TL;DR
Under the Computer Misuse Act 1990 (the UK's main hacking law), knowingly accessing a computer system without authorisation is an offence in itself, even if you only look and cause no harm. What you do once inside (stealing data, committing fraud, damaging or disrupting the system) determines whether the more serious offences apply and how heavily the conduct is punished. The central questions are whether the access was authorised and whether you knew it was not.
Understanding the Law
The main law covering hacking in the UK is the Computer Misuse Act 1990. It has been amended since (notably by the Police and Justice Act 2006 and the Serious Crime Act 2015), but the core principles remain. Its three original offences are:
- Section 1: Unauthorised access to computer material. Causing a computer to perform any function with intent to gain access to a program or data, knowing that the access is unauthorised. No damage, theft or further crime is required.
- Section 2: Unauthorised access with intent to commit or facilitate further offences. A Section 1 access carried out with the plan to commit another offence, such as fraud or theft.
- Section 3: Unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer. Damaging, deleting or disrupting systems or data, including by malware or denial of service.
Later amendments added Section 3A (making, supplying or obtaining tools for use in these offences) and Section 3ZA (unauthorised acts causing, or creating a significant risk of, serious damage to human welfare, the economy, the environment or national security).
Is Just Looking Illegal?
It depends on whether the access was authorised, not on whether you caused harm. If content is genuinely public (a web page anyone can reach, an FTP server deliberately left open for downloads), viewing it is authorised access and not an offence. But if you know that you are not permitted to be there, Section 1 applies as soon as you gain access: copying nothing and changing nothing is not a defence, although it will matter at sentencing. Signs that access is unauthorised include a login prompt you bypassed, a directory clearly marked private, or reaching data by guessing URLs or manipulating request parameters. Accidentally landing in an exposed directory is a grey area that turns on what you knew at the time and what you did next; continuing to browse once it is obvious the material was not meant to be public moves you from accident towards knowing unauthorised access, and any disruption you cause (even unintentionally) can bring Section 3 into play if you were reckless about it.
What Makes Access Criminal?
- Unauthorised access itself: Knowingly accessing a system or data you are not permitted to access is a Section 1 offence regardless of what you do afterwards.
- Data theft: Copying, downloading or sharing data obtained that way is treated far more seriously and may also be charged under other laws, such as the Data Protection Act 2018 (unlawfully obtaining personal data) or the Fraud Act 2006.
- Damage to systems: Deleting files, installing malware or disrupting services falls under Section 3; where the result is serious damage to human welfare, the economy or national security, Section 3ZA applies.
- Intent: Accessing a system with the intention of committing fraud, causing harm or stealing data escalates a Section 1 offence to Section 2 or Section 3, which carry heavier sentences.
- Circumventing security measures: Bypassing a login, cracking a password or exploiting a vulnerability to gain access is strong evidence that you knew the access was unauthorised, and is an offence even if you take nothing.
- Sentences: Maximum sentences on indictment are two years for Section 1, five years for Section 2, ten years for Section 3, and fourteen years for Section 3ZA (life imprisonment where the damage causes loss of life, serious injury or harm to national security).
Examples
- Not illegal (usually): Browsing a public FTP server whose files are intentionally published. The access is authorised, so Section 1 is not engaged; stop if it becomes clear the files were not meant to be public.
- Illegal (Section 1): Using a password cracker to get into someone's email account, even if you only read the messages. Obtaining or supplying the cracking tool for that purpose can separately be a Section 3A offence.
- Illegal (Section 1, and Section 2 where the data is to be used for fraud or another offence): Downloading customer data from a database you broke into.
- Illegal (Section 3, and potentially Section 3ZA): Installing ransomware on a company's server.
How is Intent Proven?
Intent is usually proved from circumstantial evidence rather than a confession. Prosecutors and investigators will look at:
- Your actions before, during and after the access: searching for or downloading attack tools, reconnaissance of the target, attempts to cover your tracks, or attempts to sell or publish data.
- The context of the access: a disgruntled or recently dismissed employee, a financial motive, or being paid by a third party to break in.
- Any communications: emails, chat logs, forum posts or social media messages that show planning or motive.
Forensic artefacts (shell and browser history, downloaded tools, and logs on both your machine and the target) typically form the core of this evidence.
Penetration Testing & Ethical Hacking
Authorisation is what takes these acts outside the Act: the offences require access to be unauthorised, so a security professional testing with permission from the person entitled to control the system commits no offence. That permission should be a written, signed scope document (rules of engagement) naming the systems, IP ranges and time window, signed by someone who actually has authority over those systems. Anything outside that scope is unauthorised access in the ordinary way, so check the scope before pivoting to a newly discovered host. Where the target runs on third-party infrastructure (a cloud provider or shared hosting), the provider's own testing policy or permission may also be needed.
Reporting Vulnerabilities
If you find a vulnerability in a system, reporting it to the owner, or through their bug bounty or vulnerability disclosure programme if they run one, is the best course of action. Stay within what the programme's policy explicitly permits and do no more than is needed to demonstrate the flaw: do not download data, pivot to other systems, or run tests that could disrupt production. Reporting does not retroactively authorise the access you used to find the issue, and UK law currently has no safe-harbour defence for good-faith security research, so a proof of concept that goes beyond the programme's terms can still be a Section 1 or Section 3 offence. The NCSC publishes a Vulnerability Disclosure Toolkit for organisations that want to set up a reporting channel.
What if I Think I’ve Been Hacked?
- Preserve evidence: Before wiping anything, note what you saw, keep logs and, if practical, take a disk image; investigators and insurers will ask for it.
- Change your passwords: From a device you trust, change the passwords on all affected accounts and enable multi-factor authentication; if a compromised password was reused elsewhere, change those accounts too.
- Scan for malware: Run a full system scan with reputable antivirus software; if a machine is clearly compromised, reinstalling from a known-good image is safer than trying to clean it.
- Report the incident: Contact Action Fraud (https://www.actionfraud.police.uk/), the UK's national reporting centre for fraud and cybercrime (in Scotland, report to Police Scotland). Organisations may also have a duty to notify the ICO within 72 hours if personal data has been breached.