This document summarizes various UK laws related to computer and data security, including the Computer Misuse Act, Data Protection Act, Regulation of Investigatory Powers Act, Obscene Publications Act, and Protection of Children Act. It provides overviews of these acts and notes what behaviors they do and do not cover. For example, it states that denial of service attacks are not covered by the Computer Misuse Act. The document also gives advice on monitoring employees and when interception of communications is allowed.
2. “I AM NOT A LAWYER”
This is not legal advice.
This was written in 2003, laws change.
3. Overview
Computer Misuse Act
Data Protection Act
RIPA / Lawful Business Practice Regulations
Obscene Publications Act
Protection of Children Act
Summary
4. Most activity is covered under existing laws and regulations:
Harassment
Fraud
Theft etc.
Police are constrained and empowered by other legislation:
Police and Criminal Evidence Act 1984
Regulation of Investigatory Powers Act 2000
Be wary of taking technical instruction from the Police.
Once you act as an ‘agent’ of the Police then the evidence you produce is bound by the same legislation they are bound by.
6. Section 1 lacks teeth.
Sentence is a fine or 6 months. Rarely custodial.
Highlighted by the prosecution of Mathew Bevan (Kuji) and Richard Pryce (Datastream Cowboy) for the 1993 Rome Labs Hack.
Pryce, prosecuted under Section 1, got only community service. Bevan was not prosecuted as it wasn’t seen as worthwhile by the Crown Prosecution Service.
7. Denial of Service Attacks
Email Flood
SYN Flood
DDoS
No access = not a Section 1 or 2 offence
No modification = not a Section 3 offence
8. Raphael Gray (Curador) 2000
Stole many credit card records from a number of ecommerce websites.
His defence: at no point was he aware of the limit of his authorisation to access public services.
Pleaded guilty, so the defence was not tested.
Consider using the HTTP Server header to contain an authorisation statement.
9. What is Authorisation?
Authority Credentials – Username / Password
What are you authorised to do?
Pin it down with Acceptable Use Statements for users and Job Descriptions for employees.
10. Administered by the Information Commissioner
http://www.dataprotection.gov.uk/
Covers data that identifies individuals
8 Principles – 2 are particularly relevant.
Appropriate technical and organisational measures should protect the data.
▪ Failure to provide such measures is an offence under the act.
Data should not be held for any longer than is necessary.
▪ Current practice at a financial services client is to hold investigation related data for at least 6 months but to formally review the requirement for the data retention every 12 months.
11. Sensitive Data
Racial / ethnic origin
Political opinions
Religious beliefs
Membership of a trades union
Physical or mental health
Sexual life
Criminal record
12. “...where monitoring goes beyond mere human observation and involves the collection, processing and storage of any personal data it must be done in a way that is both lawful and fair to workers.”
Must conduct an “impact assessment” for any monitoring.
Employee consent is NOT required UNLESS the data to be monitored is “sensitive data” as described under the DPA.
Covert monitoring requires authorisation at a “senior level” within the business.
13. RIPA introduced to cope with the change in communications systems since the rapid growth of the Internet.
Mainly focused on issues of interception and intrusive investigation.
Includes provision for law enforcement and other public bodies to try to deal with the rapid spread of good quality encryption systems.
Restrictions on businesses detailed in the Lawful Business Practice Regulations.
14. Under RIPA it is against the law for a business to intercept communications on its systems.
Exceptions:
Under a warrant
Consent of sender and receiver
Required for the operation of the system
15. Flowchart (interception decision tree, part 1). Questions in order: Is there an interception? Have senders and receivers both given consent? Is the interception connected with the operation of the communications system? A Yes to either of the last two questions leads to “Continue”; the other outcome is “No interception can take place”.
16. Flowchart (interception decision tree, part 2, Lawful Business Practice Regulations). Questions: Is the interception only for monitoring business related communications? Is the interception to decide whether a communication is business related? Is a confidential telephone counselling service involved? Have all reasonable efforts been made to inform users of interception? Is the interception for an authorised business purpose? Outcomes: “Interception can take place” or “No interception can take place”.
17. Authorised Business Use
“to prevent and detect crime”
“to investigate or detect unauthorised use of the telecommunications system”
“to ensure the security of the system and its effective operation”
However, must make all reasonable efforts to inform users of interception.
Workers, including temporary or contract staff, will be users of the system but outside callers or senders of e-mail will not be.
18. Amended by the Criminal Justice and Public Order Act 1994
Obscene Material is “material that would tend to corrupt those exposed to it”
Case law suggests it is also obscene if it maintains a level of corruption.
Very much open to interpretation by the court, no absolutes.
No offence of possession.
Offence of “Showing, distributing or publishing”.
19. Offences:
Taking, distributing or showing indecent photographs or pseudo-photographs of children.
Possessing indecent photographs or pseudo-photographs of children.
These are absolute offences; there is no valid reason to knowingly possess these images.
It is only recently that case law established the Police themselves may legally possess this material for investigation.
Contact the police as soon as you discover this material. It is likely they will seize the disk and any backups and it will NOT be returned.
If you require other legal material from the seized disks you can request them to copy it for you. You will probably be charged for this.
20. The intent to commit or the commission of a non-CMA crime is more likely to lead to successful criminal prosecution.
Work with the Police but be wary of following their direction without detailed support on evidential matters.
Interception is allowed but must be formally reviewed to meet both DPA and Lawful Business Practice requirements before it is carried out.
Inform users and employees about the possibility of monitoring through system banners and acceptable use policies.