General Chat Thread, is it illegal?? in General
6th March 2009, 12:00 PM #61
If you were given a drink by a friend and it was 'herbal' and contained a variety of illegal drugs you can still be charged. You are responsible for knowing what you eat, drink and do. Admittedly, your friend can also be hit very hard too. As I said, ignorance is not a defence, but can be used in mitigation. Commonly you see this in situations such as people with spiked drinks who commit ABH or people with a history of mental illness. Mitigation takes place where there has been a partial duty by either the victim, the state or another party to restrict the chances of the crime being committed. This, like intent, is one of the things that lawyers will spend ages working on.
Originally Posted by Hacksawbob
6th March 2009, 12:12 PM #62
I haven't read all this thread as it's really long now, so apologies if I am repeating someone else's thoughts!
Yes it is definitely illegal, however to my knowledge only a handful of people have been caught and this is the problem. You need to be caught to be convicted and someone with malicious intent can commit a crime using your unsecured network and then be long gone.
Thankfully I do see far less unsecure home wireless networks these days than I used to, say, 2 years ago. I think people are definitely wiser about security in some respects, but certainly not all. The next hurdle will be explaining why WPA is better than WEP, so it'll give some users a false impression they're secure and up-to-date.
The biggest common culprit these days is undoubtedly spyware, and "why did my laptop get spyware if I have a secure wireless network?" Of course they're completely unrelated, but interesting how some people view security.
6th March 2009, 12:28 PM #63
RTFM - seriously ... pretty much all suppliers have stuff in there about setting up the security of the device. They may not say that it is because of the Communications Act, Computer Misuse Act or DPA but people can go to the library and find out about what they should do about these things. The fact that it requires them to get off their backside and be proactive is a barrier in today's society ...
Originally Posted by mac_shinobi
You have a car. You are not expected to be able to build one from scratch, to reprogram the computer in most modern cars or to even certify that it is roadworthy. There are people around to do that for you. There is legislation around for that and for things like planes.
Some rich people own airplanes but it does not mean to say that they should have to take it apart and repair it themselves and know everything that a plane has and how to take it apart and put it back together blindfolded - they pay someone else for that to take care of all the technical bits n pieces and if you are not aware of wireless security for whatever reasons (lack of RTFM) or just wanting wireless to work and it just works so why fix it if it ain't broke kind of approach and no one else tells them then how are they meant to know.
I deal with end users a lot as I am sure most (to all) people on here do and it's amazing how many times you just want to -->
The thing you could have pointed towards was an area with little legislation and where you have to find information out yourself. The humble bicycle.
You can take one on the road at the drop of a hat. You don't have to have a licence or insurance and yet there are cases of cyclists killing people, directly or indirectly. There is an onus on the cyclist (or the person legally responsible for them) to follow certain laws. The Highway code is an example of the guidance available that is backed up by numerous laws (principally the Traffic Acts) and yet many cyclists and pedestrians have never read it (you would think this of many other road users too actually!) and yet should a cyclist be on the road after dark without lights then they can be charged, if a cyclist is on the pavement then they can be charged, if a cyclist is drunk then they can be charged and if a cyclist causes death by dangerous riding then they can be charged.
Not a perfect analogy, but getting closer methinks. The fault with the analogy is that you *own* the bicycle ... still looking for an equivalent where you get possible access or control of something where it is not yours or in your intended ownership, but it is a good analogy for ignorance not being an excuse.
6th March 2009, 12:32 PM #64
Borrowing someone's bike, or stealing one?
Originally Posted by GrumbleDook
6th March 2009, 12:42 PM #65
The actual term they use is to "secure access" and by connecting you have inherently gained access to network/network resources you shouldn't have. I am struggling to see the point of connection as it's moot. Once connected you have secured access to resources you shouldn't, fact.
The use of the word 'gain' refers to an action taking place, either through intent or through negligence, in most acts. In the communications act this can be taken to be where access is gained to the service or system, not a connection between two devices. If that was the case then negotiation of connection between two devices, such as cast messages to blue tooth devices that leave their device status as discoverable, would be illegal.
This is the same regardless of it being wired or wireless, the connection type is irrelevant. You may struggle to negotiate with an ethernet port but it's still attempting to gain access to something you shouldn't. Once you are "connected" you have "secured access" to a network you shouldn't.
The only diff between an Ethernet port and connecting over wireless is the physical negotiation versus the electronic negotiation with access. Attempting to do either is an offence knowingly. Once you have plugged it in/negotiated the pairing to the stage that network packets are sent you are further in breach as it's no longer an attempt to access and more you have secured access.
There is no data negotiation exception in the act. Once connected you could sniff packets almost if connection was inherently allowed but use banned. You're receiving data you have no control over in broadcast but naturally this is not a defence as you have access to data you're not authorised to.
