TRANSCRIPT
Copyright JNT Association 2006
Striking a Balance: Privacy and Legal Issues in Network Management
Andrew Cormack
Chief Regulatory Adviser, UKERNA
Networks are full of Dilemmas
• Investigating faults or misuse
  – Prevent future misuse, or limit current disruption/privacy breach?
• Investigating crimes
  – Protect the victim, or protect the investigator?
• Monitoring AUP compliance
  – Protect the organisation/community, or individual privacy?
• Content filtering
  – Protect the individual's morals, or his/her privacy?
• Free speech
  – Protect against offence, or permit expression of opinions?
• Marketing
  – Provide good customer service, or intrude on their private life?
How to resolve these?
• Know what the objective is
• Find a reasoned, reasonable balance
  – Harm if we do vs harm if we don't
  – This will vary between organisations
• Act (if at all) in the least intrusive way that achieves the objective
• Ensure the powers to act aren't abused
  – Serious breach of trust if they are
• Tell users what we will do
  – And what the rules are
• Behave professionally
  – UKERNA's System Administrator's Charter may help
What is reasonable?
• "Reasonable" varies
  – Depending on circumstances and culture
  – Schools are probably different from universities
• Can you justify your decision to your users?
  – If so, it's probably reasonable!
NB Powers that are subject to controls and sanctions are more likely to be seen as "reasonable"
Why does it matter? (1)
• Users' reactions
  – They don't like being surprised
  – Or feeling that you are just snooping on them
• Organisation's reputation
  – How do prospective students, parents and funders feel?
  – Are you happy with your press cuttings?
• Contracts with others (e.g. service providers)
Why does it matter? (2)
• Reactions of your victims
  – Civil law may allow them to seek reparation
  – Or to prohibit you from doing it again
• Reaction of society
  – Criminal law may lock you up (more likely your managers, if you are working under instruction), fine the organisation, etc.
• Need to manage all these risks
  – "Manage" does not always mean "eliminate"
What does law control?
NB These are "controlled", not "prohibited"
• Use of personal data (DPA 1998)
  – Note that IP and e-mail addresses are personal data
• Reading/recording information off networks (RIPA 2000)
• Reading files (HRA 1998)
• Publishing obscene, racist, terrorist, copyright-infringing, defamatory, etc. material
  – But you are protected until you are told about it
  – Note that only the rare ones are criminal; most are civil
And what does it require?
• Ensure actions have a clear purpose
• Ensure actions are necessary and proportionate
• Have controls to prevent accidental/deliberate abuse of powers
• Inform users of what you are doing
  – Unless notification would defeat the purpose
  – But use this excuse sparingly!
• See slide 3
So…
• Document your rules, procedures and controls
  – If you aren't happy with them yourself, make them better
  – System/network managers are prime suspects
• Agree rules and procedures with your organisation
  – If they aren't happy with them, make them better
  – If you have their backing, you have little (personally) to fear
• Explain rules/procedures to (selected) users
  – If they aren't happy with them, make them better
  – Or explain them better!
• Now you have nothing to be ashamed of!
What’s new in the law (2006)?
Recent Cases
• War-driving (Communications Act 2003, s. 125)
  – "Dishonestly obtaining communications services": £500 fine
  – No requirement that the service be protected, or that the use cause loss!
  – But it must be a deliberate act
  – So what is dishonest? Does it depend on SSID and location?
• DoS attacks (Computer Misuse Act 1990, s. 3)
  – Flooding a mailhub with e-mail: authorised?
  – Youth Court says yes; Appeal Court says no, so s. 3 applies
  – Test: "Would the owner have agreed, if asked? No!" – Hmmm
  – Police and Justice Bill will make it an explicit offence
  – Sentence: two months' curfew
• Illegal interception (RIPA 2000)
  – Re-configuring a mail server to copy all mails to someone else
  – £20,000 fine + costs + suspended prison sentence
New Laws
• Terrorism Act 2006
  – Notice and take-down of terrorist material
  – Notice sent to a senior executive of the organisation
  – Two working days to respond, or the organisation is held to approve the material
• RIPA 2000 (Pt 1 Ch 2) Code of Practice
  – Covers disclosure notices for traffic data
  – Documents existing practice
Topics of Discussion 1
• Blocking illegal-to-possess content
  – Pressure on ISPs to prevent access to content on the IWF list by next year
  – Currently, indecent images of children
• Hacking tools (Police & Justice Bill)
  – Criminalise supplying tools for CMA offences, with intent or likelihood that they will be so used
  – Authorised use is still fine under CMA 1990
Topics of Discussion 2
• Extreme pornography (proposed legislation)
  – Will become illegal to possess
  – Currently only publishing is illegal (OPA 1959)
  – "Good reason" defence to be included
• Access to encrypted material (RIPA 2000)
  – Existing power (Pt 3) to be switched on
  – Order to decrypt material seized by police
  – Rarely, may be required to disclose a key
  – 2-5 years in prison if you refuse to do so, where the court believes you could have disclosed/decrypted
Topics of Discussion 3
• DoS attacks (Police & Justice Bill)
  – CMA 1990 s. 3 to become "unauthorised interference"
• Data preservation after major incidents
  – ACPO working group to develop a better process
• DPA 1998 s. 55 (DCA consultation)
  – 2 years in prison for deliberate unauthorised disclosure of personal data
  – ("What Price Privacy?" report by the Information Commissioner)
  – Currently only a fine: a "business expense" to some