
CS5038 The Electronic Society

Lecture 13: Legal Issues; Software Failure


Lecture Outline
• The Law: UK (statute and common) and International
• Criminal Law
• Civil Law
• Computer Misuse Act
  - Hacking
  - Viruses
• Contracts
• Software Failure
  - e-Commerce example
  - e-Government example
  - e-Health example

1
Who Makes The Law?
In the UK, there are three main sources:
Statute Law – made by the government
  - Scottish parliament can also make some laws
Common Law – made by judges
  - Often, by interpretation of statute law
International Law – made by govt treaties
  - Includes EU Law – directives & instruments

2
Statute Law
Statutes come from Acts of Parliament
  - In principle, govt can make any law it likes (the UK has no Constitution, like e.g. the US)
  - In practice, govt is constrained by existing laws, including EU law and internat’l treaties
  - Acts of Parliament also have to be debated and approved by House of Commons & Lords (and by Royal Assent)

3
Common Law
Statutes don’t always cover everything
  - Judges interpret the statutes to make their decisions
  - When there is no statute, judges refer to common law (also called case law)
  - Often judges must follow decisions from earlier cases (precedents)
  - Judges do not create new areas of law

4
Example of Common Law
Confidentiality:
  - Employees owe a duty of confidentiality to their employers
  - Even after leaving employment, the employee cannot divulge confidential information
There is no statute on confidentiality
However, precedents have been established through previous court cases

5
European Legislation
The most common form of European law-making is the Directive
  - A Directive instructs member states to update their laws in certain ways
  - A Directive specifies an end result, not exactly how each member state should implement it
  - Directives can take several years to implement, but parts can be binding before they are fully enacted
Euro Parliament can also issue Regulations and Decisions – these are more immediate

6
Criminal Law
In the UK, there are two main branches of the law:
criminal law and civil law
Criminal law largely arose because the state wished to forbid or punish behaviour that was not in the public interest…
One motivation for criminal law was that the state wished to stop people seeking their own vengeance for wrongs against their families…
Hence the state prosecutes cases on behalf of the public: “R. versus Jones”, etc.

7
Civil Law
Civil law is more concerned with people’s rights and obligations - Examples:
Business contracts
Implied contracts (e.g. supermarket purchases)
Product liability – satisfactory quality and fit for purpose
Liability for negligence
Vicarious liability – e.g. employers may be liable for acts
by employees (slander, defamation, etc)

8
Crimes May Be Both Criminal & Civil
Example: A drunken car driver knocks over a
pedestrian…
He is criminally liable: drunk driving, driving without due
care & attention, etc.
He is liable under civil law: the victim may sue for
damages, lost work, lost limbs etc.
Driver could be tried twice - usually in a criminal court
first

9
Criminal Law and IT?
Until recently, there has been little criminal law
regarding IT - Criminal law is mostly concerned with
offences against the person and property. Information
was not really regarded as property…
Suppose I steal a book – obvious physical theft
Suppose I only photocopy the book?
Suppose I scan it and put it on the Internet?
What rights do or should the book’s owner and its
author have??
Should this be treated as a criminal or civil offence?

10
Civil Law and IT?
All software is inherently buggy…
What rights should I have if
(a) the software I purchased fails?
(b) the failed software causes me to lose money?
Generally, software vendors try to limit their liability with “take-it-or-leave-it” contracts – “Caveat Emptor”
They want the customer to have no rights – buyer beware
But the courts can overrule:
Concept of “the reasonable man”

11
Do We Need New Laws?
Does computer technology introduce new types of crime - Or just more efficient ways of committing old crimes?
Generally, existing laws are adequate
  - For, e.g., fraud & theft
But new laws needed for a few loopholes
  - For, e.g., hacking, viruses
  - (mainly because of the disruption they cause)

12
Computer Misuse Act, 1990 (1)
Attempts to plug loopholes of other laws:
  - Applies to fraud, hacking, virus-writing
  - And other computer-related crimes…
Two main principles:
  - If some conduct is criminal, it should be equally criminal if computer technology is used
  - If some conduct is generally not criminal, it should not become so in a computer context