As for Bluetooth, it's not even compatible tbh. Discoverable devices are the same as spotting wireless points. Discovering does not mean you have "secured access" or have attempted to the same way as scanning what access points are available is not a crime. Looking around the room spotting ethernet ports is not a crime but is it not a crime to actually attempt to "secure access" by negotiating an ethernet cable into the hole in the wall (if caught mid action). That is intent tbh unless you are useless with pc and believe it will recharge your laptop for example and then you would need to prove you had no idea what you were doing.
If you attempt to "secure access" by negotiating a connection with the device to attempt to "secure access" to its resources, yeh that should be illegal by the act and quite rightly so. The negotiation is the attempt to gain access. Its success/failure has nothing to do with it tbh as if you are knowingly trying to connect to an open access point that uses mac address lists you would not connect as it would fail but the attempt should be seen as an attempt to "secure access" to something you're not supposed to. The point I thought was that it's illegal to attempt to access a network/computer/service (the network is a service) you know you shouldn't. If the negotiation is not important then it could be seen that you can effectively keep attempting to "secure access" but only once you do it becomes illegal, that would effectively condone hacking as long as you did not get in as only once you secure access and then use the access would you be breaking the law.
This is the act Computer Misuse Act 1990 (c. 18) and I am only really discussing it and not policies as that's separate.
I may be missing something but to me the act seems clear. Trying to secure access to stuff you're not supposed to, be it over wireless or a network port, is the same thing. I want to ensure I am clear as it's always important to know the law
Cheers for explaining so far GD but I am still struggling to see the exception for negotiating. This post is a little over the post as we are debating it in the office too but if it is seen as "use" being the important factor then you can effectively try to hack VPNs etc and be legal until you actually get in?
6th March 2009, 01:03 PM #66
Ah ... I can see where the confusion and difference of view is here.
Connection is between two devices, access is with a system or network.
Two devices may negotiate a connection without any access to the system being available. You cannot get any further than just a connection unless you meet specific requirements with your machine. This is where it goes up the OSI model with the packets and how they are used.
I can put a plug into a socket on the wall outside a block of flats (lift the weather protection cover, pull out the plastic fake plug and then plug mine in) but I do not switch the plug on or my machine on. I am gaining no electricity but have 'negotiated' a connection (physical in this example rather than packet based) but that is pretty much the same when just talking about connection to an open wireless network. The throwing of the switch is when action can be taken against the person putting the plug into the socket.
The same with the wireless network, it is when packets start to travel on the system that are not designed for negotiation of connection, (remembering that things like DHCP, DNS obtained from the connected routing device are part of that negotiation too). That is use. We need to remember that the majority of breaches that venture into the 'use' territory will be covered under the Communications Act and not the CMA.
The CMA is geared for when access is then made to specific services where the accused has no right of access under any normal circumstances. In the OP's example the accused is accessing the 'Net, something available through other sources, under the CMA we are talking about the accused accessing your home music collection (home environment) or company files (corporate environment), or services that they would otherwise not have access to (eg services that you run or have paid to use such as an internal streaming video service such as the closed system pumping out channels via Virgin Media or Sky)
There is an overlap between the two acts so it is easy to see why people concentrate on one rather than the other. The relevance of the DPA is on the 'victim' here ... should they hold data that they should be holding securely under the principles of the DPA and you gain access to these then you are *both* at fault, but under different acts. One of several reasons why certain big names do not seek to have charges raised against war-drivers because they could get hammered themselves.
6th March 2009, 01:06 PM #67
Great minds ... just done that to show the difference between negotiation and access. It is better if the plug socket is on the wall of a street so we don't get people raising doubts about trespass too!
Originally Posted by Gibbo
The bike analogy was intended to show culpability (fault) and where ignorance is not a defence rather than the wi-fi access.
6th March 2009, 01:13 PM #68
But surely that means I can attempt to negotiate using different passwords but only once negotiated with the correct password/mac etc would I be committing a crime. If I have the wrong MAC/password I have not secured access until I get it correct. Also is the network itself not a service to allow connections between PCs and by using the network service you can see data over the network?
it is when packets start to travel on the system that are not designed for negotiation of connection, (remembering that things like DHCP, DNS obtained from the connected routing device are part of that negotiation too). That is use.
I think we are getting there now with thrashing this out, I know how much fun you have reading/writing documentation GD so I do bow to your experience, I just want to clear up my impression of the act.
6th March 2009, 01:15 PM #69
so quite a good thread then posted by me lol.
just a quick yes or no will be fine
6th March 2009, 02:08 PM #70
6th March 2009, 02:12 PM #71
I'd imagine that trying different passwords would be considered attempting to gain illegal access. Similar to trying to pick a lock. Regardless of whether you manage or not, the act of attempting to pick the lock is a crime (I think).
