3

My question is: What does "Unauthorised" mean? The legislation claims that it means not having "Consent" to access the system - does this refer to implicit or explicit? For example, would sending a username and password be considered consent, or would a contract be required? This is more focussed around web development and that kind of thing.

Moreover, if this were the case, would the absence of evidence of a password being sent be detrimental to a defence? Or would other evidence likely suffice, for example directions from the system's owner about how a developer should develop a certain script, or maybe a watermark on a website?

To conclude - what I'm really asking is how broad is the definition of "Authorisation", and how difficult is it to prove (or prove a lack of) authorisation?

AnotherUser

2 Answers

4

To answer the headline question, unauthorised is defined by Section 17(8), Computer Misuse Act 1990 which states:

An act done in relation to a computer is unauthorised if the person doing the act (or causing it to be done)—

  • (a) is not himself a person who has responsibility for the computer and is entitled to determine whether the act may be done; and

  • (b) does not have consent to the act from any such person.

In this subsection “act” includes a series of acts.

(How difficult it is to prove or disprove that acts have been authorised will hinge on the particular circumstances and available evidence.)


For completeness, there are four "unauthorised" offences within the Computer Misuse Act 1990.

  • Section 1 - Unauthorised access to computer material

  • Section 2 - Unauthorised access with intent to commit or facilitate commission of further offences

  • Section 3 - Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc

  • Section 3ZA - Unauthorised acts causing, or creating risk of, serious damage

1

I don't have any information on how UK law handles these situations, but the Supreme Court recently elaborated on the meaning of "authorization" in the Computer Fraud and Abuse Act:

An individual "exceeds authorized access" when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him. The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not "excee[d] authorized access" to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.

Van Buren v. United States, 141 S. Ct. 1648, 1662 (2021)

bdb484