Cybercrime Flashcards
What legislation deals with the power of seizure in respect of information stored in electronic form?
s20 PACE 1984
Unauthorised Access to Computer Material (‘Hacking’)
s1 Computer Misuse Act 1990
(1) A person is guilty of an offence if—
(a) He causes a computer to perform any function with INTENT to secure access to any program or data held in any computer, or to enable any such access to be secured.
(b) The access he intends to secure or to enable to be secured, is UNAUTHORISED; and
(c) He KNOWS at the time when he causes the computer to perform the function that that is the case.
Penalty:
- Indictment– 2 years and/or fine.
- Summarily– 12 months and/or fine.
‘Securing access’ to a computer includes…
s17 Computer Misuse Act 1990
- Altering or erasing a program or data
- Copying or moving a program or data to a new storage medium
- Using data or having it displayed or ‘output’ in any form from the computer in which it is held.
Unauthorised Access to Computers with Intent to Commit Further Offences
s2 Computer Misuse Act 1990
(1) Unauthorised access offence with intent (at the time of the actus reus)—
(a) To commit an offence
(b) To facilitate the commission of such an offence (can be at a later date)…
Further offence can be impossible.
Penalty:
- Indictment– 5 years and/or fine.
- Summarily– 6 months and/or fine.
Unauthorised Acts with Intent to Impair, or with Recklessness as to Impairing, Operation of Computer, etc.
s3 Computer Misuse Act 1990
(1) A person is guilty of an offence if he intentionally or recklessly does an act—
(a) To impair the operation of any computer;
(b) To prevent or hinder access to any program or data held in any computer;
(c) To impair the operation of any such program or the reliability of any such data;
(d) To enable any of the things mentioned in paragraphs (a) to (c) above to be done.
Examples include programs that generate denial of service attacks, or malicious code such as viruses.
Penalty:
- Indictment– 10 years and/or fine.
- Summarily– 6 months and/or fine.
Unauthorised Acts Causing, or Creating Risk of, Serious Damage
s3ZA Computer Misuse Act 1990
(1) A person is guilty of an offence if—
(a) The person does any unauthorised act in relation to a computer;
(b) At the time of doing the act the person knows that it is unauthorised;
(c) The act causes, or creates a significant risk of, serious damage of a material kind; and
(d) The person intends by doing the act to cause serious damage of a material kind or is reckless as to whether such damage is caused.
(2) Damage is of a “material kind” for the purposes of this section if it is—
(a) Damage to human welfare in any place;
(b) Damage to the environment of any place;
(c) Damage to the economy of any country; or
(d) Damage to the national security of any country.
(3) For the purposes of subsection (2)(a) an act causes damage to human welfare only if it causes—
(a) Loss to human life;
(b) Human illness or injury;
(c) Disruption of a supply of money, food, water, energy or fuel;
(d) Disruption of a system of communication;
(e) Disruption of facilities for transport; or
(f) Disruption of services relating to health.
(4) It is immaterial for the purposes of subsection (2) whether or not an act causing damage—
(a) Does so directly;
(b) Is the only or main cause of the damage.
Penalty:
- Indictment– 14 years and/or fine.
Making, supplying or obtaining articles for use in offence under s1, 3 or 3ZA
s3A Computer Misuse Act 1990
Section 3A of the Computer Misuse Act 1990 is about making, supplying or obtaining articles for use in an offence under…
- Section 1 - Unauthorised access to computer material
- Section 3 - Unauthorised acts with intent to impair, or with recklessness as to impairing the operation of a computer only
- Section 3ZA - Unauthorised acts causing, or creating risk of, serious damage
The Data Protection Act 2018
s2 Data Protection Act 2018
The GDPR (the General Data Protection Regulation 2016/679), the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—
(a) Requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis,
(b) Conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
(c) Conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.
Some personal data that may be processed can be more sensitive in nature and therefore requires a higher level of protection.
The General Data Protection Regulation 2016/679 refers to this data as ‘special categories of personal data’. It includes:
- Race
- Ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life
- Sexual orientation
In brief, the 6 key principles of Article 5 of the General Data Protection Regulation 2016/679 are…
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality (security)
The Data Protection Act 2018 creates a number of offences in relation to personal data, proceedings for which can only be instigated by the Commissioner, or with the consent of the Director of Public Prosecutions.
These offences include:
s170: Unlawful obtaining etc of personal data
s171: Re-identification of de-identified personal data
s173: Alteration etc of personal data to prevent disclosure to data subject
Defences for these are when it is necessary for the prevention and detection of crime.
Penalty:
- Summarily– fine.
Malicious Communications
s1 Malicious Communications Act 1988
(1) Any person who sends to another person—
(a) A letter, electronic communication or article of any description which conveys—
(i) A message which is indecent or grossly offensive;
(ii) A threat; or
(iii) Information which is false and known or believed to be false by the sender; or
(b) Any article or electronic communication which is, in whole or part, of an indecent or grossly offensive nature,
…is guilty of an offence if his purpose is to cause distress or anxiety to the recipient or to any other person to whom he intends that it or its contents or nature should be communicated.
Penalty:
- Indictment– 2 years and/or fine.
- Summarily– 6 months and/or fine.
Defence Regarding Malicious Communications
s1 Malicious Communications Act 1988
- That the threat was used to reinforce a demand made by him on reasonable grounds and
- That he believed that the use of the threat was a proper means of reinforcing the demand.
- Reasonable grounds existed for believing.
Disclosing private sexual photographs and films with intent to cause distress
s33 Criminal Justice and Courts Act 2015
(1) It is an offence for a person to disclose a private sexual photograph or film if the disclosure is made—
(a) Without the consent of an individual who appears in the photograph or film, and
(b) With the intention of causing that individual distress.
Penalty:
- Indictment– 2 years and/or fine.
- Summarily– 12 months and/or fine.
What are MLATs?
Mutual Legal Assistance Treaties
This is the agreement for co-operation between countries, necessary given the borderless nature of cybercrime.
- Any request into the UK will be via Interpol liaison.
- Requests from the USA may be dealt with via RIPA.
- Requests may be for intelligence only.
- Any evidential request and preservation orders will be through MLAT.
- An ILOR (International Letter of Request) relates to law enforcement requests likely to be used in criminal proceedings between countries. It is not for intelligence. In the UK the CPS will drive the request to aid prosecution.