Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMP1321 Digital Infrastructure Richard Henson University of Worcester May 2016.

Published byRandolph Fitzgerald Modified over 8 years ago

Similar presentations

Presentation on theme: "COMP1321 Digital Infrastructure Richard Henson University of Worcester May 2016."— Presentation transcript:

1 COMP1321 Digital Infrastructure Richard Henson University of Worcester May 2016

2 Week 25: Laws relating to Privacy, and Security, of Data n Objectives:  Distinguish between criminal law and civil law  Explain basic principles of Computer Misuse Act  Explain UK and EU legislation in the context of Data protection  Explain the eight principles of the Data Protection Act  Explain the law on “cookies”

3 Criminal and Civil Law n Civil… private law suit (i.e. sue) ne.g. “crimes” under the Data Protection Act n Criminal… police involved ne.g. Computer Misuse Act n Further reading: n https://books.google.co.uk/books?id=n-ueBQAAQBAJ n“Cyber Crime: Concepts, Methodologies, Tools and Applications” https://books.google.co.uk/books?id=n-ueBQAAQBAJ https://books.google.co.uk/books?id=n-ueBQAAQBAJ

4 1990 Computer Misuse Act n Concerned with unauthorised access to computers and computer systems  the law that ought to be used against hackers  problem with gathering evidence if »no/inadequate auditing on system(s) »person accessing conceals their identity n Police often use other laws that are well tried and tested (e.g. [if money] fraud)

5 Computer Misuse Act (1990) n Rushed in as UK law nresponse to evidence that important people had their email messages looked at by unauthorised third parties n Rapidly rendered unfit for purpose as mobile phones (are they computers?) became available  amended in 2006 to include mobiles and make hacking tools illegal if in the wrong hands

6 Data Protection Act (DPA) 1984, updated 1998 n Enforced by the Information Commissioner’s Office, not the police  just as Unfair Trading legislation is enforced by Trading Standards  therefore a CIVIL matter »unless the company fails to register »little excuse for not doing @ £35 pa

7 UK Information Commissioner n The Data Protection Act can be summarised as:  “don’t mess around with your customers’ data… treat it as if it was your own” n Should be a matter of morality for a company NOT to be careless with personal data  agreed by 1984 that morality wasn’t enough!

8 Origins of DPA (EU) n European Charter on Human Rights (1950)…  article 8: protection of personal data  UK part of EU from 1973 n EC Directive 1981 primarily a response to concern about digital personal data  created the 8 principles still used today  EU countries given three years to implement the directive… n Updated as EU Directive 95/46 »http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.EU http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.EU

9 Structure for Data Protection n According to EU Directive 95/46:  citizens have their personal data stored known as data subjects  organisations using personal data in any way must: »name a data controller responsible for managing personal data of data subjects »follow all eight principles of handling personal data

10 DPA: Principle 1 n “Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –  (a) at least one of the conditions in Schedule 2 is met, and  (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.” n First prosecutions…. October 2015!

11 DPA: Principles 2, 3 n 2: “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.” n 3: “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”

12 DPA: Principles 4, 5 n 4: “Personal data shall be accurate and, where necessary, kept up to date.” n 5: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

13 DPA: Principles 6, 7 n 6: “Personal data shall be processed in accordance with the rights of data subjects under this Act.” n 7: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” n Most prosecutions are under principle 7

14 DPA: Principle 8 n “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”  NB countries outside the EEA currently identified as complying: Argentina Canada Guernsey Isle of Man Switzerland Jersey

15 EU GDPR (General Data Protection Regulation) n Complete revision of previous EU data protection »data breach has to be declared within 72 hours »much stricter penalties for loss of personal data (fine up to 4% of gross annual turnover) »right to have data removed… and other changes n Already law, but not enforced for 2 years

16 Privacy and Security n Related, but different (!)  Privacy (Data Protection)… relates to human rights, and therefore a “people” thing  Security (Computer Missuse)… relates to computers and computer systems and controls to safeguard data held on them »anyone breaching controls without permission commits a criminal offence »usually difficult to catch them… hence increase in cyber crime

17 Electronic Commerce Act (2002) n Another example of EU-wide legislation  another example of weak enforcement? n “protect the consumer” law  privacy or security?  who enforces? n Intention: “What you see (on the website) is what you get!)”  no hidden charges!

