Tuesday, February 27, 2007

First UK case on Spyware

A recent case, R v Waters, reached the Court of Appeal. It concerned a man who had conspired to install spyware on his wife's computer. He was sentenced to four months' imprisonment, and the Court of Appeal upheld the ruling:

Computers are an established part of modern life. An increasing amount of personal and private information is kept on computers, not only by the State and large organisations but also by individuals. The privacy of that information must be protected and it is vulnerable to the kind of unauthorised interference and intrusion that occurred in this case. The judge correctly identified deterrence as an element of sentencing in this case. In our judgment, a sentence of imprisonment for offences such as this was not wrong in principle.

For further reading, see also:

  • Deterrent sentence appropriate for "computer spying" [2007] Justice of the Peace & Local Government Law 171(7),

Thursday, February 22, 2007

Data Protection Act 1998

I received a recent press release about changes to be made to the UK Data Protection Act 1998 to strengthen the penalties against those who misuse personal information.

Following the results of a consultation paper launched last summer, the Department of Constitutional Affairs has announced that much tougher powers to sentence those found guilty of breaching Data Protection principles will be given to courts. For the first time, this will mean that courts may impose prison sentences for individuals who trade in, or deliberately misuse personal data. The change is intended to combat the illegal trade in personal information which has become highly profitable in recent years. Several reports by the Information Commissioner have highlighted the inadequacy of current penalties, as the fines imposed on those who breach the provisions of the Data Protection Act do not appear to have deterred others from participating in the trade. In the worst cases, judges will have the power to impose prison sentences of up to two years in addition to unlimited fines.

This follows a recent report from the ICO, which called for tougher penalties against those involved in the illegal trade of personal information. See:

Thursday, February 15, 2007

Data snooping

There was a recent press release from the BBC on the confusion surrounding data snooping laws.

Balancing the needs of the police to investigate crimes online with the privacy of individual web users has become controversial as governments seek to extend their snooping rights in cyberspace. Already European ISPs and phone companies are in the process of implementing an EU directive which forces them to retain a variety of communication data for up to two years. Now, a Republican congressman, Lamar Smith, has put forward a bill for discussion in the US Congress that could see a similar regime operating Stateside. Experts think it is unlikely that the US will introduce draconian data retention laws any time soon, not because they do not want to but because similar European legislation is currently in varying degrees of disarray.

The Data Retention Directive 2006/24/EC amends the Data Protection Directive 95/46/EC and the Directive on Privacy and Electronic Communications 2002/58/EC. It will require organisations to store data for up to 2 years (Art. 6). However, some provisions remain unclear when considering how the Directive (when implemented) will work in practice. For example, the Directive draws a distinction between retaining "traffic data" and "location data", but is it always clear how this distinction applies to the internet? Some articles/websites worth reading: