Guide

Networking, computers and the law

This guide outlines which laws apply to networking and how you can ensure regulations are followed.

Introduction

Most of the daily activities of network and system managers are likely to be subject to the law. Most things the law requires are, in any case, good practice in operating networks and systems.

Information on current legal developments and our work to understand and influence them can be found on our regulatory developments blog.

A suggested charter for system and network administrators

This charter and practical examples should be useful to three groups: users who want to be assured the powers of administrators will not be abused; administrators who are concerned about the legality and implications of their actions; and managers who need to understand the reasonable requirements of the administrators' job and what activities they will be required to support.

Download the charter (pdf).

Network monitoring

Any network operator will need, from time to time, to examine the traffic that is flowing on their network, whether for capacity planning, tracing faults or investigating use or abuse of the network.

Respecting privacy

The law provides for these kinds of activity; however, any work on a communications network must comply with the Human Rights Act 1998 which states that individuals have a right to respect for the privacy of their communications.

Information about the volume or performance of network traffic flows will not normally fall within the Human Rights Act, but if a flow can be associated with an individual person then it will be protected by the Data Protection Act 2018 and General Data Protection Regulation.

Any monitoring or investigation that may, whether deliberately or accidentally, reveal the content of packets or messages will also be subject to the Investigatory Powers Act 2016. This Act distinguishes between monitoring required for the operation of a service (for example tracing network faults), and monitoring done for business purposes, including the policing of acceptable use policies.

Who can perform network monitoring?

Operational monitoring may, in general, be done at any time by the authorised operator of the service.

Business monitoring may only be done after users have been notified and for purposes set out in the Interception by Businesses etc. for Monitoring and Record-keeping Purposes Regulations associated with the Act. 

Ensure your actions are appropriate

The Human Rights Act further requires that any invasion of privacy must be proportionate to the risk that is being addressed by the monitoring. Any decision to monitor or investigate should therefore include an impact assessment to ensure that it will not cause more harm than good and should be undertaken with proper authorisation. 

Codes of Practice on Monitoring at Work (see especially Part 3) have been produced by the Information Commissioner: their provisions are likely to apply to students and other users as well as employees.

It should be noted that network measurement - creating packets or traffic flows and measuring their progress across a network - is unlikely to be affected by any laws on privacy or monitoring.

Investigations

Files on disk are not, in general, covered by the Investigatory Powers Act (note that this Act does apply to e-mail messages in mailboxes or queues). However, the rights of users under the Human Rights Act must still be respected in any investigation.

Where an investigation may result in disciplinary or legal action, extreme care must be taken to preserve computer evidence as this is easily challenged.

The Association of Chief Police Officers' Good Practice Guide for Digital Evidence (pdf) and the US Department of Justice guide to Electronic Crime Scene Investigation (pdf) are both helpful. A guide to preparing for forensic investigations (pdf) is published by IAAC.

Note that those investigating misuse of computers may encounter information that is distressing or harmful to them, their colleagues or the organisation. Policies and procedures for investigation should be designed with this in mind, and should always be followed. For serious incidents, it may be worth engaging appropriate external investigators.

Possession of unlawful material

Where material is discovered that is unlawful to possess (such as in the case of indecent images of children, section 46 of the Sexual Offences Act 2003), investigators are provided with a legitimate reason defence to the criminal offences of possessing or making such images. The Criminal Justice and Immigration Act 2008 covers other specific images that are illegal to possess, but also contains a similar defence.

As described in a Memorandum of Understanding between the Crown Prosecution Service (CPS) and the Association of Chief Police Officers (ACPO), these defences will be interpreted strictly, so investigators must be sure that they have clear authorisation, and that they document and report their actions to prove their legitimate purpose. Jisc has developed guidelines to help sites comply with the ACPO/CPS Memorandum of Understanding.

The Internet Watch Foundation have a helpful best practice guide to assist organisations in dealing with these types of material. (In Scotland, the relevant law is the Protection of Children and Prevention of Sexual Offences (Scotland) Act 2005, however it is understood that the same best practice would apply).

Investigating copyright complaints

Although the government’s proposed requirement on ‘ISPs’ to investigate copyright complaints has never been brought into force, Jisc customer organisations are still required to investigate such complaints under the Janet acceptable use policy. See investigating copyright complaints for more information and good practice.

Guidelines for handling illegal material

Occasionally, organisations may have to deal with allegations of serious misuse of computers, where indecent images of children (as defined by the Protection of Children Act 1978 and subsequent amendments) or extreme pornographic images (as defined by section 63 of the Criminal Justice and Immigration Act 2008) may be present on the organisation's computers. The possession of such images is a serious criminal offence and must be reported to the Police as soon as possible. Until the material can be handed to the Police, organisations need to act very carefully to avoid harm to their users or potential criminal liability for the organisation or its staff. Jisc has developed the following guidelines, with assistance from Jisc members and the Home Office, to assist sites in this situation.

Please note: Names have deliberately been left within square brackets so that the relevant organisations - universities, colleges, research councils etc - and departments can fill in their own details for internal circulation.

About these guidelines

These guidelines are intended to help and protect computer support staff who may be requested by [the University] to respond to reports of the presence of illegal images (whether indecent images of children or extreme pornographic images) on computers at [the University of Erewhon].

The Protection of Children Act 1978 and subsequent legislation makes the possession, making or publishing of indecent images of children a serious criminal offence; the Criminal Justice and Immigration Act 2008 introduces a similar crime of possession of extreme pornographic images.

Images of either type must be reported to the police as soon as possible, with the minimum interference, for them to investigate. However, there may occasionally be an urgent requirement to confirm an allegation, to secure evidence or to remove material from view, and in these cases authorised site staff may be best placed to do the minimum necessary to achieve this.

Any such action, and any information obtained as a result, must be handled in strict confidence both to protect the evidence and those persons involved: malicious allegations have sometimes been made against innocent parties.

Viewing or handling indecent images of children will normally be a serious criminal offence. However, section 46 of the Sexual Offences Act 2003 provides a limited defence for those who can prove that they needed to do so for the purposes of the prevention, detection or investigation of crime. The Crown Prosecution Service (CPS) and the Association of Chief Police Officers (ACPO) have agreed a Memorandum of Understanding (MoU) setting out the factors they will consider when deciding whether this defence may be available in any specific case.

Sections 63 and 68 and Schedule 14 of the Criminal Justice and Immigration Act 2008 provide a similar "good reason" defence to possession of extreme pornographic images and it is expected that this would be subject to similar tests.

Staff who have been properly authorised and instructed to respond to reports of the presence of illegal images and who satisfy all the tests should not have to fear that they will be prosecuted. The MoU recommends that organisations adopt written procedures for such activities to protect their staff.

These guidelines set out a procedure that is believed to be in accordance with the ACPO/CPS Memorandum of Understanding. Following this procedure should therefore give authorised staff some protection against prosecution by demonstrating that they have acted reasonably and professionally (MoU principle 5).

Principles for dealing with illegal material

The guidelines aim to implement the following essential principles:

  • The police are the appropriate people to be investigating serious crimes
  • The risk of exposing users and staff to potentially harmful material must be minimised
  • As little damage as possible should be done to any evidence of criminal activity

Therefore:

  • Allegations of the presence of illegal material on systems connected to the [university] network must be reported to and dealt with by authorised staff as soon as possible (MoU principles 1 and 2)
  • As soon as the likely presence of such material is confirmed, the matter must be handed to the police with the minimum delay, with the evidence in the best condition that can be achieved (MoU principles 3 and 4)
  • These guidelines must be followed, or any departure from them documented with reasons for doing so, to demonstrate that staff have acted responsibly and professionally (MoU principle 5)

Rules for staff

The basic rules for staff when dealing with illegal materials are:

  • Staff must only act when they have been given specific written authorisation by [computing service management] and in accordance with that authorisation and this procedure
  • The role of the organisation's staff is only to confirm the presence of illegal material, to prevent further access to the material and to do the least possible damage to evidence
  • Staff must report to the police as soon as the presence of illegal material is confirmed and must follow the directions of the police thereafter. The police should normally be contacted by a member of the [computing service management], but if they are not available then the police should be called direct and management informed as soon as possible
  • If any delay threatens the organisation's response to the report then the matter must be handed to the police immediately
  • Any information obtained as a result of actions under these guidelines must be treated as strictly confidential

Stages in the process

1. Receive report

Any report or allegation of the presence of illegal material on a [university] system must be immediately recorded in writing and passed to a member of [computing service management]. Only they can authorise further action.

The written record must include how the presence of the material was detected: in particular staff must never proactively seek out illegal material.

Do not start an investigation without authorisation from [computing service management]. Authorisation will be given in writing. In particular, do not investigate an allegation on your own.

Normally, management will report the matter directly to the police and be guided by them in all further activities.

If a member of [computing service management] is not available, call the police and inform [computing service management] as soon as possible. The contact for [the University] is the Police Liaison Officer who can be reached by phone on [NNNN].

Reports of material elsewhere on the Internet, for example on public websites, should normally be passed to the Internet Watch Foundation.

2. Obtain written authorisation

MoU principle 1.

The only situation involving illegal material that need not be immediately reported to the police is where there has been an unverified allegation that a member of the organisation has been accessing such material.

Unfortunately there have been cases where such allegations have been made falsely and maliciously. If there is real doubt over the accuracy of a report, [computing service management] may need to authorise appropriately skilled members of staff to perform the minimum checks necessary to confirm the presence of such material on [university] systems or elsewhere.

If you are authorised to deal with an allegation, you will be informed in writing by a member of [computing service management]. The authorisation should identify you, and the authorising manager, by name and job title. All actions to deal with the allegation must always be performed by two authorised staff working together.

As soon as it seems likely that illegal material is present, this must be reported to [computing service management] for them to contact the police. No further investigation must be done unless authorised by the police and then following their instructions to the letter.

Staff must not attempt to identify how material came to be on the system, or which users may have accessed it, as doing so is almost certain to damage the credibility of evidence that may need to be presented in court.

3. Perform minimum checks needed to confirm the presence of material

MoU principles 3 and 4.

The purpose of the organisation's actions is only to confirm whether illegal material is likely to be present on a computer. This should involve the least possible handling of computer files and disks, both to reduce the risk of exposing staff to harmful material and to do the least possible damage to evidence.

Every action taken must be recorded in writing (ink, not electronic), with every mouse click, command or URL recorded. Where a complex command needs to be recorded this may be printed out in addition to writing it down but the printout must be signed and dated immediately and inserted into the written record.

Two staff must be present at all times. Both must sign and date every sheet of the record. If possible they should also initial each entry in the record.

If possible, these checks should be performed with the computer disconnected from all networks, to prevent external interference.

Often, checking a list of filenames or URLs visited will be sufficient to confirm suspicions: viewing files or visiting websites should be regarded as an absolute last resort. If it is necessary to visit a suspect web site then this should be done with a text-only browser, or at least with all image downloads turned off (ensure you know how to do this before starting the investigation). The text or filenames of a site will often indicate the nature of the content.

As soon as evidence of the presence or absence of illegal material is found, stop any further actions and report to the member of [computing service management] who gave the original authorisation.

4. Protect evidence

MoU principles 3 and 4.

The most effective way to protect evidence is to remove power from the computer on which the illegal material is stored (pull the power lead out of the back of the computer, not the mains socket: do not perform a shutdown as this may overwrite evidence).

If, however, the computer cannot be taken out of service for an indefinite period then a backup copy of at least some of the illegal material must be taken before making it inaccessible to users. Ideally this should be a forensic-quality copy of the disk using, for example, the UNIX® 'dd' command or a recognised commercial forensic package. If this is not possible for reasons of space or skill then a directory listing and a selection of files should be copied to a secure medium, eg CD-ROM. Such copying should be the minimum necessary to indicate the scale and nature of the illegal material.

In either case the evidence - computer, disk or backup copies - must be sealed, labelled, signed and dated, and placed in a secure, locked location until it can be handed to the police. Details of the location and its security measures must be recorded in writing. All those with access to the location must be identified and any actual entry into the location recorded and signed.

The incident must not be discussed with colleagues. The material must not be shown to anyone other than, if absolutely necessary, those authorising and performing the investigation. Doing so may compromise the individual and jeopardise any subsequent police investigation.

5. Make minimum change to prevent access

MoU principle 3.

If the computer containing the material is not taken out of service, then action must be taken to prevent deliberate or accidental access to the material.

Such action must make the least possible change to any remaining evidence; advice should normally be taken from the police on appropriate measures. These may include changing the permissions on directories or files to make them inaccessible, or deleting them.

6. Report to police

MoU principle 2.

When the authorised actions are completed, the results must be reported to the member of [computing service management] who authorised them. If the presence of illegal material was confirmed or seems likely, this must be reported immediately to the police.

The Janet Network and infringement of copyright

The Janet Acceptable Use Policy (AUP) identifies infringement of copyright as an unacceptable use of the network (paragraph 16). The creation or transmission of any material which infringes the copyright of another person would be a breach of the AUP.

Janet-connected organisations are required by the terms and conditions for the use of the Janet Network to take reasonable steps to ensure that users comply with the AUP, in particular to ensure that any unacceptable use of the network, including copyright misuse, is investigated promptly and dealt with effectively should it occur.

Rights-holders and their agents are increasingly monitoring peer-to-peer networks and other Internet services to detect breaches of their intellectual property rights. These notes aim to help Janet-connected organisations respond effectively to these complaints.

Receiving complaints

Complaints relating to IP addresses are generally sent to the e-mail contact(s) listed in the RIPE IP address database. Complaints about particular servers may also be sent to the advertised contacts for those services (eg webmaster for web servers).

Occasionally, complaints are sent to Jisc CSIRT, though this is a less direct route as Jisc CSIRT does not have access to logs or other records required for an investigation. Such complaints will be passed to the organisation's registered security contact to be dealt with.

Organisations should therefore ensure that:

  • Contact details for all their public IP address ranges are up-to-date (different address ranges may have separate contact details listed - updates to contact details for IP address ranges can be sent to ipaddress@ja.net)
  • E-mail to these addresses is read frequently
  • Those reading it know how to deal with copyright complaints

Responding to complaints

Complaints of copyright misuse should include at least the:

  • Complete IP address (or web URL) of the alleged breach
  • Date and time, or range of times, when the alleged breach occurred. (Times should include the time zone in GMT +0100 format)

Many organisations connect to Janet through proxies or network address translation devices and these are more likely to be able to identify the responsible individual if the complaint includes full details of both ends of the connection over which the copyright material was transferred. Prompt complaints, made soon after the event, are more likely to result in successful investigations.

Complaints should also include a working e-mail address to which responses may be sent. This may be used to request further details if insufficient information has been provided. Where complete information has been provided, organisations should respond to confirm that the complaint has been received and will be investigated in line with the Janet AUP and organisational acceptable use policies.

Dealing with complaints

Having received a complaint of copyright misuse, Janet-connected organisations are required to investigate it and should ensure that their local policies support this.

Investigation will normally involve the organisation matching the complaint against its own information, such as server, authentication, DHCP and network flow logs. As discussed in the Janet technical guide on Logfiles, organisations should normally keep sufficient logs to enable them to link activity on Janet to a responsible individual.

If these logs appear consistent with the complaint, the organisation should identify the responsible individual and contact them to ensure that if a copyright breach has occurred then it stops and is not repeated. If the organisation's logs indicate that the complaint may be incorrect or mis-directed, the organisation should inform the reporter so that they can improve their detection and reporting systems.
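The matching described above can be sketched in code. This is an added example, not Jisc's or any site's own tooling: the record layouts, field names, the 30-second clock tolerance and all sample entries (documentation address ranges, made-up accounts) are constructed assumptions. It normalises the complaint's time zone, narrows NAT translations using both ends of the connection, and only names an account when NAT, DHCP and authentication logs agree on exactly one.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

# Assumed tolerance for clock drift between the reporter's clock and site logs.
SKEW = timedelta(seconds=30)

def parse_ts(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS +HHMM' to UTC; a missing offset raises ValueError."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)

class Complaint(NamedTuple):
    public_ip: str
    when: str
    public_port: Optional[int] = None
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None

class NatEntry(NamedTuple):      # hypothetical NAT translation record
    start: str
    end: str
    inside_ip: str
    public_ip: str
    public_port: int
    remote_ip: str
    remote_port: int

class Lease(NamedTuple):         # hypothetical DHCP lease record: inside IP -> MAC
    start: str
    end: str
    ip: str
    mac: str

class Session(NamedTuple):       # hypothetical authentication record: MAC -> account
    start: str
    end: str
    mac: str
    account: str

def active(rec, when: datetime) -> bool:
    """True if the record's validity window (plus skew) covers the instant."""
    return parse_ts(rec.start) - SKEW <= when <= parse_ts(rec.end) + SKEW

def correlate(c: Complaint, nat_log, leases, sessions):
    """Return (status, detail); an account is returned only when unambiguous."""
    try:
        when = parse_ts(c.when)
    except ValueError:
        return ("need_more_detail", "timestamp has no usable time zone offset")
    hits = [n for n in nat_log if n.public_ip == c.public_ip and active(n, when)]
    if not hits:
        return ("inconsistent", "no traffic through that address at that time")
    # Narrow by whichever connection details the complaint supplied.
    for field in ("public_port", "remote_ip", "remote_port"):
        wanted = getattr(c, field)
        if wanted is not None:
            hits = [n for n in hits if getattr(n, field) == wanted]
    inside = {n.inside_ip for n in hits}
    if not inside:
        return ("inconsistent", "connection details match no translation")
    if len(inside) > 1:
        return ("need_more_detail", f"{len(inside)} hosts shared the address")
    ip = inside.pop()
    macs = {l.mac for l in leases if l.ip == ip and active(l, when)}
    if len(macs) != 1:
        return ("unresolved", "DHCP lease missing or ambiguous")
    mac = macs.pop()
    accounts = {s.account for s in sessions if s.mac == mac and active(s, when)}
    if len(accounts) != 1:
        return ("unresolved", "no single authenticated account")
    return ("identified", accounts.pop())

# Constructed sample logs; all log times are recorded in UTC.
D = "2024-03-01 "
NAT_LOG = [
    NatEntry(D + "13:04:00 +0000", D + "13:06:00 +0000",
             "10.1.2.3", "192.0.2.10", 40001, "198.51.100.7", 6881),
    NatEntry(D + "13:05:00 +0000", D + "13:05:50 +0000",
             "10.1.2.9", "192.0.2.10", 40002, "203.0.113.5", 443),
    # Same public port reused an hour later by a different inside host.
    NatEntry(D + "14:05:00 +0000", D + "14:06:00 +0000",
             "10.1.2.44", "192.0.2.10", 40001, "198.51.100.7", 6881),
]
LEASES = [
    Lease(D + "12:00:00 +0000", D + "16:00:00 +0000", "10.1.2.3", "aa:bb:cc:00:00:01"),
    Lease(D + "12:00:00 +0000", D + "16:00:00 +0000", "10.1.2.9", "aa:bb:cc:00:00:02"),
    Lease(D + "12:00:00 +0000", D + "16:00:00 +0000", "10.1.2.44", "aa:bb:cc:00:00:03"),
]
SESSIONS = [
    Session(D + "12:00:00 +0000", D + "16:00:00 +0000", "aa:bb:cc:00:00:01", "user-a"),
    Session(D + "12:00:00 +0000", D + "16:00:00 +0000", "aa:bb:cc:00:00:02", "user-b"),
    Session(D + "12:00:00 +0000", D + "16:00:00 +0000", "aa:bb:cc:00:00:03", "user-c"),
]

if __name__ == "__main__":
    full = Complaint("192.0.2.10", D + "14:05:30 +0100", 40001, "198.51.100.7", 6881)
    print(correlate(full, NAT_LOG, LEASES, SESSIONS))
```

In the sample data the same public port is reused an hour later by a different host, so reading the complaint's `+0100` time as UTC would point at the wrong account.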

If a complaint relates to a visiting user from another member of the eduroam federation then the organisation should forward it to be dealt with under the eduroam policy.

If a user has committed a breach of copyright or of good security practice (for example by allowing others to use their account), the complaint provides an opportunity to warn them of the need to act responsibly in future. Many sites have also reported good results from using these users as ambassadors to spread good practice among their friends and colleagues. This can be an effective way to reduce copyright breaches and improve compliance with the Janet AUP.

Disclosing information

The Janet-connected organisation's obligations under the AUP will be satisfied once it has taken effective action to stop the reported copyright infringement and to discourage future breaches.

Rights-holders will normally also consider this action sufficient. In the most serious cases, however, rights-holders may wish to take legal action against the individuals responsible. In criminal cases the police can issue a notice under section 61 of the Investigatory Powers Act 2016 requiring the organisation to disclose the identity of the user associated with a username or IP address. In civil cases the courts can make orders (known as Norwich Pharmacal orders) with the same effect. Any organisation receiving either a notice or an order must comply if it is able to.

Schedule 2 of the Data Protection Act 2018 also permits (but does not require) an organisation to identify an individual user if it wishes to do so and is satisfied both that this is necessary for the legitimate interests of the rights-holder and that it does not prejudice the rights or legitimate interests of the user. Organisations considering using this power should declare this in their registration with the Information Commissioner and the Fair Processing Notices they give to users, and should take care to comply with their obligations under the Data Protection Act 2018 when using this route, in order to avoid any risk of legal liability. 

Conclusion

Jisc intends to continue to work with rights-holders and connected sites to ensure that processes for reducing copyright misuse are effective.

Any comments or suggestions for improvements should be sent to Jisc's chief regulatory adviser, Andrew Cormack (andrew.cormack@jisc.ac.uk) and any problems with individual complaints to Jisc CSIRT (irt@jisc.ac.uk).

Disclosure of information to law enforcement

The police and other law enforcement agencies may need assistance to prevent, detect or investigate criminal activity involving networks or computers at Janet-connected sites.

As this may involve organisations doing things that would normally be prohibited by law (for example disclosing personal information, contrary to the Data Protection Act 2018), the law has a number of provisions and processes to permit cooperation.

This page describes those most likely to be encountered by Janet-connected sites. Jisc may facilitate urgent requests by providing details of our trusted security contacts at the site(s) concerned.

Co-operation and best practice

The processes have been designed to ensure the best balance between providing good information or evidence for investigating authorities and protecting organisations or individuals. It is therefore important for all parties to follow the appropriate process for each situation.

Some of these processes require the organisation to cooperate, whereas in others the organisation must assess whether cooperation is necessary and proportionate before it agrees or refuses cooperation accordingly.

In most cases the law enforcement agency will make informal contact with an organisation before serving a formal notice on it. This provides an opportunity for the agency and the organisation to discuss what relevant information may be available and could be released so that the contents of the notice, when it is served, should be clear and acceptable to both parties.

In most cases this contact will be made by a trained single point of contact for the agency, who is already familiar with the types of information likely to be available from computers and networks.

Disclosing logfiles

By far the most common request made by the police is to identify an individual user or to provide information about their on-line activity. Information about communications and the individuals who made them (eg the identity of users of a particular email or IP address, when they logged in and to whom they sent emails), but not including the content of any files or communications, is covered by the Investigatory Powers Act 2016 (IPA), where it is referred to as 'communications data'.

Section 61 of the IPA allows law enforcement, and other authorities listed in Schedule 4 of the Act, to serve a notice on an organisation requiring that communications data be disclosed.

A notice under this section must be given in a form that allows a permanent record to be kept - other than in exceptional circumstances this will be in writing, giving at least the minimum information in paragraph 6.23 of the Code of Practice. An organisation receiving a notice must comply with it by disclosing the information specified in the notice: normally the authority will contact the organisation before issuing a notice to confirm that the information is available.

Disclosing other information

Information that is not communications data, and therefore not covered by the Investigatory Powers Act 2016, includes the content of e-mails and files.

Two different processes (one mandatory, one not) cover the disclosure of this type of information.

Evidence

A court may make an order that an organisation must disclose specified information to the court, usually for use as evidence. The most common orders are those issued by judges under Schedule 1 of the Police and Criminal Evidence Act 1984 (PACE), known as PACE Production Orders as they require the recipient to produce (disclose) information that they would otherwise be under a legal duty to keep confidential.

An organisation that receives such an order must comply with it, generally by disclosing the required information to a police constable, or explain to the court why it is unable to do so. Failure to comply, without good reason, is likely to constitute a criminal offence.

Personal data

Schedule 2 Part 1 Section 2(1) of the Data Protection Act 2018 allows an organisation that holds personal data (including the content of emails and files) to choose to disclose data if it is persuaded that the disclosure is both necessary and proportionate for the purpose of detecting, investigating or preventing crime. It is the responsibility of the organisation that has the data to ensure that the risk of harm if the information is not disclosed justifies the breach of privacy that will be caused by disclosing it.

Agencies concerned with crime and national security can therefore ask an organisation if it is willing to disclose information under either of these sections, but there is no legal requirement to comply with such a request.

Further guidance on what to disclose

Standard forms (eg from the Internet Crime Forum) have been designed on which the agency can make the case for disclosure: organisations that are persuaded that a request is necessary and proportionate and decide to disclose information on that basis are strongly recommended to keep a copy of the request, together with a record of the process by which the organisation reached the decision to disclose. These will be needed as evidence if the organisation is subsequently sued for having breached its obligation under the Data Protection Act to keep personal data secure.

Removing material from publication

Universities and colleges in England, Wales and Northern Ireland have a statutory duty to protect free speech by their members under section 43 of the Education (No.2) Act 1986 (similar provisions also apply to universities and colleges in Scotland).

However, where information published by a university or college, or one of its members, breaks the criminal or civil law (these are generally also breaches of the Janet Acceptable Use Policy), this duty may be overridden and the publication may be altered or removed.

The normal situation under UK law is contained within the Electronic Communications (EC Directive) Regulations 2002. This protects organisations that provide services such as web hosting from liability so long as they act promptly when informed of a particular publication that may be unlawful. If the publication continues after a complaint, the organisation will be held to have approved the content of the publication and may be liable if the publication is later found to break the law. See our guide to hosting liability.

For the particular case of material relating to terrorism, sections 3 and 4 of the Terrorism Act 2006 set out a more detailed and demanding process. A police constable may issue a written notice to a senior representative of the organisation (usually the secretary or registrar) informing them that they are publishing terrorist material. The organisation must remove or amend the material within two working days or else it will be held to have approved the publication of the material. Following receipt of a notice the organisation is also required to take all reasonable steps to prevent re-publication.

Being prepared

A complaint does not have to take any particular form, but it must give specific information that allows the publication to be identified. Organisations should therefore have efficient processes to receive and consider complaints of unlawful material on their websites and to remove or alter any material that they would not be prepared to defend in court. Note that the organisation should not disclose the identity of the person responsible for the publication other than under one of the processes above.

Data retention and data preservation

Section 87 of the Investigatory Powers Act 2016 permits the home secretary to order any organisation that operates a network to retain data about the use of its systems. We are not aware of this power being used against any private network. Unless and until an organisation receives such a notice, the Data Protection Act 2018 prohibits the collection or retention of any personal data that the organisation does not itself need.

Should the authorities subsequently need to see the retained information, disclosure will be achieved by one of the processes described above.

Logs and data collection

It is strongly recommended that anyone responsible for a computer or network should collect sufficient logs of activity to be able to identify the account and individual responsible for any misuse.

The policies for connection to the Janet Network expect that sites will maintain such logs.

Requirements for logs are discussed in our technical guide.

Risks of not keeping logs

Even though logging may not be required by law (see the section on Data Retention above for circumstances when it may be), Janet-connected organisations that have failed to keep logs have found themselves being blamed for misuse from their site that they could not trace. It is quite possible that such blame could develop into a formal claim of liability for damage caused, leaving the organisation with bad publicity at best and a large bill for damages and legal costs at worst.

Restrictions

There are a number of legal issues that must be addressed in any logging activity. Even if the logs contain only information that the network was used by particular accounts, then they will constitute personal data within the meaning of the Data Protection Act 2018 (particularly the Privacy and Electronic Communications (EC Directive) Regulations 2003).

This places restrictions on how logs may be used, and also requires that they be protected against misuse by appropriate technical and procedural measures. Personal data may only be kept so long as there is good reason to do so: organisations should ensure that they have a retention policy stating how long logs will be held and that they are deleted after this period.

If the logs contain the content of any communication, for example the text of e-mails, news or chatroom conversations, then recording them counts as interception and the conditions of the Investigatory Powers Act 2016 must also be met.

Laws relevant to networking and computing

National and international law apply to activities carried out using computers and networks. The UK has a number of laws which apply particularly to computers and networks:

This guide is made available under Creative Commons License (CC BY-NC-ND).