Legal Implications – Computer Misuse Act
During the 1980’s as the use of computers and telecommunications systems in society grew rapidly, so did incidents of computer related crime. The law as it stood was unable to deal with the new crimes being committed involving computers. The
Government set up a Royal Commission to look at the whole area of computer misuse. This resulted in the government introducing the “Computer Misuse Act 1990”.
The Act contains three sections covering various misuses.
- Unauthorised access to computer material.
- Unauthorised access with intent to commit or facilitate commission of further offences.
- Unauthorised modification of computer material.
The first section deals with “basic hacking”, which is getting access to a computer system, data or a program without permission. If for example a pupil finds the teacher’s password and uses it to access the school computer system, even though no damage to files or data has been done, it is still a crime. This section of the Act only covers unauthorised access of a computer system, so viewing or printing out another users word-processed file without permission is also a crime.
The second section applies to situations when a computer system is being used to help in committing another crime. If a computer is being used to steal money from a bank account or used to help disable an alarm system to aid a robbery then it is covered by this section of the act.
The third section of the Act covers “expert hacking”, which is the modification of data on a computer system without permission. It is this section that covers the deliberate planting of viruses on a computer system. It also covers the deletion or modification of another users file. It could also apply to a student who changes the system setup files on a computer, without permission.
The act covers all grounds, mostly writing it down as ‘hacking’, but can cover a variety of internet crimes. There are many examples of internet crimes all over the news, as there is always a hysteria around ‘hacking’, a lot of people not understanding how the concept works, even though a lot of people can accidentally end up pirating something like software that they use for school or work.
Some examples of high-end or controversial cases of software misuse;
Andrew Auernheimer, a self-professed internet troll, was hardly a sympathetic figure when the government brought hacking charges against him and friend Daniel Spitler in 2011. The two discovered a hole in AT&T’s website that allowed them to obtain the email addresses of AT&T iPad users. When iPad users accessed AT&T’s website, the site recognized their device ID and displayed their email address. Spitler and Auernheimer wrote a script that managed to harvest about 120,000 email addresses by modeling the behavior of thousands of iPads with unique IDs contacting the website. The government insisted that accessing unprotected emails that AT&T didn’t want anyone to access was criminal hacking.
Auernheimer was convicted and sentenced to three and a half years in prison. His conviction, however, was vacated on appeal over the issue of venue—the court ruled that New Jersey, where the case was tried, had no business charging him since none of his crimes occurred in that state. Unfortunately, this meant that the more significant issue addressed by his attorneys on appeal—challenging the government’s claim that accessing data on a public website qualified as hacking—never got resolved.
The government stretched the borders of the CFAA to new dimensions in charging a middle-aged Missouri mother named Lori Drew with hacking in 2008. Prosecutors charged Drew not for breaching a computer, but for violating MySpace’s terms of service after she conspired with three others to open a phony MySpace account as a nonexistent teen named Josh Evans. Drew and her associates used “Evans” to bully a teen girl who had fallen out with Drew’s daughter.
After the girl, who had a history of depression, killed herself, the public pressured authorities to charge Drew with a crime, any crime. There was no law against cyber bullying, so prosecutors charged Drew with unauthorized access to MySpace’s computers because she violated the site’s user agreement. MySpace required that registrants provide factual information about themselves when signing up and also refrain from using information obtained from the site to harass anyone. Prosecutors argued that by violating this contract, Drew had committed the same crime as any hacker. The jury agreed. But the judge ultimately vacated the conviction, on grounds that the government’s interpretation of the CFAA was constitutionally vague and “would convert a multitude of otherwise innocent Internet users into misdemeanor criminals.”
Both cases were seen as pretty controversial at the time, if only because people didn’t quite understand what they were doing, but both were misusing the software and going against said software’s ‘terms of usage’, which is basically agreement you agree to as soon as you use the software. Every piece of software has one and you must agree to it to be able to use it, the company usually making you physically agree to it before even allowing you to access the website.