Upload File

misuse project

22
Computer Crime & Misuse Computer Misuse Act 1990 (CMA1990) Synopsis A report on understanding the effectiveness of UK computing legislation, how it effects your organisation, and what your organisation can do to complement the legislation. Author(s) Nathan House Issued 28 August 2022 Status Draft v.0.8

Upload: bridgestone55

Post on 06-Nov-2015

228 views

Category:

Documents


3 download

Report

DESCRIPTION

Law

TRANSCRIPT

Computer Crime & Misuse

Computer Crime & Misuse

Computer Misuse Act 1990 (CMA1990)Synopsis

A report on understanding the effectiveness of UK computing legislation, how it effects your organisation, and what your organisation can do to complement the legislation.

Author(s)

Nathan House

Issued

04 May 2005Status

Draft v.0.8

Document History

ReleaseDateDescriptionAuthor(s)Contact Details

0.83rd December 1998DraftNathan House [email protected]

Table of Contents

31Management Summary

2Introduction43The Computer Misuse Act 1990 (CMA1990)53.1CMA 1990 Section 1) The Unauthorised Access Offence73.2CMA 1990 Section 2) The Ulterior Intent Offence83.3CMA 1990 Section 3) The Unauthorised Modification Offence94The Effectiveness of the Computer Misuse Act 1990104.1The Unauthorised Access Offence104.2The Ulterior Intent Offence114.3The Unauthorised Modification Offence114.4How does all this effect your company?125Conclusions136References146.1Books146.2Reports156.3Web sites16

1 Management Summary

This report will be looking at the law that governs computer misuse in the United Kingdom, this being the Computer Misuse Act of 1990. I will be discussing the offences under the act and then reflecting on there effectiveness.

I have chosen to look at the law of computer crime as I feel it is an important professional issue that can be explored in some depth. This is not the only legislation that effects computers, but is the most coherent approach to preventing computer misuse in the United Kingdom today.

2 Introduction

We have now become to rely very heavily on computers to make our lives easier. We see computers at home and at work but the computers we don't see help provide our electricity, gas and telecommunications. We have become to rely so heavily on these machines that without them we would be in serious trouble, no phones, no electricity, even no money. An example of one such computer Armageddon is the potential Y2K bug, nobody quite knows for sure what will really happen, will it pass as if nothing happened? or will everything grind to a halt?, or maybe somewhere in between the two, who knows. Computer misuse and crime is another way in which computers can be effected and thus causing problems to people and organisations. Computer use grows every day and along with wide spread computer use comes computer crimes. The growth of the Internet, more people becoming computer literate, computers and networks becoming more accessible, and the increasing number of people now using computers can be apportioned to the growth in computer crime. As we rely so much on computers we need effective control and legislation over them to help control crime and misuse.

3 The Computer Misuse Act 1990 (CMA1990)

The most notable item of legislation in the United Kingdom relating to computer hacking and viruses is the Computer Misuse Act of 1990. Brought together under controversy it introduced from the 1st September 1990, three new offences.

[-CMA1990] The Unauthorised Access Offence

The Ulterior Intent Offence

The Unauthorised Modification Offence

[-CMALC]

The CMA was introduced as a Private Members Bill which was unusual for a law relating to the imposition of criminal sanctions. It was thought at the time that the Queen would be announcing legislative proposals relating to computer misuse in her annual speech. In anticipation of this, the Law Commission's report was speeded up to such an extent that it failed to undergo the normal procedures of a draft bill. Thus the Law Commission's Report was almost the only focus for the details of the act.

[-CCSCC]

Strangely, only two years previous in 1986 the Scottish Law Commission produced its own report on computer related crime and misuse. This report was never actually used to aid the drawing up of the 1990 act as it was deemed out of date due to the rapid change of the computing industry. The two reports were actually radically different even though they were only separated by less than 2 years. What does this tell us about the relevance of a report commissioned 8 years ago and the effectiveness of an act that was almost solely drawn from it.

