Cybercrime Flashcards

1
Q

Offences under the Computer Misuse Act 1990

A

The Computer Misuse Act 1990 ensures the United Kingdom’s compliance with the European Union Framework Decision on Attacks Against Information Systems. This compliance requires that penalties relating to ‘hacking’ into computer systems, unauthorised access to computer material, the intentional serious hindering of a computer system and importing tools for cyber crime reflect the seriousness of the criminal activities that can be involved in committing these offences.

2
Q

Unauthorised Access to Computer Material (‘Hacking’)—Computer Misuse Act 1990, s. 1

A
  • Triable either way
  • Two years’ imprisonment and/or a fine on indictment
  • Six months’ imprisonment and/or a fine summarily

The Computer Misuse Act 1990, s. 1 states:
(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer or to enable any such access to be secured;
(b) the access he intends to secure, or enable to be secured, is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.

3
Q

Unauthorised Access to Computer Materials

A

‘Computer’ is not defined and therefore must be given its ordinary meaning. Given the multiple functions of many electronic devices such as mobile phones, this could arguably bring them within the ambit of the Act.

This offence involves ‘causing a computer to perform any function’, which means more than simply looking at material on a screen or having any physical contact with computer hardware. In the latter case an offence of criminal damage may be appropriate. Any attempt to log on would involve getting the computer to perform a function (even if the function is to deny you access!).

Any access must be ‘unauthorised’. If the defendant is authorised to access a computer, albeit for restricted purposes, then it was originally held that he/she did not commit this offence if he/she then used any information for some other unauthorised purpose (e.g. police officers using data from the Police National Computer (PNC) for private gain (DPP v Bignell [1998] 1 Cr App R 1)). However, in R v Bow Street Metropolitan Stipendiary Magistrate, ex parte Government of the USA [2000] 2 AC 216 it was held that where an employee accessed accounts that fell outside his normal scope of work and passed on the information, in this instance to credit card forgers, he was not authorised to access the specific data involved.

Essentially, the purpose of this section is to address unauthorised access as opposed to unauthorised use of data, and behaviour such as looking over a computer operator’s shoulder to read what is on the screen would not be covered.

In order to prove the offence under s. 1 you must show that the defendant intended to secure access to the program or data. This is therefore an offence of ‘specific intent’ and lesser forms of mens rea such as recklessness will not do.

You must also show that the defendant knew the access was unauthorised.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) regulate the use of cookies and internet tracking devices, along with the use of unsolicited email and text messages. Guidance on their extent and practical effect is prepared by the Office of the Information Commissioner.

The powers of entry, search and seizure under the Police and Criminal Evidence Act 1984 apply to this offence.

4
Q

The 1990 Act defines a number of its terms at s. 17 which states:

A

(2) A person secures access to any program or data held in a computer if by causing a computer to perform any function he—
(a) alters or erases the program or data;
(b) copies or moves it to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held;
(c) uses it; or
(d) has it output from the computer in which it is held (whether by having it displayed or in any other manner);
and references to access to a program or data (and to an intent to secure such access) shall be read accordingly.
(3) For the purposes of subsection (2)(c) above a person uses a program if the function he causes the computer to perform—
(a) causes the program to be executed; or
(b) is itself a function of the program.
(4) For the purposes of subsection (2)(d) above—
(a) a program is output if the instructions of which it consists are output; and
(b) the form in which any such instructions or any other data is output (and in particular whether or not it represents a form in which, in the case of instructions, they are capable of being executed or, in the case of data, it is capable of being processed by a computer) is immaterial.
(5) Access of any kind by any person to any program or data held in a computer is unauthorised if—
(a) he is not himself entitled to control access of the kind in question to the program or data; and
(b) he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled,
but this subsection is subject to section 10.
(6) References to any program or data held in a computer include references to any program or data held in any removable storage medium which is for the time being in the computer; and a computer is to be regarded as containing any program or data held in any such medium.
. . .
(8) An act done in relation to a computer is unauthorised if the person doing the act (or causing it to be done)—
(a) is not himself a person who has responsibility for the computer and is entitled to determine whether the act may be done; and
(b) does not have consent to the act from any such person.

