chap 11: legal and ethical issues in computer security
SE571 Security in Computing
Chap 11: Legal and Ethical Issues in Computer Security
SE571 Security in Computing Dr. Ogara 2
This Chapter Examines…
Program and data protection by patents, copyrights, and trademarks
Computer crime
Ethical analysis of computer security situations
Codes of professional ethics

Law and Security
International, national, state, and city laws can affect privacy and secrecy
Laws regulate the use, development, and ownership of data and programs
• Patents
• Copyrights
• Trade secrets
Laws affect actions that can be taken to protect the secrecy, integrity, and availability of computer information and service

Challenges
Law does not always provide an adequate control
Laws do not yet address all improper acts committed with computers
Some judges, lawyers, and police officers do not understand computing, so they cannot determine how computing relates to other, more established, parts of the law

Protecting Programs and Data
Common legal devices include:
• Copyrights
• Patents
• Trade Secrets

Copyrights
Designed to protect the expression of ideas
Ideas are free but once expressed (in a tangible medium) must be protected
Intention of a copyright is to allow regular and free exchange of ideas
Gives the author the exclusive right to make copies of the expression and sell them to the public

Copyrights
Copyright must apply to original work
It lasts for a few years, after which it is considered public domain
Copyright object is subject to fair use
• Product used in a manner for which it was intended and does not interfere with the author’s rights, e.g. comment, criticism, teaching, scholarly research
• Unfair use of copyrighted object is called piracy

Copyrights
A U.S. copyright now lasts for 70 years beyond the death of the last surviving author
95 years after the date of publication for organizations
The international standard is 50 years after the death of the last author or 50 years from publication

Copyrights for Computer Software
Algorithm is the idea, and the statements of the programming language are the expression of the idea
Protection is allowed for the program statements themselves, but not for the algorithmic concept
Copying the code intact is prohibited, but re-implementing the algorithm is permitted

Digital Millennium Copyright Act (DMCA) of 1998
Digital objects can be subject to copyright
It is a crime to circumvent or disable antipiracy functionality built into an object
It is a crime to manufacture, sell, or distribute devices that disable antipiracy functionality or that copy digital objects

Digital Millennium Copyright Act (DMCA) of 1998
However, these devices can be used (and manufactured, sold, or distributed) for research and educational purposes
It is acceptable to make a backup copy of a digital object as a protection against hardware or software failure or to store copies in an archive
Libraries can make up to three copies of a digital object for lending to other libraries

Digital Millennium Copyright Act (DMCA) of 1998
The problem is deciding what is considered piracy
For example, how do you transfer music from your CD to MP3, which is considered a reasonable fair use?

U.S. No Electronic Theft (NET) Act of 1997
It is criminal to reproduce or distribute copyrighted works, such as software or digital recordings, even without charge
When you purchase software, you only have the right to use it
See Napster: No right to copy lawsuit – pp. 655

Patents
U.S. Patent and Trademark Office must be convinced that the invention deserves a patent
Patents were intended to apply to the results of science, technology, and engineering
A patent can be valid only for something that is truly novel or unique – usually one patent for a given invention
Since 1981 the patent law has expanded to include computer software

Patent Infringement
This isn’t infringement. The alleged infringer will claim that the two inventions are sufficiently different that no infringement occurred
The patent is invalid. If a prior infringement was not opposed, the patent rights may no longer be valid.

