Striking a Balance: Privacy and Legal Issues in Network Management
Andrew Cormack, Chief Regulatory Adviser, UKERNA
Copyright JNT Association 2006
Networks are full of Dilemmas
  Investigating faults or misuse
    – Prevent future misuse, or limit current disruption/privacy breach
  Investigating crimes
    – Protect victim, or protect investigator?
  Monitoring AUP Compliance
    – Protect organisation/community, or individual privacy?
  Content filtering
    – Protect individual’s morals, or his/her privacy?
  Free speech
    – Protect against offence, or permit expression of opinions?
  Marketing
    – Provide good customer service, or intrude on their private life?
How to resolve these?
  Know what objective is
  Find a reasoned, reasonable balance
    – Harm if we do vs harm if we don’t
    – This will vary between organisations
  Act (if at all) in least intrusive way to achieve objective
  Ensure powers to act aren’t abused
    – Serious breach of trust if they are
  Tell users what we will do
    – And what the rules are
  Behave professionally
    – UKERNA’s System Administrator’s Charter may help
What is reasonable?
  “Reasonable” varies
    – Depending on circumstances and culture
    – Schools probably different from universities
  Can you justify your decision to your users?
    – If so, it’s probably reasonable!
  NB Powers subject to controls and sanctions are more likely to be seen as “Reasonable”
Why does it matter? (1)
  Users’ reactions
    – They don’t like being surprised
    – Or feeling you are just snooping on them
  Organisation’s reputation
    – How do prospective students, parents, funders feel?
    – Are you happy with your press cuttings?
  Contracts with others (e.g. service providers)
Why does it matter? (2)
  Reactions of your victims
    – Civil law may allow them to seek reparation
    – Or prohibit you from doing it again
  Reaction of society
    – Criminal law may lock you up (more likely your managers if you are working under instruction), fine the organisation, etc.
  Need to manage all these risks
    – “manage” does not always mean “eliminate”
What does law control?
  NB These are “controlled”, not “prohibited”
  Use of Personal Data (DPA 1998)
    – Note that IP and addresses are personal
  Reading/recording information off networks (RIPA 2000)
  Reading files (HRA 1998)
  Publishing obscene, racist, terrorist, copyright, defamatory, etc. material
    – But you are protected until you are told about them
    – Note that only the rare ones are criminal, most are civil
And what does it require?
  Ensure actions have a clear purpose
  Ensure actions are necessary and proportionate
  Have controls to prevent accidental/deliberate abuse of powers
  Inform users of what you are doing
    – Unless notification would defeat the purpose
    – But use this excuse sparingly!
  See slide 3
So…
  Document your rules, procedures and controls
    – If you aren’t happy with them yourself, make them better
    – System/network managers are prime suspects
  Agree rules and procedures with your organisation
    – If they aren’t happy with them, make them better
    – If you have their backing, you have little (personally) to fear
  Explain rules/procedures to (selected) users
    – If they aren’t happy with them, make them better
    – Or explain them better!
  Now you have nothing to be ashamed of!
What’s new in the law (2006)?
Recent Cases
  War-driving (Communications Act 2003, s. 125)
    – “Dishonestly obtaining communications services” - £500 fine
        No requirement that service be protected, or use cause loss!
        But must be a deliberate act
    – So what is dishonest? Does it depend on SSID and location?
  DoS attacks (Computer Misuse Act 1990, s. 3)
    – Flooding a mailhub with authorised?
    – Youth Court says yes; Appeal Court says no, so s.3 applies
        Test: “Would owner have agreed, if asked? No!” – Hmmm
        Police and Justice Bill will make it an explicit offence
    – Two months curfew
  Illegal interception (RIPA 2000)
    – Re-configuring mail server to copy all mails to someone else
    – £20,000 fine + costs + suspended prison sentence
New Laws
  Terrorism Act 2006
    – Notice and take-down of terrorist material
        Notice sent to senior executive of organisation
    – Two working days to respond
        Or organisation is held to approve the material
  RIPA 2000 (Pt 2 Ch 1) Code of Practice
    – Covers disclosure notices for traffic data
    – Documents existing practice
Topics of Discussion 1
  Blocking Illegal-to-Possess Content
    – Pressure on ISPs to prevent access to content on IWF list by next year
    – Currently, indecent images of children
  Hacking Tools (Police & Justice Bill)
    – Criminalise supplying tools for CMA offences
        With intent or likelihood that they will be so used
    – Authorised use is still fine under CMA 1990
Topics of Discussion 2
  Extreme Pornography (proposed legislation)
    – Will become illegal to possess
        Currently only publishing is illegal (OPA 1957)
    – “Good reason” defence to be included
  Access to encrypted material (RIPA 2000)
    – Existing power (Pt 3) to be switched on
    – Order to decrypt material seized by police
        Rarely, may be required to disclose a key
    – 2-5 years in prison if you refuse to do so
        If court believes you could have disclosed/decrypted
Topics of Discussion 3
  DoS attacks (Police & Justice Bill)
    – CMA1990 s3 to become “unauthorised interference”
  Data Preservation after major incidents
    – ACPO working group to develop better process
  DPA1998 s.55 (DCA consultation)
    – 2 years in prison for deliberate unauthorised disclosure of personal data (“What Price Privacy?” report by Information Commissioner)
        Currently only a fine – a “business expense” to some