Breaching an AUP a Crime In Western Australia 121
An anonymous reader writes "A recent court case highlights that breaching an acceptable use policy at work could land you in court in Western Australia: a police officer doing a search of the police database for a friend was fined — not for disclosing confidential police information, but for unlawful use of a 'restricted-access computer system' — cracking. More worryingly for West Australians, this legal blog points out that breaching any Acceptable Use Policy would seem to be enough to land you in jail for cracking — for example, using your internet connection to break copyright."
I don't see a problem with this (Score:4, Insightful)
I'm authorized to use the computer at work to search through medial records (I'm an Pharm.D), but I can get in trouble (and fined) for searching HIPAA records without cause.
Re:I don't see a problem with this (Score:5, Insightful)
Exactly.
Almost nothing in this article suggests a vendor's AUP is the topic under discussion.
The guy was using a police database for pete sake. These things are always governed by special rules and regulations just like HIPAA.
Unlawful use of a 'restricted-access computer system' is not the same as an AUP issue. Once the system is covered or by a legal "Restricted-Access" designation its not an AUP.
Re:I don't see a problem with this (Score:4, Funny)
The problem here, is that this person is a police officer, yet he is being charged with a crime. Being a police officer is very demanding, and the same rules can not apply to them.
Re: (Score:2)
What? That's ridiculous. Police officers should have to follow the law like everyone else.
Re: (Score:2)
Re: (Score:2)
It seems so. It is ridiculous enough to be a sarcastic post, but I have actually seen people say similar things in a serious manner.
Re: (Score:1)
If you are alive, you would have seen the biting sarcasm in that post. We've had a number of recent high profile cases of police acting as if they are above the law.
FTFY.
Re: (Score:2)
Though compared to the US the issue overall is fairly minor.
Re:I don't see a problem with this (Score:5, Insightful)
Being a police officer is very demanding. The same rules can not apply to them. The rules are stricter for them.
There, corrected that for you.
Re: (Score:3)
Not just police officers are covered by this, ALL public servants are, our country takes a very dim view of people abusing their position to access personal information for fun or profit and it is a federal offence.
Re: (Score:2)
No, it's a state offence. Given the wording, I'd guess that this was related to section 440A of the criminal code, which is related to unauthorised use of a restricted-access system.
It has nothing to do with AUPs but a LOT to do with a stopping people from doing stuff they shouldn't be on a computer system that complies with the code.
Systems with AUPs are rarely "restricted access systems" - Most systems don't comply. The police network does.
So do some public networks. It's not going to be possible to prote
Re: (Score:2)
Actually there are a few other networks, medicare, centrelink, taxation, etc.
'Unauthorised' is about four pages of stuff (so far as centrelink and other public sector jobs go, not sure about police) you can't do with a system you have to access.
Of course other systems are protected by vairous laws, using someone elses wifi, hacking a facebook account (if the hacking is done in Australia) are among the things that are considered a federal offence. (just not under this specific one)
The law is very well used i
Re: (Score:2)
I read the summary, and came to the same conclusion based on the charge. (A similar charge exists in the US, and I had to look it up for an internet debate at one point. A restricted-access computer generally has to be run by the government.)
Thanks for laying things out so clearly at the front of the article... I didn't even have to put the first leg of my pedantic-bitch pants on...
Re: (Score:2)
So you see nothing wrong at all with someone accessing your police records, credit rating, medicare records etc who has no reason to do so?
I think it's wrong, but they weren't charged with something quite so specific. From the link:
Re: (Score:3, Insightful)
Accessing a private system in a way that is forbidden by it's owner should get you fired. Accessing confidential information for personal reasons might be a breach of contract or, in the case of medical records and other sensitive information, even be illegal in its own right. However, simply misusing a private system shouldn't be a criminal act.
It seems to me that it could be likened to trespassing. A property owner could allow the public onto property providing that they abide by certain conditions. Failu
Re: (Score:2)
Re: (Score:3)
TFA here though isn't referring to someone "sneaking a few minutes break at work to check a website while they wait for an email", it is talking about a police officer accessing personal and by its nature I would imagine very sensitive information on a police database, not a random website, that they had no legal reason to be accessing. This is a far cry from using company time to surf the web.
