Monday, 29 May 2017

A crime that one cannot report

I was witness to what I believe was a crime.

The crime happened in the UK, and the victim of the crime is in the UK and the perpetrator of the crime is in the UK.

The crime happened on 26th May, and was reported in detail here.

The crime was that Sky broadband impeded access to data on a computer, specifically the contents of the web site www.ispreview.co.uk for a period of time, and did so intentionally - it is a clear violation of The Computer Misuse Act 1990, specifically section 3(2)(b) of the Act.

Sky did "prevent or hinder access to any program or data held in any computer" and did so without consent of the person responsible for that computer.

This is not different to someone launching a DoS attack on ispreview, except we know who did it and they admit they did it.

They clearly had intent to hinder access, as that is the purpose of their parental controls system.

They did not have to target that computer (see 3(4)(a)). Perhaps it was simply a mistake (i.e. reckless), but that is still a crime, see 3(4).

In my opinion, as a non lawyer, a crime has been committed. One that should be addressed.

Now, in this case, ispreview told Sky, and Sky admitted their action and rectified the matter. But that does not stop it being a crime in the first place. Tell a thief he has stolen your stuff and have him give it back does not stop him being a criminal.

I have no specific gripe against Sky. My issue is with the law. This blocking has no legal framework. ispreview have no legal recourse if blocked incorrectly - no right of appeal - not even any notice from Sky that they are blocked. ispreview had no malware, but even if they did, the actions of Sky are not legal under The Computer Misuse Act as far as I can see. Blocking access to a web site, even with permission from your own customer (unless they are responsible for the web site) is not legal, simple as that - why do so many ISPs do this illegal thing?

What is worse in this case is ispreview are a web site promoting many competing ISPs, so blocking it is also anti-competative.

Also, apparently, the block impacted some political party web sites - which I think may be a separate crime in itself - perhaps even more so during campaigning for a general election.

I reported to the Met Police, and they are not interested. They suggested Action Fraud. Unfortunately Action Fraud are all geared up to handle "fraud", which this was not. They suggested police (again) or crime stoppers. I am getting nowhere.

We have a crime that was committed and the perpetrator actually admitting they did it, and the police not interested. What is the point of these laws exactly?

Does this mean that we can all ignore The Computer Misuse Act as nobody enforces it?

P.S. Still trying...

Met police twitter suggested action fraud chat. Apparently they will not take a report unless a victim gives me permission. Do any Sky customers out there do so?


It gets worse...


19 comments:

  1. I will if you want but to be brutally frank you're wasting your time.

    This sort of shit was the whole point of the IWF (nobody's allowed to know what's on it) list in the first place. For anyone naive enough to think otherwise have a look at the ex-plod & ex-secret squirrel/civil-service mob who run it.

    Also "Action Fraud" are nothing other than a shill service for the banks to reduce their costs.

    AFAIK (In)Action Fraud won't look at losses/theft under £100k for an individual case & even then you'd be better off asking next-door's cat.

    So even if you do get someone to complain they're going to say "not £100k loss, you'll get a crime reference number & don't call us".

    Been like this a long long time Adrian....

    ReplyDelete
    Replies
    1. If you actually DO wish to pursue this its going to require you to get a solicitor (& unltimately a QC) involved. Preferably ones with clues about these matters.

      That's going to cost.

      English justicial enforcement has always been primarily about property rights and riots likely to damage said property

      Penalties for violence came later but were usually significantly less severe (proportionally) than penalties for things like debt.

      Grand Juries got abolished in the 30s (Churchill IIRC) because they had the sad habit of indicting people the state didn't want to prosecute.

      The CPS sorted all that out as they don't prosecute anyone the "crown" (parliament in theory but the govt/cabinet these days) doesn't want to.

      This all happened decades before most of your readers were born.

      The rule of law in E&W is based on wealth & power. Nothing else.

      Delete
    2. And don't forget that the CPS have the right to take over private prosecutions - so if you start to prosecute the "wrong person", the CPS can take over the prosecution, and then abandon it. There's nothing unlawful about them doing this - and it's a very good way to stop you prosecuting someone the government doesn't want prosecuted (assuming that they can lean on the DPP to get the CPS to take the prosecution off you).

      Delete
  2. Could you not sponsor a private prosecution RevK? The Railways do it all the time.

    ReplyDelete
    Replies
    1. Not worth it. What pisses me off is that they won't even accept the crime report. I could understand saying not in public interest to prosecute, but refusing to accept the crime report seems crazy.

      Delete
    2. It helps their statistics to not record crimes at all unless they're planning to put effort into them.

      Delete
  3. Irrespective of whether you actually can hammer this kind of cock-up into a CMA-shaped hole, this is undoubtedly better left as a matter between Sky's customers, Sky and ISPReview.

    You trying to drag the forces of law and order into what by any reasonable interpretation would be a civil matter between some parties who might have suffered a minuscule injury and another party who happens to be a competitor of yours looks, at best, absurd.

