Copyright JNT Association 2006. Striking a Balance: Privacy and Legal Issues in Network Management. Andrew Cormack, Chief Regulatory Adviser, UKERNA, A.Cormack@ukerna.ac.uk


Post on 14-Jan-2016



Striking a Balance: Privacy and Legal Issues in Network Management

Andrew Cormack

Chief Regulatory Adviser, UKERNA

A.Cormack@ukerna.ac.uk


Networks are full of Dilemmas

• Investigating faults or misuse
  – Prevent future misuse, or limit current disruption/privacy breach
• Investigating crimes
  – Protect victim, or protect investigator?
• Monitoring AUP Compliance
  – Protect organisation/community, or individual privacy?
• Content filtering
  – Protect individual’s morals, or his/her privacy?
• Free speech
  – Protect against offence, or permit expression of opinions?
• Marketing
  – Provide good customer service, or intrude on their private life?


How to resolve these?

• Know what objective is
• Find a reasoned, reasonable balance
  – Harm if we do vs harm if we don’t
  – This will vary between organisations
• Act (if at all) in least intrusive way to achieve objective
• Ensure powers to act aren’t abused
  – Serious breach of trust if they are
• Tell users what we will do
  – And what the rules are
• Behave professionally
  – UKERNA’s System Administrator’s Charter may help


What is reasonable?

• “Reasonable” varies
  – Depending on circumstances and culture
  – Schools probably different from universities
• Can you justify your decision to your users?
  – If so, it’s probably reasonable!

NB Powers subject to controls and sanctions are more likely to be seen as “Reasonable”


Why does it matter? (1)

• Users’ reactions
  – They don’t like being surprised
  – Or feeling you are just snooping on them
• Organisation’s reputation
  – How do prospective students, parents, funders feel?
  – Are you happy with your press cuttings?
• Contracts with others (e.g. service providers)


Why does it matter? (2)

• Reactions of your victims
  – Civil law may allow them to seek reparation
  – Or prohibit you from doing it again
• Reaction of society
  – Criminal law may lock you up (more likely your managers if you are working under instruction), fine the organisation, etc.
• Need to manage all these risks
  – “manage” does not always mean “eliminate”


What does law control?

NB These are “controlled”, not “prohibited”

• Use of Personal Data (DPA 1998)
  – Note that IP and e-mail addresses are personal
• Reading/recording information off networks (RIPA 2000)
• Reading files (HRA 1998)
• Publishing obscene, racist, terrorist, copyright, defamatory, etc. material
  – But you are protected until you are told about them
  – Note that only the rare ones are criminal, most are civil


And what does it require?

• Ensure actions have a clear purpose
• Ensure actions are necessary and proportionate
• Have controls to prevent accidental/deliberate abuse of powers
• Inform users of what you are doing
  – Unless notification would defeat the purpose
  – But use this excuse sparingly!
• See slide 3


So…

• Document your rules, procedures and controls
  – If you aren’t happy with them yourself, make them better
  – System/network managers are prime suspects
• Agree rules and procedures with your organisation
  – If they aren’t happy with them, make them better
  – If you have their backing, you have little (personally) to fear
• Explain rules/procedures to (selected) users
  – If they aren’t happy with them, make them better
  – Or explain them better!
• Now you have nothing to be ashamed of!


What’s new in the law (2006)?


Recent Cases

• War-driving (Communications Act 2003, s. 125)
  – “Dishonestly obtaining communications services” - £500 fine
    • No requirement that service be protected, or use cause loss!
    • But must be a deliberate act
  – So what is dishonest? Does it depend on SSID and location?
• DoS attacks (Computer Misuse Act 1990, s. 3)
  – Flooding a mailhub with e-mail: authorised?
  – Youth Court says yes; Appeal Court says no, so s.3 applies
    • Test: “Would owner have agreed, if asked? No!” – Hmmm
    • Police and Justice Bill will make it an explicit offence
  – Two months curfew
• Illegal interception (RIPA 2000)
  – Re-configuring mail server to copy all mails to someone else
  – £20,000 fine + costs + suspended prison sentence


New Laws

• Terrorism Act 2006
  – Notice and take-down of terrorist material
    • Notice sent to senior executive of organisation
  – Two working days to respond
    • Or organisation is held to approve the material
• RIPA 2000 (Pt 2 Ch 1) Code of Practice
  – Covers disclosure notices for traffic data
  – Documents existing practice


Topics of Discussion 1

• Blocking Illegal-to-Possess Content
  – Pressure on ISPs to prevent access to content on IWF list by next year
  – Currently, indecent images of children
• Hacking Tools (Police & Justice Bill)
  – Criminalise supplying tools for CMA offences
    • With intent or likelihood that they will be so used
  – Authorised use is still fine under CMA 1990


Topics of Discussion 2

• Extreme Pornography (proposed legislation)
  – Will become illegal to possess
    • Currently only publishing is illegal (OPA 1957)
  – “Good reason” defence to be included
• Access to encrypted material (RIPA 2000)
  – Existing power (Pt 3) to be switched on
  – Order to decrypt material seized by police
    • Rarely, may be required to disclose a key
  – 2-5 years in prison if you refuse to do so
    • If court believes you could have disclosed/decrypted


Topics of Discussion 3

• DoS attacks (Police & Justice Bill)
  – CMA1990 s3 to become “unauthorised interference”
• Data Preservation after major incidents
  – ACPO working group to develop better process
• DPA1998 s.55 (DCA consultation)
  – 2 years in prison for deliberate unauthorised disclosure of personal data
    • (“What Price Privacy?” report by Information Commissioner)
    • Currently only a fine – a “business expense” to some