Re: (Score:2)
eg. "Victoria Police and the problem of corruption and serious misconduct"
http://www.opi.vic.gov.au/file.php?61 [vic.gov.au]
The NSA used levels of access, subsets of information was never open to anyone not cleared for that unique operation. The East Germans split all their spy info so no one person could ever walk out with full details.
In the private sector its
Re: (Score:2)
I don't think we should confuse the notorious Victorian Police with the West Australian Police. Very different organisations.
Re: (Score:2)
I don't think we should confuse the notorious Victorian Police with the West Australian Police. Very different organisations.
Not so different as you might hope. e.g. when Andrew Petrelis was going to testify against a local colourful identity, police unrelated obtained his "protected" location from the police database, and he died mysteriously. The high-profile drug boss is still free many years later. Must have many friends in high places.
Re: (Score:2)
Following HIPAA regulations is different then a simple violation of an AUP.
Re: (Score:2)
It's a police database. Pretty sure it's not an "Acceptable Use Policy" at issue here, I'm pretty sure it's a fucking law.
This is a non-story.
Re: (Score:2)
Yup, all public servants are covered by that same law, they are not allowed to access any official records on any close acquaintance.
Re: (Score:1)
There is no problem with this.
breaking the law can result in prosecution.
This is only possibly news to anti-copyright hippies living in moms basement.
There again...thats 99% of readers here.
Re: (Score:2)
Pathetic troll is pathetic. Try a bit harder next time, okay?
Or was yours some kind of meta-troll meant to offend through its low quality of workmanship rather than its actual contents? In that case, well played sir!
That's the problem with Modern Art/Trolling: you can never tell if a garbage bin is part of the exhibition or furniture.
Re: (Score:1)
Agreed. I used to work for the police (not as a police officer, just regular staff) and my job routinely involved accessing, creating and supplementing various kinds of records, most of which contained confidential information and all of which were protected by law in terms of access, sharing, use, publication and so on. This access was most definitely audited. Anyone accessing records without being able to demonstrate a legitimate reason was in trouble and this kind of unwarranted access may well form p
And that's why US law is different. (Score:5, Insightful)
Re: (Score:2)
The US ruled against a law which gives corporations more power?
Are we talking about a different US?
Re: (Score:1)
This is a work-related system, so possibly they have a signed contract between the employee and the police, which would be dealt with in the same way in the US.
Contracts that aren't signed are one thing, but if both parties have signed it, then it is a "Breach of contract", and definitely a crime in the US.
Re: (Score:2)
Re:And that's why US law is different. (Score:5, Informative)
How could breach of contract EVER be a crime?? It is a breach of contract, not a violation of a law, when you breach a contract you get the consequences listed in the contract, or if you refuse them a civil law suit, but not a fine and not a prison sentence.
Re: (Score:3)
How could breach of contract EVER be a crime?? It is a breach of contract, not a violation of a law, when you breach a contract you get the consequences listed in the contract, or if you refuse them a civil law suit, but not a fine and not a prison sentence.
My reading of TFA is that breach of the AUP itself was not what made this illegal. The AUP was merely the mechanism that had communicated to (or perhaps reminded) Ms Giles that her use was unauthorised.
Similarly, say a self-employed personal is contracted in to provide some sort of safety role, in the knowledge that the other party would be wholly reliant on their performance for safety, then recklessly fails to fulfil that role. The contractor may then be up for involuntary manslaughter not because of brea
Re: (Score:2)
Think of it in terms of trespass. Trespass law says, basically, "It's a crime to be on private property if the owner doesn't want you there," but it doesn't say anything about why the owner doesn't want you there. So if I say "you can walk across my yard" and my neighbor says "you can walk across my yard as long as you're not wearing a red shirt," you're committing a crime if you walk across my neighbor's yard wearing a red shirt, but walking across my yard, you're fine.* The crime is not in your choice
Re: (Score:2)
Thats a nice analogy for something that ,however , isn't true.
