
(1)

1.9 The Legal Framework

In this section you must be able to:

• Describe the provisions of the Computer Misuse Act.

• Describe the principles of software copyright and licensing agreements.

• Recall the nature, purpose and provisions of the current data protection legislation – rights, duties, exemptions, etc.


(2)

New Crimes Made Possible by ICT

New technology has created opportunities for crime:

• Software piracy (copying software illegally to sell)

• Hacking (unauthorised access to computer systems)

• Creation and distribution of viruses

• Distributing pornographic and other obscene material

• Fraudulent trading

• Credit card fraud


(3)

Abuse of ICT

There are also opportunities for the abuse of ICT:

• Sending unsolicited e-mails (now an offence in some countries)

• Creating inappropriate or misleading web-sites

• Registering a domain that might appear to belong to someone else – “cyber-squatting”

Inappropriate use of ICT is not necessarily illegal. It’s important to distinguish between:

Unethical use of ICT – i.e. morally questionable

Criminal activity – i.e. an offence under the various laws covering use of ICT


(4)

Where do Laws Come From?

There are three sources of law:

• Case law – i.e. judges’ rulings in court cases

• Acts of Parliament – e.g. Data Protection Act

• European laws & directives – e.g. VDU use

Laws change for many reasons:

• Social and political pressure – e.g. dangerous dogs

• Reaction to specific cases – e.g. Gold & Schifreen

• Combinations and clarifications of previous laws

• To close loopholes – e.g. “making off” and hacking


(5)

Laws Affecting ICT

There are various laws covering use of ICT:

• Computer Misuse Act 1990

• Data Protection Act 1984 & 1998

• Copyright, Designs and Patents Act 1988

• European VDU & health directive 1992

Plus, more general guidelines such as:

• Health and Safety legislation

• Offices, Shops and Railway Premises Act 1963

• Contract law – shrink-wrap agreement controversy!

Plus, what about things such as professional advice given by a computer?


(6)

Computer Misuse Act

• In the mid-1980s two hackers (Gold and Schifreen) got into the Duke of Edinburgh’s Prestel e-mail account and changed a message

• They were prosecuted, but the conviction was overturned on appeal: they hadn’t actually committed an offence under the law as it then stood (there was no theft and no fraud committed)

• People also started getting worried about viruses, which had started to appear in 1986

• In response, the government introduced the Computer Misuse Act 1990


(7)

Computer Misuse Act

Under the CMA there are three offences:

• Unauthorised access to computer programs or data

• Unauthorised access with further criminal intent

• Unauthorised modification of computer material (programs or data)

However…

• Unauthorised access can be difficult to detect

• The first people to be prosecuted (in 1997) were caught when boasting about their crime!


(8)

Computer Misuse Act

The CMA therefore protects us against:

• Hacking

• Theft and fraud carried out by way of unauthorised access (the second offence, access with further criminal intent)

• “Logic Bombs”

• “Denial of Service” attacks (whether the original 1990 wording of the modification offence covered these was contested in court; the Police and Justice Act 2006 amended it to cover any unauthorised act intended to impair the operation of a computer, which puts it beyond doubt)

• Viruses, which could commit offences at different levels depending on the payload:

– Some display harmless messages

– Some are deliberately malicious


(9)

Other Measures to Prevent Misuse

Other steps can be taken to prevent misuse.

• JavaScript, for example, was created with computer misuse in mind and was designed to limit what a script delivered by a web page can do, so that it cannot be used to create viruses:

– JavaScript in a browser cannot write directly to discs (other than cookies) and so cannot delete or change any of the user’s files

– There is no direct access to memory or to other hardware

• Note that this describes the browser sandbox of the time. Modern browsers also give scripts their own persistent storage (e.g. localStorage and IndexedDB), still confined to the site’s origin, and JavaScript run outside a browser (e.g. on a server under Node.js) has full file and network access. The protection comes from the sandbox the script runs in, not from the language itself.


(10)

Copyright and Patent

• Patents cover the ideas and concepts on which products or services operate:

– You can only patent software that performs a technical function – e.g. an encryption algorithm

– You can’t patent software that performs a human function, such as translating English to French

• Copyright covers the implementation of the idea – the actual words, images and sounds that you use


(11)

Copyright, Designs and Patents Act

• Under this act it is illegal to:

– Copy software

– Run pirated software

– Transmit software over a telecommunications link (thereby copying it)

• The act is enforced through the courts; FAST – the Federation Against Software Theft (and FACT for general copyright) – investigates infringement and pursues offenders on behalf of the industry

• The enforcement is complicated by:

– The confusion between copyright and patent

– Whether you can copyright a “look and feel”

– Contracts such as licensing and acceptable use agreements


(12)

Using Computers to Combat Crime

Computers can also be used to solve crimes:

• The Police National Computer (PNC) now allows forces across the country to share information

• Number-plate recognition can be used to identify people committing motoring offences

• Mobile phone records can be used to locate criminals and victims of crime

• Audit logs and records of e-mails and network traffic could be used as evidence
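Audit logs only hold up as evidence if it can be shown that nobody altered them after the event, and an intruder who has gained unauthorised access will often try to edit or delete the entries that record what they did. As an added illustration of that point (it is not part of the original slides), the following Python keeps a keyed hash chain over a log: each entry’s MAC covers the previous entry’s MAC as well as its own content, so editing, removing or reordering any entry breaks every check from that point on. The sample events, field names and key are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample events for the example; not real log data.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "user": "alice", "action": "login", "src": "10.0.0.5", "result": "ok"},
    {"ts": "2024-05-01T09:01:12Z", "user": "alice", "action": "read", "obj": "/hr/payroll.xlsx", "result": "ok"},
    {"ts": "2024-05-01T09:02:40Z", "user": "mallory", "action": "login", "src": "198.51.100.7", "result": "fail"},
    {"ts": "2024-05-01T09:02:41Z", "user": "mallory", "action": "login", "src": "198.51.100.7", "result": "ok"},
    {"ts": "2024-05-01T09:03:05Z", "user": "mallory", "action": "modify", "obj": "/hr/payroll.xlsx", "result": "ok"},
]

# The first entry chains back to a fixed all-zero "previous MAC".
GENESIS = "0" * 64


def canonical(event):
    """Serialise an event deterministically so the same event always MACs the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_mac(key, prev_mac, event):
    """HMAC over (previous MAC || event); the key is what stops an attacker recomputing the chain."""
    return hmac.new(key, prev_mac.encode() + b"\n" + canonical(event), hashlib.sha256).hexdigest()


def append_entry(chain, event, key):
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"seq": len(chain), "prev": prev, "event": event, "mac": entry_mac(key, prev, event)})
    return chain


def build_chain(events, key):
    chain = []
    for event in events:
        append_entry(chain, event, key)
    return chain


def verify_chain(chain, key):
    """Return (ok, first_bad_seq). Any edit, deletion or reordering is caught at the first affected entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(entry_mac(key, prev, entry["event"]), entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, None


def demo():
    """Build a chain, then show two tampering attempts being detected."""
    key = b"constructed-demo-key-keep-it-off-the-logging-host"  # assumption for the example
    chain = build_chain(SAMPLE_EVENTS, key)
    results = {"intact": verify_chain(chain, key)}

    # Attacker rewrites their own 'modify' event so it looks like a harmless read.
    edited = json.loads(json.dumps(chain))  # deep copy
    edited[4]["event"]["action"] = "read"
    results["edited"] = verify_chain(edited, key)

    # Attacker deletes the failed-login entry that shows them guessing a password.
    deleted = json.loads(json.dumps(chain))
    del deleted[2]
    results["deleted"] = verify_chain(deleted, key)
    return results


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name}: {'intact' if ok else 'broken at entry ' + str(bad)}")
```

A plain (unkeyed) hash chain would not be enough on its own: an attacker who can rewrite the log file can simply recompute every later hash. The MAC key therefore has to live somewhere the intruder cannot reach (a separate log server or an HSM), or the chain head must be published periodically to a place they cannot rewrite; either way the verifier, not the machine that was broken into, holds what is needed to prove the log is unchanged.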


(13)

Data Protection

• We all have a right to privacy

• There might be a variety of reasons why you’d want to keep something private:

– It might be possible to use the information for fraudulent purposes

– The information might be of a sensitive nature, such as medical records

– You might just not want people to know!


(14)

Data Protection Act

The Data Protection Act…

• Was introduced in 1984 and replaced in 1998 by a new Act implementing the European Data Protection Directive, creating a common standard for data protection across Europe (the 1998 Act has since been replaced by the Data Protection Act 2018 and the UK GDPR; the provisions, time limits and fees described in these slides are those of the 1998 regime)

• Originally covered personal data that are automatically processed but now covers some manual records as well

• Defines the terms data subject (the person about whom data is held) and data controller (called data user in the 1984 version)

• Requires that all data controllers (and the nature of the processing they do) must be recorded on the public register of data controllers


(15)

Data Protection Act – Eight Principles

Under the Data Protection Act, data must be…

• fairly and lawfully processed;

• processed for limited purposes and not in any manner incompatible with those purposes;

• adequate, relevant and not excessive;

• accurate;

• not kept for longer than is necessary;

• processed in line with the data subject’s rights;

• secure;

• not transferred to countries outside the European Economic Area without adequate protection.


(16)

Processing Personal Data

• Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual.

• Processing can only be carried out where:

– the individual has given his or her consent;

– the processing is necessary for the performance of a contract with the individual;

– the processing is required under a legal obligation;

– the processing is necessary to protect the vital interests of the individual;

– the processing is necessary to carry out public functions;

– the processing is necessary in order to pursue the


(17)

Data Protection Act – What Else?

• It covers any information recorded as part of a “relevant filing system” – i.e. information that is “readily accessible”

• Data controllers must take security measures to safeguard personal data – i.e. to prevent unlawful processing or disclosure

• There are certain exemptions from the DPA

• Data subjects have rights that are defined in


(18)

DPA – The Rights of Individuals

If data are held about you, you are entitled to be…

• given a description of the data

• told for what purposes the data are processed

• told the recipients or the classes of recipients to whom the data may have been disclosed

• given a copy of the information with any unintelligible terms explained

• given any information available to the controller about the source of the data

• given an explanation as to how any automated decisions taken about you have been made


(19)

DPA – The Rights of Individuals

Further rights include:

• The right to access the data held – under the 1998 Act within 40 days and at a cost of no more than £10 for computer records and £50 for paper records

• The right to rectify, block, erase or destroy details that are inaccurate, or opinions based on inaccurate data

• The right not to have your details used for direct marketing

• The right to compensation for damage caused if the Data Protection Act is breached


(20)

Exemptions from the DPA

The Act does not apply to:

• Payroll, pensions and accounts data

• Names and addresses held for distribution purposes

• Personal, family, household or recreational use

• Data can be disclosed to an agent of the subject, or in response to a medical emergency

• Use of data in cases dealing with national security, the prevention of crime, or the collection of taxes & duty


(21)

Criminal Offences under the DPA

• Notification offences – where the data controller fails to notify the commissioner of processing or changes to processing

• Procuring and selling offences – disclosing, selling or obtaining data without authorisation

• Enforced access offences – e.g. you can’t make someone make an access request as a condition of employment

• Other – such as failure to respond to a request or to breach an enforcement notice


(22)

Freedom of Information Act

• Covers all types of ‘recorded’ information held by public authorities

• Covers personal and non-personal data

• Public authorities include:

– Government Departments

– local authorities

– NHS bodies

– schools, colleges and universities

– the Police

– Parliament

– The Post Office

– The National Gallery

– The Parole Board

– Plus lots, lots more!