In this subsection ‘act’ includes a series of acts.

5
Q

Definition of Terms

A

Securing access will therefore include:

  • altering or erasing a program or data;
  • copying or moving a program or data to a new storage medium;
  • using data or having it displayed or ‘output’ in any form from the computer in which it is held.

Under s. 17(5) access is ‘unauthorised’ if the person is neither entitled to control that type of access to a program or data, nor does he/she have the consent of any person who is so entitled. The provision under s. 17(5)(a) was the basis for the decision in Bow Street (see para. 2.5.2.1). This definition does not affect the powers available to any ‘enforcement officers’, i.e. police officers or other people charged with a duty of investigating offences (s. 10).

6
Q

Unauthorised Access with Intent to Commit Further Offences—Computer Misuse Act 1990, s. 2

A
  • Triable either way
  • Five years’ imprisonment and/or a fine on indictment
  • Six months’ imprisonment and/or a fine summarily

The Computer Misuse Act 1990, s. 2 states:
(1) A person is guilty of an offence under this section if he commits an offence under section 1 above (‘the unauthorised access offence’) with intent—
(a) to commit an offence to which this section applies; or
(b) to facilitate the commission of such an offence (whether by himself or by any other person);
and the offence he intends to commit or facilitate is referred to below in this section as the further offence.
(2) This section applies to offences—
(a) for which the sentence is fixed by law; or
(b) for which a person of twenty-one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years (or, in England and Wales, might be so sentenced but for the restrictions imposed by section 33 of the Magistrates’ Courts Act 1980).
(3) It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion.
(4) A person may be guilty of an offence under this section even though the facts are such that the commission of the further offence is impossible.

7
Q

Unauthorised Access to Computers with Intent

A

The defendant must be shown to have had the required intent at the time of the access or other actus reus.

The intended further offence does not have to be committed at the same time, but may be committed in future (e.g. where the data is used to commit an offence of blackmail or to secure the transfer of funds from a bank account).

The provision as to impossibility (s. 2(4)) means that a person would still commit the offence if he/she tried, say, to access the bank account of a person who did not in fact exist.

8
Q

Unauthorised Acts with Intent to Impair, or with Recklessness as to Impairing, Operation of Computer, etc.—Computer Misuse Act 1990, s. 3

A
  • Triable either way
  • 10 years’ imprisonment and/or a fine on indictment
  • Six months’ imprisonment and/or a fine summarily

The Computer Misuse Act 1990, s. 3 states:
(1) A person is guilty of an offence if—
(a) he does any unauthorised act in relation to a computer;
(b) at the time when he does the act he knows that it is unauthorised; and
(c) either subsection (2) or subsection (3) below applies.
(2) This subsection applies if the person intends by doing the act—
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.
(3) This subsection applies if the person is reckless as to whether the act will do any of the things mentioned in paragraphs (a) to (c) of subsection (2) above.

9
Q

Unauthorised Acts with Intent to Impair Operation of Computer, etc.

A

This section is designed to ensure that adequate provision is made to criminalise all forms of denial of service attacks in which the attacker denies the victim(s) access to a particular resource, typically by preventing legitimate users of a service accessing that service. An example of this is where a former employee, acting on a grudge, impaired the operation of a company’s computer by using a program to generate and send 5 million emails to the company (DPP v Lennon [2006] EWHC 1201 (Admin)).

The intention referred to in s. 3(2), or the recklessness referred to in s. 3(3), need not relate to any particular computer, any particular program or data, or a program or data of any particular kind (s. 3(4)). An ‘unauthorised act’ can include a series of acts, and a reference to impairing, preventing or hindering something includes a reference to doing so temporarily (s. 3(5)).

