Embed Size (px)
Citation preview
COM6650/6655 ProfessionalIssuesinInformationTechnology PartIX:ComputerMisuseandComputerCrime
Dr.AmandaSharkey
DepartmentofComputerScienceUniversityofSheffield
• Takehomeexam:tobereleasedonMoleonTuesday1stDecember
• 3exam-stylequestions• DueMonday14thDecember
2
• 1Introduction• 2WhatisComputerMisuse?• 3ComputerFraud• 4SoftwarePiracy• 5Viruses• 6Hacking• 7TheComputerMisuseAct1990• 8Conclusions• 9Summary
• 1Introduction!
• IThaschangedthewayinwhichcrimesarecommitted:• Valuableassetsarestoredascomputerdata;• Telecommunicationshavebroadenedthegeographyofcrime;
• Computershavegivenrisetoanewrangeofcriminalactivitiessuchascomputerhackingandviruses.
• Muchofthisactivityhascapturedtheimaginationofthepublic,butiscomputercrimereallyabigproblem?
• 1.1Whatisthescaleofcomputercrime?• DataoncomputercrimeiscollectedbytheAuditCommission
(http://www.auditcommission.gov.uk).!
• Theftcoverslosstoemployersthroughtheftofdataorsoftware;seldomdoesthiscauseanydirectloss.
1997updatetothissurveyfound10%increasesince1994innumberoforganisationsreportingcomputermisuse
TypeofMisuse
1994 1990 1987
No. DirectLoss No. DirectLoss No. DirectLoss
Fraud 108 2,904,430 73 1,102,642 61 2,526,751
Theft 121 196,305 27 1,000 22 34,500
Hacking 47 65,500 26 31,500 35 100
Viruses 261 30,485 54 5,000 0 0
Totals 537 3,196,720 180 1,140,142 118 2,561,351
• AuditCommissionUK(2005)figurefortotalvalueoffraudinpublicsectorwas£83million(notrestrictedtocomputerfraud)
• Problemofunder-reporting.• USsurvey(2004)estimatedthatphishingattackscostUSbanks$1.2billionin2003,and57millionAmericanshadreceivedphishinge-mails.
2012 Cost of Cyber Crime Study: United States
•Ponemonins[tutereport:
•Averageannualcostofcybercrimefor56organisa[onswas$8.9millionperyear
•Mostcostly:denialofservice,maliciousinsidersandweb-baseda]acks.
7
2WhatisComputerMisuse?• Inthelate1980stherewasgrowingconcernabouthackersandthedamagetheycouldcause.
• Twostudies:ScottishLawCommission(reported1987),EnglishLawCommission(reported1989)!
• ScottishLawCommissionidentifiedeightdifferentcategoriesofcomputermisuseina1987report.
• PromptedtheComputerMisuseAct1990(CMA).• Bearinmindthattheactionsdescribedbelowwillsometimesgiverisetoliabilitiesundercivillaw.
!EightdifferentcategoriesofcomputermisuseidentifiedbyScottish
Lawreport(1987)!(1)Erasureorfalsificationofdataorprogramstogainafinancialor
otheradvantageThiscategorydealswithfraudortheft!(2)ObtainingunauthorisedaccesstoacomputerThiscovershackingandunauthoriseduseofanemployer'scomputerby
anemployee.Hackersthatdamagecomputersystemsoftenhavenointentionofdoing
so.Withoutintent,thereisnocrime.ThisloopholehasbeenaddressedbytheCMA.
!
!!Eightdifferentcategoriesofcomputermisuseidentifiedby
ScottishLawreport(1987)continued….!3)EavesdroppingonacomputerThisinvolvestheuseofequipmenttopickupradiation
emissionsfromacomputerscreen.!(4)TakinginformationwithoutphysicalremovalLegalproblemsariseheresince'information'isnota
physicalthing;itcannotbestolen.Dealingwiththisproblemwouldrequirechangestothelaw
oftheft;amajorundertaking.Copyright,patentsandlawofconfidenceoffersome
protection.10
!EightdifferentcategoriesofcomputermisuseidentifiedbyScottish
Lawreport(1987)continued!(5)Unauthorisedborrowingofcomputermaterial
Borrowingofcomputermediadoesnotconstitutetheft.!(6)Denialofaccesstoauthorisedusers
Auserofacomputersystemcouldprejudiceotherusersbydenyingthemaccesstothecomputer,ordenyingthemaccesstoparticulardatathattheyneed.