Patent Infringement
The invention is not novel. In this case, the supposed infringer will try to persuade the judge that the Patent Office acted incorrectly in granting a patent and that the invention is nothing worthy of patent
The infringer invented the object first. If so, the accused infringer, and not the original patent holder, is entitled to the patent

Trade Secrets
Information that gives one company a competitive edge over others
Unlike a patent or copyright, it must be kept a secret
Employees should not disclose secrets
Owners must protect the secrets
• File encryption
• Make employees sign a statement not to disclose a secret

Trade Secrets
Trade secret protection allows distribution of the result of a secret (the executable program) while still keeping the program design hidden
It does not cover copying a product (specifically a computer program)
It makes it illegal to steal a secret algorithm and use it in another product

Trade Secrets
Enforcement Problems
• Does not help if program/code is decoded – trade secret protection disappears
• Additional protection/safeguards are needed: make copies of sensitive documents; control access to files

Trade Secrets
Examples
• Motorola settles trade secrets lawsuits
• Google Wallet spurs trade-secrets lawsuit from PayPal
• Ex-DuPont Employee Pleads Not Guilty in Trade Secrets Case

Comparing Copyright, Patent and Trade Secrets Protection

Protecting Computer Objects
Hardware
• Patented
Firmware – Chips and microcode
• Patented
• Data (algorithms, instructions and programs inside it) are not patentable
• Trade secret – for code inside chip
Object Code Software
• Copyrighted

Protecting Computer Objects
Source Code Software
• Trade secret
• Copyrighted
Documentation
• Copyrighted
Web Content
• Copyrighted

Information and the Law
Information as an object
• Is not depletable/may be used repeatedly
• Can be replicated – buyer can resell and deprive original seller of sales
• Has minimal marginal cost – cost of producing additional information
• Value of information is time dependent – e.g. stock market price
• Often transferred intangibly – difficult to claim information as flawed if a copy is accurate whereas underlying information is incorrect or useless.

Information and the Law
Legal issues relating to information
• Information commerce – how do you protect software developers and publishers from piracy?
• Electronic publishing – how do you protect news organizations and encyclopedias on the web from being targets of copyright infringement?
• Protecting data in database – how do you protect them, who owns the data, how do you know which database the data came from?
• Electronic commerce – how do you prove conditions for delivery of your order is not damaged or arrives late?

Information and the Law
Protecting information
• Criminal and Civil Law
• Tort Law
• Contract Law

Criminal and Civil Law
Statutes are laws that state explicitly that certain actions are illegal
Violation of a statute will result in a criminal trial
Statute law is written by legislators and is interpreted by the courts
In a civil case, an individual, organization, company, or group claims it has been harmed
The goal of a civil case is restitution: to make the victim “whole” again by repairing the harm

Tort Law
A tort is harm not occurring from violation of a statute or from breach of a contract but instead from being counter to the accumulated body of precedents
Tort law is unwritten but evolves through court decisions that become precedents for cases that follow
Fraud is a common example of tort law in which, basically, one person lies to another, causing harm

Contract Law
A contract involves three things:
• an offer
• an acceptance
• a consideration
Contracts help fill the voids among criminal, civil, and tort law
One party makes an offer
Most common legal remedy in contract law is money

Contract Law
One party makes an offer
Second party may accept or reject or ignore
Contract is voluntary
Most common legal remedy in contract law is money

Rights of Employers and Employees
Employees want to protect secrecy and integrity of works produced by the employees
Ownership of products
• Who owns the patent?
• Who owns the copyright?
• Work for hire
• Licenses
• Trade secret protection
• Employee contracts

Ownership of products
Who owns the patent?
• If an employee lets an employer patent an invention, the employer is deemed to own the patent and therefore the rights to the invention
• Employer has the right to patent if the employee’s job functions included inventing the product

Ownership of products
Who owns the copyright?
• Author (programmer) is the presumed owner of the work, and the owner has all rights to an object
• Work for hire applies to many copyrights for developing software or other products

Work for Hire
Employer, not the employee, is considered the author of a work
Difficult to identify and depends in part on the laws of the state in which the employment occurs

Work for Hire - Conditions
The employer has a supervisory relationship, overseeing the manner in which the creative work is done.
The employer has the right to fire the employee.
The employer arranges for the work to be done before the work was created (as opposed to the sale of an existing work).
A written contract between the employer and employee states that the employer has hired the employee to do certain work.

