PSI: Topics and their Laws

1. Privacy

1.1. Data Protection

1.1.1. EU

1.1.1.1. General Data Protection Regulation (GDPR; Regulation (EU) 2016/679, applied from 25 May 2018)

1.1.1.1.1. covers all individuals in the EU and EEA

1.1.1.1.2. supersedes the 1995 Data Protection Directive

1.1.1.1.3. directly applicable in every member state; no enabling national legislation is required

1.1.1.1.4. subjects have the right to:

1.1.1.1.5. applies to controllers and processors established in the EU even if the processing takes place outside the EU

1.1.1.1.6. applies to the data of subjects in the EU even if the controller or processor is outside the EU

1.1.1.2. EU Data Protection Directive 1995 (95/46/EC)

1.1.1.3. EU-US Privacy Shield

1.1.1.3.1. replacement framework for EU-US data transfers after the Safe Harbour agreement was declared invalid by the CJEU in 2015

1.1.1.3.2. EU aim: transparency about, and protection of, personal data transferred to the US

1.1.1.3.3. US: companies self-certify annually that they comply with the framework's principles and will cooperate with EU data protection authorities

1.1.1.3.4. caveat: Privacy Shield was itself declared invalid by the CJEU in July 2020 (Schrems II); transfers now rely on other mechanisms such as standard contractual clauses or the 2023 EU-US Data Privacy Framework

1.1.2. UK

1.1.2.1. Data Protection Act 1984

1.1.2.1.1. protects individuals against misuse of personal data held about them on computer (aimed mainly at large organisations)

1.1.2.1.2. covers:

1.1.2.2. Data Protection Act 1998

1.1.2.2.1. implements the EU Data Protection Directive 1995 in UK law

1.1.2.2.2. covers internet data too

1.1.2.2.3. applies to all organisations, not just large ones

1.1.2.3. Data Protection Act 2018

1.1.2.3.1. replaces the 1998 Act; supplements the GDPR in UK law and fills in the areas the GDPR leaves to member states

1.2. Communications

1.2.1. UK

1.2.1.1. Regulation of Investigatory Powers Act 2000 (RIPA)

1.2.1.1.1. (with the Lawful Business Practice Regulations 2000 made under it) permits an organisation providing computer or phone services to monitor and record users' communications on its systems for legitimate business reasons (e.g. detecting crime)

1.2.1.1.2. users must be told that such interception may take place

1.2.1.2. (DRAFT) Investigatory Powers Bill 2015, since enacted as the Investigatory Powers Act 2016

1.2.1.2.1. intended to replace the interception and communications-data parts of RIPA

1.2.1.2.2. requires communications providers to retain communications data for up to 12 months

1.2.1.2.3. covers all types of electronic communications

1.3. Freedom of Information

1.3.1. Freedom of Information Act 2000

1.3.1.1. basic principle: information held by public bodies should be available to the public (with certain exceptions)

1.3.1.2. public bodies: Parliament, NHS, government departments, local authorities, universities, schools etc.

1.3.1.3. information covered: printed documents, electronic documents, emails etc.

1.3.1.3.1. exemptions: e.g. classified material, and personal data about third parties

1.3.1.4. cons:

1.3.1.4.1. responding to FoIA requests can be costly

1.3.1.4.2. possible conflicts between FoIA and the DPA where the information requested is someone's personal data

2. Computer Misuse

2.1. Computer Misuse and UK/US Laws

2.1.1. US

2.1.1.1. Computer Fraud and Abuse Act 1986

2.1.1.1.1. covers the following:

2.1.1.1.2. penalties

2.1.2. UK

2.1.2.1. Computer Misuse Act 1990 (CMA)

2.1.2.1.1. 3 criminal offences: s.1 unauthorised access to computer material; s.2 unauthorised access with intent to commit or facilitate a further offence; s.3 unauthorised modification of computer material (reworded in 2006 as unauthorised acts with intent to impair)

2.1.2.1.2. applies to:

2.1.2.2. Police and Justice Act 2006

2.1.2.2.1. increased the maximum penalties for CMA offences

2.1.2.2.2. amended CMA s.3 to cover any unauthorised act with intent to impair the operation of any computer (bringing denial-of-service attacks clearly within scope)

2.1.2.2.3. added CMA s.3A: making, supplying or obtaining articles (software tools) for use in computer misuse

2.1.2.2.4. new offences:

2.1.2.2.5. problems with the new offences: the s.3A tools offence is framed broadly enough to catch dual-use security tools (scanners, exploit frameworks) that penetration testers and researchers use legitimately

2.1.2.3. Issues with Computer Misuse laws

2.1.2.3.1. convictions have been infrequent

2.1.2.3.2. police are over-stretched and specialist expertise is needed to investigate

2.1.2.3.3. attacked companies prefer not to report or publicise incidents, to avoid drawing attention to their security weaknesses

2.2. Computer Fraud

2.2.1. UK

2.2.1.1. covered by existing anti-fraud laws

2.2.2. problems:

2.2.2.1. much easier to commit, and at scale, because of e-commerce and online banking

2.2.2.2. detection and evidence collection are harder

2.3. Obfuscation-based Inference Control

2.3.1. Anonymisation

2.3.1.1. decoupling identity from the information that describes a person

2.3.1.2. achieving it is hard: removing names is not enough when combinations of the remaining attributes (age, postcode, date of birth) still single people out

2.3.1.3. when a data set may properly be labelled "anonymised" remains unclear; data that is merely pseudonymised is still personal data under the GDPR

2.3.2. Generalisation

2.3.2.1. reducing the precision of data (age to an age band, full postcode to its prefix) to reduce the likelihood that it identifies someone

2.3.3. Suppression

2.3.3.1. withholding information (dropping attributes or rare records) so that fewer data are available to an attacker from which to draw inferences

2.3.4. Dummy Addition

2.3.4.1. adding dummies (fake data points) to a data set before providing it to another party, so real records cannot be told apart from fabricated ones

2.3.5. Perturbation

2.3.5.1. adding random noise to values or aggregates to reduce the other party's ability to form inferences about individuals
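
The five techniques under 2.3, applied in turn to a small record set so their effect can be measured. This is an added example, not content from the original mind map: the column names, the six sample records, the k threshold, the noise scale and all function names are assumptions chosen for illustration. k-anonymity (the size of the smallest group of rows sharing the same quasi-identifier values) is the yardstick; k = 1 means somebody is unique and re-identifiable.

```python
"""Obfuscation-based inference control on a constructed record set.

Added example, not content from the original mind map: the column names, the
six sample records, the k threshold and the noise scale are all assumptions
chosen for illustration."""
import random
from collections import Counter

# Constructed sample: one direct identifier (name), two quasi-identifiers
# (age, postcode) and one sensitive attribute (diagnosis).
RECORDS = [
    {"name": "Alice", "age": 34, "postcode": "SW1A 1AA", "diagnosis": "flu"},
    {"name": "Bob",   "age": 37, "postcode": "SW1A 2BB", "diagnosis": "asthma"},
    {"name": "Carol", "age": 52, "postcode": "M1 1AE",   "diagnosis": "flu"},
    {"name": "Dave",  "age": 58, "postcode": "M1 2CD",   "diagnosis": "diabetes"},
    {"name": "Erin",  "age": 59, "postcode": "M1 3EF",   "diagnosis": "flu"},
    {"name": "Frank", "age": 81, "postcode": "EH1 1AA",  "diagnosis": "asthma"},
]
QUASI_IDS = ("age", "postcode")


def _qid(row):
    return tuple(row[q] for q in QUASI_IDS)


def k_anonymity(rows):
    """Smallest group sharing the same quasi-identifier values; k == 1 means
    at least one row is unique and therefore re-identifiable."""
    counts = Counter(_qid(r) for r in rows)
    return min(counts.values()) if counts else 0


def anonymise(rows):
    """Anonymisation in the naive sense: drop the direct identifier only.
    The quasi-identifiers still single everyone out, so k stays at 1."""
    return [{k: v for k, v in r.items() if k != "name"} for r in rows]


def generalise(rows):
    """Generalisation: age to a 10-year band, postcode to its outward code."""
    out = []
    for r in rows:
        g = dict(r)
        lo = (r["age"] // 10) * 10
        g["age"] = f"{lo}-{lo + 9}"
        g["postcode"] = r["postcode"].split()[0]
        out.append(g)
    return out


def suppress(rows, k):
    """Suppression: drop every row whose quasi-identifier combination is
    shared by fewer than k rows, so each remaining row hides in a group >= k."""
    counts = Counter(_qid(r) for r in rows)
    return [r for r in rows if counts[_qid(r)] >= k]


def add_dummies(rows, n, rng):
    """Dummy addition (on already anonymised rows): append n fabricated rows
    that copy an existing quasi-identifier combination with a randomly chosen
    sensitive value, so a recipient cannot tell real rows from fakes and no
    new singleton group is created."""
    diagnoses = sorted({r["diagnosis"] for r in rows})
    dummies = []
    for _ in range(n):
        fake = dict(rng.choice(rows))
        fake["diagnosis"] = rng.choice(diagnoses)
        dummies.append(fake)
    return rows + dummies


def perturb_count(rows, diagnosis, scale, rng):
    """Perturbation: publish a count with Laplace noise of the given scale
    (the mechanism differential privacy uses) rather than the exact value.
    Laplace(scale) is sampled as the difference of two exponentials."""
    exact = sum(1 for r in rows if r["diagnosis"] == diagnosis)
    noise = rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)
    return max(0, round(exact + noise))


def pipeline(rows, k, n_dummies, seed=0):
    """Apply the techniques in turn; return k after each step plus a noisy count."""
    rng = random.Random(seed)
    report = {}
    step = anonymise(rows)
    report["anonymise"] = k_anonymity(step)
    step = generalise(step)
    report["generalise"] = k_anonymity(step)
    step = suppress(step, k)
    report["suppress"] = k_anonymity(step)
    step = add_dummies(step, n_dummies, rng)
    report["dummies"] = k_anonymity(step)
    report["flu_count"] = perturb_count(step, "flu", scale=1.0, rng=rng)
    return report, step


if __name__ == "__main__":
    report, released = pipeline(RECORDS, k=2, n_dummies=3)
    for name, value in report.items():
        print(f"{name:12s} {value}")
```

Running the pipeline shows the point made in 2.3.1.2: dropping names leaves k = 1, and generalisation alone still leaves Frank unique (the only 80-89 / EH1 row), so it takes suppression of that row to reach k = 2 before the set is padded with dummies and released with a noisy count.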

3. Intellectual Property Rights

3.1. Paris Convention 1883

3.1.1. covers industrial property: patents, trade marks and designs

3.2. Berne Convention 1886

3.2.1. covers copyright

3.3. IP rights are known as negative rights: they entitle the holder to stop others from doing something (copying, making, using) rather than granting a positive right to do it

3.4. COPYRIGHT

3.4.1. Copyright, Designs and Patents Act 1988 (CDPA)

3.4.1.1. protects:

3.4.1.1.1. original literary, dramatic, musical and artistic works (computer programs count as literary works)

3.4.1.1.2. sound recordings, films and broadcasts

3.4.1.2. lasts for the author's life plus 70 years

3.4.1.3. software copyright

3.4.1.3.1. the original expression (the code itself) is protected, not the underlying ideas, algorithms or boilerplate

3.4.1.3.2. using a program permits:

3.4.1.4. penalties

3.4.1.4.1. infringement for personal use is a civil wrong, actionable by the rights holder

3.4.1.4.2. infringement on a commercial scale is a criminal offence

3.4.1.5. database right

3.4.1.5.1. separate from copyright in a database's selection and arrangement; lasts 15 years from completion (or from the last substantial update)

3.5. Confidentiality

3.5.1. someone who reveals information obtained under an obligation of confidence can be sued in a civil court

3.5.2. UK

3.5.2.1. Public Interest Disclosure Act 1998

3.5.2.1.1. overrides an obligation of confidence, making it possible for employees to expose wrongdoing without being penalised for it

3.5.2.1.2. the whistle-blower is expected to raise the concern with the employer first, and only then with a professional body or public official

3.6. PATENTS

3.6.1. apply for one at the national patent office (in the UK, the Intellectual Property Office)

3.6.1.1. the application, with the details of the invention, is published; public disclosure is the price paid for the monopoly

3.6.2. UK patents are governed mainly by the Patents Act 1977; the CDPA 1988 only amends it

3.7. TRADE MARKS

3.7.1. UK

3.7.1.1. Trade Marks Act 1994

3.7.1.2. registered with the UK Intellectual Property Office

3.8. Trade Secrets

3.8.1. trade secrets definition

3.8.1.1. information (a device, technique, process or formula) that is secret, has commercial value because it is secret, and is kept secret by reasonable steps

3.8.2. traditionally protected by the law of confidence and general tort law rather than by registration

3.8.3. EU/UK

3.8.3.1. Trade Secrets Directive 2016/943, implemented in the UK by the Trade Secrets (Enforcement, etc.) Regulations 2018

3.8.4. US

3.8.4.1. Economic Espionage Act 1996

3.9. Domain Names

3.9.1. managed by ICANN (Internet Corporation for Assigned Names and Numbers)

3.9.2. sold on a first-come-first-served basis

3.9.3. not protected as property by law in themselves; disputes (e.g. cybersquatting on a registered mark) are handled through ICANN's dispute-resolution policy (UDRP) or trade mark law

4. Internet

4.1. ISPs

4.1.1. UK (the three liability defences of the E-Commerce Directive 2000/31/EC, implemented by the Electronic Commerce (EC Directive) Regulations 2002)

4.1.1.1. Caching

4.1.1.1.1. temporarily stores downloaded data to speed up later downloads of the same data

4.1.1.1.2. not liable provided that:

4.1.1.2. Hosting

4.1.1.2.1. ISP stores data uploaded by its customers for as long as they require

4.1.1.2.2. not liable provided that:

4.1.1.3. Mere Conduit

4.1.1.3.1. simply transmits data uploaded or downloaded by the customer, without selecting or modifying it

4.1.1.3.2. not liable for damages or criminal sanctions

4.1.1.4. Internet Watch Foundation (IWF)

4.1.1.4.1. anyone can report potentially unlawful content

4.1.1.4.2. if the IWF judges the content unlawful, it informs the police and the hosting ISP so that it can be taken down

4.1.2. US

4.1.2.1. looser than EU law

4.1.2.2. hosting providers get the same broad immunity as mere conduits (Communications Decency Act s.230)

4.2. Cybercrime

4.2.1. Council of Europe Convention on Cybercrime 2001 (Budapest Convention)

4.2.1.1. covers

4.2.1.1.1. child pornography

4.2.1.1.2. criminal copyright infringement

4.2.1.1.3. computer-related fraud

4.2.1.1.4. hacking

4.2.1.1.5. hate material (added by the 2003 Additional Protocol)

4.3. Pornography

4.3.1. US

4.3.1.1. adult porn is protected by the constitutional right of freedom of speech

4.3.1.2. child porn is a criminal offence

4.3.2. EU

4.3.2.1. adult porn is lawful provided it is non-violent, consensual and inaccessible to children

4.3.2.2. child porn is a criminal offence

4.4. SPAM

4.4.1. EU

4.4.1.1. EC Directive on Privacy and Electronic Communications 2002 (2002/58/EC; implemented in the UK as the Privacy and Electronic Communications Regulations 2003)

4.4.1.1.1. requires that

4.4.1.1.2. cons:

4.4.2. US

4.4.2.1. CAN-SPAM Act 2003

4.4.2.1.1. requires that

5. Software Legal

5.1. UK

5.1.1. Unfair Contract Terms Act 1977

5.1.1.1. makes exclusion and limitation-of-liability terms enforceable only to the extent that they are reasonable (liability for death or personal injury caused by negligence cannot be excluded at all)

5.1.1.2. a person injured as a result of faulty software or hardware can sue the supplier

5.1.1.3. faults might cause significant economic damage

5.1.2. Sale of Goods Act 1979

5.1.2.1. requires that goods sold be of satisfactory quality and fit for purpose

5.1.2.2. applies to retail (boxed) software

5.1.2.2.1. unclear whether it also applies to software downloaded from the internet; for consumers this gap has since been closed by the Consumer Rights Act 2015, which covers digital content explicitly

5.2. Payment cards (an industry standard, not EU or US law)

5.2.1. Payment Card Industry Data Security Standard (PCI DSS)

5.2.1.1. designed and developed by the card brands to ensure consistent and secure handling of cardholder data

5.2.1.2. a standard, not a law, so compliance is imposed only through agreements and contracts (with acquiring banks and card brands)

5.2.1.3. data protection law is still relevant, because cardholder data is also personal data

5.2.1.4. control objectives:

5.2.1.4.1. 1. build and maintain a secure network and systems

5.2.1.4.2. 2. protect cardholder data

5.2.1.4.3. 3. maintain a vulnerability management programme

5.2.1.4.4. 4. implement strong access control measures

5.2.1.4.5. 5. regularly monitor and test networks

5.2.1.4.6. 6. maintain an information security policy

5.2.1.5. rules for displaying the PAN (primary account number) on receipts and screens

5.2.1.5.1. mask the PAN when displayed: at most the first 6 and last 4 digits may be shown

5.3. US

5.3.1. Fair and Accurate Credit Transactions Act (FACTA) 2003

5.3.1.1. designed to reduce identity fraud and give citizens greater insight into their credit profile

5.3.1.2. rules regarding display of the PAN on printed receipts

5.3.1.2.1. no more than the last 5 digits of the card number may be printed

5.3.1.2.2. a receipt that must satisfy both FACTA and PCI DSS therefore shows only the last 4 digits
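
The two PAN display rules above (PCI DSS: at most the first 6 and last 4 digits visible; FACTA: no more than the last 5) as masking functions, plus a checker that tests receipt output against either regime. This is an added example, not part of the original page or of any PCI or FACTA guidance: the 13-19 digit length check, the mask character, the constructed sample card numbers and the function names are this example's own assumptions.

```python
"""PAN display masking and a compliance checker for receipt output.

Added example, not part of the original page. Only the two rules come from
the text (PCI DSS: first 6 + last 4 at most; FACTA: last 5 at most). The
length check, mask character, sample PANs and names are assumptions."""
import re

MASK_CHAR = "X"
SEPARATORS = re.compile(r"[ -]")


def pan_digits(pan):
    """Strip spaces and dashes; reject anything that is not a 13-19 digit PAN."""
    digits = SEPARATORS.sub("", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits after removing separators")
    return digits


def mask_pci(pan):
    """PCI DSS display rule: first 6 (the issuer BIN) and last 4 may be shown."""
    d = pan_digits(pan)
    return d[:6] + MASK_CHAR * (len(d) - 10) + d[-4:]


def mask_facta(pan, visible=5):
    """FACTA receipt rule: no more than the last 5 digits may be printed."""
    if not 0 <= visible <= 5:
        raise ValueError("FACTA permits at most the last 5 digits")
    d = pan_digits(pan)
    return MASK_CHAR * (len(d) - visible) + d[len(d) - visible:]


def mask_for_receipt(pan):
    """Receipt that must satisfy both regimes: FACTA forbids the leading 6 and
    PCI DSS forbids a fifth trailing digit, so the intersection is the last 4."""
    d = pan_digits(pan)
    return MASK_CHAR * (len(d) - 4) + d[-4:]


def compliant(masked, regime):
    """Check an already-masked PAN (separators allowed) against 'pci' or 'facta'.
    Any visible digit outside the regime's allowed positions is a violation."""
    if regime not in ("pci", "facta"):
        raise ValueError(f"unknown regime {regime!r}")
    s = SEPARATORS.sub("", masked)
    n = len(s)
    if not 13 <= n <= 19:
        return False
    for i, ch in enumerate(s):
        if not ch.isdigit():
            continue
        from_end = n - i  # 1 for the last digit
        if regime == "pci" and not (i < 6 or from_end <= 4):
            return False
        if regime == "facta" and from_end > 5:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample PANs: a 16-digit test number and a 19-digit string.
    for pan in ("4111 1111 1111 1111", "1234567890123456789"):
        for label, shown in (("PCI DSS", mask_pci(pan)),
                             ("FACTA", mask_facta(pan)),
                             ("both", mask_for_receipt(pan))):
            print(f"{label:8s} {shown}  pci={compliant(shown, 'pci')} "
                  f"facta={compliant(shown, 'facta')}")
```

The checker is the part worth keeping: run it over the strings a receipt printer or web template actually emits, since a PCI-compliant "first 6 + last 4" mask fails FACTA and a "last 5" FACTA mask fails PCI DSS; only the last-4 form passes both.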

6. Health and Safety

6.1. UK

6.1.1. Health and Safety (Display Screen Equipment) Regulations 1992

6.1.1.1. DSE users are employees who use display screen equipment continuously for more than an hour in a single working day

6.1.1.1.1. the regulations do not apply to people who use DSE for less than an hour a day or only infrequently

6.1.1.2. employers should consult and communicate with DSE users about the issues and provide them with relevant information

6.1.1.3. employers must:

6.1.1.3.1. analyse workstations and assess and reduce risk

6.1.1.3.2. ensure appropriate controls are in place

6.1.1.3.3. ensure employees have sufficient information and training

6.1.1.3.4. provide eyesight tests upon request, special eyewear if required

6.1.1.3.5. review the assessment

6.1.1.4. employees can request eye tests and employers are expected to provide test and supply eyewear

6.1.1.5. checklist for assessment is provided by the Health and Safety Executive

7. Codes of Conduct

7.1. Professional body

7.1.1. an organisation that promotes high standards in a particular profession

7.1.2. IT related ones:

7.1.2.1. ACM (US)

7.1.2.1.1. Association for Computing Machinery

7.1.2.2. BCS (UK)

7.1.2.2.1. BCS, The Chartered Institute for IT (formerly the British Computer Society)

7.1.2.3. IEEE (US)

7.1.2.3.1. Institute of Electrical and Electronics Engineers

7.1.2.4. IET (UK)

7.1.2.4.1. Institution of Engineering and Technology

7.2. Code of conduct

7.2.1. each body publishes one and requires all its members to adhere to it

7.2.2. member can be expelled for serious breach

8. History of IT

8.1. Mainframe Era (1950s - 1970s)

8.1.1. centralised computers with dumb terminals

8.1.2. automation of existing back office activities

8.1.3. independent applications for each business area

8.1.4. tight central control (no autonomy)

8.1.5. high cost

8.1.6. large businesses, utilities, government

8.2. Minicomputer Era (1970s - 1980s)

8.2.1. limited distribution of functions with some autonomy for business units

8.2.2. dumb input/output devices

8.2.3. application systems still independent

8.2.4. problems of data storage and integration

8.2.5. still largely about transaction processing

8.2.6. medium size business could also enter as prices dropped

8.3. Distributed/PC era (1980s - 1990s)

8.3.1. departmental automation with large degree of autonomy

8.3.2. data distributed and poorly managed

8.3.3. low connectivity and compatibility

8.3.4. difficult to collect corporate information

8.3.5. small businesses could enter market using PCs for straightforward business activities

8.4. Client-server Era (1990s)

8.4.1. distributed autonomy

8.4.2. internet standardising communication

8.4.3. more data capture and sharing of processing

8.4.4. data warehousing

8.4.5. SMEs gained access to packaged solutions and application generators

8.5. Network Era (2000s)

8.5.1. complex architecture integrating mainframe applications with application servers and the internet

8.5.2. integrated applications (e.g. supply chain) with distributed functionality

8.5.3. use of third-party components or web services

8.5.4. SMEs have access to the Web for marketing and online sales, and to services such as PayPal