Breaching an AUP a Crime In Western Australia

An anonymous reader writes "A recent court case highlights that breaching an acceptable use policy at work could land you in court in Western Australia: a police officer doing a search of the police database for a friend was fined — not for disclosing confidential police information, but for unlawful use of a 'restricted-access computer system' — cracking. More worryingly for West Australians, this legal blog points out that breaching any Acceptable Use Policy would seem to be enough to land you in jail for cracking — for example, using your internet connection to break copyright."

I don't see a problem with this

I'm authorized to use the computer at work to search through medial records (I'm an Pharm.D), but I can get in trouble (and fined) for searching HIPAA records without cause.

Re:I don't see a problem with this

[icebike]

Exactly.

Almost nothing in this article suggests a vendor's AUP is the topic under discussion.

The guy was using a police database for pete sake. These things are always governed by special rules and regulations just like HIPAA.

Unlawful use of a 'restricted-access computer system' is not the same as an AUP issue. Once the system is covered or by a legal "Restricted-Access" designation its not an AUP.

Re:I don't see a problem with this

[Interoperable]

Accessing a private system in a way that is forbidden by it's owner should get you fired. Accessing confidential information for personal reasons might be a breach of contract or, in the case of medical records and other sensitive information, even be illegal in its own right. However, simply misusing a private system shouldn't be a criminal act.

It seems to me that it could be likened to trespassing. A property owner could allow the public onto property providing that they abide by certain conditions. Failure to abide by those conditions would warrant getting kicked off the property. Refusal to leave would then constitute trespassing; however, trespassing would not occur the instant that an individual broke the conditions.

Accessing a system once authorization to use it has been revoked could be considered unauthorized use. Claiming that authorization is defacto revoked once the acceptable use policy is breached has the effect of using authorized use laws as a proxy to put breach of the acceptable use policy into the criminal code. That, I hope, goes against the intent of the law.

Re:I don't see a problem with this

[nurb432]

Following HIPAA regulations is different then a simple violation of an AUP.

Re:I don't see a problem with this

[Kalriath]

It's a police database. Pretty sure it's not an "Acceptable Use Policy" at issue here, I'm pretty sure it's a fucking law.

This is a non-story.

Re:I don't see a problem with this

There is no problem with this.
breaking the law can result in prosecution.
This is only possibly news to anti-copyright hippies living in moms basement.
There again...thats 99% of readers here.

Re:I don't see a problem with this

[SuricouRaven]

Much of this 'accessing a private system in a way that is forbidden by it's owner' is of a very trivial nature. Employes sneaking a few minutes break at work to check a website while they wait for an email, that manner of thing. The problem is that so long as it's possible for these trivial issues to be considered a serious offense of any form, there is the temptation for system operators to overreact - perhaps to make an example of someone, or settle a grudge.

Re:I don't see a problem with this

The problem here, is that this person is a police officer, yet he is being charged with a crime. Being a police officer is very demanding, and the same rules can not apply to them.

Re:I don't see a problem with this

[Barny]

Not just police officers are covered by this, ALL public servants are, our country takes a very dim view of people abusing their position to access personal information for fun or profit and it is a federal offence.

Re:I don't see a problem with this

[Barny]

Yup, all public servants are covered by that same law, they are not allowed to access any official records on any close acquaintance.

Re:I don't see a problem with this

[cheekyjohnson]

What? That's ridiculous. Police officers should have to follow the law like everyone else.

Re:I don't see a problem with this

[snowgirl]

I read the summary, and came to the same conclusion based on the charge. (A similar charge exists in the US, and I had to look it up for an internet debate at one point. A restricted-access computer generally has to be run by the government.)

Thanks for laying things out so clearly at the front of the article... I didn't even have to put the first leg of my pedantic-bitch pants on...

Re:I don't see a problem with this

Agreed. I used to work for the police (not as a police officer, just regular staff) and my job routinely involved accessing, creating and supplementing various kinds of records, most of which contained confidential information and all of which were protected by law in terms of access, sharing, use, publication and so on. This access was most definitely audited. Anyone accessing records without being able to demonstrate a legitimate reason was in trouble and this kind of unwarranted access may well form part of a criminal offense. I've also worked for a national utility and had access to millions of customer records. Again this was audited and inappropriate access was not acceptable. I knew people who were dismissed because they couldn't resist being nosy and I knew people who were the subject of criminal proceedings because they were stupid enough to see this data as a useful resource for their greedy schemes, or they were dumb enough to sell or even give away information to a 3rd party. Another thing I learned was that there are *always* people trying to access such data illegitimately, not by some fantastic technical exploit but by social engineering. People who do this can be expert, plausible and determined which is why access and audit procedures have to be rigorous and the laws have to be enforced.

Re:I don't see a problem with this

[Lorens]

Being a police officer is very demanding. The same rules can not apply to them. The rules are stricter for them.

There, corrected that for you.

Re:I don't see a problem with this

[Canberra+Bob]

TFA here though isn't referring to someone "sneaking a few minutes break at work to check a website while they wait for an email", it is talking about a police officer accessing personal and by its nature I would imagine very sensitive information on a police database, not a random website, that they had no legal reason to be accessing. This is a far cry from using company time to surf the web.

Re:I don't see a problem with this

trollface.jpg ??

Re:I don't see a problem with this

Everyone like to think he is special, not part of the masse. That make you part of the 99% of douche here.

Re:I don't see a problem with this

[smash]

If you were living in australia, you would have seen the biting sarcasm in that post. We've had a number of recent high profile cases of police acting as if they are above the law.

