by peteretep
4187 days ago
> If this were the USA it would certainly be bad enough to
> warrant prosecution of the researcher
Sounds like he didn't access any data he wasn't allowed to, if he read the data of test accounts. Not sure how you'd prosecute this in the UK. Also you'd need to convince the CPS that it was in the public interest to prosecute, and they're not elected officials who need to appear Tough On Crime unlike the US. And even if both of those things happened, you'd then need to convince a magistrate that the case warranted a conviction. Still, he should have gone to ICO first and foremost.
|
He has authorisation to access the data, and authorisation to access the computers in question. He doesn't, perhaps, have authorisation to use the specific mode of access but that isn't pertinent to the Act as written AFAICT.
The only possible part he falls foul of is Section 3(3) in that his actions might have caused the system to fail, but "recklessly" has a suggestion of him knowing that such deleterious outcomes were likely, and I don't think that's really true. I think his actions as reported are not in breach of this Act.
However, the proposed Section 3A will cover such actions if he [the reporter of the security lapse] believes that the information (see 3A(4)) he published is likely to be used to assist in the commission of an offence.
> "A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3." (CMA 1990, proposed S.3A(2))
This section is exceptionally broad. Indeed it appears to outlaw the disclosure of bugs found without malice and without intent. Communicate to Google, say, a program/data that could be used to break in to their system and it seems you fall foul of the letter of that Section. Chilling indeed.