US focus



THE COMPUTER LAW AND SECURITY REPORT 1 CLSR

protection) covering software, and examination of authentication of electronic transactions, electronic fraud and the liability of information services. Protection of personal data and the confidentiality of database searches should operate under the Convention of the Council of Europe. If problems arise, other measures would be taken in time. Once the coordinated installation of the integrated services digital network (ISDN) (2) is completed, the Commission will give special attention to the quality of services and to the interworking of the packet-switching networks. It will also encourage improved postal services which carry not only books, but information products on new media, such as optical compact disks.

Pilot projects

The Commission is proposing to support a number of pilot or demonstration projects aimed at encouraging new collaboration with users of information services and/or industry. Projects must be large enough to exert a catalytic effect on the development of the information services industry and on the market in general. Such schemes should encourage the cooperation of small and medium-sized companies with the large organisations active in the information market, and aim in some projects to generate a high level of public demand in order to help up this important ready market. Projects submitted by groups of industry operators will, if accepted, receive a community contribution of up to 25 per cent of the development costs, which can take the form of subsidy, reduced-interest loans, guarantees or venture capital. Other projects, which are of general interest but which are unlikely to attract private sector investment (such as databases containing strategically useful information for public policy decisions) could attract up to 50 per cent of costs, unless already covered by Community contributions to exploratory and feasibility studies.

Access

The Commission wants to extend the opportunities of access of users of information through four major channels:

- Libraries: In 1988 there will be special action in favour of Community libraries encouraging electronic interconnections and the use of the new information technologies.

- User access aimed at helping users to connect with the range of services available in the Community through, for example, the DIANE Guide (multi-lingual electronic directories) available on its host service ECHO. There should also be set up in the Community a number of help desks to tackle the technical difficulties in accessing international services. Euronet DIANE has already shown that Community awareness campaigns have boosted by almost a third over five years the number of expert users of European on-line services.

- Training: There is a need to reinforce existing training schemes. ECHO host service will encourage training workshops and new automatic training aids, in cooperation with DELTA and SPRINT (Strategic Programme for Innovation and Technology Transfer).

- Reducing multilinguistic barriers: The Commission intends to undertake a complete study of the entire question of multilingualism and improve already existing systems (Eurotra and Systran) to facilitate incorporation of multilingualism in information services.

Implementation of plans

The Commission accepts that implementation of the Community Information Services Market involves at least two years of planning. It proposes a financial contribution of 15m ECU (£10.5m) in 1989 and 20m ECU (£14m) in 1990. Meanwhile, it will set up the European Information Market Observatory, encourage standardisation of equipment, and undertake the legal work required for future Community legislation. Member countries will be encouraged to back a coordinated campaign aimed at promoting the wealth and quality of information available in Europe, while the Commission will launch a small number of pilot or demonstration projects.

Backed by the European Council in March 1985, the Commission's proposals have resulted from discussions with the ISPG (Information Service Providers Group) and ISUG (Information Services Users Group), and are open to proposals from users and the industry. The Commission has proposed the adoption of a Council Decision which will authorise it to report on activities in the second half of 1989. The draft Decision is backed by a fiche d'impact (impact assessment) which sees the development of information services as of value to small firms. Meanwhile, at the end of September 1987, the Commission held a workshop in Luxembourg under the title Kiosk: Towards a Common Market for Information, designed to develop the information industry between 1987 and 1992.

Footnotes:

1 COM(87) 360 of 2.9.1987. Note: Community documents are available from Her Majesty's Stationery Office (HMSO). Some documents may be available from the Library of the EC Commission, 8 Storey's Gate, London SW1P 3AT.

2 See Recommendation 86/659: OJ L 382 of 31.12.1986

US FOCUS

SMALL BUSINESS GUIDE TO COMPUTER SECURITY

Needed: "Ostriches Anonymous"?

"My name is Bill, and I'm an ostrich." The scene is familiar, a small room filled with smoke. His collar open, forehead moist with sweat, Bill tells the tale of woeful ignorance that led him to seek this group's help. Now he is willing to take the "12-step" cure pioneered by Alcoholics Anonymous to avoid future disasters. All the other group members are "ostriches", or recovering ostriches. Men and women older and younger than him listen to Bill with compassion, wincing in recognition when they have made similar mistakes.

