
Monday, January 17, 2011

In Brief: Unauthorised use of your own computer = cracking?

Seems there must be something in the water with regard to crazy applications of anti-cracking law.

I was somewhat amazed to find lawyers for Sony arguing that (in the US at least) it is cracking to use your own computer in a way other than authorised. (Post on The Volokh Conspiracy, hat tip to Overlawyered)

Sure, it rightfully wins the "Silliest Theory of the Computer Fraud and Abuse Act" award, but it highlights again the dangers of over-broad computer crime law.

Sunday, January 16, 2011

Breaching an Acceptable Use Policy a Criminal Offence

We generally expect that 'hacking' --- illegally gaining access to the computer systems of another --- would be a criminal offence. (Out of deference to the computer community, 'cracking' will be used for the remainder of the post.) And we generally expect that breaking the acceptable use policy at work is something deserving --- at most --- of being fired.

However, at the core of both is the unauthorised use of a restricted-access computer system. And that is an offence under the Criminal Code (WA). Section 440A(2) reads:
(2)    For the purposes of this section a person unlawfully uses a restricted‑access computer system —
                 (a)    if the person uses it when he or she is not properly authorised to do so; or
                 (b)    if the person, being authorised to use it, uses it other than in accordance with his or her authorisation.
UPDATE: To clarify, a "restricted-access computer system" is nothing special. It's defined in the Code as:
a computer system in respect of which —
                 (a)    the use of a password is necessary in order to obtain access to information stored in the system or to operate the system in some other way; and
                 (b)    the person who is entitled to control the use of the system —
                              (i)    has withheld knowledge of the password, or the means of producing it, from all other persons; or
                             (ii)    has taken steps to restrict knowledge of the password, or the means of producing it, to a particular authorised person or class of authorised person;


So breaching an AUP could, at least conceivably, land you in jail: ss (2)(b).

But would it ever happen?
Yes, and a conviction was just upheld in the WA Supreme Court --- Giles v Douglas [2011] WASC 14.

Ms Giles was a WA police officer. While working in the Northern Territory some years ago, she met a "RA", a police officer, and they became friends. RA separated from his wife around 2002, and RA's wife took custody of their children and moved to WA. RA's wife had been abused as a child, and had drinking and domestic violence issues. Ms Giles moved to WA in 2004.

On 27 March 2009, Ms Giles was contacted by RA. He told Ms Giles that his wife had just died, and as such, he had concerns about the children.  Ms Giles set about making inquiries about the children.

Some of the inquiries she made were searches of the police database. Upon logging into this database, all users were presented with the following warning:
Information contained within the Western Australia Police Computer Systems is confidential, must not be disclosed to unauthorised persons under any circumstances and not be accessed for personal reasons. (emphasis added)
This is where she came unstuck, and ended up in court. She was charged under section 440A. She argued that accessing the database in these circumstances was a proper part of her role --- that she would have done the same for "the local butcher", if he had come in with the same story. She also argued that her supervisor had authorised the searches, or alternatively that she had an honest and reasonable belief that she was authorised to do the searches.

The Magistrate didn't buy it, and Ms Giles failed in her appeal to the Supreme Court. To be clear, Ms Giles wasn't convicted for breaching police secrecy, or improper disclosure of information --- she was convicted for common cracking. She used the restricted-access system other than in accordance with her authorisation: s 440A(2)(b).

So What?
The decision is fully in accordance with the law --- although whether it's the right decision on the facts is slightly more open. Either way, it highlights the dangerous state of computer offences in WA law. The decision would seem to stand for the proposition that a breach of a contractual or workplace agreement regarding computer use amounts to criminal conduct.

That casts the net of conduct potentially caught by the section very, very wide. For example, as well as forbidding cross-posting and unlawfully downloading copyrighted material, the acceptable use policy governing my 3G wireless modem contains the following clause:
The service is provided for interactive use. However, if automated programs or programs that maintain a persistent connection to a remote service are used, they must only be used when you are physically present at the computer. These activities include (but are not limited to) automated file downloading, IRC ‘bots’, continuous streaming media and peer-to-peer file sharing applications. (emphasis added)
So if I set the latest set of system updates downloading overnight, I'd be breaching the AUP. I'd then be accessing the restricted-access computer system belonging to my ISP in excess of my authorisation.

Would that make me a cracker? No.

Would that make me liable to criminal sanctions? It would seem so.

Is that good law?