Sunday, January 16, 2011

Breaching an Acceptable Use Policy a Criminal Offence

We generally expect that 'hacking' --- illegally gaining access to the computer systems of another --- would be a criminal offence. (Out of deference to the computer community, 'cracking' will be used for the remainder of the post.) And we generally expect that breaking the acceptable use policy at work is something deserving --- at most --- of being fired.

However, at the core of both is the unauthorised use of a restricted-access computer system. And that is an offence under the Criminal Code (WA). Section 440A(2) reads:
(2) For the purposes of this section a person unlawfully uses a restricted-access computer system —
    (a) if the person uses it when he or she is not properly authorised to do so; or
    (b) if the person, being authorised to use it, uses it other than in accordance with his or her authorisation.
UPDATE: To clarify, a "restricted-access computer system" is nothing special. It's defined in the Code as:
a computer system in respect of which —
    (a) the use of a password is necessary in order to obtain access to information stored in the system or to operate the system in some other way; and
    (b) the person who is entitled to control the use of the system —
        (i) has withheld knowledge of the password, or the means of producing it, from all other persons; or
        (ii) has taken steps to restrict knowledge of the password, or the means of producing it, to a particular authorised person or class of authorised person;


So breaching an AUP could, at least conceivably, land you in jail: ss (2)(b).

But would it ever happen?
Yes, and a conviction was just upheld in the WA Supreme Court --- Giles v Douglas [2011] WASC 14.

Ms Giles was a WA police officer. While working in the Northern Territory some years ago, she met "RA", a police officer, and they became friends. RA separated from his wife around 2002, and RA's wife took custody of their children and moved to WA. RA's wife had been abused as a child, and had drinking and domestic violence issues. Ms Giles moved to WA in 2004.

On 27 March 2009, Ms Giles was contacted by RA. He told Ms Giles that his wife had just died, and as such, he had concerns about the children. Ms Giles set about making inquiries about the children.

Some of the inquiries she made were searches of the police database. Upon logging into this database, all users were presented with the following warning:
Information contained within the Western Australia Police Computer Systems is confidential, must not be disclosed to unauthorised persons under any circumstances and not be accessed for personal reasons. (emphasis added)
This is where she came unstuck, and ended up in court. She was charged under section 440A. She argued that accessing the database in these circumstances was a proper part of her role --- that she would have done the same for "the local butcher", if he had come in with the same story. She also argued that her supervisor had authorised the searches, or alternately that she had an honest and reasonable belief that she was authorised to do the searches.

The Magistrate didn't buy it, and Ms Giles failed in her appeal to the Supreme Court. To be clear, Ms Giles wasn't convicted for breaching police secrecy, or improper disclosure of information --- she was convicted for common cracking. She used the restricted-access system other than in accordance with her authorisation: s 440A(2)(b).

So What?
The decision is fully in accordance with the law --- although whether it's the right decision on the facts is slightly more open. Either way, it highlights the dangerous state of computer offences in WA law. The decision would seem to stand for the proposition that a breach of a contractual or workplace agreement regarding computer use amounts to criminal conduct.

That casts the net of conduct potentially caught by the section very, very wide. For example, as well as forbidding cross-posting and unlawfully downloading copyrighted material, the acceptable use policy governing my 3G wireless modem contains the following clause:
The service is provided for interactive use. However, if automated programs or programs that maintain a persistent connection to a remote service are used, they must only be used when you are physically present at the computer. These activities include (but are not limited to) automated file downloading, IRC 'bots', continuous streaming media and peer-to-peer file sharing applications. (emphasis added)
So if I set the latest set of system updates downloading overnight, I'd be breaching the AUP. I'd then be accessing the restricted-access computer system belonging to my ISP in excess of my authorisation.

Would that make me a cracker? No.

Would that make me liable to criminal sanctions? It would seem so.

Is that good law?

8 comments:

  1. Apples and oranges.

    There's a world of difference between a police officer misusing a database, and a piece of consumer hardware operating unattended.

    The DPP and a court are unlikely to decide a brief or sentence in the manner implied. Check subsection 3 - the Crown would be looking for detriment, and that's not achieved solely through unattended operation.

    But if activity associated with your modem causes detriment, expect an investigation.

    Also, remember the modem's AUP is with the vendor, not the Crown. You should be concerned about your modem vendor's appetite for civil action. Their lawyers created the AUP to mitigate their liability. Civil courts can yield unexpected outcomes - I'm sure you can dream up a few examples where suits are made by webservice operator to network provider, to device manufacturer, to you.

  2. There's also precedent under U.S. Law, in the U.S. vs Lori Drew case where (without reference to some rather dubious moral behaviour behind it), Ms Drew was charged under criminal law as a computer hacker because she violated MySpace's Terms of Service by setting up an account with a fake name.

  3. @coward: Yes, I'm aware that the DPP probably wouldn't prosecute, but the fact remains that it remains a possibility.

    I don't think who the AUP is with is relevant - the judgment quite specifically points to the clause in the database warning, rather than that the crown owns the database.

    I realise that it is a leap, but I don't think it's as big a leap as you make out.

    And yes, a civil action is more likely. But again, that's not the point.

  4. It's a pretty dodgy law, especially considering an ISP can (and has in my case) change their definition of Acceptable Use at any time, and without any guarantee of allowing the users to terminate the contract when they do so, or even telling the users the policy has changed.

  5. A restricted access system is NOT the same as an Acceptable Use Policy. The RA is a legally protected system, prosecuted under criminal law, whereas an AUP is merely an agreement between two parties, which would be subject to civil arbitration.

    While I appreciate that you are concerned by this case, it doesn't set a precedent regarding AUPs.

  6. @Anon (re Restricted-access != AUP)

    That is entirely wrong. Restricted-access is defined in the criminal code and clearly includes systems governed by AUPs.

    I've updated the article to show the definition. It was an oversight on my part not to include that definition earlier; sorry.

  7. This is not the case. Your wireless server is Virgin I take it? (I've seen that clause in their TOS before.) However, using a USB internet dongle immediately puts your use outside of Section 440A because it invalidates what is required for the system to be a "restricted access system" - same with most ISPs, though not all. As someone who runs a private "Restricted Access System" and who has initiated a successful prosecution under this law, I've spent more time with it than most. Breach an AUP and all you've done is breach an AUP. Even in this case.

    The key here is what constitutes a restricted access system and what constitutes unauthorised use.

    So while IANAL, I am pretty sure that you could breach your ISP's AUP all you like with impunity. Until they cut you off, as per the terms.

    Hardly a criminal act.

    On the other hand if you hacked into their accounting system and changed your bill, then you may well be in breach.

    Seems like a fairly commonsense law to me?

    Be careful not to take laws too literally. Otherwise you'll come to believe that sneezing on someone is an assault. Sure, it can be, but it's not likely to be taken that way.

    David.

  8. @David:

    I'd disagree with your characterisation of restricted-access system. The dongle requires a set of electrical impulses (electrical impulses are included in the definition of password), namely the 'phone number' of the dongle to connect, and the ISP does indeed restrict access to only those with the right phone numbers (and with credit on their accounts).

    Maybe it wasn't the greatest example - maybe the AUP of a website would have been a better idea. But I'd argue the point still stands.

    Also, re: taking the law literally --- see the Interpretation Act: I blogged about it a few posts back in the context of a driving incident in America.
