Let’s face it, we’ve all thought how good it would be to read that juicy and interesting email you can see on your co-worker’s screen in front of you, or to access their email and forward it on to another person or your personal email address.  If’ you are actually going to do it then STOP!  It is a criminal offence and you are breaking the law, as shown in this recent article from The Caterer www.thecaterer.com/articles/500312/gordon-ramsays-father-in-law-admits-computer-hacking

The Computer Misuse Act

The government passed a new law in 1990 called The Computer Misuse Act which categorises the unauthorised access or distribution of content as a criminal act, punishable by a large fine and/or up to 10 years in prison.  An example would be obtaining the password to someone else’s personal email account and then forwarding their emails to a third party.

How Are People Caught?

Every time you access a system or view data your computer address is recorded.  For instance, if you were to access a hotmail.com email account for example, Microsoft would record the IP address from where the access was made.  This record also shows the date and time, and often what was accessed.

To give an example, suppose you were to access a person’s hotmail.com email account from your Virgin Media home computer.  In this instance, Microsoft would record the fact that someone with an IP address owned by Virgin Media accessed the account at a specific date and time.  This in itself could not be proven to be you, as often IP addresses are shared between many houses and in this instance Virgin Media customers.  However, the Police and the Court would be able to enforce Virgin Media to identify what customer was using that IP address at that date and time.  Once the Police knew the customer that had that IP address was you, they would pay you a visit and take you into questioning.  The Police would have the power to confiscate your computer equipment for analysis and may retain it until after the court trial.

To use the same example, if you accessed the same hotmail.com account from your work PC computer, not only would Microsoft have recorded your company’s IP address (which would be shared amongst all its employee’s), but it is also likely your company firewall would have recorded you and your PC accessing hotmail.com at that time and logged that information.

Think of an email message as a letter.  Whenever this ‘letter’ is forwarded, sent or received, as it passes through each computer system to its final recipient, each computer system puts the letter in its own envelope, including any previous envelopes.   Each envelope is therefore an audit trail of who sent it, what email system it originated from and where it was sent to.

What Are the Offences and How Do You Know if What You’ve Done is Illegal?

Section 1 – Unauthorised Access to Computer Material

If you have accessed a computer system or email address that was not yours – for example a Hotmail.com or work email account – using a password that was not given to you by the owner of that account or system, it is illegal and carries a combination of a fine and a 6 month prison sentence.  This applies even if you have only viewed information and not distributed it or deleted it, as you have still accessed the data or information without authorisation.  If you have also changed the password to an email or computer account without the owners permission and have therefore secured their access this is also classed as an offence under the act.

Section 2 – Unauthorised Access with the Intent to Commit or Facilitate a Crime

This is similar to the first offence but concerns the act of accessing the information for the purpose of doing something illegal.  This could mean guessing the owner of the server or email accounts’ password or knowingly following a password recovery email with the intention of accessing the system using a changed password that the recovery email would allow you to do.  Distributing the information to a third-party or yourself carries a 5 year prison term.  If you have facilitated the commission of the offence – for example by changing the password of the account so another person can access the information – this also carries a 5 year prison term.

Section 3 – Unauthorised Acts with intent to impair, or with recklessness as to impairing the operation of a computer

You would be guilty of an offence if you do any unauthorised act in relation to a computer, at the time knowing it is unauthorised and impairing the operation of the computer system, preventing or hindering access to any email system, program or data held in a computer, or impairing the operation of any such system, program or data.  This penalty was recently increased to a 10 year prison sentence or fine, and includes the distribution or introduction of a virus or malware into a system.

Section 3ZA – Unauthorised Acts causing, or creating risk of, serious damage

This is primarily aimed at those people who seek to attack the critical national infrastructure.  (Depending on the motives of the perpetrator, terrorist legislation may be appropriate.)

Section 3A – Making, Supplying or Obtaining Articles for Use in Offence under Section 1, 3 or 3ZA.

This section creates offences designed to criminalise those who make or supply “malware”.  Whether an offence has been committed will depend on demonstrating that the offender has the necessary intent, as the act does not criminalise possession in itself.  A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under Sections 1, 3, or 3ZA.  In addition, if the person obtains any article intending to use it to commit, or to assist in the commission of an offence under section 1, 3 or 3ZA, there is up to 2 years in prison.

In Summary?

With the recent case of email hacking in the news, hopefully the public will be more aware of the illegality of hacking someone’s computer system or viewing email addresses without the consent of the owner of that email system.  With the likely prospect of at least a 6 month prison sentence and the ease of which you can be identified, always ask yourself the question, “Is it worth it?”

Look at the Our Services pages to see how we can help secure your IT systems and ensure any passwords are not easily guessed.

Further reading can be found here http://www.cps.gov.uk/legal/a_to_c/computer_misuse_act_1990/