Legal Issues in Computing

Transcript

1. Legal and Professional Issues in Computing Revision for people who

   didn’t go to lectures all semester. 1

2. Privacy 2

3. Context We share and exchange an unprecedented amount of data

   There’s no clear division between private and public life 3

4. Article 8 Human Rights “Everyone has the right to respect

   for his private and family life, his home and correspondence.” EXCEPTIONS: National / Public Security Economic well-being Prevention of crime or disorder Protection of health / morals / rights and freedoms 4

5. Opt In Allows the sharing & gathering of information Opt

   Out Forbids the sharing & gathering of information 5

6. Regulation of Investigatory Powers Act (RIPA) [2000] Home Secretary can

   order the interception of external communications An ISP can not ever tell anyone it has been served with an interception warrant. If it does it can face 5 years of jail time. 6

7. Ethics 7 The science of duty or the branch of

   knowledge that deals with moral obligations

8. Points of View Utilitarian Looks forward to the consequences of

   actions. “The greatest happiness for the greatest number” Deontological Looks back to value systems and stresses duties. “This is what the law says”
 “This is what the bible says” 8

9. Ethics and the Law Law is the state taking responsibility

   for some ethical matters and enforcing the rules.
 Boundaries between ethics and law are often unclear. 9

10. TORT Defamation Civil Law Criminal Law 10

11. Hacking 11

12. The Law Computer Crime Offences committed through the use of

    a computer Cyber Crime Offences committed
 against a computer 12 VS

13. Council of Europe Convention & Cybercrime (2001) Covers: Substantive computer

    crimes
 Government access to comms and data
 Trans-border Illegal Access (Article 2)
 Illegal Interception (Article 3)
 Data Interference (Article 4)
 System Interference (Article 5)
 Misuse of devices (Article 6)
 Computer Forgery (Article 7)
 Computer Fraud (Article 8)
 Child Porn (Article 9)
 Copyright Infringement (Article 10) 13

14. Computer Misuse Act (1990) Section 1: Unauthorised access to computer

    material - Simple hacking. - 2 years in prison and/or max fine. Section 2: As (1) + intent to commit further offences - Stealing info / using it for blackmail. - 5 year in prison and/ or unlimited fine. Section 3: As (1) + doing pretty mean things to people. - Distributing viruses. Deletion. Fraud. Etc. - Max 10 years in prison and/or fine. 14

15. Computer Misuse Act (1990) Max punishments amended by the Police

    Justice Act (2006). The Fraud Act (2007) covers phishing / spoofing. If an individual copies stolen data, they are liable under Computer Misuse act and the DPA. 15

16. Hacking Terms 101 Interception
 Gaining unauthorised access Interruption
 Making something

    unavailable or unusable Modification
 Unauthorised tampering Fabrication
 Unauthorised creation of fake data 16

17. Hacking Terms 101 Virus
 Attaches itself to and infects user

    files. They can replicate. 
 Worms
 Independent malicious programs. Can spread by themselves. Trojan Horse
 Looks legit. Performs malicious operations secretly.
 Network Scanners
 Check for vulnerabilities in your own system. 17

18. Hacking Terms 101 Confidentiality
 Access only to authorised people Integrity


    Modification only by authorised people Availability
 Available to authorised people 18

19. Methods of Defence Encryption
 Symmetric. Asymmetric. Man in the Middle.

    Trusted CA.
 
 Transport Layer Security (Handshaking)
 Snooping. Spoofing. DNS Spoofing. ARP Spoofing. 19

20. SYN Sends a flood of TCP packets. The server sends

    back a TCP/SYN-ACK response, and waits for the send to reply. These half-open connections saturate the number of available connections. 20 Ping Sends echo requests immediately after receiving a reply to the last. Only a (sudo) can do this. Only works if the attacker has > bandwidth than the victim. ICMP packets use in / out bandwidth.

21. Email Spoofing The email senders address and header is altered

    to appear as though the email came from a different source. This works because SMTP doesn’t provide authentication. 21

22. Smurf Attack A misconfigured device allows packets to be sent

    to all the hosts on a particular network, via the broadcast address. The device effectively acts as an amplifier. The attacker uses ICMP Echo packets (Ping Flood). 22

23. Security Tools Firewalls Filters traffic between networks (Packet // NAT)

    Intrusion Detection Systems Scan the host and alert admin to suspicious activity 23

24. Data Protection Act 24

25. Articles 1-8 Fair and lawful usage. Used for limited, stated

    purposes. Adequate, relevant and non-excessive. Kept up to date. Not kept for too long. Processed in accordance with rights. Securely held. Not transferred out of EU w/o protection. 25

26. Individual Rights Request (in writing) whether they are processing any

    personal data, including a description of the data and the reason it’s being processed. A copy of all the data may also be requested, as well as information on how it was collected. 26 A FEE may be charged 40 DAYS to reply to requests

27. Exemptions 1. Staff Payroll (don’t have to notify ICO) 2.

    If disclosure of data about other people is involved 3. Credit Reference Agencies 4. Disproportionate effort required to make a copy 5. Repeated or unreasonable requests 6. Criminal Justice and Taxation 7. Domestic Purposes 27

28. Information Commissioners Office Enforce DPA, FoI and Electronic Communication Regulations.

    Prosecute offenders Issues guidance and codes of practice 28

29. Half Way Point Grab yourself a sandwich, you’re almost done!

    29

30. Freedom of Expression 30 Everyone has the right to Freedom

    of Expression. This includes holding opinions and the sharing information and ideas without interference.

