Posted on 19-Dec-2015
1.9 The Legal Framework
In this section you must be able to:
• Describe the provisions of the Computer Misuse Act.
• Describe the principles of software copyright and licensing agreements.
• Recall the nature, purpose and provisions of the current data protection legislation – rights, duties, exemptions, etc.
New Crimes Made Possible by ICT
New technology has created opportunities for crime:
• Software piracy (copying or distributing software without a licence)
• Hacking (unauthorised access to computer systems)
• Creation and distribution of viruses
• Distributing pornographic and other obscene material
• Fraudulent trading
• Credit card fraud
• Terrorist activity and blackmail
Abuse of ICT
There are also opportunities for the abuse of ICT:
• Sending unsolicited e-mails (now an offence in some countries)
• Creating inappropriate or misleading web-sites
• Registering a domain that might appear to belong to someone else – “cyber-squatting”
Inappropriate use of ICT is not necessarily illegal.
It’s important to distinguish between:
• Unethical use of ICT – i.e. morally questionable
• Criminal activity – i.e. an offence under the various laws covering use of ICT
Where do Laws Come From?
There are three sources of law:
• Case law – i.e. judges’ rulings in court cases
• Acts of Parliament – e.g. Data Protection Act
• European laws & directives – e.g. VDU use
Laws change for many reasons:
• Social and political pressure – e.g. dangerous dogs
• Reaction to specific cases – e.g. Gold & Schifreen (the Prestel hacking case)
• Combinations and clarifications of previous laws
• To close loopholes – e.g. “making off without payment” and hacking
Laws Affecting ICT
There are various laws covering use of ICT
• Computer Misuse Act 1990
• Data Protection Act 1984 & 1998
• Copyright, Designs and Patents Act 1988
• European VDU & health directive 1992
Plus, more general guidelines such as:
• Health and Safety legislation
• Offices, Shops and Railway Premises Act 1963
• Contract law – the shrink-wrap agreement controversy!
Open questions remain too, such as who is liable for professional advice given by a computer.
Computer Misuse Act
• In 1984–85 two hackers, Robert Schifreen and Stephen Gold, got into BT’s Prestel service, including the Duke of Edinburgh’s mailbox, and changed a message
• They were prosecuted under the Forgery and Counterfeiting Act 1981, but in 1988 the House of Lords upheld their acquittal: no existing offence fitted what they had done (there was no theft and no fraud)
• People also started getting worried about viruses, which had started to appear in 1986
• In response, the government introduced the Computer Misuse Act in 1990
Computer Misuse Act
Under the CMA as passed in 1990 there are three offences:
• Section 1 – unauthorised access to computer programs or data
• Section 2 – unauthorised access with intent to commit a further offence (e.g. fraud)
• Section 3 – unauthorised modification of computer material (programs or data); since the Police and Justice Act 2006 this covers any unauthorised act intended to impair the operation of a computer, and later amendments added further offences (making or supplying hacking tools, and unauthorised acts causing serious damage)
However…
• Unauthorised access can be difficult to detect
• The first people to be prosecuted (in 1997) were caught when boasting about their crime!
Computer Misuse Act
The CMA therefore makes offences of:
• Hacking (unauthorised access – section 1)
• Gaining access in order to commit theft or fraud (section 2)
• “Logic Bombs”
• “Denial of Service” attacks (put beyond doubt by the 2006 amendment to section 3)
• Writing and spreading viruses – the offence committed depends on the payload:
– Some display harmless messages
– Some are deliberately malicious
– Some are unintentionally dangerous
Other Measures to Prevent Misuse
Other steps can be taken to prevent misuse, chiefly by designing systems so that untrusted code has limited powers.
• Browser JavaScript, for example, runs in a sandbox designed to limit what code downloaded from a web page can do:
– It cannot read or write arbitrary files on the user’s disc (only browser-managed storage such as cookies), so it cannot delete or change files
– It has no direct access to memory or to other hardware
• The sandbox is a containment measure, not a guarantee: it is only as strong as the browser that implements it
Copyright and Patent
• Patents cover the ideas and concepts on which products or services operate:
– You can only patent software that performs a technical function – e.g. an encryption algorithm
– You can’t patent software that performs a human function, such as translating English to French
• Copyright covers the implementation of the idea – the actual words, images and sounds that you use
Copyright, Designs and Patents Act
• Under this act it is an infringement, without the copyright holder’s permission, to:
– Copy software
– Run pirated (unlicensed) copies of software
– Transmit software over a telecommunications link (thereby copying it)
• Infringement is pursued through the courts by industry bodies such as FAST – the Federation Against Software Theft (and FACT, the Federation Against Copyright Theft, for film and television)
• The enforcement is complicated by:
– The confusion between copyright and patent
– Whether you can copyright a “look and feel”
– Contracts such as licensing and acceptable use agreements
Using Computers to Combat Crime
Computers can also be used to solve crimes:
• The Police National Computer (PNC) now allows forces across the country to share information
• Number-plate recognition can be used to identify vehicles involved in motoring offences
• Mobile phone records can be used to locate criminals and victims of crime
• Audit logs and records of e-mails and network traffic could be used as evidence
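Two points above deserve a concrete illustration: that unauthorised access (CMA section 1) can be hard to detect, and that audit logs can serve as evidence. The following is an added example, not part of the original notes. It parses a handful of constructed sshd-style log lines (RFC 5737 test addresses, not a real system; the sshd message format is assumed), flags a successful log-in that follows a run of failed attempts from the same address, and records a SHA-256 digest of the log so the copy produced later can be shown to be unaltered.

```python
"""
Added example: spotting a likely unauthorised log-in in an SSH audit log and
fixing the log's hash so it can later be produced as evidence.

The log lines below are constructed for this example (RFC 5737 test
addresses); they are not from any real system, and the sshd message format
is assumed.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a password-guessing run from 203.0.113.7 that ends in a
# successful root log-in, plus two ordinary log-ins for comparison.
SAMPLE_LOG = """\
Jan 12 08:01:02 srv1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 12 08:01:04 srv1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 12 08:01:06 srv1 sshd[4102]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 12 08:01:09 srv1 sshd[4102]: Failed password for root from 203.0.113.7 port 51031 ssh2
Jan 12 08:01:11 srv1 sshd[4103]: Failed password for root from 203.0.113.7 port 51040 ssh2
Jan 12 08:01:15 srv1 sshd[4103]: Accepted password for root from 203.0.113.7 port 51041 ssh2
Jan 12 08:30:00 srv1 sshd[4200]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Jan 12 09:00:00 srv1 sshd[4300]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Jan 12 09:00:05 srv1 sshd[4300]: Accepted password for bob from 198.51.100.9 port 40101 ssh2
"""

# One regex covers both the "Failed" and "Accepted" forms sshd writes for
# password and public-key log-ins; "invalid user" appears when the account
# does not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_line(line):
    """Return a dict describing an auth event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for measuring gaps within one file (assumption: no year boundary).
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
    return event


def find_suspicious_logins(log_text, threshold=3, window_seconds=300):
    """Flag each successful log-in preceded by at least `threshold` failed
    attempts from the same source address within `window_seconds`."""
    failures = defaultdict(list)   # ip -> timestamps of failed attempts
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["ip"]]
                  if 0 <= (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            findings.append({
                "ip": ev["ip"],
                "user": ev["user"],
                "time": ev["ts"].strftime("%b %d %H:%M:%S"),
                "failures": len(recent),
            })
        failures[ev["ip"]].clear()   # a success ends this guessing run
    return findings


def evidence_digest(log_text):
    """SHA-256 of the log exactly as collected.  Record it alongside who took
    the copy and when, so the copy produced in court can be shown unaltered."""
    return hashlib.sha256(log_text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG):
        print(f"suspicious log-in: {f['user']} from {f['ip']} at {f['time']} "
              f"after {f['failures']} failed attempts")
    print("log SHA-256:", evidence_digest(SAMPLE_LOG))
```

Run against the sample, only the root log-in from 203.0.113.7 is flagged (five failures in thirteen seconds); bob's single mistyped password is below the threshold. The digest should be computed on the original file before any analysis tooling touches it, since the analysis copy is not what a court will want to see.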
Data Protection
• We all have a right to privacy
• There might be a variety of reasons why you’d want to keep something private:
– The information could be used for fraudulent purposes
– The information might be of a sensitive nature, such as medical records
– You might just not want people to know!
• The Data Protection Act exists to protect privacy
Data Protection Act
The Data Protection Act…
• Was introduced in 1984 and replaced in 1998 to implement the EU Data Protection Directive (95/46/EC), creating a common standard for data protection across Europe
• Originally covered personal data that are automatically processed but now covers some manual records as well
• Defines the terms data subject (the person about whom data is held) and data controller (called data user in the 1984 version)
• Requires that all data controllers (and the nature of the processing they do) must be recorded on the public register of data controllers
• Is overseen by the Information Commissioner
Data Protection Act – Eight Principles
Under the Data Protection Act, data must be…
• fairly and lawfully processed;
• processed for limited purposes and not in any manner incompatible with those purposes;
• adequate, relevant and not excessive;
• accurate;
• not kept for longer than is necessary;
• processed in line with the data subject's rights;
• secure;
• not transferred to countries without adequate protection.
Processing Personal Data
• Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual.
• Processing can only be carried out where:
– the individual has given his or her consent;
– the processing is necessary for the performance of a contract with the individual;
– the processing is required under a legal obligation;
– the processing is necessary to protect the vital interests of the individual;
– the processing is necessary to carry out public functions;
– the processing is necessary in order to pursue the legitimate interests of the data controller or third parties
Data Protection Act – What Else?
• It covers any information recorded as part of a “relevant filing system” – i.e. information that is “readily accessible”
• Data controllers must take security measures to safeguard personal data – i.e. to prevent unlawful processing or disclosure
• There are certain exemptions from the DPA
• Data subjects have rights that are defined in the act
DPA – The Rights of Individuals
If data are held about you, you are entitled to be…
• given a description of the data and told for what purposes the data are processed
• told the recipients or the classes of recipients to whom the data may have been disclosed
• given a copy of the information with any unintelligible terms explained
• given any information available to the controller about the source of the data
• given an explanation as to how any automated decisions taken about you have been made
DPA – The Rights of Individuals
Further rights include:
• The right to access the data held – within 40 days and at a cost of no more than £10 for computer records and £50 for paper records
• The right to rectify, block, erase or destroy details that are inaccurate, or opinions based on inaccurate data
• The right not to have your details used for direct marketing
• The right to compensation for damage caused if the Data Protection Act is breached
Exemptions from the DPA
The Act does not apply to:
• Payroll, pensions and accounts data
• Names and addresses held for distribution purposes
• Personal, family, household or recreational use
• Disclosure to an agent of the subject, or in response to a medical emergency
• Use of data in cases dealing with national security, the prevention of crime, or the collection of taxes & duty
Criminal Offences under the DPA
• Notification offences – where the data controller fails to notify the commissioner of processing or changes to processing
• Procuring and selling offences – disclosing, selling or obtaining data without authorisation
• Enforced access offences – e.g. you can’t make someone make an access request as a condition of employment
• Other – such as failing to comply with an information notice or an enforcement notice
Freedom of Information Act
• Covers all types of ‘recorded’ information held by public authorities
• Covers personal and non-personal data
• Public authorities include:
– Government Departments
– local authorities
– NHS bodies
– schools, colleges and universities
– the Police
– Parliament
– The Post Office
– The National Gallery
– The Parole Board
– Plus lots, lots more!