The need for new legislation was identified during the 1980's when it was realised that existing laws for computer crime was extremely limited. [-KNPCMA]In the example of R. v Gold 1988; The defendants broke into a database using usernames and passwords which they had gathered without authority to do so. The defendants then modified data and obtained information. With no specific legislation for crimes of this sort the defendants were charged under the "Forgery and Counterfeiting Act 1981". The prosecutors arguing that the defendants used usernames and passwords thus creating a false instrument. The defendants were eventually acquitted on appeal, as usernames and passwords were not deemed as a false instrument.

The CMA 1990 introduced a new type of legislation other than what would be deemed normal law. Standard law practice for prosecution states that a person must move beyond the planning stage of the offence they are preparing to commit before prosecution. Or in other words before putting plans into action. In standard law a person can plan to commit an offence, but, if they never action that plan then they have not committed the offence. Some legislation differs from this, the CMA 1990 is just such one. Unfortunately the line between planning and putting plans into action has always been a difficult subject to resolve. The CMA 1990 had a need for legislation's in this area as the time between plan and action in computing turns can be a matter of seconds. An estimate has been made that all the foreign currency reserves could be transferred electronically in 15 minutes, a statement the author read in the computing press, there was no mention as to how they arrived at this figure. How true this estimate is, is unknown, suffice to say money, and vast amounts of money, can be now moved electronically in the blink of an eye. The CMA 1990 addresses this to some degree by creating the Unauthorised Access Offence. A person who has not actually caused damage, but only gained access has committed an offence under section 1 of CMA 1990. This person is in the planning stage of his offence but can still be prosecuted under the CMA 1990.

The Acts three new offences were designed to avoid the "tangible evidence" difficulties. Below is the authors summary of the offences.

3.1 CMA 1990 Section 1) The Unauthorised Access Offence

This offence is considered to be relatively minor and can be dealt with in Magistrate's courts. This offence itself deals with computer misuse, where a person is without the intent to commit serious crime. A serious crime could be deemed as fraud for example. It is also stated that there need not be intention to cause harm. This offence now making the act of hacking without the intention to cause harm an offence. - Gaining unauthorised access.

From the offence;

[-CMA1990](a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that this is the case.

Fine: Maximum 2000

Imprisonment: Maximum 6 months

3.2 CMA 1990 Section 2) The Ulterior Intent Offence

This offence is considered to be a serious offence which is dealt with by the Crown Court. Offenders under this offence are subject to serious penalties. This offence deals with unauthorised access to computer systems with specific intent of committing, or facilitating the commission, of a serious crime. Appliance of the (CMA Section 1)Unauthorised Access Offence is a pre-requisite for appliance of the (CMA Section 2) Ulterior Intent Offence. Thus a person must have committed the offence of Unauthorised Access to then commit an offence under the Ulterior Intent Offence. For example, a person must gain unwanted access to a system to then be charged with intent to commit a serious crime on that system. - An intent to commit a serious crime.

From the offence;

[-CMA1990](a)A person is guilty of an offence under this section if he commits an offence under section 1 above "the Unauthorised Access Offence" with intent - pre-requisite(b) to commit an offence to which this section applies; or

(c) to facilitate the commission of such an offence (whether by himself or any other person).

Fine: Unlimited

Imprisonment: Maximum 5 years

3.3 CMA 1990 Section 3) The Unauthorised Modification Offence

This offence is also considered to be serious and is also dealt with by the Crown Court. Offenders under this offence are subject to serious penalties. This offence deals with the unauthorised modification of computer based data and information. This would also include viruses, worms, logic bombs, Trojans and other such similar programs. The degree to which the defendant was intent to commit unauthorised modification must also be attained and proven. The offence can only be committed by a person who had intent to commit an act which then alters the contents of a computer system in a way that then impairs its operation. Simply adding words to a word processed document with intent, that then cause impairment to operation would fall under this offence.

From the offence;

[-CMA1990](a) he does any act which causes an unauthorised modification of the contents of any computer, and

(b) at the time when he does the act he has the requisite intent and the requisite knowledge.

and by so doing..

(c) to impair the operation of any computer.

Fine: Unlimited

Imprisonment: Maximum 5 years

To be noted CMA 1990 is discriminate as it uses the word "he" in reference to person(s).

4 The Effectiveness of the Computer Misuse Act 1990

This report will know look into the effectiveness of the CMA 1990 in regards to computer misuse.