Licenses
Licensed software is an alternative to a work for hire
Programmer develops and retains full ownership of the software
Programmer grants to a company a license to use the program
License can be granted for a definite or unlimited period of time, for one copy or for an unlimited number, to use at one location or many, to use on one machine or all, at specified or unlimited times

Trade Secret Protection
No registered inventor or author
Owner can prosecute a revealer for damages if a trade secret is revealed
Trade secrets are held as confidential data

Employee Contracts
Spells out rights of ownership
Spells out that company claims all rights to any programs developed, including all copyright rights and the right to market
Spells out that employee agrees not to reveal those secrets to anyone

Employee Contracts
More restrictive contracts assign to the employer rights to all inventions (patents) and all creative works (copyrights)
Employee may be asked not to compete by working in the same field for a set period of time after termination
Example: DuPont dismisses trade secrets suit against former chemist

Redress for Software Failures
What role does quality play in various legal disputes?
What should be done when software faults are discovered?

Redress for Software Failures
Selling correct software
• Software malfunctions
• Don’t like look and feel
I want a refund
• Users are entitled to a reasonable period to inspect software

Redress for Software Failures
I want it to be good
• Mass-market software is seldom totally bad
• Legal remedies typically result in monetary awards for damages, not a mandate to fix the faulty software

Computer Crime
Laws regarding crimes involving computers are less clear
New laws needed to address these problems
Rules of property
Unauthorized access to a computing system is a crime
The problem is that access by a computer does not involve a physical object, so it may not be a punishable crime

Rules of Evidence
Courts prefer an original source document to a copy
Copies may be inaccurate or modified
Problem with computer-based evidence in court is being able to demonstrate the authenticity of the evidence

Rules of Evidence
It is difficult to establish a chain of custody - ensure that nobody has had the opportunity to alter the evidence in any way before its presentation in court

Threats to Integrity and Confidentiality
Integrity and secrecy of data are also issues in many court cases
For example, disclosing grades or financial information without permission is a crime

Value of Data
Concept of value and how we determine it is key to computer-based law
How do you determine the value of a credit report?
Legal system must find ways to place a value on data that is representative of its value to those who use it

Acceptance of Computer Terminology
Law lags in determining acceptance of definitions of computing terms
Computers and their software, media, and data must be understood and accepted by the legal system

Why Computer Crime Is Hard to Prosecute
Lack of understanding
• Courts, lawyers, police agents, or jurors do not necessarily understand computers
Lack of physical evidence
• Police and courts have for years depended on tangible evidence, such as fingerprints
Lack of recognition of assets
• Is computer time an asset?

Why Computer Crime Is Hard to Prosecute
Lack of political impact
• Less attention to obscure high-tech crime
Complexity of case
• Jurors may have difficulty understanding high tech complex crime
Age of defendant – many computer crimes are committed by juveniles

U.S. Computer Fraud and Abuse Act
Unauthorized access to a computer containing data protected for national defense or foreign relations concerns
Unauthorized access to a computer containing certain banking or financial information

U.S. Computer Fraud and Abuse Act
Unauthorized access, use, modification, destruction, or disclosure of a computer or information in a computer operated on behalf of the U.S. government
Accessing without permission a “protected computer,” which the courts now interpret to include any computer connected to the Internet

U.S. Computer Fraud and Abuse Act
Penalties range from $5,000 to $100,000 or twice the value obtained by the offense, whichever is higher, or imprisonment from 1 year to 20 years, or both.