13
Computer Misuse Act, 1990 (2)
1.-(1): A person is guilty of an offence if:
(a) he causes a computer to perform any
function with intent to secure access to any
program or data held within a computer
(b) the access he intends to secure is
unauthorised; and
(c) he knows this at the time
Note keywords: intent and access
So this defines hacking as an offence
(later)

14
Computer Misuse Act, 1990 (2)
Section 2.-(1) says a person is guilty of a
further offence if (having gained
unauthorised access), it is to facilitate
the commission of an offence
Basically, this means it’s illegal to use a computer to help set up a crime, either by yourself or with any other person

15
Computer Misuse Act, 1990 (3)
3.-(1) A person is guilty of an offence if
(a) he does any act which causes the
unauthorised modification of the contents
of a computer; and
(b) at the time when he does the act he
has the requisite intent and requisite
knowledge
So, presumably, accidentally deleting
something is not a crime!

16
Penalties Under The Act
Gaining unauthorised access (or trying to):
  - Up to 6 months and/or a £5,000 fine
Above + intent to commit further offences:
  - Up to 5 years and/or fine
Causing unauthorised modifications:
  - Up to 5 years and/or fine
In each case, it needs to be “knowingly…”

17
Definition of Access
Under the Act, “access” means:
  - Altering or erasing a program
  - Copying it or moving it to a different place
  - Using a program or data
  - Causing output from the computer
NB: “output” includes any login messages
  - So, you’re accessing a computer, even before you’ve logged-in! (aimed at dial-in scanners)

18
Hacking
If a hacker does no damage is it a crime?
Hackers might say:
  - They’re “testing security”
  - They’re following an intellectual pass-time
  - They didn’t break in (security was inadequate)
The Act says hacking is a crime
  - because companies have to spend time and money checking that no damage was done

19
Viruses
Writing & distributing viruses is covered by Section 3
of the Act (“…any act which causes unauthorised
modification…”)
It doesn’t matter if no damage is done
Or if the “damage” is temporary
But this doesn’t deter virus writers!
Aberdeen uni detects 1000s per day
Best defence is good anti-virus software

20
Prosecutions for Viruses
1995, Chris Pile (aka Black Baron)
Distributed several viruses
Cost UK companies ~ £500,000
Sentenced to 18 months jail
1999, David Smith (US)
Launched Melissa virus
Convicted by US court

21
Computer Fraud
Fraud usually means gaining money by
deception (e.g. forging a signature on a
cheque)
Theft usually means physically stealing
So obtaining money illegally using computers is
generally classed as fraud
Often, computer fraud is conducted by insiders:
legitimate users engaged in illegitimate
activities (so, access isn’t the issue, but
authorisation is)

22
Example: R v Bignall
Bignall was a police officer who used the
national police computer system to identify
the owner of a car (for his own interest)
His actions were discovered and he was
charged under the Misuse of Computers Act
Judge threw it out: “…The Act is primarily to
protect computers, not the information held…”
He should probably have been charged under
the Data Protection Act(?)

23
Example: R v Thompson [1984]
Thompson worked for a bank in Kuwait
He identified several dormant accounts…
Wrote a program to transfer money into his own accounts at the bank (little chance of detection)
But only activated program on way home to UK
In UK, he wrote to the bank to transfer the money to his real account in the UK
Bank finally noticed, and informed UK police

24
R v Thompson - Continued
Thompson was convicted (in the UK) for obtaining
property by deception…
He appealed, saying crime was done in Kuwait (and
hence UK had no right to prosecute him)
Appeal judge ruled the offence was committed only
when he instructed bank to transfer money
“…The crime was committed in the UK; everything
else he did in Kuwait was ‘preparation’…”

25
Contracts Overview
Consumer vs Business Contracts
Contractual vs Non-contractual liability
When things go wrong, who is liable?
Costs can be significant…
Damage to business – lost profits/income
Loss of life
Examples: very few software cases to date

26
Contracts & Contract Law
A contract is a legal agreement between a supplier
and a consumer…
A contract confers rights and imposes duties on
the contracting parties
Contract law follows the doctrine of “freedom of
contract” – the contracting parties may specify
the extent of their rights and obligations…
Unless it breaches the law…

27
Written Contracts
Usually, business-to-business contracts are
written & legally binding documents:
Buyer advertises work to be done
Suppliers tender a contract
Buyer selects a tender
Negotiations follow to agree on terms
A contract is agreed and signed
A payment (or other “consideration”) is made

28
Implied Contracts
A contract can exist without a written document
If you buy something in a shop, then
The act of you paying & shopkeeper accepting
payment
Means an implied contract exists
Sale of Goods & Consumer Protection Acts:
You can expect goods to be “fit for purpose”
You can expect defective goods to be replaced
If you return goods, can you get the money back?

