Minimal adaptation has been done to remove text which was "Brunel-specific".
It should be noted that I am unable to provide hard and fast guidelines, mainly because the Act is relatively new and has yet to be put to the test in the Courts. I hope that I will be able to steer staff and students alike away from the more obvious pitfalls. It is worth emphasising that whilst the three offences are not the most serious in British law, each offence is punishable by a period of imprisonment.
Section 2 and Section 3 offences are what are termed "arrestable offences" and an individual may be arrested without warrant by a police officer if the police officer has reasonable suspicion that they have committed that offence. These offences are more serious than the Section 1 offence.
The two men had hacked into the British Telecom Prestel account and gained access to all the Customer Identification numbers. They left a number of messages in the Duke of Edinburgh’s private mailbox. Neither of the men was attempting to gain from his tour of Prestel, but they later said that they simply wished to demonstrate their skills by the access they gained. The offence with which they were charged is of interest today, because of its obvious inappropriateness for dealing adequately with the hacker. The exact offence with which they were charged was: "making a false instrument, namely a device on or in which information is recorded or stored by electronic means with the intention of using it to induce the Prestel computer to accept it as genuine and by reason of so accepting it to do an act to the prejudice of British Telecommunications plc"
The prosecution had to prove that the two men made a false instrument. There were two possible candidates for the role, the electronic impulses and the user segment. The trial Judge in his ruling said:
"...the defendant here made a series of electrical impulses which arrive at, affect and operate on what is called a user segment. These impulses are recorded or stored albeit for a limited period only ... by section 9(2) an instrument is sufficient and here there was, as I see it, an alteration to a user segment."
The two men were convicted and later appealed to the High Court. Their appeal was upheld by Lord Lane, Lord Chief Justice who said that the Forgery Act was not intended for computer misuse offences. The problem was that the machine was the "deceived" and the "false instrument" at the same time. Normally in a forgery case it was necessary to prove that some person was deceived. In this case the machine was both instrument and deceived entity.
1(1) A person is guilty of an offence if a) he causes a computer to perform any function with intent to secure access to any program or data held in a computer b) the access he intends to secure is unauthorised or c) he knows at the time when he causes the computer to perform the function that this is the case. 1(2) The intent a person has to commit an offence under this section need not be directed at a) any particular program or data b) a program or data of any particular kind or c) a program or data held in any particular computer. 1(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or both.
2(1) A person is guilty of an offence under this section if he commits an offence under section 1 above ("the unauthorised access offence") with intent a) to commit an offence to which this section applies or b) to facilitate the commission of such an offence (whether by himself or by any other person) and the offence he intends to commit or facilitate is referred to below in this section as the further offence. 2(2) This section applies to offences a) for which the sentence is fixed by law or b) for which a person of twenty one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years (or in England and Wales might be so sentenced but for the restrictions imposed by section 33 of the Magistrates Courts Act 1980). 2(5) A person guilty of an offence under this section shall be liable a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or both and b) on conviction on indictment, to imprisonment for a term not exceeding five years, or to a fine, or both.
3(1) A person is guilty of an offence if a) he does any act which causes the unauthorised modification of the contents of any computer and b) at the time when he does the act he has the requisite intent and the requisite knowledge. 3(2) For the purposes of subsection 3(1)b above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing a) to impair the operation of any computer b) to prevent or hinder access to any program or data held in any computer or c) to impair the operation of any such program or the reliability of any such data. 3(3) The intent need not be directed at a) any particular computer b) any particular program or data or a program or data of any particular kind or c) any particular modification or a modification of any particular kind. 3(4) For the purpose of subsection 1b above, the requisite knowledge is knowledge that any modification he intends to cause is unauthorised. 3(5) It is immaterial for the purposes of this section whether an unauthorised modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.
The Computer Misuse Act was created to prevent unauthorised access to computer systems and also to deter the more criminal elements in society from using a computer to assist in the commission of a criminal offence or from impairing or hindering access to data stored in a computer.
The section 2 and 3 offences, like many serious criminal offences, require an intent on behalf of the offender. Individuals committing those offences are clearly entering into the criminal arena and it would be difficult for them to claim that they did not believe that they were doing anything wrong.
Ignoring, for the moment, the more serious Section 2 and 3 offences, the Section 1 offence may be problematic for college staff and students alike. The police are often asked to advise college staff and systems managers about their responsibilities should they become aware of a Section 1 offence being committed. It is very difficult for the police to provide any kind of framework in this area, especially when it is clear that college authorities appear to be dealing with unauthorised access as a disciplinary matter and providing their own internal college sanctions. It is my view that internal disciplinary sanctions are more than likely appropriate. However, it may be worthwhile, when considering the action to be taken to seek advice from your local police fraud squad.
There are obviously differing degrees of seriousness dependent upon the individual circumstances. If you believe that there is some evidence that an individual is gaining unauthorised access in an attempt to commit Section 2 or 3 offences then we strongly recommend that the facts are reported to the police. In the long term this may be in everyone's best interests.
Dealing again mainly with Section 1 offences, unauthorised access, students should be aware that this is an offence which could ultimately lead to a period of imprisonment. It should be borne in mind that giving your user id and password for your college system to a friend or acquaintance who is not an authorised user may well lead to a court appearance, should a complaint be made to the police by the college authorities.
Furthermore, exploration within a system to which you have authorised access could also put you in jeopardy. If there is a hierarchy of privilege in your system, you must bear in mind the wording of the Section 1 offence if you are considering entry to parts of the system for which you do not have the requisite privileges.
In fairness, the ramifications of unauthorised access by students or staff should be well advertised. There should not be any equivocation or ambiguity about the access to which an individual is allowed. As a student you should not have any doubts about what your authorisation allows. If your college rules are not readily accessible or are in any way vague or unclear you should protest to the appropriate authority.
It would be worth considering forming a user group, consisting of students and staff to formulate policy in respect of computer misuse. The more "users" are involved in the group, the more likely the necessary information will be circulated to all those likely to be affected.
In conclusion, prevention is this area is almost certainly better than the cure. The parameters for use of college systems should be made clear as should the likely action which may be taken against those who transgress. Also, students should be able to seek advice if they are unsure about what they are or are not authorised to do on a college system.
Detective Inspector Michael Gorrill, Greater Manchester Police Commercial Fraud Squad