Off topic: what is sensitive information on a website?

[Dave Ryan <dave () mongers org>]

Hi list,

This is possibly off topic, but I figured that the technical experts in
the field were better positioned to offer a helpful answer/opinion to my
questions.

In the course of accessing a website (which, for our purposes, we will
consider as "the platforms necessary to deliver the services provide")
what constitutes legal and illegal access to information?

    1.  Is an authentication and authorisation procedure required to
        grant access to what $SITEX deems sensitive? What is the minimum
        requirement for distinguishing between public/sensitive
        information? At what point must a user be notified about this?

    2.  Must information be classified? Must users of the site,
        regardless of whether they are authorised to access sensitive
        information be notified that certain information is stored on
        the site and authorisation must be granted prior to accessing?
        (again, this relates to 1)

    3.  In the absence of an authentication/authorisation procedure,
        what constitutes as protection for the information? For example
        if I attempt to inject SQL into a database to return data, but
        this data has not been marked sensitive (i.e. the site security
        policy is not communicated to the user) am I committing a crime?
        I suppose other laws come into play at this point (DPA). But if
        am unaware as to the nature of the data, is the site in
        olation by not affording the information adequate protection?
        (At this point I suppose I should report this to the DP
        Commissioner, but what is my legal position?).

    4.  What if I attempt to validate the controls in place, i.e. I do
        not attempt to exploit a weakness but I do check for the 
        existence of one (e.g. I test for error codes;). In this 
        instance, have I committed a crime by putting the system into a 
        state where it generates an error code (assume the system has 
        not been damaged/modified/etc due to this activity). Many real
        word analogies to this one (e.g. checking a door to see if it is 
        locked), etc.

I suppose the underlying question is:

    What is misuse and must I be informed of what constitutes misuse on
    each website I visit?

As a reference, I offer section Section 1 of the Computer Misuse Act,
1990 (c. 18) [UK] states:

Unauthorised Access to Computer Material

1. - (1) A person is guilty of an offence if -

        (a) he causes a computer to perform any function with intent
            to secure access to any program or data held in any
            computer;

        (b) the access he intends to secure is unauthorised; and

        (c) he knows at the time when he causes the computer to perform
            the function that that is the case

    (2) The intent a person has to have to commit an offence under
        this section need not be directed at -

        (a) any particular program or data;

        (b) a program or data of any partciular kind; or

        (c) a program or data held in any particular computer

Thanks in advance for your opinions (or pointers to the obvious answers
I may have missed).

Kind Regards,
Dave.

-- 
http://dave.mongers.org