The Computer Misuse Act must be enforced

The law is clear, short and to the point - but it is not being applied.

The Computer Misuse Act of 1990: a slim document of just 12 pages, a mere stripling compared with other legislation.

The opening clauses of the Act pretty well say it all: "It is an offence to cause a computer to perform any function with intent to secure unauthorised access or to, without authority, change data and/or programs within a computer."

Yes, a 30-word sentence, but a clear one. Every virus, every unauthorised access to sites is an offence.

You would expect 'the authorities' to have their hands full, what with the prisons bulging and the public coffers exploding with fines from prosecutions. You would be wrong.

The latest Home Office figures show that only 19 cases were proceeded against in 2000 in England and Wales where computer misuse was the main offence. And only a further 63 were proceeded against when computer misuse was added to another offence, such as fraud.

The year 1999 was even worse: only 13 principal cases brought. It is not as if the conviction rate is low. Of the 19 principal offences in 2000, 15 were found guilty.

This led to five fines, two community sentences and four jail sentences with the rest conditionally discharged. Not a bad hit rate. But not a deterrent in itself.

It is not only the outcome of the case that deters crime, it is the likelihood of being caught and convicted.

The police, the prosecution service and the courts can only act when the potential crime is reported. Here we enter the vicious circle. Who would report such a crime if they did not hear of convictions or even cases? Who would bother to report the crime when their PC was wrecked by a virus?

They become the helpless victim who has to put it together again at their own expense.

There was some discussion before the Act was passed of making it a duty to report such crimes. But the proposal was turned down for being against the spirit of the law in this land: if you want to be beaten over the head with a stick and do nothing, then that's your right, says the law.

Day in and day out, our virus checkers are trapping viruses, some more malevolent than others. Whatever its payload, every virus is the product of a crime, according to the Act. Perhaps the virus writers act without criminal intent. Let them tell that to the courts.

The Act was only passed after careful consideration by the Law Commission, the regular legal review body. The Commission was looking at the need for a clear new law in this area after concern about hacking and fraud rose in the mid-1980s.

Behind the concern was the question of how these services can be made to work if customers cannot have confidence in the systems they use. That is as valid a point today as when made almost 20 years ago.

Where should we start to break this vicious circle of low reporting rates, low proceeding rates and high misuse? The private sector tends to bury its head in the sand over these issues.

It seems to take the line that it is best not to bring these incidents to the public's attention because to do so could cause it to become more of a target and shake investor confidence.

It has to be down to the public sector to kick off. If every incidence of computer misuse in the public sector were reported for investigation and considered for a prosecution, the climate would soon change.