"I never trusted my brother-in-law," Bill begins, "but the wife kept nagging, 'give Artoo a chance, give Artoo a chance.' So I hired him to computerise my accounts receivable. For six months I asked why the receivables were shrinking but our profits weren't growing. He mumbled things I didn't understand and assured me everything was working fine. Then three months ago he disappeared, along with most of our cash. The creep sent me a postcard from Maui today. He was receiving the receivables, not the business. We're bankrupt now. I shoulda known not to trust someone whose idol is R2D2."

MAY - JUNE THE COMPUTER LAW AND SECURITY REPORT

"Ostriches Anonymous" and Bill are fictitious, of course. Bill is a symbol of an addiction we all share to varying degrees, yet seldom recognise. Ignorance can be an addiction, much like alcohol, marijuana, and cocaine. Often we keep ourselves ignorant of those things we don't want to worry about, those things we think we can't control, and those things that would make us feel more frustrated. As they say in Alcoholics Anonymous, "denial ain't a river in Egypt." Unfortunately, far too many of the business owners in our country keep themselves ignorant of the technology they use. That's the reason that dependence on our technology often seems to put us at risk.

Do you think that Bill's case is unique? Try telling that to the Los Angeles company whose two chief programmers schemed to replace their operating systems with meaningless characters and bring the company's operation to a halt. Or ask the Beaverton, Oregon company that was led on a chase as it tried to retrieve critical software that had been stolen by an extortionist. Or ask the Des Moines law firm that was hit with a $30,000 phone bill for calls actually made by electronic delinquents (or hackers, if you wish) calling other computer systems from their own.

According to a soon-to-be-issued report by the Small Business Computer Security Education and Advisory Council, 30-35% of the 17 million small businesses in this country had computers in 1985. By 1987 the percentage had nearly doubled, hitting 65%. The Council predicts a parallel growth of computer crime against the small business owner. "Small business management," their report notes, "cannot usually afford the degree of specialisation and skill needed to effectively manage computer technology..." The problem of computer crime is one that the small business owner is not likely to be able to handle alone.
Until the "ostriches" of the world unite, the Small Business Administration may be the newest resource available to those who would like their computer systems to be secure. As a result of Oregon Congressman Ron Wyden's efforts in passing the Small Business Computer Security and Education Act, the SBA will soon set up a hotline to assist small business owners with their questions about computer security. The number is 800 368 5855. They have also produced a book, A Small Business Guide to Computer Security, which can be ordered through the 800 number or by dropping the SBA a line at 1441 L. St. NW Washington DC 20416. When an ostrich puts its head in the sand, it leaves its posterior completely exposed. The moral for computer users should be clear: keep your head up and watch your assets.

J.J. Buck BloomBecker, Report Correspondent

US SPRINT MOUNTS CIVIL LAW HACK-ATTACK

"Reach out and sue someone" seems to be the new motto of the long-distance telephone service companies. Alarmed by the growing volume of "toll fraud" or theft of their telephone services, the major carriers are using more security technology, cooperating with law enforcement, and bringing big-buck civil cases against the worst offenders they can find. A civil lawsuit filed in Los Angeles recently by U.S. Sprint illustrates the new posture. It offers a lesson to any computer user interested in how to use the civil law to fight against hack-attacks.

The Problem

According to the complaint filed in Sprint vs. Syal, Mueller, and Unitel, Sprint personnel became suspicious that Unitel was selling flat rate long-distance phone services using Sprint access and customer authorisation codes. Customer complaints often alert carriers to such problems. When someone with normal usage suddenly gets a four-figure bill they are likely to complain that they are not responsible for the calls being charged to their account. A number of carriers are installing hardware and software to analyse calling patterns in an attempt to detect fraud more quickly. Not all cases require technological detection. In the case mounted against Unitel, a confidential informant informed Sprint Security personnel about Unitel, providing Sprint with 25 of the codes Unitel was using. Sprint was able to verify that the codes were its own.

The Investigation

Since the 1984 passage of the Counterfeit Access Device and Computer Fraud and Abuse Act, the Secret Service has been increasingly involved in the investigation of both computer crime and theft of telephone services. According to an affidavit filed by Special Agent Brian Korbs of the Secret Service, Sprint contacted the Secret Service with its suspicions, and Korbs was put on the case. Korbs met Gyan Syal, the affidavit continues, on April 7, 1987 and claimed to be a customer, interested in signing up for long distance service. Syal said he would provide Korbs with access codes if Korbs provided him with his three most recent phone bills. The same day, Korbs interviewed Syal's former partner, Kenton Lind. Lind said that he had left his partnership with Syal because he hadn't paid him, and because he was beginning to suspect the legality of Unitel's operations. Lind also told Korbs that Unitel customers had made numerous complaints to the effect that the access codes they had paid for did not work. Lind gave Korbs a list of 98 access codes, saying they had come from Syal or Syal's codefendant Karlheinz Mueller. The 25 codes previously given to Sprint security by the informant were among the 98 Korbs received. Sprint security personnel contacted 17 of the holders of those codes, and determined Unitel had no permission to use the codes.

