Laws in Ireland regarding hacking?

AARRRGH

Hello,

I don't know if anyone can help with this. Hopefully someone can.

Scenario -

I own a website. Rival website is logging into private areas of the website to snoop my design etc. For example, this would be similar to me logging in under another users account on boards.ie to read their private messages.

Is this legal or illegal in Ireland? Is it hacking, even if they got the username/password without using an exploit? (i.e. they guessed it or something like that.)

Any pointers appreciated.

Cheers.

NutJob

http://www.amazon.co.uk/exec/obidos/ASIN/0717137015/qid=1141728470/sr=1-5/ref=sr_1_3_5/203-6621183-6263940


Read it the laws are complicated and ull be surprised whats actually illegal(alot more than most people think).


I have no intention in giving half arsed legal advice but i will say dont do anything stupid itll hurt.

oh and a solicitor is a good thing recommend them.

liamo

If they're logging into private areas without permission then it's illegal.

What constitutes permission though? If you're running a public website then you're giving permission to the world at large to access it. If a user can create an account which gives them further privileges (eg to access private areas) then that, to me, constitutes permission to access those areas.

Of course, this is just complete speculation on my part because I don't know the exact details of your situation, nor am I a solicitor.

NutJob's suggestion to consult a solicitor is a good one. If it's important, it's worth spending some money on it.

Regards,

Liam

themole

dublindude wrote:

Is this legal or illegal in Ireland? Is it hacking, even if they got the username/password without using an exploit? (i.e. they guessed it or something like that.)

AFAIK, thats illegal.

It doesn't matter how thet got the username/password. What matters is that they did not receive it from you.

I could be wrong on that.

I have this book

i will give it a look through.

aidan_walsh

Question: Would the basis for an action around such an act have to be enforced in the country of the owner, or where the server is based (such as with copyrights)?

So, if your server is not in Ireland, is it relevant whether its legal here?

Duffman

Might be relevant:

Criminal Justice (Theft and Fraud Offences) Act, 2001 - Section 9:

Unlawful use of computer.



9.—(1) A person who dishonestly, whether within or outside the State, operates or causes to be operated a computer within the State with the intention of making a gain for himself or herself or another, or of causing loss to another, is guilty of an offence.

(2) A person guilty of an offence under this section is liable on conviction on indictment to a fine or imprisonment for a term not exceeding 10 years or both.

ntlbell

liamo wrote:

If they're logging into private areas without permission then it's illegal.

What constitutes permission though? If you're running a public website then you're giving permission to the world at large to access it. If a user can create an account which gives them further privileges (eg to access private areas) then that, to me, constitutes permission to access those areas.

Of course, this is just complete speculation on my part because I don't know the exact details of your situation, nor am I a solicitor.

NutJob's suggestion to consult a solicitor is a good one. If it's important, it's worth spending some money on it.

Regards,

Liam

as long as no information is changed or destroyed, or used for personal gain it's not illegal.

proving they used the information for personal gain is a tough one.

all logs can not be used as admissible eveidence.

liamo

ntlbell wrote:

as long as no information is changed or destroyed, or used for personal gain it's not illegal.

proving they used the information for personal gain is a tough one.

all logs can not be used as admissible eveidence.

I don't think that's right. Wasn't there a case in the UK recently where a chap donated money to an on-line charity, wasn't sure if the site was genuine and snooped around a little. The judge was very sympathetic but he was found guilty.

I would imagine our laws are similar. If I snuck into your house I would be guilty of breaking and entering (or, at the very least, trespassing) even if I did no damage or stole anything.

Regards,

Liam

Bamboozled

It happened us with one of our larger sites.
We ended up in the Garda Headquarters with the fraud squad and dealing with international squads because of the server being in belgium.

ntlbell

liamo wrote:

I don't think that's right. Wasn't there a case in the UK recently where a chap donated money to an on-line charity, wasn't sure if the site was genuine and snooped around a little. The judge was very sympathetic but he was found guilty.

I would imagine our laws are similar. If I snuck into your house I would be guilty of breaking and entering (or, at the very least, trespassing) even if I did no damage or stole anything.

