There are fresh warnings for social media users to be careful about what they post online, after information from more than 214 million Facebook, Instagram and LinkedIn accounts – including 1.7 million Australian accounts – was found on an unsecured server belonging to a Chinese social media management company.
Personal information exposed
An investigation by the cyber security company ‘Safety Detectives’ has reported that, while most of the information was available online, the ability to determine a person’s full name, country of residence, place of work, job position and contact information can be dangerous in the wrong hands, especially given the information also allegedly included subscriber information that was not publicly posted.
The company says the data was likely obtained through ‘screen scraping’ or ‘data-scraping’, which is a practice often engaged in for business and marketing purposes.
Once data has been scraped, it is meant to be stored with proper cyber security protocols in place, so that it doesn’t fall into criminal hands.
But there are fresh calls for social media users to be wary about what they post online and how much personal information they divulge, and to continually check their account settings.
While users need to be responsible for their accounts and their posts, there’s also an obligation from large social media companies and in fact all websites which collect data, to have better protections in place to ensure that data breaches don’t occur.
What is data scraping?
Data scraping – which may also be known as screen scraping or web harvesting – is generally the act of using a software program to copy and extract data from a website, which may then be used for another purpose.
It is an automated process, which is usually implemented using software tools known as bots or crawlers. While most companies would object to their databases and content being ‘scraped’, many are powerless to stop it, unless they invest big in cyber security.
Is accessing private data an offence?
While there is no specific legislation in Australia which relates to ‘scraping’ data, the act of accessing or modifying data which is not publicly available, and is classed as ‘restricted data’, may be prosecuted under existing computer hacking legislation.
For example, unauthorised access to, or modification of, restricted data held in a computer is an offence under section 308H of the Crimes Act 1900 (NSW), which carries a maximum penalty of 2 years in prison.
To establish the offence, the prosecution must prove beyond reasonable doubt that:
- You caused access to, or modification of, data held in a computer,
- You did so intentionally,
- You were not authorised to cause that access or modification,
- The data was restricted data, and
- You knew the data was restricted data.
‘Data held in a computer’ means:
- Data entered or copied into a computer,
- Data held in any removable storage which was in a computer for a time, or
- Data held in any data storage device on a computer network of which a computer forms a part.
A ‘data storage device’ is any thing, including a disk or file server, which contains or is designed to contain data for use by a computer.
‘Access’ to data held in a computer means:
- The display of data by the computer or any other output of the data,
- The copying or moving of the data to any other place in the computer or to any data storage device, or
- The execution of any program.
‘Modification’ of data held in a computer means:
- The alteration or removal of data, or
- The addition of data.
Your actions were ‘unauthorised’ if you were not entitled to cause them. However, your actions are not unauthorised merely because you had an ulterior motive for them, or if:
- You were an ‘authorised person’ such as a police or other law enforcement officer,
- The computer disk, credit card or other device was in your lawful custody, and
- Your actions were to preserve, or to prevent the concealment, fabrication, destruction or loss of, evidence of any offence.
‘Restricted data’ means data held in a computer to which access is restricted by an access control system associated with a function of the computer.
Proceedings for the offence must be commenced no later than 12 months from the date of the alleged commission of the offence.
Duress is a defence to the charge.
Other legal avenues for prosecution may include existing copyright laws, which would potentially offer protection for website content or articles, which can also be vulnerable to ‘screen scraping’. In Australia, copying data or substantially copying data from a third party website without the authority of the owner may infringe copyright.
However, it is a question for the courts to determine whether data qualifies for copyright protection.
Many companies also explicitly state that scraping content or data is a breach of their website’s basic terms and conditions, which may offer them legal protection if they choose to pursue civil action, but this requires being able to detect that the screen scraping has occurred, and to be able to track and trace the perpetrator.
Going to court for a data-related offence?
If you are charged with ‘unauthorised access to restricted data’ or another data-related offence, call us today on (02) 9261 8881 to arrange a free first appointment and let our experienced criminal defence lawyers advise you about your options and the best way forward.