29
Limitation Clauses
If one contracting party breaches the contract, the other may sue for damages
  - E.g. one/both parties may want to recover costs etc. based on work done or profits lost
Often, companies try to limit their liability:
“Under no circumstances, and on no legal basis
whether tort, contract or otherwise, shall the licensor
be liable to you or any other person for loss or
damage of any character including, and without
limiting the above, damages for loss of goodwill, or
stoppages, loss or corruption of data or software,
computer failure or malfunction, or any and all other
damages or losses…”

30
Consumer Software
In the consumer market, software often has
“shrink-wrap” limitation clauses
E.g. “By breaking this seal you agree to…”
This is OK, but if part of it breaches a national
law (e.g. Consumer Goods Act, or
Consumer Protection Act), then that part is
unenforceable
But you might have to go to court to win!

31
When Things Go Wrong…
A party that breaches the terms of a contract is
liable for damages…
For software, there may be many reasons:
Software is delivered late (or never!)
Software does not perform agreed task
Software is defective
But no software is ever totally bug free?

32
Non-Contractual Liability
If software is inevitably not bug-free, the courts
may call on the “reasonable man” concept.
E.g., if someone is hurt or money is lost, the
software provider could be held liable even if
the incident isn’t covered by the contract…
This is usually decided by considering what is
reasonable with the “technology of the day”…
So, if a plane crashes because the autopilot
failed, a court would be unlikely to award
damages against the software vendor unless
the s/w stopped the human pilot from taking
over…

33
Saphena vs Allied Collection, 1985
Allied: debt collection agency
Saphena: small software consultancy
Jan 1985: a contract was agreed for Saphena
to supply bespoke software to Allied
Apr 1985: software installed at Allied
Software mostly worked, but more work agreed
Aug 1985: problems with new software…
Feb 1986: parties agreed to terminate contract

34
Allied Hire Own Programmer
Allied hired a programmer to fix Saphena’s
software (Saphena had provided source
code)
Saphena took Allied to court, claiming:
Allied had violated their copyright, and had terminated the contract wrongfully
Saphena wanted payment for work done…
Allied counter-claimed: “the software provided
was not fit for purpose”

35
High Court Ruling
Court (& Appeal Court) ruled for Saphena:
Software was not fit for purpose in Feb 1986
Some faults remained to be fixed
But Allied should not have terminated
Software is not something that can be delivered in a “one-off” step
It’s unreasonable to expect perfection (of the software) straight away.

36
Salvage Association vs CAP, 1995
March 1987: Salvage Association contracted CAP Financial Services to develop specs for an accounting system
July 1987: specs delivered & accepted
Further contract for CAP to implement the specified system by May 1988
However, delays & problems emerged…

37
Problems with CAP System
Errors were found in the specification…
Problems with telecoms links…
Key staff left project…
CAP proposed “re-analysis & re-design”
Salvage organised an independent review
Consultants said CAP plan was impossible
Salvage terminated & filed for damages…

38
Salvage Claim Damages
Salvage went to court and claimed damages of
£800,000 to recover costs, also claiming CAP’s
liability limitation clause (£25,000) was unfair
The judge ruled for Salvage:
Salvage were justified in terminating contract
– it was clear CAP could not deliver a system
CAP’s limitation clause breached the Unfair
Contract Terms Act 1977 – any such
limitation had to be reasonable; CAP’s wasn’t.