Originally Posted by ZeroHour
Of course, knowledge of how to do it is in itself not illegal, so you could happily practise it on your own access point.
6th March 2009, 02:25 PM #72
Aha ... the use of security (or attempt to bypass it) raises the level of packet traffic to the application layer! You are now in breach of CMA! We also need to remember that in law in England and Wales (Scotland and NI do have a few more exceptions but should also conform to this) the attempt to commit a crime is the same as *actually* committing a crime. Variations of this abound ... 'going equipped' actually refers to having tools or items which can be used to prove the intent or attempt to commit criminal acts, as well as being a criminal act itself in a number of cases.
Originally Posted by ZeroHour
If you are driving round with certain software that breaks down the security and encryption to gain access to a connection to a network then you may be collared for going equipped *unless* you have a reason for it.
Police no longer carry slim jims in their cars anymore (device used to pop locks on many cars when people get locked out) because they would be going equipped. Garages are not meant to carry them unless they are on their way to unlock a car that has called in with the problem.
6th March 2009, 02:48 PM #73
I think this is the relevant section from the Communications Act 2003:
So it's only an offence to connect to a wireless point with intent to avoid paying for such a service, so if you accidentally connect to your neighbour's access point when you have your own, it's fine.
Dishonestly obtaining electronic communications services
(1) A person who—
(a) dishonestly obtains an electronic communications service, and
(b) does so with intent to avoid payment of a charge applicable to the provision of that service,
is guilty of an offence.
(2) It is not an offence under this section to obtain a service mentioned in section 297(1) of the Copyright, Designs and Patents Act 1988 (c. 48) (dishonestly obtaining a broadcasting or cable programme service provided from a place in the UK).
(3) A person guilty of an offence under this section shall be liable—
(a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum, or to both;
(b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine, or to both.
If you connect because you've used up your usage allowance, it's not.
If you connect because you don't have your own access point, it's not - unless of course you're sufficiently stupid to not realise you don't have one, and think your laptop comes with "the internet"
My housemate and various guests I've had to my house have inadvertently connected to the neighbour's wireless connection point, and sometimes only notice it when they try to access resources on our network, as of course Windows would otherwise Auto-connect to our network as it knows the WPA passphrase.
6th March 2009, 03:57 PM #74
This is not in the CMA though, it does not state along the lines of "you're allowed to secure access as long as it's open before and you don't beat security and you don't actually use the connection"
Originally Posted by GrumbleDook
If we take the act literally I can only see it as meaning one thing, securing access regardless of use or security measures used is a breach of the act. It does not differentiate. If you are not specifically allowed access then you are in breach. I know common sense may apply to parts but the act is fairly clear imho and if it does not differentiate between types etc of securing access then it's a cover all rather than a cover common sense. The act does not seem to care about packet technicalities either which tbh I think is better. The more technical an act the more likely people will get off with said technicalities.
The clarity comes from:
This implies trying to secure access is the crime. You will inherently see data over the network when you connect (in a receiving state) so it's hard to argue connecting would never result in seeing data.
A person is guilty of an offence if he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
I have to say I am enjoying this thread, I just don't want you to think I am naysaying you GD, just passing thoughts.
6th March 2009, 05:12 PM #75
Happy to have some discourse about it all.
Another thing to remember is that the laws are statements to which you apply to circumstances and events. In the courts this is expanded to give case law and the rulings on case law give context and meaning to the bare statements.
Having said that, the key point I was making about trying to access things on a secured network is the point where the application layer hits. An attempt to gain access is an attempt to connect to the network and bypass / break the security that has been set. This is at the application layer and requires intent to do it. The device you are connecting to no longer is treated as a network or dumb device (as mentioned when talking about what is a 'connection' under the Communications Act) but as a service. The attempt to use the service is the crime. Remember that a router is a computer ... one designed for a particular task and it runs many programs (units of code). Wireless routers are an example of this and the security features are a program in themselves ... this is one of the reasons why packets at this level are part of the application layer (yes ... gross generalisation and even a slightly patronising comment ... not intended that way.) This is the bit where the crossover between Communications Act and CMA is not clear ... if you connect to a secure network it is CMA, but if you then use the company's PBX to make calls it is Communications Act too. It could look like they *only* use Communications Act when CMA cannot easily be proved. If you can't get them on one thing, hit them with something else.
IIRC a chunk of this has already been discussed and published on outlaw as well as slashdot ... a hunt through my mail archives will be needed. Strange to think that a bunch of lawyers have explained it all far more eloquently and with a goodly amount of technical specialism too.