Saturday, 16 February 2008

Electronic Espionage

The UK differs from the United States, which has made efforts at codification through the Restatement and the Uniform Trade Secrets Act[1] to introduce a legislative set of controls preventing electronic espionage. The English law as it relates to a breach of confidential information is derived solely from the common law as it has evolved through the cases. A duty of confidence arises when confidential information comes to the knowledge of a person in circumstances where it would be unfair were that information to be disclosed to others (e.g. because the recipient of the information was on notice, or had agreed, that the information was to be so treated). A breach of confidence is the breach of such a duty, and it can give rise to a civil action[2]. Breach of confidence will usually arise in connection with the disclosure of information which has a commercial value, but can also include personal information about individuals.

Breach of confidence is complex and continues to expand to “reflect changes in society, technology and business practice”[3]. Additionally, Art. 8 of the European Convention on Human Rights (concerning the right to privacy) has expanded the available actions connected with a breach of confidence to include safeguarding against the misuse of private information[4]. English law requires the plaintiff to prove three things to succeed in an action for a breach of confidence:

  1. the information must be confidential; the action does not apply to information which is trivial[5];
  2. the information was provided in circumstances importing an obligation of confidence;
  3. there must be an unauthorised use or disclosure of the information, and, at least, the risk of damage[6].

The jurisdictional basis in English law of the action for breach of confidence is unclear. The foundation most regularly relied upon is contract. Frequently the parties will have incorporated express terms relating to confidentiality, but the courts have also commonly acted on the basis of an implied confidentiality provision in an existing contractual relationship. The courts have also created an equitable obligation of confidentiality autonomous of any contractual relationship. This obligation applies to the initial beneficiary of the information, and to third parties who receive unauthorized disclosures of confidential information. This has also been used in addition to a contractual obligation, and at times in substitution for a contractual obligation.

The duty that confidence should be preserved may be outweighed by various other public interest causes which call for use or disclosure in the public interest, either to the world at large or to the proper authorities. At times, a court will be required to balance the public interest in maintaining confidentiality against the public interest favouring use or disclosure[7]. Disclosure of confidential information will not be restrained where there is a ‘just cause or excuse for disclosing it’[8].

An ISP or ICP needs to weigh the need to protect data against the need to protect the public interest. A failure to safeguard the interests of their clients places the intermediary in danger of civil actions. This issue is a particular concern for ICPs (who have some obligation unless explicitly excluded in contract) and particularly for service providers specialising in the provision of security services. These providers are contracted to ensure that the security of their clients is maintained and are open to actions in both contract and negligence if they fail in their duties.

Data Protection

In December 2000, the Privacy Amendment (Private Sector) Act 2000[9] modified the Privacy Act[10] in Australia making it apply to various private sector organisations. The Australian legislation was updated to reflect the EU[11] and is based on the Organisation for Economic Cooperation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). The National Privacy Principles[12] (the NPPs) in the Privacy Act detail the methods that the private sector should use to “collect, use, keep secure and disclose personal information”.[13]

These principles provide individuals with a statutory right to discern the extent of information held concerning them by an organisation. It further introduces a right to correct information that is incorrect. An ISP or ICH in Australia would be covered by the amended Privacy Act. The State and Territory privacy legislation also needs to be considered.[14] Likewise, an ISP or ICP in the UK would be covered under the principles laid out in European Union Directive 95/46/EC.

An ISP or ICH that hosts sites for other parties could be held liable if it fails to maintain a reasonable level of system security and a breach of this leads to a compromise of an individual's private data.

Criminally, the UK has no legislation specifically focussed on the dishonest acquisition of pure information[15]. The law holds that information is not property capable of being stolen, as was decided in Oxford v Moss[16], where a university student broke into the Examination Committee’s premises, studied and made a copy of the exam paper and departed, leaving the original exam paper behind. The student’s actions were held not to be theft[17].

In the event that improperly obtained credit card numbers are published on a website, facilitating fraudulent purchases using those card numbers, liability may exist if the intermediary operator knows or ought to know of this action. It is possible that the ISP or ICP could also be a secondary participant in the crime[18]. There is also the possibility of a charge of conspiracy, if the necessary agreement between the intermediary and subscriber could be demonstrated (such as through a contract to not conduct standard checks).

Criminal liability may occur in instances where the subscriber of an ICP publishes passwords allowing unauthorised entry into a computer system. The intermediary may be liable for an offence under the Computer Misuse Act[19] that is committed using those passwords. The precise nature of any liability will be dependent on the facts of the case. In the event that the intermediary had advertised to a category of persons who are expected to execute an attack against a computer system using those passwords made available on the web server, this could amount to incitement to commit an offence under the Computer Misuse Act[20]. To establish incitement, it must be demonstrated that the defendant knew or believed that the individual so incited had the required mens rea to commit the offence. As the mens rea for an offence under Section 1 of the Computer Misuse Act is simply that the defendant intends to gain access to a computer system and knows that such access is not authorized, it would be a simple fact to establish.