Regards,

Liam

This is not the UK, and this is nothing to do with breaking and entering.

liamo

ntlbell wrote:

This is not the UK, and this is nothing to do with breaking and entering.

Don't be so facetious and pedantic. It was quite obvious that I was making an analogy to breaking into a computer. And as for my reference to the UK, you'll find that the UK and Irish laws are very similar and, in fact, most Irish laws are based on UK law.

If you'd like to get specific about it, here's a couple of extracts from the Cork Online Law Review 2005.

The two main offences regarding hacking in Ireland are found in the Criminal Damage Act 1991. The ‘basic hacking offence' within Section 5 prohibits the accessing of another person's data, via a computer, without that said person's consent.

So, even if the information is not used or damaged, the act of accessing the data is an offence. I believe this is the point I was making.

... the United Kingdom promulgated the Computer Misuse Act 1990 into law, which served as the model for many other countries' legislative framework, including Ireland .

This, I believe, supports the reference I made to the UK.

Instead of making smart, unhelpful, sulky comments that add nothing to a debate or a thread, try backing up your statements or saying nothing at all.

ntlbell

liamo wrote:

The two main offences regarding hacking in Ireland are found in the Criminal Damage Act 1991. The ‘basic hacking offence' within Section 5 prohibits the accessing of another person's data, via a computer, without that said person's consent.

So, even if the information is not used or damaged, the act of accessing the data is an offence. I believe this is the point I was making.


Instead of making smart, unhelpful, sulky comments that add nothing to a debate or a thread, try backing up your statements or saying nothing at all.

Yes and comparing computer crime to breaking into a house is very helpfull.

it's about as helpfull as that law, in real life situations, useless.

Eru

NTL,

Liama is correct. Dont get in a huff because you were giving crap information out about a subject you obviously know nothing about.

Duff also gives good advise. theres little more too be said as both have made the point well. good posts!

will add 1 thing however, server area is not a requirement but its helpful and co-operation between nations means maximum charges and penalties for offenders.

ntlbell

Karlitosway1978 wrote:

NTL,

Liama is correct. Dont get in a huff because you were giving crap information out about a subject you obviously know nothing about.

Duff also gives good advise. theres little more too be said as both have made the point well. good posts!

will add 1 thing however, server area is not a requirement but its helpful and co-operation between nations means maximum charges and penalties for offenders.

The information was given basesd on the fact that the laws today in ireland are not specific enough for _real_ life computer crime scenario's.

I wasn't specifically talking about the OP's issue.

Because someone quotes a law doesn't mean they know they're talking about, I've worked in many ISP's for many years and have been involved in alot of these types of issues, and this law is for the most part is useless.

I'm too old to huff :rolleyes:

To the OP get in touch with a solicitor, I'm confident enough there's nothing he can do that i'll pay your legal fee's if he can!

Eru

Maybe if ISP's were helpful with the investigations and not stand in the way and block police efforts more crime would be solved such as the Indymedia saga in the UK

You know little of the law and you were proven comepletely wrong in your earlier comments. How do you explain the below comments? They are 100% ignorant and incorrect and another user called you on it (without any legal knowledge, training or experience just common sense)

ntlbell wrote:

as long as no information is changed or destroyed, or used for personal gain it's not illegal

and for future reference this quote would refer to an offence under Section 6 or 7, Criminal justice (Theft and fraud offences) Act 2001. Obtaining services or goods by deception.

ntlbell wrote:

proving they used the information for personal gain is a tough one.

His comments about breaking an entering (tresspass with intent in Ireland) was quite a good analogy I thought.

ntlbell

Karlitosway1978 wrote:

M


and for future reference this quote would refer to an offence under Section 6 or 7, Criminal justice (Theft and fraud offences) Act 2001. Obtaining services or goods by deception.


His comments about breaking an entering (tresspass with intent in Ireland) was quite a good analogy I thought.

Why for future reference?

it actually is part of section 9

.—(1) A person who dishonestly, whether within or outside the State, operates or causes to be operated a computer within the State with the intention of making a gain for himself or herself or another, or of causing loss to another, is guilty of an offence.
(2) A person guilty of an offence under this section is liable on conviction on indictment to a fine or imprisonment for a term not exceeding 10 years or both.



so if you scan a network, which is not ilegal are you accessing data?

if you make a connection to a machine on port 22 which is open and exposed to the outside world are you accessing data?



if you login to the machine have you accessed data?



you login to the machine, do nothing, log off have you accessed data?



