1. Queen's Speech: One does not have much to say about IT and Outsourcing
In the Queen's speech at the opening of Parliament this month, there was not a lot to say about IT, Technology and Outsourcing. Last year's rumoured all-singing, all-dancing new Communications Bill appears to have been abandoned and, perhaps following the recent European decision finding the Data Retention Directive to be invalid, previous legislative attempts at gaining access to more communications data (for example the Communications Data Bill) have also fallen off the radar.
The main point of interest in the Queen's speech for the IT sector this year was therefore the proposals for a new Serious Crime Bill.
With cyber security remaining high on the political agenda, the draft of the proposed Serious Crime Bill published on 6 June 2014 makes proposals to amend the current UK Computer Misuse Act in a number of ways, including significantly strengthening the sentences for computer misuse offences.
New Offence causing serious damage
The Government’s UK Cyber Security Strategy included a commitment to review existing legislation, for example the Computer Misuse Act, to ensure that it remained relevant and effective. Following that review, the proposed amendments contained in the Serious Crime Bill introduce a new offence in respect of computer misuse causing serious damage.
The new offence relates to unauthorised acts in relation to a computer that cause or create a significant risk of "serious damage" to:
- human welfare;
- the environment;
- the economy; or
- national security.
The sentencing for this new offence would be imprisonment for up to 14 years, unless the unauthorised act causes or creates a significant risk of causing: (i) loss of human life; (ii) human illness or injury; or (iii) serious damage to national security, in which case the maximum sentence will be life imprisonment.
The previous maximum penalty of ten years’ imprisonment was not considered adequate by the Government in those cases where the impact of the action is to cause serious damage, for example to critical national infrastructure. The government believes that the new offence addresses that gap in the criminal law.
Implementing the "Attacks against Information Systems" Directive
The proposed draft of the Serious Crime Bill also includes amendments to the Computer Misuse Act necessary to implement certain parts of Directive 2013/40/EU on attacks against information systems, which is due to be implemented by Member States by 4 September 2015.
Article 7 of the Directive requires Member States to criminalise certain activities in relation to the commission of certain offences in the Directive. It requires Member States to take necessary measures to ensure that the intentional production, sale, procurement for use, import, distribution or otherwise making available, of certain tools, with the intention that they be used to commit any of the substantive offences in the Directive is punishable as a criminal offence.
Section 3A of the Computer Misuse Act meets these requirements other than in relation to the "procurement for use" of tools. Under the existing offence, the prosecution is required to show that the individual obtained the tool with a view to its being supplied for use to commit, or assist in the commission of an offence under the Act. The proposed amendment therefore extends this to include an offence of obtaining a tool for use to commit a Computer Misuse Act offence regardless of any intention to supply that tool.
Finally, Article 12 of the Directive requires Member States to increase the extra-territorial scope of their legislation.
The draft Serious Crime Bill therefore amends the appropriate provisions of the Computer Misuse Act to allow the prosecution of a UK national who commits any offence under the Computer Misuse Act while outside the UK, even when the conduct has no significant link to the UK other than the offender's nationality. The only condition is that the offence in question was also an offence in the country where it took place.
The possible deterrent effect of the new proposed sentencing will come as welcome news for many organisations worried about the vulnerability of their systems. However, it has also drawn criticism for continuing to criminalise certain legitimate hacking, such as certain types of research and security testing.
The Bill had its second reading at the House of Lords on 16 June 2014 and is due to pass to the committee stage at the House of Lords on 2 July 2014.
A copy of the current draft of the Serious Crime Bill is available here.
2. The Bare Essentials: UK Government launches Cyber Essentials Scheme
The Government has launched its new "Cyber Essentials" scheme as the next step in its "10 Steps to Cyber Security" initiative.
The scheme provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common Internet based threats. In addition, it offers by way of a certification process, a mechanism for organisations to demonstrate that they have taken such steps.
The scheme's requirements are focused on Internet originated attacks against an organisation's IT system and concentrate on five key controls:
- Boundary firewalls and Internet gateways
- Secure configuration
- Access control
- Malware protection; and
- Patch management.
Organisations can either self-assess their compliance with the requirements in order to be awarded the Cyber Essentials certification, with such self-assessment being subsequently verified by an independent certification body. Or alternatively, they can achieve the higher standard of Cyber Essentials Plus through the external testing of the organisation's cyber security approach.