A breach of contract does not breach criminal law. Its not a crime to breach a contract unless it devolves into ,say, fraud (which is narrowly defined) or something like that.
It is however a breach of civil law and thus is sueable.
Re: (Score:2)
AUPs and TOSs aren't contracts, though. The law hasn't decided exactly what they are. It's an area that will almost certainly keep evolving.
Re: (Score:2)
I think the GP point is that if you require people to wear a red shirt to cross your lawn, then the man wearing a blue shirt will not be trespassing in a legal sense, because you have allowed access, he is just violating your terms of that access, which is a breach of contract, but in most legal systems not a crime. This is like going on the subway without a ticket, not a crime either, but has a civil fine.
Re: (Score:2)
breaking your vows as a county/country/national official is usually a crime though. and doing favor searches for a friend is exactly that.
Re: (Score:2)
Re:And that's why US law is different. (Score:4, Informative)
Contracts that aren't signed are one thing, but if both parties have signed it, then it is a "Breach of contract", and definitely a crime in the US.
Breach of contract is NEVER a crime in the US.
When you borrow money from the bank, and then miss a payment, you are in breach of contract. That's not illegal. You aren't a criminal. Its not a crime.
The contract may spell out consequences when you are in breach that you may be subject to (such as having the full loan amount being immediately repayable...) and the bank can sue you for damages caused by you not making your payment... and so forth.
Re: (Score:2)
Not a contract, its a law in Australia that public servants are not allowed to access records of close acquaintances.
Re: (Score:2)
But the law she was charged under (Section 440A(2) of the WA Criminal Code) wasn't restricted to public servants accessing the records of close acquaintances. She was charged for breaching the AUP of the system
The law states that anyone who violates the AUP of any restricted access computer system has committed a criminal offence.
As an example, I found a forum that requires a username and password to access it. So it is a restricted access computer system. The owners have an AUP. One of the things it forbid
Re: (Score:2)
http://www.slp.wa.gov.au/pco/prod/FileStore.nsf/Documents/MRDocument:20273P/$FILE/CrimCdActCompilationAct1913_16-a0-01.pdf?OpenElement [wa.gov.au]
Re: (Score:2)
Ok, what is really wrong here? All I can see happening is a fuck load of trolls going to jail.
Jail for posting, say, profanity doesn't strike you as harsh?
Re: (Score:2)
Profanity is fine if the server says you can post it. You are not required to hit the 'submit' button, you are also not required to post on that site.
Its the equivelant to spray painting swear words on the side of someones house.
Re: (Score:2)
So you think jail time for that is OK?
Its the equivelant to spray painting swear words on the side of someones house.
Hardly. A post can be deleted and a user banned. No need to scrub and whitewash, just a few clicks.
Re: (Score:2)
So things can be deleted off the internet without leaving a trace? You sir just made my day :)
Even just that someone appears to have credibility by being a member of a site or forum can have a huge detrimental effect when that member behaves inappropriately. And such things, once posted on the net, have a habit of sticking around, and no amount of white wash can remove them.
Re: (Score:2)
These "things" you speak of aren't criminal defamation (which would have its own remedies) or other such nasties, but a transgresion of an AUP.
Since you still appear to think jail time would be appropriate for someone breaching the AUP of a forum, that has made my day.
Re: (Score:2)
Sorry for the late reply, 4 days in hospital kind of left me out of touch.
In this day and age, where you can 'digitally sign' a document with your mouse by clicking a few buttons, how does the AUP of a site not become a contract for your usage of said site?
Re: (Score:1)
So far, the courts in the U.S. have ruled against such an idea, because in effect it would let companies define the law for themselves, at whim.
Not germane here.
Break into your local police computer system and see how far the courts protect you.
It wasn't a "policy" that was violated, it was a "LAW". There are similar laws in virtually every state as well as at the federal level.
Re: (Score:2)
That is what I thought, but according to the summary he was sued for violating the policy not for violating the law. This might be a misunderstandment or this might be a devious attempt to set a precedence by using the wrong violation in an otherwise obvious case.