Computer Crime in the UK is investigated mainly by the Computer Crime Unit at New Scotland Yard. The CCU also liases with BT and Mercury for further investigation of hacking, and also virus attacks.

[-LEF]In analysing this offence, reports produced on it and looking at cases brought under the act the author thoughts and conclusions are;

4.1 The Unauthorised Access Offence

The word computer is not defined leaving the offence extremely broad.

Two key features of the offence are the requirement that;

"An attempt must be made to cause a computer to perform a function"

"and with the intention that this should enable access to any program or data stored in it"

Theses statement are subject to extreme definition. For example any act performed on a computer will perform a function. Also it is not necessary that the person committing the act can see the program they are accessing. So under the Unauthorised Access Offence a person could access the operation of a CD player (play a CD) which was unauthorised by the owner of the CD player thus be committing an offence under section one of CMA 1990! The offence proves the difficulty of having unauthorised access to an object an offence.

A person must know that they are committing unauthorised access, or a least this must be proven. The question whether access is unauthorised will be determined by reference to the state of mind of the computer owner or of the person entitled to control access. Again subject to definition. Also if a person has access to one part of a system and not to another, It must be proved that when accessing parts he was unauthorised to that he new that this was the case.

The intention of the user must be proved, and that the accused knew that his or her access was unauthorised, in order to secure a conviction. The fact that a party should have suspected that their attentions of access were unwanted would not suffice.

Generally subject to definition with some statements difficult to prove.

4.2 The Ulterior Intent Offence

To secure a conviction under this offence a person must be first found to have committed the unauthorised access offence to them be convicted of the ulterior intent offence. This in itself limits the use of the ulterior intent offence as the unauthorised access offence must be a proven pre-requisite to secure conviction.

A distinction exists between unauthorised access and unauthorised use of access. Although much will once again depend upon the facts of a particular case, it may be difficult to establish that an authorised user has stepped sufficiently far outside any access rights as to commit the Ulterior Intent Offence.

Matters are not so straightforward where the conduct which allegedly constitutes the ulterior intent offence possesses an international dimension.

4.3 The Unauthorised Modification Offence

The offence may be committed only by a party who acts intentionally. Negligent or even reckless conduct will not suffice. This can be difficult to prove.

Covers distributors of virus for every system it infects assuming the necessary intention is established.

It could be argued that the offence may also cover acts that would not normally be considered as criminal. For example simply adding words to a word processed document with intent, that then cause impairment to operations would fall under this offence.

It is important to note that under Section 3 (1) (b) the different degree of intent on the part of the defendant that the prosecution has to prove. It is possible that proving this degree of intent may now be becoming a potentially fatal problem for the Act.

It is clear from the above conclusion, reports produced on the CMA 1990 and cases brought under the act that there are a number of problems with it. The CMA has not provided a complete answer to the problem, but it has gone some way towards it.

There are many omissions and loopholes to the offence for example: When a diskette is inserted into a computer's disk drive, it is treated as being a part of the computer, and any unauthorised access to or modification of it will therefore be an offence. However, when the diskette is outside the computer, the Act will not apply.

[-CMA5Y]

The English Law Commission wrote of its proposed offences in 1989 that:

"we do not see the main justification... as being that [they] will necessarily secure the conviction of a large number of individuals. Rather, the criminalisation of hacking will... change the climate of opinion, by removing the present aura, if not of acceptability then at least of fun, that surrounds hacking."

So from this statement we can conclude that the acts purpose was of prevention, more than one of prosecution. But has it worked?

The act has not been as effective a deterrent as one might have hoped. This is due to a number of other factors that need to be achieved in order for the act to reach its full potential. These include: greater awareness of the Act, the willingness of victims to prosecute, greater police expertise, and the adoption by computer owners of complementary security and disciplinary policies.

It may also be that the evidence on hacking - although it is far from substantial - does indicate the beginning of a downward trend. Steven Saxby has written that;

"some survey figures may be mis-leading... as hacking may have been classified under another category... [the Act] does seem to have had a deterrent effect in this area".

[- EDPL]

4.4 How does all this effect your company?

[-DIMG]

Companies are often reluctant to bring cases of hacking and virus penetration to court because of the bad publicity that may be engendered. However, there are signs that this attitude may be changing as the widespread nature of the problem becomes more fully recognised.

