Blog on Terror

A new anti-terror law came into effect on 21 June 2007: the Electronic Commerce Directive (Terrorism Act 2006) Regulations 2007. Under these new provisions (which operate in conjunction with the Terrorism Act 2006), encouraging acts of terrorism and disseminating terrorist publications are offences, including where such actions occur online. If a third party posts material which is an offence under these provisions, the police may notify a blog operator and require them to take the offending material down promptly (within two days). Failure to do so without cause could result in the Directors going to prison!

Aside from the other legal risks associated with blogging, blog hosts clearly now need to ensure they're not inadvertently encouraging terrorism. Going after a blog host where offences are committed online is often much easier than tracking down the individual who actually committed the offence, who may try to hide behind the anonymous nature of the internet.

Spammer gets the can?

I was amazed to see that a US spammer faces up to 11 years in jail under the federal CAN-SPAM Act (as well as a $250k fine).  A prolific spammer, Adam Vitale is said to have sent around 1.2 million spam emails in just one week in 2005.  Whether or not he receives the maximum sentence is another matter, but the tough penalties under US law make our remedies in the UK (possible fines under the Privacy and Electronic Communications Regulations) look rather paltry in comparison.

Safer child’s play in cyberspace

The European Commission launched a public consultation on 12 April 2007 into ways of making online technologies such as the Internet, mobile phones, game consoles and digital TV safer for children to use. The consultation concentrates on three areas: illegal content, harmful content, and user-generated content and online communication. The Commission is following on from its Safer Internet plus programme, which ends in 2008, and will use the information gathered to assess how best to address online safety in the future.

Unlike the USA, where children are protected under the Children's Internet Protection Act (and where the Deleting Online Predators Act has been proposed), there is no specific piece of legislation in the UK that protects minors from being targeted through online technologies. The consultation will be welcomed in a number of quarters and may lead to tougher legislation across Europe to protect children.

The consultation will be open until 7 June 2007.

Love Spam

Four men have been arrested in Japan following the transmission of an alleged 5.4 billion spam e-mails over a two month period, averaging 90 million messages a day.

The representatives of popular Japanese dating company Takumi Tashuni allegedly managed to achieve this truly astounding tally of amorous e-mails by using a computer network based in China, reports the Japanese English-language newspaper the Mainichi Daily News.

The use of infrastructure in China for such illegitimate purposes is not a new concept. Lower costs and less stringently enforced regulation of internet activity make this one of the countries of choice for illegitimate e-mail and website activities.

Government acts on DoS

Last Wednesday, after some delays along the way, the Government finally passed an Act introducing a new "denial of service" offence, punishable by up to ten years in prison.  The text of the draft bill, including the relevant wording, can be found here - see section 34 in relation to the offence for carrying out "unauthorised acts with intent to impair operation of computer".

As we have previously reported, the existing Computer Misuse Act had been widely criticised for being out of date and leaving loopholes for denial-of-service attackers to exploit, notably in the wake of the initial acquittal of David Lennon a year ago after he initiated the sending of millions of emails to an ex-employer. Though Lennon was subsequently sentenced to a two month curfew on appeal under the existing law, the Government has nonetheless pressed ahead with the change, which should address some areas of ambiguity.

The new Act also introduces an offence of "making, supplying or obtaining articles for use in computer misuse offences", which might catch, for example, anyone creating a virus and making it available for distribution by third parties.

The DoS and Don'ts of computer misuse

Progress seems to be being made on updating the Computer Misuse Act 1990, which has existed without amendment since Apple Macs looked like this. The CMA had avoided legislative "botox" thus far, thanks mainly to the wide-reaching manner in which it was drafted. But an All Party Internet Group inquiry in 2004 called for an increase to sentences for hackers from six months to two years (thereby also making it an extraditable offence), and to make it clear that Denial of Service (DoS) attacks are unlawful.

We have mentioned previously on Naked Law the shortcomings of the CMA in tackling such DoS-type attacks, particularly as shown in the initial acquittal of David Lennon, who was said to have used the mail-bomber program Avalanche to flood the mail server of his ex-employer Domestic & General Insurance with more than 5 million emails. At trial the District Judge accepted the defence argument that each email sent was 'authorised' to modify the email server, as that is how mail servers work, and that there was no cut-off point at which such volumes of email suddenly became unauthorised, and therefore illegal. On appeal, this decision was overturned and the case referred back to the magistrates' court, where Lennon subsequently pleaded guilty.
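The "cut-off point" that the defence said the Act lacked is something a mail operator defines for itself on the technical side, as a rate threshold rather than a legal one. The following is an added example (not code from the original post or from any party to the Lennon case) of how such a threshold is applied to a server's connection log: a sliding window per client address, with an alert the first time one address exceeds the limit. The Postfix-style log format, the addresses, the year (syslog lines carry none) and the threshold of 100 connections per minute are all assumptions chosen for the illustration; the log lines themselves are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Postfix-style "connect from" lines (constructed for this example).
# Syslog timestamps carry no year, so one is assumed when parsing.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from \S*\[(?P<ip>[\d.]+)\]"
)
ASSUMED_YEAR = 2004


def parse_line(line):
    """Return (timestamp, client_ip) for an smtpd connect line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day field
    ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def detect_floods(lines, window=timedelta(seconds=60), threshold=100):
    """Sliding-window rate check per client IP.

    Returns a list of (ip, timestamp, count) tuples, one per IP, recorded
    the first time that IP's connections within `window` reach `threshold`.
    Anything below the threshold is treated as ordinary, authorised mail flow;
    the threshold itself is the operator's chosen cut-off.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop connections that aged out
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (ip, ts, len(q))
    return list(alerts.values())


def build_sample_log():
    """Constructed log: one ordinary client and one client hammering the server."""
    base = datetime(ASSUMED_YEAR, 12, 1, 9, 0, 0)

    def fmt(ts, ip):
        return (f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} mx1 postfix/smtpd[4242]: "
                f"connect from unknown[{ip}]")

    lines = []
    # Ordinary sender: six connections spread over ten minutes.
    for i in range(6):
        lines.append(fmt(base + timedelta(minutes=2 * i), "198.51.100.7"))
    # Mail-bomb: 150 connections inside thirty seconds.
    for i in range(150):
        lines.append(fmt(base + timedelta(seconds=i / 5), "203.0.113.9"))
    return lines


if __name__ == "__main__":
    for ip, when, count in detect_floods(build_sample_log()):
        print(f"{when:%H:%M:%S} {ip}: {count} connections within one minute")
```

Each address keeps only the timestamps that still fall inside the window, so memory stays bounded by the threshold rather than by the size of the flood, and the ordinary sender is never flagged because its connections are spaced wider than the window.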

A Computer Misuse Act (Amendment) Bill was proposed in 2005, but has since been withdrawn, with the amendments now incorporated in a Police and Justice Bill. These are currently being debated in the Lords, with much of the concern focused on proposals to make it an offence to “supply any article for use in offence.... believing that it is likely to be so used”. Fears have been raised that IT professionals who make and distribute hacking tools for legitimate purposes could risk prosecution, as they could be deemed “likely” to be used or modified for criminal purposes. As commented in the Lords, it would be like making the use of a crowbar illegal, as that could be “likely” to be used for burglaries. However the Home Office appear keen to play down such worries, and insist that only the bad guys will be caught by the legislation.

In the meantime many are saying that the real problem is not the CMA at all, but what Simon Janes, former head of the Computer Crime Unit at Scotland Yard, reportedly called a "woefully" under-resourced police force. Few could argue with this - as the Earl of Northesk points out, prosecutions under the CMA are currently rarer than for murder.

DoS prompts Computer Misuse Act review

We have posted several times before about the all-too-familiar deficiencies in the Computer Misuse Act 1990 - but it finally looks as though there may be light at the end of the tunnel. At the end of January, the UK Government published the Police and Justice Bill, Part 5 of which includes new provisions for dealing with computer crime, and specifically denial of service attacks.

The 15 year old Act has been subjected to criticism from reformers for many years now: its antiquated provisions seem woefully inadequate to cope with the rush to mainstream use of the worldwide web, e-mail and now wireless access. The stark deficiencies of the Act have been cast in relief by a long line of case-law – most recently and notably in November 2005, when a teenage boy launched a denial of service attack against his former employer.

The new reforms look to be far-reaching, introducing purposefully severe sentences to act as a deterrent while aspiring to tackle quickly-evolving menaces, such as denial of service. The key proposals include:

  • an increase in the penalty for unauthorised access offences from six months to two years;
  • an increase in the penalty for unauthorised modification of computer systems from five to ten years; and
  • an attempt to make denial of service attacks illegal by making it an offence to "impair the operation of a computer".

Today, in the UK alone, attacks on IT services are estimated to cost businesses £3bn a year and reforms are badly needed.  Elsewhere, Spy Blog has posted an interesting critique of the Bill and Lilian Edwards looks in detail at the wording intended to deal with denial of service.

Did Alex publish Tew soon?

Like me, you may have had to suppress an involuntary smirk at the news that Alex Tew's deceptively simple Million Dollar Homepage idea has proved not to be so simple after all.  Mr Tew had just hit the full $1m, collected from a fascinating assortment of the great and not-so-great willing to pay $1 a pixel to appear on his website, when his site was struck by a denial-of-service attack from blackmailers.

This raises two interesting questions: is there anything (legally) he can do about the attacks; and do the attacks make him vulnerable to actions from third parties?

In relation to the former, we have seen recently the difficulty of bringing successful prosecutions in the UK under the Computer Misuse Act for denial-of-service attacks. In any event, it appears that the culprits are based somewhere in Russia, which is likely to make tracking them down and either prosecuting or pursuing a civil action against them rather problematic.  The website is now up-and-running again, but I suspect that Mr Tew has had to splash out a wodge of his (hard-earnt?) cash on his new DDoS-prevention technology.

The flip side of the coin is that poor Alex may have left himself vulnerable to actions brought by the customers advertising on his site.  Within days of putting the site up again, he will have heard that his final customer intends to sue him for breach of contract and negligence.  Unsurprisingly, given that the final 1,000 pixels went for $38,100 on eBay, the purchaser is a bit miffed that the homepage was "extremely slow loading or completely unavailable" (as Alex puts it) for six days.

I suspect that the breach of contract claim might relate to Tew's terms on eBay, though a number of these provisions are familiar from those appearing on his own page.  In particular, these are of interest:

"The site and homepage will be online for at least 5 years (starting from the day it launched), so at least until 26th August 2010, but possibly even longer (that's the aim)" (states the homepage)

"The site and homepage will be online for a guaranteed 5 years (starting from the day it launched), so at least until 26th August 2010. However the aim is to keep the site online for decades to come" (Alex states on eBay)

"There might be occasional downtime for site maintenance but I'll try and keep these to a minimum" (both website and homepage)

Tew also claimed as part of his auction on eBay that "the site will be online for the next 5 years guaranteed".

Though it is a little late now, Alex might wish he had been a little less bold when setting out his contractual obligations, particularly when relatively large sums of money started flying about. 

The terms do not include a "force majeure" provision to exclude his liability if the site were to be offline for reasons beyond his control and there is no exclusion of liability for indirect losses or loss of profits caused by any breach of contract.  There is also no general cap purporting to limit his liability, for example to the amount paid for the pixels in question.  As the six days offline are unlikely to be convincingly described as "for site maintenance", there is little to protect Mr Tew in his site's ts and cs.

The idea of the homepage may be inspiring for those harbouring entrepreneurial ambitions, but it also serves as a reminder of why it is worth looking carefully at your terms and conditions before you start raking in the money.  Those operating a website may want to take another look at their ts and cs to make sure they do not give rise to any unnecessary exposure.

The rootkit of all evil

The real challenge of writing a blog post about Sony BMG and XCP copy protection, is that just when you think you’ve finished it, the story gets more interesting!

I've been watching how this issue has progressed. The FAQ on Sony’s web site originally said, in answer to the question of whether the XCP code was spyware: ‘Of course not’. That’s not what it says now.

Sony BMG’s actions give rise to two legal issues which are of interest to UK legal observers:

The open source problem

Firstly, that the copy protection software was, in part, allegedly copied! The code, provided to Sony BMG by a software company based in Oxford, is said to have incorporated software written by Jon Johansen and made available to be reused under the open source LGPL licence.

Whilst it is possible to incorporate LGPL in some commercial software distributions, in order to do so legitimately under your own licence terms, you need to jump through a number of hoops. One such requirement is that you must ensure that the licence terms of the distributed software “permit modification of the work for the customer's own use and reverse engineering for debugging such modifications”. The XCP End User Licence Agreement (EULA) states: “You may not change, alter, modify or create derivative works, enhancements, extensions or add-ons to any of the LICENSED MATERIALS…You may not decompile, reverse engineer or disassemble any of the LICENSED MATERIALS, in whole or in part”.

If, as appears to be suggested, Sony BMG’s CDs incorporate the LGPL material without a broader consent obtained from the relevant author, this will be a breach of the LGPL, and Jon Johansen could be entitled to take action against Sony BMG.

A number of software companies have had their fingers burned through unintentional inclusion of open source code in proprietary products, and software producers would do well to give training to coders on the implications of taking coding short cuts by using open source in their projects.

The Computer Misuse Act problem

A second issue is the question of the Computer Misuse Act. Whilst the Act is generally regarded as relatively toothless when it comes to computer crime, section 3 makes it an offence to do an act which causes an unauthorised modification of the contents of any computer, with the requisite intent and knowledge.

Some observers have questioned whether Sony BMG’s distribution of the XCP software falls foul of this section. Sony’s initial FAQ pointed to their EULA, and the fact that the CDs in question were labelled as containing copy protection code. The EULA states:

“As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER.  The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT.  Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted.”

The EULA also purports to limit Sony BMG’s liability for any problems with the software to US$5.

What is not completely clear is the extent to which clicking ‘I accept’ to this EULA is sufficient to consent to the permanent installation of software deep in the computer’s operating system with, it is alleged, the potential to facilitate virus or other hacker attacks. At the very least, it would be difficult for Sony BMG to argue that someone who puts a music disc in their CD-ROM drive and clicks their agreement to a EULA has given their informed consent to the XCP software installation, if it also has the effects described by the Electronic Frontier Foundation (EFF) who state that the code: “degrades the performance of the machine, opens new security vulnerabilities, and installs updates through an Internet connection to Sony BMG's servers”.

Interestingly, the EFF state in their US Court complaint that, in the case of SunnComm’s MediaMax, another copy protection technology used by Sony BMG on some audio CDs, the software is installed prior to display of the relevant EULA, and is not removed even if a user does not accept the terms of the EULA.

Sony BMG confirmed, in a letter to the EFF, that it “…is committed to reviewing the EULAs that it uses on all its discs with copy protection software to ensure that they are clear and disclose information to the consumer.”

What this does make clear is the importance of getting the terms of your end user licence agreement right, particularly when distributing software to consumers. However, if the licence had said in bold letters: “Do you agree to install software which degrades the performance of your machine and opens up new security vulnerabilities?”, the number of those clicking ‘Accept’ might have been significantly reduced.

Whilst lawsuits have been filed in the US, where it is believed the majority of the CDs were distributed, we are not aware of any plans to consider prosecuting Sony BMG in the UK. We may have to wait before learning what "consent" means under the Computer Misuse Act.

CMA has had its day

The latest issue of Computing reports that the Home Office is now committed to introduce changes to update the 15 year old Computer Misuse Act. This follows the case earlier this month of a teenager who had allegedly crashed an email server by sending 5 million emails to his ex-employer. Wimbledon Magistrates Court found that the teenager had not broken the law.

Section 3 of the Act states:

"A person is guilty of an offence if—

    (a) he does any act which causes an unauthorised modification of the contents of any computer; and

    (b) at the time when he does the act he has the requisite intent and the requisite knowledge."

The difficulty faced by the prosecution was establishing that sending emails to an email server was an 'unauthorised modification'. Clearly when an email server receives an email, the contents of the email server are modified. However, the defence successfully argued that as the purpose of an email server was to receive emails, the receipt of one or more individual emails was authorised by the owners of the email server for the purposes of the Act.

There is nothing in the current Act to deal with difficulties caused by repeated submission of data to a server and as a result the teenager was acquitted. The judge specifically stated that the Act did not cover denial of service attacks.

The issue has been discussed in Parliament, and a private members bill has been tabled to amend the Computer Misuse Act specifically to address denial of service issues. The Bill is due for a second reading in 2006. In the meantime, the authorities will continue to struggle to take action against those disrupting the internet on the basis of the current UK legislation.

Gambling Act 2005 - remote gambling

Elements of the Gambling Act 2005 have recently come into force, bringing about a number of changes to the regulation of the gambling industry.  The Government anticipates that the Act will be fully implemented by late 2007.  The Act modernises and codifies UK laws of gambling in a single piece of legislation. In particular it addresses the technological advances of recent years, by creating a licensing structure for ‘remote’ gambling as this form of gambling becomes more prevalent.

Section 4 of the Act sets out the definition of remote gambling. Remote gambling is defined as gambling in which people participate by the use of "remote communication". Remote communication means communication using the internet, telephone, television, radio or "any other kind of electronic or other technology for facilitating communication". This is designed to cover all forms of gambling where players are not face to face.

One of the major changes for the UK gambling industry brought about by the new Gambling Act 2005 is the regulation of remote gambling operations in this country. Whilst online betting has always been permitted under the Betting, Gaming and Lotteries Act 1963, the Gaming Act 1968 prevented the establishment within the UK of an online or other remotely operated casino.

For a traditional casino, there are a number of regulations regarding the way in which casino games can be played. This ensures that customers are not exploited by unscrupulous operators skewing the odds in their favour. The Government has been keen to ensure, particularly in the online environment, that sufficient safeguards were put in place to ensure fairness for customers. As a result, under the Act, licensing requirements are placed on the providers of software to be used in online gambling operations.

Under section 41 of the Act, an offence is committed if, in the course of business, a person "manufactures, supplies, installs or adapts" computer software for use in connection with remote gambling, other than in accordance with an operating licence. Again this provision is very wide and potentially means that a number of software providers, whose software is used for a variety of applications, not just remote gambling, would have to obtain an operating licence.

Although principally aimed at regulating those who actually generate the software used in gambling applications, its ambit is potentially much wider and could suggest that an operator based outside the UK may need to be licensed in order to provide its UK customers with the software necessary to take advantage of its services.

Seeing the online world through rose tinted contact lenses

I have to confess to feeling a bit sorry for Ebay sometimes. If there is a breach of any law relating to online selling, Ebay seem to be first in the firing line. However, it is a good example of the lessons to be learned by anyone planning to set up a web site trading internationally - there are lots of local laws which may well catch you out.

Ebay's latest challenge - which is to see it in court in London next week - is over (of all things) contact lenses. The Opticians Act 1989 prohibits the sale of "any optical appliance or zero powered contact lens unless the sale is effected by or under the supervision of a registered medical practitioner, a registered optometrist or a registered dispensing optician". Ebay's terms and conditions also prohibit the sale of contact lenses, but as the offence under the Act is one of strict liability, this is unlikely to be sufficient to avoid liability for the site.

The General Optical Council, who are behind the action, say they alerted Ebay to the problem last year but it has failed to take steps to deal with the issue. Given the number of new listings placed on Ebay each day, it is hard to see how the site could easily comply with this type of regulation without employing an army of staff to check entries. Let's see if the job adverts start to appear...

Email interception RIP

Southwark Crown Court has been hearing the case against one of the UK's internet pioneers, Cliff Stanford, this week. Mr Stanford, the founder of Demon Internet, was accused of a breach of the Regulation of Investigatory Powers Act, or RIPA.

Together with co-defendant George Liddell, Stanford was alleged to have intercepted email communications at Redbus Interhouse plc in 2002 using software installed in Redbus' computer system which meant that any emails sent to John Porter, a former chairman of Redbus Interhouse, were copied to a separate email account.

Cliff Stanford pleaded guilty to unlawful and unauthorised interception of electronic communications, an offence under section 1 of RIPA.

There have been relatively few published court cases on RIPA, which was an extremely controversial piece of legislation when first enacted. RIPA is written in language intended to catch a variety of types of modern communications, and as a result can be difficult to apply to particular uses of technology. Does the installation of software to send a duplicate of emails comprise an 'interception' of a communication for the purposes of RIPA? It may be relevant to Mr Stanford's case that interception of communications over a private telecommunication system does not give rise to a criminal offence where carried out by "a person with a right to control the operation or the use of the system".

The BBC reports that Mr Stanford is planning to appeal following an adverse interpretation of RIPA by the judge. If he does, we may get more clarity on what is permissible in this complex area of law.

Get Safe Online…

… is a campaign due to be kicked off in October to educate small businesses and consumers as to the risks of online trading and to increase awareness of internet security. Run jointly by the Government and the private sector, it currently has the backing of 8 major companies including Microsoft, Dell, eBay and HSBC, each contributing £150,000 of support, and is seeking additional corporate partners. It is not yet known whether the site will address the legal issues relevant to businesses who choose to trade online, such as defamation and compliance with e-commerce and distance selling legislation.

From hotspot to hot water

The first known successful prosecution of an individual for 'war driving' (in this case, using a third party's wireless internet connection without permission to access their network and the internet) came with the decision last week of a jury in Isleworth, UK to find Gregory Straszkiewicz guilty under sections 125 and 126 of the Communications Act 2003.

The Act introduced a new offence of dishonestly obtaining an electronic communications service with the intent to avoid a charge applicable to that service. Mr Straszkiewicz is reported to have been caught by police outside a residential building surfing the internet using a laptop.

Commentators have suggested that it may be difficult for Wi-Fi network owners to prove that their network has been accessed by a third party.

Commission getting desperate for WEEE

The European Commission has written to the UK government (along with those of other member states including France and Italy) asking for an explanation for its failure to implement the EC Directive on Waste Electronic and Electrical Equipment (WEEE) before the August 2004 deadline.

The DTI announced in March that there would be a delay in implementing the directive because of "major practical difficulties".  The new obligations are now expected to come into force from January 2006.

Under the directive, producers and distributors of WEEE will have new obligations in relation to the recovery and recycling of WEEE. Producers will be expected to recover in the region of 70% of goods, and recycle in the region of 60%.

Computer Misuse Act 1990 - Third time lucky?

The BBC has reported that Labour MP Tom Harris has introduced a 10 minute rule bill which would, were it to become law, amend the Computer Misuse Act 1990.

The Bill would make three key changes to the Act.  It would increase the maximum term of imprisonment for a section 1 offence - the unauthorised access offence - from 6 months to 2 years.  Secondly, it would increase the maximum tariff for a section 3 offence - unauthorised modification - from 5 to 10 years.  Finally, it would amend section 3 to ensure that all forms of unauthorised interference would be an offence - in particular it would cover denial of service attacks.

The Bill is the third attempt to amend the Computer Misuse Act 1990 and many commentators hope that it succeeds where the previous attempts have failed.  The drafting of the bill used in the first attempt was criticised.  The second attempt, which received strong support, was timed-out because the general election intervened and reduced the amount of parliamentary time available.  Mr Harris' bill is based on the second attempt.

As well as showing that government really is "tough on [cyber] crime", the increase in the penalty for the commission of a section 1 offence would have the added benefit of making the offence extraditable.

Although many 10 minute rule bills fall because they do not have the government's support (support is provided by the government freeing up some time on its legislative timetable in parliament to allow the bill to be passed), this bill may enjoy government support because it is viewed as crucial for the security of business in the UK today.

The reading of the bill is timely - 21 year old Sven Jaschan was recently convicted in Germany of computer sabotage and illegally altering data.  He had admitted writing the Sasser worm which caused serious damage in May 2004.  The maximum period of imprisonment in Germany is 5 years, but because he admitted the offence and was a minor when he committed it, he avoided a jail term.

If hackers recognise that the commission of an offence can result in a lengthy jail sentence and that they could be extradited to stand trial in the UK, they may think twice before committing an offence.  UK business certainly hopes so.

When the game’s up, the chips are down…

Amidst all the publicity surrounding the civil actions being taken against internet users in the UK and US who have downloaded copyright-infringing music, it’s easy for the public to forget that the Copyright, Designs and Patents Act 1988 (CDPA) also imposes criminal sanctions.

However a report today reveals that a 22 year old University of Cambridge graduate has been sentenced to 140 hours community service for circumventing the copy protection system on the Microsoft Xbox.

The BBC reports that the graduate is the first person in the UK to be sentenced under these provisions in section 296 of the CDPA.

It seems as though copyright holders are fighting back.  The big question is, will isolated civil actions and prosecutions (which have a real impact on those directly affected), actually help to discourage the people who still regard the infringement of copyright as a matter of little or no consequence?

To catch a phish

The UK prosecution of an individual who carried out identity fraud through phishing has resulted in a six year prison sentence. Douglas Havard was sentenced in Leeds Crown Court following admission of conspiracy to defraud and conspiracy to launder money.

Spam prosecution in Oz

The Australian Communications Authority is bringing its first prosecution under Australia's Spam Act against an alleged global spammer based in Perth. This action follows the successful prosecution in the US of Jeremy Jaynes (apparently the world's 8th most prolific spammer), who in April was sentenced to 9 years in jail under Virginia's state anti-spam law. No such luck over here in the UK - not a single prosecution has been brought against spammers under the Privacy and Electronic Communications Regulations since they came into force in 2003.