1.9 The Legal Framework
In this section you must be able to:
• Describe the provisions of the Computer Misuse Act.
• Describe the principles of software copyright and licensing agreements.
New Crimes Made Possible by ICT
New technology has created opportunities for crime:
• Software piracy (copying software illegally to sell)
• Hacking (unauthorised access to computer systems)
• Creation and distribution of viruses
• Distributing pornographic and other obscene material
• Fraudulent trading
• Credit card fraud
Abuse of ICT
There are also opportunities for the abuse of ICT:
• Sending unsolicited e-mails (now an offence in some countries)
• Creating inappropriate or misleading web-sites
• Registering a domain that might appear to belong to someone else – “cyber-squatting”
Inappropriate use of ICT is not necessarily illegal. It’s important to distinguish between:
• Unethical use of ICT – i.e. morally questionable
Where do Laws Come From?
There are three sources of law:
• Case law – i.e. judges’ rulings in court cases
• Acts of Parliament – e.g. Data Protection Act
• European laws & directives – e.g. VDU use
Laws change for many reasons:
Laws Affecting ICT
There are various laws covering use of ICT:
• Computer Misuse Act 1990
• Data Protection Act 1984 & 1998
• Copyright, Designs and Patents Act 1988
• European VDU & health directive 1992
Plus, more general guidelines such as:
• Health and Safety legislation
• Offices, Shops and Railways Act 1963
• Contract law – shrink-wrap agreement controversy!
Computer Misuse Act
• In 1988 two teenagers “hacked” the Duke of Edinburgh’s e-mail account and changed a message
• They were taken to court, but hadn’t actually committed an offence (there was no theft and no fraud committed)
• People also started getting worried about viruses, which had started to appear in 1986
• In response, the government introduced the Computer Misuse Act
Under the CMA there are three offences:
• Unauthorised access to computer programs or data
• Unauthorised access with further criminal intent
• Unauthorised modification of computer material (programs or data)
However…
• Unauthorised access can be difficult to detect
Computer Misuse Act
The CMA therefore protects us against:
• Hacking
• Theft and Fraud
• “Logic Bombs”
• “Denial of Service” attacks
• Viruses could commit offences at different levels depending on the payload:
– Some display harmless messages
– Some are deliberately malicious
Other Measures to Prevent Misuse
Other steps can be taken to prevent misuse.
• JavaScript, for example, was created with computer misuse in mind and was designed to prevent it being used to create viruses:
– JavaScript cannot write directly to discs (other than cookies) and so cannot delete or change any files
Copyright and Patent
• Patents cover the ideas and concepts on which products or services operate:
– You can only patent software that performs a technical function – e.g. an encryption algorithm
– You can’t patent software that performs a human function, such as translating English to French
• Copyright covers the implementation of the
Copyright, Designs and Patents Act
• Under this act it is illegal to:
– Copy software
– Run pirated software
– Transmit software over a telecommunications link (thereby copying it)
• The act is enforced by FAST – the Federation Against Software Theft (also FACT for general copyright)
• The enforcement is complicated by:
– The confusion between copyright and patent
– Whether you can copyright a “look and feel”
Using Computers to Combat Crime
Computers can also be used to solve crimes:
• The Police National Computer (PNC) now allows forces across the country to share information
• Number-plate recognition can be used to identify people committing motoring offences
• Mobile phone records can be used to locate criminals and victims of crime
Data Protection
• We all have a right to privacy
• There might be a variety of reasons why you’d want to keep something private:
– It might be possible to use the information for fraudulent purposes
– The information might be of a sensitive nature, such as medical records
– You might just not want people to know!
Data Protection Act
The Data Protection Act…
• Was introduced in 1984 and updated in 1998 to create a standard for data protection across Europe
• Originally covered personal data that are automatically processed but now covers some manual records as well
• Defines the terms data subject (the person about whom data is held) and data controller (called data user in the 1984 version)
• Requires that all data controllers (and the nature of the processing they do) must be recorded on the public register of data controllers
Data Protection Act – Eight Principles
Under the Data Protection Act, data must be…
• fairly and lawfully processed;
• processed for limited purposes and not in any manner incompatible with those purposes;
• adequate, relevant and not excessive;
• accurate;
• not kept for longer than is necessary;
• processed in line with the data subject's rights;
• secure;
Processing Personal Data
• Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual.
• Processing can only be carried out where:
– the individual has given his or her consent;
– the processing is necessary for the performance of a contract with the individual;
– the processing is required under a legal obligation;
– the processing is necessary to protect the vital interests of the individual;
– the processing is necessary to carry out public functions;
– the processing is necessary in order to pursue the
Data Protection Act – What Else?
• It covers any information recorded as part of a “relevant filing system” – i.e. information that is “readily accessible”
• Data controllers must take security measures to safeguard personal data – i.e. to prevent
unlawful processing or disclosure
• There are certain exemptions from the DPA
DPA – The Rights of Individuals
If data are held about you, you are entitled to be…
• given a description of the data
• told for what purposes the data are processed
• told the recipients or the classes of recipients to whom the data may have been disclosed
• given a copy of the information with any unintelligible terms explained
• given any information available to the controller about the source of the data
DPA – The Rights of Individuals
Further rights include:
• The right to access the data held – within 40 days and at a cost of no more than £10 for computer records and £50 for paper records
• The right to rectify, block, erase or destroy details that are inaccurate, or opinions based on inaccurate data
• The right not to have your details used for direct marketing
Exemptions from the DPA
The Act does not apply to:
• Payroll, pensions and accounts data
• Names and addresses held for distribution purposes
• Personal, family, household or recreational use
• Data can be disclosed to an agent of the subject, or in response to a medical emergency
• Use of data in cases dealing with national
Criminal Offences under the DPA
• Notification offences – where the data controller fails to notify the commissioner of processing or changes to processing
• Procuring and selling offences – disclosing, selling or obtaining data without authorisation
• Enforced access offences – e.g. you can’t make someone make an access request as a condition of employment
Freedom of Information Act
• Covers all types of 'recorded' information held by public authorities
• Covers personal and non-personal data
• Public authorities include:
– Government Departments
– local authorities
– NHS bodies
– schools, colleges and universities
– the Police
– Parliament
– The Post Office