!(7)Unauthoriseduseofcomputertime/facilities
Authorisedusersofacomputercouldusethemforunauthoriseduses,suchasprivateresearchanddevelopmentwhichiscompetitivewiththeiremployer.
!(8)Maliciousorrecklesscorruptionorerasureofdataorprograms
Theresultsofthisactivitycouldcausefinancialloss,damagetotheenvironmentorevenlossoflife.
BasicsofEnglishcriminallaw
• MostcriminaloffencesaresetoutinActsofParliament:e.g.TheftAct1968,FraudAct2006,ComputerMisuseAct1990.
• Somecommonlawoffencesremain,e.g.Murder• Elementsofanoffencecanbeanalysedintermsof
– Mensrea(mentalelement,andintention)– Actusreus(actualbehaviour)
• Someoffencestermed‘strictliabilityoffences’forwhichthereisnomensrea– (e.g.Drivingatnightwithfaultyrearlightisanoffenceevenifthedriverdidnotknowthelightwasfaulty)
• Criminaloffences:– Policeinformed– TheymaychargethepersonandthenpassthecaseovertotheCrownProsecutionService.
– AccusedappearsinMagistratescourt– CasemaybecommittedfortrialinCrownCourt.– Minor(summary)offencesdealtwithinmagistratescourt
– Serious(indictable)offencestriedinCrownCourt.– Intermediateoffences,e.g.Theftandfraud,aretriableeitherway(magistrateorcrowncourt).
3.ICTFraud
• Computersystemsvulnerabletofraud.– E.g.RvSunderland(unreported)1983,employeeofBarclaysBankusedbank’scomputertofindadormantaccount,andthenforgedtheholder’ssignaturetowithdraw£2,100.
– Sentencedto2yearsimprisonment,butillustratesvulnerabilityofsuchsystems,especiallyfromwithinanorganisation.
!3.1Typesofcomputerfraud(AuditCommission)!3.1.1Entryofanunauthorisedinstruction(inputfraud)
Unauthorisedalterationofdatapriortoitbeinginputintoacomputer.Probablycommon.
Example:inputdataforms!3.1.2Alterationofinputdata(datafraud)
Dataheldonacomputersystemismodifiedforfraudulentmeans.!3.1.3Suppressionofdata(outputfraud)!Outputfromacomputersystemisdestroyedoraltered.Themotiveisusuallytoconcealcriminalactivity.Example:auditrollsfromcashtill!3.1.4Programfraud!Alterationofacomputerprogram.Sophisticated,andthereforehardtodetectExample:salamifraud
3.2Fraudoffences• Fraudisacollectionofsimilaroffences,someofwhichwerecoveredbythe
TheftActs1968and1978!
3.2.1Obtainingpropertybydeception!
• Problemswitholddeceptionoffences!
• TheTheftAct1968definestheoffenceoftheftasfollows:• Apersonwhobyanydeceptiondishonestlyobtainspropertybelongingto
another,withtheintentionofpermanentlydeprivingtheotherofit,shallonconvictiononindictmentbeliabletoimprisonmentforatermnotexceedingtenyears.
• Thisdefinitionimpliesthedeceptionofaperson.TheLawLordsconfirmedthisviewin1974:foradeceptiontotakeplacetheremustbesomepersonorpersonswhowillhavebeendeceived
• Apersoncommittingacomputerfrauddeceivesthecomputer,notahumanmind.So,thisoffenceisprobablyinappropriateforcomputerfraud.
• TheTheftAct1968definestheoffenceasfollows:• Apersonwhobyanydeceptiondishonestlyobtainspropertybelongingtoanother,withtheintentionofpermanentlydeprivingtheotherofit,shallonconvictiononindictmentbeliabletoimprisonmentforatermnotexceedingtenyears.!
• Ifapersongainsaccesstoacomputersystemwithoutpermissionandthenmakesaprintoutoftheinformationcontainedtherein,hashecommittedtheft?