Re:I don't see a problem with this

[AHuxley]

Australia has had a lot of police database issues. From the removal of original files and the double life of officers as active spies for criminal groups.
eg. "Victoria Police and the problem of corruption and serious misconduct"
http://www.opi.vic.gov.au/file.php?61
The NSA used levels of access, subsets of information was never open to anyone not cleared for that unique operation. The East Germans split all their spy info so no one person could ever walk out with full details.
In the private sector its a can be a internet free for all.
http://www.theage.com.au/technology/security/vodafone-sacks-staff-over-database-breaches-20110114-19q0y.html
http://www.zdnet.com.au/virus-hits-integral-energy-desktops-339298861.htm
Australia has a lot to learn at the low and mid level computing, usually buying in systems from the USA and letting the locals try their best. The NSA and GCHQ have worked with our top level defence staff, so thats more safe.

Re:I don't see a problem with this

Gah. As the guy who wrote TFA, this is exactly wrong. They aren't governed by special rules, or she'd be charged under a special rule. Instead, she was charged with cracking. The fact that it's a police database was entirely co-incidental.

A Restricted-access computer system is defined in the criminal code as: "a computer system in respect of which —

(a) the use of a password is necessary in order to obtain access to information stored in the system or to operate the system in some other way; and

(b) the person who is entitled to control the use of the system —

(i) has withheld knowledge of the password, or the means of producing it, from all other persons; or

(ii) has taken steps to restrict knowledge of the password, or the means of producing it, to a particular authorised person or class of authorised person;"

Again, the fact that it was a police DB was entirely co-incidental.

Re:I don't see a problem with this

[obeythefist]

I don't think we should confuse the notorious Victorian Police with the West Australian Police. Very different organisations.

Re:I don't see a problem with this

[cheekyjohnson]

It seems so. It is ridiculous enough to be a sarcastic post, but I have actually seen people say similar things in a serious manner.

Re:I don't see a problem with this

[GrpA]

No, it's a state offence. Given the wording, I'd guess that this was related to section 440A of the criminal code, which is related to unauthorised use of a restricted-access system.

It has nothing to do with AUPs but a LOT to do with a stopping people from doing stuff they shouldn't be on a computer system that complies with the code.

Systems with AUPs are rarely "restricted access systems" - Most systems don't comply. The police network does.

So do some public networks. It's not going to be possible to protect, for example, a public service AUP such as Facebook or Myspace under this law. It excludes any service in which access is not restricted.

But I agree. He's likely to have broken other laws, both federal and state, with what he did.

GrpA

Re:I don't see a problem with this

[Barny]

Actually there are a few other networks, medicare, centrelink, taxation, etc.

'Unauthorised' is about four pages of stuff (so far as centrelink and other public sector jobs go, not sure about police) you can't do with a system you have to access.

Of course other systems are protected by vairous laws, using someone elses wifi, hacking a facebook account (if the hacking is done in Australia) are among the things that are considered a federal offence. (just not under this specific one)

The law is very well used in the case the specified in the story, she should not have accessed the system in that way.

Re:I don't see a problem with this

As an ex-employee of the Australian Federal Public Service, I can assure you that all public servants are governed by special rules, and that unauthorised access to federal systems is categorised as an illegal offense under some law that used to pop it's name up daily on my login screen but i can't remember the name of now.

Re:I don't see a problem with this

Luckily, that sort of abhorrent behavior only happens in Australia. Here in the US, that law enforcement officer would be spending lots of time behind bars. Our LEOs are top notch!

By the way, Cheekyjohnson, please look up "cheeky".

Re:I don't see a problem with this

[davester666]

If you are alive, you would have seen the biting sarcasm in that post. We've had a number of recent high profile cases of police acting as if they are above the law.

FTFY.

Re:I don't see a problem with this

So you see nothing wrong at all with someone accessing your police records, credit rating, medicare records etc who has no reason to do so? You would think the government was in the wrong if they pressed charges against this individual accessing your personal data?

I suppose if someone cracked into the DSD computer network to attempt to steal sensitive information and the goons came around to their house asking questions you would be posting articles here on /. saying the government was sending goons to enforce the MS EULA or some such and other sky is falling hyperbole? After all it could not possibly have anything to do with someone trying to crack into a network requiring top secret clearance could it.

Re:I don't see a problem with this

[MichaelSmith]

Though compared to the US the issue overall is fairly minor.

Re:I don't see a problem with this

[martinX]

So you see nothing wrong at all with someone accessing your police records, credit rating, medicare records etc who has no reason to do so?

I think it's wrong, but they weren't charged with something quite so specific. From the link:

However, at the core of both is the unauthorised use of a restricted-access computer system. And that is an offence under the Criminal Code (WA). Section 440A(2) reads:
(2) For the purposes of this section a person unlawfully uses a restrictedaccess computer system —
                                  (a) if the person uses it when he or she is not properly authorised to do so; or
                                  (b) if the person, being authorised to use it, uses it other than in accordance with his or her authorisation.

Remember, she was charged with breaching the AUP of the system, nothing else.

So, I read that as 'if you normally have access to a restricted access system (how about a forum that requires a username and password for posting?) and use it in a way you are not authorised to do so (like flaming, because that was forbidden by the AUP of the forum) then you could be criminally prosecuted.

The way the law is written, it seems as though this can apply to any 'misuse' (as defined by the AUP) of any restricted access system, not just those systems containing police records, credit ratings, medicare records, national security info, etc.

While it's obvious IANAL, the wording seems a little broad for my liking. The kind of "broad" the DPP likes to use when looking to boost the numbers for the quarterly stats.

Re:I don't see a problem with this

> is different then a simple violation of an AUP.

THAN not THEN.

Re:I don't see a problem with this

[quenda]

I don't think we should confuse the notorious Victorian Police with the West Australian Police. Very different organisations.

Not so different as you might hope. e.g. when Andrew Petrelis was going to testify against a local colourful identity, police unrelated obtained his "protected" location from the police database, and he died mysteriously. The high-profile drug boss is still free many years later. Must have many friends in high places.

Re:I don't see a problem with this

[ultranova]

Pathetic troll is pathetic. Try a bit harder next time, okay?