Re: (Score:1)
That is what I thought, but according to the summary he was sued for violating the policy not for violating the law. This might be a misunderstandment or this might be a devious attempt to set a precedence by using the wrong violation in an otherwise obvious case.
That's why you should always RTFA instead of trusting the summary.
From TFA:
unauthorised use of a restricted-access computer system. And that is an offence under the Criminal Code (WA). Section 440A(2)
She (not he) was not sued. She was CHARGED with a violation of a statute.
Re: (Score:2)
...except if this was a cop, it was likely authorized use.
The cop just abused their access priveledges.
This is a violation of an internal policy, not cracking or trespassing.
Re: (Score:3)
If he abused his access privileges then it is not 'authorized use'. The laws are against unauthorized use.
Re: (Score:2)
A similar issue came up in the United States in 2008. Lori Drew [wikipedia.org] was prosecuted for violating the MySpace terms of use when she logged in with an alias, which meant accessing MySpace computers in "excess of authorized use"*. The jury convicted her. The judge threw out the conviction for the reasons mentioned by other posters along with the idea that the law would be unconstitutionally vague because t
Re: (Score:2)
Authorized use is for the purposes of an official investigation. Not looking up personal acquaintances.
The police database is not the fucking white pages.
Re: (Score:3)
This is a violation of an internal policy, not cracking or trespassing.
Can you not READ?
Its a violation of Australian LAW. They even quoted the law for you on TFA. She was found Guilty.
Still you want to argue?
From which college did you get your Australian Law degree?
Re: (Score:3)
Regardless, that isn't what the article was about.
Re: (Score:3)
"it would let companies define the law for themselves, at whim"
The key point being that "at whim" means without paying sufficient amounts of money to legislators. Companies are free to define the law for themselves, as long as they are willing to pay for it.
Re: (Score:2)
Not to mention that most AUPs say "we reserve the right to change any term with or without notice at any time", which could be construed as ex-post facto law if you are not notified with sufficient opportunity to cure.
Re: (Score:2)
This has nothing to do with AUP. This is entirely because the idiot was accessing a secure government system.
So far, the U.S. gov't has extradited people for this and the U.S. courts have given them custodial sentences.
Pretty sure article/summary is overboard (Score:5, Informative)
It's no different than having access to a system tied into say patient records. There's no need or reason for you to go looking at information on someone else who you aren't treating or don't have permission to look at (for example in the US you have to sign papers for doctors to transfer your medical records etc to another doctors office).
I think the article is extrapolating something to include everything, where it shouldn't
Re: (Score:2)
I agree with what you say on this. Personally I'm surprised he only got fined, in Canada if you do what he did and you're a cop it's one of a few choices depending on how bad it is. Demotion of on average of 4 ranks(down as far as 4th rank constable -- that's one step above a base recruit), no pay for 60 days, or fired.
Hmmm (Score:2)
When your job is to uphold the law, it is a bad idea to organize the conspiracy.
missing the point entirely (Score:2)
By default you have privacy and property ownership: the Wireless Telegraphy Act in the UK, for example, doesn't let you intercept messages without the consent of the sender. Just because it's "on the Internet", laws don't suddenly stop applying. So, unless your contract stipulates otherwise, standard laws apply - and the AUP specifies the limit on what you're allowed to do with someone else's system. Make sense?
One step closer (Score:2)
to prison for violating an EULA...
Malicious or stupid. Or both. (Score:5, Insightful)
TFA says right off the bat that in the case in question, Giles v Douglas, was charged under a CRIMINAL statute. Giles was granted special permission under certain specific conditions to use the police database. She did not adhere to those conditions and thus her use of the database was impermissible. Impermissible use of the database is a criminal offence (instance of s440). There's nothing special about this case.
Breaching the AUP is not a crime. Breaching the AUP in a manner that leads to committing a crime is also not a crime. BUT COMMITTING A CRIME IS A CRIME! It just so happens that an AUP is involved in the details of this case.
Re: (Score:2)
In other words it was a violation of internal policy.
It's impossible to know from observing the "crime" whether or not it was infact a crime.
