“A notable feature of the proposed changes is around trying to break the link between criminal domains and victim domains. It is achieved through granting law enforcement agencies the power to take control of or take down the domains and IP addressed used by criminals, as well as the power to require the UK registry not to register domain names that are predicted to be used for criminal purposes,” said Varley.
The second proposal aims to toughen up the offences and penalties for taking or coping data rather than merely unauthorised access to or modification of data.
“Considering the seriousness of the threat and the difficulty in taking action against a person possessing or using illegally obtained data, the changes are welcome,” she added.
Under the CMA, data copying only attracts a fine and a maximum of up to two years imprisonment. It is difficult to take action against a person possessing or using data obtained through a CMA offence. It is also not covered under the Theft Act, as theft of data from computer systems commonly involves copying the data, without the intention to “permanently deprive”. The government is considering creating a general offence for possessing or using illegally obtained data.
The third proposal would give law enforcement agencies a new power to require data owners or individuals in control of data to preserve that data in an unaltered state so that it is available for law enforcement investigations.
The proposed power would not permit a law enforcement agency to seize data, but it is intended to allow time for the agency to determine whether the data is relevant to an investigation. If the data is required, the agency would need to obtain court authorisation before it could seize the data. This power would apply to any data relating to any offence. It would be available to all UK law enforcement agencies, including the National Crime Agency (NCA), UK police forces, HM Revenue & Customs (HMRC) and the Serious Fraud Office.
Cyber risk expert Stuart Davey of Pinsent Masons raised questions over the enforcement of the proposed changes, given the international nature of CMA offences.
“The main difficulty will be trying to enforce it worldwide, given that many of the cybercrimes involving victims in the UK are carried out by individuals or groups outside of the UK. The UK government will have to rely on cooperation with governments and law enforcement agencies in other jurisdictions, and also those jurisdictions having the ability and legislation to prosecute extra territorial criminality. It’s a global problem that calls for global response and this is recognised to some degree in the consultation,” he said.
The consultation ends on 6 April 2023.