Or was yours some kind of meta-troll meant to offend through its low quality of workmanship rather than its actual contents? In that case, well played sir!

That's the problem with Modern Art/Trolling: you can never tell if a garbage bin is part of the exhibition or furniture.

And that's why US law is different.

[Jane+Q.+Public]

So far, the courts in the U.S. have ruled against such an idea, because in effect it would let companies define the law for themselves, at whim.

Re:And that's why US law is different.

[Haedrian]

The US ruled against a law which gives corporations more power?

Are we talking about a different US?

Re:And that's why US law is different.

[corsec67]

This is a work-related system, so possibly they have a signed contract between the employee and the police, which would be dealt with in the same way in the US.

Contracts that aren't signed are one thing, but if both parties have signed it, then it is a "Breach of contract", and definitely a crime in the US.

Re:And that's why US law is different.

[icebike]

So far, the courts in the U.S. have ruled against such an idea, because in effect it would let companies define the law for themselves, at whim.

Not germane here.

Break into your local police computer system and see how far the courts protect you.

It wasn't a "policy" that was violated, it was a "LAW". There are similar laws in virtually every state as well as at the federal level.

Re:And that's why US law is different.

You are correct, but you wouldn't receive a fine. Compensation would be required and determined in a civil court. The summarizer might have used the wrong terms though and I didn't rtfa so it might not have been an actual "fine", but compensation to the government.

Re:And that's why US law is different.

[Carewolf]

How could breach of contract EVER be a crime?? It is a breach of contract, not a violation of a law, when you breach a contract you get the consequences listed in the contract, or if you refuse them a civil law suit, but not a fine and not a prison sentence.

Re:And that's why US law is different.

[Carewolf]

That is what I thought, but according to the summary he was sued for violating the policy not for violating the law. This might be a misunderstandment or this might be a devious attempt to set a precedence by using the wrong violation in an otherwise obvious case.

Re:And that's why US law is different.

[icebike]

That is what I thought, but according to the summary he was sued for violating the policy not for violating the law. This might be a misunderstandment or this might be a devious attempt to set a precedence by using the wrong violation in an otherwise obvious case.

That's why you should always RTFA instead of trusting the summary.

From TFA:

unauthorised use of a restricted-access computer system. And that is an offence under the Criminal Code (WA). Section 440A(2)

She (not he) was not sued. She was CHARGED with a violation of a statute.

Re:And that's why US law is different.

[CanadianRealist]

"it would let companies define the law for themselves, at whim"

The key point being that "at whim" means without paying sufficient amounts of money to legislators. Companies are free to define the law for themselves, as long as they are willing to pay for it.

Re:And that's why US law is different.

[Jane+Q.+Public]

Breach of contract is at most a civil issue, not a crime.

Re:And that's why US law is different.

[Jane+Q.+Public]

The other responders have already explained this, I guess. In my state it is against the law for a police officer to use their records database in any way that is outside their official duties, just as you say. (In other words, unauthorized access and searches are illegal.) But I am far from certain that is true in all states.

Regardless, that isn't what the article was about.

Re:And that's why US law is different.

[shentino]

Not to mention that most AUPs say "we reserve the right to change any term with or without notice at any time", which could be construed as ex-post facto law if you are not notified with sufficient opportunity to cure.

Re:And that's why US law is different.

[vux984]

Contracts that aren't signed are one thing, but if both parties have signed it, then it is a "Breach of contract", and definitely a crime in the US.

Breach of contract is NEVER a crime in the US.

When you borrow money from the bank, and then miss a payment, you are in breach of contract. That's not illegal. You aren't a criminal. Its not a crime.

The contract may spell out consequences when you are in breach that you may be subject to (such as having the full loan amount being immediately repayable...) and the bank can sue you for damages caused by you not making your payment... and so forth.

Re:And that's why US law is different.

[jedidiah]

...except if this was a cop, it was likely authorized use.

The cop just abused their access priveledges.

This is a violation of an internal policy, not cracking or trespassing.

Re:And that's why US law is different.

[bws111]

If he abused his access privileges then it is not 'authorized use'. The laws are against unauthorized use.

Re:And that's why US law is different.

[Barny]

Not a contract, its a law in Australia that public servants are not allowed to access records of close acquaintances.

Re:And that's why US law is different.

[DaveGod]

How could breach of contract EVER be a crime?? It is a breach of contract, not a violation of a law, when you breach a contract you get the consequences listed in the contract, or if you refuse them a civil law suit, but not a fine and not a prison sentence.

My reading of TFA is that breach of the AUP itself was not what made this illegal. The AUP was merely the mechanism that had communicated to (or perhaps reminded) Ms Giles that her use was unauthorised.

Similarly, say a self-employed personal is contracted in to provide some sort of safety role, in the knowledge that the other party would be wholly reliant on their performance for safety, then recklessly fails to fulfil that role. The contractor may then be up for involuntary manslaughter not because of breach of contract but incidentally for the same reasons that he might also be sued for breach of contract.

Obviously there are still some issues here, like it appears rather easy to find yourself breaching your "authorised use" compared to the tests required to establish a criminal negligence in a manslaughter. Perhaps relevant though that this was a restricted database and Giles' employment position indicates she should have full appreciation of the restrictions and implications. That is very different to some garbage click-though AUP on home software.

Re:And that's why US law is different.

[Daniel+Dvorkin]

Think of it in terms of trespass. Trespass law says, basically, "It's a crime to be on private property if the owner doesn't want you there," but it doesn't say anything about why the owner doesn't want you there. So if I say "you can walk across my yard" and my neighbor says "you can walk across my yard as long as you're not wearing a red shirt," you're committing a crime if you walk across my neighbor's yard wearing a red shirt, but walking across my yard, you're fine.* The crime is not in your choice of clothing, but in being on the property against the owner's wishes.

