Computer Misuse Act 1990, Modified by Police and Justice Act 2006

Disclaimer

● These notes do not constitute legal advice.
● If you need legal advice, consult a suitably qualified practitioner.

Introduction

● Prior to 1990 there was no legislation addressing the problems caused by intrusion.
● Introduced in response to a high-profile (at the time) intrusion.
● An attempted prosecution under the Forgeries and Counterfeiting Act 1981 was deemed to be misapplied.

Offences:

● Unauthorised access to computer material
● Unauthorised access with intent to commit or facilitate a crime
● Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
● Making, supplying or obtaining anything which can be used in computer misuse offences

Unauthorised access to computer material

● “Just looking ...”
● Guessing
● Bypassing security
● Enabling others to gain unauthorised access
● Requires “Intent”
● Up to 6 months in prison (Scotland)
● Up to GBP 10000 (currently, Scotland)

...intent to commit or facilitate a crime

● Sole purpose of committing a crime
● Alter, delete or copy data or programs
● Impersonation (e-mail …)
● Forgery, .
● Keyloggers, ,
● Up to 6 months in prison (Scotland)
● Up to GBP 10000 (currently, Scotland)

...recklessness as to impairing, operation of computer, etc.

● Specifically designed to address the spread of used to “crash” system
● Logic bombs, “Time locking”
● ...on conviction on indictment, to imprisonment for a term not exceeding ten years or to a fine or to both ...

Making, supplying or obtaining articles for use in offence ...

● Intended to prevent manufacture of tools etc.
● Intended to prevent manufacture of malware etc.
● Somewhat broad.
● On conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both

Am I breaking the law?

● Am I authorised to use the system? (Get out of jail card)
● Am I intending to gain such access?
● Am I knowingly gaining such access?
● Am I propagating malware?
● Am I developing tools with intent to commit an offence?

How to avoid breaking the Law

● Only use systems that you are authorised to access
● Don't try and guess
● Don't spread malware
● Don't provide articles that can be used to intrude

Issues

● How can “Intent” be proved?
● How can “Knowingly” be proved?
● What happens if there is no authentication check?
● Who was actually responsible? (“Someone must have used my password …”)

Precautions

● Develop an Acceptable Use Policy
● Make all users aware of the policy
● Make sure that all login banners specify that only authorised users can progress past this point.

Points to ponder

● Accessing a web page requires access to a computer system.
● Have you been given authority to access that system? How do you know?
● Has an offence been committed?
● Are the manufacturers of web browsers supplying tools to allow intrusion?
● Could you convince the jury (or Judge)?

Questions? Comments?