OK Computer: Protecting cyber privacy through criminal law

Despite being a false-start, the recent Apple v FBI litigation brings into sharp focus the intersection of criminality, technology and privacy. Just when the protection of privacy should cede to the investigation of a crime is, it seems, a question best delayed, suggesting the two interests always conflict. However, when an individual’s privacy has been infringed, a criminal investigation and prosecution can play a central role in privacy protection. Here is a snapshot of three offences worth exploring when dealing with privacy breach.


With personal computers and mobile phones indefinitely storing a wealth of data, accessing an online bank or social media account without permission is a grave personal violation.

Computer hacking offences are one way of addressing the harm caused. Set out in sections 1 to 3 of the Computer Misuse Act 1990 (“CMA”), the offences cover unauthorised computer access, including with intent to commit further offences, and unauthorised access to impair computer operation. The provisions are wide enough to capture not only cyber-attacks of the scale carried out by organised perpetrators but also where a person’s online presence has been monitored or accounts hacked by someone they know.

Key to hacking is that a person has knowingly acted, via a computer, without authorisation (section 17). Offenders risk 12 months’ imprisonment if convicted summarily to ten years on indictment.


What is a “computer”?

“Computer” is deliberately not defined anywhere in the CMA as the bounds of the term are continually shifting. In a 2011 report following an inquiry into phone hacking, a Parliamentary Select Committee concluded that although the CMA had not yet been used as the basis for a phone hacking prosecution, “a modern mobile telephone can fairly be described as a computer, as can the servers on which voicemail messages are stored.”  The same could easily be said for tablets and wearable devices. Just how far the term can stretch is ripe for testing.


Revenge porn

Since 13 April 2015 the disclosure of private sexual photographs or films without consent has been the subject of a specific criminal offence (section 33, Criminal Justice and Courts Act 2015).

Attracting up to two years’ imprisonment, the offence captures “giving, showing or making available” imagery of a private sexual nature and often occurs after relationship breakdown. “Sexual” is not limited to physically explicit depictions but encompasses what “a reasonable person could consider to be sexual because of its nature.” A critical feature is that the disclosure occurred without the consent of at least one of the individuals appearing in the film or photograph with the intent to embarrass or cause distress.


Fast removal

However it occurs, intimate image disclosure requires fast action to stop dissemination. If posted online, a removal request should be made immediately to the hosting website as well as search engines to limit it appearing as a “hit” via other websites.  For fast processing, the removal request must be sufficiently detailed. Full details of the image, including where it appears, what and who it depicts and why it causes distress are vital. According to last month’s Microsoft’s Content Removal Requests Report 38% of “revenge porn” removal requests between July and December 2015 were not accepted because of information deficiencies.



As with any case involving a personal violation, sensitivity is essential and there is no reason why revenge porn victims should not receive automatic anonymity like other sexual offence victims when a case progresses to court. Currently this does not occur (cf. Sexual Offences (Amendment) Act 1992) and an application to preserve the victim’s anonymity should always be made to the court at the start of any criminal proceedings.



The line between online curiosity and online criminality is not always immediately obvious. Repeated intrusive online attention, however, can amount to harassment or stalking (sections 1 and section 2A of the Protection from Harassment Act 1997).

Harassment includes “alarming the person or causing the person distress” and involves a course of conduct, being on at least two occasions (section 7) and attracts up to six months’ imprisonment.

Somewhat tautologically, the specific offence of stalking involves a course of conduct that is harassing and “amounts to stalking”. Examples include “contacting, or attempting to contact, a person by any means” and “monitoring the use by a person of the internet, email or any other form of electronic communication” (section 2A(3)(d)).

The Crown Prosecution Service’s (“CPS”) Guidance on Stalking and Harassment confirms that harassment and stalking includes “unwanted contact” via social media. Taking this further, such conduct could include unwanted sexting, vitriolic posts or systematic online attacks or “trolling”.



Whether the line has been crossed and a criminal investigation is required depends on the impact of the conduct on the victim. The fact that the victim might not be immediately aware of the identity of the person initiating the unwanted contact should not be a barrier to launching an investigation.  Under the CPS’s Guidance, a stalking investigation is likely to be appropriate where “the effect of such behaviour is to curtail a victim’s freedom, leaving them feeling that they constantly have to be careful.”

All manner of injunctive orders, including potentially a Violent Offender Order, are available pending determination of the offence charged and upon conviction.



Although the criminal law is often criticised for lagging behind cyber criminals, existing offences are arguably wide enough to capture some of the new risks posed by advancing technology. An innovative approach to criminal prosecution is required if cyber criminals are to be deterred. With so much of an individual’s life carried out and stored online, there is, in principle, no reason why a violation of privacy should not be treated as a serious offence.