    ReplyDelete
    Replies
    1. It is clearly a crime of you read yeh CMA. My issue here is the lack of controls for this arbitrary blocking. Sites do not know they are blocked or by whom or why and have no legal recourse when blocked.

      Delete
  4. I'm both an A&A Customer, albeit only for VoIP services, and a Sky Broadband (& phone, not that I use it) customer. If you need permission off someone, you have mine!

    ReplyDelete
  5. Amused by Action Fraud's choice of text colour: http://rationalwiki.org/wiki/Green_ink

    ReplyDelete
  6. I think the best bit is where the Action Fraud representative says that he can't access the Government site with the legislation - implying that something is (unlawfully?) impeding his access to that site, too.

    ReplyDelete
  7. Can I suggest that you are mistaken here;

    section 3(2)(b) of the Computer Misuse Act only comes in to play if there is a breach of section 3 (1):

    A person is guilty of an offence if—

    (a)he does any unauthorised act in relation to a computer;

    (b)at the time when he does the act he knows that it is unauthorised; and

    (c)either subsection (2) or subsection (3) below applies.

    As Sky are authorised to make changes to their own systems, no offence has been commited.

    If you think about it, this is probably a good thing - otherwise an ISP would be commiting an offence were they to suspend service temporarily for maintenance. Worse still as an ISP you would be commiting an offence by suspending someones internet service for non-payment of their bills!

    ReplyDelete
    Replies
    1. The action was prohibiting or hindering address to data on a "computer". It was that computer that is relevant here, surely? Yes, the suspension one is an interesting one. But if this was not the interpretation a DoS attack, being an action on computers that send lots of packets, is not in relation to the attacked computer is it?

      Delete
    2. Also, if that was their argument I'd have been happy to discuss - they could not even see the law, yet were judging that I was wrong to report it either because I was not a victim or it was not a crime (they did not seem to be clear which).

      Delete
  8. It's difficult to see how blocking access to a website would be considered as an "unauthorised act in relation to a computer" which is necessary for an offence to occur. (If it were, then firewalls would be illegal).

    Thinking as I type here, but would you agree that in a DoS attack the packets are sent to the attacked computer, or some intermediary computer which the attacker is not authorised to act on?

    Also, the 1990 act was modified here:

    http://www.legislation.gov.uk/ukpga/2006/48

    See sections 35-38.

    ReplyDelete
    Replies
    1. My point is that an act to block access to date "on a computer" is clearly an act in relation to *that* computer. Normally legislation/gov/uk reports updated versions of acts so should show as amended. I am not saying it is sensible, but it does seem clear - the act was in relation to a computer - the computer on which the data resided that could not be accessed. It is an interesting point you raise, I agree.

      Delete
  9. Totally agree with your points about the ActionFraud service however.

    ReplyDelete
  10. "My point is that an act to block access to date "on a computer" is clearly an act in relation to *that* computer."

    Possibly, but is it an unauthorised act?

    I suspect this must have come up in court and there may well be case law which could clarify.

    ReplyDelete
  11. There are three elements to the s3 offence. To my mind, there are, in this situation, question marks over at least two of those elements.

    First, an act must be done in relation to a computer, and that act must be unauthorised.

    In respect of which computer is an act done here?

    The ISP will be running one or more computers comprising the filtering system. But the act of uploading the filtering definitions (or whatever similar act it is) is clearly authorised, as it is the ISP’s system: the ISP has responsibility for that computer, and is entitled to change the files on it.

    The other main computer at issue here is the ISPReview webserver. But is any “act done in relation to” that computer? This seems questionable. An act is done in relation to traffic destined for that computer, sure.

    I’m unconvinced, though, that an act is done by Sky “in relation to” that webserver.

    This seems distinguishable from a DoS attack, where one is sending data (or causing other computers to send data) to the target computer. This, to my mind, falls far more readily into “an [unauthorised] act done in relation to a computer”.

    (There may still be problems: if I run a webserver, I am, I presume, authorising someone to send traffic to it on, say, port 80 and 443. At what point, if any, does “sending traffic” to one of those ports become “sending too much traffic such that it is an unauthorised act”?)

    Second, if an act is done “in relation to” the webserver, does Sky “know that [that act] is unauthorised”? One would need to ascribe a mens rea to a legal person. That’s not straightforward. It can arise, where the “identification principle” can be applied. This basically requires that the acts and state of mind of the company’s senior managers are given effect to by the company.

    Could it be proven that a senior officer of the company was sufficiently involved in the decision making here that they “knew” that the act in question was unauthorised, such that this knowledge could be ascribed to the company? That seems like a stretch to me.

    (As we’ve discussed, I see a difference between someone not knowing that the act is authorised, or not thinking about whether an act is authorised or not, and knowing that the act is not authorised.)

    The same argument can be made around s3(2), and the mens rea of intent, and 3(3) and reckless.

    I do take your point that it would be nice if someone had been willing to listen to your complaint, and discuss the detail with you. But I can also understand that, with the limited resources to allocate, someone, somewhere, has to make a decision as to whether a crime was committed. Here, that decision was made sooner than you might have liked, clearly.

    ReplyDelete