The ‘hindering’ provided by this section is intended to cover programs that generate denial of service attacks, or malicious code such as viruses.

Causing a computer to record that information came from one source when it in fact came from another clearly affects the reliability of that information for the purposes of s. 3(2)(c) (Zezev v USA; Yarimaka v Governor of HM Prison Brixton [2002] EWHC 589 (Admin)).

10
Q

Unauthorised Acts Causing, or Creating Risk of, Serious Damage—Computer Misuse Act 1990, s. 3ZA

A
  • Triable on indictment
  • 14 years’ imprisonment and/or a fine

The Computer Misuse Act 1990, s. 3ZA states:
(1) A person is guilty of an offence if—
(a) the person does any unauthorised act in relation to a computer;
(b) at the time of doing the act the person knows that it is unauthorised;
(c) the act causes, or creates a significant risk of, serious damage of a material kind; and
(d) the person intends by doing the act to cause serious damage of a material kind or is reckless as to whether such damage is caused.
(2) Damage is of a ‘material kind’ for the purposes of this section if it is—
(a) damage to human welfare in any place;
(b) damage to the environment of any place;
(c) damage to the economy of any country; or
(d) damage to the national security of any country.
(3) For the purposes of subsection (2)(a) an act causes damage to human welfare only if it causes—
(a) loss to human life;
(b) human illness or injury;
(c) disruption of a supply of money, food, water, energy or fuel;
(d) disruption of a system of communication;
(e) disruption of facilities for transport; or
(f) disruption of services relating to health.
(4) It is immaterial for the purposes of subsection (2) whether or not an act causing damage—
(a) does so directly;
(b) is the only or main cause of the damage.

11
Q

Unauthorised Acts Causing, or Creating Risk of, Serious Damage

A

Reference to doing an act includes a reference to causing an act to be done, and ‘act’ includes a series of acts. In reference to a country, this includes a reference to a territory, and to any place in, or part or region of, a country or territory (s. 3ZA(5)).

Where an offence under this section is committed as a result of an act causing or creating a significant risk of serious damage to human welfare of the kind mentioned in s. 3ZA(3)(a) or (b), or serious damage to national security, a person guilty of the offence is liable, on conviction on indictment, to imprisonment for life, or to a fine, or to both (s. 3ZA(7)).

Section 3ZA(1) sets out the elements of the offence. The actus reus (or conduct element) is that the accused undertakes an unauthorised act in relation to a computer (as in s. 3(1)(a) of the 1990 Act) and that act causes, or creates a significant risk of causing, serious damage of a material kind. The mens rea (namely the mental elements of the offence) is that the accused, at the time of committing the act, knows that it is unauthorised (as in s. 3(1)(b) of the 1990 Act) and intends the act to cause serious damage of a material kind or is reckless as to whether such damage is caused. An unauthorised act is defined in s. 17(8) of the 1990 Act as an act where the person doing the act does not have responsibility for the computer in question, which would thereby entitle him or her to determine whether the act is undertaken, and does not have the consent of the person responsible for the computer to commit the act.

12
Q

Making, Supplying or Obtaining Articles for Use in Offences under s. 1, 3 or 3ZA—Computer Misuse Act 1990, s. 3A

A
  • Triable either way
  • Two years’ imprisonment and/or a fine on indictment
  • Six months’ imprisonment and/or a fine summarily

The Computer Misuse Act 1990, s. 3A states:
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA.
(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA.
(3) A person is guilty of an offence if he obtains any article—
(a) intending to use it to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA, or
(b) with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA.
(4) In this section ‘article’ includes any program or data held in electronic form.

13
Q

Making, Supplying or Obtaining Articles for Use in Offences under s. 1, 3 or 3ZA

A

This section creates three offences designed to combat the market in electronic tools, such as ‘hacker tools’ which can be used for hacking into computer systems, and the increase in the use of such tools in connection with organised crime.