Don't start quoting laws that YOU do not understand to try and prove I have no understanding.

Eru

By ignoring the first part of my post do you admit you are wrong?

Secondly, I enforce these laws and understand them perfectly. You were the one that was unaware of such laws and I posted from memory not a copy and paste job (you really should be decent enough to reference statute.ie you know)

As for your comments. I am not an IT professional so will not answer in some regards (a lesson you would do well to remember as you quote laws you have no knowledge or understanding off) however if you used another persons password or accessed an area you had no permission to access then you have commited a crime.

I am a registered user on this site therefore I am allowed access and post here. If I used an admins password to access the site and read private messages I have commited a crime unless granted that right by said person.

Permission is a vital factor regardless of how, where and why.

ntlbell

Karlitosway1978 wrote:

By ignoring the first part of my post do you admit you are wrong?

Secondly, I enforce these laws and understand them perfectly. You were the one that was unaware of such laws and I posted from memory not a copy and paste job (you really should be decent enough to reference statute.ie you know)

As for your comments. I am not an IT professional so will not answer in some regards (a lesson you would do well to remember as you quote laws you have no knowledge or understanding off) however if you used another persons password or accessed an area you had no permission to access then you have commited a crime.

I am a registered user on this site therefore I am allowed access and post here. If I used an admins password to access the site and read private messages I have commited a crime unless granted that right by said person.

Permission is a vital factor regardless of how, where and why.

I'm not ignoring the first part of your post, you asked me to explain how i could make a statment, the questions i listed are to show you why I can make such a claim.

You posted from memory, and you can't remember what section it was? why would I have it in memory? I'm not a solicitor, and I would expect a good one to be able to remember what section of the law it is.

If I was unaware of such laws why would I make the personal gain comment? how would i know it was legal or not?

how can you enforce laws you have no understanding of

if you don't know if someone makes a TCP connection to port 22 on a machine exposed on a public network is against the law or not how can you enforce it?

so you can only enforce the law when it involves something you understand?

what good is that?

so someone with no understanding enforces these laws? that's very irish.

Eru

Where did I say I had no memory of the sections? I stated them clearly, you however are simple taking from another site. You couldn't even post a basic explanation of the laws.

Also,
Unlike you I do not speak of areas I have no experience or training in that is why I do not speak of ports, etc. Thats IT and we have an IT department, ever hear of expert witnesses?

according to you to be a Garda I should have personal knowledge of rape, murder, theft and incest as well should I? Or I am not able to enforce laws against these crimes?

Because Im not a psychiatrist or doctor I cannot act on or use my powers under the Childrens Act or Mental health Act?

Be sensible, no person knows everything about everything. I know law (as a Garda not a solicitor BTW), you know computers. I dont pretend to be an expert in your field, you should stop pretending in mine.

You were wrong in your comment. Thats the bottom line, just accept it.

ntlbell

Karlitosway1978 wrote:

I am a registered user on this site therefore I am allowed access and post here. If I used an admins password to access the site and read private messages I have commited a crime unless granted that right by said person.

Permission is a vital factor regardless of how, where and why.

How do you define permission?

why does it have to be a person?

can the permission come from software? what if the software wrongly elevated privilege's to grant permission you shouldn't have been given?

how where and why is never as black and white as you might like to think.

Eru

ntlbell wrote:

To the OP get in touch with a solicitor, I'm confident enough there's nothing he can do that i'll pay your legal fee's if he can!

How did I miss this the first time round????

Of course theres nothing he can do about it, a solicitor doesnt investigate or prosecute CRIMINAL offences. Thats the Gardai and DPP.

Wow your knowledge of Irish law is weak.

ntlbell

Karlitosway1978 wrote:

Where did I say I had no memory of the sections? I stated them clearly, you however are simple taking from another site. You couldn't even post a basic explanation of the laws.

Also,
Unlike you I do not speak of areas I have no experience or training in that is why I do not speak of ports, etc. Thats IT and we have an IT department, ever hear of expert witnesses?

according to you to be a Garda I should have personal knowledge of rape, murder, theft and incest as well should I? Or I am not able to enforce laws against these crimes?

