The protection of electronic data and privacy is becoming increasingly important. Increasingly sophisticated scams are continuously emerging. Possessing personal details makes it much easier for scammers to target individuals effectively. The Australian legal system takes digital privacy very seriously.

The unauthorized access of someone's email or cloud storage account, even by guessing their password, is a serious issue that can lead to legal consequences. This article delves into the legal framework surrounding such actions, primarily focusing on Australian law, and highlights the potential ramifications of unauthorized access to someone else's email and files.

Commonwealth Law

The Criminal Code Act 1995 (Cth) plays a crucial role in addressing unauthorized access to data. Section 477.1 specifically makes it an offence to cause unauthorised access, modification, or impairment of data held in a computer or electronic communication to or from a computer. Under 477.1(a), for the prosecution to establish a case, it must prove that the accused knew the access was unauthorized and intended to commit or facilitate a serious offence through this action.

This section indicates the severity with which the law treats unauthorised access to data, emphasizing both the awareness of the illegality of the action and the intention behind it. Furthermore, Section 478.1 of the same act stipulates three key elements constituting an offence: unauthorized access to or modification of restricted data, intent to cause such access or modification, and knowledge that the access or modification is unauthorised. Restricted data, as defined by the law, is data held in a computer and protected by an access control system, like a password or encryption. This section underscores the legal protection extended to data that is explicitly safeguarded by security measures.

Western Australian Law

In Western Australia's legal framework, a pivotal addition was made in 1990 with the enactment of section 440A in the Criminal Code, denoted as 'unlawful operation of a computer system'. This legal provision targets individuals who access or operate a computer system without authorization. Specifically, it addresses the unauthorized access to information stored within a restricted access system, or the unauthorized operation of such a system in any manner not originally permitted.

A restricted access system, as defined by this law, refers to a computer system, or any part or application of it, which is accessible solely through a specific code. This code is deliberately kept confidential by the person in control of the system, or is made available only to a select group of authorized individuals. Although this section is primarily designed to address the issue of external hacking, it also raises intricate legal questions about the point at which initially authorized access shifts into unauthorized territory. This can happen either by exceeding the bounds of initial permissions or through the subsequent usage of data or information that was accessed under those initial permissions.

Accessing someone's email by guessing their password would constitute an offence under Section 440A of the Criminal Code Act Compilation Act 1913 in Western Australia. This section of the law specifically addresses the unauthorized use of a restricted-access computer system. In this context, an email account can be considered a part of such a system, especially as it is typically protected by a password or another form of security measure.

Guessing someone's password and using it to access their email would fall under the definition of 'use' as per the Act. This action equates to accessing information stored in the system (in this case, the email account) without the owner's authorization. The fact that access was gained by guessing the password does not mitigate the illegality of the act. The law does not differentiate between hacking into a system through sophisticated means and unauthorized entry through guessing a password — both are deemed unlawful if done without proper authorization.

Case Law

The case of Salter v The Director of Public Prosecutions (NSW) [2011] NSWCA 190 provides a practical illustration of these laws in action.

As a police officer, Natalie Salter accessed the police database, known as COPS, for personal reasons, breaching the trust inherent in her position. Her targets were varied: her ex-husband, his new partner, her relatives, and an individual she had clashed with over a car accident. None of her actions served official police purposes. Driven by motives like curiosity, jealousy, or even revenge, Salter's actions landed her in legal trouble, leading to charges of 22 offences of unauthorized access to restricted data under s 308H of the Crimes Act 1900 (NSW).

In the Local Court, Salter's defence was that she was simply browsing the database out of habit or boredom, without any ulterior purpose. She also claimed ignorance about the restricted nature of the data, insisting that she had no intention to use the information for any unlawful purpose. Despite her arguments, the magistrate found her guilty on all counts, resulting in a sentence of 18 months imprisonment, with a non-parole period of 12 months.

The complexities of her case came to the forefront when Salter appealed to the Supreme Court. Her appeal raised several issues, including the alleged failure of the prosecution to prove an ulterior purpose for her actions and the claim that the convictions were oppressive and unreasonable. She further argued that s 308H infringed upon the implied freedom of political communication and contended that the section was ambiguous and uncertain.

The Court of Appeal's decision was a decisive moment in this saga. The court dismissed her appeal, upholding both the convictions and the sentence. A key finding was that Salter had accessed the data with the intention of committing or facilitating a serious indictable offence. The Court found her motivations included potential stalking, harassment, intimidation, blackmail, or fraud, all serious indictable offences. It rejected her claims of ignorance and lack of unlawful intent as implausible.

Addressing Salter's constitutional challenge, the Court of Appeal held that s 308H did not impermissibly burden the implied freedom of political communication. The law, according to the court, served the legitimate end of protecting the integrity and security of computer systems and data, compatible with the constitutional system. The court also found that s 308H was reasonably appropriate and adapted to this end, targeting only the access of restricted data with an ulterior purpose and not hindering lawful access for legitimate purposes.

Finally, the Court tackled the argument about the ambiguity of s 308H. It declared the section clear and objectively applicable, based on each case's specific facts and circumstances. The court clarified that the section applies to access to restricted data with the intention of committing a serious indictable offence, or facilitating such an offence by another person, providing clear and objective elements for its application.

Through the lens of Natalie Salter's case, the article highlights the serious legal implications and ethical responsibilities associated with accessing restricted data, especially for those in positions of trust and authority.