
Crime

This article is based on UK law. It was last updated in August 2005.

Overview

Many would say that the internet is a criminal's playground. The ease with which it is possible, for example, to set up a spoof site, and do so anonymously, is cause for concern. Crime involves police, fines and prison sentences, as well as suing and being sued. Assuming your business intends to operate entirely above board, you may wonder what this subject has to do with you. You're not a hacker, you're not a thief. Possibly, this subject will have nothing to do with you – if you're fortunate. However, businesses risk becoming the victims of on-line crime and risk being held criminally responsible for the actions of their employees. It's worth knowing the risks.

The law is still developing, but there is plenty of existing legislation to regulate criminal activity on the web.

Hacking

Hacking is the popular term for what is properly called "cracking". Most experts take the view that a "cracker" is one who breaks into someone else's computer system, while a "hacker" is just a good computer programmer. Anyway, under the Computer Misuse Act, the following are offences:

  • Obtaining unauthorised access to computer material
  • Unauthorised modification of computer material
  • Unauthorised access with intent to commit or facilitate commission of further offences

The maximum sentences for these offences range from six months imprisonment and/or a £500 fine to five years imprisonment and/or an unlimited fine.

Anyone responsible for a system, whether an ISP or the operator of a web site or network, should take steps to bring the limits on the permitted use of their systems to the notice of their users.

Depending on the circumstances, an employer could be held criminally responsible where cracking is being carried out by one of his or her employees without the employer's knowledge. This is due to the legal concept called vicarious liability. An employer is vicariously liable for the wrongful or negligent acts of his or her employee committed within the general scope of his or her employment.

Viruses

A virus is a piece of programming code that causes some unexpected and usually unwanted event. Viruses take many different forms. Some will activate immediately; some lie dormant until executed by a particular event; some will corrupt data held on a computer or network so as to render it useless; some are merely playful. Sometimes, a virus can replicate itself; this is known as a worm. Worms are a type of virus that does not corrupt files but will self-replicate and spread itself, and in doing so can slow down or crash a network.

If a virus causes data corruption, the person who developed and/or introduced it onto the relevant system can be guilty of a crime under the Computer Misuse Act.

For example, a virus could get into your system without your knowledge, and it could spread to those receiving e-mail attachments from your system. This could very well result in your liability for negligence (i.e. civil liability, as opposed to criminal). In such an action, a court might want to know what procedures were in place in your business to detect viruses, to show that you were not negligent. Accordingly, effective virus detection software could serve your legal interests as well as those of your system's security.

A worm could be more difficult to deal with under the Computer Misuse Act; but see the consideration of Denial of service attacks, below.

Denial of Service attacks

Several leading web sites have been the victims of so-called Denial of Service, or DoS attacks. These are attacks by individuals who flood a web server with false and untraceable requests for information, overwhelming the system and ultimately crashing it.

If the responsible individual is prosecuted in the UK, it is likely to be under the Computer Misuse Act. Unfortunately, the Act predates the growth of the internet and it is not well suited to deal with such an attack. It is feasible that, depending on the nature of the attack, an attacker could slip through a loophole. This is because the Act expects there to be access to or modification of material. In a 'simple' DoS attack, arguably there is no such access, although there is likely to be such access in what is known as a Distributed Denial of Service attack, or DDoS attack, where other computers are hijacked and used to join in the attack on the target without their owners' knowledge.

However, in England, it is possible that either a 'simple' DoS attack or a DDoS attack could constitute an offence under the Criminal Damage Act. In Scotland, either attack could be prosecuted as malicious mischief.

There have been attempts to update the Computer Misuse Act to make it clear that DoS attacks are unlawful.

Software piracy

According to an independent study in 2003 commissioned by the Business Software Alliance (BSA), nearly one third of all business software used in the UK is pirated.

When the BSA talks about piracy it refers to the use of unlicensed software. Some would argue that not all uses of unlicensed software amount to piracy; but either way, any unlicensed use is unlawful.

Software piracy is a crime which can be punished with imprisonment and a fine. It is not only a matter for the police; it can also involve customs officers, trading standards authorities and advertising standards authorities, as well as civil actions for damages.

You should also consider the risks of your business using pirate software. Many businesses are either unaware that they have unlawful copies on their system or turn a blind eye to it. Even if such a business is not caught, piracy poses other costs. Illegally copied software may contain viruses that can wreak havoc on a business.

