Tsunami 'hacker' found guilty

Cuthbert convicted of unauthorised access...

By Colin Barker, 7 October 2005 08:35

A computer consultant has been convicted of gaining unauthorised access to a website collecting donations for victims of last year's tsunami, even though the judge hearing the case accepted that he meant to cause no harm.

Daniel Cuthbert of Whitechapel in London was found guilty on Thursday afternoon of breaching Section One of the Computer Misuse Act (CMA), 1990, on the afternoon of New Year's Eve, 2004.

Cuthbert, who at the time of his arrest had been employed by ABN Amro to carry out security testing, had pleaded not guilty to the charge. He was fined £400 plus £600 costs.

District judge Mr Q Purdy, who heard the case, told Cuthbert it was "with deep regret that he was finding him guilty" given his record of unblemished good behaviour. But Judge Purdy also said that Cuthbert had changed his defence between being interviewed by police at the beginning of the year and his appearance in court this week.

Judge Purdy said Cuthbert was "deliberately trying to throw the police off the trail" by saying one thing and then another.

Earlier this year, it was reported that Cuthbert had donated money to the Tsunami appeal using the text-only Lynx browser, which can appear to behave differently to other browsers from the server's point of view.

But in court on Wednesday, Cuthbert said he had made a £30 donation to the site, after clicking on a banner advert. When he received no final thank-you or confirmation page he suspected he might have fallen victim to a phishing scam, so he carried out two tests to check the security of the site.

Cuthbert's defence team had argued that he had merely 'knocked on the door' of the site, pointing out that he had the skills to break into it if he wanted.

Section one of the CMA says it is an offence to make "unauthorised access to computer material". There is no burden on the prosecution to prove that the accused had intended to cause any damage.

Judge Purdy accepted Cuthbert had not intended to cause any damage, and also pointed out there was almost no case law in this area.

Colin Barker and Graeme Wearden write for ZDNet UK

Comments

There are 4 comments.

  1. John Airey

    Now I can comment at last!

    What a complete waste of time. All he did was check the security of the site as he suspected that his credit cards may have been stolen. It's the electronic equivalent of trying a door to see if it's open, and if it is to alert the police.

    For this he has lost his job, been fined and is considering leaving the IT industry.

    The judge has made a big mistake in applying section one of the act as a "strict liability" offence (like drunk driving). He has made it impossible for IT security professionals to gather evidence on "phishing" or "pharming" sites.

    I shall be writing to the attorney general to explain the ramifications of this judgement, which are far reaching indeed.

  2. anonymous too

    Exactly what did he do when he "knocked on the door"? It's kind of scary not knowing what constitutes "a hack" these days.

  3. Conrad

    Appended ../../../ to a URL and entered ' -- to see if the site was vulnerable to SQL injection.

    Unauthorised access is too general a definition. If you've ever manually changed a URL because of a broken link, then you've in essence gained unauthorized access as you're circumventing the website's behaviour.

  4. John Chamberlain

    Case Law. Does it mean if a company or person runs a dirty penetration test on a server or attempts to gain unauthorised access to make changes or for whatever then they are breaking the Law? ...
