COMP3371 Cyber Security Richard Henson University of Worcester November 2015.


Week 11: The Law and Information Security
- Objectives:
  - Distinguish between criminal law and civil law
  - Explain basic principles of Computer Misuse Act
  - Explain UK and EU legislation in the context of Data protection
  - Explain the eight principles of the Data Protection Act
  - Explain the law on “cookies”

Criminal and Civil Law
- Civil… private law suit (i.e. sue)
  - e.g. “crimes” under the Data Protection Act
- Criminal… police involved
  - e.g. Computer Misuse Act
- Further reading:
  - “Cyber Crime: Concepts, Methodologies, Tools and Applications”

Computer Misuse Act (1990)
- Rushed in as UK law after proof that important people had their messages looked at by unauthorised third parties
- Rapidly rendered unfit for purpose as mobile phones (are they computers?) became available
  - amended in 2006 to include mobiles

Data Protection Act (DPA) 1984, updated 1998
- Enforced by the Information Commissioner’s Office, not the police
  - just as Unfair Trading legislation is enforced by Trading Standards
  - therefore a CIVIL matter
    - unless the company fails to register
    - little excuse for not: £35 pa

UK Information Commissioner
- The Data Protection Act can be summarised as:
  - “don’t mess around with your customers’ data… treat it as if it was your own”
- Should be a matter of morality for a company NOT to be careless with personal data
  - agreed by 1984 that morality wasn’t enough!

Origins of DPA (EU)
- European Charter on Human Rights (1950)…
  - article 8: protection of personal data
  - UK part of EU from 1973
- EC Directive 1981 primarily a response to concern about digital personal data
  - created the 8 principles still used today
  - EU countries given three years to implement the directive…
- Updated as EU Directive 95/46

Structure for Data Protection
- According to EU Directive 95/46:
  - citizens who have their personal data stored are known as data subjects
  - organisations using personal data in any way must:
    - name a data controller responsible for managing personal data of data subjects
    - follow all eight principles of handling personal data

DPA: Principle 1
- “Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
  - (a) at least one of the conditions in Schedule 2 is met, and
  - (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.”
- First prosecutions…. October 2015!

DPA: Principles 2, 3
- 2: “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”
- 3: “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”

DPA: Principles 4, 5
- 4: “Personal data shall be accurate and, where necessary, kept up to date.”
- 5: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

DPA: Principles 6, 7
- 6: “Personal data shall be processed in accordance with the rights of data subjects under this Act.”
- 7: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
- Most prosecutions are under principle 7

DPA: Principle 8
- “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
  - NB countries outside the EEA currently identified as complying: Argentina, Canada, Guernsey, Isle of Man, Switzerland, Jersey

Legitimate Collection of Customer Data
- Seller’s site uses cookies to gather customer clicking behaviour data
  - cookie is stored on the client computer
  - contains personal data
  - customer may regard this as private
- To be any use for marketing purposes:
  - the cookie must be externally accessible to the seller’s site
- BUT a potential security issue
  - In EU must NOT be accessible to other external sites
- HOWEVER
  - sites OUTSIDE this jurisdiction are not legislated to obey EU Data Protection laws
  - have a tendency to swap or sell customer details

Safe Harbour
- An arrangement between EU and another country, through which an organisation agrees to handle data according to EU Directive 95/46 principles
- Current agreement between EU and US recently rendered unfit for purpose
  - negotiations underway for a new safe harbour (2.0)

Examples of Use of Cookies
- User ID & shopping cart data embedded in the cookie
  - when a customer orders items selected from different pages, they will expect to see the items and costs stored in their shopping cart
  - this happens by the data being written to the cookie
  - shopping cart system therefore needs to keep track of individual customer “clicking behaviour” to keep their shopping cart up to date…
- A site where selections are identified via a search engine may want to keep track of the previously used search criteria
  - enables it to re-display those words after the initial search is complete
- A forum website may use a cookie to report new additions since a user’s last visit

Cookies
- Small amounts of information stored on a user’s computer by a website that they have visited
- Controversial until recently because a lot of people were unaware that websites could even do this
  - 2012 law required websites to inform users…

Types of Cookies
- Session cookies:
  - just active whilst user connected to website
  - could be stored at:
    - server end
    - client end
  - either way, the data is deleted when the session finishes

Embedded cookies
- It is possible to embed cookie style information via server scripts in dynamically created pages:
  - held on the server
  - NOT on the client computer
- However:
  - if the client stops perusing that server, the session is finished
  - when the client returns, a new session-ID will be allocated, and identification of that cookie is lost

Long life cookies
- To avoid the need for clients returning at a later date and having to start again, cookies with a longer life span may be implemented:
  - previously input information can be displayed automatically
- BUT that data needs to be stored in the meantime…
  - not a wise thing to do where sensitive information is concerned!!!
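
Added example (not part of the original slides): the session versus long-life distinction from the "Types of Cookies" and "Long life cookies" slides, checked against a server's Set-Cookie headers. The sample headers, the SENSITIVE_NAMES list and the function names are constructed for illustration; Secure and HttpOnly are standard cookie attributes that the slides do not mention.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values (not captured from any real site).
SAMPLE_HEADERS = [
    "sid=8f3a1c; Path=/; Secure; HttpOnly",
    "cart=sku123:2; Max-Age=1800; Path=/; Secure",
    "email=alice@example.com; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
]
# Assumed naming convention for cookies that carry personal data.
SENSITIVE_NAMES = {"email", "name", "address", "phone"}


def lifetime_seconds(morsel, now):
    """Return None for a session cookie, else seconds until it expires."""
    if morsel["max-age"]:                      # Max-Age takes precedence over Expires
        return int(morsel["max-age"])
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        return int((expires - now).total_seconds())
    return None                                # neither attribute: dies with the session


def audit(header, now):
    """Classify one Set-Cookie value and list the storage risks it carries."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    life = lifetime_seconds(morsel, now)
    findings = []
    if life is not None and name.lower() in SENSITIVE_NAMES:
        findings.append("personal data in long-life cookie")
    if not morsel["secure"]:
        findings.append("sent over plain HTTP (no Secure)")
    if not morsel["httponly"]:
        findings.append("readable by page scripts (no HttpOnly)")
    return name, ("session" if life is None else "long-life"), findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for header in SAMPLE_HEADERS:
        print(audit(header, now))
```
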

How secure are cookies?
- A cookie will often contain personal data, and that data will be accessible to the server that put it there
  - it is up to the client whether to trust a web site requesting personal information
  - EU websites are legally required to look after personal data, but who checks up on them?
- 2012: EU Law on Cookies introduced…

Identifying a Reputable Site
- A clear acknowledgement, on the website, of the legal requirements
- An indication that they have reached a standard or kitemark
  - Ideally ISO
- Customers should beware of…
  - Java applets downloaded to the client computer
  - could in theory gather personal data from a cookie and send back to base!!!

Cookies & Protection against Applets
- Applets: computer programs which could:
  - download and install themselves on the client machine
  - run in the background, scanning memory, disks, etc.
  - store information
- If such an applet is later running when the client is logged onto the Web:
  - it could gather information and send it to a server
  - client wouldn’t even know this has happened!
- HOWEVER…
  - cookies are stored with a server generated ID which is encrypted, so even applets can’t get at them!

What is held on a cookie?
- Encrypted text…
- Information (mostly identifiers and dates) contained in them cannot hold sensitive details UNLESS those details are already obtained by other means like the client filling out a personal details form
  - the only programs that can get through the encryption are those that know the ID and the encryption method
  - so the cookie data SHOULD be secure…

Deleting “Long Life” Cookies
- Browsers all provide facility to do so…
  - each has its own unique navigation