UK Legal Framework (2003)


A presentation I gave to a private security conference in 2003.

I am not a lawyer and this isn't legal advice. The legal world has changed since 2003.



  1. Phil Huggins, Private Security Conference, Winter 2003
  2. “I AM NOT A LAWYER.” This is not legal advice. This was written in 2003; laws change.
  3. Overview
     • Computer Misuse Act
     • Data Protection Act
     • RIPA / Lawful Business Practice Regulations
     • Obscene Publications Act
     • Protection of Children Act
     • Summary
  4. Most activity is covered under existing laws and regulations:
     • Harassment
     • Fraud
     • Theft, etc.
     Police are constrained and empowered by other legislation:
     • Police and Criminal Evidence Act 1984
     • Regulation of Investigatory Powers Act 2000
     Be wary of taking technical instruction from the Police. Once you act as an ‘agent’ of the Police, the evidence you produce is bound by the same legislation they are bound by.
  5. Computer Misuse Act
     • Targets criminal computer manipulation
     • Modelled on trespass
     • Section 1 – Unauthorised Access
     • Section 2 – Unauthorised Access With Intent
     • Section 3 – Unauthorised Modification of Contents
  6. Section 1 lacks teeth: the sentence is a fine or 6 months, and is rarely custodial. This was highlighted by the prosecution of Mathew Bevan (Kuji) and Richard Pryce (Datastream Cowboy) for the 1993 Rome Labs hack. Pryce, prosecuted under Section 1, got only community service. Bevan was not prosecuted, as it wasn’t seen as worthwhile by the Crown Prosecution Service.
  7. Denial of Service attacks
     • Email flood
     • SYN flood
     • DDoS
     No access = not a Section 1 or 2 offence. No modification = not a Section 3 offence.
  8. Raphael Gray (Curador), 2000: stole many credit card records from a number of e-commerce websites. His defence: at no point was he aware of the limit of his authorisation to access public services. He pleaded guilty, so the defence was not tested. Consider using the HTTP Server header to carry an authorisation statement.
  9. What is authorisation? Authority; credentials (username / password). What are you authorised to do? Pin it down with Acceptable Use Statements for users and job descriptions for employees.
  10. Data Protection Act
     • Administered by the Information Commissioner
     • Covers data that identifies individuals
     • 8 principles; 2 are particularly relevant:
       ▪ Appropriate technical and organisational measures should protect the data. Failure to provide such measures is an offence under the Act.
       ▪ Data should not be held for any longer than is necessary. Current practice at a financial services client is to hold investigation-related data for at least 6 months but to formally review the requirement for the data retention every 12 months.
  11. Sensitive data
     • Racial / ethnic origin
     • Political opinions
     • Religious beliefs
     • Membership of a trades union
     • Physical or mental health
     • Sexual life
     • Criminal record
  12. “…where monitoring goes beyond mere human observation and involves the collection, processing and storage of any personal data it must be done in a way that is both lawful and fair to workers.” You must conduct an “impact assessment” for any monitoring. Employee consent is NOT required UNLESS the data to be monitored is “sensitive data” as described under the DPA. Covert monitoring requires authorisation at a “senior level” within the business.
  13. RIPA was introduced to cope with the change in communications systems since the rapid growth of the Internet. It is mainly focused on issues of interception and intrusive investigation, and includes provision for law enforcement and other public bodies to try to deal with the rapid spread of good-quality encryption systems. Restrictions on businesses are detailed in the Lawful Business Practice Regulations.
  14. Under RIPA it is against the law for a business to intercept communications on its systems. Exceptions:
     • Under a warrant
     • Consent of sender and receiver
     • Required for the operation of the system
  15. [Flowchart: may an interception take place? (part 1)]
     • Is there an interception? No → no interception can take place. Yes → next question.
     • Have senders and receivers both given consent? Yes → Continue. No → next question.
     • Is the interception connected with the operation of the communications system? Yes → Continue. No → part 2.
  16. [Flowchart: may an interception take place? (part 2) – decision points, branch layout not recoverable]
     • Is the interception only for monitoring business-related communications?
     • Is the interception to decide whether a communication is business related?
     • Is a confidential telephone counselling service involved?
     • Is the interception for an authorised business purpose?
     • Have all reasonable efforts been made to inform users of interception?
     Outcomes: “No interception can take place” / “Interception can take place”.
  17. Authorised business use
     • “to prevent and detect crime”
     • “to investigate or detect unauthorised use of the telecommunications system”
     • “to ensure the security of the system and its effective operation”
     However, you must make all reasonable efforts to inform users of interception. Workers, including temporary or contract staff, will be users of the system, but outside callers or senders of e-mail will not be.
  18. Obscene Publications Act
     • Amended by the Criminal Justice and Public Order Act 1994.
     • Obscene material is “material that would tend to corrupt those exposed to it”. Case law suggests it is also obscene if it maintains a level of corruption. Very much open to interpretation by the court; no absolutes.
     • No offence of possession. Offence of “showing, distributing or publishing”.
  19. Protection of Children Act
     Offences:
     • Taking, distributing or showing indecent photographs or pseudo-photographs of children.
     • Possessing indecent photographs or pseudo-photographs of children.
     These are absolute offences: there is no valid reason to knowingly possess these images. It is only recently that case law established that the Police themselves may legally possess this material for investigation.
     Contact the police as soon as you discover this material. It is likely they will seize the disk and any backups, and it will NOT be returned. If you require other legal material from the seized disks, you can request that they copy it for you. You will probably be charged for this.
  20. Summary
     • The intent to commit, or the commission of, a non-CMA crime is more likely to lead to a successful criminal prosecution.
     • Work with the Police, but be wary of following their direction without detailed support on evidential matters.
     • Interception is allowed, but must be formally reviewed to meet both DPA and Lawful Business Practice requirements before it is carried out.
     • Inform users and employees about the possibility of monitoring through system banners and acceptable use policies.