*Except, of course, that you will be killed by the monster of the week.

Re:And that's why US law is different.

[Max+Littlemore]

This has nothing to do with AUP. This is entirely because the idiot was accessing a secure government system.

So far, the U.S. gov't has extradited people for this and the U.S. courts have given them custodial sentences.

Re:And that's why US law is different.

[sg_oneill]

Thats a nice analogy for something that ,however , isn't true.

A breach of contract does not breach criminal law. Its not a crime to breach a contract unless it devolves into ,say, fraud (which is narrowly defined) or something like that.

It is however a breach of civil law and thus is sueable.

Re:And that's why US law is different.

[Daniel+Dvorkin]

AUPs and TOSs aren't contracts, though. The law hasn't decided exactly what they are. It's an area that will almost certainly keep evolving.

Re:And that's why US law is different.

[smash]

The individual in this case may well receive a fine. However there are also likely privacy laws that were breached (seperate and standing on their own in addition to the breach of acceptable use) that the cop violated, and i'm guessing that is why the sentence was so stiff.

Re:And that's why US law is different.

[smash]

Authorized use is for the purposes of an official investigation. Not looking up personal acquaintances.

The police database is not the fucking white pages.

Re:And that's why US law is different.

[icebike]

This is a violation of an internal policy, not cracking or trespassing.

Can you not READ?

Its a violation of Australian LAW. They even quoted the law for you on TFA. She was found Guilty.

Still you want to argue?
From which college did you get your Australian Law degree?

Re:And that's why US law is different.

[slashqwerty]

If he abused his access privileges then it is not 'authorized use'. The laws are against unauthorized use.

A similar issue came up in the United States in 2008. Lori Drew was prosecuted for violating the MySpace terms of use when she logged in with an alias, which meant accessing MySpace computers in "excess of authorized use"*. The jury convicted her. The judge threw out the conviction for the reasons mentioned by other posters along with the idea that the law would be unconstitutionally vague because there would be a lack of guidance for law enforcement and a lack of notice to the public.

*The case was heavily covered on Slashdot. Drew's reasons for accessing the system were highly unethical but not illegal at the time, so the prosecutor decided to get creative and charge her with exceeding the level of authorization granted by the terms of use.

Re:And that's why US law is different.

[gl4ss]

breaking your vows as a county/country/national official is usually a crime though. and doing favor searches for a friend is exactly that.

Re:And that's why US law is different.

[Carewolf]

I think the GP point is that if you require people to wear a red shirt to cross your lawn, then the man wearing a blue shirt will not be trespassing in a legal sense, because you have allowed access, he is just violating your terms of that access, which is a breach of contract, but in most legal systems not a crime. This is like going on the subway without a ticket, not a crime either, but has a civil fine.

Re:And that's why US law is different.

[martinX]

But the law she was charged under (Section 440A(2) of the WA Criminal Code) wasn't restricted to public servants accessing the records of close acquaintances. She was charged for breaching the AUP of the system

The law states that anyone who violates the AUP of any restricted access computer system has committed a criminal offence.
As an example, I found a forum that requires a username and password to access it. So it is a restricted access computer system. The owners have an AUP. One of the things it forbids is "rudeness, insults, profanity, bad language". So to post something containing profanity is a breach of the AUP of that restricted access computer system ... an offence under Section 440A(2).

Don't get me wrong - there needs to be laws covering improper access to restricted and/or private information, but this law seems a tad broad.

Re:And that's why US law is different.

[Barny]

http://www.slp.wa.gov.au/pco/prod/FileStore.nsf/Documents/MRDocument:20273P/$FILE/CrimCdActCompilationAct1913_16-a0-01.pdf?OpenElement

440A. Unlawful use of computers
(1) In this section —
computer system includes —
(a) a part of a computer system;
(b) an application of a computer system;
password includes a code, or set of codes, of electronic impulses;
restricted-access computer system means a computer system in respect of which —
(a) the use of a password is necessary in order to obtain access to information stored in the system or to operate the system in some other way; and
(b) the person who is entitled to control the use of the system —
(i) has withheld knowledge of the password, or the means of producing it, from all other persons; or
(ii) has taken steps to restrict knowledge of the password, or the means of producing it, to a particular authorised person or class of authorised person;
use a computer system means —
(a) to gain access to information stored in the system; or
(b) to operate the system in some other way.
(2) For the purposes of this section a person unlawfully uses a restricted-access computer system —
(a) if the person uses it when he or she is not properly authorised to do so; or
(b) if the person, being authorised to use it, uses it other than in accordance with his or her authorisation.
(3) A person who unlawfully uses a restricted-access computer system is guilty of a crime and is liable —
(a) if by doing so the person —
(i) gains a benefit, pecuniary or otherwise, for any person; or
(ii) causes a detriment, pecuniary or otherwise, to any person, of a value of more than $5 000, to imprisonment for 10 years;
(b) if by doing so the person —
(i) gains or intends to gain a benefit, pecuniary or otherwise, for any person; or
(ii) causes or intends to cause a detriment, pecuniary or otherwise, to any person, to imprisonment for 5 years;
(c) in any other case, to imprisonment for 2 years.
Summary conviction penalty in a case to which paragraph (c) applies: imprisonment for 12 months and a fine of $12 000.

Ok, what is really wrong here? All I can see happening is a fuck load of trolls going to jail.

It pretty much says "play by the rules the system you have chosen to use stipulates or get your arse to jail". It may be a little harsh, but you are not required to hit the accept button under the AUP, its not one of those magic microsoft buttons that causes the world to asplode if not clicked.

Note, that a lot of sites where anonymous posting is allowed, without password, then it doesn't matter if there's an AUP, you are safe to use it in any manner you chose, slashdot for instance, 4chan as another.

Re:And that's why US law is different.

[martinX]

Ok, what is really wrong here? All I can see happening is a fuck load of trolls going to jail.