31. Protection First Amendment of the US Constitution (1791) Universal Declaration

    of Human Rights (1948) Article 19 European Convention on Human Rights (1950) Article 10 Human Rights Act (1998) Article 10 31

32. Constraints Obscene Publications Act (1959, 1964) Protection of Children Act

    (1978) Official Secrets Act (1989) Computer Misuse Act (1990) Criminal Justice & Public Order Act (1994) Defamation Act (2013) 32

33. Defamation Act (2013) Aiming to ensure there is a balance

    between FoE and the right to defend ones self. Have to show serious harm before suing for defamation. Increased protection to hosts of user-gen content. Add defence: ‘Responsible publication on matter of public interest’ 33

34. Workplace Monitoring 34

35. Employers have the legal right to monitoring employees. If the

    monitoring is justified, no consent is needed. 35 “

36. Pros
 Prevent productivity loss
 Reduce legal liability
 Protect assets
 Minimise

    -ve publicity
 36 
 Cons
 Undermines trust
 Measure quantity over quality
 Invasion of privacy
 No distinction between work / private life

37. Employers Should… Only collect relevant information Provide employees with notice,

    as well as avenues for appeal. Verify information before using it in evaluations. Make the data available to employees, as well as provide financial compensation if privacy rights are violated. Have a maximum data retention time. 37

38. ACAS Discipline Principles Informal Action should be prioritised Full investigation

    before action is taken. Employees should know of the complaint & have opportunity to defend. Employees should be given copies of evidence before a meeting. Employees have the right to be accompanied by union / friends. No employee can be dismissed for a first breach of discipline. Employee has the right to appeal. 38

39. Gross Misconduct (Grounds for dismissal) Theft / Fraud Bullying Property

    damage Insubordination Discrimination Serious Negligence Breach of H&S Breach of Confidence Use of drugs / alcohol Porn @ Work 39

40. Gross Misconduct Procedure 1. Suspended from work on full pay

    (for < 5 days). 2. Investigate the claims. 3. If the business is satisfied the claim is true, it can dismiss without notice. 4. An appeal can be made within 5 days. 40

41. Freedom of Information 41

42. 3 Codes of Practice 1. Responding to requests for information

    2. Records Management
 Public Records Act (1958), Public Records NI Act (1923) 3. Obligations of public authorities
 Environmental Information Regulations Act (2004) 42

43. Public Authorities Covered 43 Central & Local Government Non-departmental public

    bodies NHS Bodies Schools, colleges and universities NI Assembly Emergency Services House of Commons / Lords National Assembly of Wales

44. Role of the ICO 1. Enforce Compliance 2. Promote good

    practice 3. Approve / Advise on publication schemes 4. Advise the public of their rights 5. Report to parliament 44

45. Making a Request 1. Ask in writing (includes fax /

    email) 2. Give your name and address 3. Describe the information you want 45 
 You don’t have to live in the UK, be a British Citizen, or say why you want the information

46. Responding to a Request 1. Within 20 working days 2.

    Can charge a fee 3. Must tell the requester if the data is held 4. Must give a reason if data is refused 5. Must tell the application they have the right to complain 46

47. Exemptions National Security Law Enforcement Commercial Interests Personal Data Public

    Interest Test 47

48. Appeals 1. Via authorities own complaints procedure 2. Information Commissioner

    3. Cabinet Minister can obtain an executive override for the authority 48

49. Intellectual Property 49

50. Patent Invention Design Right Aesthetic look Trademark Distinguishable graphical sign

    Confidential Trade secrets Copyright Fixed expression of an idea 50

51. Copyright This deals with the expression of an idea -

    but not the idea itself. The expression must be original and have required labour, skill, and judgement. 51 15Y databases 25Y typographical arrangement 50Y sound recordings 70Y literature, art, drama, software

52. Copyright Restricts… Making and issuing copies Renting or lending copies

    Performing / Showing / Playing Adaption
 Exemptions: Libraries, Private use, Schools for education 52

53. Preventing Copies DRM
 Encryption
 Watermarks
 Intentional Mistakes EXEMPTIONS: Back-ups
 De-compilation


    Correcting Errors 53

54. Copyright Designs and Patents Act (1988) Copying is allowed if:

    It’s incidental
 It is for the lawful use of work
 It’s for the purpose of transmission
 Has no independent economic significance
 
 This excludes programs and databases 54

55. Databases Copyright Expire 15y after last investment was made. Infringement

    occurs when data is extracted / reused. 55

56. You’re Done! Now go and have a beer. 56