On Mon, 25 Dec 2006 10:00:07 +0000,
(Paul Cummins) wrote:

In article ,
(Alex Heney) wrote:


I don't think there is the slightest doubt that the access *would*
be illegal.

what about an open network with an SSID of "public" ?

What about it?

Completely different question, utterly different scenario.
--
Alex Heney, Global Villager
Circular Definition: see Definition, Circular.
To reply by email, my address is alexATheneyDOTplusDOTcom

On Mon, 25 Dec 2006 07:55:02 +0000, "ChrisR"
y.com.address
wrote:

snip

Bearing in mind that we are taliking about the criminal standard of proof
here, I think that's doubful.

No we aren't.

We are talking about whether an offence has been committed, not about
whether it can be proved.

But the courts will not normally interpret a criminal statute widely to
bring in conduct which only marginally constitutes the offence,

They don't need to.

and the
defence that the server owner has given permission is more likely to succeed
if the prosecution has to prove its case beyond reasonable doubt.

I don't think it has the slightest chance of succeeding, unless the
defence could show that the server owner had given *explicit*
permission.


make his server accessible to the whole world. Unless he has revoked that
permission, it makes no difference if the owner of the site URL has
purported to revoke it.

I do not accept that for one moment.

While the owner of the server certainly has rights, what those are
will depend on the contract.

And I cannot imagine anybody renting hosted space without being given
the permission to restrict access to it.

The statute does not mention having the right to restrict access, it
mentions having the right to grant access. More than one person can have
such a right, and if any one of them grants permission, expressly or
impliedly, our miscreant has permission and does not commit the offence.

I disagree.

Any implied permission will be overridden by express withdrawal of
permission, by anybody who has authority to do so.



The miscreant has "consent to access by him of the
kind in question to the data from any person who is so entitled".

I believe the chances any court would agree with your interpretation
are remote in the extreme.

It would make it impossible to prosecute crackers who bypass passwords
to get in to sites illegally.

We are talking only about data freely available to the world on a web
server. Once the data is restricted, eg by password access, the server owner
probably does not have authority to grant permission without the site
owner's consent, so the CMA may become relevant.

So why would he have permission to do so if there is no password
required?




I think it doubtful that a successful CMA prosecution could be brought
against a person for accessing a public website, or that the prosecuting
authorities would try.

I think it is doubtful due ONLY to the level proof required that the
illegal access was made.

I don't think there is the slightest doubt that the access *would* be
illegal.

I think there is, for the reasons given. The CMA works by reference to the
computer on which the data is stored. If the data is published to the world
and the computer is a public webserver, I think it's pretty hard to withdraw
a person's access permission.

It is not at all hard.

You just tell them that they are not authorised.

Explicit overrides implicit every time.



Restricting access by passwoord or to registered users would be different,
because the data is no longer impliedly available to the whole world, and
the CMA may help to prevent attempts to circumvent the security.


I see what you are saying here, and yes, I do agree that it means the
overall implied permission is no longer there.

Which means that people who attempt to bypass the login requirements
are then guilty of offences under the act even if they have not been
expressly told they are not authorised to access it.

While if there is no password, they do have to be expressly told.
--
Alex Heney, Global Villager
Never trust a skinny cook.
To reply by email, my address is alexATheneyDOTplusDOTcom

Any implied permission will be overridden by express withdrawal of
permission, by anybody who has authority to do so.

Where do you get that from? On the clear wording of the statute as you
quoted it, if A, B and C are all entitled to control access, and any one of
them has granted permission, what any of the others might have done is
irrelevant. A can't revoke B's consent, express or implied.

Chris R

On Tue, 26 Dec 2006 00:45:17 +0000, "ChrisR"
y.com.address
wrote:


Any implied permission will be overridden by express withdrawal of
permission, by anybody who has authority to do so.

Where do you get that from?

Express always overrides implied.

On the clear wording of the statute as you
quoted it, if A, B and C are all entitled to control access, and any one of
them has granted permission, what any of the others might have done is
irrelevant. A can't revoke B's consent, express or implied.


I doubt there is a court in the land would see it that way.

Not that I really accept that the server owner necessarily has the
right to grant access to the particular parts of the system comprising
a hosted website anyhow.

That will depend on the terms of the hosting contract, and will most
likely be delegated to the website manager.
--
Alex Heney, Global Villager
Terminal gla A look that kills...
To reply by email, my address is alexATheneyDOTplusDOTcom

ChrisR wrote:

"Graham Murray" wrote in message
...
"ChrisR"
y.com.address
writes:

I think there is, for the reasons given. The CMA works by reference to
the
computer on which the data is stored. If the data is published to the
world
and the computer is a public webserver, I think it's pretty hard to
withdraw
a person's access permission. And if he accesses a copy of that data on
another computer, eg a proxy server, he is still in the clear.

But is it much harder (in the legal, not practical, sense), or even
much different than, a supermarket or shopping centre banning a
particular individual from entering any of their premises?

You might say it is more akin to trying to ban someone from looking at your
premises, or (in the case of proxy servers) looking at a photograph of your
premises. But there is no offence of entering premises from which you are
banned, so the analogy falls down there. You can get an injunction to
restrain trespass - but equally the site owner could get an injunction to
stop the person viewing the website, if he had grounds for getting one.

If you want an analogy...

It's a bit like the implicit consent to all and sundry to enter onto
your property for the purpose of delivering an item, or to seek to
contact you (even if it is a flyer from the local curry house, or the
God botherers)

You can withdraw that permission on a case by case basis (for example I
have notified the local bettaware woman in writing that she is
forbidden to set foot on my property).

I am not now required to erect a security fence. It is sufficient that
should she set foot again, she is knowingly trespassing.

"Dave Mayall" wrote in message
ups.com...
ChrisR wrote:

"Graham Murray" wrote in message
...
"ChrisR"
y.com.address
writes:

I think there is, for the reasons given. The CMA works by reference to
the
computer on which the data is stored. If the data is published to the
world
and the computer is a public webserver, I think it's pretty hard to
withdraw
a person's access permission. And if he accesses a copy of that data
on
another computer, eg a proxy server, he is still in the clear.

But is it much harder (in the legal, not practical, sense), or even
much different than, a supermarket or shopping centre banning a
particular individual from entering any of their premises?

You might say it is more akin to trying to ban someone from looking at
your
premises, or (in the case of proxy servers) looking at a photograph of
your
premises. But there is no offence of entering premises from which you are
banned, so the analogy falls down there. You can get an injunction to
restrain trespass - but equally the site owner could get an injunction to
stop the person viewing the website, if he had grounds for getting one.

If you want an analogy...

It's a bit like the implicit consent to all and sundry to enter onto
your property for the purpose of delivering an item, or to seek to
contact you (even if it is a flyer from the local curry house, or the
God botherers)

You can withdraw that permission on a case by case basis (for example I
have notified the local bettaware woman in writing that she is
forbidden to set foot on my property).

I am not now required to erect a security fence. It is sufficient that
should she set foot again, she is knowingly trespassing.

I don't think the analogy with premises is helpful. Much as we like to think
of visiting a website in cyberspace as visiting a physical location, that
isn't how the Computer Misuse Act works. It works by reference to data being
obtained from a specific computer. Anyone entitled to control access to that
computer or data is also capable of granting consent to access. If the
computer owner has made it available to the whole world, the fact that some
other person (who owns the website URL) has banned a person from it does not
mean he hasn't still got consent from the computer (server) owner.

The analogy also falls down because there is no statute making it an offence
to enter your property without consent. All you have achieved with your
Better lady is to give you grounds to sue for trespass if she enters your
property; but she still isn't guilty of burglary if she does.

But if we must pursue the analogy, it's like a landlord having lodgers in
his house, all sharing the house. One of the lodgers may purport to ban the
landlord's friends from his room, or from the kitchen; but if the landlord
allows his friend into the kitchen, or even into the lodger's room (since he
has no right of exclusive possession), the friend is not trespassing. If the
house were a market (really stretching the analogy now, since such sharing
arrangements don't exist in markets - an antiques centre perhaps?) and the
landlord opened it to the public, a single stallholder could not ban anyone
from approaching his stall.

Chris R

On Fri, 29 Dec 2006 08:05:04 +0000, "ChrisR"
y.com.address
wrote:


"Dave Mayall" wrote in message
oups.com...
ChrisR wrote:

"Graham Murray" wrote in message
...
"ChrisR"
y.com.address
writes:

I think there is, for the reasons given. The CMA works by reference to
the
computer on which the data is stored. If the data is published to the
world
and the computer is a public webserver, I think it's pretty hard to
withdraw
a person's access permission. And if he accesses a copy of that data
on
another computer, eg a proxy server, he is still in the clear.

But is it much harder (in the legal, not practical, sense), or even
much different than, a supermarket or shopping centre banning a
particular individual from entering any of their premises?

You might say it is more akin to trying to ban someone from looking at
your
premises, or (in the case of proxy servers) looking at a photograph of
your
premises. But there is no offence of entering premises from which you are
banned, so the analogy falls down there. You can get an injunction to
restrain trespass - but equally the site owner could get an injunction to
stop the person viewing the website, if he had grounds for getting one.

If you want an analogy...

It's a bit like the implicit consent to all and sundry to enter onto
your property for the purpose of delivering an item, or to seek to
contact you (even if it is a flyer from the local curry house, or the
God botherers)

You can withdraw that permission on a case by case basis (for example I
have notified the local bettaware woman in writing that she is
forbidden to set foot on my property).

I am not now required to erect a security fence. It is sufficient that
should she set foot again, she is knowingly trespassing.

I don't think the analogy with premises is helpful. Much as we like to think
of visiting a website in cyberspace as visiting a physical location, that
isn't how the Computer Misuse Act works. It works by reference to data being
obtained from a specific computer. Anyone entitled to control access to that
computer or data is also capable of granting consent to access. If the
computer owner has made it available to the whole world, the fact that some
other person (who owns the website URL) has banned a person from it does not
mean he hasn't still got consent from the computer (server) owner.


I am as certain as is possible without an actual court case, that you
are simply wrong on this.

The contract the server owner has with the website owner almost
certainly does not give the server owner the right to override any
access restrictions imposed by the website owner.

And even if the contract does allow it, that still does not mean that
an implied authorisation will override an explicit withdrawal of
authorisation.

It would have to be *explicit* authorisation by the server owner.
--
Alex Heney, Global Villager
I'm not lost, I'm "locationally challenged."
To reply by email, my address is alexATheneyDOTplusDOTcom

Dave Mayall wrote:

You can withdraw that permission on a case by case basis (for example
I have notified the local bettaware woman in writing that she is
forbidden to set foot on my property).

I am not now required to erect a security fence. It is sufficient that
should she set foot again, she is knowingly trespassing.

She won't want to risk a brush with the law....