Thursday, 12 April 2012

Digital theft

An article today "Code can't be stolen under federal law, court rules" http://news.cnet.com/8301-1009_3-57412779-83/code-cant-be-stolen-under-federal-law-court-rules/ caught me eye today. I found this interesting as how theft applies to the digital world.

In the article it mentions how former Goldman Sachs programmer Sergey Aleynikov was convicted in December 2010 of downloading code for Goldman Sachs' high-speed computerised trading operations and uploading it to an overseas server before he left the Wall Street investment bank in 2009. Chief Judge Dennis Jacobs in an appeal against the conviction said "because Aleynikov did not 'assume physical control' over anything when he took the source code, and because he did not thereby 'deprive [Goldman] of its use". He went on to saw  "We decline to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age."

Which gives us a problem when convicting cyber-criminals as too which law should be used. Could the same problem occur in the UK.

In the physical world theft normally means deprive someone of their property and in the UK the Theft Act 1968 defines theft as

(1)A person is guilty of theft if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and thief and steal shall be construed accordingly.
(2)It is immaterial whether the appropriation is made with a view to gain, or is made for the thief own benefit.

Interestingly it define property as

(1)Property includes money and all other property, real or personal, including things in action and other intangible property.

It also has defines “Belonging to another”..

(1)Property shall be regarded as belonging to any person having possession or control of it, or having in it any proprietary right or interest

So it in terms of whether software which is intangible would be included under the definition of property and of belonging to another.

However in the UK as the USA there can be argument about the intention of permanently depriving the other of it as effectively a copy is made and therefore the owner is not deprived of the property. Taking a disk with the only code on it, or copying and then deleting the code would permanently depriving the owner of the code and therefore be prosecutable under the Theft Act in the UK under the these particular circumstances. It would be possible to use Intellectual Property right and copyright laws to prosecute an authorised copy of the code but the penalties are not as sever as the theft act.

The Computer and Misuse Act 1990 and modified by the Police and Justice Act 2006 gives the following offences which do not apply to the theft of material, however it may be possible that section 1 could be used if access to the material was not part of an employee's role.

1.unauthorised access to computer material,
2.unauthorised access with intent to commit or facilitate commission of further offences,
3.unauthorised modification of computer material
3A.Making, supplying or obtaining articles for use in computer misuse offences


There appears to be very little to protect businesses from competition from former employees, consultants or anyone else.

In order to protect a company under English law businesses should set in place contractual obligations on employees and consultants to maximise the legal means to protect intellectual property rights, confidential information and trade secrets against information theft and industrial espionage at the outset, and during the course of the relationship as seniority increases to garner some protection against theft when an employee leaves for employment else where. When an employee does leave with confidential information it is a breach of confidence that the employers had placed in them. In UK law it is possible to have a breach of confidence

The test for a cause of action for breach of confidence is.

1. the information itself must have the necessary quality of confidence about it;
2. that information must have been imparted in circumstances imparting an obligation of confidence;
3. there must be an unauthorised use of that information to the detriment of the party communicating it.

The test scenarios here are ones need for a digital theft/copying act to ensure that theft or copying of  of an intangible property can be prosecuted when it has a detriment affect on a business.

It is interesting that at the end of the article about Sergey Aleynikov it mentions the appeals court the previous day had rejected the USA government's broad interpretation of a nearly 30-year-old anti-hacking law in trying to prosecute a man for misappropriation of trade secrets. The Appeals judges ruled yesterday that the government's interpretation of the 1984 federal Computer Fraud and Abuse Act could lead to millions of Americans being subjected to prosecution for harmless Web surfing at work, probably not the intention of the USA court or if common sense was used, but both cases highlight the need for careful wording of any legislation to ensure there are no loopholes or it is too broad in scope as common sense is not a constant across a population.

Conclusion

In the digital world it can be very difficult to apply laws that where developed for the physical world, also that computer laws are still not sufficient to cover adequate the type of offences that can be committed in the digital world. Legislators still do not understand what the digital world is and how manipulation of digital data can be very profitable and that laws need to implemented quicker to try and catch up with the digital economy.

No comments:

Post a Comment