Hi list,
This is possibly off topic, but I figured that the technical experts in
the field were better positioned to offer a helpful answer/opinion to my
questions.
In the course of accessing a website (which, for our purposes, we will
consider as "the platforms necessary to deliver the services provide")
what constitutes legal and illegal access to information?
1. Is an authentication and authorisation procedure required to
grant access to what $SITEX deems sensitive? What is the minimum
requirement for distinguishing between public/sensitive
information? At what point must a user be notified about this?
2. Must information be classified? Must users of the site,
regardless of whether they are authorised to access sensitive
information be notified that certain information is stored on
the site and authorisation must be granted prior to accessing?
(again, this relates to 1)
3. In the absence of an authentication/authorisation procedure,
what constitutes as protection for the information? For example
if I attempt to inject SQL into a database to return data, but
this data has not been marked sensitive (i.e. the site security
policy is not communicated to the user) am I committing a crime?
I suppose other laws come into play at this point (DPA). But if
am unaware as to the nature of the data, is the site in
olation by not affording the information adequate protection?
(At this point I suppose I should report this to the DP
Commissioner, but what is my legal position?).
4. What if I attempt to validate the controls in place, i.e. I do
not attempt to exploit a weakness but I do check for the
existence of one (e.g. I test for error codes;). In this
instance, have I committed a crime by putting the system into a
state where it generates an error code (assume the system has
not been damaged/modified/etc due to this activity). Many real
word analogies to this one (e.g. checking a door to see if it is
locked), etc.
I suppose the underlying question is:
What is misuse and must I be informed of what constitutes misuse on
each website I visit?
As a reference, I offer section Section 1 of the Computer Misuse Act,
1990 (c. 18) [UK] states:
Unauthorised Access to Computer Material
1. - (1) A person is guilty of an offence if -
(a) he causes a computer to perform any function with intent
to secure access to any program or data held in any
computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform
the function that that is the case
(2) The intent a person has to have to commit an offence under
this section need not be directed at -
(a) any particular program or data;
(b) a program or data of any partciular kind; or
(c) a program or data held in any particular computer
Thanks in advance for your opinions (or pointers to the obvious answers
I may have missed).
Kind Regards,
Dave.
--
http://dave.mongers.org
