Legal liability for expert systems - 14 May 87 London. A one day conference organised by learned...



THE COMPUTER LAW AND SECURITY REPORT 2 CLSR

of confidence, which he described as the 'third leg of the stool' after contract and copyright. Software is widely treated as confidential, but can the same be true of mass-marketed software when demonstrations are freely given to unlicensed users? It is of course still possible to overlay contractual obligations of confidence. But the speaker made the telling point that where features of a popular package become generally known this may expose the product to commercial attack by 'cloning short of copyright infringement'. Michael Silverleaf, a barrister who specialises in intellectual property, gave a very comprehensive account of the litigation process in claims of this type, and particularly emphasised the value of the interlocutory injunction. The final speaker on Day one was Laurie Slade of the Institute of Arbitrators, and he cited flexibility as the main advantage of arbitration. Privacy and the availability of an arbitrator were also given as advantages, but the speaker acknowledged that "arbitration is only as good as the arbitrator" and went further in admitting that there was at the present time a shortage of good arbitrators qualified to hear computer related cases.

Day two

The second day was spent more on contractual matters. Simon Chalton dealt with bespoke development and stressed the importance of the requirements specification, as it is in this area that most disputes are grounded. Dolina Kaye, formerly of ICL, but now with Exxel Consultants, gave some useful advice on ways of negotiating the best deal. Moreover, one can usually obtain a cheaper price by ordering different elements of a system from different suppliers. Such a purchasing method requires a good deal of expertise in contract negotiations, and may create problems when faults occur in the system, and the suppliers all deny responsibility. The alternative is to ask one supplier to act as prime contractor, and to assume responsibility for supplying and integrating the various elements. Not unexpectedly however, this method is usually the more expensive. Keith Harpham was once Chief Executive with Thorn EMI Computer Software, but now heads Software Opportunities Ltd., a company set up to help software developers bring products to market. The theme of his talk was new software marketing vehicles. Two that he mentioned were site licences and per-user licensing. Site licences have the advantage that costs are known, expansion of use is easier and unintentional licence infringement is avoided. On the other hand, it can be difficult actually to define 'the site', or to cater for home use. Per-user licensing is attractive to software companies because the more a product is used, the more revenue is generated. Of course, the software itself must be able to determine levels of use and consideration needs to be given to the level of users. Is this to be those who actually use or those who have the potential to use? There has been a great deal of debate recently about the enforceability or otherwise of shrink-wrap software licences. Christopher Millard bravely attempted an analysis of the legal position. It is generally accepted that where the user sends back the user registration card, acceptance of the licence terms is communicated and the contract is complete. However, statistics show that only around 10% of users actually return these cards, and even then the Unfair Contract Terms Act 1977 may weaken the clauses typically found in such licences. Shortage of space prevents a fuller consideration of the wide range of topics covered at this year's Symposium. Audiences, on such occasions, inevitably seek to obtain definitive answers to specific problems, and this presents great difficulties for speakers given the uncertainty which prevails in so many areas of computer law in the UK. The conference however succeeded in raising the level of awareness on matters such as software copyright and procurement, and with the very high standard of the course documentation, few delegates can have gone away dissatisfied.

David Greaves, Editorial Panelist

LEGAL LIABILITY FOR EXPERT SYSTEMS - 14 MAY 87 LONDON. A ONE DAY CONFERENCE ORGANISED BY LEARNED INFORMATION LTD.

Speakers: Colin Tapper, Professor Bryan Niblett

Human experts are now utilising expert systems to assist them in a wide variety of applications, including design and diagnosis. It does not take a lawyer to see that the use of such systems could result in complicated issues of liability for defects in their design, manufacture and use. This conference was held to consider such issues. It was organised by Learned Information Ltd. of Oxford, who are publishers in the field of expert systems. The organisers managed to engage two of the most distinguished authorities in the field of computer law to chair the seminar: Professor Bryan Niblett and Colin Tapper, both of whom are barristers, authors of leading books on Computer Law and possessing significant experience of the computer industry. Professor Niblett began the day with an analysis of the nature of expert systems and a consideration of some of the earliest and most successful applications. Many of these such as MYCIN and PROSPECTOR are well known examples. Some of the most successful recent rule-based applications have concentrated on narrow subject areas (e.g. EXCOM used by DEC to help design system configurations). It has to be recognised however that even the best expert systems, like the experts themselves, are fallible. With many of the present systems being used for financial management and engineering design there is clearly plenty of opportunity for economic loss. He went on to describe the several ways in which expert systems are marketed: as shells, such as EXPERTECH, where the user supplies his own knowledge base; or as systems complete with a knowledge base. Colin Tapper then gave an interesting presentation on the nature of law, in which he described how the courts have historically dealt with new situations by a process of analogy (i.e. by comparing the motor car to the horse). Subsequent sessions dealt with contractual and tortious liability and the way in which the distinction between the two is becoming less clear.
In some of these sessions, the subject matter was not specifically relevant to developers of expert systems, but relevant to software developers generally. Some of the lawyers present therefore found that they received a 'refresher' in the law of tort and contract, whilst for many of the representatives of expert systems companies, the talk went somewhat over their heads. I have felt on several occasions that when dealing with subjects such as this, it would be useful to begin by having parallel sessions in which the lawyers could be introduced to the nature of the technology, and the technologists to the law. This would make for more productive sessions later in the day. Nevertheless, a good deal of time was left for questions and answers, during


JULY - AUGUST THE COMPUTER LAW AND SECURITY REPORT

which many interesting points arose. The organisers are to be congratulated for putting on the conference. The use of expert systems will inevitably become a very fertile ground for liability claims, but up to now few people have begun to consider the legal implications.

