A woman who admitted rifling through emails in AOL accounts maintained by her former employer, Nannies Inc, while working for a competitor agency, has been fined £500 plus £60 costs. Susan Holmes, 36, of Beckenham in Kent, pleaded guilty to unauthorised access to a computer (contrary to section one of the Computer Misuse Act …
Failing Company Security Procedures
Meh, wouldn't be the first time a company has done this.
When I worked at Sun Microsystems we had one login and password for access to the FTP server that customers stored their Sun Explorer output to. I checked 2 years after I left and they still had not changed the login or password, and those Explorers had lots of sensitive information on customers.
Paris because companies are as dumb as her.
Stupid and stupider
Stupid: the agency who didn't change their password when their key employee left
Stupider: the ex-employee who only got caught because she obviously removed emails - not heard of 'leave a copy on the server' luv??
Although I disagree strongly that the woman did break the law, this could actually be a welcome judgement as it sets a precedent. Namely, that if you leave your computer system unsecured you are not responsible for its misuse, the guilt falling on the person abusing the system. Anyone else see the analogy with unsecured wifi routers?
This is just 'unnasseptable'....
.. go and sit on the naughty chair.
To Chris W.
You log onto someone else's account that you do not have a right to, then it is blatantly a misuse of a computer. Or are you a hacker and believe that being able to control someone else's computer should be an okay act? (Yes, I know that is not what happened, but that is why the law is there.)
Existing laws often cover virtual space
This is an act of trespass really, with information theft or destruction.
Not exactly a break and enter, but an unauthorized entry.
They should have changed the locks, but I imagine they did revoke her access or her access was only associated with the job's position.
It is a common problem. Whenever I leave a place I always ask that the passwords of the accounts I have had access to are changed or the accounts locked. Not only is that good for the client, it is good for me as well: my systems may have automated access details on them, which, if compromised, could be used for further compromise if they don't change their locks. Sure, I delete the access myself, but you will be amazed at how many places that information can be stored when you are using automated backups, caches, program code etc.
If you want me to store access details for your systems in case of emergency that will cost you, as it moves liability in my direction. Responsibility should be paid for; authority is where you make money from a monopoly position :)
I try not to use their email systems; instead they can send it to mine. Again, if they want you to use their email systems, you should tag on an extra charge, as you have just taken on more liability.
Really most people should charge the companies they work for when asked to sign a security acceptance of usage policy, and I would like to see that become an industry standard, otherwise it is actually coercion, and a clever lawyer could invalidate that in a court of law. You are accepting liability with no financial compensation.
I also turn my back when people enter passwords as a matter of course, and I am very aware of the shoulder surfers, who tend to be the young IT folks who think they invented BTrees :). I don't want to know your passwords, just as I don't want to have to hand in your keys when found in the street, it just creates a liability issue.
Unauthorised access to a computer is certainly illegal. And this was a clear-cut example. Did the employer want an ex-employee accessing their email? Was she entitled to? Of course not.
People have already been convicted for unauthorised access to WiFi systems.
She's only a nanny, not an IT expert! It's not like she'd have realised to use several anonymous proxies etc!
Nobody will ever catch me muHAHAHA!!
I am not so sure that this would set a precedent for passing off responsibility for use of unsecured WIFI to the abuser and not the owner... (WARNING: I am not a QC/Lawyer and this is not legal advice) <IMHO>
In this case, the "computer resource" was secured by password, and was owned by a company - hence, under more protections than an individual. This would only be analogous if the WIFI access point in question was
a) owned by a company (non-individual legal entity)
b) "secured" by a user/password (no matter how lame or guessable)
Because of this, a case dealing with a personal, unsecured WIFI access point that was "abused" for, say, copyright infringement, would not be able to use this case as a precedent. </IMHO>
However, when dealing with any country with "innocent unless (until?) proven guilty" I am sure they will put up a "unsecured = accomplice" precedent soon enough...
That Paris thing..
... it's *really* old now.
Yes, this sets a precedent. But not a good one.
How do you define someone as having the "right" to use a computer?
Before this case, you could have argued that a password was that. If you didn't know it (and had to guess/crack it), you didn't have the right, and anything you did to get access was unlawful.
Now, even being in possession of a password isn't enough.
How long before a company sues an employee for unauthorised access to data because a colleague told them the password (or worse, they needed it for a report last month and were given a password which was then never revoked)?
Presumably, you'll have to sign a document upon receipt of a password, and sign another one when the term for which you are allowed access to the data has expired, saying you won't use the password that you know to access the data in the event it doesn't get changed.
Scary stuff. SysAdmins of the world, beware. We could be next (yes, we have access to everything. But what if the Boss decides we shouldn't?)
Stop using rubbish analogies
Trespass, change the locks, etc. We had this with the router thing. Comparing unauthorised access to a computer system with property access rights is bogus.
A better analogy would be with unauthorised access to a computer sys.., oh wait, that's not an analogy. Duh! See, it's really pretty redundant. And in any case (see below), since specific legislation applies, comparison to any other legal area is pointless.
"Although I disagree strongly that the woman did break the law"
OK, let's wheel that quote out again:
(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
Since the woman in question is no longer an employee of Nannies Inc, she is no longer authorised to access their data. Period.
You may think this law is somehow unjust, but it *is* the law, and this is a very clear-cut case. Or are you trying to argue for an exemption under 1(1)(c)? If so, on what grounds? If not, why *do* you "strongly disagree"?
What frightens me here is the level of misunderstanding that seems to exist w/r/t the CMA; it's not even a hard read as legislation goes.
"How long before a company sues an employee for unauthorised access to data because a colleague told them the password (or worse, they needed it for a report last month and were given a password which was then never revoked)?"
Take your tinfoil hat off and go and READ the CMA. The reason that this won't happen is very near the top, and also quoted in my previous post. Provided that the person has no reason to believe they weren't supposed to have access to that data, no offence has been committed; section 1(1)(c) exists specifically to cover such an eventuality.
"Scary stuff. SysAdmins of the world, beware. We could be next (yes, we have access to everything. But what if the Boss decides we shouldn't?)"
Like, say, he tells you that you shouldn't be reading other people's emails, even though you could? Get used to it. If you're a sys admin, you should be mature enough to exercise such responsibility, and if you aren't, then you suffer the consequences. Seems fair enough to me. And before you ask, yes thanks, I have been a sys admin.
So where is the warning to the Agency?
Change your passwords when key employees leave.
These people, by their inaction, were responsible for people being unable to work. Where is the counter-charge against them for negligence / incompetence and failure to give a Castlemaine XXXX?
Re: Re: Precedent
Let me get this straight, this agency left the door open and the ex-nanny decided to take advantage of the system so she's the guilty party. I leave my wifi router open and someone decides to take advantage of my setup and you're saying I'm the guilty party.
Even in this day and age when you are guilty for everything, that doesn't make sense. It's one or the other. Either the misuser is guilty or the owner of the system is. If they'd charged the agency with having an insecure system then I would have to agree with you all, but they didn't, hence the implication is that insecure systems are a defence against misuse by others.
"You log onto someone else account that you do not have a right to, then it is blatantly a misuse of a computer"
Surely, using a computer for anything it has the ability to do is not misuse, but if it is against the law then it would be "illegal use". Beating someone to death with a PC would be misuse, i.e. not the use for which it was intended. Similarly, she had a password and while her use of it may have been illegal/inappropriate as she was no longer a company employee, she wasn't misusing it, as its purpose is to grant access, and that is exactly what she did with it... no misuse anywhere in sight! ;)
verb, -used, -us·ing.
1. wrong or improper use; misapplication.
2. Obsolete. bad or abusive treatment.
–verb (used with object)
3. to use wrongly or improperly; misapply.
4. to treat badly or abusively; maltreat.
NB: just in case you want to argue using definition 3, she used it properly, in the manner for which it was intended, just when she no longer had permission to do so.
Mine's the one with the thesaurus in the pocket...
Why this fixation on just one guilty party? She's guilty of unauthorised access; the company is guilty of a breach of the DPA for not securing it adequately (IANAL).
You want an analogy...
Would any of you be on the nanny's side if she had walked off with her door access card (if she had one) and they had forgotten to cancel it?
It's the same thing.
@ rubbish analogies
Analogies were not used, just English words describing the actions, you made the analogy in your own head :)
A lock is just a mechanism to hinder unauthorised access; trespass is just the unlawful act of causing injury to a person, property or rights.
Computer systems aren't really special. But, yes, car analogies do get my goat; in this case, though, no analogies were being performed. Existing law already covers these actions as being illegal; there was no requirement for extra or special laws in this case.
This particular comment, though, is a bit short-sighted and, well, rubbish :)
"Since the woman in question is no longer an employee of Nannies Inc, she is no longer authorised to access their data. Period."
It does not follow, unless specifically stated, i.e. if authorization was given it would have to be revoked, termination of employment alone would not guarantee it.
Password is not authorization
It is wishful thinking to say you have the authorization to access any account you have the password for.
A sysadmin, knowing the root password, has access to everybody's files on the system. It does not mean he's authorized to read your private files.
This is like saying that if a bicycle is not locked, you are allowed to take it. I know people who think that, but I do not like them very much.
RE: pedantry! :)
"Beating someone to death with a PC would be misuse i.e. not the use for which it was intended"
I like that!
Oh, and I completely agree: a computer's purpose is to access and manipulate data. She used it to access (read) and manipulate (delete) the data on the company's mail server, exactly what the computer was designed for.
I think that it's blatantly correct for her to be done for this, but the size of the fine is right too. £500 is not so much. It's basically a slap on the wrist. The company was stupid not to change the password, and I have no sympathy. However, WHY THE HELL were they using a single email account which multiple employees had access to? Do you think that, if she'd had access to a company pool car, they would have left her with a copy of the keys?
The entire nation needs educating about basic computer and information security. It would help in so many ways, from preventing the spread of virii to reducing identity theft.
But then we can't expect any help from the govt on this one, they can't even teach their own ministers/doctors/civil servants to be careful with their data.
PH because Nannies Inc. have shown a level of intelligence very similar to the girl
Perhaps it's apocryphal urban legend, but I'm sure that sometime during my long and misspent life I've read that if you turn the doorknob on an unlocked door and enter the premises within, you have committed the crime "break and entry", but if the door is wide open you haven't.
Whether you then commit theft, murder, or mayhem is another legal issue altogether.
Seems to me that true justice would mitigate the seriousness of this nanny's crime on the basis that the victim failed to take even the most elementary of precautions. Perhaps it's time to bring back the Court of Chancery and get true justice without reference to precedent and statute?
Not-Paris because I'd like to use Paris but the troops are complaining that she's no longer funny.
Would beating someone to death with a PC be misuse or just thinking outside of the box?
That aside, she shouldn't have done it, and the company shouldn't have let her. They should have an audit done to make sure other sensitive info such as kids' names & contact details, etc. aren't exposed in any way.
A £500 fine?
Doesn't really compare with my six months suspended sentence and a £20k fine, does it.
People need to understand that it's not because there's no security that you have the right to do what you want!
If I leave my house's doors unlocked, it doesn't grant you the right to steal everything in my house, and if I walk naked on the road with a sign "r@pe me" ... it doesn't ... oh, OK, maybe it's not a good example ...
"Beating someone to death with a PC would be misuse i.e. not the use for which it was intended"
Giving the BOFH and the PFY some ideas :)
Why the hell is the company using an AOL account? Surely they should have had their own domain and mail server, then set up everyone with a personal account and used email forwarding so that everyone that needs access to the emails gets them.
Re: everyones guilty
What gripes my wagger though is that we haven't heard of the agency being taken to court and found guilty.
And if this is kept so, then we have a case of privilege.
And when that's the way the law works, it's no longer the rules we live by but a way to keep people down.
And fighting that isn't lawbreaking, it's freedom fighting.
Guilty of what, exactly?
Is there any evidence at all to suggest that personal information of any sort was revealed by their admitted stupidity?
Stupidity isn't a crime...
@Chris W / AC / Cliff Stanford
"Let me get this straight, this agency left the door open and the ex-nanny decided to take advantage of the system so she's the guilty party. "
Erm, yes, guilty of an offence under section 1 of the Computer Misuse Act 1990 as previously quoted. An offence to which she pleaded guilty.
"I leave my wifi router open and someone decides to take advantage of my setup and you're saying I'm the guilty party."
Erm, no, I think you have me mixed up with someone else.
"It's one or the other. Either the misuser is guilty or the owner of the system is."
Go back, follow the link, read the act. The security or otherwise of the system to which unauthorised access is sought is irrelevant in the definition of an offence. If a system is totally unsecured, unauthorised usage is still a breach of section 1. OK? So the 'misuser' commits an offence in any case.
Whether or not the owner of the system is guilty of some other offence, such as a breach of the DPA, is a separate issue, and indeed a separate set of legal proceedings in which the owner may indeed be found guilty. So you see, you actually *can* have it both ways.
If you feel strongly that the company should be prosecuted, make a complaint to the ICO, but don't hold your breath waiting for them to do anything about it. If you feel that ICO's inability to do anything useful is a terrible injustice, lobby your MP, with similar caveats.
Feel free to live in your script kiddie utopia where it's OK to mess with people's systems if they didn't secure them properly, by all means, but do so knowing that the law disagrees with you very strongly indeed.
"It does not follow, unless specifically stated, i.e. if authorization was given it would have to be revoked, termination of employment alone would not guarantee it."
Common sense dictates otherwise. You can be as pedantic about it as you like, but you'll find that the default is employee == authorised, non employee != authorised.
"Doesn't really compare with my six months suspended sentence and a £20k fine, does it."
No, it doesn't, but then you were convicted of an 'unlawful interception' offence under RIPA, (for the purposes of blackmail, IIRC) so it wouldn't, would it.