Jail for posting, say, profanity doesn't strike you as harsh?

Re:And that's why US law is different.

[Barny]

Profanity is fine if the server says you can post it. You are not required to hit the 'submit' button, you are also not required to post on that site.

Its the equivelant to spray painting swear words on the side of someones house.

Re:And that's why US law is different.

[martinX]

So you think jail time for that is OK?

Its the equivelant to spray painting swear words on the side of someones house.

Hardly. A post can be deleted and a user banned. No need to scrub and whitewash, just a few clicks.

Re:And that's why US law is different.

[Barny]

So things can be deleted off the internet without leaving a trace? You sir just made my day :)

Even just that someone appears to have credibility by being a member of a site or forum can have a huge detrimental effect when that member behaves inappropriately. And such things, once posted on the net, have a habit of sticking around, and no amount of white wash can remove them.

Re:And that's why US law is different.

[martinX]

These "things" you speak of aren't criminal defamation (which would have its own remedies) or other such nasties, but a transgresion of an AUP.

Since you still appear to think jail time would be appropriate for someone breaching the AUP of a forum, that has made my day.

Re:And that's why US law is different.

[Barny]

Sorry for the late reply, 4 days in hospital kind of left me out of touch.

In this day and age, where you can 'digitally sign' a document with your mouse by clicking a few buttons, how does the AUP of a site not become a contract for your usage of said site?

Pretty sure article/summary is overboard

[rrossman2]

It's no different than having access to a system tied into say patient records. There's no need or reason for you to go looking at information on someone else who you aren't treating or don't have permission to look at (for example in the US you have to sign papers for doctors to transfer your medical records etc to another doctors office).

I think the article is extrapolating something to include everything, where it shouldn't

Re:Pretty sure article/summary is overboard

You mean SlashFUD against some possible common sense law? Every country has some sort of database put together that lists vast amounts of the populations information intended to help those we put in authority solve crimes. When they start using that information to look up information on past girlfriends and neighbors without even a written report we have a problem. If these agencies really want to show the laws are effective they need to be shown the double edged sword and be tried the same way anyone else would be if they accessed information they were not entitled to.

Re:Pretty sure article/summary is overboard

[Mashiki]

I agree with what you say on this. Personally I'm surprised he only got fined, in Canada if you do what he did and you're a cop it's one of a few choices depending on how bad it is. Demotion of on average of 4 ranks(down as far as 4th rank constable -- that's one step above a base recruit), no pay for 60 days, or fired.

Hmmm

[Sulphur]

When your job is to uphold the law, it is a bad idea to organize the conspiracy.

missing the point entirely

[FuckingNickName]

By default you have privacy and property ownership: the Wireless Telegraphy Act in the UK, for example, doesn't let you intercept messages without the consent of the sender. Just because it's "on the Internet", laws don't suddenly stop applying. So, unless your contract stipulates otherwise, standard laws apply - and the AUP specifies the limit on what you're allowed to do with someone else's system. Make sense?

One step closer

[countertrolling]

to prison for violating an EULA...

Malicious or stupid. Or both.

[SpeedyDX]

TFA says right off the bat that in the case in question, Giles v Douglas, was charged under a CRIMINAL statute. Giles was granted special permission under certain specific conditions to use the police database. She did not adhere to those conditions and thus her use of the database was impermissible. Impermissible use of the database is a criminal offence (instance of s440). There's nothing special about this case.

Breaching the AUP is not a crime. Breaching the AUP in a manner that leads to committing a crime is also not a crime. BUT COMMITTING A CRIME IS A CRIME! It just so happens that an AUP is involved in the details of this case.

Re:Malicious or stupid. Or both.

[jedidiah]

In other words it was a violation of internal policy.

It's impossible to know from observing the "crime" whether or not it was infact a crime.

THIS is probably what a lot of people here have trouble with. It was an act that was not obviously illegal just by looking at it.

Re:Malicious or stupid. Or both.

And rephrased a different way, she purposefully access a police database for personal reasons. That's a very different league to someone browsing the net when they shouldn't at work.

I used to have access to the UK benefits (unemployment, disability etc) database when I worked for the Department of Work and Pensions. I used the database every day in the normal course of my work, and there were similar warnings against personal use splashed all over the login. However, it was made very clear to me during the induction that poking where I shouldn't would not only cost me my job, it would also be a criminal offense.

While the report doesn't mention it, I'd be very surprised if she hadn't had similar warnings during her training/induction.

If there were legitimate concerns that should be raised with the police regarding the child, she should have followed procedure, file a case or however they handle such things for the general public. If there aren't legal reasons to look up the data, then using the database should be as illegal as if I'd been concerned for a neighbour's finances and looked up his records.

Re:Malicious or stupid. Or both.

[Cederic]

Breaching the AUP is not a crime.

Nobody is suggesting that it is.

However: Accessing your ISPs systems without permission is illegal access and is a crime.

Do you have permission? Only if you obey the AUP.

The article thus posits that by breaching the AUP you cease to use the services in an authorised manner. Using the services in an unauthorised manner is illegal and you broke the law.

I personally think it's full of shit, but legally it may nonetheless be true. Ask a lawyer.

Re:Malicious or stupid. Or both.

[hldn]

Breaching the AUP is not a crime.

Nobody is suggesting that it is.

so now we're not even reading the titles of summaries on slashdot anymore?

Re:Malicious or stupid. Or both.

Well that's why we have courts and trials and judges because a crime needs to be proved, which in this case it was. People here have trouble with reality.

Re:Malicious or stupid. Or both.

[Cederic]

The title is sensationalistically misrepresenting the article. That doesn't qualify as a claim.

Re:Malicious or stupid. Or both.

[SpeedyDX]

Then read the title of TFA!!! Or actually read TFA!!! Is TFA sensationally*** misrepresenting TFA too?!

