Internet Law SummativeFriendbook is aUK-based social media platform and has recently had to deal with issuesrelating to cybercrime committed by their employees.
This essay will adviseFriendbook on any potential criminal offences committed or any civil claimsthat could arise from the employees’ actions. Anna Unauthorised access to computer materialAnna may be found tobe liable under S.1 Computer Misuse Act (CMA) 1990 if; she causes a computer toperform any function with intent to secure access to any program or data heldin any computer, the access she intends to secure is unauthorised, and if sheknows at the time when he causes the computer to perform the function that thatis the case’.
1 Theprosecution would thus need to prove that Anna had unauthorised access to thedatabase. S.17(2) CMA defines “access” as altering or erasing data, copying ormoving data, using data or causing output to data. Whilst s.17(5) defines”unauthorised” as not being entitled to control access of any kind in questionof the data or program and not having consent from an entitled person.
Case lawalso helps to distinguish access and unauthorised access, R v Bow Street Magsand Allison (1999) overruled the decision in DPP v Bignell and held that aperson within an organisation who was authorised to access some data on acomputer system, can exceed their authority by accessing data at a leveloutside that authority.2The case of DPP v Ellis (2001) also reinforces this common law rule. Applyings.1 CMA and case law to this scenario, it seems that Anna is liable for a s.
1offence as security engineers at Friendbook do not have any authorisation toaccess the user database and there is no information present stating that shewas given permission to access the database by someone with validauthorisation. The penalty for a s.1 offence is in the Magistrates Court can bea fine of up to £5000 and/or 12 months’ imprisonment.3In Denco Ltd v Joinson (1991), it was held that anemployee was guilty of gross misconduct after he used an unauthorised passwordto access information on a computer which he knew he was not entitled to see.
4This could therefore mean that Friendbook coulddismiss Anna for gross misconduct as she understood that security engineerswere not meant to access the user database. Unauthorised access with intent to commit orfacilitate commission of fraudFriendbook hassuspicion that Anna has obtained user information, which has then been passedonto a third party to commit identity fraud. This falls into the realms of s.2Computer Misuse Act 1990 as it relates to unauthorised access with intent tocommit or facilitate commission of further offences,5which in this case would be suspected fraud. In order to be liable for s.2, Annamust commit a s.
1 offence with intent to commit an offence to which the sectionapplies or to facilitate the commission of an offence, which also coversoffences committed by a third party.6The principle set out in Allison (1999) also applies here as it is relevant tounauthorised access. In R v Ashley Mitchell (2011) the defendant hacked into acompany called Zynga and stole online gambling chips from a company. He thensold them on Facebook which was held to be unauthorised access. Applying s.2CMA and case law to this scenario means that Anna may potentially be liable fora s.2 offence as she has already committed a s.1 offence by accessing theFriendbook’s user database without authorisation.
Fraud has a sentence which isfixed by law, therefore it will suffice s.2(2)(a) Computer Misuse Act 1990 andwhilst Anna was not committing fraud herself there is reasonable suspicion thatshe was giving user data to a third party to commit a further offence. As Annais an employee, she should have had constructive knowledge that she was notpermitted to access the database, so obtaining data must have been intentional,which could constitute an offence under s.2(b).
A s.2 offence carries the samepenalty as a s.1 offence in the magistrates, however Anna could face a maximumof five years imprisonment and an unlimited fine if convicted in the crowncourt.7 BobLiability for the mailbomb attack on AllsafeCybersecurity A mailbomb is aform of denial of service (DoS), which is committed by attacker when they sendhuge amount of emails to an address in an attempt to overflow or overwhelm theserver where the email address is hosted.
8The old provision for S.3 CMA 1990 covered viruses and DDoS attacks, but didnot cover DoS attacks, as the server was not modified by a DoS. DPP v Lennonwas the first UK criminal case related to DoS attacks.9The court held that DoS attacks amounted to an offence of unauthorisedmodification under s.3 CMA and the case refined the law regarding DoS.10S.