• OxfordvMoss(1978)• Student‘borrowed’anexaminationpaperbeforetheexam
• Couldnotbeprosecutedfortheftsincehereturnedtheitem
• Wasprosecutedfortheftofconfidentialinformation– Butacquittedongroundsthatinformationcannotberegardedaspropertyandsocannotbestolen.
• RvLloyd(1985)
• Projec[onistinacinemaand2others,tookfilmsfrom cinema,andcopiedthembutreturnedthem.
Thepiratedcopiesweresoldataconsiderableprofit
• BUTthechargeofthej(conspiracytosteal)washeldtobe inappropriate
• nointen[ontopermanentlydeprive.
• chargeofconspiracytodefraudmighthaveworkedbe]er
19
• 3.2.2Conspiracytodefraud• Commonlawoffence• Aconspiracyisanagreementbetweentwoormorepersonstocarryoutanunlawfulact.
• Conspiracytodefraudmaybeapplicabletocomputerfraud,sincedeceptionneednotbeproven
• TheftAct1968:• Dishonestlyextractingelectricity
– Unauthorisedaccesswillresultinsomeconsumptionofelectricity
– Butwillhavetodemonstratethatthepersonrealisedtheywerebeingdishonest
– RvGhosh(1982)GhoshTest– Needtodeterminewhetherthedefendanthimselfrealisedthatwhathewasdoingwasby[ordinarystandardsofreasonableandhonestpeople]dishonest
• 3.2.3Attempts• Tobechargedwithanattempt,apersonmusthavedonean
actwhichis'morethanmerelypreparatorytothecommissionofanoffence'.
• Acomputerfraudwhichisnotcompletedmaybeanattempttostealmoney.ConfusionoverthisisonereasonwhysectiontwooftheComputerMisuseAct1990wasenacted(seelater).
• SeealsoFraudAct2006• 3.2.4Fraudastheft• Applyingtheoffenceofthefttocomputerfraudnormally
presentsnoproblems,exceptingourreservationsaboutpermanentlydepriving.
FraudAct2006DealswithsomeofdeficienciesofTheftActs1968and1978,especiallyICTfraud
Apersonisguiltyoffraudifinbreachofanyofthefollowing:
-(i)fraudbyfalserepresentation -(ii)fraudbyfailingtodiscloseinformation -(iii)fraudbyabuseofpositionPenalties:Summaryconviction(Magistratescourt):imprisonmentforupto12monthsand/orfine
Convictiononindictment(Crowncourttrialbyjury):imprisonmentforupto10yearsand/orfine
• (i)Fraudbyfalserepresentation(FraudAct2006,section2)– Occurswhenpersondishonestlymakesafalserepresentation,intendingtomakeagainforhimselforanother,ortocauselosstoanother,ortoexposeanothertoriskofloss.
– E.g.‘phishing’obtaininginformationsuchasbankaccountdetailsbysendingemail(orSMS)purportingtobefromthatperson’sbank
– E.g.‘pharming’(directingtraffictogenuinewebsitetobogusone)
– UnlikeTheftAct1968(permanentlydeprive),noneedforactualgainorloss,orforittobepermanent.
• (ii)Fraudbyfailingtodiscloseinformation(FraudAct2006Section3)
• Thisformofoffenceoffraudapplieswhenapersondishonestlyfailstodisclosetoanotherpersoninformationwhichheisunderalegaldutytodisclose,andintends,byfailingtodisclosetheinformation,tomakeagainforhimselforanother,ortocauselosstoanotherortoexposeanothertoriskofloss.
• Mayberelevantforonlinetransactions–– E.g.Electronicsubmissionoftaxreturns,roadtaxfund,televisionlicenses.
• (iii)Fraudbyabuseofposition(section4ofFraudAct2006)
• Applieswhenapersonoccupiesapositioninwhichheisexpectedtosafeguard,ornottoactagainst,thefinancialinterestsofanotherperson.– Typicalexampleofoffence:personwithenduringpowerofattorneymisusespositiontodrawfundsfromthedonor’sbankaccount.
– Orwhereemployeeofsoftwarecompanyuseshispositiontomakeunauthorisedcopiesofhisemployer’ssoftwaretosellforhisownbenefit.
– Orwhereemployeesellsanemailcontainingconfidentialinformationbelongingtotheemployertoarivalcompany.
