Contact to us today by email: [email protected]

  • February 10th, 2017

Hacking | Computer Misuse Act 1990 (Section 3ZA)



The Computer Misuse Act 1990 (“the 1990 Act”) sets out the offences associated with interfering with a computer (that is, hacking) and the associated tools (such as malware) that enable computer systems to be breached. The 1990 Act, which applies UK-wide, makes unauthorised access to, or modification of, computer material unlawful.

Malware and Tor

The new law should be taken very seriously because it creates offences that can carry Life Imprisonment. There is a determination by Government in Europe and USA to make attacks on government institutions or other organisations threatening public health or national security punishable in the harshest way possible.

Malware capable of conducting such attacks can be used in innocent circumstances but it’s presence of a person’s computer at the point of search by Law Enforcement is going to lead to a detailed investigation into a person’s online activity.

Tor and other encryption software may disguise a person’s identity for activity on line, but the system is not infallible and if it can be proved that a particular computer has launched or hosted an on line attack, the presence of malware with that capability will be prima facie evidence of involvement in an offence that carries life imprisonment.

The changes in law brings in sentencing powers previously reserved for the most serious offences of homicide and terrorism and significantly changes the landscape for anyone using encryption to hide their identity whilst experimenting with hacking tools or software.

Law Enforcement have to prove intent to cause the damage but proof of recklessness to about endangering life will be sufficient.

In one recent case, malicious hackers hijacked a 15 years old’s computer having persuaded him to install games software, and showed him how to DOS attack his friend’s for fun. They remotely accessed his computer and used his Tor and hidden malware remotely to conduct an attack on UK power installation and amazon. They removed their tracks after existing.

‘For all evidential purposes, it appeared as if the 15 year old had conducted the attack himself and if he had not been logged his activity with the malicious hackers earlier, he had no way of showing it was not him.’

‘I am seeing more cases like this’, said Mark Jones, ‘because Law Enforcement has been given weapons to tackle cyber attacks on government institutions or in any case where health could endangered by deliberate impairment of computers by Section 3ZA Computer Misuse Act 1990. If you are using Tor or encryption and you are involved with people you may have doubts about on line, you need to be careful. If you think your computer has been hijacked and you are frightened to go to Law Enforcement, you need to create a secure independent copy of your array, preserve the evidence and speak to a solicitor or attorney. It is that serious. If your ’on line identity’ could used to damage life and health or for criminal reasons and the fact that your identity is being shielded will slow down detection but will also hide the real culprits. Law Enforcement have to put the man behind the computer to prove their case which can be done using cell siting of mobile phones. Where your system is hijacked, all the evidence will point to you being on line.’

‘My client was lucky – when the attack took place, he was on a trip , and with the log, it was easy to prove it was not him but he still had a lot of explaining to do.’


Section 3ZA Computer Misuse Act 1990

The new offence in section 3ZA of the 1990 Act addresses the most serious cyber attacks, for example those on essential systems controlling

  • power supply,
  • communications,
  • food or
  • fuel distribution.

A major cyber attack of this nature could have a significant impact, resulting in loss of life, serious illness or injury, severe social disruption or serious damage to the economy, the environment or national security.

However, hitherto the most serious offence under the Act was the section 3 offence of unauthorised access to impair the operation of a computer. The maximum sentence of 10 years’ imprisonment which this offence carried did not sufficiently reflect the level of personal and economic harm that a major cyber attack on critical systems could cause.

The new offence applies where an unauthorised act in relation to a computer results, directly or indirectly, in serious damage to the

  • economy,
  • the environment,
  • national security or
  • human welfare, or
  • significant risk of such damage (where damage to human welfare encompasses loss of life, illness or injury or serious social disruption).

A significant link to the UK is required, so that at least one of the accused or the target computer at the time of the offence or the damage must have been in the UK, or the accused must be a UK national at the time of the offence and the conduct constitute an offence under the law of the country in which it occurred.

The accused must have intended to cause the serious damage, or to have been reckless as to whether it was caused.


Section 3ZA (6) A person guilty of an offence under this section is (unless subsection (7) applies) liable, on conviction on indictment, to imprisonment for a term not exceeding 14 years, or to a fine, or to both.

(7) Where an offence under this section is committed as a result of an act causing or creating a significant risk of—

  • serious damage to human welfare of the kind mentioned in subsection (3)(a) or (3)(b), or
  • serious damage to national security,

a person guilty of the offence is liable, on conviction on indictment, to imprisonment for life, or to a fine, or to both.

For more information visit our dedicated cyber crime website or call 0333 011 0515 for legal advice.

Leave a Reply

Contact to us today - [email protected]

Authorised and regulated by the Solicitors Regulation Authority (203739)