Anti-hacking legislation

To identify and show understanding of the offences covered by the Computer Misuse Act 1990.

ALL: Will be able to state the three offenses specified in the Act MOST: Will be able to explain the consequences of breaking t Act SOME: Will show understanding of the offenses by categorising

scenarios

A quality set of notes covering the Computer Misuse Act.

Introduced as a result of concerns about people misusing the data and programs held on a computer

Other laws tried instead

Examples. Cox v Riley 1986 (Criminal Damage Act 1971) R. v Gold and Another (Forgery and Counterfeiting

Act 1981)

The case of R. v Gold and Schifreen was highly publicised

Gained unauthorized access to British Telecom's Interactive viewdata service

Lead to Law Commission produced report Report No.186, Computer Misuse

This became the Computer Misuse Act 1990

http://bit.ly/kBSHIi

Original bill specifically aimed at hackers

Many amendments during passage through parliament

Eventual legislation very broad based, lost much of the original intent

The Act specifies 3 offences

In summary these are:- ◦ Unauthorised Access◦ Unauthorised access with intent to commit further

offences◦ Unauthorised acts with intent to impair operation

of a computer etc.

◦ http://www.legislation.gov.uk/ukpga/1990/18/contents◦ http://goo.gl/Nn7vz

Unauthorised Access

◦ Summary penalty maximum12 months imprisonment / fine of up to statutory maximum

◦ Indictment penalty up to 2 years / fine / both

You are committing an offence if you try to access any program or data held in any computer without permission and you know at the time that this is the case.

E.G. A student gaining access to a fellow students area, or breaking in to the college administrative system, is breaking this category of act.

Summary conviction – tried by a judge alone Indictment conviction – held before a jury

http://www.legislation.gov.uk/ukpga/1990/18/section/1

Unauthorised Access with intent to commit further offenses

◦ Summary penalty 12 months imprisonment / fine of up to statutory maximum

◦ Indictment penalty up to 5 years / fine / both

You are committing an offence if you try to access any program or data held in any computer without permission and you know at the time that this is the case and you intend to commit a further offense

E.G. A student breaking into the college administrative system so as to change his/her grades but does not succeed

Summary conviction – tried by a judge alone Indictment conviction – held before a jury

http://www.legislation.gov.uk/ukpga/1990/18/section/2

Unauthorised Acts with intent to impair operation of a computer etc.

◦ Summary penalty 12 months imprisonment / fine of up to statutory maximum

◦ Indictment penalty up to 10 years / fine / both

You are committing an offence if you access any program or data held in any computer without permission and amend, delete, corrupt the data etc. held on the system

E.G. A student breaks into the college administrative system and changes his grades

Summary conviction – tried by a judge alone Indictment conviction – held before a jury

http://www.legislation.gov.uk/ukpga/1990/18/section/3

Criminal Vs Judge

12/14

Scenario 1

A student hacks into a college database to impress his friends unauthorised access

Later he decide to go in again, to alter his grades, but cannot find the correct file – unauthorised access with intent

A week later he succeeds and alters his grades – unauthorised act

Scenario 2

An employee who is about to be made redundant finds the Managing Director’s password; logs into the computer system using this and looks at some confidential files-

unauthorised access

Having received his redundancy notice he goes back in to try and cause some damage but fails to do so –

unauthorised access with intent

After asking a friend, he finds out how to delete files and wipes the main customer database –

unauthorised act

Prosecution are rare and punishments small

◦ Examples

Defendant causes firm to lose £36,000 - Fined £1,650; conditional discharge

Defendant destroys £30,000 worth of data - Fined £3000; 140 hours community service

15/14

Very complex Offences difficult to prove Evidence difficult to collect - firms do not co-operate

with police Firms embarrassed by hacking - particularly banks Employees often simply sacked/demoted Police lack expertise; time; money Offence perceived as ‘soft crime’ no one injured/hurt

This case in 1991 caused great concern and it was suggested that further prosecutions under the act would be unlikely to succeed◦ Defendant (and others) hacked into a variety of

systems and caused damage◦ Defence stated that defendant ‘addicted to

computers’ so could not help hacking◦ Not guilty verdict returned by jury

Hacking has increased both at hobby and professional levels

A few high profile cases Offenders often in other countries with no

equivalent legislation Some ‘international task forces’ set up but

no real progress Current UK estimated costs of cyber crime -

£27 billion per year http://goo.gl/wwffa - Telegraph 18 Feb 2011

ICO Questions

PLT Team Worker Independent Enquirers Creative Thinkers Self Managers

In selected groups of 3/4 you must collaborate and complete this activity

Create 1 resource that combines the answers to the questions set for homework

Think about an appropriate technology you could use to collaborate e.g. Google Docs Linoit