• Articlesforuseinfraud– Possessionofarticle,ormakingorsupplyingarticles!
– Section6ofFraudAct2006,makesitanoffenceforapersontohaveinhispossessionorunderhiscontrolanyarticleforuseinthecourseoforinconnectionwithanyfraud.
• Mightincludedecryptionsoftwareifintendedtobeusedforfraud!• Summaryconviction:upto12monthsimprisonmentand/orfine• Onconvictioninindictment:maximumpenalty5yearsimprisonment!
!– Section7ofFraudAct2006:anoffencemadeoutifapersonmakes,adapts,
supplies,orofferstosupplyanyarticle• Knowingthatitisdesignedoradaptedforuseinthecourseoforinconnectionwithfraud;• Intendingittobeusedtocommitorassistinthecommissionoffraud.• E.g.SoftwaretocircumventtechnologicalmSummaryconviction:upto12months
imprisonmentand/orfine• Onconvictioninindictment:maximumpenalty10yearsimprisonmentmeasuresapplied
tocopyrightworkstopreventunauthorisedactsinrelationtothoseworks.• .
• Obtainingservicesdishonestly• FraudAct2006,section11
– Replacessection1ofTheftAct1978,obtainingservicesbydeception.– Mightnothaveappliedwhendeceptiondidnotoperateonahumanbeinge.g.
Serviceobtainedbyenteringpassword,checkedbycomputer.– Offencecommittedbypersonwhoobtainsservicesforhimselforanotherby
dishonestactwhere• A)theservicesaremadeavailableonthebasisthatpaymenthasbeen,isbeingorwillbe
madefororinrespectofthem• B)heobtainsthemwithoutanypaymenthavingbeenmadefororinrespectofthemor
withoutpaymentbeingmadeinfulland• C)whenheobtainsthem,heknows
– Thattheyarebeingmadeonthebasisdescribedin(a)orthattheymightbe,butintendsthatpaymentwillnotbemade,orwillnotbemadeinfull.
– Maximumpenalty• Onsummaryconviction,imprisonmentfortermnotexceeding12months,and/orfine• Onconvictiononindictment,imprisonmentfor5yearsand/orfine.
• 1Introduction• 2WhatisComputerMisuse?• 3ComputerFraud• 4SoftwarePiracy• 5Viruses• 6Hacking• 7TheComputerMisuseAct1990• 8Conclusions• 9Summary
4SoftwarePiracy• Formany,theconceptofsoftwarepiracyisadifficultonetograsp
because,ineconomicterms,softwareresembleswhatiscalleda'publicgood'.
• Example:apublicgood– Free-to-air-television
• non-rivalrous(consumptionbyonedoesn’treduceavailabilitytoothers)andnon-excludable(no-onecanbeexcluded)
!• Anti-piracyorganisationssuchasFASTmountraidsonsoftware
pirates,usingspecialsearchwarrants.• FASTestimatethat30%ofallsoftwareinuseintheUKisinfringing,
costingthesoftwareindustryseveral100millionpoundsperyear.• Seehttp://www.fast.org.uk
4.1Fightingsoftwarepiracy• Auditingprogramscanautomatethedetectionofillegallycopiedsoftwareoncomputernetworks.
• Hardwarecopy-protection'keys'canbeused,butareunpopularwithconsumers.
• Analternativeisasoftwarekey.
• 4.2Legislationapplicabletosoftwarepiracy• Copyright,DesignsandPatentsAct1988;definesanumberofcriminaloffences;themostseriousarefordistributingandimporting.
• ForgeryandCounterfeitingAct1981;adisc,tapeorotherrecordingmediummaybea'falseinstrument'.
• TradeDescriptionsAct1968;intendedtoprotectconsumersfrombuyinginferiorgoods,e.g.copiedsoftwarewhichisbeingsoldasthegenuinearticle.
5VirusesVirusesareprogramsthataredevisedtobecopiedinadvertently.Theyareconcealedinotherprogramsordata,anddamageorslowtheoperationoftheir'host'systems.!TheAuditCommissionfindthatvirusesarethemostcommonformofcomputerabuse.The‘ILoveYou’virusreleasedin2000wasestimatedtohaveaworldwideeconomicimpactof$8.75billion(CSI/FBIComputerCrimeandSecuritySurvey,2002)
• ComputerMisuseAct1990:oneofitspurposeswastocriminalisetheuseofcomputerviruses
6.Hacking• Computerhackingistheaccessingofacomputersystemwithouttheexpressorimpliedpermissionoftheownerofthatcomputersystem.
