Computer Misuse Act breaks WebArch (was Re: Section 5.4.2 of RFC 3986 not actually 'legal' syntax_)

From: Henry S. Thompson <ht@inf.ed.ac.uk>
Date: Thu, 13 Oct 2005 11:40:59 +0100
To: Tyler Close <tyler.close@gmail.com>
Cc: www-tag@w3.org, Daniel Weitzner <djweitzner@w3.org>, Rigo Wenning <rigo@w3.org>
Message-ID: <f5bbr1tn1hg.fsf@erasmus.inf.ed.ac.uk>

So I find this both chilling and incomprehensible.

As I read the record (follow the various pointers back from [1]), the
defendant in the case was sitting at a browser with something along
the lines of 

  http://donate.bt.com/tsunami/relief/appeal/confirmDonation.html

in the address window of his browser, edited this to read

  http://donate.bt.com/tsunami/relief/../../../

and hit Return.

For this he lost his job and has a criminal conviction.

The apparently relevant section of the Computer Misuse Act [2] reads as
follows:

   1. (1) A person is guilty of an offence if

       (a) he causes a computer to perform any function with intent to
           secure access to any program or data held in any computer;

       (b) the access he intends to secure is unauthorised; and

       (c) he knows at the time when he causes the computer to perform
           the function that that is the case.

How (c) could be said to apply in this case is beyond me. . .

The issue for the TAG is surely that exploratory modifications of URIs
are in a sense _invited_ by their very nature, and thus should never be
describable as unauthorized -- by publishing
http://www.example.com/a/b/c, I implicitly publish all
path-transformed versions of that URL, don't I?  Put that way, it
sounds a bit extreme, but surely there's a substantial point at issue
here which needs to be explored. . .

I have to confess I have occasionally done something close to this,
namely just repeatedly truncating a URI in the address window looking
for a directory I can browse. . .  At the very least it never occurred
to me that I was running the risk of setting off alarms, much less of
breaking the law . . .

Danny, Rigo, is there a point here the W3C or the TAG should try to
address?

ht

[1] http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/
[2] http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_2.htm#mdiv1
-- 
 Henry S. Thompson, HCRC Language Technology Group, University of Edinburgh
                     Half-time member of W3C Team
    2 Buccleuch Place, Edinburgh EH8 9LW, SCOTLAND -- (44) 131 650-4440
            Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
                   URL: http://www.ltg.ed.ac.uk/~ht/
[mail really from me _always_ has this .sig -- mail without it is forged spam]
Received on Thursday, 13 October 2005 10:41:13 GMT
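
Added example, not part of the original message: a sketch of the RFC 3986 section 5.2.4 dot-segment removal applied to the two URLs quoted above, showing what the edited URL normalizes to and how a server-side check can tell that a requested path tried to climb above the root. The names `remove_dot_segments` and `inspect_url`, the `above_root` counter, and the `www.example.com` sample are this example's own assumptions; the `%2e` handling goes slightly beyond the message and follows RFC 3986 section 6.2.2.2.

```python
import re
from urllib.parse import urlsplit, urlunsplit

def remove_dot_segments(path):
    """RFC 3986 section 5.2.4. Returns (normalized_path, excess), where excess
    counts ".." segments discarded because the path was already at the root."""
    out, excess = [], 0
    while path:
        if path.startswith("../"):
            path = path[3:]
        elif path.startswith("./") or path.startswith("/./"):
            path = path[2:]
        elif path == "/.":
            path = "/"
        elif path.startswith("/../") or path == "/..":
            path = "/" + path[4:]
            if out:
                out.pop()        # ".." cancels the previous segment
            else:
                excess += 1      # nothing left to cancel: request aimed above root
        elif path in (".", ".."):
            path = ""
        else:
            end = path.find("/", 1)
            end = len(path) if end == -1 else end
            out.append(path[:end])   # move one whole segment to the output
            path = path[end:]
    return "".join(out), excess

def inspect_url(url):
    """Normalize a URL's path and report whether it carried dot-segments."""
    parts = urlsplit(url)
    # "." is an unreserved character, so "%2e" is equivalent to "."
    raw = re.sub(r"%2e", ".", parts.path, flags=re.I)
    normalized, excess = remove_dot_segments(raw)
    return {
        "normalized": urlunsplit(parts._replace(path=normalized)),
        "had_dot_segments": normalized != raw,
        "above_root": excess,
    }

if __name__ == "__main__":
    samples = [
        "http://donate.bt.com/tsunami/relief/appeal/confirmDonation.html",  # from the message
        "http://donate.bt.com/tsunami/relief/../../../",                    # from the message
        "http://www.example.com/a/b/%2E%2e/c",                              # constructed sample
    ]
    for url in samples:
        print(url, "->", inspect_url(url))
```

Run the same normalization on the server before any path-based access decision, so that the check and the file lookup see the same path.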