Slashdot Mirror

← Back to Stories (view on slashdot.org)

Breaching an AUP a Crime In Western Australia

Posted by timothy on from the saw-it-in-wargames dept.

An anonymous reader writes "A recent court case highlights that breaching an acceptable use policy at work could land you in court in Western Australia: a police officer doing a search of the police database for a friend was fined — not for disclosing confidential police information, but for unlawful use of a 'restricted-access computer system' — cracking. More worryingly for West Australians, this legal blog points out that breaching any Acceptable Use Policy would seem to be enough to land you in jail for cracking — for example, using your internet connection to break copyright."

22 of 121 comments (clear)

  1. I don't see a problem with this by Anonymous Coward · · Score: 4, Insightful

    I'm authorized to use the computer at work to search through medial records (I'm an Pharm.D), but I can get in trouble (and fined) for searching HIPAA records without cause.

    1. Re:I don't see a problem with this by icebike · · Score: 5, Insightful

      Exactly.

      Almost nothing in this article suggests a vendor's AUP is the topic under discussion.

      The guy was using a police database for pete sake. These things are always governed by special rules and regulations just like HIPAA.

      Unlawful use of a 'restricted-access computer system' is not the same as an AUP issue. Once the system is covered or by a legal "Restricted-Access" designation its not an AUP.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:I don't see a problem with this by Interoperable · · Score: 2, Insightful

      Accessing a private system in a way that is forbidden by it's owner should get you fired. Accessing confidential information for personal reasons might be a breach of contract or, in the case of medical records and other sensitive information, even be illegal in its own right. However, simply misusing a private system shouldn't be a criminal act.

      It seems to me that it could be likened to trespassing. A property owner could allow the public onto property providing that they abide by certain conditions. Failure to abide by those conditions would warrant getting kicked off the property. Refusal to leave would then constitute trespassing; however, trespassing would not occur the instant that an individual broke the conditions.

      Accessing a system once authorization to use it has been revoked could be considered unauthorized use. Claiming that authorization is defacto revoked once the acceptable use policy is breached has the effect of using authorized use laws as a proxy to put breach of the acceptable use policy into the criminal code. That, I hope, goes against the intent of the law.

      --
      So if this is the future...where's my jet pack?
    3. Re:I don't see a problem with this by Anonymous Coward · · Score: 4, Funny

      The problem here, is that this person is a police officer, yet he is being charged with a crime. Being a police officer is very demanding, and the same rules can not apply to them.

    4. Re:I don't see a problem with this by Barny · · Score: 2

      Not just police officers are covered by this, ALL public servants are, our country takes a very dim view of people abusing their position to access personal information for fun or profit and it is a federal offence.

      --
      ...
      /me sighs
    5. Re:I don't see a problem with this by Lorens · · Score: 4, Insightful

      Being a police officer is very demanding. The same rules can not apply to them. The rules are stricter for them.

      There, corrected that for you.

    6. Re:I don't see a problem with this by Canberra+Bob · · Score: 2

      TFA here though isn't referring to someone "sneaking a few minutes break at work to check a website while they wait for an email", it is talking about a police officer accessing personal and by its nature I would imagine very sensitive information on a police database, not a random website, that they had no legal reason to be accessing. This is a far cry from using company time to surf the web.

  2. And that's why US law is different. by Jane+Q.+Public · · Score: 4, Insightful

    So far, the courts in the U.S. have ruled against such an idea, because in effect it would let companies define the law for themselves, at whim.

    1. Re:And that's why US law is different. by Carewolf · · Score: 4, Informative

      How could breach of contract EVER be a crime?? It is a breach of contract, not a violation of a law, when you breach a contract you get the consequences listed in the contract, or if you refuse them a civil law suit, but not a fine and not a prison sentence.

    2. Re:And that's why US law is different. by CanadianRealist · · Score: 2

      "it would let companies define the law for themselves, at whim"

      The key point being that "at whim" means without paying sufficient amounts of money to legislators. Companies are free to define the law for themselves, as long as they are willing to pay for it.

    3. Re:And that's why US law is different. by Jane+Q.+Public · · Score: 2

      The other responders have already explained this, I guess. In my state it is against the law for a police officer to use their records database in any way that is outside their official duties, just as you say. (In other words, unauthorized access and searches are illegal.) But I am far from certain that is true in all states.

      Regardless, that isn't what the article was about.

    4. Re:And that's why US law is different. by vux984 · · Score: 3, Informative

      Contracts that aren't signed are one thing, but if both parties have signed it, then it is a "Breach of contract", and definitely a crime in the US.

      Breach of contract is NEVER a crime in the US.

      When you borrow money from the bank, and then miss a payment, you are in breach of contract. That's not illegal. You aren't a criminal. Its not a crime.

      The contract may spell out consequences when you are in breach that you may be subject to (such as having the full loan amount being immediately repayable...) and the bank can sue you for damages caused by you not making your payment... and so forth.

    5. Re:And that's why US law is different. by bws111 · · Score: 2

      If he abused his access privileges then it is not 'authorized use'. The laws are against unauthorized use.

    6. Re:And that's why US law is different. by DaveGod · · Score: 2

      How could breach of contract EVER be a crime?? It is a breach of contract, not a violation of a law, when you breach a contract you get the consequences listed in the contract, or if you refuse them a civil law suit, but not a fine and not a prison sentence.

