Systems-Security Relevant Legislation

Warning

These notes are written not by a lawyer but by an engineering academic. They are a brief review of some laws applicable to system security issues. If you need qualified legal advice you should ask a lawyer.

Application of older laws to new computer crimes

Fraud and theft in connection with non-virtual assets are covered by the same laws whether or not a computer is used for the crime. Prior to the Computer Misuse Act 1990, unauthorised modification of data could be tried as criminal damage.

Robert Schifreen and Stephen Gold shoulder-surfed a Prestel password from a BT engineer at a trade show in 1984. They used this to access Prince Philip's mailbox in 1985. In the case R v Gold they were prosecuted under the Forgery and Counterfeiting Act 1981 for making a "false instrument" for forgery, and were convicted in the Crown Court. The fine was small, but they appealed successfully, and their appeal was upheld by the House of Lords in 1988.

UK Computer Misuse Act (CMA) 1990

Widely criticised at the time, this law seems to have stood the test of time. It was introduced because of weaknesses thought to exist in previous laws after the acquittal on appeal of Gold and Schifreen. There were three new offences under this act.

CMA Section 1

A section 1 offence under this act involves unauthorised access. Unauthorised access has to be attempted but does not have to succeed to be a criminal activity. The person attempting or gaining unauthorised access has to know that it was unauthorised. There was some discussion, for example, about whether seeing a prompt provided by a Telnet/SSH server saying just "login:" constitutes an invitation to access the system. However, someone seeing this prompt will generally be expected to know whether or not they have been issued with a userid and password for the system in question. Trying a password is attempting to gain access, and knowing or correctly guessing a password isn't the same as being authorised to use it.

While this is not the same offence, there are analogies with traditional laws concerning trespass and breaking and entering. Trespass does not involve breaching any security barrier and is a civil law matter. Breaking and entering is a criminal offence.

The case of R v Cuthbert 2005 is interesting. Daniel Cuthbert was convicted and fined £400 plus £600 costs (and lost his job) for attempting unauthorised access to an Asian Tsunami charitable appeal donations site. He had entered the following text string into a web browser while accessing a remote site which he had no special invitation to probe:

http://whatever.domain/../../../

He did this to see whether files in the parent and grandparent directories, relative to the normal published web directory, were exposed by the web server. This action set off an intrusion detection alarm, which was traced back to his Internet Protocol address.

A section 1 offence originally could result in up to 6 months imprisonment on a summary conviction (i.e. in a magistrates court), or a fine, or both. Section 35 of the Police and Justice Act 2006 extends section 1 of the 1990 act so that enabling oneself or someone else to carry out unauthorised access at a later time is also an offence. The maximum term was increased to 2 years imprisonment.

What constitutes authorised access?

In nearly all cases, users, employees, suppliers and customers etc. seem in practice to know what is authorised and what isn't. Situations where this is very likely to be worth clarifying include contractual penetration testing, and journalistic investigation into safety issues of legitimate public concern.

To access data you have to reasonably believe that you are authorised to do so. While the onus of proof is on the prosecution, those contractually involved in penetration-testing work to help an organisation evaluate its security systems and procedures are best advised, to reduce the occupational hazard of wrongful arrest and conviction, to obtain clear written instructions describing the scope of the work to be carried out, and to carry copies of these instructions. These instructions should ideally be on the letterhead of the organisation authorising the work, and be signed by someone who is independently verifiable as being in a position to authorise both the work and the contractual arrangement under which it is carried out.

If you are working as a journalist on penetration testing a security system (e.g. by getting a job as an airline worker under false pretences), you will need to give careful consideration to the legal issues concerning employee confidentiality, deception and potential public-interest legal defences, and obtain legal advice before proceeding if you are in any doubt about the position you are placing yourself in.

CMA Section 2

Section 2 of the 1990 act makes carrying out a section 1 offence while preparing to carry out further offences a more serious crime. For example, using unauthorised access to upload a computer virus which has not yet modified any data, but with the intention of releasing it so that it would, is a section 2 offence. So is unauthorised access to a bank's computer with the intention of carrying out a fraud.

This is analogous to going equipped to commit a robbery. Carrying a knife isn't an offence as such, e.g. if you are a chef on your way to work in a restaurant. If the prosecution can prove the accused was intending to use it for a robbery, however, carrying a knife is an offence.

On indictment through a crown court, a section 2 offence originally resulted in a maximum of 5 years imprisonment under the 1990 act.

CMA Section 3

This covers unauthorised modification of computer data. It includes changing database records as well as introducing malware, e.g. a trojan or virus, into a system.

R v Vallor is an example of a section 3 case. Simon Vallor was sentenced to 2 years imprisonment in 2003 after writing and distributing three computer viruses known to have infected 27,000 PCs. A similar case in the Netherlands resulted in the author of the Kournikova worm (which caused more damage) receiving 150 hours community service.

This section of the act was also extended by the Police and Justice Act 2006 to make deliberate denial-of-service attacks an offence. The maximum sentence was extended to 10 years.

CMA Section 3a

This was added to the 1990 act by section 37 of the Police and Justice Act 2006. It concerns making, supplying or obtaining items intended for use in section 1 or section 3 offences. The offender must be aware that this is what they are doing.

UK Data Protection Act 1984 and 1998 (DPA)

Introduction to the DPA

This act regulates the collection and use of data about people, or data which can be used to identify a person. It creates obligations for those collecting and storing this data, and it gives rights to "data subjects", i.e. those about whom data is stored. It does cover organisations and businesses, but doesn't cover domestic use, e.g. your address book.

This act has wide-ranging requirements. It is mainly concerned with ensuring that personal data is used for legitimate purposes. It gives individuals rights:

The act states exceptions to these rights. For example, individuals would not normally have any right to know what was recorded about them as a suspect in connection with a police investigation, nor, even if they are not suspected, where disclosure of this data would be likely to compromise a police investigation. The DPA requires the erasure of data which is outdated.

Amending legislation

The principles within this act were extended through the Freedom of Information Act 2000 which gives individuals specified rights in connection with access to information held on them by government organisations. The 1998 Data Protection Act replaced the 1984 Data Protection Act.

Sensitive Personal Data

The 1998 DPA introduced special provisions concerning sensitive personal data, including information about someone's beliefs, opinions, sexual orientation, ethnic origins, trade union membership, criminal record or alleged offences.

Data Protection Principles

Information in this section was copied from Schedule 1 of the 1998 act.

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
    • (a) at least one of the conditions in Schedule 2 is met, and
    • (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Principle 7

The Nationwide Building Society was recently fined £980,000 for a security lapse under this principle of the 1998 DPA.

This principle is significant for anyone responsible for the security of an organisation's data, to the extent that the data is personal or can identify individuals. Managers who might be reluctant to sign an order for software, equipment or services thought necessary to secure personal data may take a different view when the legal liability such a refusal could incur is explained to them. If you don't want to be held personally responsible for data not being secured when the budget isn't yours to sign, you may want to put expenditure requests related to an employer's legal obligation in writing and keep a copy off site.

UK Regulation of Investigatory Powers Act 2000 (RIPA)

Introduction to the RIPA

An explanation of the purpose of this act is in its official title: "An Act to make provision for and about the interception of communications, the acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed; to provide for the establishment of a tribunal with jurisdiction in relation to those matters, to entries on and interferences with property or with wireless telegraphy and to the carrying out of their functions by the Security Service, the Secret Intelligence Service and the Government Communications Headquarters; and for connected purposes."

The RIPA act was passed by Parliament in 2000. It has been argued that contentious issues within the act had not been adequately debated before it was passed. The act was passed with the intention that government ministers would be able to activate parts of it as needed on grounds of national security.

The author of these notes is unaware of any published cases where prosecutions have been brought under this act.

Internet Service Providers

The RIPA act contains provisions for taps to be installed at large Internet Service Providers. There has been some discussion concerning who pays for this equipment. Objections from the ISP industry that this would incur costs resulted in section 14 of the act stating that the government would pay.

Access to cryptographic keys

It has been reported that the government intends to activate Part 3 of RIPA, which provides for access by government agencies to encryption keys. It has further been argued that this is unlikely to result in convictions in practice, e.g. where an individual asked to supply a key states that the encrypted data to which access is requested is legal and claims to have lost the key. The original proposed legislation was contentious in the sense of a presumption of guilt - the individual had to prove that they did not have the key, rather than the police having to prove that they did have it but deliberately and knowingly withheld it.

It is also likely that the intent of this law conflicts with the security of the technology design in some contexts. A stronger cryptosystem design, e.g. one based on the Diffie-Hellman protocol, uses the semi-permanent keying material only to authenticate session keys, in such a manner that once a session key has been securely deleted it is unobtainable. Most people using this technology are likely to be unaware that divulging the semi-permanent keys will compromise neither the session keys nor the plaintext.
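The forward-secrecy argument above, as an added Python example (not from the original notes): a weaker design derives the session key directly from the semi-permanent Diffie-Hellman keys, while the stronger design uses fresh ephemeral values per session and the semi-permanent keys only to authenticate them. Both run in the 1024-bit MODP group of RFC 2409; keying an HMAC from the long-term shared secret stands in for a signature, which is a simplification assumed here.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair():
    """Random DH private exponent and the matching public value G^priv mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def kdf(shared: int, label: bytes) -> bytes:
    """Derive a 32-byte key from a DH shared secret and a purpose label."""
    return hashlib.sha256(label + shared.to_bytes(128, "big")).digest()

def _mac(auth_key: bytes, gx: int, gy: int) -> bytes:
    """HMAC over both ephemeral public values (stand-in for a signature)."""
    msg = gx.to_bytes(128, "big") + gy.to_bytes(128, "big")
    return hmac.new(auth_key, msg, hashlib.sha256).digest()

def static_exchange(a_long, b_long):
    """Weaker design: the session key comes straight from the semi-permanent keys."""
    (a_priv, a_pub), (b_priv, b_pub) = a_long, b_long
    key = kdf(pow(b_pub, a_priv, P), b"session")
    assert key == kdf(pow(a_pub, b_priv, P), b"session")  # both sides agree
    return key, {"a_pub": a_pub, "b_pub": b_pub}

def ephemeral_exchange(a_long, b_long):
    """Stronger design: fresh DH values per session, authenticated by the long-term keys."""
    (a_priv, a_pub), (b_priv, b_pub) = a_long, b_long
    x, gx = keypair()  # A's ephemeral secret and public value
    y, gy = keypair()  # B's ephemeral secret and public value
    # The long-term shared secret keys only the authentication tag, never the session key.
    tag = _mac(kdf(pow(b_pub, a_priv, P), b"auth"), gx, gy)
    if not hmac.compare_digest(tag, _mac(kdf(pow(a_pub, b_priv, P), b"auth"), gx, gy)):
        raise ValueError("authentication of ephemeral values failed")
    key = kdf(pow(gy, x, P), b"session")
    assert key == kdf(pow(gx, y, P), b"session")  # both sides agree
    del x, y  # ephemeral secrets discarded once the session key exists
    return key, {"a_pub": a_pub, "b_pub": b_pub, "gx": gx, "gy": gy, "tag": tag}

def recover_with_disclosed_key(a_priv: int, transcript: dict) -> bytes:
    """Best session-key candidate derivable from A's disclosed long-term key plus the
    transcript. Correct for the static design; for the ephemeral design the real key
    needs x or y, which no longer exist, so this candidate is simply wrong."""
    return kdf(pow(transcript["b_pub"], a_priv, P), b"session")

def verify_transcript(a_priv: int, transcript: dict) -> bool:
    """The disclosed long-term key still shows who talked: the tag can be re-checked."""
    auth_key = kdf(pow(transcript["b_pub"], a_priv, P), b"auth")
    return hmac.compare_digest(_mac(auth_key, transcript["gx"], transcript["gy"]),
                               transcript["tag"])
```

Handing over the long-term key therefore settles authenticity of a recorded exchange but not its confidentiality, which is the gap between what Part 3 demands and what the design can yield.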

RIPA and financial security

RIPA creates issues concerning responsibility for the security of keys used to authenticate financial transactions. If the government were to demand such a key, a bank could disown responsibility for the integrity of financial transactions authenticated using it, or for any loss of confidentiality or business integrity resulting from the key leaking outside the bank's domain.

Software Patents

Software patents are allowed within the US. Software "as such" is not patentable within the EU. Some legal opinions suggest that software may be patentable within the EU under certain circumstances, when used as part of a non-obvious innovation which creates a "technical effect".

Software patents are a security concern based on whether these do more to incentivise or hinder the process of security innovation. To the extent they hinder innovation it has been argued that this constrains implementation of security-relevant standards. An example is that implementations of the RSA cryptography algorithm were constrained within the US prior to the expiry of the RSA patent in September 2000.

Internet standards documents are traditionally considered to be free software. An example where a patent licence was considered incompatible with free software concerns Microsoft's Sender ID implementation of the independently developed Sender Policy Framework (SPF) email origin authentication standard.

Do software patents promote or hinder innovation?

The view that they achieve an effect opposite to their original intention is supported by a quote from someone we would normally expect to support the idea that software patents promote innovation. Here is a quote from Bill Gates, taken from an internal memo written to his staff and quoted by Fred Warshofsky in "The Patent Wars" (1994).

If people had understood how patents would be granted when most of today's ideas were invented and had taken out patents, the industry would be at a complete standstill today. ... The solution is patenting as much as we can. A future startup with no patents of its own will be forced to pay whatever price the giants choose to impose. That price might be high. Established companies have an interest in excluding future competitors.

The UK government response in Feb 2007 to an anti-software patents petition includes the following statement:

The recently published Gowers Review of Intellectual Property, an independent review commissioned by the Government, recommended that patent rights should not be extended to cover pure software, business methods and genes. The Government will implement those recommendations for which it is responsible, and will therefore continue to exclude patents from areas where they may hinder innovation: including patents which are too broad, speculative, or obvious, or where the advance they make lies in an excluded area such as software.

Copyright Law

Copyright law granted incentives, starting around the eighteenth century, for writers and publishers in respect of mechanical copying of content (initially printing). The rights of authors were fostered by creating entirely new offences, and this helped foster the development of a media publishing industry which includes books, films, music and TV. The packaged content industry is active in protecting its interests against distribution of copyrighted content through breaches of copyright law. More recently organisations acting on behalf of the content industry have become active in supporting the development of security technologies to make copying of their content more difficult. These copy-prevention technologies will be reviewed in another lecture.

US Digital Millennium Copyright Act

The Digital Millennium Copyright Act makes the development of copy-prevention circumvention technologies an offence within the US. Certain exemptions are allowed, including products which enable digital preservation, and for computer maintenance engineers to take backups of customer-purchased content.

The arrest of Dmitry Sklyarov while he was attending a conference within the US and his imprisonment awaiting trial gave the DMCA extraterritorial effect. The charges against him were later dropped and he was allowed to return home to Russia. Sklyarov had developed technology in Moscow which circumvented Adobe's e-book copy prevention technology. It has been argued that the business of Sklyarov's employer, which was legitimate within Russia, also had legitimate uses within the US, including making e-books accessible to blind readers using braille equipment.

The author of these notes has argued, based on the view that computer source code is a form of speech, that the DMCA denies US citizens and visitors to the US certain rights to freedom of speech which are theoretically guaranteed by the US constitution, in connection with discussions and views concerning security defects present in specific copy-prevention technologies.

Another criticism made against the DMCA is that this privatises the creation of law, in the sense that it enables those developing copy prevention technologies to overrule previous case law exemptions to copyright collectively labelled "fair use". These have traditionally included exemptions for teachers photocopying small sections of textbooks as class handouts, use of photocopiers in libraries and various freedom of speech democratic rights to quote small sections of copyright materials in satirical, critical or scholarly contexts.

The DMCA has also been used by manufacturers to attempt to eliminate competition in markets for compatible components of garage door opening systems and inkjet replacement cartridges.

Contract law and system security

A contract comes into existence when a buyer and seller agree to an exchange, typically provision of goods or services for an agreed price. Most software comes without any security guarantees. It is debatable whether various provisions that appear in shrink-wrapped licences are compatible with existing consumer protection laws, unless and until they have been tested in court. For software sold to the consumer market, the assumption that it is up to the buyer to check and confirm suitability for purpose prior to installation seems to have held.

The buyer has more room to negotiate terms in respect of bespoke software designed for a specific purchaser requirement. This will typically be supplied by a programming contractor or software consultant. Contracts where the contractor retains exclusive copyright of the software created and the purchaser does not obtain the source code or any right to access and modify this can potentially result in security weaknesses being discovered which the customer is unable to remediate, and where the original contractor or software supplier may no longer be in business.

Alternatively, the contractor might be unwilling to remedy security and other bugs, or to provide enhancements, at a price the software purchaser considers acceptable. If the contractor is unwilling to make the source code available to the purchaser directly, in some cases a trusted third party (TTP) might be used to hold the source code in escrow. The contract should specify the conditions under which the TTP would make the source code available to the customer (which should include the purchaser losing confidence in the contractor's ability to remedy any deficiencies within a reasonable cost and timescale, and the contractor going out of business), together with the customer's right to have this code modified, e.g. by another contractor.