THIS is probably what a lot of people here have trouble with. It was an act that was not obviously illegal just by looking at it.
Re: (Score:2)
Breaching the AUP is not a crime.
Nobody is suggesting that it is.
However: Accessing your ISPs systems without permission is illegal access and is a crime.
Do you have permission? Only if you obey the AUP.
The article thus posits that by breaching the AUP you cease to use the services in an authorised manner. Using the services in an unauthorised manner is illegal and you broke the law.
I personally think it's full of shit, but legally it may nonetheless be true. Ask a lawyer.
Re: (Score:2)
Breaching the AUP is not a crime.
Nobody is suggesting that it is.
so now we're not even reading the titles of summaries on slashdot anymore?
Re: (Score:2)
The title is sensationalistically misrepresenting the article. That doesn't qualify as a claim.
Re: (Score:2)
Then read the title of TFA!!! Or actually read TFA!!! Is TFA sensationally*** misrepresenting TFA too?!
I hope for the sake of your country that you do not vote. Stubborn people like you who spout off whatever the hell you believe, despite obvious and irrefutable proof of the contrary, are a cancer amidst society.
Re: (Score:2)
Wtf? Read my fucking reply to your fucking post. TFA clearly fucking states that by breaching AUP you may cease to be accessing your ISP in an authorised manner, thus making it an unauthorised access, which is accessing it without permission, which is illegal. Breaching the AUP isn't illegal, accessing a computer network without permission is.
You're a cunt and I vote to try and stop people like you setting laws.
restricted-access computer system (Score:3, Interesting)
restricted-access computer system means a computer system in respect of which —
(a) the use of a password is necessary in order to obtain access to information stored in the system or to operate the system in some other way; and
(b) the person who is entitled to control the use of the system —
(i) has withheld knowledge of the password, or the means of producing it, from all other persons; or
(ii) has taken steps to restrict knowledge of the password, or the means of producing it, to a particular authorised person or class of authorised person;
The definition of 'restricted-access computer system'. My interpretation of this, is that a police database would fall under this, but an internet connection would not. But the law isn't worded very well. It seems it was added in 1990, and written by someone with little understanding of computers.
Re: (Score:2)
Re: (Score:1)
Yes. The blog has a link to the WA government website, which has latest criminal code (as of 18/10/10).
Yes most internet connections you authenticate, but you don't need a password to access the internet. And would you define the entire internet as a 'computer system'?
It also states the 'computer system' must be restricted to authorised person(s). The internet isn't a restricted system.
Cracking? (Score:2, Offtopic)
So using a system you already have access to but not following workplace policy is cracking? You sound like one of those people who refuses to have a bank account and then wonders why nobody will hire you.
Re: (Score:2)
Re: (Score:2)
There are no laws against 'hacking' or 'cracking'. The laws are against "unauthorized use of a computer". It doesn't matter what method you used to access the computer, just that it is not authorized. Just like unauthorized access to physical property can get you a 'breaking and entering' charge, even if the only breaking you did was to push open an unlocked door.
Re: (Score:2)
Its not workplace policy, its law that no one is allowed to access police (or any other public database) for purposes other than their job. Remember with the information in these files they could set up a massive identity theft, blackmail, etc.
Re: (Score:2)
Corporations: Then we won't do business with you.
People: Fine! We don't need you.
Corporations:
People: I miss facebook. And my mobile phone won't work. And I want to see the next episode of House.
Corporations: Sign the agreement.
People: Oh... you win.
Criminalization of a civil issue (Score:2)
Transfers the cost to the taxpayers, and makes fishing expeditions pretty painless, and zero risk, for the companies doing it.
Huh? What's the problem? (Score:5, Insightful)
Re: (Score:1)
/. doesn't get along with rules well (unless it is the GPL, the holy word of RMS [blessed be his beard]). All it would take is a poorly worded summary and /. would be up in arms against a law that prohibits using planet-killing scale weapons.
Re: (Score:1)
/. doesn't get along with rules well (unless it is the GPL, the holy word of RMS [blessed be his beard]).
You misspelt infested.