• 6.1RvGold(1988)• See:Bainbridge,p.440Sixthedition
ThecaseofRversusGold:TwojournalistsgainedaccessintoBTPrestelGoldcomputernetworkwithoutpermissionandaltereddata.OnealsogainedaccesstoDukeofEdinburgh’spersonalcomputerfilesandleftmessage“GoodafternoonHRHDukeofEdinburgh”Theyclaimedtheygainedaccesstonetworktohighlightdeficienciesinsecurity.!TheywerechargedunderForgeryandCounterfeitingAct1981onmakingafalseinstrument–theCIN(customeridentificationnumber)andpassword.JournalistsfoundguiltyatCrowncourt,andfined(£750and£600)ConvictionsquashedbyCourtofAppeal,andconfirmedbyHouseofLordsActswereadishonesttrick,notcriminaloffencesIftheconvictionhadbeenupheld,wouldmeandefendantshaddeceivedacomputer
!AfterRvsGoldcase,whichconcludedthathackingwasnotacriminaloffenceperse,thecomputerindustrybecamedissatisfiedwiththescopeofcriminallaw.!!ThispromptedtheComputerMisuseAct1990.Unusually,thiswasintroducedasaprivatemember'sBill.!!Hackingwiththeintenttocommitafurthercrimesuchastheft,ordamagebyalteringdata,isnowaseriouscriminaloffenceundertheAct.!!HackingwithoutintentiontocommitafurthercrimeisaminorcriminaloffenceundertheAct.
6.2OtheroffencesassociatedwithhackingTheComputerMisuseAct1990isthemainweaponagainsthacking,althoughotherareasofcriminallawmayberelevant:!ThelawoftheftRegulationofInvestigatoryPowersAct2000(RIPA)DataProtectionAct1998(DPA)!RIPAconcernstheintentionalinterceptionofcommunicationsonpublicandprivatetelecommunicationssystem,includingdatanetworks.TheDPAregulatestheuseandstorageof'personaldata',i.e.informationrelatingtoindividualsthatcanbeidentifiedfromthatinformation.Ifacomputerhackercopiespersonaldataandstoresitonhisowncomputer,heisholdingpersonaldatawithoutbeingregistered.Thisisacriminaloffence.
7TheComputerMisuseAct1990TheActcreatesthreenewoffences.!CMASection1:Unauthorisedaccesstocomputermaterial
Apersonisguiltyofthisoffenceifhe'...causesacomputertoperformanyfunctionwithintenttosecureaccesstoanyprogramordataheldinanycomputer;theaccessheintendstosecureisunauthorised;andheknowsatthetimewhenhecausesthecomputertoperformthefunctionthatthisisthecase..'Thisoffenceaimstodeterhackerswithoutrequiringanyevidenceofintentiontocommitacrimeoralterdataorprograms.Thepenaltyismoderate-afine,oraprisonsentencenotexceedingsixmonthsduration.
Whatisthesignificanceofthethirdclause?
• CMASection2:Unauthorisedaccesswithintenttocommitorfacilitatefurtheroffences
• (ulteriorintentoffence)• Apersonisguiltyofthisoffenceifhecommitsan'...unauthorisedaccess
offencewithintenttocommitanoffencetowhichthissectionapplies;orfacilitatethecommissionofsuchanoffence(whetherbyhimselforanyotherperson)..'
• The'offencetowhichthissectionapplies'meansanycriminaloffenceforwhichthesentenceisatleastfiveyears,suchasfraud,theftorblackmail.
• Addressesamoreseriousformofhacking,inwhichunauthorisedaccessisgainedwithintenttocommitafurthercrime,whetherornotthatfurtheroffenceinvolvestheuseofacomputer.
• Particularlyusefuliftheoffenceisnotcompleted.E.g.Personattemptstogainaccesstoacomputerwiththeintentionofsendingablackmailmessage,butdoesn’tgetbeyondloginscreen.Couldstillbeconvictedifit’sshownthattheyhad– Intentiontosecureaccess– Knowledgethataccessisunauthorised– Theintentiontocommitblackmail
• Thepenaltyisgreater-alargefine,aprisontermnotexceedingfiveyears,orboth.
