Serious Crime and Other Offences - Cyber Crime Flashcards
Unauthorised Access to Computer Material (Hacking) - Computer Misuse Act 1990 S.1
- he causes a computer to perform any function with intent to secure access to any program or date held in any computer or to enable any such access to be secured
- the access he intends to secure, or enable to be secured, is unauthorised and
- he knows at the time when he causes the computer to perform the function that that is the case
- includes any attempt to log on
- if the defendant is authorised to access a computer but access it outside of normal scope of work and passed on the information, this would constitute an offence if he was not authorised to access the specific data involved
- an offence of specific intent - must show that the defendant intended to secure access to the program/ data and that he knew the access was unauthorised
- Physical contact with the hardware is not required
There is nothing contained in the definition which states that fraudulent activity must take place, or that a gain must be made
in R v Bow Street Metropolitan Stipendiary Magistrate, ex parte Government of the USA [2000] 2 AC 216 it was held that where an employee accessed accounts that fell outside his normal scope of work and passed on the information, in this instance to credit card forgers, he was not authorised to access the specific data involved.
- powers of entry, search and seizure apply to this offence
- The offence is triable either way and punishable with a maximum term of imprisonment of two years
Examples of Unauthorised Access to Computer Material
- alters. erases program/ data
- copies or moves it to any storage medium other than that in which is is held/ to a different location from where it is held
- uses it
- has it output from the computer in which it is held (if instructions of which it consists are output and the form in which any such instructions or any data is output)
- causes the program to be executed or is itself a function of the program
- ## The case of R v Bow Street Metropolitan Stipendiary Magistrate, ex parte Government of the USA [2000] 2 AC 216 is illustrative that the purpose of the Act is to address unauthorised access as opposed to unauthorised use of data, so behaviour such as looking over a computer operator’s shoulder to read what is on the screen would not be covered.
Unauthorised Access with Intent to Commit Further Offences - Computer Misuse Act 1990 S.2
- commits an offence under s.1 with intent to
- commit an offence to which this section applies or
- to facilitate the commission of such an offence (whether by himself or another person) and the offence is to which this section applies
Applies to offences for which the sentence is fixed by law or for which a person of 21 years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years
- immaterial whether the further offence is to be committed on the same occasion at the unauthorised access or any future occasion
- can be guilty even though the facts are such that the commission of the further offence is impossible
example - data is used to commit an offence of blackmail
s. 2(4) states that a person may be guilty of an offence under s. 2 even though the facts are such that the commission of the further offence is impossible.
Unauthorised Acts with Intent to Impair, or with Recklessness as to Impairing, Operation of Computer, etc - Computer Misuse Act 1990 S.3
- does any unauthorised acts in relation to a computer
- at the time when he does the act he knows that it is unauthorised and he either:
intends by doing the act to impair the operation of any computer, to prevent or hinder access to any program or data held in any computer or to impair the operation of any such program or the reliability of such data
or is reckless as to whether the act will do anything mentioned above
example: former employee, acting on a grudge, impaired the operation of a company’s computer program by using it to generate and send 5 million emails to the company
- the hindering, impairing etc can be temporary
- ‘hindering’ relates to viruses or malware
Unauthorised Acts Causing or Creating Risk Of Serious Damage - Computer Misuse Act 1990 S.3ZA
- the person does any unauthorised act in relation to a computer
- at the time of doing the act the person knows that it is unauthorised
- the act causes, or creates significant risk of, serious damage or a material kind
- the person intends by doing the act to cause serious damage of a material kind or is reckless as to whether such damage is caused
damage of a material kind includes:
- damage to human welfare in any place (loss to human life, human illness/ injury, disruption of a supply of money/ food/ water/ energy/ fuel, disruption of a system of communication, disruption of facilities for transport, disruption of services relating to health)
- damage to the environment in any place
- damage to the economy in any country
- damage to the national security of any country
- immaterial whether or not an at causing damage does so directly or is the only or main cause of the damage
actus reus - accused undertakes an unauthorised act in relation to a computer and that act causes, or creates a significant risk of causing, serious damage of a material kind
mens rea - at the time of committing the act, knows that it is unauthorised and intends the act to cause serious damage of a material kind or is reckless as to whether such damage would be caused
Making, Supplying or Obtaining Articles for Use in Offences under s.1, 3 or 3Z - Computer Misuse Act 1990 S.3A
- makes, adapts, supplies or offers to supply any article intending to be used to commit, or to assist in the commission of, an offence under s.1, 3 or 3Z
- supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under s.1, 3 or 3Z
- obtains any article intending to use it to commit, or to assist in the commission of, an offence under s.1, 3 or 3Z or with a view to it being supplied for use to commit or to assist in the commission of, an offence under s.1, 3 or 3Z
- article includes any program or data held in electronic form
- legislation designed to combat ‘hacker’ tools
What does GDPR not apply to?
