Disclaimer
• I am not a lawyer
• I have no legal training or qualifications
• This material is based on (mostly) Butler, 2000
• If in doubt – seek legal advice!
• A disclaimer like this is useful on a website where tips could be misinterpreted as professional advice
WUCM1 2
Contents
1. Computer misuse
2. Intellectual property rights
3. Privacy and data protection
4. Other legislation:
   1. Freedom of information
   2. Advertising and spam
   3. Defamation
   4. Accessibility
Computer Misuse Act 1990
• Unauthorised access to computer material
  – "A person is guilty of an offence if he causes a computer to perform any function with intent to secure unauthorised access to any program or data held in any computer and he knows at the time when he causes the computer to perform the function that that is the case." [Computer Misuse Act 1990, section 1]
• Unauthorised access with intent to commit or facilitate commission of further offences
  – "A person is guilty of an offence under this section if he commits an offence under section 1 above (‘the unauthorised access offence’) with intent to commit a [further] offence; or to facilitate the commission of such an offence (whether by himself or by any other person)." [Computer Misuse Act 1990, section 2]
• Unauthorised modification of computer material
  – "A person is guilty of an offence if he does any act which causes an unauthorised modification of the contents of any computer; and at the time when he does the act he has the requisite intent and the requisite knowledge." [Computer Misuse Act 1990, section 3]
Security breaches
• You have detected an illegal intrusion into your web server – what do you do?
  1. Prevent any damage and limit the disclosure of sensitive information
  2. Get the web server restored and back on line
• What of the perpetrators?
  – Should you attempt to prosecute them?
  – If you restore the web server from a backup you are destroying evidence of a crime – do you want to do this?
Tasks after a breach
• Correctly identifying how the intruder breached your security is vital
• Locating the necessary patches or reconfigurations is the next step
• Once compromised, your web server becomes more of a target:
  – Backdoor left by the villains
  – Intelligence gained during the initial breach identifies other weaknesses
  – The villains bragged and set you up as a challenge
• Forethought and planning needed to be able to come up with a good response
What evidence?
• To report security breaches, you need to keep the evidence
• The evidence is usually:
  – Altered files, HTML files, CGI files, etc.
  – Web server logs
  – System logs
  – Firewall logs
  – Router logs
  – ...
What to preserve (1)
• Create a full backup of the web server system for evidence
• Use a permanent, write-once medium
  – e.g. CDROM or DVDROM
• For a web server, the files to copy include:
  – executables (usually in cgi-bin)
  – configuration files
  – log files
  – html documents, etc. that make up the content
What to preserve (2)
• You need a known good set of web server data for comparison
• Careful labelling vital here
• The use of checksums for all important files is another idea worth considering
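As an added example (not from the slides or from Butler), the checksum idea in working form: build a SHA-256 manifest of the known-good web server files, keep it with the write-once evidence copy, and compare the live server against it to pick out altered, missing and added files. The file names and contents are constructed sample data.

```python
"""Checksum manifest for web server files (added example, not from the slides).
Build a SHA-256 manifest of the known-good file set, store it with the
write-once evidence copy, and compare the live server against it."""
import hashlib
import os
from typing import Dict, List, Mapping

# Constructed known-good snapshot (path -> contents) taken at deployment time.
KNOWN_GOOD = {
    "cgi-bin/search.cgi": b'#!/usr/bin/perl\nprint "Content-Type: text/html\\n\\n";\n',
    "conf/httpd.conf": b"ServerName www.example.ac.uk\nDocumentRoot /var/www/htdocs\n",
    "htdocs/index.html": b"<html><body>Welcome</body></html>\n",
}
# Constructed snapshot after a suspected breach: one file altered, one
# missing, one unexpected file added.
AFTER_BREACH = {
    "cgi-bin/search.cgi": b"#!/usr/bin/perl\n# contents differ from the known-good copy\n",
    "conf/httpd.conf": KNOWN_GOOD["conf/httpd.conf"],
    "cgi-bin/unexpected.cgi": b"# file not present in the known-good set\n",
}

def manifest(files: Mapping[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 hex digest of its contents.  A cryptographic
    hash, not a CRC, so a replacement file cannot be tuned to the same checksum."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def manifest_from_dir(root: str) -> Dict[str, str]:
    """Same as manifest(), reading a directory tree on disk (the preserved
    evidence copy or the live DocumentRoot); paths are relative to root."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return manifest(files)

def compare(baseline: Mapping[str, str], current: Mapping[str, str]) -> Dict[str, List[str]]:
    """Classify each path as altered, missing or added relative to the known-good
    manifest; altered CGI/config files and added files are the evidence to keep."""
    return {
        "altered": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

if __name__ == "__main__":
    for category, paths in compare(manifest(KNOWN_GOOD), manifest(AFTER_BREACH)).items():
        print(f"{category:8s} {paths}")
```

The manifest is only as trustworthy as its storage: if it sits on the compromised server an intruder can rewrite it along with the files, so it belongs on the same write-once medium as the evidence backup.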
Inform authorities
• Lots of choice here:
  – your boss
  – internal security team (e.g. in the University)
  – computer emergency response team (CERT) or equivalent local group
  – police (and MI5 in certain circumstances)
  – your legal advisors
  – your insurance company
Inside job
• Any hint that the security breach might be an "inside job" implies:
  – The job is very much more sensitive
  – There could be numerous opportunities for sabotage if the perpetrator suspects the breach has been correctly identified
  – Also, bad employee relations and morale if you make unsubstantiated allegations against someone
Prepare for a breach
• Good practice:
  – Regular training sessions and "dry runs" will establish good response habits in the relevant security teams
  – Regular password changes for all systems
  – Training sessions for users on good security habits
• Packet sniffers may be of use in tracking a breach in progress
Copyright
• One of a number of intellectual property rights
• Implicit copyright
  – The very act of committing words and/or images to a tangible medium creates the intellectual property right
• Explicit copyright
  – © University of Portsmouth 2009
  – Possibly in a standard footer on every page
• Explicit assertion of copyright has a positive benefit in terms of credibility and gravitas, though not required by English law
• However, the law allows "fair use"
Copyright issues
• Are others making unfair use of your material?
  – Point this out to them
  – Ask them to stop ("cease and desist")
  – Legal remedies
• Web material inherently easy to copy
• Technical means can sometimes defeat:
  – casual cut and paste
  – download to a file attempts
• Difficult to defeat a screen grab theft of images
Copyright of others
• Are your website materials infringing someone else's copyright?
  – Web is global so legal action could originate from anywhere
  – Particular dangers in US jurisdictions
  – Expert advice at this point is vital
• Insurance to cover for these events
• Main responsibility lies with the content providers
  – Is this you?
  – Or your customers/users?
Getting permission
• Blanket permissions:
  – A good start for the UK are:
    • www.prs.co.uk, the Performing Rights Society (PRS)
    • www.mcps.co.uk, the Mechanical Copyright Protection Society (MCPS)
  – University is part of some schemes with certain publishers (but only a few, and only for specific purposes)
• Specific permissions:
  – Contact copyright holder
  – Can be difficult to identify if there is no © notice
• Other forms of IPR (e.g. patents, trademarks):
  – www.patent.gov.uk, the UK patents, trademarks and copyrights office.
  – www.european-patent-office.org, for a European view and check.
  – www.wipo.org, the World Intellectual Property Organisation.
Trademarks
• Trademarks generate some special requirements
• Trademarks are specific to the category of organisation (context specific)
  – Hence many are duplicated across different categories (e.g. Apple)
• Trademarks are part of the "brand" concept:
  – Vast amounts of money spent
  – Hence trademark aggressively defended
  – Imply that Coca-Cola supports your website by using their logo or trademark – watch out!
Trademark violation
• For example, Butler (2000) cites:
  – A webmaster who had a cunning plan to attract users by putting ‘Playboy’ in the meta tags on the site
  – Hoping for extra hits from search engine references
  – Gains were somewhat overshadowed by being sued for trademark infringement by the magazine of the same name
Who owns the copyright?
• Number of questions to ask:
  – For work done by employees as part of their job the copyright is normally vested in the company as a legal entity
  – What if the employee designs a good web page at home in the evenings?
  – What if the company employs a contractor to produce website materials?
  – What about the consultant who has designed a generic solution, and is providing a "customised" version?
• Need a good contract before work commences – else litigation
Liability for copyright infringement
• Who is it that gets sued for the copyright infringement?
  – What if you never see the content?
  – ISP with a server farm of managed hosts: are you liable for the content?
  – Pornography presents an even greater risk - it might be the police after you
• To clarify this the USA enacted the Digital Millennium Copyright Act
  – Distinguishes between carriers of data and originators
  – Similar provisions in English (and other EU) law
Digital Millennium Copyright Act (USA)
• Protects online service providers in the following categories:
  – Anyone who transmits, routes, or provides connections for digital online communications, referred to as transitory communications, such as Internet Service Providers (ISPs)
  – Anyone who provides (or operates) online services or network access and uses information location tools, such as links, online directories, and search engines
  – Anyone who provides (or operates) online services or network access and who stores information on systems or networks at the direction of users, such as website hosts
  – Anyone who provides (or operates) online services or network access and who utilises system caching, or very temporary data storage
Privacy
• Data Protection Act 1998 (DPA)
  – implements the 1995 EU directive on data protection
  – repealed the 1984 Act
  – replaced some provisions of other legislation
    • e.g. Access to Health Records Act 1990
• Important for websites because data is easy to collect
• Advisable to publish (and stick to!) a privacy policy with a prominent link on your web pages
• Any privacy policy will link to your security policy as:
  – it is no good intending not to misuse private data if it is easily stolen due to poor security
Privacy policies
• Butler (2000) suggests specifying:
  – The kind of personal information you will be gathering
    • name, address, e-mail, etc.
  – Who will be collecting the information
    • you or some other organisation
  – How you will be collecting the information
    • online forms, cookies, etc.
  – Why and how you or others will be using the information
    • needed to perform service
    • secondary uses (e.g. future marketing, self or other)
  – How long information will be retained
    • deleted after order dispatched, kept for future orders
  – With whom you will be sharing the information
    • business partners, advertisers etc.
  – The choices that visitors may make regarding the collection, use, or sharing of their information
    • opt out or opt in
  – Any restrictions for visitors who don’t provide the information
    • limited access?
  – The security procedures used to protect the information from misuse
    • SSL
  – How visitors can update or correct any inaccurate information
Freedom of Information
• Freedom of Information Act 2000
• A public body is obliged, subject to limited exceptions, to disclose information following receipt of a request made in accordance with the Act
Advertising
• Advertising standards apply to web based adverts
• Web adverts must be legal, decent, honest and truthful
• Various consumer legislation applies
• International application is another legal minefield
  – e.g. advertise something that it is illegal/restricted to buy in another country
Deep links
• On academic sites generally considered "a good thing"
• Might by-pass expensive advertising or corporate imaging
• Within frames could be considered plagiarism, as you are "passing off" others' work as your own
• Shetland Times vs. Shetland News case 1996
Spam
• Spam is now legally defined (e.g. CAN-SPAM Act 2003 in USA) and restricted in many places
• Largely unenforced
• In Europe, see the Coalition Against Unsolicited Commercial Email (CAUCE): http://www.euro.cauce.org/en/index.html
• Junkbusters (direct marketing) www.junkbusters.com
Defamation
• Two types:
  – Libel: usually written and long-lasting
  – Slander: usually spoken and short-term
• Same difficulties as for copyright infringement in assigning legal responsibility
• Legal battles cost – even if you win (no legal aid for defamation in UK)
• Defamation Act of 1996 (see Butler) defines:
  – Author: An originator of the statement
  – Editor: A person having editorial responsibility for the content of the statement
  – Publisher: A person whose business is issuing material to the public
Defamation liability
• The following are not usually liable:
  – Someone who operates or provides equipment, a system, or a service by means of which the statement is retrieved, copied, distributed, or made available in electronic form
  – The broadcaster of a live programme containing the statement if the broadcaster has no effective control over the maker of the statement
  – The operator or provider of access to a communications system (like the Internet) by means of which the statement is transmitted or made available by a person over whom he/she has no effective control
• Also standard defences:
  – Justification – it's true!
  – Fair comment – based on true facts, without malice, in good faith, public interest
  – Privilege (in Parliament, courts, etc.)
• Onus on defence to prove one of the above