• CMASection3:Unauthorisedmodificationofcomputermaterial• Apersonisguiltyofthisoffenceif'hedoesanyactwhichcausesan
unauthorisedmodificationofthecontentsofanycomputer;andatthetimewhenhedoestheacthehastherequisiteintentandtherequisiteknowledge'.
• Theterm'requisiteintent'meansto:– Impairtheoperationofacomputer– Preventorhinderaccesstoaprogramordataheldinanycomputer
• Impairtheoperationofaprogramorreliabilityofdata• Theintentneednotbedirectedspecificallyat:
– Aparticularcomputer– Aparticularprogramordataoraprogramordataofanyparticularkind– Aparticularmodificationoramodificationofanyparticularkind
• Penalty:Likesection2,maximumof5yearsimprisonmentorunlimitedfine
• Thisoffencecoversfourformsofconduct:• 1.Unauthorisederasureofprogramsordatacontainedincomputermemoryoronastoragemedium.
• 2.Thecirculationofavirusinfectedprogram,withtheintentionofcausingamodificationthatwillimpairtheoperationoftherecipient'scomputer.
• 3.Unauthorisedadditionofavirustoacomputer'slibraryofprograms,whichwillimpairtheoperationoftherecipient'scomputerbyusingupitscapacity.
• 4.Unauthorisedadditionofapasswordtoadatafile,therebyrenderingthatdatainaccessibletoanyonewhodoesnotknowthepassword.
7.4ProblemswiththeComputerMisuseActThefirstcontestedCrownCourttrialundertheCMAcametocourtinApril1993,andhadproblems.FirstmajorcasebroughtunderComputerMisuseAct!7.4.1ThePaulBedworthcase!RvPaulBedworthSouthwarkCrownCourtComputerMisuseAct1990,ss1,3Unauthorisedaccess-Unauthorisedmodification-ConspiracyHackingfromhisbedroominmother’shouse-JANET,BT,FinancialTimes,EuropeanCommissionsites.Allegeddamageof£120,000.Expertpsychiatricevidenceofobsessiveaddictiontohacking.Held-defendantwas"addictedtohacking",andlackedcriminalintent.Defendantacquitted.!Possiblyhisyoungage(18)wasafactor,alsoheavy-handedarrest.!Hackers’charter?
7.4.2FollowingtheBedworthcaseTherewassomeconsolationforthepolice.TwoofBedworth'sfriends,NeilWoodsandKarlStrickland,pleadedguiltytosimilarchargesundertheCMA.!Theybothgotsixmonthsimprisonment.Inhissummingup,judgeMichaelHarrissaid:!'...ifyourpassionhadbeencarsratherthancomputerswewouldhavecalledyourconductdelinquent,andIdon'tshrinkfromtheanalogyofdescribingwhatyouweredoingasintellectualjoyriding...hackersneedtobegivenaclearsignalbytheCourtsthattheiractionswillnotandcannotbetolerated...'!ItseemsunlikelythattheBedworthcaserepresentsalegalloopholeintheComputerMisuseAct1990.AmemberoftheLawCommissioncommented:!'...Idon'tthinkthere'saloophole.Onlyinlimitedcircumstancesisthisdefencelikelytobeusedagain,andthejury'sdecisioninthiscasestrikesmeasextraordinary...'!Indeed,therehavebeenmanysuccessfulprosecutionssince.
7.4.3ArethereproblemswiththeAct?• TheComputerMisuseAct1990iscautious,reflectingthegreat
carethatmustbetakenwhendraftingthiskindoflegislation.• TheCMAaddressesmostoftheareasofcomputermisuse
identifiedbytheScottishLawCommissionreport,apartfromelectroniceavesdropping.
• Theterm'computer'isnotdefinedbytheAct.Isthisaproblem?
• Aconcernisthemeaningof'unauthorisedaccess'.Whatisthesituationwhenaccessisauthorisedbutthefunctionperformedisnot?
• Example:DPPvBignell(1998)• SeeBainbridgepp.442-3sixthed.
!!!
• DPPvBignell(1998)• Twopoliceofficersusedpolicenationalcomputertogainaccesstodetailsofmotorcarstheywantedforprivatepurposesunconnectedwithdutiesaspoliceofficers.
• Chargedwithunauthorisedaccesstocomputermaterialundersection1ofCMA1990
• Appealsallowed–theiraccesswasauthorised• ....worryingdecision!
• ButsoonreversedinHouseofLords:
!• RvsBowStreetMetropolitanStipendiaryMagistrate(2000)• EmployeeofAmericanExpressinFloridawasauthorisedtoaccess
specificcustomeraccounts–butsheaccessedotheraccountsandpassedonconfidentialinformationallowingcounterfeitcreditcardstobemade.
!• Decision:Authorisationshouldnotextendtoaccesscomputermaterial
forunauthorisedpurpose
!• LordHobhousecriticisedthedecisionmadeinDPPvBignell-should
havebeenconcernedwithauthoritytoaccesstheactualdatainvolved,notjustthekindofdata.
• Employeehadauthoritytoaccessthekindofdatasheaccessed,butnottheparticulardatasheaccessed.
• i.e.Authorisationtoaccesscomputermaterialdoesnotextendtoaccessingcomputermaterialforanunauthorisedpurpose.
• Usingloggedoncomputerifsomeonehasleftthemselvesloggedon.
• EllisvDPP(2001)• Ex-studentofNewcastleUniversity.Usednon-openaccesscomputerstobrowsewebsites,whencomputerleftloggedonbyprevioususers.
• Toldbyadminofficerhedidnothavepermissiontousenonopen-accesscomputers.
• Convictedundersection1ofComputerMisuseAct1990• Theclaimthatwhathehaddonewaslikepickingupadiscardednewspaperandreadingitwasrejected.
• HowmanyprosecutionsunderComputerMisuseAct?
• 1999-2000proceedingsagainst32persons• 26foundguilty• surprisinglylownumber
49
• 8Conclusions• TheComputerMisuseAct1990wasanimportantstepinEnglish
Law,thatgoessomewaytowardsprotectingcomputerprogramsanddataaslegalpropertyunderthecriminallaw.
• Preventionisbetterthanprosecution.TheAuditCommissionrecommendsseveralwaystoimprovecomputersecurity:
Morestaffarebeinggivencomputerstoperformtheirtasks,butfewofthemreceivetrainingintermsofprotectingthedatatheyuse;
• Withthegreateruseofnetworks,moreattentionneedstobegiventorestrictingandcontrollingaccess;
• Simple,basiccontrolscoulddomuchtoreducerisk;• Auditdepartmentshaveavitalroletoplayinadvisingonand
helpingtodesignsecuritymeasures;• Morecomputer-literateauditorsareneeded.• Agoodsignisthatthecourtsappeartobetreatingcomputercrime
seriously,withcustodialsentencesbeingadministeredinmanycases.
9Summary!Computercrimeisaserious(andgrowing)problem.!Fourimportantareasofcomputercrimearefraud,softwarepiracy,hackingand
viruses.!PriortotheintroductionoftheComputerMisuseAct1990,theabilityofcriminallaw
todealwithcomputercrimewasquestionable.!TheComputerMisuseActwasintroducedin1990.Itintroducesthreenewoffences:
–unauthorisedaccesstocomputermaterial–unauthorisedaccesswithintenttocommitorfacilitatefurtheroffences–unauthorisedmodificationofcomputermaterial
!ApplicationoftheActhasmetwithmixedsuccess.TheBedworthtrialisconsidered
tobealegalanomalythatisunlikelytoberepeated.!Successfulexamples:
–RvBowStreetMetropolitanStipendaryMagistrate–EllisvsDPP(2002)
• FraudAct2006:broughtinanumberofoffencestotackleICTfraud– Mostoffencescanbecommittedwithoutthecompletionoftherelevantgainorlossactuallytakingplace
– Iffraudiscompletedthenachargeoftheftmaybeappropriate!
• Asecurecomputersystemisabetterprotectionagainstcomputercrimethanlegislation.
52
• Nextweek:• TheSocialContextofComputing!
• Tomorrow:releaseoftakehome‘exam’• (worth70%ofmodulemark)