- the processing of personal data by an individual in the course of a purely personal/ household activity
- the processing of personal data by a competent authority for any law enforcement purposes
- the processing of personal data to which intelligence services processing applies
- responsibility for compliance rests on the shoulders of the controller e.g. employer, public authority, agency or any other body which alone or jointly with other determines the purposes and means of the processing of personal data
- the information commissioner is the lead enforcer for Data Protection and UK GDPR - responsible for monitoring their application to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data
Protection of Personal Data - Data Protection Act 2018 S.2
- requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis
- conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified and
- conferring functions on the commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions
- personal data - any information relating to an identified or identifiable data subject e.g. name, identification number, location data etc
- processing - any operation or set of operations which is performed on personal data or on sets of personal data - collection, recording, organisation, structuring, storage, adaption or alteration etc
Offences Relating to Personal Data
- knowingly or recklessly obtaining or disclosing personal data without the consent of the controller (s.170(1))
- selling personal data if the person obtained the data in circumstances in which an offence under subsection 1 was committed (s.170(4))
- offering to sell personal data (s.170(5))
- knowingly or recklessly re-identifying information that is de-identified personal data without the consent of the controller responsible for de-identifying the data (s.171(1))
- knowingly or recklessly processing personal data that is information that has been re-identified where the person does so without the consent of the controller (s.171(5))
- the controller or person employed by the controller alters, defaces, blocks, erases, destroys or conceals information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive (s.173(3))
Malicious Communications - Malicious Communications Act 1988 S.1(1)
- offence of sending letters etc with intent to cause distress or anxiety
- any person who sends to another person a letter, electronic communication or article of any description which conveys:
a) a message which is indecent or grossly offensive
b) a threat
c) information which is false and known or believed to be false by the sender - any article or electronic communication which is, in whole or part, of an indecent or grossly offensive nature, is guilty of an offence if his purpose in sending it is that it should cause distress or anxiety to the recipient or to any other person to whom he intends that it or its contents or nature should be communicated
- sending includes transmitting
- covers occasions where the article itself is indecent or grossly offensive (e.g. putting dog faeces through someone’s letter box)
- can include false information if senders purpose was to cause distress or anxiety
- includes emails, text messages, paper messages, social media
- can be committed by using someone else to send, deliver or transmit a message
- includes where a person falsely reports that someone has been a victim of a crime to cause anxiety or distress by the arrival of police
What are the defences for malicious communications?
- the threat was used to reinforce a demand made by him on reasonable grounds and
- he believed, and had reasonable grounds for believing, that the use of the threat was a proper means of reinforcing the demand
- intended to cover financial institutions and other commercial concerns which often need to send forceful letters to customers
S.2 Data Protection Act 2018
The Data Protection Act 2018, s. 2 as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419)) states:
“ (1) The UK GDPR and this Act protect individuals with regard to the processing of personal data, in particular by —
(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis,
(b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
(c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.”
What is personal data?
‘Personal data’ means any information relating to an identified or identifiable living individual. ‘Identifiable living individual’ means a living individual who can be identified, directly or indirectly, in particular by reference to— “ (a) an identifier such as a name, an identification number, location data or an online identifier, or (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual
