The Computer Misuse Act
The Computer Misuse Act is deliberately written to allow a wide interpretation of the law. Simply stated, the law prohibits unauthorised access to a computer.
The law does not define a computer. A computer may be any device that processes data. Lord Hoffman, in the Appeal Court, defined a computer as a device for storing, processing and retrieving information. For the most part, a jury can decide whether a device is a computer or not.
The law is also deliberately vague about the meaning of "accessing" and this may include reading data on a computer or affecting the operation of a computer by bombarding the device with messages.
Evidence of Access
In most cases, the evidence of access to a computer will be from the computer itself.
Unauthorised access to a computer might be by someone who has no right to use the computer. We see newspaper stories about people sitting at home and accessing government systems in search of information about, for example, "alien encounters".
We also see cases of unauthorised access by people misusing the computers at their place of work.
Typically, business computers keep logs of access. Logs are kept by most computer systems that are used in business and where data is accessed by more than one person. At the very least, these systems record the date and time of every logon and logoff together with the username. Many systems also record transaction detail that might include "add invoice", "pay bill", "examine account data" and so on.
We can only be sure that the person using a computer is the person whose username is in the logs if we are sure that nobody else knows the password for that username. Examination of the dates and times in the logs may show a logon that happened when the user was not present. Any such logon might undermine assertions about a username only being used by one person.
Unauthorised access to a computer might be by an anonymous user. Someone sat at home might attempt to break into, for example, government computers via the Internet by guessing usernames and passwords. Computer access logs often include the Internet address (IP) address of the computer that is attempting access. Internet service providers (ISP) keep logs that can tie an IP address to a street address.
Examination of ISP logs might show that an Internet access occurred when an accused person was not present at the street address.
The Computer Misuse Act includes wording that prohibits an "attack" on a computer that may not be intended to gain access but is intended to disrupt legitimate access by other people. Such attacks are often called "denial of service" attacks and involve one or more computers sending many messages to a computer across the Internet. The high number of messages causes the receiving computer to fail to process all of the messages and to break down.
Evidence of Authority or Lack of it
The debate about whether access to a computer was authorised or not authorised is not really a part of the work of a computer expert witness. It does seem that the law puts the Prosecution in the unusual position of having to prove a negative.
Court Judgements have sought to clarify the law regarding unauthorised access to a computer system by an employee of the operator of the computer system.
In Allison (1999), the Lords said that an employee might have permission to access some data on a computer system while not having permission to access other data on the same system.
A bank employee might routinely examine account details held on a computer system. It is likely that the bank would have a process to identify the accounts that the employee was to access. It may be, for example, that the employee was allowed to access account details in response to letters received from the holder of the account. It is likely that the Allison judgement means that it would be a computer misuse offence for a bank employee, who routinely examined account details as part of their job, to examine the account details of friends and family or the account details of celebrities to find out where these folk spent their money.
It appears that the Allison judgement requires that the prosecution of an employee depends on a clear policy or guidelines to ensure that an employee knows the extent of their authority to access a computer system.
I have worked a case where an employee working in a call centre was accused of computer misuse. The employee was authorised to look at the computer records for customers who called the call centre where the employee worked. The Prosecution said that he had looked at computer records for people without their express request or permission. The evidence included a witness statement from an employee who had examined telephone records and claimed to have found nothing to show that the relevant customers had called the call centre. I never understood how the Prosecution would show that the customers had not contacted the accused in some other way. It may be that the Prosecution shared this view because these charges were eventually dropped.
Expert Witness Examination
The evidence in computer misuse cases is often highly technical and may include log files and other records. An expert witness should be able to correlate these logs and records into a timeline that details the events and the times that these events occurred.
Logs may show anomalies including, for example, a single username being in use twice at the same time. Duplicate simultaneous uses of a single username may indicate that the password for this username is known by more than one person.
IP address usage logs may have been obtained from an ISP. These IP logs can be examined in concert with logs from the computer system itself.
R v Bow Street Magistrates Court and Allison (AP) Ex parte Government of the United States of America (Allison)  2 AC 216