I hope for the sake of your country that you do not vote. Stubborn people like you who spout off whatever the hell you believe, despite obvious and irrefutable proof of the contrary, are a cancer amidst society.

Re:Malicious or stupid. Or both.

[Cederic]

Wtf? Read my fucking reply to your fucking post. TFA clearly fucking states that by breaching AUP you may cease to be accessing your ISP in an authorised manner, thus making it an unauthorised access, which is accessing it without permission, which is illegal. Breaching the AUP isn't illegal, accessing a computer network without permission is.

You're a cunt and I vote to try and stop people like you setting laws.

HOW'Z IT GO ?? OH, YEAH !!

Don't go to bed with no price on your head
                      No no don't do it

Don't do the crime if you can't do the time
                      Yeah don't do it

And keep your eye on the sparrow
When the going gets narrow

                      Don't do it
                      Don't do it

Where can I go where the cold winds don't blow
Now !!

Now is that really so hard ?? Instead of asking, why do THEY make this illegal, ask, why am I doing this illegal act !! Then tell yourself, don't do it !! Easy !! Simple !!

Oh, the Possibilities

Good thing Clear isn't in Australia. Get thrown in jail for using more than 7 GB a month is a bitch.

restricted-access computer system

[AfroTrance]

restricted-access computer system means a computer system in respect of which —

(a) the use of a password is necessary in order to obtain access to information stored in the system or to operate the system in some other way; and

(b) the person who is entitled to control the use of the system —

(i) has withheld knowledge of the password, or the means of producing it, from all other persons; or

(ii) has taken steps to restrict knowledge of the password, or the means of producing it, to a particular authorised person or class of authorised person;

The definition of 'restricted-access computer system'. My interpretation of this, is that a police database would fall under this, but an internet connection would not. But the law isn't worded very well. It seems it was added in 1990, and written by someone with little understanding of computers.

Re:restricted-access computer system

[SuricouRaven]

Are you sure this is the current version, and it hasn't been amended since? It seems very limited to limit the law to systems with password authentication. If it matters, dialup and most ADSL systems (At least those using PPPoE) do use passwords for authentication. Cable internet (DOCSIS) doesn't, but rather authenticates the modem hardware.

Re:restricted-access computer system

[AfroTrance]

Yes. The blog has a link to the WA government website, which has latest criminal code (as of 18/10/10).

Yes most internet connections you authenticate, but you don't need a password to access the internet. And would you define the entire internet as a 'computer system'?

It also states the 'computer system' must be restricted to authorised person(s). The internet isn't a restricted system.

Re:restricted-access computer system

(As the guy who wrote TFA:) Password is defined in the criminal code:

"password includes a code, or set of codes, of electronic impulses;"

So the authentication done in modem hardware would, IMO, constitute a password.

Re:restricted-access computer system

However, the ISP you connect to is restricted - the only authorised people are paying customers.

Cracking?

[ArchieBunker]

So using a system you already have access to but not following workplace policy is cracking? You sound like one of those people who refuses to have a bank account and then wonders why nobody will hire you.

Re:Cracking?

[SuricouRaven]

Remember that laws are usually not written by people with a technological background. This is why there have been cases of people facing criminal hacking charges for things like guessing a default password of 'password'.

Re:Cracking?

[bws111]

There are no laws against 'hacking' or 'cracking'. The laws are against "unauthorized use of a computer". It doesn't matter what method you used to access the computer, just that it is not authorized. Just like unauthorized access to physical property can get you a 'breaking and entering' charge, even if the only breaking you did was to push open an unlocked door.

Re:Cracking?

[Barny]

Its not workplace policy, its law that no one is allowed to access police (or any other public database) for purposes other than their job. Remember with the information in these files they could set up a massive identity theft, blackmail, etc.

Citizen's Acceptable Use Policy

There is an easy fix for that.

Citizens of the world should establish and join an organization, which would create it's own Acceptable Use Policy, when other organizations, including corporations, etc. are dealing with their members.

If corporations and other organizations are entitled to create and legally enforce "Acceptable Use Policies", most certainly citizens, consumers should have the same right.

Criminalization of a civil issue

[nurb432]

Transfers the cost to the taxpayers, and makes fishing expeditions pretty painless, and zero risk, for the companies doing it.

Stuxnet false flag op

Yesterday I told you I thought the stuxnet was a false flag op. Today it's proven.
It would sure be nice if all you slashdot heads took a break from compiling your latest kernels, and stop towing the establishment agenda.

Elections - abused by electronics - /.'ers poo poo it.
Spying - abused by fios splitters - /.'ers poo poo it.
HFT - poo poo
Stuxnet - The Protecting Cyberspace as a National Asset Act of 2010 + Internet ID

The dirty secret is if elections can be manipulated, so can fighter aircraft, space craft, nuclear reactors, os's, and the monetary system itself

Quit saying this stuff is okay. It's fucking not okay! It's treasonous! Wake the fuck up!

Re:Citizen's Acceptable Use Policy

Congratulations, you've formulated a bullshit fix to a problem that doesn't even exist. RTFA.

Huh? What's the problem?

[adamofgreyskull]

Another misuse of the "Your Rights Online" tag and there are already a metric crap-tonne of morons saying that this is awful. It's a blog post that completely misses the fucking point. If wikileaks had reported that Australian police were allowed to look up information on citizens without a valid reason (i.e. for shits and giggles) everyone would be up in arms saying, "Isn't this terrible?". This isn't just a breach of an Acceptable Use Policy, it's against the law, for some very fucking good reasons. There are laws and procedures in place to stop simple invasions of privacy (like this) but also to stop criminals from bribing corrupt Police Officers to look up information for them.

Re:Huh? What's the problem?

[Duradin]

/. doesn't get along with rules well (unless it is the GPL, the holy word of RMS [blessed be his beard]). All it would take is a poorly worded summary and /. would be up in arms against a law that prohibits using planet-killing scale weapons.

