify all sections of the Computer Misuse Act 1990 (including any 2006 amendments) that may have been broken, giving a reason for each.
📁 File this in OneNote under:
Higher Computing Science → Computer Systems → CS10
📌 Teacher notes — not for pupils

Timing (120 min double):
5 min — warm up independently
5 min — key vocabulary discussion: ask "has anyone heard of this Act?"
15 min — background and the Gold/Schifreen case (brief story — good hook)
20 min — walk through Sections 1–3 and 3A together, using the pipeline diagram; pupils copy the summary table
15 min — worked examples together (go through Examples 1 and 2 on board; pupils attempt Example 3 before reveal)
5 min — Now you try (individual, then discuss)
5 min — common mistakes discussion
25 min — Task Set A
5 min — cold call review of A8 and A10

The Gold/Schifreen case is worth a few minutes — pupils generally enjoy the detail that the Duke of Edinburgh's message box was accessed. It grounds the Act in a real event and explains why it was needed. Available on Wikipedia.

Watch for: pupils confusing S1 and S2 (the most common error); pupils who think Section 3 only covers viruses; pupils who forget to mention penalties when asked to describe a section.

B3 is a good whole-class discussion question if time allows after Task Set A — asking pupils to identify all three sections and justify each is good exam practice.

CS11 (next lesson) covers tracking cookies and denial-of-service attacks, so today's Section 3 content on DDoS directly supports that lesson.