Crime of Negligence
The Oxford University network is a criminal's dream.
Patrick Foster and Roger Waite of the Oxford Student were given several reports about this; after hearing one time too many how easy it was to hack, they contacted authorities. Receiving no response, they decided to look into the matter themselves to bring pressure to bear on the issue.
They gathered their data and presented it - without disclosing the exploits. Authorities responded by bringing Foster and Waite up on charges and reporting the matter to the Thames Valley Police as a violation of the Computer Misuse Act 1990.
The Oxford University network remains insecure.
The Computer Misuse Act was originally designed to outlaw the damaging of computer systems; only at the very last moment was a frenetic addition made also outlawing intrusion itself.
As journalists, Foster and Waite could not publish without corroborating the stories; as responsible users of the system, they had to inform authorities and attempt to bring about a change; mindful of security issues, they understood they could not go public with the details of the exploits.
When the university refused to react, they chose to check the story for themselves, publish a warning on the website, and collect all the information and turn it over to the university.
The university's response was not to secure the network but to bring Foster and Waite up on charges.
Those using the Oxford University network were never told their confidential data could so easily be stolen or that the university CCTV system could so easily be disabled. An unnamed university spokeswoman defended current security policy with the following statement to the press.
'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.'
Which might theoretically be considered permissible - as long as the same spokeswoman has long since - in good time - decreed for all to hear:
DUE TO BUDGET CUTS ALL OUR NETWORKING SERVICES ARE CLOSED UNTIL FURTHER NOTICE. USERS ARE ADVISED THAT NO DATA IN THIS COMPUTER SYSTEM HAS BEEN SECURE. USERS ARE ALSO ADVISED THAT THE CCTV SYSTEM IS INSECURE.
AS THE UNIVERSITY CAN NO LONGER TAKE RESPONSIBILITY FOR YOUR PHYSICAL WELL-BEING, YOU ARE ADVISED TO TRANSFER IMMEDIATELY TO ANOTHER UNIVERSITY WHICH DOES NOT TAKE YOUR PERSONAL WELFARE SO LIGHTLY. THANK YOU.
But of course no such statement ever reached the public.
Students at Oxford are now up in arms, and rightfully so. A final comment from the same spokeswoman insisting on anonymity shows where security consciousness lies.
'The university knows that the vast majority of students greatly appreciate their free access to excellent computing facilities and would not abuse that access.'
Goebbels gobbledegook. Anyone found guilty of issuing such statements should be neutered.
Foster and Waite now face serious charges, both at Oxford and possibly again with the police - despite the fact that they handled the issue in an ethical manner, corroborating the stories they had been given, informing the university before publishing, and so forth.
The university, on their side, counter with cheap propaganda.
People expect data to be secure. In fact, they have a right to expect this, protected as they are by the Data Protection Act 1998. Oxford University are in grave violation of that act, and may in theory be brought up on criminal charges.
The university demonstrates a very lax attitude towards the best interests of the network users, and responds to alarm reports about both virtual and physical threats with nose-up dismissals.
The Computer Misuse Act 1990 deals only with intrusion, not with responsibility. Entrusted with the welfare of their users, the university have to offer a modicum of an effort to make that trust justifiable. So says the Data Protection Act 1998.
Negligence is a crime, and Oxford University should be brought up on charges. Foster and Waite should not only be exonerated: the university should both apologise for its behaviour and thank them for their work.