      My reading of TFA is that breach of the AUP itself was not what made this illegal. The AUP was merely the mechanism that had communicated to (or perhaps reminded) Ms Giles that her use was unauthorised.

      Similarly, say a self-employed personal is contracted in to provide some sort of safety role, in the knowledge that the other party would be wholly reliant on their performance for safety, then recklessly fails to fulfil that role. The contractor may then be up for involuntary manslaughter not because of breach of contract but incidentally for the same reasons that he might also be sued for breach of contract.

      Obviously there are still some issues here, like it appears rather easy to find yourself breaching your "authorised use" compared to the tests required to establish a criminal negligence in a manslaughter. Perhaps relevant though that this was a restricted database and Giles' employment position indicates she should have full appreciation of the restrictions and implications. That is very different to some garbage click-though AUP on home software.

    7. Re:And that's why US law is different. by icebike · · Score: 2

      This is a violation of an internal policy, not cracking or trespassing.

      Can you not READ?

      Its a violation of Australian LAW. They even quoted the law for you on TFA. She was found Guilty.

      Still you want to argue?
      From which college did you get your Australian Law degree?

      --
      Sig Battery depleted. Reverting to safe mode.
  3. Pretty sure article/summary is overboard by rrossman2 · · Score: 4, Informative

    It's no different than having access to a system tied into say patient records. There's no need or reason for you to go looking at information on someone else who you aren't treating or don't have permission to look at (for example in the US you have to sign papers for doctors to transfer your medical records etc to another doctors office).

    I think the article is extrapolating something to include everything, where it shouldn't

  4. One step closer by countertrolling · · Score: 2

    to prison for violating an EULA...

    --
    For justice, we must go to Don Corleone
  5. Malicious or stupid. Or both. by SpeedyDX · · Score: 5, Insightful

    TFA says right off the bat that in the case in question, Giles v Douglas, was charged under a CRIMINAL statute. Giles was granted special permission under certain specific conditions to use the police database. She did not adhere to those conditions and thus her use of the database was impermissible. Impermissible use of the database is a criminal offence (instance of s440). There's nothing special about this case.

    Breaching the AUP is not a crime. Breaching the AUP in a manner that leads to committing a crime is also not a crime. BUT COMMITTING A CRIME IS A CRIME! It just so happens that an AUP is involved in the details of this case.

  6. restricted-access computer system by AfroTrance · · Score: 3, Interesting

    restricted-access computer system means a computer system in respect of which —

    (a) the use of a password is necessary in order to obtain access to information stored in the system or to operate the system in some other way; and

    (b) the person who is entitled to control the use of the system —

    (i) has withheld knowledge of the password, or the means of producing it, from all other persons; or

    (ii) has taken steps to restrict knowledge of the password, or the means of producing it, to a particular authorised person or class of authorised person;

    The definition of 'restricted-access computer system'. My interpretation of this, is that a police database would fall under this, but an internet connection would not. But the law isn't worded very well. It seems it was added in 1990, and written by someone with little understanding of computers.

  7. Huh? What's the problem? by adamofgreyskull · · Score: 5, Insightful

    Another misuse of the "Your Rights Online" tag and there are already a metric crap-tonne of morons saying that this is awful. It's a blog post that completely misses the fucking point. If wikileaks had reported that Australian police were allowed to look up information on citizens without a valid reason (i.e. for shits and giggles) everyone would be up in arms saying, "Isn't this terrible?". This isn't just a breach of an Acceptable Use Policy, it's against the law, for some very fucking good reasons. There are laws and procedures in place to stop simple invasions of privacy (like this) but also to stop criminals from bribing corrupt Police Officers to look up information for them.

    1. Re:Huh? What's the problem? by Gnavpot · · Score: 2

      It's a blog post that completely misses the fucking point. If wikileaks had reported that Australian police were allowed to look up information on citizens without a valid reason (i.e. for shits and giggles) everyone would be up in arms saying, "Isn't this terrible?".

      I haven't RTFB, but I have RTFS, and it already addresses this:
      "a police officer [...] was fined -- not for disclosing confidential police information, but for unlawful use of a 'restricted-access computer system'

      What is worrying in the story is that she was not fined for her real, very serious, and I hope very criminal offense, but instead was fined for something which is usually not considered a criminal offense, but merely a breach of contract: Using a service with permission but not complying with the usage policy.

      Let us use a car analogy:
      A policeman deliberately hits a person with a police car, causing the person to die.
      Instead of charging him with murder (or whatever the correct legal term is), he is charged with car theft.

      The logic behind:
      He had a permission to use the car for police work. He had no permission to use the car for murder. Using a car without permission = car theft.

    2. Re:Huh? What's the problem? by bws111 · · Score: 2

      It does make sense like it is. In your car analogy there were two crimes committed: car theft and murder. If they had evidence he took the car, and didn't have evidence that he was the murderer, it would indeed make sense to only charge him with car theft. For the case at hand, I don't know if a cop giving someone information is a crime or not, but even if it was, how would they prove it? She gave the info to a friend, at the friends request. Who would even know a crime occurred?

      The fact that she was charged with unauthorized access of a computer and not some sort of breach of contract also makes sense. What if the person accessing the database was not a cop? A cop who is not authorized to do a search is no different from a person off the street, and if they both perform the same action they should both be liable for the same penalties.