39
St Albans Council vs ICL, 1996
1989: Govt introduced Community Charge:
(this “poll tax” was to replace “the rates”)
Everyone should pay the same amount…
(formerly based on size & value of houses)
Local Councils had a fixed timescale to
implement the new tax collection system
St Albans contracted ICL for their system...
(ICL had a template which would be customised)

40
Tax System Requirements
St Albans would calculate total tax spend
System had to calculate total no. of taxpayers (eligible vs non-eligible people)
System divides total bill by no. taxpayers
This would set the tax bill for each taxpayer
This amount would then be fixed by law
It was agreed ICL would deliver their system in
stages…

41
Tight Timescales
Govt required bills to be fixed by Dec 89
ICL delivered an early system on time…
But it over-calculated the no. of taxpayers…
ICL & St Albans knew there was a fault…
But St Albans had to set the rate anyway!
They later found the count was wrong by 3,000!
So the individual rate was fixed far too low!!
St Albans stood to lose £1.3m in taxes…

42
St Albans Go to Court
St Albans took ICL to court, claiming:
ICL had broken contract (software had failed)
ICL’s liability limitation of £100,000 was unfair
ICL should be responsible for all loss of taxes
ICL counter-claimed:
St Albans had knowingly agreed to accept a
“development system”, “bugs and all”…
Judge ruled for St Albans on all counts…

43
Details of St Albans Ruling
The judge’s comments are of interest:
“Parties who respectively agree to supply and acquire a
system recognising that it is still in the course of
development cannot be taken…to intend that the
supplier shall be at liberty to supply software which
cannot perform the function expected of it at the
stage of development at which it is supplied.”
In other words, even if ICL were supplying software in stages, the software supplied at each stage should have worked correctly

44
ICL Appeal (and Lose)
The appeal judge ruled against ICL, saying:
“On whom is it better that a loss of this size should fall, a
local authority or an international computer company? The
latter is well able to insure (and in this case was insured)
and pass on the premium cost to its customers. If the loss
is to fall the other way it will ultimately be borne by the
local population either by increased taxation or by reduced
services. I do not think it is unreasonable that he who
stands to make the profit (ICL) should carry the risk.”
So, future rulings will tend to be “for the public”?

45
London Ambulance Service
In 1992, the LAS introduced a new Computer-Aided Despatch System
Designed to allocate ambulances to
incidents more efficiently – to meet new
govt targets for response times
In a typical day, system was expected to:
Process 2,500 calls
Move 5,000 patients

46
LAS Technical Details
The CAD system was “state of the art”
Ambulance crews had Mobile Data Terminals
Data relayed to/from central computer
Call centre personnel entered details of
incidents into system
System allocated ambulances to incidents
System “went live” at 3am Oct 26, 1992
By the next day, LAS was in total chaos...

47
LAS – What Went Wrong?
New system rapidly became overloaded…
Ambulances sent to wrong locations…
…Or taking hours to attend an incident
Callers getting frustrated, and re-reporting same
incident – causing more overloading
Information scrolled off call-centre screens
Between 10 & 20 people died as a result…

48
The LAS Inquiry Report, 1993
The Report gave several findings:
The CAD system was over-ambitious and
implemented against an impossible
timetable
The LAS board was not informed of doubts about the contractors’ abilities & experience
(contractors had little experience of similar systems, and got the contract on low cost)
The LAS failed to set up appropriate
project management procedures…

49
LAS Inquiry Report (cont)
It was a mistake to implement the full CAD
system in just one phase
Senior management failed to recognise or
respond to the many problems that caused
the system to fail
There was incomplete “ownership” of the
system – it was forced on staff without
consultation re new working practices etc.

50
LAS Inquiry – More Failures
Training for staff was inadequate and inconsistent (some staff trained too early!)
The system was not fully tested first
The system relied on complex comms technology which didn’t always work
On 4th Nov, a minor bug crashed the system, and the backup system also failed

51
LAS Recommendations
The LAS Inquiry made several
recommendations about a future system:
Project management practices
Management/Staff Relations
Phased implementation
Staff training & systems testing
LAS does now have a successful system
75% of incidents treated within target limits

52
Summary
• The Law: UK (statute and common) and International
• Criminal Law
• Civil Law
• Computer Misuse Act
Hacking
Viruses
• Contracts
• Software Failure
e-Commerce example
e-Government example
e-Health example
53