Date post: 22-Dec-2015

Legal issues

WUCM1 1

Disclaimer

• I am not a lawyer
• I have no legal training or qualifications
• This material is based on (mostly) Butler, 2000
• If in doubt – seek legal advice!
• A disclaimer like this is useful on a website where tips could be misinterpreted as professional advice

Contents

1. Computer misuse
2. Intellectual property rights
3. Privacy and data protection
4. Other legislation:
   1. Freedom of information
   2. Advertising and spam
   3. Defamation
   4. Accessibility

Computer Misuse Act 1990

• Unauthorised access to computer material
– "A person is guilty of an offence if he causes a computer to perform any function with intent to secure unauthorised access to any program or data held in any computer and he knows at the time when he causes the computer to perform the function that that is the case." [Computer Misuse Act 1990, section 1]
• Unauthorised access with intent to commit or facilitate commission of further offences
– "A person is guilty of an offence under this section if he commits an offence under section 1 above ('the unauthorised access offence') with intent to commit a [further] offence; or to facilitate the commission of such an offence (whether by himself or by any other person)." [Computer Misuse Act 1990, section 2]
• Unauthorised modification of computer material
– "A person is guilty of an offence if he does any act which causes an unauthorised modification of the contents of any computer; and at the time when he does the act he has the requisite intent and the requisite knowledge." [Computer Misuse Act 1990, section 3]

Security breaches

• You have detected an illegal intrusion into your web server - what do you do?
1. Prevent any damage and limit the disclosure of sensitive information
2. Get the web server restored and back on line
• What of the perpetrators?
– Should you attempt to prosecute them?
– If you restore the web server from a backup you are destroying evidence of a crime – do you want to do this?

Tasks after a breach

• Correctly identifying how the intruder breached your security is vital
• Locating the necessary patches or reconfigurations is the next step
• Once compromised, your web server becomes more of a target:
– Backdoor left by the villains
– Intelligence gained during the initial breach identifies other weaknesses
– The villains bragged and set you up as a challenge
• Forethought and planning needed to be able to come up with a good response

What evidence?

• To report security breaches, you need to keep the evidence

• The evidence is usually:
– Altered files, HTML files, CGI files, etc.
– Web server logs
– System logs
– Firewall logs
– Router logs
– ...

What to preserve (1)

• Create a full backup of the web server system for evidence

• Use a permanent, write-once medium
– e.g. CDROM or DVDROM
• For a web server, the files to copy include:
– executables (usually in cgi-bin)
– configuration files
– log files
– html documents, etc. that make up the content

What to preserve (2)

• You need a known good set of web server data for comparison

• Careful labelling vital here
• The use of checksums for all important files is another idea worth considering
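The two "What to preserve" slides above say to keep a labelled, known-good copy of the web server's files and to checksum all important files so the compromised system can be compared against it. The script below is an added example (not part of the original slides or of Butler, 2000) of what that comparison looks like in practice: it builds a labelled SHA-256 manifest of a directory tree, then diffs a known-good manifest against a post-incident one to list modified, added and removed files. The choice of SHA-256, the manifest layout, and the tiny web-server tree created in the demo are all constructed for illustration.

```python
"""Checksum manifest for comparing a suspect web server tree against a
known-good copy (added example; SHA-256 and the manifest layout are
assumptions, not anything the slides prescribe)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hex SHA-256 of a file, read in chunks so large logs do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, label: str) -> dict:
    """Walk `root` and record a digest for every regular file.

    Paths are stored relative to `root` so the known-good copy and the
    suspect copy can live in different directories (or on different media)
    and still be compared. The label and timestamp implement the slide's
    "careful labelling" advice: every manifest says what it is and when it
    was taken.
    """
    files = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = Path(dirpath) / name
            # Symlinks are skipped: hashing the link target would hide a
            # planted link that points outside the tree.
            if path.is_symlink() or not path.is_file():
                continue
            files[path.relative_to(root).as_posix()] = sha256_file(path)
    return {
        "label": label,
        "created": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "files": files,
    }


def compare_manifests(known_good: dict, suspect: dict) -> dict:
    """Report which files changed, appeared, or disappeared relative to the baseline."""
    good, now = known_good["files"], suspect["files"]
    return {
        "modified": sorted(p for p in good if p in now and good[p] != now[p]),
        "added": sorted(p for p in now if p not in good),
        "removed": sorted(p for p in good if p not in now),
    }


def demo() -> dict:
    """Constructed example: a tiny web-server tree and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        good_root = Path(tmp) / "known-good"
        suspect_root = Path(tmp) / "suspect"
        for root in (good_root, suspect_root):
            (root / "cgi-bin").mkdir(parents=True)
            (root / "cgi-bin" / "search.cgi").write_text("#!/bin/sh\necho ok\n")
            (root / "httpd.conf").write_text("ServerName www.example.com\n")
            (root / "index.html").write_text("<h1>Welcome</h1>\n")
        # Tamper with the suspect copy: an altered CGI script, an extra
        # script, and a deleted configuration file (all constructed).
        (suspect_root / "cgi-bin" / "search.cgi").write_text("#!/bin/sh\necho changed\n")
        (suspect_root / "cgi-bin" / "extra.cgi").write_text("#!/bin/sh\n")
        (suspect_root / "httpd.conf").unlink()

        baseline = build_manifest(good_root, "known-good baseline (constructed)")
        snapshot = build_manifest(suspect_root, "post-incident snapshot (constructed)")
        return compare_manifests(baseline, snapshot)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use the baseline manifest would be generated when the server is known to be clean and stored off the machine (the slides suggest a write-once medium), and the manifest file itself should be hashed and labelled too, since a checksum list that an intruder can rewrite proves nothing.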

Inform authorities

• Lots of choice here:
– your boss
– internal security team (e.g. in the University)
– computer emergency response team (CERT) or equivalent local group
– police (and MI5 in certain circumstances)
– your legal advisors
– your insurance company

Inside job

• Any hint that the security breach might be an "inside job" implies:
– The job is very much more sensitive
– There could be numerous opportunities for sabotage if the perpetrator suspects the breach has been correctly identified
– Also, bad employee relations and morale if you make unsubstantiated allegations against someone

Prepare for a breach

• Good practice:
– Regular training sessions and "dry runs" will establish good response habits in the relevant security teams
– Regular password changes for all systems
– Training sessions for users on good security habits
• Packet sniffers may be of use in tracking a breach in progress

Copyright

• One of a number of intellectual property rights
• Implicit copyright
– The very act of committing words and/or images to a tangible medium creates the intellectual property right
• Explicit copyright
– © University of Portsmouth 2009
– Possibly in a standard footer on every page
• Explicit assertion of copyright has a positive benefit in terms of credibility and gravitas, though not required by English law
• However, the law allows "fair use"

Copyright issues

• Are others making unfair use of your material?
– Point this out to them
– Ask them to stop ("cease and desist")
– Legal remedies
• Web material inherently easy to copy
• Technical means can sometimes defeat:
– casual cut and paste
– download to a file attempts
• Difficult to defeat a screen grab theft of images

Copyright of others

• Are your website materials infringing someone else's copyright?
– Web is global so legal action could originate from anywhere
– Particular dangers in US jurisdictions
– Expert advice at this point is vital
• Insurance to cover for these events
• Main responsibility lies with the content providers
– Is this you?
– Or your customers/users?

Getting permission

• Blanket permissions:
– A good start for the UK are:
• www.prs.co.uk, the Performing Rights Society (PRS)
• www.mcps.co.uk, the Mechanical Copyright Protection Society (MCPS)
– University is part of some schemes with certain publishers (but only a few, and only for specific purposes)
• Specific permissions:
– Contact copyright holder
– Can be difficult to identify if there is no © notice
• Other forms of IPR (e.g. patents, trademarks):
– www.patent.gov.uk, the UK patents, trademarks and copyrights office
– www.european-patent-office.org, for a European view and check
– www.wipo.org, the World Intellectual Property Organisation

Trademarks

• Trademarks generate some special requirements
• Trademarks are specific to the category of organisation (context specific)
– Hence many are duplicated across different categories (e.g. Apple)
• Trademarks are part of the "brand" concept:
– Vast amounts of money spent
– Hence trademark aggressively defended
– Imply that Coca-Cola supports your website by using their logo or trademark – watch out!

Trademark violation

• For example, Butler (2000) cites
– A webmaster who had a cunning plan to attract users by putting 'Playboy' in the meta tags on the site
– Hoping for extra hits from search engine references
– Gains were somewhat overshadowed by being sued for trademark infringement by the magazine of the same name

Who owns the copyright?

• Number of questions to ask:
– For work done by employees as part of their job the copyright is normally vested in the company as a legal entity
– What if the employee designs a good web page at home in the evenings?
– What if the company employs a contractor to produce website materials?
– What about the consultant who has designed a generic solution, and is providing a "customised" version?
• Need a good contract before work commences – else litigation

Liability for copyright infringement

• Who is it that gets sued for the copyright infringement?
– What if you never see the content?
– ISP with a server farm of managed hosts: are you liable for the content?
– Pornography presents an even greater risk - it might be the police after you
• To clarify this the USA enacted the Digital Millennium Copyright Act
– Distinguishes between carriers of data and originators
– Similar provisions in English (and other EU) law

Digital Millennium Copyright Act (USA)

• Protects online service providers if:
– Anyone who transmits, routes, or provides connections for digital online communications, referred to as transitory communications, such as Internet Service Providers (ISPs)
– Anyone who provides (or operates) online services or network access and uses information location tools, such as links, online directories, and search engines
– Anyone who provides (or operates) online services or network access and who stores information on systems or networks at the direction of users, such as website hosts
– Anyone who provides (or operates) online services or network access and who utilises system caching, or very temporary data storage

Privacy

• Data Protection Act 1998 (DPA)
– implements the 1995 EU directive on data protection
– repealed 1984 Act
– replaced some stuff from other legislation
• e.g. Access to Health Records Act 1990
• Important for websites because data is easy to collect
• Advisable to publish (and stick to!) a privacy policy with a prominent link on your web pages
• Any privacy policy will link to your security policy as:
– it is no good intending not to misuse private data if it is easily stolen due to poor security

Privacy policies

• Butler (2000) suggests specifying:
– The kind of personal information you will be gathering
• name, address, e-mail, etc.
– Who will be collecting the information
• you or some other organisation
– How you will be collecting the information
• online forms, cookies, etc.
– Why and how you or others will be using the information
• needed to perform service
• secondary uses (e.g. future marketing, self or other)
– How long information will be retained
• deleted after order dispatched, kept for future orders
– With whom you will be sharing the information
• business partners, advertisers etc.
– The choices that visitors may make regarding the collection, use, or sharing of their information
• opt out or opt in
– Any restrictions for visitors who don't provide the information
• limited access?
– The security procedures used to protect the information from misuse
• SSL
– How visitors can update or correct any inaccurate information

Freedom of Information

• Freedom of Information Act 2000
• A public body is obliged, subject to limited exceptions, to disclose information following receipt of a request made in accordance with the Act

Advertising

• Advertising standards apply to web based adverts

• Web adverts must be legal, decent, honest and truthful

• Various consumer legislation applies
• International application is another legal minefield
– e.g. advertise something that it is illegal/restricted to buy in another country

Deep links

• On academic sites generally considered "a good thing"

• Might by-pass expensive advertising or corporate imaging

• Within frames could be considered plagiarism, as you are "passing off" others' work as your own

• Shetland Times vs. Shetland News case 1996


Spam

• Spam is now legally defined (e.g. CAN-SPAM Act 2003 in USA) and restricted in many places

• Largely unenforced
• In Europe, see the Coalition Against Unsolicited Commercial Email (CAUCE): http://www.euro.cauce.org/en/index.html
• Junkbusters (direct marketing) www.junkbusters.com

Defamation

• Two types:
– Libel: usually written and long-lasting
– Slander: usually spoken and short-term
• Same difficulties as for copyright infringement in assigning legal responsibility
• Legal battles cost – even if you win (no legal aid for defamation in UK)
• Defamation Act of 1996 (see Butler) defines:
– Author: An originator of the statement
– Editor: A person having editorial responsibility for the content of the statement
– Publisher: A person whose business is issuing material to the public

Defamation liability

• Following not usually liable:
– Someone who operates or provides equipment, a system, or a service by means of which the statement is retrieved, copied, distributed, or made available in electronic form
– The broadcaster of a live programme containing the statement if the broadcaster has no effective control over the maker of the statement
– The operator or provider of access to a communications system (like the Internet) by means of which the statement is transmitted or made available, by a person over whom he/she has no effective control
• Also standard defences:
– Justification - it's true!
– Fair comment – based on true facts, without malice, in good faith, public interest
– Privilege (in Parliament, courts, etc.)
• Onus on defence to prove one of the above

Accessibility

• Disability Discrimination Act 1995
• General obligation on service providers to take all reasonable steps to ensure that it is not impossible or unreasonably difficult for a disabled person to use their services
• Requires reasonable action – not at all costs!