Arrest, Search and Seizure

Based on the information he had thus acquired, Special Agent Korbs applied for a search warrant to seize evidence of the suspected fraud in the use of credit access devices and to arrest Syal. According to the civil complaint Sprint filed against Unitel, Syal and Mueller, Syal was arrested on April 15, 1987 pursuant to the warrant Special Agent Korbs had filed. At the time of his arrest at his office, a list of 286 Sprint codes was found and seized.

Civil Action

Sprint attorney Bernie Bianchino says that Sprint has decided to pursue civil remedies in cases like this as well as cooperating in any possible criminal prosecutions. The civil remedies offer the possibility of injunction and significant damages, which are often not possible in criminal cases. Sprint's complaint demonstrates the variety of charges which can be brought against someone who has stolen and used a telephone service access code. Users will want to consider which of them might also be used in the case of use of a computer access code.

RICO violations - Sprint claims that Syal and Mueller, through Unitel and other businesses, "served as suppliers of a computer system, clearinghouses, and coordinators for the activity carried out by a network of 'hackers' and distributors of US Sprint codes." Though not spelled out in the complaint, this allegation suggests that Sprint believes that the defendants were selling software and instructions which could be used by others to learn Sprint codes. The complaint also charges that Unitel committed numerous acts of wire fraud by providing the access codes which could be used to keep Sprint from getting its rightful payment for the services it provided.

Unauthorised use of communications - Sprint also claims that the defendants "received interstate wire communications consisting of Sprint's authorisation codes, and published the codes," in violation of federal law.

Interception of wire communication - The defendants are further charged with having "wilfully intercepted, endeavoured to intercept and procured others to intercept" wire communications containing Sprint access codes. This charge apparently refers to efforts to learn Sprint's codes through access to computer systems containing that information.

Trafficking in unauthorised access devices - Sprint also claims that the defendants "used or trafficked" in unauthorised access devices and possessed 15 or more of these devices. Each access code is considered a "device" under this theory of litigation.

Theft of services - Sprint appeals to the court to assess damages against the defendants for receiving long-distance services from Sprint without paying for them.

Conversion - Finally Sprint claims ownership of the access codes which Unitel was allegedly selling, and charges the defendants with conversion, the civil law equivalent of theft, of the access codes.

Damages

Unlike a criminal action, a plaintiff in a civil case can seek damages, injunctive relief, and other remedies directly from the court. In a criminal case such remedies are sometimes impossible, and always in the discretion of the court and the prosecution. Based on the allegations in its complaint, Sprint requests a permanent injunction prohibiting the defendants from using US Sprint access codes. It also requests damages for lost revenues, which it estimates at $7.6 million, a trebling of actual damages, and an award of punitive damages in the amount of $50,000.

Implications

Clearly this is not a lawsuit to be taken lightly. The stepped-up campaign against telephone hacking on the part of the telephone companies seems to be in high gear. Aided by the new capacities of the Secret Service and the new provisions of the credit card law, telephone security personnel now have the tools they need to punish anyone they catch engaging in massive abuse of telephone access codes on the scale alleged to have been undertaken by Syal, Mueller and Unitel. Many of the techniques used by Sprint to investigate and later to bring a civil suit against the defendants in this case can be applied in computer crime cases as well. The Federal Computer Fraud Act specifically prohibits "trafficking" in computer access codes, a prohibition analogous to the one relied on by Sprint. While the nation reacts to the massive change in communication resulting from deregulation and the consequent opening of the long-distance service markets, there will be no shortage of criminal entrepreneurs seeking to exploit inadequacies in security. This case demonstrates that the law provides numerous safeguards for the victim. It only requires use.

J.J. Buck BloomBecker, Report Correspondent

COMPUTER CRIME

Futuristic Anthropology - Reflections on US Computer Crime Law developments

Allow me to play soothsayer. If the ancient Greeks could see portents in goat droppings, can I not attempt to divine the future of the computer security profession from an analysis of the computer crime laws that were dropped - and passed - in 1987? Woe unto ye who ignore my prophecy!

