1. Security-Relevant Legislation ● Application of older laws to new computer crimes ● UK Computer Misuse Act (CMA) 1990 ● UK Data Protection Act 1984 and 1998 (DPA) ● UK Regulation of Investigatory Powers Act 2000 ● Software Patents ● Copyright Law ● US Digital Millennium Copyright Act ● Contract law and system security

2. Warning These notes are written not by a lawyer but by an engineering academic. They give a brief review of some laws applicable to system security issues. If you need qualified legal advice you must ask a lawyer.

3. Application of older laws to new computer crimes Fraud and theft in connection with non-virtual assets are covered by the same laws whether or not a computer is used for the crime. Prior to the Computer Misuse Act 1990 unauthorised modification of data could be tried as criminal damage. Robert Schifreen and Stephen Gold shoulder surfed a Prestel password from a BT engineer at a trade show in 1984. They used this to access Prince Phillip's mailbox in 1985. In the case R v Gold they were prosecuted under the Forgery and Counterfeiting Act 1981, for making a "false instrument" for forgery and convicted in the crown court. The fine was small, but they successfully appealed, and their appeal was upheld by the House of Lords in 1988.

4. UK Computer Misuse Act (CMA) 1990 Widely criticised at the time, the principles behind this law seem to have stood the test of time, though some of the maximum prison terms seem harsh. The CMA was introduced because of weaknesses thought to exist in previous laws after the acquittal on appeal of Gold and Schifreen. There are 3 sections creating new offences under this act. Subsection 3a was added to the 1990 act by section 37 of the Police and Justice Act 2006.

5. CMA Section 1 A section 1 offence under this act involves unauthorised access. Unauthorised access has to be attempted but does not have to succeed to be a criminal activity. The person attempting or gaining unauthorised access has to know this was unauthorised. There was some discussion, for example, about whether seeing a prompt provided by a Telnet/SSH server saying just login: constitutes an invitation to access the system. However, someone seeing this prompt will generally be expected to know whether or not they have been issued with a userid and password for the system in question. Trying a password is attempting to gain access, and knowing or correctly guessing a password isn't the same as being authorised to use it.

6. CMA 1 analogies While these are not the same offences, analogies can be drawn with traditional laws concerning trespass and breaking and entering. Trespass does not involve breaching any security barrier and is a civil law matter. Breaking and entering is a criminal offence.

7. CMA 1 - R. v Cuthbert 2005 Daniel Cuthbert was convicted and fined £400 plus £600 costs (and lost his job) for attempting unauthorised access to an Asian Tsunami charitable appeal donations site when inputting a path attack text string on a web browser when accessing a remote site (to which he had no special invitation to probe) : http://whatever.domain/../../../ He did this attempting to see whether files on the web server in parent and grandparent directory paths relative to the normal published web directory were accessible. This action set off an intrusion detection alarm, which was traced back to his Internet Protocol address.

8. CMA1 - penalties A CMA section 1 offence originally could result in up to 6 months imprisonment on a summary conviction (i.e. in a magistrates court) or a fine or both. The Police and Justice Act 2006 section 35 extends section 1 of the 1990 act to include enabling themselves or someone else at a later time to carry out unauthorised access as an offence. The maximum term was increased to 2 years imprisonment.

9. CMA1: What is unauthorised access ? In nearly all cases, users, employees, suppliers and customers etc. seem in practice to know what is authorised and what isn't. Situations where this is very likely to be worth clarifying include contractual penetration testing, and journalistic investigation into security issues of legitimate public concern. If you are considering working as a journalist on penetration testing a security system, ( e.g. by getting a job as a airline worker under false pretences) you will need to give the legal issues concerning employee confidentiality, deception and potential public-interest legal defences careful consideration and obtain legal advice before proceeding if you are in any doubt about the position you are placing yourself in.

