Computer Misuse Act: The Worrying Landscape of Cybersecurity


The UK’s complicated tapestry of laws and legislation covering computers and personal data continues to be a contentious topic, both for citizens and for those tasked with enforcing the law.

The Computer Misuse Act is back under the spotlight this week after ex-Police Constable Mohammed Sardar received a nine-month suspended sentence and 200 hours of unpaid work at Southwark Crown Court on January 8th.

Sardar, 31, formerly of the East Area Basic Command Unit, pleaded guilty to charges related to unauthorized access of police records for personal use. An investigation revealed he had accessed police computers multiple times between 2018 and 2021 to view data about people he knew.

Similarly, in December, a lower-ranking PCSO in North Yorkshire pleaded guilty to seven charges under the Computer Misuse Act. Daisy Pennock, 26, used the Whitby Police computer system to access the records of someone she knew and shared private case information with a relative. Pennock was sentenced to 60 hours of unpaid work.

Does the Computer Misuse Act work?

Clearly, these are examples of the Computer Misuse Act (CMA) functioning as intended, punishing those in power for abusing their positions to access private data. However, the aging legislation, the bulk of which was enacted in 1990, is not without criticism.

Broadly, the act criminalizes unauthorized access to computers and computer systems, as well as unauthorized acts that could damage or impair their operation. However, many cyber experts believe it is outdated and prevents them from doing their jobs effectively and legally.

Definitions of ‘unauthorized access’ and ‘unauthorized acts’ could potentially criminalize legitimate security research and vulnerability discovery. The CMA’s lack of safe harbor provisions leaves cybersecurity professionals in a legal gray area and discourages them from exploring and reporting critical vulnerabilities.

This is an even bigger concern for white-hat hackers who exploit vulnerabilities for fun and to expose the lack of security within many corporate and government systems.

Do police systems have enough security to prevent the crimes of Sardar and Pennock? Would cybersecurity staff or hackers be prosecuted for exposing such vulnerabilities? The red tape might not be worth the hassle, as recent data suggests nearly 17,000 cybersecurity professionals “may have been lost to countries with more permissive cyber laws because of the UK’s 30-year-old law governing cybercrime”.

The UK government is currently considering reforming the Computer Misuse Act to make it more effective for cybersecurity, but the process has stalled since 2023 and has had no amendments since 2015.

The Post Office Scandal

As the Computer Misuse Act debate continues, the ongoing Post Office scandal demonstrates the state’s own incompetence when it comes to cybersecurity and protecting the innocent.

Due to faulty software installed at state-owned Post Offices between 1999 and 2015, hundreds of innocent postmasters and staff were convicted of fraud and false accounting when the system made it look like money was being stolen. Nobody in a senior position at the Post Office or in government has been held to account, despite convictions being quashed and some compensation slowly trickling out to the wrongly accused.

Of course, one of the big ironies in this milieu is that a government that drags its feet on modern legislation, whose own law enforcement officers breach computer systems, and which allows innocent Post Office workers to be jailed because of glitchy software, has no qualms about invading the privacy of the average citizen under the Investigatory Powers Act.

What is the Investigatory Powers Act?

After whistleblower Edward Snowden revealed secret mass surveillance, including the sharing of data between the NSA in the United States and the UK, Britain doubled down and introduced the Investigatory Powers Act. This gave legal backing for the police and intelligence agencies to use mass digital surveillance tactics as part of an investigation, and the data they collect does not have to be targeted at a suspect – a massive invasion of privacy.

The act allows the government to retain this communications data for extended periods, creating a vast database of personal information that can be used for purposes beyond the stated aim of national security.

With limited independent oversight and accountability, it raises concerns about potential abuse of power and makes it difficult to hold authorities accountable for any violations of privacy rights.

As alluded to in a King’s Speech, the government wishes to expand the act further, including the ability to prevent tech companies from making updates to their services that might impede information-sharing with UK intelligence agencies.

There is also the looming threat that the act could force companies to break encryption when asked, or not to use it at all, which, far from protecting the public, leaves people vulnerable to unauthorized access to their data from all types of cybercriminals.

Broadly, one could argue that such vast powers, coupled with the government’s track record of mishandling data and technology, put both personal and national security at heightened risk of data breaches and other threats rather than safeguarding the nation.

Whether it’s the Computer Misuse Act or the Investigatory Powers Act, the current cybersecurity and privacy landscape in the UK is not a good one.

Does using a VPN fall under the Computer Misuse Act?

No, using a VPN is not a breach of the Computer Misuse Act nor is it illegal to use a VPN in the UK. The only time using a VPN falls under the scope of illegality is when it is used to commit or cover up a crime, or as part of the commission of a crime. Even then, the use of a VPN does not necessarily impact the severity of charges or sentencing guidelines in a conviction.

Does a VPN protect you from the Investigatory Powers Act?

Using a VPN provides partial protection from the sweeping powers of the so-called Snooper’s Charter.

The act is enforced via the cooperation of ISPs, who must retain the browsing history, IP addresses, connection timestamps, and metadata of every citizen’s online activity for a period of 12 months. This allows authorities to access and analyze vast amounts of user data retroactively, even without a warrant.

A VPN is helpful because it encrypts your internet connection and masks your IP address, providing a level of anonymity. An ISP may still know when you are online, but it cannot see the contents of your traffic, web history, or your true location at the time.

However, if encryption does indeed become a focus of the Investigatory Powers Act, we can assume VPNs might soon become the next target of the overbearing yet inept state.