18 Safe Harbour n A “trust” arrangement (not law!) between EU and another country  organisation agrees to handle data according to EU Directive 95/46 principles n Current agreement between EU and US recently rendered unfit for purpose  negotiations underway for a new safe harbour (v2.0 or privacy shield)

19 Complying with the Law n Two aspects for organisations to consider:  technical (management of infrastructure)  human (management of people)

20 Managing Infrastructure n Need good IT people with right skills… n Also…  right equipment  right software  right configuration  right maintenance

21 Managing people? n Policy n Share policy n Training to understand policy n Culture of admitting to lack of knowledge  Otherwise, mistakes through ignorance

22 How to test for compliance? n New government scheme…  Cyber Essentials  https://www.cesg.gov.uk/content/files/sche me_downloads/cyber-essentials-common- questionnaire.pdf https://www.cesg.gov.uk/content/files/sche me_downloads/cyber-essentials-common- questionnaire.pdf https://www.cesg.gov.uk/content/files/sche me_downloads/cyber-essentials-common- questionnaire.pdf n Download and take a look now…

23 Digital Single Market (EU) n Consequence of GDPR implementation  same rules for dealing with data will apply right across Europe  encourage digital trade between EU partner countries… n Assumption… organisations and regulators in all EU countries interpret the law in the same way!

24 Legitimate Collection of Customer Data using Cookies n Vendors websites often use cookies to gather customer clicking behaviour data  cookie is stored on the client computer  contains personal data n To be any use for marketing purposes:  the cookie must be externally accessible to the vendors site: »potential security issue »in EU must NOT be accessible to other external sites nHOWEVER »sites OUTSIDE this jurisdiction not legislated to obey EU Data Protection laws »have a tendency to swap or sell customer details

25 Cookies n Small amounts of information stored on user’s computer from a website that they have visited n Controversial until recently because a lot of people unaware that websites could even do this  2012 EU Law (another!) required the website to inform users…

26 Types of Cookies n Session cookies:  just active whilst user connected to website  could be stored at: »server end »client end  either way, the data is deleted when the session finishes

27 Embedded cookies n It is possible to embed cookie style information via server scripts in dynamically created pages:  held on the server  NOT on the client computer n However:  if the client stops perusing that the server, the session is finished  When the client returns, a new session-ID will be allocated, and identification of that cookie is lost

28 Long life cookies n To avoid the need for clients returning at a later date and having to start again, cookies with a longer life span may be implemented:  previously input information can be displayed automatically n BUT that data needs to be stored in the meantime…  not a wise thing to do where sensitive information is concerned!!!

29 Examples of Use of Cookies n User ID & shopping cart data embedded in the cookie  customer orders the items selected from different pages they will expect to see the items and costs stored in their shopping cart  this happens by the data being written to the cookie  shopping cart system therefore needs to keep track of individual customer “clicking behaviour” to keep their shopping cart up to date… n Selections that are identified via search engine may want to keep track of the previously used search criteria  enables it to re-display those words after the initial search is complete n A forum website may use a cookie to report new additions since a user’s last visit

30 How secure are cookies? n A cookie will often contain personal data, and that data will be accessible to the server that put it there  it is up to the client whether to trust a web site requesting personal information  EU websites are legally required to look after personal data, but who checks up on them? n 2012: EU Law on Cookies…

31 Cookies & Protection against Applets n Applets: computer programs which could: »download and install themselves on the client machine »run in the background, scanning memory, disks, etc. »store information n If such an applet is later running when the client is logged onto the Web: »it could gather information and send it to a server »client wouldn’t even know this has happened! n HOWEVER…  cookies are stored with a server generated ID which is encrypted, so even applets can’t get at them!