10. CMA1 and contractual pentesting To access data you have to reasonably believe that you are authorised to do so. While the onus of proof is on the prosecution, to reduce the occupational hazard of wrongful arrest and conviction, those contractually involved in penetration-testing work to help an organisation evaluate its security systems and procedures are advised to obtain clear instructions in writing describing the scope of the work to be carried out, and carry copies of these instructions. These instructions should ideally be on the letterhead of the organisation authorising this work, and be signed by someone who is independently verifiable as being in a position to authorise this work and the contractual arrangement under which it is carried out.

11. CMA Section 2 Section 2 of the 1990 act makes carrying out section 1 offences while preparing to carry out further offences a more serious crime. For example, using unauthorised access to upload a computer virus to a system which has not yet been used to modify data, but with the intention of releasing it so that it would modify data if released would be a section 2 offence. So would unauthorised access to a bank's computer with the intention of carrying out a fraud. On indictment through a crown court, a section 2 offence originally resulted in a maximum of 5 years imprisonment under the 1990 act.

12. CMA2 going equipped analogy Preparing to do something illegal is a crime which concerns the state of someone's mind. This isn't a new issue for courts to deal with. Carrying a knife isn't an offence as such, e.g. if you are a chef on your way to work in a restaurant or a carpet fitter on route to or from a job. If the prosecution can prove the accused was intending to use it for a robbery, then carrying a knife is an offence.

13. CMA Section 3 This covers unauthorised modification of computer data. This includes changing database records and introducing malware, e.g. a trojan or virus into a system. R. v Vallor is an example. Simon Vallor was sentenced to 2 years imprisonment in 2003 after writing and distributing 3 computer viruses known to have infected 27,000 PCs. A similar case in the Netherlands resulted in the author of the more damaging Kournikova worm receiving 150 hours community service. This section was extended by the Police and Justice Act 2006 to include making deliberate denial of service attacks an offence. The maximum sentence was extended to 10 years.

14. CMA Section 3a This was added to the 1990 act by section 37 of the Police and Justice Act 2006. It concerns making and supplying or obtaining items intended for the purpose of section 3 or section 1 offences. The offender must be aware they are doing this.

15. Further reading on the CMA act http://en.wikipedia.org/wiki/Computer_misuse_act The Computer Misuse Act Wikipedia entry http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm Text of the act http://en.wikipedia.org/wiki/Police_and_Justice_Act_2006 Police and Justice Act 2006 (PJA) Wikipedia entry http://www.wikicrimeline.co.uk/index.php?title=Police_and_Justice_Act_2006 Police and Justice Act 2006 detailed commentary http://www.opsi.gov.uk/acts/acts2006/60048--f.htm#35 Text of The Police and Justice Act 2006 part 5 http://www.crimeupdate.net/crimebook/index.php?title=Computer_misuse_act WikiCrimeLine Commentary on the CMA act

16. UK Data Protection Act 1984 and 1998 This act regulates collection and use of data which can be used to identify a person. It creates obligations for those collecting and storing this data and it gives rights to "data subjects" or those about whom data is stored. It affects organisations and businesses, but doesn't cover domestic use, e.g. your address book.This act is mainly concerned with ensuring personal data is used for legitimate purposes. The act has exceptions. For example individuals would not normally have any right to know what was recorded about them as a suspect in connection with a police investigation, or even if they are not suspected should disclosure of this data be likely to compromise a police investigation.

17. DPA rights granted to data subjects This act grants an individual rights: ● To find out what data about him/her is held by an organisation. (Maximum cost currently £10). ● To have incorrect data concerning him/her to be corrected. (This is often significant in connection with credit reference agencies. ● To be removed from direct mailing lists. ● To prevent data about him/her being processed if this is likely to cause damage or distress.

18. DPA amending legislation The principles within this act were extended through the Freedom of Information Act 2000 which gives individuals specified rights in connection with access to information held on them by government organisations. The 1998 Data Protection Act replaced the 1984 Data Protection Act.

19. DPA sensitive personal data The 1998 DPA act introduced special provisions concerning sensitive personal data, including information about someone's beliefs, opinions, sexual orientation, ethnic origins, trade union membership, criminal record or alleged offences.

20. DPA Principles 1&2 Source: copied from from the 1998 act Schedule 1 1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless- ● (a) at least one of the conditions in Schedule 2 is met, and ● (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

21. DPA Principles 3-5 Source: copied from from the 1998 act Schedule 1 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. 4. Personal data shall be accurate and, where necessary, kept up to date. 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

22. DPA Principles 6-8 Source: copied from from the 1998 act Schedule 1 6. Personal data shall be processed in accordance with the rights of data subjects under this Act. 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. 8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

23. DPA principle 7 effects The Nationwide Building Society was recently fined £980,000 for a security lapse under the 1998 DPA. This affects anyone responsible for the security of an organisation's data, to the extent the data is personal or can identify individuals. Managers who might be reluctant to sign an order for software, equipment or services thought neccessary to secure personal data may take a different view when the legal liability such refusal could incur is explained. If you don't want to be held personally responsible for data not being secured when the budget isn't yours to sign, you may want to put expenditure requests related to an employer's legal obligation in writing and keep a copy off site.

24. Further reading on the DPA http://en.wikipedia.org/wiki/Data_protection_act Wikipedia DPA entry http://www.ico.gov.uk/ The UK Information Commissioner is responsible for oversight of the DPA. http://www.opsi.gov.uk/ACTS/acts1998/19980029.htm The text of the DPA.

25. UK Regulation of Investigatory Powers Act 2000 An explanation of the purpose of this act is in its official title: "An Act to make provision for and about the interception of, communications, the acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed; to provide for the establishment of a tribunal with jurisdiction in relation to those matters, to entries on and interferences with property or with wireless telegraphy and to the carrying out of their functions by the Security Service, the Secret Intelligence Service and the Government Communications Headquarters; and for connected purposes."

26. RIPA history and effects The RIPA act was passed in 2000. The act was passed with the intention of government ministers being able to activate parts of it as needed on grounds of national security. The RIPA act contains provisions for taps to be installed at large Internet Service Providers. There has been some discussion concerning who pays for this equipment. Objections from ISPs stating this would incur costs resulted in section 14 of the act stating that the government would pay. It is thought unlikely that the UK government is paying for taps at very small ISPs - and there is little preventing anyone concerned from acting as their own ISP.

27. RIPA access to cryptographic keys Part 3 of this act provides for access by government agencies to encryption keys. Journalistic accounts exist of 2 convictions for refusal. The original proposed legislation was contentious in the sense of presumption of guilt - the individual had to prove that they did not have the key rather than the police having to prove that they did have it but deliberately and knowingly withheld it.

28. Further reading on the RIPA http://en.wikipedia.org/wiki/RIPA Wikipedia RIPA entry http://www.opsi.gov.uk/acts/acts2000/20000023.htm The text of the act. http://www.fipr.org/rip/ RIPA information centre http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis Rubber hose cryptanalysis - the use of coercion to obtain cryptographic keys.

29. The Data Retention Directive “The Data Retention Directive 2006/24/EC of the European Parliament and Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC" relates to Telecommunications data retention. According to the directive, member states must store citizens' telecommunications data for six to 24 months. Under the directive the police and security agencies can request access to details such as IP address and time of use of every email, phone call and text message sent or received. Permission to access the information will be granted only by a court.” http://en.wikipedia.org/wiki/Data_Retention_Directive The UK implementation of this directive gives a retention period of 12 months.

30. Software Patents 1 Software patents are allowed within the US. Software "as such" is not patentable within EU. Some legal opinions suggest that software may be patentable within the EU under certain circumstances when used as part of a non-obvious innovation which creates a "technical effect". Software patents are a security concern based upon the widespread view that these do more to hinder than incentivise the process of security innovation and standardisation.

31. Software Patents 2 To the extent they hinder innovation it has been argued that patents constrain implementation of security-relevant standards. An example is that implementations of the RSA cryptography algorithm were constrained within the US prior to the expiry of the RSA patent in September 2000. Internet standards documents are traditionally considered to be free software. An example where patent license was considered incompatible with free software concerns Microsoft's SenderID implementation of the independently developed Sender Policy Framework (SPF) email origin authentication standard.

32. Do software patents promote or hinder innovation ? Here's a quote from Bill Gates. (Source: Fred Warshofsky in "The Patent Wars" of 1994. The text is from an internal memo written by Bill Gates to his staff.) "If people had understood how patents would be granted when most of today's ideas were invented and had taken out patents, the industry would be at a complete standstill today.... The solution is patenting as much as we can. A future startup with no patents of its own will be forced to pay whatever price the giants choose to impose. That price might be high. Established companies have an interest in excluding future competitors."

33. Copyright Law Copyright law granted incentives, starting around the eighteenth century, for writers and publishers in respect of mechanical copying of content (initially printing). The rights of authors were fostered by creating new offences which affected very few people prior to the consumer electronics industry. Copyright helped foster the development of a publishing industry including books, films, music and TV. The packaged content industry is active in protecting its interests against now very widespread infringement. More recently technologies have been developed on behalf of the content industry with the intention of making copying of content difficult. These technical copy-prevention methods will be reviewed in another lecture.

34. US Digital Millennium Copyright Act The Digital Millennium Copyright Act makes copy- prevention circumvention technology an offence within the US. Certain exemptions are allowed, including products which enable digital preservation, and for computer maintenance engineers to take backups of customer- purchased content. The imprisonment prior to the trial of Dmitry Sklyarov while visiting the US gave the DMCA extraterritorial effect. The charges were later dropped and he was allowed to return home to Russia. Sklyarov had developed technology in Moscow which circumvented Adobe's e-book copy prevention technology. It has been argued that this circumvention technology also had legitimate uses within the US, including making e-books accessible to blind readers using Braille.

35. Criticisms of the DMCA If computer source code is a form of speech, the DMCA denies rights theoretically guaranteed by the US constitution, in connection with speech concerning defects in specific copy- prevention technologies. The DMCA privatises the creation of law, in that it enables those developing copy-prevention technologies to overrule previous case-law exemptions to copyright collectively labelled "fair use". These have traditionally included exemptions for class handouts, use of photocopiers in libraries and rights to quote small sections of copyright materials in satirical, critical or scholarly contexts. The DMCA has been used by manufacturers to attempt to eliminate competition in markets for compatible components of garage door opening systems and inkjet replacement cartridges.

36. Further reading on the DMCA http://en.wikipedia.org/wiki/DMCA http://en.wikipedia.org/wiki/Dmitri_Sklyarov Wikipedia DMCA and Dmitry Sklyarov entries http://www.freesklyarov.org/letters/010728-kay.html Letter to US Ambassador about the Sklyarov case. http://www.wired.com/news/technology/0,1282,60383,00.html http://news.zdnet.com/2110-9595_22-979834.html Use of DMCA to prevent competition in replacement keys and printer consumables.

37. Contract law and system security 1 A contract exists when a buyer and seller agree an exchange, typically goods or services for an agreed price. Most software comes without guarantees. It is debateable whether click-through licenses are compatible with other laws unless and until tested in court. For software sold to the consumer market, it is up to the buyer to check and confirm suitability for purpose prior to installation.

38. Contract law and system security 2 The buyer has room to negotiate terms in respect of bespoke software designed for a purchaser requirement. Contracts where the contractor retains exclusive copyright of the software created and the purchaser does not obtain source code access can result in security weaknesses being discovered which the customer is unable to remediate, and where the original contractor or software supplier may no longer be in business or willing to offer a price acceptable to the customer.