Eleven years ago Connecticut Senator Abraham Ribicoff introduced the first computer crime bill in the U.S. Senate. It went to defeat, as did all other attempts at federal legislation until 1984. But its effects have been felt in the dozens of states which copied its language. Since 1984 Congress has strengthened the Federal computer crime law, passed the Electronic Communications Privacy Act, and most recently, passed HR 145, the Computer Security Act of 1987. HR 145 could ultimately affect computer security professionals more than all the earlier laws combined. This law makes periodic computer security training for operators of "sensitive" Federal computer systems mandatory. It requires that every operator of a "sensitive" system establish a plan to assure the security and privacy of the systems under its control. If followed, this law will set a precedent that could significantly influence information management in the private as well as the public sector, and at all levels of government. (I think this is a welcome change, and one capable of enormous impact.) It is but one sign of the legislative interest in computer crime that Senator Ribicoff initiated more than a decade ago.

As 1987 began, 47 states had some kind of computer crime laws. A modification of Parkinson's law is required to explain the fifteen computer crime bills that were introduced before the year ended: the quantity of new legislation introduced in an area is directly proportional to the amount of old legislation. This may seem bizarre to the systems professional, assuming logically that once a state has a law it has less need to deal with the problem. But it will make perfect sense to a television viewer used to seeing "new" programs imitate old ones far more frequently than striking out for virgin territory. As in entertainment, legislation is often the result of what people are paying attention to, not what they need.

People are paying attention to the regular reports of computer crime our media entertains us with. People who used to gossip about Asian flu are now asking me about IBM's viruses. The "democratisation" of computer crime is continuing, and probably gaining speed. Voters are becoming increasingly comfortable forming opinions about computers, and computer crime law seems to be the arena in which many of the negative opinions are expressed. It is for this reason that the reader may benefit from close attention to what the legislators think the voters are paying attention to.

The content of the laws that passed further supports this observation. Three states, California, Illinois, and Missouri, undertook complete rewriting of their laws. In each case the law's proponents argued that the existing laws had been outstripped by the march of technology and criminal inventiveness. (In none of these cases, so far as I can tell, was there much hard evidence to support the argument.) The three other amendments, in New Mexico, North Dakota, and Oregon, all reflected growing sophistication as to the varied nature of computer crime threats. Each raised the possible maximum penalty for a computer crime, reflecting the legislator's easy reaction to any problem - tougher laws.


(Again, no evidence was brought forth that more toughness was needed, but rhetoric seemed adequate to carry the day.) At the same time - and it is for this reason that I characterise the laws as sophisticated and not just draconic - several of the laws also reduced the minimum penalties for computer crime. This change, I believe, reflects the continued public interest in "hacking." Where there is little or no damage to a computer system juries are unlikely to allow the perpetrators to be severely punished, particularly if they are young, middle-class, bright, and not obviously part of a minority culture.

(The seventh state, Arkansas, passed its first computer crime law, leaving only West Virginia and Vermont without any laws on the subject whatsoever. Massachusetts and Maine, which have only limited coverage of crimes involving computers in their current statutes, were each asked to reconsider by legislation introduced but not passed in those states.)

"Democratisation" goes beyond the passage of laws. The laws that did not pass suggest that computer crime law may soon be seen as a vehicle for protest against unpopular computer uses. California and Pennsylvania have followed the lead of proposed Federal legislation in attempting to outlaw the use of computers for child pornography activities. California has also attempted to criminalise the use of computers for advertising, selling, or distributing obscene matter. New Hampshire has attempted to prohibit computerised telephone solicitation, and Connecticut has added computers to the list of items that cannot be brought into jails without permission. Texas and North Carolina considered bills which would have provided further protections against misuse or theft of computer programs or information.

Though none of the bills listed in the last two paragraphs passed, they should give computer professionals pause. Under some of these laws, if you were involved in the design, implementation, or use of a disapproved computer application, you might be liable. If a system is insecure, the odds that those who set it up or maintain it may be found liable are also increasing. In short, my prophecy is simple. As more attention is directed to computer use - and abuse - you'd better watch your assets.