The Serious Crime Act 2015 amended s. 3A(3) of the 1990 Act to ensure that the offence provided for in s. 3A also applies to the making etc. of hacker tools intended to be used to commit the new s. 3ZA offence. Under the existing offence, the prosecution was required to show that the individual obtained the tool with a view to its being supplied for use to commit, or assist in the commission of an offence under s. 1 or 3 of the Act. Subsection (3) has been extended to include an offence of obtaining a tool for use to commit a Computer Misuse Act offence (including one under the new s. 3ZA) regardless of an intention to supply that tool.

14
Q

The Data Protection Act 2018

A

The Data Protection Act 2018 is intended to provide a comprehensive legal framework for data protection in the UK. It sets standards for protecting personal data, in accordance with the General Data Protection Regulation (EU) 2016/679 (‘GDPR’). The GDPR forms part of the data protection regime alongside the 2018 Act.

The four main matters provided for are general data processing, law enforcement data processing, data processing by the intelligence services, and regulatory oversight and enforcement.

The responsibility for compliance with the principles relating to processing of personal data rests on the shoulders of the ‘controller’, meaning an employer, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (Article 2(d) of the GDPR). The controller is required to notify the supervisory authority before starting to process data.

Regulatory oversight of the GDPR in the UK is undertaken by the Information Commissioner, as supervisory authority, who monitors the data protection level, gives advice to the government about administrative measures and regulations, and starts legal proceedings when the data protection regulation has been violated (Article 28).

Individuals may lodge complaints about violations to the Information Commissioner.

15
Q

The Data Protection Act 2018, s. 2 states:

A

(1) The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by —
(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis,
(b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
(c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.

16
Q

Personal Data

A

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (Article 6).

‘Personal data’ means any information relating to an identified or identifiable living individual.

‘Identifiable living individual’ means a living individual who can be identified, directly or indirectly, in particular by reference to —

(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(Article 2a of the GDPR)

Data are ‘personal data’ when someone is able to link the information to a person, even if the person holding the data cannot make this link. Some examples of ‘personal data’ are: address, credit card number, bank statements, criminal record etc.

The GDPR covers the processing of personal data in two ways: personal data processed wholly or partly by automated means (i.e. information in electronic form); and personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (i.e. manual information in a filing system). The notion of ‘processing’ means ‘any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction’ (Article 2(b)).

The data subject has the right to be informed when his/her personal data is being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair (Articles 10 and 11).

Data may be processed only if at least one of the following is true:

  • when the data subject has given his/her consent (Article 7);
  • when the processing is necessary for the performance of or the entering into a contract;
  • when processing is necessary for compliance with a legal obligation;
  • when processing is necessary in order to protect the vital interests of the data subject;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.

The data subject has the right to access all data processed about him/her. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or not being processed in compliance with the data protection rules (Article 12).

In relation to Article 7, the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; the data should not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Appropriate safeguards may be adopted for personal data stored for longer periods for historical, statistical or scientific use (Article 6).

17
Q

Sensitive Personal Data

A

Some of the personal data that may be processed can be more sensitive in nature and therefore requires a higher level of protection. The GDPR refers to the processing of this data as ‘special categories of personal data’. This means personal data about an individual’s:

  • race;
  • ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data (where this is used for identification purposes);
  • health data;
  • sex life; or
  • sexual orientation.

Keynote

There must still be a lawful basis for processing special category data under Article 6, in exactly the same way as for any other personal data.

This type of data could create more significant risks to a person’s fundamental rights and freedoms, for example, by putting them at risk of unlawful discrimination. Additional specific conditions need to be satisfied in relation to this type of data (Article 9(2)).

The processing of the personal data of a child is lawful where the child is at least 16 years old. Where the child is below the age of 16 years, the consent or authorisation of the holder of parental responsibility is required (Article 8).

