
Post on 19-Dec-2015


1.9 The Legal Framework

In this section you must be able to:

• Describe the provisions of the Computer Misuse Act.

• Describe the principles of software copyright and licensing agreements.

• Recall the nature, purpose and provisions of the current data protection legislation – rights, duties, exemptions, etc.

New Crimes Made Possible by ICT

New technology has created opportunities for crime:

• Software piracy (copying software illegally to sell)

• Hacking (unauthorised access to computer systems)

• Creation and distribution of viruses

• Distributing pornographic and other obscene material

• Fraudulent trading

• Credit card fraud

• Terrorist activity and blackmail

Abuse of ICT

There are also opportunities for the abuse of ICT:

• Sending unsolicited e-mails (now an offence in some countries)

• Creating inappropriate or misleading web-sites

• Registering a domain that might appear to belong to someone else – “cyber-squatting”

Inappropriate use of ICT is not necessarily illegal.

It’s important to distinguish between:

• Unethical use of ICT – i.e. morally questionable

• Criminal activity – i.e. an offence under the various laws covering use of ICT

Where do Laws Come From?

There are three sources of law:

• Case law – i.e. judges’ rulings in court cases

• Acts of Parliament – e.g. Data Protection Act

• European laws & directives – e.g. VDU use

Laws change for many reasons:

• Social and political pressure – e.g. dangerous dogs

• Reaction to specific cases – e.g. Gold & Schifreen

• Combinations and clarifications of previous laws

• To close loopholes – e.g. “making off” and hacking

Laws Affecting ICT

There are various laws covering use of ICT:

• Computer Misuse Act 1990

• Data Protection Act 1984 & 1998

• Copyright, Designs and Patents Act 1988

• European VDU & health directive 1992

Plus, more general guidelines such as:

• Health and Safety legislation

• Offices, Shops and Railways Act 1963

• Contract law – shrink-wrap agreement controversy!

Plus what about things such as professional advice given by a computer?

Computer Misuse Act

• In 1988 two teenagers “hacked” the Duke of Edinburgh’s e-mail account and changed a message

• They were taken to court, but hadn’t actually committed an offence (there was no theft and no fraud committed)

• People also started getting worried about viruses, which had started to appear in 1986

• In response, the government introduced the Computer Misuse Act in 1990

Computer Misuse Act

Under the CMA there are three offences:

• Unauthorised access to computer programs or data

• Unauthorised access with further criminal intent

• Unauthorised modification of computer material (programs or data)

However…

• Unauthorised access can be difficult to detect

• The first people to be prosecuted (in 1997) were caught when boasting about their crime!

Computer Misuse Act

The CMA therefore protects us against:

• Hacking

• Theft and Fraud

• “Logic Bombs”

• “Denial of Service” attacks

• Viruses could commit offences at different levels depending on the payload:

– Some display harmless messages

– Some are deliberately malicious

– Some are unintentionally dangerous

Other Measures to Prevent Misuse

Other steps can be taken to prevent misuse.

• JavaScript, for example, was created with computer misuse in mind and was designed to prevent it being used to create viruses:

– JavaScript cannot write directly to discs (other than cookies) and so cannot delete or change any files

– There is no direct access to memory or to other hardware

Copyright and Patent

• Patents cover the ideas and concepts on which products or services operate:

– You can only patent software that performs a technical function – e.g. an encryption algorithm

– You can’t patent software that performs a human function, such as translating English to French

• Copyright covers the implementation of the idea – the actual words, images and sounds that you use

Copyright, Designs and Patents Act

• Under this act it is illegal to:

– Copy software

– Run pirated software

– Transmit software over a telecommunications link (thereby copying it)

• The act is enforced by FAST – the Federation Against Software Theft (also FACT for general copyright)

• The enforcement is complicated by:

– The confusion between copyright and patent

– Whether you can copyright a “look and feel”

– Contracts such as licensing and acceptable use agreements

Using Computers to Combat Crime

Computers can also be used to solve crimes:

• The Police National Computer (PNC) now allows forces across the country to share information

• Number-plate recognition can be used to identify people committing motoring offences

• Mobile phone records can be used to locate criminals and victims of crime

• Audit logs and records of e-mails and network traffic could be used as evidence

Data Protection

• We all have a right to privacy

• There might be a variety of reasons why you’d want to keep something private:

– It might be possible to use the information for fraudulent purposes

– The information might be of a sensitive nature, such as medical records

– You might just not want people to know!

• The Data Protection Act is to protect privacy

Data Protection Act

The Data Protection Act…

• Was introduced in 1984 and updated in 1998 to create a standard for data protection across Europe

• Originally covered personal data that are automatically processed but now covers some manual records as well

• Defines the terms data subject (the person about whom data is held) and data controller (called data user in the 1984 version)

• Requires that all data controllers (and the nature of the processing they do) must be recorded on the public register of data controllers

• Is overseen by the Information Commissioner

Data Protection Act – Eight Principles

Under the Data Protection Act, data must be…

• fairly and lawfully processed;

• processed for limited purposes and not in any manner incompatible with those purposes;

• adequate, relevant and not excessive;

• accurate;

• not kept for longer than is necessary;

• processed in line with the data subject's rights;

• secure;

• not transferred to countries without adequate protection.

Processing Personal Data

• Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual.

• Processing can only be carried out where:

– the individual has given his or her consent;

– the processing is necessary for the performance of a contract with the individual;

– the processing is required under a legal obligation;

– the processing is necessary to protect the vital interests of the individual;

– the processing is necessary to carry out public functions;

– the processing is necessary in order to pursue the legitimate interests of the data controller or third parties.

Data Protection Act – What Else?

• It covers any information recorded as part of a “relevant filing system” – i.e. information that is “readily accessible”

• Data controllers must take security measures to safeguard personal data – i.e. to prevent unlawful processing or disclosure

• There are certain exemptions from the DPA

• Data subjects have rights that are defined in the act

DPA – The Rights of Individuals

If data are held about you, you are entitled to be…

• given a description of the data

• told for what purposes the data are processed

• told the recipients or the classes of recipients to whom the data may have been disclosed

• given a copy of the information with any unintelligible terms explained

• given any information available to the controller about the source of the data

• given an explanation as to how any automated decisions taken about you have been made

DPA – The Rights of Individuals

Further rights include:

• The right to access the data held – within 40 days and at a cost of no more than £10 for computer records and £50 for paper records

• The right to rectify, block, erase or destroy details that are inaccurate, or opinions based on inaccurate data

• The right not to have your details used for direct marketing

• The right to compensation for damage caused if the Data Protection Act is breached

Exemptions from the DPA

The Act does not apply to:

• Payroll, pensions and accounts data

• Names and addresses held for distribution purposes

• Personal, family, household or recreational use

• Data can be disclosed to an agent of the subject, or in response to a medical emergency

• Use of data in cases dealing with national security, the prevention of crime, or the collection of taxes & duty

Criminal Offences under the DPA

• Notification offences – where the data controller fails to notify the commissioner of processing or changes to processing

• Procuring and selling offences – disclosing, selling or obtaining data without authorisation

• Enforced access offences – e.g. you can’t make someone make an access request as a condition of employment

• Other – such as failing to respond to a request or breaching an enforcement notice

Freedom of Information Act

• Covers all types of 'recorded' information held by public authorities

• Covers personal and non-personal data

• Public authorities include:

– Government Departments

– local authorities

– NHS bodies

– schools, colleges and universities

– the Police

– Parliament

– The Post Office

– The National Gallery

– The Parole Board

– Plus lots, lots more!