David Greaves, Editorial Panelist

COMPUTER SECURITY - 3 DAY SEMINAR 20-22/5/87. EMAP

Cost: £749

Speaker: Bob Abbott

The seminar details looked impressive and delegates, although under 20 in total, assembled at the Forum Hotel in eager and enthusiastic mood. A peek at the traditionally weighty reference file, professionally produced, heightened anticipation of the knowledge we were all going to acquire. The presenter, Bob Abbott, is an American whose company, EDP Audit Controls Inc., undertakes computer security projects and audits primarily in the States. Day one began, inevitably, with fundamental concepts of computer security, the implications of continually changing technology and the increase in computer related crimes. Areas to be considered in formulating a security program were identified and discussed, with emphasis placed on the commitment of management to ensure effectiveness. This appeared to be of major concern to delegates. It was generally felt that the lack of appreciation in this area was a major stumbling block in trying to institute appropriate security measures. Suggestions were made (some repeatable!) to overcome these attitudes, which included more use of available statistics and references to reinforce the message. We then moved onto the area of risk and vulnerability identification. List followed list: risk analysis - vulnerability analysis - threat/asset matrices - leaving us all swamped and swimming for the shore. This area had been overly complicated by the showing of continuous, boring viewfoils of typed material corresponding to the reference file before us. In fact, the most practical session of the day was the advice, albeit in outline, of the method to structure a computer security program and conduct a security review.

Day two

The pace of the second day was considerably more leisurely, if not slow. Case studies, reflecting different aspects of computer security were discussed. These were quite basic and inappropriate to the level of delegates attending. We then returned to risk analysis with yet more lists and forms and appendices, by which time most delegates' concentration had moved on to trying to keep awake. Recommendations were made to include in a corporate security program a procedure for testing and evaluating security controls and a security test and evaluation plan was duly considered. An interesting concept in attempting to ensure adherence to corporate security policies was suggested by the Speaker. He has developed a program of 'Accreditation' for distributed data processing facilities. Each site would have to apply for 'Accreditation' on an annual basis and in this way the clauses of compliance with laid down policies would be improved. The security of software was then debated with comprehensive guidelines produced on methodologies to ensure adequate controls. Emphasis was placed on the importance of stringent recruitment procedures for those in key positions, particularly systems programmers. The last session of the day covered the preparation of disaster recovery and contingency plans, using the speaker's own methodology of a COOP (Continuity of Operations Plan).

Day three

The final day and our enthusiasm had left us. We assembled, our expectations dulled, eager for the five o'clock train home. Questions, submitted the previous day by delegates with particular areas of concern were addressed by the speaker. Following these questions, a great amount of time, disproportionate to other important issues, was given to the subject of errors in software. This was covered in detail and the role of the EDP auditor discussed. The Speaker advised that the auditor should 'verify the controls in use'; the controls which the computer security manager should 'have put in place.' Miscellanies dominated the closing session: the potential risks of the automated office environment and the trend towards remote diagnostics and maintenance of equipment; encryption and the interest of the Orange Book. It was with a sigh of relief that most delegates headed for the exit. A disappointing seminar by a speaker who seemed totally bored with the subject himself. The audio visuals were uninteresting, typed sheets (as our reference file) and one would have expected a higher standard of presentation from a 'Conference Circuit' speaker. Comments made revealed the speaker was uninformed of the European arena and sweeping generalisations of the capabilities of investigative bodies and fire officials were singularly misplaced. The content lacked depth and was somewhat basic for the designated level of attendees. Delegates found this seminar of limited value and will find great difficulty in justifying the vast expense. I am left wondering how such an interesting field could be made so boring.

Pamela Hughes, Report Correspondent

STOP PRESS

CONFERENCES

Outer Space Committee Programme for the committee meetings at the International Bar Association (section on Business Law) Conference - London 14th - 18th September 1987. Topics include:

• Legal, technological and commercial developments in outer space

• The joint United States, European, Japanese and Canadian space station project

• The legal and commercial issues relating to the provision of insurance for commercial space ventures

• Legal, technical and commercial aspects of satellite operation

• Remote sensing from outer space

Further information from: International Bar Association, 2 Harewood Place, Hanover Square, LONDON W1R 9HB. Tel 01-629-1206