Because Im not a psychiatrist or doctor I cannot act on or use my powers under the Childrens Act or Mental health Act?

Be sensible, no person knows everything about everything. I know law (as a Garda not a solicitor BTW), you know computers. I dont pretend to be an expert in your field, you should stop pretending in mine.

You were wrong in your comment. Thats the bottom line, just accept it.

You are commenting on a law that you don't understand, if your "expert witness" posted on this thread we could get this cleared up, but you commenting on it with no understanding of IT is pointless.

the same way if you were commenting on an issue which was to do with mental health i'd expect you to understand the under liying issue, or have your "expert witness" post instead.

the fact you have a "team" to get an understanding of these things doesn't mean you have an understanding of what's been discussed in _this_ thread.

so you're admitting you don't understand IT so you can't understand how it fits within the law.

ntlbell

Karlitosway1978 wrote:

How did I miss this the first time round????

Of course theres nothing he can do about it, a solicitor doesnt investigate or prosecute CRIMINAL offences. Thats the Gardai and DPP.

Wow your knowledge of Irish law is weak.

The point I was making is that i'm so sure nothing will come of it, that i'll pay any legal fee's in making the attempt.

Eru

ntlbell wrote:

How do you define permission?

why does it have to be a person?

can the permission come from software? what if the software wrongly elevated privilege's to grant permission you shouldn't have been given?

how where and why is never as black and white as you might like to think.

Your questions are a weak attempt to change the argument and avoid admitting your wrong. I will answer however as it is simple to do so.

A, A machine cannot be guilty of an offence therefore it must be a human. Should we charge dogs with murder? DPP V Lassie????? DPP V John Smyths PC; "I swear judge I didnt do it, it was the PC, number 5 is alive!"

B, The law allows for accidents. It is an adequate defence if you reasonable believed you had the permission of the owner or would have had the permission had you been able to request it. See the Criminal justice (theft and fraud offences) Act 2001. Section 5 for more examples.

C, same as A, machines cannot commit crime. Only humans can. Again as per A, if you used the increased allowances despite knowing it was an error you have commited a crime.

D, Permission is defined under the various acts depending on what act you intend to prosecute under however its basically consent or an allowance to act/not act, etc. What a pointless question, get a dictionary.

All under Theft Act 2001. Criminal damage Act has seperate allowances (theres even an offence of destroying your own property)

Pretty black and white in my opinion. In fact law is always black and white as it written down in statutes and case law. If theres a grey area the high court makes a decision and it becomes 'case law stated'; which then amends or decides for all future cases.

For example, Marsh V DPP made a case law stated that Gardai cannot be the victims under Section 4 ofthe public order Act 1994. There is no further debate on this, it has been decided for all future cases.

ntlbell

Karlitosway1978 wrote:

Your questions are a weak attempt to change the argument and avoid admitting your wrong. I will answer however as it is simple to do so.

A, A machine cannot be guilty of an offence therefore it must be a human. Should we charge dogs with murder? DPP V Lassie????? DPP V John Smyths PC; "I swear judge I didnt do it, it was the PC, number 5 is alive!"

B, The law allows for accidents. It is an adequate defence if you reasonable believed you had the permission of the owner or would have had the permission had you been able to request it. See the Criminal justice (theft and fraud offences) Act 2001. Section 5 for more examples.

C, same as A, machines cannot commit crime. Only humans can. Again as per A, if you used the increased allowances despite knowing it was an error you have commited a crime.

D, Permission is defined under the various acts depending on what act you intend to prosecute under however its basically consent or an allowance to act/not act, etc. What a pointless question, get a dictionary.

All under Theft Act 2001. Criminal damage Act has seperate allowances (theres even an offence of destroying your own property)

Pretty black and white in my opinion. In fact law is always black and white as it written down in statutes and case law. If theres a grey area the high court makes a decision and it becomes 'case law stated'; which then amends or decides for all future cases.

For example, Marsh V DPP made a case law stated that Gardai cannot be the victims under Section 4 ofthe public order Act 1994. There is no further debate on this, it has been decided for all future cases.

