[LINK] Musings: Web-Page Content as a Computer Crime?

Roger Clarke Roger.Clarke at xamax.com.au
Thu Jan 25 08:47:38 AEDT 2007


Thanks to several people who assisted with my RFI re the computer 
crimes provisions of the Clth Crimes Act, both on the privacy list 
and off-list.

Here's what I'm playing with.

When a web-browser requests a file from a web-server, the native 
response is a file containing HTML.

But the file may contain 'active code' (my term).  I'm focussing on 
Javascript, Java and ActiveX controls.  (Any others?).  Also 
within-scope are instructions to set cookies.

The person using the web-browser *might* anticipate that 'active 
code' could be inside the file.  But most people wouldn't - if only 
because they don't understand what the heck we're talking about.  But 
even those who are still hanging in there at this stage don't know 
what the code does.

And cookies are worse.  That's because there's an IETF RFC that 
defines what Best Practice is in relation to cookies, and a big 
proportion of sites breach it.  (For one thing, the RFC permits 
'session cookies' only).

I'm assessing the extent to which the files that many web-servers are 
sending in response to a request from a web-browser might be in 
breach of the 'computer crimes' provisions of Clth and State laws.

I'm assuming for the purposes of the exercise that the browser-user 
has not 'authorised' the action (on the basis that any presumption of 
consent is unreasonable, because it wasn't and couldn't be 'informed 
consent').

The notes below relate to the Clth and NSW provisions.  Any thoughts 
much appreciated.  (Who knows, there may even be case law!?).

_________________________________________________________________________

Commonwealth Crimes Act

Roughly, it's an offence to 'knowingly and without authorisation 
modify data, by means of a carriage services provider, in a manner 
that is reckless as to whether the modification impairs access to 
data, or impairs the reliability, security or operation, of such data'.

The bloke on the bus reckons that a Javascript programmer knowingly 
and without authorisation modifies data - i.e. (a) and (b) are 
satisfied;  and that he does so by means of a carriage services 
provider - (d)(iii).

So the key question is whether the Javascript programmer is reckless 
about whether the modification of data might 'impair access to data 
or the reliability, security or operation, of such data' - (c).

It's not entirely obvious, at least to me, what s. 477.2(1)(c) is 
meant to mean, let alone what a court would construe it to mean.

[As Dick might have meant, 'first, let's kill all the legislative 
drafters', because they either meant to grease the palms of their 
professional colleagues the barristers, or they intended this to be 
so complex that it could never be successfully used in a prosecution.]

Here's the reference:

>the Clth Computer Crime offences have been moved to the schedule of 
>the Criminal Code. See sections 476, 477 and 478.
>http://www.austlii.edu.au/au/legis/cth/consol_act/cca1995115/sch1.html

[Note that *some* of the excruciating expression below is a result of 
the legislative drafter trying to work within constitutional 
limitations]

The part that appears to be relevant is:

477.2   Unauthorised modification of data to cause impairment
(1)  A person is guilty of an offence if:
     (a)  the person causes any unauthorised modification of data held 
in a computer; and
     (b)  the person knows the modification is unauthorised; and
     (c)  the person is reckless as to whether the modification 
impairs or will impair:
         (i)  access to that or any other data held in any computer; or
         (ii)  the reliability, security or operation, of any such data; and
     (d)  one or more of the following applies:
         (iii)  the modification of the data is caused by means of a 
carriage service;
         (vii)  the modification of the data impairs access to, or the 
reliability, security or operation of, other data by means of a 
carriage service.
Penalty:  10 years imprisonment.
(2)  Absolute liability applies to paragraph (1)(d).
(3)  A person may be guilty of an offence against this section even 
if there is or will be no actual impairment to:
     (a)  access to data held in a computer; or
     (b)  the reliability, security or operation, of any such data.

__________________________________________________________________________

NSW Crimes Act (as an example of State law)

Roughly, it's an offence to 'modify data, knowing that that act is 
unauthorised, and doing so either recklessly or with the intention of 
causing impairment of data, or impairment of the reliability, 
security or operation of data'.

Again, the bloke on the bus reckons that a Javascript programmer 
modifies data, and that he's acting without the browser-owner's 
authorisation - (a), and that there's a good chance that the 
programmer knows he's acting without the browser-owner's 
authorisation - (b) - although (b) has to be established in court.

Given the low quality of design, programming and quality assurance, 
the bloke on the bus reckons 'reckless' may be a fair description - 
(c part II) although that requires (probably tedious and 
counter-intuitive) evaluation.

So, again, a key test seems to be the meaning of 'the impairment of 
data, or of the reliability, security or operation of data' -  (c 
part I) -  which remains unclear to bus passengers and me alike.

Here's the law:

NSW Crimes Act at ss. 308-308I
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308.html

Specifically:
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308d.html
308D Unauthorised modification of data with intent to cause impairment
(1) A person who:
(a) causes any unauthorised modification of data held in a computer, and
(b) knows that the modification is unauthorised, and
(c) intends by the modification to impair access to, or to impair the 
reliability, security or operation of, any data held in a computer, 
or who is reckless as to any such impairment,
is guilty of an offence.
Maximum penalty: Imprisonment for 10 years.

and
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308i.html
308I Unauthorised impairment of data held in computer disk, credit 
card or other device (summary offence)
(1) A person:
(a) who causes any unauthorised impairment of the reliability, 
security or operation of any data held on a computer disk, credit 
card or other device used to store data by electronic means, and
(b) who knows that the impairment is unauthorised, and
(c) who intends to cause that impairment,
is guilty of an offence.
Maximum penalty: Imprisonment for 2 years.
(2) An offence against this section is a summary offence.
(3) For the purposes of this section, impairment of the reliability, 
security or operation of data is "unauthorised" if the person is not 
entitled to cause that impairment.
__________________________________________________________________________

-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW


