Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Francis Davey fjmd1a at
Wed Aug 4 08:15:19 BST 2010

On 4 August 2010 07:12, Peter Tomlinson <pwt at> wrote:
> I take the same line with this "unauthorised access" argument as I do with
> the problem of restrictions on the validity of off peak tickets on UK
> trains: if the restriction is not declared to me at the time of purchase of
> the ticket (and done so in writing in a form that I can conveniently carry
> with me), then the restriction is not valid.

I once approached the ticket office in Ealing Broadway, said "A ticket
to XXXX please" and was handed a ticket in return for payment. I
headed towards the barriers and the person who sold me the ticket
yelled "Hey! You can't use that ticket yet." At the time I thought it
was extraordinary that he had assumed I wanted anything other than to
buy a ticket and get on a train.

However, that's all beside the point. This thread seems to be
wandering all over the place and this is partly because there's
confusion between:

* what people think might or might not be morally right in general
concerning URL truncation
* whether URL truncation constitutes unauthorized access within the
meaning of section 1 of the Computer Misuse Act 1990

I think the first point is simply unarguable: if you run a HTTP server
then its up to you to cope with any reasonable HTTP request that is
sent to you (i.e. I am not saying anything about malicious requests
such as denial of service attacks). You don't have to answer a request
at all (you don't have to run a server of course) or you can return a
404 or anything else you like.

This has nothing to do with a victim's possible responsibility (or
otherwise) for criminal activity - in the gold example for instance
(curiously one of the examples given by the Anglo-Saxon Chronicle of
the good that William I did was that one could safely traverse the
country with gold in one's possession without fear). Analogies with
real-world activities (tickets, houses etc) really don't help, since
they are all quite different and do not take place in a protocol
governed, voluntarily joined, organised structure like the internet.

The second point is specific to the CDA. Analogies with other
activities are unhelpful because they are covered by other statutes
with very different requirements for mental involvement.

For example theft requires not only that I intend to permanently
deprive the owner of property belonging to them, but also that I do so
dishonestly. "dishonesty" has a subjective/objective test (at least
for criminal liability): that is did the defendant know that the act
in question was objectively dishonest (i.e. that the generality of the
population would consider it dishonest)?

Another example: walking into someone's property through an open door
is, of course, not by itself a criminal offence. It would almost
always be a trespass to land - there is (unless otherwise specified)
an implied license to pass from the highway to someone's front door
for a lawful purpose, but there is not to do so into their premises
and trespass is a civil wrong of strict liability so without a licence
a mistaken belief as to right is no defence.

NB: there is no crime of "breaking and entering", there is an offence
of burglary, which may be committed by entering as a trespasser with
intent to commit (for instance) theft or rape, Breaking would be
criminal damage (which has a different species of mental involvement).

Train tickets are, of course, regulated. The contractual situation
would be (absent statute) that a company was entitled to publish all
its terms and conditions in a book which you could pay for, but you
would be bound by them if you bought a ticket stating it was subject
to those conditions. I doubt this corresponds to many posters moral
view of the situation but its a well established principle in English
law having been hammered out in the "railway ticket" cases of the 19th
century. Consumer law is an overlay and may alter the position, but
private law aside, tickets are regulated by statute and so one can
find oneself in unfair and unjust situations quite easily because the
law is drafted to be generally unjust so as to be effective.

There is no dishonesty requirement in the CDA. The requirement is that
the defendant subjectively know that the access is objectively
unauthorised. URL shortening on a site without any reason to believe
that it is "unauthorised" could not, in my view, ever be a s1 offence
because of the way in which the internet operates and is known by
those involved to operate. Things would be different if a website
(which you had read) had a disclaimer to the contrary, or you had read
terms and conditions which told you not to do the very thing you did.

You would not, as a defendant, have to prove that what you did was
authorised, but rather the prosecution would have the burden of
proving that you knew it wasn't. That strikes me as a difficult thing
to do in the case of URL shortening.

There are always mad decisions by judges. Some of them area appealed
(against a magistrates conviction you have a statutory appeal as of
right to the Crown Court which helps a bit), many of them are not
because the loser gets fed up, doesn't have the energy for a further
fight, or simply because they are badly advised.

I often tell of a case where I convinced my opponent that I was right
before the hearing (I was clearly right) but we were jointly unable to
convince the judge that I was. My opponent was quite eloquent on my
behalf as well. The judge's decision was appealable on its face but
(for whatever reason) we made no appeal. Perhaps my client was fed up
with the process. I certainly might have been.

Francis Davey

More information about the ukcrypto mailing list