Copyright 1988 J.J. Buck BloomBecker, Report Correspondent

LAW REPORTS UPDATE

Infosystems Technology Inc v Logical Software Inc (4th Cir., No 85-1932-L)

The continuing litigation between these two corporations has been documented in a previous issue of The Report (1987-88 2 CLSR). The issue in the present case was essentially, "when is an enhancement not an enhancement?". Logical has developed the LOGIX Database Management System and the Softshell interface software, the former of which was licensed to Infosystems in 1982 for the purposes of modification and distribution. The agreement also gave Infosystems similar rights to any enhancements to LOGIX. Infosystems had in 1983 contracted with a third party to supply a modified form of LOGIX, but on the condition that it also developed a screen interface. This they did, but the interface was rejected by the third party. ITI subsequently brought an action claiming that Softshell should be considered as an enhancement to LOGIX, and that the absence of Softshell put Infosystems at a competitive disadvantage that in total amounted to $5.7 million. Their claim failed on two counts.

In the first place, it was held that although Softshell improved the performance of LOGIX, it could be used and marketed independently and therefore did not amount to an enhancement of LOGIX itself. Secondly, although the two software products contained a substantial amount of similar source code, this was not held to be a decisive factor in determining whether one product was an enhancement of another.

PC-SIG Inc., et al v Lone Star Inc., et al (ND CA, San Jose Division, No C-87-20721-WAI)

In a note on public domain software on page 38 of this issue, it is suggested that the public domain distributors have found it necessary to turn to the law of copyright, as the market moves from its original noble intentions to a more commercially oriented approach. PC-SIG, a California-based distributor of public domain software, publish a catalogue in the form of a book, a newsletter and on disk. They claim that Lone Star, of Texas, have infringed copyrights by a variety of activities including: selling copies of the disk catalogue after removing PC-SIG's name and copyright notice, copying the format and organisation of PC-SIG's catalogues, and selling software containing PC-SIG's copyrighted material. PC-SIG claim that the catalogues in all forms are original compilations. More interesting is the claim that whilst PC-SIG does not own a copyright in the public domain software itself, its practice is to incorporate certain descriptive material found in the catalogues into each disk that it sells, and therefore owns a 'derivative copyright' in each public domain disk. In case this novel argument fails, PC-SIG's complaint also includes counts for unfair competition and trademark infringement. It is nevertheless instructive to see how copyright law is becoming the refuge of its former detractors.

Mead Data Central Inc. v Lex Systems Inc. (ND CA, San Francisco Div., No C88-0355-SAW)

Mead Data have asked a California court to determine whether or not the company can extend the use of its LEXIS trademark. LEXIS is at present used in relation to Mead Data's computer-assisted on-line research services for lawyers, but Mead Data now wish to adopt LEXIS as its corporate name, and to use it in relation to all its on-line research services (e.g. news and medical research). Lex Systems Inc. ("LSI") own the trademark 'LEX' and use it in relation to its computerised accounting and management services for the legal profession. Following a lawsuit between the parties in 1972, it was agreed that Mead Data could use LEXIS for its computer-assisted legal research services. On the face of it, that agreement effectively precludes any wider usage, but Mead Data claim that the actual intention of that agreement was to prevent confusion between the products of the two companies. They argue that the use of LEXIS for news and medical research services would be as far if not further removed from the LEX services of L.S.I. as is LEXIS, and that any confusion would therefore be unlikely.

St Paul Fire & Marine Insurance Co. v Paperback Software Inc. et al (ND CA, San Francisco Div., No C-87-5357-SAW) Further ripples are being caused by the litigation over the 'look and feel' of Lotus' '1-2-3' software. Paperback's insurers between 1984 and 1986 are seeking a declaration that they have no duty to defend or indemnify Paperback for any judgement that might be imposed as a result of the copyright infringement litigation with Lotus. The point of contention is whether the 'property damage' sections of the insurance policy extend to claims for damages to intangible property, and for economic loss. In the event that the property damage clauses do cover the copyright infringement claims, St Paul claim a) that the damage did not result from an 'accidental event' within the meaning of the policies; b) that the policies do not provide cover against equitable claims, such as injunctive relief; and c) that the Lotus claims are based upon development, production and marketing of software, all of which fall within a 'professional services' exclusion in the policies.