Alternatively, the intermediary could be charged with aiding, abetting, counselling or procuring commission of an offence. In all cases, the defendant must have the intention to do the acts which he knows to be capable of assisting or encouraging the commission of a crime, but does not actually need to have the intent that such crime be committed. There must be a causal link for procurement; aiding requires support but not consensus nor causation, while abetting and counselling necessitate consensus but not causation.

[1] The Restatement and Uniform Trade Secrets Act (1985) USA. “In view of the substantial number of patents that are invalidated by the courts, many businesses now elect to protect commercially valuable information through reliance upon the state law of trade secret protection. Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470 (1974), which establishes that neither the Patent Clause of the United States Constitution nor the federal patent laws pre-empt state trade secret protection for patentable or unpatentable information, may well have increased the extent of this reliance”.
[2] Lord Nicholls in Campbell v MGN Ltd [2004] A.C.457 at 464-5 summarised the law of confidence as “[the imposition] of a duty of confidence whenever a person receives information he knows or ought to know is fairly and reasonably to be regarded as confidential”
[3] Douglas v Hello! Ltd [2001] QB 967, per Keene LJ.
[4] Campbell v MGN Ltd [2004] A.C.457
[5] Faccenda Chicken Ltd v Fowler [1987] Ch. 117
[6] Coco v AN Clark (Engineers) Ltd. [1969] RPC 41; Murray v Yorkshire Fund Managers Ltd [1968] 1 WLR 951. See generally Clerk & Lindsell on Torts, 19th edition (2006), Chapter 28, paragraphs 28-01 and 28-02
[7] Attorney General v Observer Ltd. and Others (on appeal from Attorney General v Guardian Newspapers (No.2)) [1990] 1 AC 109, see especially pages 281 B-H and 282 A-F, per Lord Goff of Chieveley. See: Clerk and Lindsell on Torts, 19th Edition (2006), Chapter 28, paragraph 28-05
[8] Malone v Metropolitan Police Commissioner [1979] 2 WLR 700 at 716, per Sir Robert Megarry V-C and see also W v Edgell [1990] Ch. 389; and R v Crozier [1991] Crim LR 138, CA.
[9] This Act came into effect from 21 December 2001.
[10] Australia has an informational privacy regime at the federal level based on the Privacy Act 1988 which initially applied mainly to Commonwealth and ACT Government public sector agencies.
[11] European Union Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[12] The National Privacy Principles are extracted from the compilation of Act No. 155 of 2000 Act No. 119 of 1988 that was prepared on 10 January 2001
[13] The Australian Office of the Privacy Commissioner has released “INFORMATION SHEET 2 -2001 Preparing for 21 December 2001” which is available from
[14] See further, The Office of the Federal Privacy Commissioner, Privacy in Australia
[15] There have been a number of cases in the United States which involve the publication of stolen proprietary information. For example, in United States v Riggs and Neidorf, 741 F.Supp.556 (N.D. Ill. 1990), the defendants had between them hacked into a Bell Telephone Company computer, obtained highly confidential information about that computer company’s emergency telephone number system, and had published it in a magazine. They were prosecuted under the 1986 Computer Fraud and Abuse Act, and also under federal statutes dealing with wire fraud and interstate transfer of stolen property.
[16] (1978) 68 Cr. App. R. 183
[17] In the UK, placing stolen Government confidential information on a bulletin board is likely to fall foul of the Official Secrets Act. However, catching the culprit is the main problem; the UK Government has been unable to prevent Sinn Fein putting information about police and army facilities and security on its Web page based in Texas.
[18] US cases involve Defense Department information (United States v Morrison, 859 F.2d.151 (4th Circuit 1988)), law enforcement records (United States v Girard, (2nd Circuit 1979)), banking information (United States v Cherif, 943 F.2d.692 (7th Circuit 1991)) and stock market information (Carpenter v United States, 484 U.S. 19 (1987)). Besides these federal statutes, which only apply where there has been a transfer across State lines, a number of States have laws which make criminal the theft of confidential information.
[19] Computer Misuse Act (1990) UK
[20] In a case involving police radar detectors, it was held that advertising an article for sale, representing its virtue to be that it may be used to do an act which is an offence, is an incitement to commit that offence, even if the advertisement is accompanied by a warning that the act is an offence.