BAE Systems, Barclays and Hewlett Packard are reported to be some of the first organisations to apply for the new certification and, whilst the scheme is not mandatory, the Government has confirmed that, from 1 October 2014, it will require all suppliers bidding for certain personal and sensitive information handling contracts to have the Cyber Essentials certification.
A copy of the Government's guidance is available here.
3. US court permits search warrant for data stored outside the United States
Joe Falcone from the Herbert Smith Freehills dispute resolution team in New York considers the recent decision by a federal magistrate judge in New York ordering Microsoft Corporation to produce, in response to a search warrant issued at the behest of US authorities, the contents of one of its customer's e-mail accounts stored on a Microsoft server in Ireland.
US government authorities obtained a search warrant under the Stored Communications Act for information located in the e-mail account of a Microsoft customer. Once Microsoft determined that the target account was hosted, and its content information stored, on a server in Dublin, it sought to quash the warrant insofar as it sought information stored abroad. Microsoft argued that, just as US courts lack authority to issue warrants for search and seizure of physical property located outside the US, they similarly cannot issue a warrant requiring seizure of electronic information stored outside the US.
The same magistrate judge that approved the warrant also rejected Microsoft's argument (In The Matter Of A Warrant To Search A Certain E-Mail Account Controlled And Maintained By Microsoft Corporation, 13 Mag. 2814 (S.D.N.Y. 25 April 2014)). In his view, unlike a conventional search warrant that is subject to territorial restrictions, an SCA warrant is a "hybrid"—part search warrant subject to criminal procedure requirements, and part subpoena that is served on the ISP itself and hence "does not involve government agents entering the [ISP's] premises … to search its servers and seize the e-mail account in question."
This unique hybrid structure does not implicate the prohibition against extraterritorial application of warrants, since it has "long been the law that a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information." Per the court, this holding is consistent with the view that a "search" of digital information occurs only when data is exposed to human observation, not when it is processed by a computer. Thus, no search would take place in this case until the information is reviewed by authorities in the US, thereby precluding any concerns about an extraterritorial search.
The ruling is not binding on any other court. Microsoft described the case as a first step in its campaign to correct the US government's views on the application of search warrants to electronic content stored outside the US, and to that end has appealed the decision to the federal district court. Argument on Microsoft's objections is set for late July 2014.
The decision can be found here.
4. Keep Calm and Carry On Browsing
Joel Smith and Heather Newton from the Herbert Smith Freehills IP team consider the recent Court of Justice of the European Union (CJEU) judgment confirming that browsing the internet (without downloading or printing) does not require permission of the copyright owner.
The CJEU decision arose from a reference made by the UK Supreme Court in the long running Meltwater case (Public Relations Consultants Associations Ltd v The Newspaper Licensing Agency Ltd and others). The case was initially brought by the Newspaper Licensing Agency against Meltwater News, a media monitoring organisation providing internet links to its customers which grouped together relevant news items for them to read. The NLA (the collecting society for newspapers) argued that both Meltwater and its customers needed a licence to deliver and receive the service. In the course of the litigation, Meltwater accepted that it needed a licence and therefore dropped out of the litigation. However the question remained in respect of Meltwater's customers.
The UK Supreme Court held that no customer licence was necessary as the acts involved in viewing material on a website could fall under the temporary copying exemption under Article 5.1 of the Information Society Directive 2001/29/EC (Section 28A of the CDPA). However, a reference was also made to the CJEU.
The CJEU has now confirmed that those who browse the internet are not at risk of any unintentional liability for copyright infringement simply through the act of viewing websites. For those involved in the administration of rights, it confirms that the operation of the internet, as far as browsing is concerned, is not dependent on wide ranging implied licences.
However, the CJEU decision determines the position only for browsing. It does not therefore give internet users any comfort that printing or downloading material, or storing it on an email, is equally permitted.
In reaching its decision, the CJEU relied on the fact that when material is published on the internet, the website publisher is required to obtain the copyright owners permission. As such, the proviso in Article 5.5 of the Directive that any temporary copying exemption should not conflict with normal exploitation of the work and not unreasonably prejudice the legitimate interests of the rights holders was also met for browsing. This will inevitably throw the focus of copyright owners back on to the need to police the posting of their copyright works on the internet in the first place.