I have the information to backup my statments, you haven't been able to answer any of my questions or prove any of my statments wrong you stating they're wrong is not enough

So if a human chooses to allow software to grant permissions, everyone who access the data based on the interaction with the software must be comitting a crime as they have not been granted permission by a human.

yes it's all black and white.

Nietzschean

since u keep complaining that the other posters have no clue :
connecting on port 22 is an open available public service (ssh), only after authenticating with stolen details and accessig privlidged information would be the correct inalagy.

as for port scanning, that information is all public, doesn't seem to fit into this conversation at all and is just you trying to through in technical terms to make up for your lack of understanding of all the relevent laws....

you login to the machine, do nothing, log off have you accessed data?

well as you well no doubt know that would depend on the persons setup, if they infact display anything mail/msgs upon login or even a directory listing that would class as accessing data.. where the law stands on that i'm not sure but i think your approach here of trying to rule out people who know their legalese is pretty lame....

ntlbell

Nietzschean wrote:

since u keep complaining that the other posters have no clue :
connecting on port 22 is an open available public service (ssh), only after authenticating with stolen details and accessig privlidged information would be the correct inalagy.

as for port scanning, that information is all public, doesn't seem to fit into this conversation at all and is just you trying to through in technical terms to make up for your lack of understanding of all the relevent laws....


well as you well no doubt know that would depend on the persons setup, if they infact display anything mail/msgs upon login or even a directory listing that would class as accessing data.. where the law stands on that i'm not sure but i think your approach here of trying to rule out people who know their legalese is pretty lame....

it would class as accessing data , but what if they don't display it?? where the law stands is not clear, and that's what the point was proving. I'm not trying to prove he doesn't understand the law but the crimes, the law is not very complicated, the crimes often are and do not fit into the law.

Eru

ntlbell wrote:

I have the information to backup my statments, you haven't been able to answer any of my questions or prove any of my statments wrong you stating they're wrong is not enough

I have answered everything. I even did it with a nice easy to read A,B,C and D. I quoted the exact laws and sections. What do you want? look up statute.ie yourself, I know you can.

ntlbell wrote:

So if a human chooses to allow software to grant permissions, everyone who access the data based on the interaction with the software must be comitting a crime as they have not been granted permission by a human.

what a load of **** and you know it. If the program grants wrong access then you have no permission and therefore by using that permission despite being aware you should not have it you have commited a crime.

If you logged onto a PC and it makes a mistake and sends you into a private area then you were unaware and had no intent or option. You in effect had neither mens rea (guilty mind, intent) nor actus reus (guilty act) which are required for criminal acts.

The machine can only act based on human input. My PC cannot turn itself on, go to Amazon and use my credit card to buy a nice fur coat. It requires a human hand to make it do so.

The key here is intent. If you hack into a machine you have commited a crime regardless of what you gain.

If you hack a machine and also take and use credit card details you have commited more crimes.

If I use my sisters credit card online because she said I could then I have commited no crime. If I look into her email on her request or after asking could I then I have commited no crime.

All black and white. outline the scenario and I will answer legal or illegal but as the above user posinted out. I am using standard terms and language and I explain the 'legal' terms when needed. You are hiding behind pointless questions and IT jargon.

Bottom line, you stated that hacking is legal provided you obtain no information, that was wrong. you were wrong and therefore I and others are correct in stating so.

Eru

ntlbell wrote:

it would class as accessing data , but what if they don't display it?? where the law stands is not clear, and that's what the point was proving.

Excuse me? I believe it was already pointed out to you by another user in plain English.

You said it was legal and were proven wrong. Simple

Nietzschean

What is there some saying about the law being blind, anyway sure if he accessed the data the onus of proof would be on him that he didn't view it, or store/distribute it in any way. Once its proved he's accessed the data surely its his problem from then on?

As for the OP's post, logging into the secure part of a website, you could easily prove the page was view'd/downloaded from apache's logs of all the pictures that would have been pulled to go with the page, claiming he didn't view em wouldn't be much use really, he willfully accessed a protected part of the site , if he closed his browser after having a peak or a proper root around i don't see the difference....

Eru

No, its 'Justice is blind' as in she doesnt see race, colour, etc etc etc.