12
HACKERS
• Theft
• Extortion
• Mischief
• Possession of stolen property
• Unauthorized use of credit card data
• Interception of private communication
• Unauthorized use of a computer
15
BUDAPEST CONVENTION
Article 2 - Illegal Access
Intentional access to a computer system without right.
(with or without infringing security measures)
(with or without intent to obtain data or dishonest intent)
16
Unauthorized use of a computer
342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service;
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a computer system; or
(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c).
342.1(1) CRIMINAL CODE
• Obtain computer service
• Intercept any function of a computer system
• Uses a computer system with intent to obtain or intercept
• Uses / possesses / traffics in or permits another person to have access to a computer password
• Fraudulently
• Without colour of right
• Indictable or Summary
19
BUDAPEST CONVENTION
Article 3 - Illegal Interception
Interception of non-public transmissions of data to / from / within a computer system - without right.
(with or without dishonest intent)
(with or without connection to another computer system)
20
Interception of Communications
Interception
184 (1) Every one who, by means of any electro-magnetic, acoustic, mechanical or other device, wilfully intercepts a private communication is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years.
184(1) CRIMINAL CODE
• Intercept a private communication
• Wilfully
• Via: electro-magnetic, acoustic, mechanical or other device
• Indictable (max 5 yrs)
• Saving provision
• Management of system
• Protecting the system
21
Disclosure of information
193 (1) Where a private communication has been intercepted by means of an electro-magnetic, acoustic, mechanical or other device without the consent, express or implied, of the originator thereof or of the person intended by the originator thereof to receive it, every one who, without the express consent of the originator thereof or of the person intended by the originator thereof to receive it, wilfully
(a) uses or discloses the private communication or any part thereof or the substance, meaning or purport thereof or of any part thereof, or
(b) discloses the existence thereof,
is guilty of an indictable offence and liable to imprisonment for a term not exceeding two years.
193(1) CRIMINAL CODE
• Discloses the intercepted private communication
• Substance or meaning
• OR the existence of the private communication
• Without the express consent of the originator or the recipient
• Wilfully
• Indictable (max 2 yrs)
• Exemptions
22
Mischief in relation to computer data
(1.1) Everyone commits mischief who wilfully
(a) destroys or alters computer data;
(b) renders computer data meaningless, useless or ineffective;
(c) obstructs, interrupts or interferes with the lawful use of computer data; or
(d) obstructs, interrupts or interferes with a person in the lawful use of computer data or denies access to computer data to a person who is entitled to access to it.
430(1.1) CRIMINAL CODE
• Destroy / Alter data
• Renders data meaningless, useless, or ineffective
• Obstructs, interrupts, or interferes with lawful use of computer data or a person
• Wilfully
• Danger to life - Indictable (max life)
• Property - Indictable or Summary
31
DISCLAIMER:
“All of our analysis must not expose the users of Ashley Madison (at BinaryEdge privacy is of outmost respect and we do not condone the actions that were performed against the Ashley Madison website).”
blog.binaryedge.io
34
Possession of property obtained by crime
354 (1) Every one commits an offence who has in his possession any property or thing or any proceeds of any property or thing knowing that all or part of the property or thing or of the proceeds was obtained by or derived directly or indirectly from
(a) the commission in Canada of an offence punishable by indictment; or
(b) an act or omission anywhere that, if it had occurred in Canada, would have constituted an offence punishable by indictment.
354(1) CRIMINAL CODE
• Possess property you know is stolen
• Obtained or derived (directly or indirectly) from an indictable offence
35
Unauthorized use of credit card data
(3) Every person who, fraudulently and without colour of right, possesses, uses, traffics in or permits another person to use credit card data, including personal authentication information, whether or not the data is authentic, that would enable a person to use a credit card or to obtain the services that are provided by the issuer of a credit card to credit card holders is guilty of
(a) an indictable offence and is liable to imprisonment for a term not exceeding ten years; or
(b) an offence punishable on summary conviction.
342 CRIMINAL CODE
• Possess / use / traffics credit card data
• Data enabling use of credit card
• Whether or not data is authentic
• Indictable offence
36
Unauthorized use of computer
342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service;
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a computer system; or
(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c).
342.1(1) CRIMINAL CODE
• Uses / possesses / traffics in or permits another person to have access to a computer password
• Fraudulently
• Without colour of right
• Indictable or Summary
45
4.7 Principle 7 — Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
4.7.1 The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
4.7.2 The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.
4.7.3 The methods of protection should include
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
(c) technological measures, for example, the use of passwords and encryption.
4.7.4 Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.
4.7.5 Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 4.5.3).
4.7 PRINCIPLE 7 PIPEDA
• Info protected by security safeguards appropriate to sensitivity of info
• Protects against theft / unauthorized access
• More sensitive >> higher level of protection required
• Methods of Protection: includes passwords and encryption