1.9 The Legal Framework
In this section you must be able to:
• Describe the provisions of the Computer Misuse Act.
• Describe the principles of software copyright and licensing agreements.
• Recall the nature, purpose and provisions of the current data protection legislation – rights, duties, exemptions, etc.
New Crimes Made Possible by ICT
New technology has created opportunities for crime:
• Software piracy (copying software illegally to sell)
• Hacking (unauthorised access to computer systems)
• Creation and distribution of viruses
• Distributing pornographic and other obscene material
• Fraudulent trading
• Credit card fraud
Abuse of ICT
There are also opportunities for the abuse of ICT:
• Sending unsolicited e-mails (now an offence in some countries)
• Creating inappropriate or misleading websites
• Registering a domain that might appear to belong to someone else – “cyber-squatting”
Inappropriate use of ICT is not necessarily illegal. It’s important to distinguish between:
• Unethical use of ICT – i.e. morally questionable
• Criminal activity – i.e. an offence under the various laws covering use of ICT
Where do Laws Come From?
There are three sources of law:
• Case law – i.e. judges’ rulings in court cases
• Acts of Parliament – e.g. Data Protection Act
• European laws & directives – e.g. VDU use
Laws change for many reasons:
• Social and political pressure – e.g. dangerous dogs
• Reaction to specific cases – e.g. Gold & Schifreen
• Combinations and clarifications of previous laws
• To close loopholes – e.g. “making off” and hacking
Laws Affecting ICT
There are various laws covering use of ICT:
• Computer Misuse Act 1990
• Data Protection Act 1984 & 1998
• Copyright, Designs and Patents Act 1988
• European VDU & health directive 1992
Plus, more general guidelines such as:
• Health and Safety legislation
• Offices, Shops and Railways Act 1963
• Contract law – shrink-wrap agreement controversy!
Plus what about things such as professional advice given by a computer?
Computer Misuse Act
• In 1988 two teenagers “hacked” the Duke of Edinburgh’s e-mail account and changed a message
• They were taken to court, but hadn’t actually committed an offence (there was no theft and no fraud committed)
• People also started getting worried about viruses, which had started to appear in 1986
• In response, the government introduced the
Computer Misuse Act
Under the CMA there are three offences:
• Unauthorised access to computer programs or data
• Unauthorised access with further criminal intent
• Unauthorised modification of computer material (programs or data)
However…
• Unauthorised access can be difficult to detect
• The first people to be prosecuted (in 1997) were caught when boasting about their crime!
Computer Misuse Act
The CMA therefore protects us against:
• Hacking
• Theft and Fraud
• “Logic Bombs”
• “Denial of Service” attacks
• Viruses could commit offences at different levels depending on the payload:
– Some display harmless messages
– Some are deliberately malicious
Other Measures to Prevent Misuse
Other steps can be taken to prevent misuse.
• JavaScript, for example, was created with computer misuse in mind and was designed to prevent it being used to create viruses:
– JavaScript cannot write directly to discs (other than cookies) and so cannot delete or change any files
– There is no direct access to memory or to other hardware
Copyright and Patent
• Patents cover the ideas and concepts on which products or services operate:
– You can only patent software that performs a technical function – e.g. an encryption algorithm
– You can’t patent software that performs a human function, such as translating English to French
• Copyright covers the implementation of the idea – the actual words, images and sounds that you use
Copyright, Designs and Patents Act
• Under this act it is illegal to:
– Copy software
– Run pirated software
– Transmit software over a telecommunications link (thereby copying it)
• The act is enforced by FAST – the Federation Against Software Theft (also FACT for general copyright)
• The enforcement is complicated by:
– The confusion between copyright and patent
– Whether you can copyright a “look and feel”
– Contracts such as licensing and acceptable use agreements
Using Computers to Combat Crime
Computers can also be used to solve crimes:
• The Police National Computer (PNC) now allows forces across the country to share information
• Number-plate recognition can be used to identify people committing motoring offences
• Mobile phone records can be used to locate criminals and victims of crime
• Audit logs and records of e-mails and network traffic could be used as evidence
Data Protection
• We all have a right to privacy
• There might be a variety of reasons why you’d want to keep something private:
– It might be possible to use the information for fraudulent purposes
– The information might be of a sensitive nature, such as medical records
– You might just not want people to know!
Data Protection Act
The Data Protection Act…
• Was introduced in 1984 and updated in 1998 to create a standard for data protection across Europe
• Originally covered personal data that are automatically processed but now covers some manual records as well
• Defines the terms data subject (the person about whom data is held) and data controller (called data user in the 1984 version)
• Requires that all data controllers (and the nature of the processing they do) must be recorded on the public register of data controllers
Data Protection Act – Eight Principles
Under the Data Protection Act, data must be…
• fairly and lawfully processed;
• processed for limited purposes and not in any manner incompatible with those purposes;
• adequate, relevant and not excessive;
• accurate;
• not kept for longer than is necessary;
• processed in line with the data subject's rights;
• secure;
Processing Personal Data
• Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual.
• Processing can only be carried out where:
– the individual has given his or her consent;
– the processing is necessary for the performance of a contract with the individual;
– the processing is required under a legal obligation;
– the processing is necessary to protect the vital interests of the individual;
– the processing is necessary to carry out public functions;
– the processing is necessary in order to pursue the
Data Protection Act – What Else?
• It covers any information recorded as part of a “relevant filing system” – i.e. information that is “readily accessible”
• Data controllers must take security measures to safeguard personal data – i.e. to prevent unlawful processing or disclosure
• There are certain exemptions from the DPA
• Data subjects have rights that are defined in
DPA – The Rights of Individuals
If data are held about you, you are entitled to be…
• given a description of the data
• told for what purposes the data are processed
• told the recipients or the classes of recipients to whom the data may have been disclosed
• given a copy of the information with any unintelligible terms explained
• given any information available to the controller about the source of the data
• given an explanation as to how any automated decisions taken about you have been made
DPA – The Rights of Individuals
Further rights include:
• The right to access the data held – within 40 days and at a cost of no more than £10 for computer records and £50 for paper records
• The right to rectify, block, erase or destroy details that are inaccurate, or opinions based on inaccurate data
• The right not to have your details used for direct marketing
• The right to compensation for damage caused if the Data Protection Act is breached
Exemptions from the DPA
The Act does not apply to:
• Payroll, pensions and accounts data
• Names and addresses held for distribution purposes
• Personal, family, household or recreational use
• Data can be disclosed to an agent of the subject, or in response to a medical emergency
• Use of data in cases dealing with national security, the prevention of crime, or the collection of taxes & duty
Criminal Offences under the DPA
• Notification offences – where the data controller fails to notify the commissioner of processing or changes to processing
• Procuring and selling offences – disclosing, selling or obtaining data without authorisation
• Enforced access offences – e.g. you can’t make someone make an access request as a condition of employment
• Other – such as failure to respond to a request or to breach an enforcement notice
Freedom of Information Act
• Covers all types of 'recorded' information held by public authorities
• Covers personal and non-personal data
• Public authorities include:
– Government Departments
– local authorities
– NHS bodies
– schools, colleges and universities
– the Police
– Parliament
– The Post Office
– The National Gallery
– The Parole Board
– Plus lots, lots more!