Re: (Score:3)
It's a blog post that completely misses the fucking point. If wikileaks had reported that Australian police were allowed to look up information on citizens without a valid reason (i.e. for shits and giggles) everyone would be up in arms saying, "Isn't this terrible?".
I haven't RTFB, but I have RTFS, and it already addresses this:
"a police officer [...] was fined -- not for disclosing confidential police information, but for unlawful use of a 'restricted-access computer system'
What is worrying in the story is that she was not fined for her real, very serious, and I hope very criminal offense, but instead was fined for something which is usually not considered a criminal offense, but merely a breach of contract: Using a service with permission but not complying with the u
Re: (Score:3)
It does make sense like it is. In your car analogy there were two crimes committed: car theft and murder. If they had evidence he took the car, and didn't have evidence that he was the murderer, it would indeed make sense to only charge him with car theft. For the case at hand, I don't know if a cop giving someone information is a crime or not, but even if it was, how would they prove it? She gave the info to a friend, at the friends request. Who would even know a crime occurred?
The fact that she was c
Searching Obama's student loan info (Score:1)
The people who searched Obama's student loan info during his campaign got in a lot of trouble. They all lost their jobs and I think got probation. How is what the cop did any different?
Most companies of any decent size or who work with a company of any decent size have an AUP that makes it pretty clear that you can only access data on the company's systems for your job duties and not for anything else. If you violate that AUP you are aware it is wrong and should face the consequences. If you're lucky yo
newsflash: (Score:2)
If i don't like the colour of your fence i can take you to court over it. Doesn't mean i'll necessarily win.
I think this is far more reasonable than the cases in the US of people for example taking people to court for burning themselves on coffee because it wasn't labelled as hot, and WINNING.
If you abuse your authority to access private information, or breach terms of use that you signed then it SHOULD be legitimate for the provider to take you to court over it. If you disagree with terms of use, do
Un-Authorised use (Score:1)
This situation is quite common.
It is illegal for Government Officers (in Oz and probably elsewhere) to use a Government Data Base for anything outside their authorisation. Like searching for a friends address.
The logs are kept and frequently analysed.
Nothing to see here. Move along! (Score:1)
I worked for WAPol (West Australian Police) up until 3 years ago (almost to the day! 3 Years and four days), and the police make it very clear to their employees that they aren't allowed to use the Police Database etc for looking up info that isn't related to a case they're working on.
It's not considered 'cracking' either. Unlawful use just means the person was using it for something other than their work, and when you have the sort of information the police database has on people you will know why you ca
Re: (Score:2)
But the law as written isn't just for police or even just public servants. It applies to anyone accessing any computer system (even those they have access to, like a forum) that requires a password and doing something outside the terms of the AUP of that system. Nothing in the way that the law is written applies to accessing confidential information, just to breaching the AUP of the system.
The fact that a police officer was charged (and convicted) under this law seems to be occupying everyone's attention, b
Re: (Score:1)
Nothing in the way that the law is written applies to accessing confidential information, ...
The law specifically covers unlawful access. This is not necessarily CRACKING as the article claims:
she was convicted for common cracking
. She was actually convicted for using the system beyond her authority.
This law goes both ways. The police cannot come to your house and go through your computers without a warrant. If they do turn up and start accessing your computers without a warrant and without your permission you can sue them under the same law.
WA Pol have an AUP which is specifically designed to cover the illegal and unauthorise
Re: (Score:2)
I agree that what she did was wrong.
However I maintain that it seems like just about anyone could be in breach of any AUP. If a forum's AUP forbade things like "rudeness, flaming, profanity and blasphemy" and somebody let loose one day with a stream of invective (I have heard that happens on some forums), is that really a criminal offence?
Re: (Score:1)
Technically all those things are considered criminal offences already whether performed on-line or off. They're covered by anti-discrimination / Harassment / hate speech laws etc (we have no blasphemy laws, but anyone making blasphemous comments are usually prosecuted under the anti-discimination laws for vilification).
Most forums based in WA would probably have those things listed in their AUP just to cover their own butts.
I know of a case which was thrown out of court for wasting the courts time because
Not only Australia (Score:1)