What rights you have under the Data Protection Act
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
Computer Misuse Act 1990
1 A person is guilty of an offence if—
(a) he does any unauthorised act in relation to a computer;
(b) at the time when he does the act he knows that it is unauthorised;
(c) either subsection (2) or subsection (3) below applies.
2 This subsection applies if the person intends by doing the act—
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer;
(c) to impair the operation of any such program or the reliability of any such data; or
(d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done.
3 This subsection applies if the person is reckless as to whether the act will do any of the things mentioned in paragraphs (a) to (d) of subsection (2) above.
4 The intention referred to in subsection (2) above, or the recklessness referred to in subsection (3) above, need not relate to—
(a) any particular computer;
(b) any particular program or data; or
(c) a program or data of any particular kind.
5 In this section—
(a) a reference to doing an act includes a reference to causing an act to be done;
(b) “act” includes a series of acts;
(c) a reference to impairing, preventing or hindering something includes a reference to doing so temporarily.
6 A person guilty of an offence under this section shall be liable—
(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
(b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
(c) on conviction on indictment, to imprisonment for a term not exceeding ten years or to a fine or to both.
Case of Schifreen and Gold
Robert Schifreen and Stephen Gold, using conventional home computers and modems in late 1984 and early 1985, gained unauthorised access to British Telecom's Prestel interactive viewdata service. While at a trade show, Schifreen, by doing what latterly became known as shoulder surfing, had observed the password of a Prestel engineer: the username was 22222222 and the password was 1234. This later gave rise to accusations that BT had not taken security seriously. Armed with this information, the pair explored the system, even gaining access to the personal message box of Prince Philip.
Prestel installed monitors on the suspect accounts and passed information thus obtained to the police. The pair were charged under section 1 of the Forgery and Counterfeiting Act 1981 with defrauding BT by manufacturing a "false instrument", namely the internal condition of BT's equipment after it had processed Gold's eavesdropped password. Tried at Southwark Crown Court, they were convicted on specimen charges (five against Schifreen, four against Gold) and fined, respectively, £750 and £600.
Although the fines imposed were modest, they elected to appeal to the Criminal Division of the Court of Appeal. Their counsel cited the lack of evidence showing the two had attempted to obtain material gain from their exploits, and claimed the Forgery and Counterfeiting Act had been misapplied to their conduct. They were acquitted by Lord Justice Lane, but the prosecution appealed to the House of Lords. In 1988, the Lords upheld the acquittal. Lord Justice Brandon said:
We have accordingly come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to exist in this case. The submissions at the close of the prosecution case should have succeeded. It is a conclusion which we reach without regret. The Procrustean attempt to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury which we would not wish to see repeated. The appellants' conduct amounted in essence, as already stated, to dishonestly gaining access to the relevant Prestel data bank by a trick. That is not a criminal offence. If it is thought desirable to make it so, that is a matter for the legislature rather than the courts.
The Law Lords' ruling led many legal scholars to believe that hacking was not unlawful as the law then stood. The English Law Commission (ELC) and its counterpart in Scotland both considered the matter. The Scottish Law Commission (SLC) concluded that intrusion was adequately covered in Scotland under the common law related to deception, but the ELC believed a new law was necessary.
Since the case, both defendants have written extensively about IT matters. Gold, who detailed the entire case at some length in the Hacker's Handbook, has presented at conferences alongside the arresting officers in the case.