Law School and Department of Computer Science
University of Bristol
Crime and Punishment: Protecting ICT Users and Their Information Against Computer Crime and Abuse
The Crime and Punishment seminar was organised by the Joint Information Systems Committee Legal Information Service (J-LIS)  in London, September 2003. This event aimed to provide information about the risks, vulnerabilities and liabilities that might arise from the use of Information Communication Technologies (ICT) in Further and Higher Education. It also planned to suggest some strategies for determining the right balance between the aim of reducing risk, vulnerability and liability and the need to retain the value added to education by the free flow of information and communication. It is clear that unfettered use of ICT by staff and students can pose significant legal problems for educational institutions; but equally clear is that attempting to exert control over that use may open institutions to charges of breach of privacy rights, breach of interception laws and interference with academic freedom.
John X Kelly, Legal Information Officer at the JISC Legal Information Service, opened the day on behalf of J-LIS. The aims of the day were:
- to provide delegates with a range of viewpoints from ICT professionals in FE and HE, academic researchers and commercial enterprises
- to provide a forum for discussion and information sharing about the types of problems currently facing ICT professionals in FE and HE, including possible future problems
Andrew Cormack, Chief Security Advisor at UKERNA, then began the morning's presentations. UKERNA  manages the operation and development of the JANET network under a Service Level Agreement from JISC and Andrew's presentation discussed the issue of risk assessment in ICT provision. He suggested that when assessing risk, it is important to place the highest priority on those assets where both the threat and impact are high. In FE and HE institutions both the threat of attack or intrusion, and the effect of such an attack or intrusion, are likely to be greatest in their networks and their information. This is because educational institutions tend to have comparatively high bandwidth networks and high value information - both in terms of institutional administrative data and in terms of research and commercially sensitive data.
He also advised that the risks should be properly understood, for example, while an educational institution may suffer disruption if it is the target of a 'denial of service attack' (DOS attack), perhaps a larger risk, both in terms of potential legal liability, and in terms of damage to reputation, may be the use of institutional computer networks by intruders to launch large 'distributed denial of service attacks' (DDOS attacks) on third parties. Having proper procedures for identifying both inbound and outbound attacks, and ensuring that staff are available with the necessary technical understanding and the authority to take rapid and effective action to stop them, is thus vitally important. In terms of information, the ever increasing digitisation of institutional data, combined with new networked mechanisms for storing and retrieval of such data can provide a fertile environment for information thieves when installation, maintenance and security precautions appropriate to the nature of the data are not observed. While staff and student records may be of great value to those concerned, and their loss or corruption may lead to liability under data protection law, as well as attendant bad publicity, the greatest risk may well lie with controversial or commercially sensitive research data which, by its very nature, may attract very serious and targeted intrusion attempts.
Sharon Bishop, UK Field Operations Manager of FAST Corporate Services Ltd, then spoke about the need for effective software compliance in the FE and HE sector, and the potential penalties for failing to comply with copyright law. FAST Corporate Services  obviously have a vested interest in encouraging institutions to do their utmost to avoid deliberately or inadvertently engaging in software piracy, inasmuch as they act as a lobbying and enforcement body for the software industry, and provide consultancy in corporate software compliance. But the message embedded in the presentation was a valuable one - if your institution doesn't know, and can't control, what software its users have on its institutional machines, then it risks serious financial penalties, and senior management may also risk criminal penalties. A further useful point was that lack of knowledge about software piracy on an institution's machines may also suggest that other undesirable or illegal activities are likely to be missed. Sharon suggested a 4-stage software compliance programme involving:
- the establishment of proper polices and procedures, with measures taken to ensure that users are aware of and respect such policies
- the conducting of a software audit to determine what software is being used, and where - it was pointed out that this might identify over-licensing as well as under-licensing.
- the reconciliation of software installations with software licences
- ongoing management, including review of policies and procedures, regular audits and maintenance of a software asset register.
Sharon further noted that whilst FAST does not pay reward money for tip-offs, the Business Software Alliance UK provides an award of up to £10,000 for every report 'successfully concluded' - an attractive option, perhaps, to a disgruntled employee or student -
Following the coffee break, Mike Roch, Director of IT Services, University of Reading and Vice Chair, Universities & Colleges Information Systems Association (UCISA), spoke about his practical experiences of ICT misuse and provided specimen cases exemplifying the themes of the presentation. The thrust of the presentation was that while hazards such as hacking, viruses, spam and pornography are often seen as the prime examples of ICT misuse, and receive a large amount of media coverage, they are in essence problems with a technical solution, are often relatively well understood by those who have to deal with them, and because of this are usually manageable. The real difficulties often lie with misuse involving offences such as defamation, copyright infringement and harassment for which ICT is essentially the conduit, because these are harder to prevent via technical measures, require little technical know-how on the part of the misuser, usually have to be dealt with after the fact, and often involve difficult issues of evidence and proof. Mike noted that the law in this area sometimes appears contradictory, with legislation like the Regulation of Investigatory Powers Act and its associated secondary legislation providing powers for interception and investigation, whilst the Human Rights Act and the Data Protection Act place restrictions on what can be collected, when it can be collected and what it can be used for.
Gavin Sutter, Research Fellow, Information Technology Law Unit, Centre for Commercial Law Studies, Queen Mary, University of London, then gave a whistle-stop tour of the UK regime for interception of electronic communications established by the Regulation of Investigatory Powers Act 2000 (RIPA). He made specific reference to the obligations placed on FE and HE institutions to comply with warrants requiring assistance with an interception and notices to hand over certain types of information. This included the content of communications, communication data, (information which is associated with a network user's communications excepting the actual content), and protected information (essentially encryption keys and/or plaintext of encrypted messages). Gavin advised, in the course of a detailed and comprehensive guide to this facet of the RIPA that institutions should:
- establish a dedicated team to deal with interception warrants and notice to handover
- have an awareness raising policy document for staff who may be the first recipient of such a communication to the institution
- use confidentiality agreements, alongside the awareness raising policy information, to encourage a 'need-to-know' culture and to avoid breach of secrecy requirements
- have procedures for secure disposal of intercepted content once no longer necessary, much as with disposal of confidential information
- consider carefully their use of encryption, if handing over an encryption key might compromise additional data is not subject to a particular notice
Following a hearty lunch, Andrew Charlesworth, Senior Research Fellow in IT & Law at the University of Bristol, did his best to keep the audience on their metaphorical toes with a discussion of the role of academic freedom in the debate over ICT use. He made particular reference to the trend towards the filtering of incoming content and the censorship of outgoing information in FE and HE institutions. Academic freedom is a delicate subject in current times, due in part to the increasingly managerial approach of modern education, which has difficulty with the expression of academic opinions which do not reflect, or indeed may actively contradict, the institutional viewpoint. But also because there will always be those who seek to promote their viewpoint under the banner of 'academic freedom' whilst seeking to deny others that same freedom. Andrew suggested that the concept of academic freedom remained a valuable one, but that in demanding academic freedom, staff and students should be willing to accept that with the rights inherent in that concept come a related set of responsibilities.
In the provision of ICTs, as in other areas of FE and HE activity, the way to maintain academic freedom, whilst ensuring the effective provision of services and the protection of the institution's interests, is to ensure that there is a dialogue between members of the institution, and that policies and practices are discussed and explained in a fashion that permits a shared understanding of acceptable ICT activities (even if that understanding is not unanimous). Institutions have to be willing to be flexible in their construction, development, interpretation and application of ICT usage rules, and both able and willing to provide constructive advice to academic staff and students. They also have to be clear about their policy with regard to use of institutional ICTs to promote non-core research and teaching viewpoints, and should endeavour to apply such policies in an even-handed and non-discriminatory fashion. Academic staff should be conscious of the operational environment in which other staff work and consider carefully the implications of their actions on their institution's image and whether their viewpoint/opinion/action is one that should be identified with them as an individual, or with the institution.
A sombre note was struck by Joanna Price of the Cyberspace Research Unit at the University of Central Lancashire, standing in for Rachel O'Connell, Director of the Unit, who was unable to attend on the day. Joanna gave an eye-opening and alarming presentation on the use of current forms of ICT by paedophiles, such as chat rooms and discussion lists, as they select and groom children for exploitation. She demonstrated the likely risks of newer forms of ICT such as video mobile phones. Joanna then outlined a strategy for pre-empting such exploitation which has been developed by the Cyberspace Research Unit. The sophistication and effectiveness of the cybergrooming techniques and the damage and distress that they and any resulting physical exploitation may cause, should give all parents of young children reason for concern and promote a serious interest in understanding the nature of the cyberactivities of their offspring.
The presentations were concluded with a presentation by George Vernon, Computer Systems Manager at Plymouth College of Further Education, who spoke about his practical experiences of ICT misuse in the FE sector and made an eloquent case that his job description in the current stage of educational ICT use should probably more accurately be Information Systems Security Manager. George noted that while many of the problems in the FE sector were not dissimilar to those in the HE sector, the nature of the institutions suggested a different range of solutions, not least because of the widely differing ages, abilities and attitudes amongst FE students. Certainly the range of solutions George offered, including filtering of mail and Internet access together with the possibility of restricting internet access to essential users, would probably play very badly amongst staff and students in a large university. However when one considers the resource constraints for some FE colleges, including an institutional bandwidth of 2Mbits, and the youth of some of the students, such restrictions may seem less draconian. Certainly the points relating to handling academic staff diplomatically and the need for provision of well communicated practical advice for users are as applicable to HE as they are to FE.
Overall, the combination of speakers worked well, and the provision of both FE and HE viewpoints made for some interesting debates in the various discussion sessions scattered throughout the day (all chaired by Lindsay Boullin of Eversheds). It was clear that the issue of computer crime and abuse of ICT cannot be handled by 'one-size-fits-all' policy and advice, as the effect of such activities varies widely in scope, scale and impact between the FE and HE sectors.
All the presentations can be viewed in more detail on the JISC Web site .
- JISC Legal Information Service http://www.jisc.ac.uk/index.cfm?name=services_jlis
- UKERNA http://www.ukerna.ac.uk/
- The FAST Web Site http://www.fast.org.uk/
- Crime & Punishment - Protecting ICT users and their information against computer crime and abuse - event materials http://www.jisc.ac.uk/legal/index.cfm?name=lis_ccrime_materials
Andrew Charlesworth is Senior Research Fellow in IT and Law and Director of the Centre for IT and Law (CITL) based in the Law School and Department of Computer Science, University of Bristol.
Article Title: "Crime and Punishment: Protecting ICT users and their information against computer crime and abuse, London - September 2003"
Author: Andrew Charlesworth
Publication Date: 30-October-2003
Publication: Ariadne Issue 37
Originating URL: http://www.ariadne.ac.uk/issue37/jisc-lis-2003-09-rpt/