[LINK] Musings: Web-Page Content as a Computer Crime?
Roger Clarke
Roger.Clarke at xamax.com.au
Thu Jan 25 08:47:38 AEDT 2007
Thanks to several people who assisted with my RFI re the computer
crimes provisions of the Clth Crimes Act, both on the privacy list
and off-list.

Here's what I'm playing with.

When a web-browser requests a file from a web-server, the native
response is a file containing HTML.

But the file may contain 'active code' (my term). I'm focussing on
Javascript, Java and ActiveX controls. (Any others?). Also
within-scope are instructions to set cookies.

The person using the web-browser *might* anticipate that 'active
code' could be inside the file. But most people wouldn't - if only
because they don't understand what the heck we're talking about. But
even those who are still hanging in there at this stage don't know
what the code does.

And cookies are worse. That's because there's an IETF RFC that
defines what Best Practice is in relation to cookies, and a big
proportion of sites breach it. (For one thing, the RFC permits
'session cookies' only).

I'm assessing the extent to which the files that many web-servers are
sending in response to a request from a web-browser might be in
breach of the 'computer crimes' provisions of Clth and State laws.

I'm assuming for the purposes of the exercise that the browser-user
has not 'authorised' the action (on the basis that any presumption of
consent is unreasonable, because it wasn't and couldn't be 'informed
consent').

The notes below relate to the Clth and NSW provisions. Any thoughts
much appreciated. (Who knows, there may even be case law!?).
_________________________________________________________________________
Commonwealth Crimes Act

Roughly, it's an offence to 'knowingly and without authorisation
modify data, by means of a carriage services provider, in a manner
that is reckless as to whether the modification impairs access to
data, or impairs the reliability, security or operation, of such data'

The bloke on the bus reckons that a Javascript programmer knowingly
and without authorisation modifies data - i.e. (a) and (b) are
satisfied; and that he does so by means of a carriage services
provider - (d)(iii).

So the key question is whether the Javascript programmer is reckless
about whether the modification of data might 'impair access to data
or the reliability, security or operation, of such data' - (c).

It's not entirely obvious, at least to me, what s. 477.2(1)(c) is
meant to mean, let alone what a court would construe it to mean.

[As Dick might have meant, 'first, let's kill all the legislative
drafters', because they either meant to grease the palms of their
professional colleagues the barristers, or they intended this to be
so complex that it could never be successfully used in a prosecution]

Here's the reference:

>the Clth Computer Crime offences have been moved to the schedule of
>the Criminal Code. See sections 476, 477 and 478.
>http://www.austlii.edu.au/au/legis/cth/consol_act/cca1995115/sch1.html

[Note that *some* of the excruciating expression below is a result of
the legislative drafter trying to work within constitutional
limitations]

The part that appears to be relevant is:

477.2 Unauthorised modification of data to cause impairment

(1) A person is guilty of an offence if:
    (a) the person causes any unauthorised modification of data held
        in a computer; and
    (b) the person knows the modification is unauthorised; and
    (c) the person is reckless as to whether the modification
        impairs or will impair:
        (i) access to that or any other data held in any computer; or
        (ii) the reliability, security or operation, of any such data; and
    (d) one or more of the following applies:
        (iii) the modification of the data is caused by means of a
              carriage service;
        (vii) the modification of the data impairs access to, or the
              reliability, security or operation of, other data by means of a
              carriage service.

    Penalty: 10 years imprisonment.

(2) Absolute liability applies to paragraph (1)(d).

(3) A person may be guilty of an offence against this section even
    if there is or will be no actual impairment to:
    (a) access to data held in a computer; or
    (b) the reliability, security or operation, of any such data.
__________________________________________________________________________
NSW Crimes Act (as an example of State law)

Roughly, it's an offence to 'modify data, knowing that that act is
unauthorised, and doing so either recklessly or with the intention of
causing impairment of data, or impairment of the reliability,
security or operation of data'.

Again, the bloke on the bus reckons that a Javascript programmer
modifies data, and that he's acting without the browser-owner's
authorisation - (a), and that there's a good chance that the
programmer knows he's acting without the browser-owner's
authorisation - (b) - although (b) has to be established in court.

Given the low quality of design, programming and quality assurance,
the bloke on the bus reckons 'reckless' may be a fair description -
(c part II) although that requires (probably tedious and
counter-intuitive) evaluation.

So, again, a key test seems to be the meaning of 'the impairment of
data, or of the reliability, security or operation of data' - (c
part I) - which remains unclear to bus passengers and me alike.

Here's the law:

NSW Crimes Act at ss. 308-308I
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308.html

Specifically:

http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308d.html

308D Unauthorised modification of data with intent to cause impairment

(1) A person who:
    (a) causes any unauthorised modification of data held in a computer, and
    (b) knows that the modification is unauthorised, and
    (c) intends by the modification to impair access to, or to impair the
        reliability, security or operation of, any data held in a computer,
        or who is reckless as to any such impairment,
    is guilty of an offence.

    Maximum penalty: Imprisonment for 10 years.

and

http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308i.html

308I Unauthorised impairment of data held in computer disk, credit
card or other device (summary offence)

(1) A person:
    (a) who causes any unauthorised impairment of the reliability,
        security or operation of any data held on a computer disk, credit
        card or other device used to store data by electronic means, and
    (b) who knows that the impairment is unauthorised, and
    (c) who intends to cause that impairment,
    is guilty of an offence.

    Maximum penalty: Imprisonment for 2 years.

(2) An offence against this section is a summary offence.

(3) For the purposes of this section, impairment of the reliability,
    security or operation of data is "unauthorised" if the person is not
    entitled to cause that impairment.
__________________________________________________________________________
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW