1.

9 The Legal Framework

In this section you must be able to:

Describe the provisions of the Computer Misuse Act. Describe the principles of software copyright and licensing agreements. Recall the nature, purpose and provisions of the current data protection legislation rights, duties, exemptions, etc.

New Crimes Made Possible by ICT

New technology has created opportunities for crime:
Software piracy (copying software illegally to sell) Hacking (unauthorised access to computer systems) Creation and distribution of viruses Distributing pornographic and other obscene material Fraudulent trading Credit card fraud

Terrorist activity and blackmail

Abuse of ICT
There are also opportunities for the abuse of ICT:
Sending unsolicited e-mails (now an offence in some countries) Creating inappropriate or misleading web-sites Registering a domain that might appear to belong to someone else cyber-squatting Inappropriate use of ICT is not necessarily illegal.

Its important to distinguish between:

Unethical use of ICT i.e. morally questionable Criminal activity i.e. an offence under the various laws covering use of ICT

Where do Laws Come From?

There are three sources of law: Case law i.e. judges rulings in court cases Acts of Parliament e.g. Data Protection Act European laws & directives e.g. VDU use

Laws change for many reasons:

Social and political pressure e.g. dangerous dogs Reaction to specific cases e.g. Gold & Shiffreen Combinations and clarifications of previous laws To close loopholes e.g. making off and hacking

Laws Affecting ICT

There are various laws covering use of ICT
Computer Misuse Act 1990 Data Protection Act 1984 & 1998

Copyright, Designs and Patents Act 1988

European VDU & health directive 1992 Plus, more general guidelines such as: Health and Safety legislation Offices, Shops and Railways Act 1963 Contract law shink-wrap agreement controversy! Plus what about things such as professional advice given by a computer?

Computer Misuse Act

In 1988 two teenagers hacked the Duke of Edinburghs e-mail account and changed a message They were taken to court, but hadnt actually committed an offence (there was no theft and no fraud committed) People also started getting worried about viruses, which had started to appear in 1986
In response, the government introduced the Computer Misuse Act in 1990

Computer Misuse Act

Under the CMA there are three offences: Unauthorised access to computer programs or data Unauthorised access with further criminal intent Unauthorised modification of computer material (programs or data) However

Unauthorised access can be difficult to detect

The first people to be prosecuted (in 1997) were caught when boasting about their crime!

Computer Misuse Act

The CMA therefore protects us against:
Hacking Theft and Fraud

Logic Bombs
Denial of Service attacks Viruses could commit offences at different levels depending on the payload:
Some display harmless messages Some are deliberately malicious

Some are unintentionally dangerous

Other Measures to Prevent Misuse

Other steps can be taken to prevent misuse.
JavaScript, for example, was created with computer misuse in mind and was designed to prevent it being used to create viruses:
JavaScript cannot write directly to discs (other than cookies) and so cannot delete or change any files There is no direct access to memory or to other hardware

Copyright and Patent

Patents cover the ideas and concepts on which products or services operate:
You can only patent software that performs a technical function e.g. an encryption algorithm You cant patent software that performs a human function, such as translating English to French

Copyright covers the implementation of the idea the actual words, images and sounds that you use

Copyright, Designs and Patents Act

Under this act it is illegal to:
Copy software Run pirated software Transmit software over a telecommunications link (thereby copying it)

The act is enforced by FAST the Federation Against Software Theft (also FACT for general copyright)

The enforcement is complicated by:

The confusion between copyright and patent Whether you can copyright a look and feel Contracts such as licensing and acceptable use agreements

Using Computers to Combat Crime

Computers can also be used to solve crimes:
The Police National Computer (PNC) now allows forces across the country to share information Number-plate recognition can be used to identify people committing motoring offences

Mobile phone records can be used to locate criminals and victims of crime
Audit logs and records of e-mails and network traffic could be used as evidence

Data Protection
We all have a right to privacy
There might be a variety of reasons why youd want to keep something private:
It might be possible to using the information for fraudulent purposes
The information might be of a sensitive nature, such as medical records You might just not want people to know!

The Data Protection Act is to protect privacy

Data Protection Act

The Data Protection Act Was introduced in 1984 and updated in 1998 to create a standard for data protection across Europe Originally covered personal data that are automatically processed but now covers some manual records as well

Defines the terms data subject (the person about whom data is held) and data controller (called data user in the 1984 version)
Requires that all data controllers (and the nature of the processing they do) must be recorded on the public register of data controllers Is overseen by the Information Commissioner

Data Protection Act Eight Principles

Under the Data Protection Act, data must be fairly and lawfully processed; processed for limited purposes and not in any manner incompatible with those purposes; adequate, relevant and not excessive; accurate; not kept for longer than is necessary; processed in line with the data subject's rights; secure; not transferred to countries without adequate protection.

Processing Personal Data

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual. Processing can only be carried out where:
the individual has given his or her consent; the processing is necessary for the performance of a contract with the individual; the processing is required under a legal obligation; the processing is necessary to protect the vital interests of the individual; the processing is necessary to carry out public functions; the processing is necessary in order to pursue the legitimate interests of the data controller or third parties

Data Protection Act What Else?

It covers any information recorded as part of a relevant filing system i.e. information that is readily accessible Data controllers must take security measures to safeguard personal data i.e. to prevent unlawful processing or disclosure There are certain exemptions from the DPA

Data subjects have rights that are defined in the act

DPA The Rights of Individuals

If data are held about you, you are entitled to be given a description of the data told for what purposes the data are processed told the recipients or the classes of recipients to whom the data may have been disclosed

given a copy of the information with any unintelligible terms explained

given any information available to the controller about the source of the data given an explanation as to how any automated decisions taken about you have been made

DPA The Rights of Individuals

Further rights include: The right to access the data held within 40 days and at a cost of no more than 10 for computer records and 50 for paper records The right to rectify, block, erase or destroy details that are inaccurate, or opinions based on inaccurate data The right not to have your details used for direct marketing The right to compensation for damage caused if the Data Protection Act is breached

Exemptions from the DPA

The Act does not apply to: Payroll, pensions and accounts data Names and addresses held for distribution purposes

Personal, family, household of recreational use

Data can be disclosed to an agent of the subject, or in response to a medical emergency

Use of data in cases dealing with national security, the prevention of crime, or the collection of taxes & duty

Criminal Offences under the DPA

Notification offences where the data controller fails to notify the commissioner of processing or changes to processing Procuring and selling offences disclosing, selling or obtaining data without authorisation Enforced access offences e.g. you cant make someone make an access request as a condition of employment Other such as failure to respond to a request or to breach an enforcement notice

Freedom of Information Act

Covers all types of 'recorded' information held by public authorities Covers personal and non-personal data

Public authorities include:

Government Departments local authorities NHS bodies

schools, colleges and universities

the Police Parliament The Post Office

The National Gallery

The Parole Board Plus lots, lots more!