18
Q

Data Protection Principles

A

The six data protection principles are central to GDPR compliance and all organisations are required to comply and demonstrate privacy by design.

The GDPR requires organisations to show how they comply with the principles, for example, by documenting the decisions they take about a processing activity.

The principles provided by Article 5 of the GDPR require that personal data shall be:

1. processed lawfully, fairly and in a transparent manner in relation to individuals;
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
19
Q

In brief the seven key principles of the GDPR are:

A
  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
20
Q

Offences Relating to Personal Data

A

The 2018 Act creates a number of offences in relation to personal data, proceedings for which can only be instigated by the Commissioner, or with the consent of the Director of Public Prosecutions.

These offences include:

  • Unlawful obtaining etc. of personal data (s. 170).
  • Re-identification of de-identified personal data (s. 171).
  • Alteration etc. of personal data to prevent disclosure to data subject (s. 173).

Specific defences are provided in relation to these offences including where it was necessary for the purposes of preventing or detecting crime.

All these offences are triable summarily and punishable by a fine.

21
Q

Malicious Communications—Malicious Communications Act 1988, s. 1(1)

A
  • Triable either way
  • Two years’ imprisonment and/or a fine on indictment
  • Six months’ imprisonment and/or a fine summarily

The Malicious Communications Act 1988, s. 1 states:
(1) Any person who sends to another person—
(a) a letter, electronic communication or article of any description which conveys—
(i) a message which is indecent or grossly offensive;
(ii) a threat; or
(iii) information which is false and known or believed to be false by the sender; or
(b) any article or electronic communication which is, in whole or part, of an indecent or grossly offensive nature,
is guilty of an offence if his purpose, or one of his purposes, in sending it is that it should, so far as falling within paragraph (a) or (b) above, cause distress or anxiety to the recipient or to any other person to whom he intends that it or its contents or nature should be communicated.

22
Q

Malicious Communications

A

‘Sending’ will include transmitting (note that this offence is complete as soon as the communication is sent).

‘Purposes’ is simply another way of saying ‘intention’.

Section 1(1)(b) covers occasions where the article itself is indecent or grossly offensive (such as putting dog faeces through someone’s letter box).

The offence is not restricted to threatening or indecent communications and can include giving false information provided that one of the sender’s purposes in so doing is to cause distress or anxiety. The relevant distress or anxiety may be intended towards the recipient or any other person.

In addition to letters, the above offence also covers any article; it also covers electronic communications which include any oral or other communication by means of an electronic communications network. This will extend to communications in electronic form such as emails, text messages, pager messages, social media, etc. (s. 1(2A)).

It is clear from s. 1(3) that the offence can be committed by using someone else to send, deliver or transmit a message. This would include occasions where a person falsely reports that someone has been a victim of a crime in order to cause anxiety or distress by the arrival of the police.

23
Q

Section 1 of the 1988 Act goes on to state:

A

(2) A person is not guilty of an offence by virtue of subsection (1)(a)(ii) above if he shows—
(a) that the threat was used to reinforce a demand made by him on reasonable grounds; and
(b) that he believed, and had reasonable grounds for believing, that the use of the threat was a proper means of reinforcing the demand.

24
Q

Defence Regarding Malicious Communications

A

The italicised words in the offence (author’s emphasis) make the relevant test objective. It will not be enough that the person claiming the defence under s. 1(2) subjectively believed that he/she had reasonable grounds; the defendant will have to show:

  • that there were in fact reasonable grounds for making the demand;
  • that he/she believed that the accompanying threat was a proper means of enforcing the demand; and
  • that reasonable grounds existed for that belief.

Given the decisions of the courts in similarly worded defences under the Theft Act 1968 (e.g. blackmail; see chapter 3.1), it is unlikely that any demand could be reasonable where agreement to it would amount to a crime.

The defence is intended to cover financial institutions and other commercial concerns which often need to send forceful letters to customers.