1.9 The Legal Framework


1.9 The Legal Framework
In this section you must be able to:
- Describe the provisions of the Computer Misuse Act.
- Describe the principles of software copyright and licensing agreements.
- Recall the nature, purpose and provisions of the current data protection legislation – rights, duties, exemptions, etc.

New Crimes Made Possible by ICT
New technology has created opportunities for crime:
- Software piracy (copying software illegally to sell)
- Hacking (unauthorised access to computer systems)
- Creation and distribution of viruses
- Distributing pornographic and other obscene material
- Fraudulent trading
- Credit card fraud
- Terrorist activity and blackmail

Abuse of ICT
There are also opportunities for the abuse of ICT:
- Sending unsolicited e-mails (now an offence in some countries)
- Creating inappropriate or misleading web-sites
- Registering a domain that might appear to belong to someone else – “cyber-squatting”
Inappropriate use of ICT is not necessarily illegal. It’s important to distinguish between:
- Unethical use of ICT – i.e. morally questionable
- Criminal activity – i.e. an offence under the various laws covering use of ICT

Where do Laws Come From?
There are three sources of law:
- Case law – i.e. judges’ rulings in court cases
- Acts of Parliament – e.g. Data Protection Act
- European laws & directives – e.g. VDU use
Laws change for many reasons:
- Social and political pressure – e.g. dangerous dogs
- Reaction to specific cases – e.g. Gold & Schifreen
- Combinations and clarifications of previous laws
- To close loopholes – e.g. “making off” and hacking

Laws Affecting ICT
There are various laws covering use of ICT:
- Computer Misuse Act 1990
- Data Protection Act 1984 & 1998
- Copyright, Designs and Patents Act 1988
- European VDU & health directive 1992
Plus, more general guidelines such as:
- Health and Safety legislation
- Offices, Shops and Railways Act 1963
- Contract law – shrink-wrap agreement controversy!
Plus what about things such as professional advice given by a computer?

Computer Misuse Act
- In 1988 two teenagers “hacked” the Duke of Edinburgh’s e-mail account and changed a message
- They were taken to court, but hadn’t actually committed an offence (there was no theft and no fraud committed)
- People also started getting worried about viruses, which had started to appear in 1986
- In response, the government introduced the Computer Misuse Act in 1990

Computer Misuse Act
Under the CMA there are three offences:
- Unauthorised access to computer programs or data
- Unauthorised access with further criminal intent
- Unauthorised modification of computer material (programs or data)
However…
- Unauthorised access can be difficult to detect
- The first people to be prosecuted (in 1997) were caught when boasting about their crime!

Computer Misuse Act
The CMA therefore protects us against:
- Hacking
- Theft and Fraud
- “Logic Bombs”
- “Denial of Service” attacks
Viruses could commit offences at different levels depending on the payload:
- Some display harmless messages
- Some are deliberately malicious
- Some are unintentionally dangerous

Other Measures to Prevent Misuse
Other steps can be taken to prevent misuse. JavaScript, for example, was created with computer misuse in mind and was designed to prevent it being used to create viruses:
- JavaScript cannot write directly to discs (other than cookies) and so cannot delete or change any files
- There is no direct access to memory or to other hardware

Copyright and Patent
Patents cover the ideas and concepts on which products or services operate:
- You can only patent software that performs a technical function – e.g. an encryption algorithm
- You can’t patent software that performs a human function, such as translating English to French
Copyright covers the implementation of the idea – the actual words, images and sounds that you use

Copyright, Designs and Patents Act
Under this act it is illegal to:
- Copy software
- Run pirated software
- Transmit software over a telecommunications link (thereby copying it)
The act is enforced by FAST – the Federation Against Software Theft (also FACT for general copyright)
The enforcement is complicated by:
- The confusion between copyright and patent
- Whether you can copyright a “look and feel”
- Contracts such as licensing and acceptable use agreements

Using Computers to Combat Crime
Computers can also be used to solve crimes:
- The Police National Computer (PNC) now allows forces across the country to share information
- Number-plate recognition can be used to identify people committing motoring offences
- Mobile phone records can be used to locate criminals and victims of crime
- Audit logs and records of e-mails and network traffic could be used as evidence

Data Protection
We all have a right to privacy
There might be a variety of reasons why you’d want to keep something private:
- It might be possible to use the information for fraudulent purposes
- The information might be of a sensitive nature, such as medical records
- You might just not want people to know!
The Data Protection Act exists to protect privacy

Data Protection Act
The Data Protection Act…
- Was introduced in 1984 and updated in 1998 to create a standard for data protection across Europe
- Originally covered personal data that are automatically processed but now covers some manual records as well
- Defines the terms data subject (the person about whom data is held) and data controller (called data user in the 1984 version)
- Requires that all data controllers (and the nature of the processing they do) must be recorded on the public register of data controllers
- Is overseen by the Information Commissioner

Data Protection Act – Eight Principles
Under the Data Protection Act, data must be…
- fairly and lawfully processed;
- processed for limited purposes and not in any manner incompatible with those purposes;
- adequate, relevant and not excessive;
- accurate;
- not kept for longer than is necessary;
- processed in line with the data subject's rights;
- secure;
- not transferred to countries without adequate protection.

Processing Personal Data
Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual.
Processing can only be carried out where:
- the individual has given his or her consent;
- the processing is necessary for the performance of a contract with the individual;
- the processing is required under a legal obligation;
- the processing is necessary to protect the vital interests of the individual;
- the processing is necessary to carry out public functions;
- the processing is necessary in order to pursue the legitimate interests of the data controller or third parties

Data Protection Act – What Else?
- It covers any information recorded as part of a “relevant filing system” – i.e. information that is “readily accessible”
- Data controllers must take security measures to safeguard personal data – i.e. to prevent unlawful processing or disclosure
- There are certain exemptions from the DPA
- Data subjects have rights that are defined in the act

DPA – The Rights of Individuals
If data are held about you, you are entitled to be…
- given a description of the data
- told for what purposes the data are processed
- told the recipients or the classes of recipients to whom the data may have been disclosed
- given a copy of the information with any unintelligible terms explained
- given any information available to the controller about the source of the data
- given an explanation as to how any automated decisions taken about you have been made

DPA – The Rights of Individuals
Further rights include:
- The right to access the data held – within 40 days and at a cost of no more than £10 for computer records and £50 for paper records
- The right to rectify, block, erase or destroy details that are inaccurate, or opinions based on inaccurate data
- The right not to have your details used for direct marketing
- The right to compensation for damage caused if the Data Protection Act is breached

Exemptions from the DPA
The Act does not apply to:
- Payroll, pensions and accounts data
- Names and addresses held for distribution purposes
- Personal, family, household or recreational use
Data can be disclosed to an agent of the subject, or in response to a medical emergency
Use of data in cases dealing with national security, the prevention of crime, or the collection of taxes & duty

Criminal Offences under the DPA
- Notification offences – where the data controller fails to notify the commissioner of processing or changes to processing
- Procuring and selling offences – disclosing, selling or obtaining data without authorisation
- Enforced access offences – e.g. you can’t make someone make an access request as a condition of employment
- Other – such as failure to respond to a request or to breach an enforcement notice

Freedom of Information Act
- Covers all types of 'recorded' information held by public authorities
- Covers personal and non-personal data
- Public authorities include:
  - Government Departments
  - local authorities
  - NHS bodies
  - schools, colleges and universities
  - the Police
  - Parliament
  - The Post Office
  - The National Gallery
  - The Parole Board
  - Plus lots, lots more!