The Home Office consultation on Computer Misuse Act (CMA) reform raises the possibility of a new offence of “possessing or using illegally obtained data”. This is presumably in response to the growing complexity of cyber-crime supply chains. It’s good to see immediate recognition that this will need “appropriate safeguards”. This post looks at why someone in possession of information obtained through crime may not be a criminal and, indeed, may be engaged in activities that society (and victims) should encourage.
Information obtained through cyber-attacks is often left, or deliberately made, publicly available. Most simply, the criminal may not wish to send information directly from the victim system to their own infrastructure, since that could leave a trail straight back to their identity. Instead, data is often exfiltrated to third-party storage which, whether by design or by oversight, frequently has no access restrictions at all. Later, several of the ways of converting stolen information into money require the criminal to demonstrate publicly the quality of what they hold: either to strengthen a blackmail demand by publishing a sample, or to prove to potential buyers that the data is genuine and still current.
Incident response teams often seek out these public collections of “illegally obtained data”: to obtain early warning of successful attacks, to help victims directly reduce the damage (for example by changing passwords or cancelling credit cards), and because the content may help to determine how and when an attack occurred. Obtaining and sharing information “to contain the effects of incidents and recover more efficiently” is recognised by the NIS2 Directive (Recitals 119 and following) as something to be encouraged, so clear safeguards are essential to ensure there is no fear that such work might be challenged under any new law. Indeed, it is not clear that a new law is needed: there are already criminal offences under s3A of the current CMA (“making, supplying or obtaining articles for use in offence”, which was justified at the time as covering lists of passwords and credit card numbers) and s170 of the Data Protection Act 2018 (“unlawful obtaining etc. of personal data”, which expressly includes “retaining”), and these may well be sufficient to address the harms identified without creating any new perverse incentives. With so few prosecutions under these provisions being reported, it’s hard to know whether what’s needed is more law or more investigation and enforcement. In the meantime, it’s essential not to discourage the protective mechanisms we do have.