Computer Misuse Act 1990 Modified by Police and Justice Act 2006
Disclaimer
● These notes do not constitute legal advice.
● If you need legal advice consult a suitably qualified practitioner.
Introduction
● Prior to 1990 there was no legislation addressing the problems caused by intrusion.
● Introduced in response to a high-profile (at the time) intrusion.
● An attempted prosecution under the Forgeries and Counterfeiting Act 1981 was deemed to be misapplied.
Offences:
● Unauthorised access to computer material
● Unauthorised access with intent to commit or facilitate a crime
● Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
● Making, supplying or obtaining anything which can be used in computer misuse offences
Unauthorised access to computer material
● “Just looking ...”
● Password guessing
● Bypassing security
● Enabling others to gain unauthorised access
● Requires “Intent”
● Up to 6 months in prison (Scotland)
● Up to GBP 10000 (currently, Scotland)
...intent to commit or facilitate a crime
● Sole purpose of committing a crime
● Alter, delete or copy data or programs
● Impersonation (e-mail …)
● Forgery, fraud.
● Keyloggers, Spyware, Phishing
● Up to 6 months in prison (Scotland)
● Up to GBP 10000 (currently, Scotland)
...recklessness as to impairing, operation of computer, etc.
● Specifically designed to address the spread of computer viruses
● Trojan horse used to “crash” system
● Logic bombs, “Time locking”
● ...on conviction on indictment, to imprisonment for a term not exceeding ten years or to a fine or to both ...
Making, supplying or obtaining articles for use in offence ...
● Intended to prevent manufacture of tools etc.
● Intended to prevent manufacture of malware etc.
● Somewhat broad.
● on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both
Am I breaking the law?
● Am I authorised to use the system?
● (Get out of jail card)
● Am I intending to gain such access?
● Am I knowingly gaining such access?
● Am I propagating malware?
● Am I developing tools with intent to commit an offence?
How to avoid breaking the Law
● Only use systems that you are authorised to access
● Don't try and guess passwords
● Don't spread malware
● Don't provide articles that can be used to intrude
Issues
● How can “Intent” be proved?
● How can “Knowingly” be proved?
● What happens if there is no authentication check?
● Who was actually responsible (“Someone must have used my password …”)
Precautions
● Develop an Acceptable use policy
● Make all users aware of policy
● Make sure that all login banners specify that only authorised users can progress past this point.
Points to ponder
● Accessing a web page requires access to a computer system.
● Have you been given authority to access that system? How do you know?
● Has an offence been committed?
● Are the manufacturers of web browsers supplying tools to allow intrusion?
● Could you convince the jury (or Judge)?
Questions? Comments?