UWI implores lawmakers to be careful in their definition of ‘unauthorised access’ in Cybercrimes Act
KINGSTON, Jamaica— The University of the West Indies (UWI) has told members of the Joint Select Committee of the Parliament reviewing the Cybercrimes Act, 2015, to tread carefully with their definition of the term “unauthorised access”.
“Our greatest concern stems from the Act’s definition of what constitutes unauthorised access,” the UWI said in its written submission before the committee on Wednesday.
Pointing out that the definition of unauthorised access was pervasive throughout the Act, the UWI said a definition that more accurately represents access to resources in the digital world was needed.
It pointed to part I, section 4 of the Act, which states that “a person accesses [a computer or data]…without authorisation if (a) he is not himself entitled to control the access, modification, use or function of the kind in question; (b) he does not have consent for the access, modification, use or function of the kind in question from any person who is so entitled; and (c) he is not acting pursuant to a power or function given to him under this Act or the Interception of Communications Act, and then the word ‘unauthorised’ shall be construed accordingly.”
“The problem with this definition is that the reference to consent in (b) implies an explicit granting of privilege, by another person, to access the resource [data or computer] in question; but in an online world, the decision to disseminate information is negotiated by machines, and therefore a user could be liable for ‘unauthorised access’ under this definition through the negligent implementation of an online data resource by the resource owner,” the UWI warned.
It argued that this definition places the onus entirely upon an individual who may access a resource, regardless of whether or not measures were implemented by the resource’s owner(s) to regulate its use.
“In environments which preceded our own where handwriting and paper-based resources were standard, this definition would suffice,” the UWI stated.
It said that when individuals send information via the post, items (a) through (c) above accurately capture who has authority to access it when it is sealed within an envelope, because the envelope is addressed to its intended recipient and the processes and procedures of the central sorting office are used to ensure its delivery.
“In this scenario it is reasonable to hold anyone who accesses the information, and does not satisfy any of (a) through (c), liable for unauthorised access. However, if the information had been sent on a postcard instead, it would seem unreasonable to do so”, the regional university posited.
According to the UWI, online data is analogous to information on a postcard. It said information is, by default, unprivileged, and therefore everyone is implicitly authorised to access it.
“If access to the information is intended to be restricted to a privileged group, there must be demonstrable measures taken by the resource owner to establish that the information is privileged, for example, through authentication challenges, encryption or other available mechanisms to restrict access to the information. In the digital world, placing a resource (in particular data) in any environment, other than one that is completely isolated, without its owner including and implementing privilege designation and subsequent access control is analogous to the owner sending a postcard,” said the UWI.
It said there are myriad examples of people who have unintentionally accessed a resource in which they have absolutely no interest because the resource’s owner did not secure it. A typical and common example, it said, would involve a customer who visits a company’s website, clicks on a link or accidentally enters an invalid character while providing company-requested information, and receives restricted information from the company’s system as a result of the software’s poorly written code.
The UWI said that “In the digital world authorisation is defined by creating rules of use and any access that occurs without any authorisation challenge is deemed to be authorised. The local environment we wish to engender is one where individuals may find flaws or vulnerabilities, including poorly defined privilege and access controls, and report them without fear of possible prosecution. Such a scenario is completely removed from one who circumvents digital controls and escalates to other activities. It is this circumvention that demonstrates the intentional violation of privilege and access control that was implemented by the resource’s owner(s) but only when such controls exist”.
It has recommended that the definition of unauthorised access be amended to stipulate that such access occurs when an individual attempts (successfully or not) to circumvent the digitally implemented privilege assignment and access controls included with a resource.
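To make the contrast concrete, the following is an added, constructed model (not part of the article or the UWI submission) that encodes the section 4 test as quoted above and the UWI’s proposed circumvention-based test, then applies both to the sealed-envelope, postcard and buggy-website situations the submission describes. The `Resource` and `Access` fields are assumptions of this model, not terms from the Act.

```python
from dataclasses import dataclass

# Constructed model of the two definitions the article contrasts; it is an
# illustration, not legal advice and not the wording of either party.

@dataclass(frozen=True)
class Resource:
    owner: str
    # True only when the owner implemented a privilege designation and an
    # access control (authentication challenge, encryption, ...): the
    # "sealed envelope". False is the "postcard".
    has_access_control: bool = False
    consented: frozenset = frozenset()  # principals the owner granted access

@dataclass(frozen=True)
class Access:
    principal: str
    resource: Resource
    circumvented_control: bool = False  # attempted to defeat a control
    statutory_power: bool = False       # acting under the Act or the
                                        # Interception of Communications Act

def unauthorised_s4(a: Access) -> bool:
    """Part I, section 4 as quoted: unauthorised if (a), (b) and (c) all hold."""
    a_not_controller = a.principal != a.resource.owner          # (a)
    b_no_consent = a.principal not in a.resource.consented      # (b)
    c_no_statutory_power = not a.statutory_power                # (c)
    return a_not_controller and b_no_consent and c_no_statutory_power

def unauthorised_uwi(a: Access) -> bool:
    """UWI proposal: unauthorised only when the principal attempts to
    circumvent a digitally implemented access control; with no control in
    place, access is deemed authorised."""
    return a.resource.has_access_control and a.circumvented_control

def scenarios() -> dict:
    """Return {scenario: (unauthorised under s.4, unauthorised under UWI)}."""
    envelope = Resource("alice", has_access_control=True,
                        consented=frozenset({"bob"}))
    postcard = Resource("alice")    # owner implemented no control
    website = Resource("company")   # restricted data reachable via a bug
    cases = {
        "recipient opens sealed envelope": Access("bob", envelope),
        "stranger opens sealed envelope": Access("mallory", envelope,
                                                 circumvented_control=True),
        "passer-by reads postcard": Access("carol", postcard),
        "customer clicks link, gets restricted data": Access("customer", website),
        "owner reads own data": Access("company", website),
    }
    return {n: (unauthorised_s4(x), unauthorised_uwi(x)) for n, x in cases.items()}
```

The two tests agree on the envelope cases and on the owner, and diverge exactly on the postcard and the unprotected website path, which is the situation the submission says should not attract liability.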
“Here the term ‘resource’ is used collectively to describe the terms defined in part I, section 2 denoted as ‘interpretation’,” said the UWI.