UK Hacking Laws

I have seen a few posts on various mailing lists and message boards regarding vulnerabilities found on a particular website or application. Is there a danger that security researchers may be convicted for their attempts to discover new vulnerabilities? Even more worrying is the new amendment to the CMA. Having had to review this over the past few weeks, I thought I would summarise the legal “acts” relating to hacking in the United Kingdom and share some future developments.

CMA - Computer Misuse Act, 1990

This act defines three computer hacking offences, as follows:
1. Unauthorised access to a computer system.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised modification of computer material.

HRA - Human Rights Act, 1998

The HRA covers our basic human rights and privileges. Its aim is to “give further effect” in UK law to the rights contained in the European Convention on Human Rights. The area affecting hacking is the “Right to Privacy”: storing or sharing personal information about another person without consent could be a breach of the Human Rights Act.

RIPA - Regulation of Investigatory Powers Act, 2000

“It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission…” RIPA essentially defines what data can be intercepted and in what circumstances, although the act seems to apply mainly to phone systems and the postal service.

The Future

The CMA is outdated. It does not cover areas such as Denial of Service attacks. A number of discussions have taken place this year. More interestingly, however, an amendment to the CMA will include:

A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article –
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3 [of the Computer Misuse Act]; or
(b) believing that it is likely to be so used.

References

http://www.opsi.gov.uk/ACTS/acts1990/Ukpga_19900018_en_1.htm
http://www.opsi.gov.uk/ACTS/acts1998/19980042.htm
http://en.wikipedia.org/wiki/Human_Rights_Act_1998
http://www.opsi.gov.uk/Acts/acts2000/20000023.htm

4 Comments so far

  1. Daniel @ December 4th, 2006

    The CMA is still broken, even with this latest round of updates.

    The problem here is the wording, as with most laws. If we take a public web server as our example: the admin has NOT given one person specific legal, and authorised, access to visit that site, so in the eyes of the law it is unauthorised.

    This line came from the old trespass law and was adapted for the BT hackers (check Wikipedia for the whole story). The problem is that the user visiting the website will not know his/her access is unauthorised unless there is something telling them that. If you recall the old telnet/ssh banners that most people used, well, that was telling them unauthorised access was illegal, but with today's internet, how is that possible?

    Not every site has a banner on each page stating unauthorised action is illegal, hence the majority of web users who visit sites which give error messages are acting illegally in the eyes of the CMA.

    screwed up law, you bet!

    *I spent 1 year looking into the CMA and fighting it in court, so I do have a fair chunk of experience when it comes to this mundane piece of badly written law.

  2. david.kierznowski @ December 4th, 2006

    Daniel, I was hoping you might have some comments on this, having experienced this firsthand yourself. Thanks for your comments.

  3. [...] year I discussed some of the hacking and security laws in the UK on michaeldaw.org; pdp also discussed this on GNUCITIZEN a few months [...]

  4. SecurityTinker @ July 15th, 2007

    Security Tool Controversy…

    It seems like I will avoid Germany now as well. From GNUCITIZEN:…
