UK Legal Framework (2003)
DESCRIPTION
A presentation I gave to a private security conference in 2003. I am not a lawyer and this isn't legal advice. The legal world has changed since 2003.
TRANSCRIPT
UK Legal Framework
Phil Huggins
Private Security Conference, Winter 2003
IANAL!
“I AM NOT A LAWYER”
This is not legal advice. This was written in 2003; laws change.
Agenda
- Overview
- Computer Misuse Act
- Data Protection Act
- RIPA / Lawful Business Practice Regulations
- Obscene Publications Act
- Protection of Children Act
- Summary
Overview
Most activity is covered under existing laws and regulations:
- Harassment
- Fraud
- Theft
- etc.
Police are constrained and empowered by other legislation:
- Police and Criminal Evidence Act 1984
- Regulation of Investigatory Powers Act 2000
Be wary of taking technical instruction from the Police. Once you act as an ‘agent’ of the Police, the evidence you produce is bound by the same legislation they are bound by.
Computer Misuse Act 1990
Targets criminal computer manipulation. Modelled on trespass.
- Section 1 – Unauthorised Access
- Section 2 – Unauthorised Access With Intent
- Section 3 – Unauthorised Modification of Contents
Computer Misuse Act 1990
Section 1 lacks teeth: the sentence is a fine or 6 months, and is rarely custodial. Highlighted by the prosecution of Mathew Bevan (Kuji) and Richard Pryce (Datastream Cowboy) for the 1993 Rome Labs hack. Pryce, prosecuted under Section 1, got only community service. Bevan was not prosecuted as it wasn’t seen as worthwhile by the Crown Prosecution Service.
Computer Misuse Act 1990
Denial of Service attacks:
- Email flood
- SYN flood
- DDoS
No access = not a Section 1 or 2 offence.
No modification = not a Section 3 offence.
Computer Misuse Act 1990
Raphael Gray (Curador), 2000: stole many credit card records from a number of ecommerce websites. His defence: at no point was he aware of the limit of his authorisation to access public services. He pleaded guilty, so the defence was not tested. Consider using the HTTP Server header to contain an authorisation statement.
Computer Misuse Act 1990
What is authorisation?
- Authority
- Credentials – username / password
What are you authorised to do? Pin it down with Acceptable Use Statements for users and Job Descriptions for employees.
Data Protection Act 1998
Administered by the Information Commissioner: http://www.dataprotection.gov.uk/
Covers data that identifies individuals. 8 Principles – 2 are particularly relevant:
- Appropriate technical and organisational measures should protect the data. Failure to provide such measures is an offence under the act.
- Data should not be held for any longer than is necessary. Current practice at a financial services client is to hold investigation-related data for at least 6 months but to formally review the requirement for the data retention every 12 months.
Data Protection Act 1998
Sensitive data:
- Racial / ethnic origin
- Political opinions
- Religious beliefs
- Membership of a trades union
- Physical or mental health
- Sexual life
- Criminal record
Monitoring under the DPA
“..where monitoring goes beyond mere human observation and involves the collection, processing and storage of any personal data it must be done in a way that is both lawful and fair to workers.”
Must conduct “impact assessment” for any monitoring.
Employee consent is NOT required UNLESS the data to be monitored is ‘sensitive data’ as described under the DPA.
Covert monitoring requires authorisation at a “senior level” within the business.
Regulation of Investigatory Powers Act 2000
RIPA introduced to cope with the change in communications systems since the rapid growth of the Internet.
Mainly focused on issues of interception and intrusive investigation.
Includes provision for law enforcement and other public bodies to try to deal with the rapid spread of good quality encryption systems.
Restrictions on businesses detailed in the Lawful Business Practice Regulations.
Lawful Business Practice Regulations
Under RIPA it is against the law for a business to intercept communications on its systems.
Exceptions:
- Under a warrant
- Consent of sender and receiver
- Required for the operation of the system
Lawful Business Practice Regulations
Decision flowchart, first part:
- Is there an interception? If no, continue.
- Is the interception connected with the operation of the communications system? If yes, interception can take place.
- Have senders and receivers both given consent? If yes, interception can take place.
If the answer to both of the last two questions is no, continue to the second part.
Lawful Business Practice Regulations
Decision flowchart, second part. Each question leads, by its yes/no answer, to one of two outcomes: interception can take place, or no interception can take place.
- Is the interception for an authorised business purpose?
- Is the interception only for monitoring business-related communications?
- Is the interception to decide whether a communication is business related?
- Is a confidential telephone counselling service involved?
- Have all reasonable efforts been made to inform users of interception?
Lawful Business Practice Regulations
Authorised business use:
- “to prevent and detect crime”
- “to investigate or detect unauthorised use of the telecommunications system”
- “to ensure the security of the system and its effective operation”
However, all reasonable efforts must be made to inform users of interception. Workers, including temporary or contract staff, will be users of the system, but outside callers or senders of e-mail will not be.
Obscene Publications Act 1959
Amended by the Criminal Justice and Public Order Act 1994.
Obscene material is “material that would tend to corrupt those exposed to it”. Case law suggests it is also obscene if it maintains a level of corruption. Very much open to interpretation by the court; no absolutes. No offence of possession. Offence of “showing, distributing or publishing”.
Protection of Children Act 1999
Offences:
- Taking, distributing or showing indecent photographs or pseudo-photographs of children.
- Possessing indecent photographs or pseudo-photographs of children.
These are absolute offences; there is no valid reason to knowingly possess these images. It is only recently that case law established that the Police themselves may legally possess this material for investigation.
Contact the police as soon as you discover this material. It is likely they will seize the disk and any backups, and it will NOT be returned. If you require other legal material from the seized disks, you can request that they copy it for you. You will probably be charged for this.
Summary
The intent to commit or the commission of a non-CMA crime is more likely to lead to successful criminal prosecution.
Work with the Police but be wary of following their direction without detailed support on evidential matters.
Interception is allowed but must be formally reviewed to meet both DPA and Lawful Business Practice requirements before it is carried out.
Inform users and employees about the possibility of monitoring through system banners and acceptable use policies.
http://blog.blackswansecurity.com