35 Police and Justice Act 2006 came into effect on 1st October2008 to it amend the old provision of s.3 CMA by criminalising DoS attacks. The2006 legislation expands on the CMA’s 1990 provisions on unauthorisedmodification of computer material to criminalise someone who does an unauthorisedact related to a computer with “the requisite intent” and ‘the requisiteknowledge”. The new provision also states that the requisite intent is anintent to do the act in question and by doing so; to impair the operation ofany computer, to prevent or hinder access to any program or data held in anycomputer, or to impair the operation of any program or data held in anycomputer.11So by applying the facts in DPP v Lennon and s.3 it would seem that Bob may beliable for the mailbomb attack on Allsafe Cybersecurity as it can be assumedthat he had intented for the DoS to occur. Whilst no information is present onwhy he left Allsafe Cybersecurity it could be presumed that he was dismissedand thus wanted to seek revenge by causing disturbance within the company. Ifthis was the case he could be liable under s.
3 and the case law established inLennon (2006) as he had direct intent and had the requisite knowledge due torecently joining the hacking group Xposure, to commit the DoS attack. Thecompany also did not consent to the attack. A s.3 offence tried in themagistrate’s court would carry a penalty of up to £5000 or/and a maximum of 12months’ imprisonment.12Allsafe called also bring up a civil claim for damages against Bob as it couldbe assumed that the attack against the business caused hindered their trade,resulting in a loss of income. Unauthorised acts with intent to impair The amendments madeto s.
3 CMA where used in the case of R v Weatherhead, Rhodes, Gibson andBurchall, where four men were charged with being part of the DDoS attack on anumber of attacks on payment sites such as Paypal, Visa and Mastercard as partof ‘Operation Payback’. Their convictions under s.3 were upheld. R v Jefferyprovided a similar result, as the defendant who defaced the website of theBritish Pregnancy Advisory Service with Anonymous logo and statement, wassentenced to 32 months’ imprisonment. By applying s.
3 and the decisions of therelevant case law, it can be assumed that Bob will be liable for s.1 as hesecretly used the Friendbook computers, implying that no consent orauthorisation to do so. The fact that he used the computers to coordinate theDDoS attack means that he had intent to impair and there be sufficiently fors.3. Under s.5(2)(a),Bob can be charged for the attacks on the White House and the Pentagon.However, as the DDoS attack was coordinated on the White House and thePentagon, there is a possibility that Bob could be extradited to the US, underthe Extradition Act 2003. In the case of McKinnon, the defendant was in an evidentbreach of s.
3 but his extradition to the US was refused on human rightsgrounds, as his mental health problems made him a suicidal risk.13However, in Ahzaz v US (2013), the defendant was also in breach of s.3 but ashe had no issues with his health he was extradited. Judging by the facts of thecases it is quite possible that Bob has breached US law as a DDoS attack on theWhite House or any other government building would most likely constitute aserious offence.14The fact that there is no additional information about any potential metalhealth problems may mean that Bob being extradited to the US will be more likelyto occur, however this is for the courts to decide.
CarlaLiable under the Terrorism Act 2000 or terrorism Act2006S.57 Terrorism Act2000 deals with possession of articles which gives rise to reasonablesuspicion, whilst s.58 deals with collection and possession of informationwhich would likely be useful to a person committing or preparing to committerrorism15. A s.59 offence is concernedwith committing an offence to incite terrorism overseas, however this is not relevantin this scenario as the information is specifically about UK military airports.
In R v M & Others (2007), it was held that articles under the meaning ofs.57 could not be extended to documents and records due to express provisionbeen made for those items under s.58. However, R v Rowe (2007) overruled thecase and held that s.57 and s.58 dealt with different aspects of activitiesrelating to terrorism.16The courts also held that a person who possesses information was likely to beuseful to a person who may be committing or preparing an act of terrorism. Thiscould therefore suggest that Carla possessing information for publication, suchas detailed maps on and advice on to make home made explosions onto a websitecalled ‘fighting firepower’ could be a strong indication that Carla has specificintention for UK military airports to be destroyed.
Part 1 TerrorismAct 2006 is an alternative offence to the 2000 Act and it deals with terrorrelated offences which involve the encourage of terrorism and propaganda. S.1of the Act makes it an offence to publish statements likely to be understood bysome or all members of the public as direct or indirectly encouragement tocommission, preparation or instigation of terrorism.17S.2 makes it an offence to distribute, sell, circulate, transmit electronicmaterial intended to encourage members of the public to be directly orindirectly commit, prepare or instigate terrorism.
18S.3 of the act just connects the previous sections to the internet.19In RV Zafar the Court of Appeal considered the interplay of s.57 and Part 1, and itwas held that Part 1 referred to propaganda and encouragement, whilst s.57 referredto the use of articles for terror purposes. Carla may argue that she onlyoperates an anti-war activist website and its therefore not related toterrorism.
However, in R v Brown (2011), the defendant was selling theAnarchist’s cookbook and argued that s.2 Terrorism Act 2006 and s.58 was inbreach of his human rights, it was held that the statutory defence of reasonableexcuse did not apply, therefore, it most likely won’t apply for Carla too. Havingall UK military airports and information on how to gain access with detailedmaps and bomb making advice would possibly not be seen as reasonable. This formof information arguably goes well beyond being an activist, therefore Carlacould still be liable for a s.57 offence as the materials on the website seemto be preparatory materials, as opposed to propaganda materials which wouldfall under Part 1 instead.
DineshDisclosure of sexual image and offensive status S.33 of theCriminal Justice and Courts Act 2015, states that it is an offence to disclosea private sexual photograph or film, without the consent of an individual whoappears in the photograph or film, and with the intention of causing thatindividual distress. S.34 outlines the elements of the offence, which are;disclosure without consent, disclosure is with the intention of causingdistress and must be private and sexual.20Whilst, S.35 outlines the meaning of “private” and “sexual”.
Both Dinesh andMonica where ‘sexting’ each other, which involved exchanging private sexualimages of themselves with each other. However, the image of Monica was postedon Friendbook with no consent, which thus caused Monica distress as she saidshe would never forgive him, which may constitute a s.35 offence. Dinesh improperlyused Friendbook’s platform to post the message “Eric and the world, Monica is aslut”. This can be seen as a form of a cyberstalking offence as calling Monicaa slut and directing it to Eric and the world (Public) can be viewed as insulting,grossly offensive and menacing in character. This can therefore make Dinesh liableunder, S.127 Communications Act 2003 which relates to improper use of public electroniccommunications network and S.
43 Telecommunications Act 1984 which relates toimproper use of telecommunication systems. The disclosure of Monica’s sexualimage and the status update could also make Dinesh liable under S.4(a)(1)Public Order Act 1986, as calling Monica a slut would constitute insulting wordsand, also sharing it globally via Friendbook would be seen as insulting andabusive towards Monica, as she states she would never forgive him. Potential liability for harassment S.1 Protectionfrom Harassment Act 1997 states that a person must not pursue a course ofconduct which amounts to harassment of another and which he knows or ought toknow amounts to harassment of the other. Referring to the elements of theprovision, Dinesh may be liable for s.1 harassment as he has sent Monica messagespleading for them to get back together, whilst there is no information on theexact number he has sent, it can be assumed that it was a substantial amount asshe found his constant messages upsetting. Dinesh continued to send Monicamessages even when she told him via text and a message on Friendbook that she doesn’twant to speak to him, therefore he must have been aware that his messages amountedto harassment.
A s.1 offence carries a penalty of up to six months imprisonmentand a restraining order under s.5.21In terms of a civil claim, Monica can sue Dinesh for harassment under the s.3 Protectionfrom Harassment Act even if he is not found liable of the criminal offence,however she will have to make her claim within six years. 1 S.
1 Computer Misuse Act 19902 Rv Bow Street Magistrate and Allison, ex parte US Govt 1999 HL 3 ibid n.14 Denco Ltd v Joinson (EAT 1991)5 Murray, A. (2016). Information Technology Law: The Lawand Society (Law & Society). 3rd ed. Oxford: Oxford University Press. 6 S.2 Computer Misuse Act 19907 S.2 Computer Misuse Act 19908 Andrew Murray, information Technology Law9 Fafinski, S., “Cyber crime”, (2007) The New Law Journal 157(7258),15910 Pinsent Masons, DPP v Lennon, (2007)11 S.35 Police and Justice Act 200612 S.3 Computer Misuse Act 199013 https://www.theguardian.com/world/blog/2012/oct/16/gary-mckinnon-extradition-decision-live14 The Computer Fraud and Abuse Act (CFAA)15 S.58 Terrorism Act 200016 http://www.lawsociety.org.uk/support-services/advice/articles/case-summaries/rowe-v-r/17 S.2 Terrorism Act 200618 S.2 Terrorism Act 200619 S.3 Terrorism Act 200620 S.34 Criminal Justice and Courts Act 201521 S.12(5) of the Domestic Violence, Crime and Victims Act 2004