Friday, 16 September 2011

Will UK Computer Misuse Act get as bad?

Should Faking a Name on Facebook Be a Felony?

Basically, the corresponding US legislation can have far-reaching consequences. It can mean criminal cases for, for example, not using your real name on Facebook. Apparently there have been cases of people done for uploading a profile picture that is not theirs.

Heck, my Facebook account has a picture of an orc and a fake name. That probably makes me a criminal in the States right now. Well, if that is my Facebook account I suppose - if it is the orc's then that should be fine :-)

What is the world coming to?


  1. The computer misuse act seems to be rather too fuzzy for the internet age anyway. It criminalises "unauthorised access"... well, how do you know if you're authorised? Google has never given me written permission to access the web server at - I just point my browser there and it connects, doesn't ask for a password or anything and provides a service... Presumably the lack of a password makes me "authorised". This applies to any public website, whether or not it is as well known as Google.

    So I can pull out my laptop, scan for wireless networks and connect to an open one. It doesn't ask me for a password, so presumably I'm authorised... except it seems I'm not, because there have been successful convictions of people doing exactly this.

    (Personally I'm of the opinion that wireless networks have a method of telling people whether or not they are intended for public use, and if someone mistakenly set their network to be open there isn't realistically any way to know that it wasn't intended to be, so that's just their tough luck... the law seems to be erring the other direction which essentially outlaws the use of any public hotspot... but either way, the computer misuse act needs fixing to clarify what the hell "unauthorised access" actually is).

  2. Steve: It's the fact that unauthorised is left to a judge's interpretation that has ensured the CMA is fit for purpose in a different era.

    The courts have tended to take the point of view that whether your access is authorised depends on two things:

    1) Did you have reasonable notice that your access would be unauthorised? For this purpose a WEP key, or an SSID of "Private - do not use" would be enough to notify you that your access is unauthorised. Even a manufacturer default SSID, where you could be shown to know that it was open by default is enough - but first they'd have to show that you should reasonably have known that "linksys" with open security was a default configuration.

    2) Did you have separate authorisation that you can show to the court - e.g. a piece of paper from the cafe running the hotspot with the WEP key printed on it?

    I don't have links to hand right now, but I remember two cases where someone used an open hotspot and ended up being prosecuted for it.

    In the first case, the hotspot's power levels had been set to only provide service inside the provider's building - the person prosecuted had built a special antenna to gain access, which also opened them up to prosecution under other Acts (because they were exceeding the permitted ERP for the 2.4GHz band). CMA was just one of many ways to jail them, and the court wanted to make clear that authorisation wasn't just about technical measures (like WEP and WPS), but about physical measures, too (like ensuring you have to be on the wrong side of a locked door to get access).

    In the second case, the user was using a cafe's hotspot from a car parked on a nearby road. They tracked him down (by the simple technical measure of turning off the AP whenever the cafe was empty, and noting who came in to complain, then following him back to his car), and asked him to stop using it from outside the cafe; he refused. They called the police, who asked him to stop using it; he refused. At that point, he got arrested and prosecuted.

    In both cases, the mainstream press reporting (both technical and non-technical) focused on the "being prosecuted for using open WiFi" side of the case, not on the "plenty of reasons they should have known they were unauthorised" side of the case. I have not yet seen a case where someone who merely gets out their WiFi enabled device and lets it connect to the strongest open access point nearby has been prosecuted - despite the fact that this must happen many times a day.

  3. As a gedankenexperiment, imagine that the CMA did specify what unauthorised meant; initially it would be "dialling into a remote computer facility over the Public Switched Telephony Network and using a username and password not issued to you to obtain access" (that being the threat the CMA is meant to counter).

    When the Internet arrives, the law is no longer fit for purpose; it needs amending to indicate that connecting to my computer over the Internet is equivalent to dialling in over the PSTN.

    When token-based VPNs appear, the law needs amending again - the token is not a password (think smartcard access).

    When WiFi comes along, the law gets updated to specify WEP keys - until the update happens, because WEP is a shared key system, it's impossible to bend the law to criminalise anyone who hacks WiFi, no matter what their intent.

    Assume for the sake of argument that the process of amending the law to specify WEP keys goes slightly awry, and specifies WEP specifically; when WPA arrives, upgrading your security to WPA means that it's no longer illegal for me to use your WiFi without authorisation.

    Back in the real world, we have the "reasonable man" test, which is common in application of law, and will be a familiar test to any judge of the land. It's a simple test - given what the prosecution have proven, would a reasonable man believe that they were authorised to act in the way the defendant did?

    So, I'm in Starbucks, I get my phone out, and see an open network "Starbucks Free WiFi - Buy Our Coffee!". I buy a coffee and connect - no court will convict, as a reasonable man would assume that having bought a coffee as suggested in the SSID, they were authorised.

    I'm at work - I connect to work's WiFi - again, fine, as I have authorisation as part of my job.

    I go round to AAISP's offices in Bracknell, and find a vacant Ethernet jack - without making myself known to the staff, I plug in and start downloading vile and illegal material from the Internet. Not OK - despite this not being WiFi, I should have been aware that wandering into someone's office and using a random network port without permission isn't authorised activity. On the other hand, if there was an open network "AAISP", and I was visiting AAISP on business (say to discuss a large Firebrick FB2700 order with associated lines), and I connected, there's not much chance that any court would convict - it's an open network, I'm visiting AAISP, why wouldn't I have authorisation to use it?