You also need to watch out for illegally bundled software. Some resellers offer a system bundled with numerous copies of popular programs. Check that all documentation and necessary licences are supplied with the software and that they are valid.

Bear in mind that, even if it is individual employees obtaining and using illegal software, your business and/or its directors and other officers can be held liable.

In the UK, criminal penalties for companies and their directors can include unlimited fines and up to 10 years in prison. Civil penalties include damages. The Federation Against Software Theft (FAST) is a body created by the software industry which promotes the legal use of software. Reports can be made to FAST where the illegal sale or use of software is discovered. FAST offers guidance to businesses on ensuring that use of software is legal. Use of illegal software can also be reported to the BSA (mentioned above). The BSA offers a financial reward to anyone providing information on a company using illegal software.

Guidance to employees

If you have not given formal guidance to your employees on what software they can and cannot use, you should do so. An employee's handbook, for example, could be used to explain to each employee, among other matters, that:

  • he or she must not copy any program installed on his or her computer for any purpose without prior written permission;
  • he or she must not install any program onto his or her computer without prior written permission;
  • [the business] will not tolerate any employee making unauthorised copies of software;
  • any employee found copying software illegally is subject to disciplinary measures and even dismissal;
  • if he or she wants to use software licensed by [the business] at home, he or she must consult with [a manager] to ensure that such use is permitted by the relevant licence.

If covering such matters in a handbook or by any other means, make sure they are read and understood by each employee.

If you have not got one, you should consider compiling an inventory of all software stored on all computers (and elsewhere) and ascertain that valid licences exist for each piece of software (and any authorised copies of it). Any unlicensed software found should be deleted and, if appropriate, replaced with licensed copies.

Fraud

One reason many people are reluctant to shop on-line is a fear of credit card fraud. Many are under the impression that when they give their details to a website, their credit card number will be intercepted by an internet eavesdropper. Fraud takes many different forms with varying penalties depending on the circumstances. The difficulty for the police is in catching those responsible.

Spoofing attacks, for example, can cause serious security problems for some companies, yet the attack can be straightforward and the attacker may be untraceable. Most of these attacks involve mail spoofing, where the "from" address is falsified in one or a series of email messages, making the recipient think they are communicating with a legitimate person or business. Another variation is to create a dummy web site to persuade the user that they are accessing the legitimate site. Although the user enters the correct URL, the local name server has been spoofed into believing that the domain name corresponds to the address of a web server run by the cracker. Typosquatters can also commit fraud by taking advantage of users entering an incorrect URL.

Internet pornography

It is an offence in the UK to possess any indecent photograph or pseudo photograph. The reference to pseudo photograph means that electronically formed images which look like photographs are also caught. The penalty for this crime is up to six months imprisonment or a fine.

It is also an offence to publish an obscene article (and the publication need not be for financial gain). The definition of article includes pictures. Publication covers distribution, circulation, showing or transmitting the data which makes up the obscene article. The test for 'obscene' is that the article must tend to deprave or corrupt people who are likely to read, see or hear it. The penalty for this offence is imprisonment of up to three years or a fine. The test of what constitutes obscenity is probably more liberal than that which applies to adult magazines in a newsagents.

It is also an offence to email anything grossly offensive, indecent, obscene or menacing.

Child pornography

The Protection of Children Act of 1978 makes it an offence to distribute or share indecent photographs of children or have them in one's possession with a view to doing this. Children include those under the age of 18 and those giving the impression that they are under 18. The meaning of "child" was changed with effect from 1st May 2004, increasing it from 16 years of age. 

Again, pseudo photographs are caught by this, as are copies. This is relevant because, when information is downloaded to your computer from the internet, you are copying it onto your own computer. This is not only the case if an image is saved; the process of viewing itself also involves copying (albeit transiently). Data stored on a computer disk is also caught if it is capable of conversion into a photograph.

The Criminal Justice Act of 1988 makes simple possession of indecent photographs or pseudo-photographs of children an offence (i.e. without any intention to distribute or share them).

Racism on the internet

The online publication of material that is threatening, abusive or insulting is an offence in circumstances where hatred is likely to be stirred up against any racial group in Britain under the Race Relations Act.

Terrorism on the internet

According to the UK's Terrorism Act of 2000, it is an offence to provide or receive instructions in the making or use of firearms, explosives, or chemical, biological or nuclear weapons. Bomb-making instructions landed a US webmaster in prison in 2003 under US laws.

ISPs and liability for content

In a well publicised case, German prosecutors brought charges against the local manager of CompuServe in connection with child pornography on the internet.

Under the E-commerce Directive and the UK's equivalent E-commerce Regulations (see our article, The UK's E-commerce Regulations), generally speaking, ISPs will have no liability for data content when they only provide access or transmission services. Even if they take a more active role and host a web site, they will not be liable for the content of that website, provided that:

  • they do not know of any offending material which appears upon that site; and
  • they move swiftly to remove such material once they have knowledge of its existence.

At present, there is little guidance as to what constitutes 'offending material.' ISPs should make it a condition that anyone wishing to host adult or offensive material first presents a visitor with a clearly readable warning on the nature of the material in the site and that it is only suitable for those aged over 18. The ISP should also reserve the right to remove any site not complying with the conditions of use. Although the ISP will not monitor the sites it hosts, in the event of complaint, the ISP will be justified in removing the site if it does not comply with the condition.

In England, a criminal case decided that someone could be guilty of importing indecent photographs of children where he was under the impression that he was importing pornographic material but unaware that it was child pornography. This reasoning could be relevant to ISPs. Knowing that a site contains illegal material could be enough for a prosecution – knowledge of the degree of illegality might not be necessary.

Images downloaded by employees

Downloading illegal images may well make an employee liable for summary dismissal. However, this will depend on whether dismissal is an appropriate sanction in the particular circumstances, so it should not be considered a general rule. No dismissal should take place until a full and proper investigation is carried out and fair disciplinary procedures followed. It is always advisable to seek advice from your solicitor before dismissing.

Any employer should have an internet and e-mail policy (read our article, Internet and email policies). The policy should specifically prohibit downloading pornography and make it clear to employees that this behaviour will not be tolerated and is likely to lead to instant dismissal. Having such a policy not only clarifies the rules for the employee but might also help you as the employer if there is a question of vicarious liability.

Issues of this kind are rarely clear-cut. If you are in any doubt over how to address a particular situation, you should always consult your solicitor.

Cryptography keys

Under UK legislation, the owner of a decryption key can be prosecuted and sent to jail if he or she fails to comply with a demand to hand over the key to the police, intelligence services or customs and excise. This is provided for in the Regulation of Investigatory Powers Act.

Data Protection

The Data Protection Act 1998 created a criminal offence of knowingly or recklessly obtaining personal data from a data controller, e.g. by breaking into the computer system of a company to retrieve information. In addition, there are responsibilities on web site operators to protect the security of their systems. The Act applies if personal data is kept on, or in connection with, a web site or in your office system or manual records. Even if you operate a website which just collects the email addresses of visitors, this may constitute personal information. The Act would also apply if your site provided a forum for visitors to exchange information.

The operator of such a website is under a legal obligation to take "appropriate technical and organisational measures" against unauthorised or unlawful processing, which would include crackers who might try to access the personal information. What is an appropriate level of security will vary according to the type of information stored. For example, medical and financial details would demand greater security than details of interests and hobbies. The business operating the website is also obliged to ensure the reliability of any employees with access to personal data.

Similar demands are placed on businesses which store personal information in other ways, not just websites. If personal data is held for the purposes of marketing or as employee records, whether manually or on a computer system, the Act will also apply.

Failure to comply with the Act can lead to the serving of an enforcement notice; failure to comply with the notice is a criminal offence. It is also possible that the directors and other officers of the company will be guilty of the offence. In addition, the individual whose data is compromised can sue the business for compensation and, depending on the circumstances, distress. For further information on this Act, you should see our legal information about Data protection.

Jurisdiction

Occasionally, the UK courts have encountered difficulties in applying domestic law when considering offences where part of the activity occurs overseas. However, the Computer Misuse Act deals with this, provided that at the time of the commission of the offence there was a significant link to this country.

Pornography will be met with varying levels of acceptance in different jurisdictions. For example, it is possible that the on-line seller of lingerie could fall foul of a strict regime such as Saudi Arabia's. Where the web site operator and the user are located in different countries, enforcement of national laws can be problematic. Generally, however, extradition will only be sanctioned by national authorities if the conduct complained of would constitute an offence if committed on its own territory.

If your web site has particular target markets, you can make it clear on the home page of your web site and use a disclaimer to reduce your risk of liability. For more information, see our guide on Jurisdiction.

Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.