Laws that Govern Crimes Against Computers
U.S. Computer Fraud and Abuse Act 1974
U.S. Economic Espionage Act 1996
• Outlaws use of a computer for foreign espionage to benefit a foreign country or business or theft of trade secrets
U.S. Electronic Funds Transfer Act
• Prohibits use, transport, sale, receipt, or supply of counterfeit, stolen, altered, lost, or fraudulently obtained debit instruments in interstate or foreign commerce

U.S. Freedom of Information Act
Provides public access to information collected by the executive branch of the federal government
Requires disclosure of any available data, unless the data fall under one of several specific exceptions, such as national security or personal privacy

U.S. Privacy Act 1974
Protects the privacy of personal data collected by the government
• Allows individuals to know information collected about them
• Prevents one government agency from accessing data collected by another agency for another purpose

U.S. Electronic Communications Privacy Act 1986
Protects against electronic wiretapping
An amendment to the act requires Internet service providers to install equipment as needed to permit these court-ordered wiretaps
Allows Internet service providers to read the content of communications in order to maintain service

Gramm-Leach-Bliley Act 1999
Covers privacy of data for customers of financial institutions
Customers must be given the opportunity to reject any use of the data beyond the necessary business uses for which the private data were collected
Requires financial institutions to undergo a detailed security-risk assessment/have comprehensive security program

Health Insurance Portability and Accountability Act (HIPAA)
First part of the law concerned the rights of workers to maintain health insurance coverage after their employment was terminated
Second part of the law required protection of the privacy of individuals’ medical records

Health Insurance Portability and Accountability Act (HIPAA)
Healthcare providers are required to perform standard practices such as
• Enforce need to know.
• Ensure minimum necessary disclosure.
• Designate a privacy officer.
• Document information security practices.
• Track disclosures of information.
• Develop a method for patients’ inspection and copying of their information.
• Train staff at least every three years.

USA Patriot Act 2001
Contains provisions supporting law enforcement’s access to electronic communications
Law enforcement need only convince a court that a target is probably an agent of a foreign power in order to obtain a wiretap order
Main computer security provision of the Patriot Act is an amendment to the Computer Fraud and Abuse Act

The CAN SPAM Act 2003
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN SPAM)
Contains provisions supporting law enforcement’s access to electronic communications
Law enforcement need only convince a court that a target is probably an agent of a foreign power in order to obtain a wiretap order
Main computer security provision of the Patriot Act is an amendment to the Computer Fraud and Abuse Act

The CAN SPAM Act 2003
It bans false or misleading header information
It prohibits deceptive subject lines
It requires commercial e-mail to give recipients an opt-out method.
It bans sale or transfer of e-mail addresses of people who have opted out.
It requires that commercial e-mail be identified as an advertisement

California Breach Notification 2003
Requires any company doing business in California or any California government agency to notify individuals of any breach that has, or is reasonably believed to have, compromised personal information on any California resident
At least 20 other states have since followed with some form of breach notification

International Dimensions
Council of Europe Agreement on Cybercrime
• Requires countries that ratify it to adopt similar criminal laws on hacking, computer-related fraud and forgery, unauthorized access, infringements of copyright, network disruption, and child pornography

International Dimensions
E.U. Data Protection Act
• Governs the collection and storage of personal data about individuals, such as name, address, and identification numbers
• The law requires a business purpose for collecting the data, and it controls against disclosure

International Dimensions
Restricted Content
• Some countries have laws controlling Internet content allowed in their countries
Use of Cryptography
• Use of cryptography imposed on users in certain countries, e.g. China requires foreign organizations or individuals to apply for permission to use encryption in China

Ethical Issues in Computer Security
What are the ethical issues concerning confidentiality, integrity and availability of data?
Ethics or morals prescribe generally accepted standards of proper behavior
An ethical system is a set of ethical principles

Differences between Law and Ethics

Taxonomy of Ethical Theories
Consequence-Based Principles
• Based on consequence of an action to individual
Considers which result is the greatest future good and the least harm
• Based on consequence to all society (principle of utilitarianism)
Does the action bring the greatest collective good for all people with the least possible negative for all?

Taxonomy of Ethical Theories
Rule-Based
• Based on rules acquired by individual – religion, experience and analysis
• Based on universal rules evident to everyone