Re:Huh? What's the problem?

[syousef]

/. doesn't get along with rules well (unless it is the GPL, the holy word of RMS [blessed be his beard]).

You misspelt infested.

Re:Huh? What's the problem?

[Gnavpot]

It's a blog post that completely misses the fucking point. If wikileaks had reported that Australian police were allowed to look up information on citizens without a valid reason (i.e. for shits and giggles) everyone would be up in arms saying, "Isn't this terrible?".

I haven't RTFB, but I have RTFS, and it already addresses this:
"a police officer [...] was fined -- not for disclosing confidential police information, but for unlawful use of a 'restricted-access computer system'

What is worrying in the story is that she was not fined for her real, very serious, and I hope very criminal offense, but instead was fined for something which is usually not considered a criminal offense, but merely a breach of contract: Using a service with permission but not complying with the usage policy.

Let us use a car analogy:
A policeman deliberately hits a person with a police car, causing the person to die.
Instead of charging him with murder (or whatever the correct legal term is), he is charged with car theft.

The logic behind:
He had a permission to use the car for police work. He had no permission to use the car for murder. Using a car without permission = car theft.

Re:Huh? What's the problem?

All it would take is a poorly worded summary and /. would be up in arms against a law that prohibits using planet-killing scale weapons.

And by /. you mean everyone on /. but yourself of course, because you're only a part of the community to show it its failings.

Re:Huh? What's the problem?

[bws111]

It does make sense like it is. In your car analogy there were two crimes committed: car theft and murder. If they had evidence he took the car, and didn't have evidence that he was the murderer, it would indeed make sense to only charge him with car theft. For the case at hand, I don't know if a cop giving someone information is a crime or not, but even if it was, how would they prove it? She gave the info to a friend, at the friends request. Who would even know a crime occurred?

The fact that she was charged with unauthorized access of a computer and not some sort of breach of contract also makes sense. What if the person accessing the database was not a cop? A cop who is not authorized to do a search is no different from a person off the street, and if they both perform the same action they should both be liable for the same penalties.

Re:Huh? What's the problem?

If you or I had done this, we'd get 5 years minimum for a fistful of hacking charges. When someone in the system does this, they get a slap on the wrist. There are thousands of real world examples of your hypothetical. Cops get away with murder all the time.

Re:Huh? What's the problem?

"but also to stop criminals from bribing corrupt Police Officers to look up information for them."

This is how you stay ahead of the game, at least in China. Don't see any problem coming from this one.

Re:Huh? What's the problem?

She was charged with unauthorised user of a computer system. In Australia that is an criminal offense, Even unauthorised use of an open wireless access point is a criminal offense here. And to be honest I fully support them being criminal offenses, a few years back a whole raft of public servants were also charged under this crime for accessing social security records. It is actually nice that people with vast access to citizens private information have at least someone looking over their shoulder to slap the bastards when they overstep the bounds.

Re:Citizen's Acceptable Use Policy

[SuricouRaven]

People: We demand fair treatment!
Corporations: Then we won't do business with you.
People: Fine! We don't need you.
Corporations: ...
People: I miss facebook. And my mobile phone won't work. And I want to see the next episode of House.
Corporations: Sign the agreement.
People: Oh... you win.

Searching Obama's student loan info

The people who searched Obama's student loan info during his campaign got in a lot of trouble. They all lost their jobs and I think got probation. How is what the cop did any different?

Most companies of any decent size or who work with a company of any decent size have an AUP that makes it pretty clear that you can only access data on the company's systems for your job duties and not for anything else. If you violate that AUP you are aware it is wrong and should face the consequences. If you're lucky you'll only lose your job, but in serious cases I think you should face jail time. For instance if you looked up an address for a friend's ex-wife, it might be to send her money he owes her like he claims, or it could be because he wants to murder her...

It's a police database, so it's not unusual

In the United States (or at least in Florida, where I work) police databases are privileged information. Police officers are only allowed to access them when actively investigating crimes or civil infractions of the law. The public can only access scrubbed versions which redact private information like social security numbers and home addresses.

Illicit access, irregardless of disclosure, is a third degree felony under Florida law.

Then again, in our system specific databases are covered by specific criminal laws, so there's probably a difference between our system and this particular Australian incident.

newsflash:

[smash]

If i don't like the colour of your fence i can take you to court over it. Doesn't mean i'll necessarily win.

I think this is far more reasonable than the cases in the US of people for example taking people to court for burning themselves on coffee because it wasn't labelled as hot, and WINNING.

If you abuse your authority to access private information, or breach terms of use that you signed then it SHOULD be legitimate for the provider to take you to court over it. If you disagree with terms of use, don't sign them.

Un-Authorised use

[Ozoner]

This situation is quite common.

It is illegal for Government Officers (in Oz and probably elsewhere) to use a Government Data Base for anything outside their authorisation. Like searching for a friends address.

The logs are kept and frequently analysed.

I live here!

Aww shit, I live in WA.. this is kinda scary, thinking they could jail my ass for ripping copyright songs. >.> (but there IS a fair use clause.. erm)

Re:Citizen's Acceptable Use Policy

The headline should read "Breaching a Police Database a Crime in all of Western World". The article is pure idiocy, only matched by your "solution" to this nonexistent problem.

Easy solution

Don't use your Internet connection to violate copyright, then you won't be susceptible to either civil or criminal charges.

Break out of the media consumption cycle and you'll have more time for things that actually matter.

Nothing to see here. Move along!

[Dabido]

I worked for WAPol (West Australian Police) up until 3 years ago (almost to the day! 3 Years and four days), and the police make it very clear to their employees that they aren't allowed to use the Police Database etc for looking up info that isn't related to a case they're working on.