32 What is held on a cookie? n Encrypted text… n Information (mostly identifiers and dates) contained in them cannot hold sensitive details UNLESS those details are already obtained by other means like the client filling out a personal details form nthe only programs that can get through the encryption are those that know the ID and the encryption method nso the cookie data SHOULD be secure…

33 Deleting “Long Life” Cookies n Browsers all provide facility to do so… neach has its own unique navigation

34 Identifying a Reputable Web Site n A clear acknowledgement of their legal requirements, including cookies ngood practice to include a link to this on home page, no buried deep in the site structure! n An indication that they have reached a standard or kitemark  Ideally ISO 27001 n Businesses need to apply due diligence

35 When is a website reputable? n Follows the law… Follows industry guidelines… Gets a badge through being audited to show good practice! Advice for (1) SMEs (2) Web Developers?

36 Thanks for listening Any Questions?

Download ppt "COMP1321 Digital Infrastructure Richard Henson University of Worcester May 2016."

Similar presentations

TEAM 4 Case Study Mauritius: Mrs Nandini Kissoon-Luckputtya

TEAM 4 Case Study Mauritius: Mrs Nandini Kissoon-Luckputtya
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Legislation & ICT By Savannah Inkster. By Savannah Computer Laws 1.Data Protection ActData Protection Act 2.Computer Misuse ActComputer Misuse Act 3.Copyright,

Legislation & ICT By Savannah Inkster. By Savannah Computer Laws 1.Data Protection ActData Protection Act 2.Computer Misuse ActComputer Misuse Act 3.Copyright,
Legislation in ICT.

Legislation in ICT.
1 Pertemuan 7 Points of Exposure Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.

1 Pertemuan 7 Points of Exposure Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.
University of Sunderland Professionalism and Personal Skills Unit 11 Professionalism and Personal Skills Computer Legislation.

University of Sunderland Professionalism and Personal Skills Unit 11 Professionalism and Personal Skills Computer Legislation.
Legislation Who governs e-commerce?. E-commerce is regulated by laws and guidelines. These aim to ensure that sites operate effectively and that online.

Legislation Who governs e-commerce?. E-commerce is regulated by laws and guidelines. These aim to ensure that sites operate effectively and that online.
Legislation in ICT. Data Protection Act (1998) What is the Data Protection Act (1998) and why was it created? What are the eight principles of the Data.

Legislation in ICT. Data Protection Act (1998) What is the Data Protection Act (1998) and why was it created? What are the eight principles of the Data.
Data Protection Act.

Data Protection Act.
Audiences NI Data Protection Workshop

Audiences NI Data Protection Workshop
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
The Information Commissioner’s Office David Evans.

The Information Commissioner’s Office David Evans.
General Purpose Packages

General Purpose Packages
Research Paper Presentation Software Engineering in agent systems.

Research Paper Presentation Software Engineering in agent systems.
Computers, the law and ethics  Lesson Objective: Understand some of the legal & ethical issues in developing computer systems  Learning Outcome: Know.

Computers, the law and ethics  Lesson Objective: Understand some of the legal & ethical issues in developing computer systems  Learning Outcome: Know.
Elma Graham. To understand what data protection is To reflect on how data protection affects you To consider how you would safeguard the data of others.

Elma Graham. To understand what data protection is To reflect on how data protection affects you To consider how you would safeguard the data of others.
The Data Protection Act 1998 The Eight Principles.

The Data Protection Act 1998 The Eight Principles.
COMP3123 Internet Security Richard Henson University of Worcester December 2010.

COMP3123 Internet Security Richard Henson University of Worcester December 2010.

Similar presentations

Ads by Google