The Police can meet with considerable difficulties when collecting evidence: Telecommunications companies and many others such as ISPs are not obliged to reveal information.

Mainframe computers cannot be retained as evidence - the Police have to rely on local expertise and advice as to what material to download.

Files can be erased without trace.

Juries appear to view hackers (and perhaps virus spreaders) as maverick "Robin Hood" characters pitting their wits against the 'system'. Sentences are perceived as being much too light in comparison with the seriousness of the offence.

Judges and barristers/advocates lack the specialist knowledge of computers to apply the law as it was intended - they tend to make inappropriate interpretations.

5 Conclusions

The CMA 1990 is at present the most coherent approach to preventing, dealing with and thinking about problems of computer misuse in the United Kingdom today.

Today as mentioned earlier, we rely on computers even more then ever before, even more today than back in 1990 just eight years ago. More operations are becoming computerised, this is because computerisation makes our operations more efficient and more effective. The more we become reliant, the more we need to be aware of protecting what we become to rely on.

[-CMALC]

The CMA 1990 is the United Kingdoms first attempt to legislate and control the act of computer misuse. It is used more as a preventative law than a solid law for prosecution.

With regard to hacking for fun the law is useful. Some people are obviously genuinely put off with the possibility of being prosecuted. Before 1990 people were more complacent as the acts they were committing were not really offences. This is obviously dependant on peoples knowledge of the offence in the first place though. With a greater awareness of the Act, the willingness of victims to prosecute, greater police expertise, and the adoption by computer owners of complementary security and disciplinary policies the act would be a complementary law.

In the authors opinion an improvement would be to concentrate more on the severity of actions committed rather than the unimportant detail that it was committed on a computer.

[-KNPCMA]There has been a low number of prosecutions in relation to incidents reported. As the Law Commission wrote of its proposed offences in 1989, that it was hoped to be an effective preventative measure, unfortunately this has not really been the case. But it can also be argued, with increasing computerisation and computer knowledge constantly growing, crime in parallel will increase. The laws effectiveness would be more measurable on a static industry. Everything subject to interpretation as the saying suggests - "There are Lies, Damn lies and Statistics"

Used intelligently the CMA 1990 is an effective way of dealing with misuse. As noted earlier; to be found guilty of the Unauthorised Access Offence a person must be aware that what they are accessing is unauthorised, and there knowledge of this must then be proved. An example of an intelligent use of this offence would be; For example in an organisation when logging onto an NT Workstations a prompt could inform the user that;

"Unauthorised access is an offence under section 1 of the Computer Misuse Act, any unauthorised access will be prosecuted"

This being a simple registry setting. The university then able to prove more easily that a user was fully aware of their unauthorised access.

The act does have problems, but it provides the UK with its first legislation to control computer misuse. With a sound framework it is the base for prevention and control of computer misuse today, and the building block for tomorrow.

6 References

Alphabetical order-

6.1 Books

[-BCSGSP]

Guidelines - British Computing Society on good security practice

Edited by Raj Middleton

[-CSCS]

Common-sense Computer Security - Mcgrey Hill

Martin R.Smith

[-CUKE]

The Cuckoo's Egg, The Bodley Head, 1990.

C Stoll

[-HTH]

Halting the Hacker - A practical guide to computer security

Donald L PIPKIN

[-NHD]

The New Hacker's Dictionary (2nd Edition), MIT Press, 1993E S Raymond

6.2 Reports[-BBCW] Big blue to help users foil computer thieves Computer Weekly 2 Dec 1993.[-CAC]

Crime and the Computer, Clarendon Press, 1990.

M Wasik,

[-CMA1990]

Computer Misuse Act 1990 CMA1990

Legislation draw up from Law commissioners report, came into action 1st September 1990

[-CCSCC]

Computer Crime, Scottish Law Commission Consultative Memorandum No 68 (1986) and Report (Cm 174) 1987.[-CMA5Y]

THE COMPUTER MISUSE ACT 1990: 5 YEARS ON

Rupert Battcock

[-CMALC]

Computer Misuse, Law Commission Working Paper No 110 (1988) and Report No 186 (1989).[-EDPL] Encyclopedia of Data Protection Law Dec 1994 update. The number of hacking incidents actually decreased from the 1987 survey to the 1990 survey - which also casts doubt on the actual deterrent effect of the Act.