It's not considered 'cracking' either. Unlawful use just means the person was using it for something other than their work, and when you have the sort of information the police database has on people you will know why you can't use it for personal, friends or family use. I have a vague recollection of an officer who got into trouble years ago for looking up information on his ex-partner and her new boyfriend. I also have a recollection of a lot of police officers getting in trouble for looking up a notorious criminals details when they had nothing to do with his case.

The summary/article is spreading FUD concerning something which has been the case for many, many years, and any Police employee (whether an officer or not) knows the consequences of.

It would be interesting to know what sort of information the officer was getting for their friend. "Doing a search of the police database for a friend' sound harmless enough till you put it into context of the information that's available. It's not like they were searching a dating service database for harmless info on what people like to do on dates or something, the officer was searching something with criminal records, peoples locations/addresses/phone numbers etc. and information you wouldn't want to be getting around, especially if you're trying to start a new life after screwing up badly, or if you're wanted by a gang for informing on them, or if you're in hiding from your ex-partner who you have an AVO against. This sort of information is dynamite against anyone and that's why it's restricted and pretty well monitored for who is accessing what. The 'friend' would only have asked for this info if it was stuff they couldn't obtain through a legitimate source, and if they can't get it legitimately then you wonder what sort of information they are after. On top of that, the officer involved would have known the risks involved, because they pretty much drum it into you that you can't access the database for anything other than a case you're working on, so what was so important that the officer felt they could risk their job for?

Re:Nothing to see here. Move along!

[martinX]

But the law as written isn't just for police or even just public servants. It applies to anyone accessing any computer system (even those they have access to, like a forum) that requires a password and doing something outside the terms of the AUP of that system. Nothing in the way that the law is written applies to accessing confidential information, just to breaching the AUP of the system.

The fact that a police officer was charged (and convicted) under this law seems to be occupying everyone's attention, but outside of this specific case (which just provides precedent) look at the breadth of how it could apply.

Not only Australia

[TheHonch]

That's illegal in Sweden too and probably the most common reason for police to get fired, and sentenced, and that's a good thing. I don't want nosy policeofficers to look up their neighbours, boyfriends or such

Re:Nothing to see here. Move along!

[Dabido]

Nothing in the way that the law is written applies to accessing confidential information, ...

The law specifically covers unlawful access. This is not necessarily CRACKING as the article claims:

she was convicted for common cracking

. She was actually convicted for using the system beyond her authority.
This law goes both ways. The police cannot come to your house and go through your computers without a warrant. If they do turn up and start accessing your computers without a warrant and without your permission you can sue them under the same law.

WA Pol have an AUP which is specifically designed to cover the illegal and unauthorised use of their system for confidential / classified material etc. It is there to protect people from officers using it illegally to get information that can be used to black mail people, or other illegal activities, etc.
If you read the conviction it specifically says:
17 It was common ground before the magistrate that the unlawful use in this case was in s 440A(2)(b).
ie she used it beyond what she was authorised to use it. The proof of this was in her emails

'Chucky, Kiralee just rings. Give me her name and date of birth, and I'll look up the IR and send you the information you need to contact the kids. So this is a point where she hasn't made any investigations at all. The first correspondence is, 'Give me the details and I will send you the name and address.' So at that point of time she can't have had any, shall we say, concerns, one would think, about - she wasn't aware, hadn't done any investigations, she was just told obviously from that, that he wanted to find out the location of the children, and she said, 'Yeah, sure. Give me the information, name and address, and I'll find it for you.'

In other words, she was going to give this guy the info he wanted and if you read on you find out that he hadn't even told her at this stage that he'd heard his wife had died. He'd just asked for his kids address, and she was going to look it up and give it to him.

So at that point of time, she did not have any of that information, because she hasn't accessed it, and the primary purpose, in my view, was to locate where the children are so that he could get the children back.

As I said previously, the police drum this information into you that you're not allowed to access this sort of info for personal use. In this case it was very obvious it was for personal use. I think the judge got it right that she knew she was accessing this information and she wasn't authorised to do so.

Now, imagine that the guys wife was still alive and the guy wanted this information in order to go kill his wife and kids. That's the reason police have strict protocols to follow etc. If something had of happened slashdot would be whinging the police and the judiciary system didn't follow the law and were to blame.

Now, looking at the breadth at which it applies, it means that no one, not even the police are allowed onto my or your (or anyone else's) systems without a warrant or the owners specific permissions.

As far as systems that people use are concerned, such as forums, social networks etc, if someone was to crack slashdot in order to get everyones personal information, under this law they can be persecuted. Such as the guy who recently did it for Facebook looking for girls nude pictures.

If someone invents an AUP that's so convoluted that it makes it impossible to use their site, it is pretty much the same as them refusing you access anyway. If they change the AUP on you, you still have recourse under the law. The law requires you to know the Criminal Law (ie the bit about you not being allowed to access things you have not been given authorisation to access). It doesn't require that you learn every AUP off by heart. So, if by some stupid chance a forum suddenly changes their AUP on

Re:Nothing to see here. Move along!

[martinX]

I agree that what she did was wrong.

However I maintain that it seems like just about anyone could be in breach of any AUP. If a forum's AUP forbade things like "rudeness, flaming, profanity and blasphemy" and somebody let loose one day with a stream of invective (I have heard that happens on some forums), is that really a criminal offence?

Re:Nothing to see here. Move along!

[Dabido]

Technically all those things are considered criminal offences already whether performed on-line or off. They're covered by anti-discrimination / Harassment / hate speech laws etc (we have no blasphemy laws, but anyone making blasphemous comments are usually prosecuted under the anti-discimination laws for vilification).
Most forums based in WA would probably have those things listed in their AUP just to cover their own butts.
I know of a case which was thrown out of court for wasting the courts time because it was petty (someone screaming abuse at a political speaker - the politician had them arrested by the police). I would say that any case coming before a judge where the abuse/rudeness/profanity etc was nothing out of the ordinary would most likely also get thrown out (the precedent has already been set).