NEC Corp. v Intel Corp. (ND CA, San Jose Div., No C-84-20799-WPG) A new judge has been appointed in this case to replace Judge Ingram, who recently disqualified himself from the case and at the same time vacated his very important 1986 ruling that microcode may be protected by federal copyright law. Judge Ingram's self-disqualification followed a motion brought by NEC on the grounds that the judge held $80 worth of Intel stock acquired through an investment club. Following the ruling that Intel's 8086 and 8088 microprocessors contain copyrightable microcode, the court was next to determine whether NEC's 'W' series of microprocessors infringe the 8086/8088 chips. Intel, understandably frustrated by the eighteen-month delay, is seeking an immediate injunction barring the unauthorised distribution of copyrighted Intel microprograms, and an adjudication of the issue of copyrightability on the existing trial record.

Datagate Inc. v Hewlett-Packard Co. (ND CA, San Jose Div., No C-86-20016-RPA) In the last issue of The Report, it was reported that following the court's view that H-P's practices caused a 'chilling effect' upon potential entrants to the market for servicing H-P's computers, H-P claimed that Datagate, as an existing competitor, could not have suffered injury from such a 'chilling effect' and therefore lacked standing to pursue the claim. Since then Datagate has sought to introduce new evidence, including declarations filed by a different third party maintenance organisation against H-P in an Ohio court. The declarations state that H-P had discontinued its four-hour response time service to customers who did not have a service contract with H-P. This had meant that many H-P users had terminated contracts with third party maintainers and switched back to H-P. H-P, whilst arguing that Datagate had still failed to show any actual injury, justifies its change of policy by saying that the four-hour response provided a safety-net for the third party maintainers. Under the previous policy, H-P had to retain "an uneconomically high number of engineers" so that the third party maintainers had been saved the cost of hiring more engineers of their own. "Not even a monopolist is obligated to allow its rivals to take such a free ride on its resources", H-P said.

Inslaw Inc. v Department of Justice (D. DC, Bankruptcy Ct. No 85-00070) Inslaw, which filed for bankruptcy in 1985, had alleged that the Department of Justice used 44 unauthorised copies of 'Promis', a program used by U.S. attorneys' offices to track cases. The judge awarded compensatory damages of $6.79 million, calculated using Inslaw's published licence fees. The judge, who had said in the course of the action that the Department of Justice had used "trickery, fraud and deceit" to misappropriate 'Promis', has not been re-appointed to the bench. He has since filed suit to block his ousting from office, and it has been suggested that he has not been re-appointed in part because of his ruling against the Justice Department.

David Greaves, Editorial Panelist

CURRENT AWARENESS

NEWS HIGHLIGHTS

SIMPLIFIED FORMS ENCOURAGE MORE TO REGISTER UNDER DATA PROTECTION ACT

Over 20,000 fresh applications for registration under the Data Protection Act have been received since the distribution by the Data Protection Registrar of simplified registration forms for small businesses in September. During the period September 1987 - January 1988, 12,500 of the simplified forms and a further 8,000 applications on the original, larger forms have been received. Once vetted, these entries are being added to the Register, which now exceeds 160,000 entries. Data Protection Registrar Eric Howe comments: "We distributed 280,000 of the new simplified forms, including 30,000 to legal and financial advisers, and supported this with a modest advertising campaign in professional journals. In addition to the requests for registration, we have received 18,000 replies stating that registration was not necessary because no personal data was kept or because the computer application was exempt." "The 38,000 replies or 13.5% response rate certainly made the exercise worthwhile and applications are still flowing in at a rate of 400 a week. Judging by the experience in France, where it has taken 10 years to reach 160,000 registrations, this result is encouraging," Mr Howe said. "Our difficulty is knowing with any accuracy how many should be registered. We are tending to revise downward the early estimates and believe that 250,000 might be closer to the figure." "It is pleasing to note that organisations are keeping their entries up-to-date. By the end of January, more than 23,000 requests for changes to entries had been received. There is no charge for making these changes," Mr Howe explained. The shorter registration forms for small businesses are obtainable from Crown Post Offices or the Office of the Data Protection Registrar, Springfield House, Water Lane, Wilmslow, Cheshire SK9 5AX.

DATA PROTECTION REGISTRAR WELCOMES CODES OF PRACTICE FOR POLICE

The Data Protection Registrar, Mr Eric Howe, has welcomed the Codes of Practice for police computer systems published by the Association of Chief Police Officers and the Association of Chief Police Officers (Scotland). Responding to the recent announcement by the Home Secretary that the Codes of Practice are now publicly available, the Registrar said "The use of personal data by police forces is both necessary and inevitably sensitive in a number of aspects. In these circumstances, the good practices laid down in the Data Protection Act become of particular importance. These Codes will assist police forces to comply with the data protection principles contained in the
