Friday 6 April 2012

Computer misuse: hacking, interception and the meaning of "transmission"

There’s been a lot of confusion in the reports concerning the hacking by a Sky News reporter of “Canoe Man” John Darwin’s email account. It’s said that intercepting email is an offence under the Computer Misuse Act 1990. That’s not quite right. Sky's John Ryley pleads “public interest” and it’s said that there is no such defence under the Act. That is right but misses the point.

If the reports are accurate, what the reporter did was uncover that Darwin was using the assumed name “John Jones” and then find, and gain access to, a Yahoo email account being operated by Darwin under that pseudonym. The Guardian says that the reporter did so “in the belief that Yahoo accounts were ‘notoriously weak at the time’,… [and that he was therefore] confident he could gain access with his existing background knowledge.” It sounds, then, likely that the journalist logged on to Yahoo in the normal way and simply guessed the account password. Probably “brute force” would overstate the work needed.

Now, the Computer Misuse Act 1990 does not actually proscribe interception of communications. It does, however, prohibit unauthorised access to data held on a computer:

"1 Unauthorised access to computer material.
(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer …
(b) the access he intends to secure … is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case."

"17 Interpretation.
(2) A person secures access to any program or data held in a computer if by causing a computer to perform any function he—
(b) copies or moves it to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held;
(c) uses it; or
(d) has it output from the computer in which it is held (whether by having it displayed or in any other manner);
(3) For the purposes of subsection (2)(c) above a person uses a program if the function he causes the computer to perform—
(a) causes the program to be executed;
(5) Access of any kind by any person to any program or data held in a computer is unauthorised if—
(a) he is not himself entitled to control access of the kind in question to the program or data; and
(b) he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled"

Guessing someone’s password, accessing their account and reading and printing or otherwise copying their emails would seem to involve securing access to data held on a “computer” (the Yahoo server) in the knowledge that that was unauthorised.

"(3)A person guilty of an offence under this section shall be liable—
(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
(b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
(c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both."

"(2) Subject to subsection (3) below, proceedings for an offence under section 1 above may be brought within a period of six months from the date on which evidence sufficient in the opinion of the prosecutor to warrant the proceedings came to his knowledge.
(3) No such proceedings shall be brought by virtue of this section more than three years after the commission of the offence."

Now, the reporter actually handed over copies of the emails to the police in 2008. On any view, it seems too late for a prosecution under the 1990 Act and all the talk about the lack of a public interest defence (even if the circumstances could conceivably justify such a defence being pled) is wide of the mark. 

That, though, is not an end to Sky’s troubles. It is actually the Regulation of Investigatory Powers Act 2000 which outlaws the “interception” of communications. It provides :

"(2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—
(a) so modifies or interferes with the system, or its operation,
(b) so monitors transmissions made by means of the system, or
(c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,
as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication."

“any system (including the apparatus comprised in it) which exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy”.

But what the reporter is believed to have done would simply get him access to allow him to read all incoming and outgoing messages, after their receipt or sending. He was not able to stop messages from being delivered or read them before delivery. In essence, he would be able only to browse a historical database of messages. Would that amount, as a matter of law, to “interception”? As a matter of ordinary usage, you would think not. Section 2(2) refers specifically to activities done “while [the communication is] being transmitted”. Once a message has been sent or received, and is stored in an inbox or outbox, surely it has already been “transmitted”? Even if that is wrong, what about a message that has not just been delivered or received but actually seen, opened and read by the intended recipient? If someone gets unauthorised access to such a message then other offences might be committed but surely the horse has bolted and it’s too late to “intercept” it?

“(7) For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it.”

These last few words, and the reference to “manner”, seem crucial. If the Act had proscribed accessing (by equating that to intercepting) messages stored “for the purpose of” of “collecting” them then that, arguably at least, would not make unlawful accessing messages that had already been received, opened and read. Such messages would on any definition already have been “collected”. The purpose of storing such messages might be to keep an archive or record but could not be to allow them to be “collected”. However, the matter is put beyond doubt by the form of words “in a manner that enables the intended recipient…to have access to it”. That clearly renders tantamount to unlawful interception any act which allows anyone other than the intended recipient of a message simply to read it whilst it is still capable of being accessed by that intended recipient.

If that is right, the sanctions are significant. Section1(7) of the 2000 Act provides:

"(7) A person who is guilty of an offence under subsection (1) or (2) shall be liable—
(a) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine, or to both;
(b) on summary conviction, to a fine not exceeding the statutory maximum."

"9 Criminal liability of directors etc.
(1) Where an offence under any provision of this Act other than a provision of Part III is committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of—
(a) a director, manager, secretary or other similar officer of the body corporate, or
(b) any person who was purporting to act in any such capacity,

he (as well as the body corporate) shall be guilty of that offence and liable to be proceeded against and punished accordingly."

There is a growing jurisprudence on the penalties that might be visited on those who breach the terms of the Act and the courts seem perfectly willing to sentence offenders to time in jail. The reporter’s immediate boss has already resigned (though that had been planned anyway) but if this turns out to be anything like the News International phone hacking saga, the next few weeks could be interesting.

No comments:

Post a Comment