[-HUN]

Hacking - The Unauthorised Access of Computer Systems; The Legal Implications, 52 Modern Law Review

D Bainbridge[-KNPCMA]

Known Prosecutions Under the Act

Compiled by Rupert Battcock[-SCFA]

Survey of Computer Fraud and Abuse, The Audit Commission for Local Authorities and the National Health Service in England and Wales, 1982, 1985, 1987, 1991.

6.3 Web sites

[-DIMG]

Detective Inspector Michael Gorrill, Greater Manchester Police Commercial Fraud Squad

A web page that was written by above. From home page of [email protected]

http://www.nerc.ac.uk\serv\index.html

[-LEF]

The Law and the Electronic Frontier

http://law-www-server.law.strath.ac.uk/diglib/book/criminal/

PAGE


Quality Insights’ Special Innovation Project (SIP): Opioid Misuse … · Quality Insights’ Special Innovation Project (SIP): Opioid Misuse and Diversion. Special Innovation Projects

Opiate substance misuse

Drug Misuse

Substance Misuse Disorders

Misuse and Exhaustion

Brief Project Report 15 February 2010 APEC Training Program for Preventive Education on ICT Misuse

Misuse detection systems

Misuse IFIP99

Misuse Confidence

The Evaluation of Four Early Intervention Substance Misuse ... report Part 2.pdf · Section 3: Lewisham Yot Substance Misuse Intervention 12 - 25 Referral to the project 12 Profile

Computer misuse

Drug Misuse Declared

North West ‘Through the Gate Substance Misuse Services ...€¦ · North West ‘Through the Gate Substance Misuse Services’ Drug Testing Project Page 1 of 232 Secondary Title

Preventing Misuse & Abuse

Anti Biotics Misuse

The Project Gutenberg EBook of The Misuse of Mind, by Karin …intersci.ss.uci.edu/wiki/eBooks/BOOKS/Bergson/The Misuse of Mind... · and the new ones which we must adopt in order

North West ‘Through the Gate Substance Misuse Services’ Drug Testing Project€¦ ·  · 2017-07-18North West ‘Through the Gate Substance Misuse Services’ Drug Testing Project

misuse of science

POLITICAL MISUSE OF DOMESTIC INTELLIGENCE/67531/metadc3223/m2/1/high_res_… · instrument of political misuse, oppression and intimidation (Elliff, 1971). This project involves a

WORKSHOP ON DRUGS MISUSE CLASS, CONSEQUENCES, LAW AND IMPRISONMENT. 12/10/2015Salisa Project, funded by Newham1 Organised by Salisa Project

Maine’s Prescription Monitoring Program Daniel J. Eccher, MPH Project Coordinator Prescription Drug Misuse: A Community Challenge

Constitution Law Project on Misuse of Article 356

IV = 0 Security Cryptographic Misuse of Libraries · IV = 0 Security Cryptographic Misuse of Libraries Somak Das Vineet Gopal Kevin King Amruth Venkatraman 6.857 Final Project May

Parental Substance Misuse

Why Project ECHO? Prescription Drug Abuse and Misuse in Delaware

Misuse of Language

Misuse of Internet

Stimulants of Misuse

MHPSS Leaflets_Alcohol Misuse

Alcohol misuse in adolescents - Trusted Writer Misuse in Adolescents_N… · Adolescents, alcohol and alcohol misuse, health promotion, substance misuse Review All articles are subject

Project Painter Plus 3A0248D - Gracomagnum.graco.com/downloads/manuals/3A0248D.pdf · Warnings 4 3A0248D EQUIPMENT MISUSE HAZARD Misuse can cause death or serious injury. † Always

Computer Misuse Act

Misuse Cases - RITse555/Misuse Cases.pdfmetaphor to requirements elicitation • Make the reasoning behind affected requirements immediately ... Templates for Misuse Case Descriptions

8 Licensing & Misuse

Misuse of Alcohol