Post on 19-Dec-2015
CS 5950
Computer Security and Information Assurance
Section 7: Legal, Privacy, and Ethical Issues in Computer Security

Dr. Leszek Lilien
Department of Computer Science
Western Michigan University

Slides based on Security in Computing, Third Edition, by Pfleeger and Pfleeger.
Using some slides courtesy of:
* Prof. Aaron Striegel — course taught at U. of Notre Dame
* Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke (U. Idaho) — taught at U. Washington
* Prof. Jussipekka Leiwo — taught at Vrije Universiteit (Free U.), Amsterdam, The Netherlands

Slides not created by the above authors are © 2006 by Leszek T. Lilien.
Requests to use original slides for non-profit purposes will be gladly granted upon a written request.
Section 8 – Computer Security and Information Assurance – Spring 2006 © by Leszek T. Lilien, 2006

7. Legal, Privacy, and Ethical Issues in Computer Security
Human Controls Applicable to Computer Security:
7.1. Basic Legal Issues
  a) Protecting Programs and Data
  b) Information and the Law
  c) Ownership Rights of Employees and Employers
  d) Software Failures (and Customers)
7.2. Computer Crime
7.3. Privacy
7.4. Ethics
  a) Introduction to Ethics
  b) Case Studies of Ethics
  c) Codes of Professional Ethics

7.1. Basic Legal Issues
Outline:
  a) Protecting Programs and Data
  b) Information and the Law
  c) Ownership Rights of Employees and Employers
  d) Software Failures (and Customers)

a) Protecting Programs and Data (1)
* Copyrights — designed to protect expression of ideas (creative works of the mind)
  * Ideas themselves are free
    * Different people can have the same idea
  * The way of expressing ideas is copyrighted
  * Copyrights are exclusive rights to making copies of expression
* Copyright protects intellectual property (IP)
  * IP must be:
    * Original work
    * In some tangible medium of expression
* --SKIP-- Digital Millennium Copyright Act (DMCA) of 1998
  * Clarified some copyright issues for digital objects

Protecting Programs and Data (2)
* Patent — designed to protect tangible objects, or ways to make them (not works of the mind)
  * Protected entity must be novel & nonobvious
  * The first inventor who obtains patent gets his invention protected against patent infringement
  * Patents applied for algorithms only since 1981
* Trade secret — information that provides competitive edge over others
  * Information that has value only if kept secret
  * Undoing release of a secret is impossible or very difficult
  * Reverse engineering used to uncover trade secret is legal!
  * T.s. protection applies very well to computer s/w
    * E.g., pgms that use algorithms unknown to others

--SKIP-- Protecting Programs and Data (3)
Comparing Copyright, Patent and Trade Secret

| Protection | Copyright | Patent | Trade Secret |
|---|---|---|---|
| Protects | Expression of idea, not idea itself | Invention—way something works | Secret, competitive advantage |
| Protected Object Made Public | Yes; intention is to promote publication | Design filed at Patent Office | No |
| Must Distribute | Yes | No | No |
| Ease of filing | Very easy, do-it-yourself | Very complicated; specialist lawyer suggested | No filing |
| Duration | Originator's life + 70 yrs; 95 y. for company | 19 years | Indefinite |
| Legal Protection | Sue if unauthorized copy sold | Sue if invention copied/reinvented | Sue if secret improperly obtained |

Protecting Programs and Data (4)
* How to protect:
  * H/w
    * Patent
  * Firmware (microcode)
    * Patent physical device, chip
    * Use trade secret protection
    * Copyright s/w such as embedded OS
  * Object code s/w
    * Copyright of binary code ??
    * Copyright of source code ??
    * Need legal precedents
  * Source code s/w
    * Use trade secret protection
    * Copyright reveals some code, facilitates reverse engineering
    * Need legal precedents, too

b) Information and the Law (1)
* Characteristics of information as an object of value
  * Not depletable
  * Can be replicated (buyer can become a seller)
  * Has minimal marginal cost (= cost to produce n-th copy after producing n-1 copies)
  * Value is often time dependent (outdated => lower/no value)
  * Can be transferred intangibly
* --SKIP-- Legal issues for information
  * Information commerce
    * Need technological and legal protections for info seller
  * Electronic publishing
    * Cryptographic + legal solutions to protect seller's rights
  * Protecting data in DB
    * How to decide which DB is source for given data?
    * Who owns data in a DB if it is public data (e.g., name+phone?)
  * E-commerce
    * How to prove that info delivered too late or is "bad"?

b) Information and the Law (2)
* Copyright, patents, trade secrets cover some (not all!) protection needs
* Remaining protection needs can use law mechanisms discussed below
  * Building precedents or contributing to legislating new laws
* Law categories:
  1) Criminal Law / Statutory Law
  2) Civil Law (I hope I'm right with these subcategories)
     2a) Common Law / Tort Law
     2b) Contracts

b) Information and the Law (3)
Comparison of Criminal and Civil Law

| | Criminal Law | Civil Law |
|---|---|---|
| Defined by | Statutes | Common law (tort l.); Contracts |
| Cases brought by | Government | Government; Individuals and companies |
| Wronged party | Society | Individuals and companies |
| Remedy | Jail, fine | Damages, typically monetary |

c) Ownership Rights of Employees and Employers (1)
* Ownership rights are computer security issue
  * Concerned with protecting secrecy (confidentiality) and integrity of works produced by employees of an employer
* Ownership issues in employee/employer relations:
  * Ownership of products
    * Products/ideas/inventions developed by employee after hours might still be owned by her employer
      * Esp. if in the same "line of business"
  * Ownership of patents
    * If employer files for patent, employer (not employee—inventor) will own patent
  * Ownership of copyrights
    * Similar to patents
  * Trade secret protection
    * No registered inventor/author—owner can prosecute for damages

Ownership Rights of Employees and Employers (2)
* Type of employment has ownership consequences
  * Work for hire
    * All work done by employee is owned by employer
  * Employment contracts
    * Often spell out ownership rights
    * Often includes agreement not to compete (for some time after termination)
      * Non-competition is not always enforceable by law
  * Licenses
    * Programmer retains full ownership of developed s/w
    * Grants license for a fee

d) Software Failures (& Customers) (1)
* --SKIP-- Issue 1: Software quality: is it "correct" or not?
  * If not correct: ask for refund, replacement, fixing
    * Refund: possible
    * Replacement: if this copy damaged, or improved in the meantime
    * Fixing: rarely legally enforced; instead, monetary awards for damages
  * Correctness of s/w difficult to define/enforce legally
  * Individual can rarely sue a major s/w vendor
    * Prohibitive costs for individual

Software Failures (& Customers) (2)
* Issue 2: Reporting software flaws
  * Should we share s/w vulnerability info?
    * Both pros and cons
  * Vendor interests
    * Vendors (e.g., MS) don't want to react to individual flaws
    * Prefer to bundle a number of flaw fixes
  * User interests
    * Would like to have fixes quickly
  * Responsible vulnerability reporting
    * How to report vulnerability info responsibly?
      * E.g., first notify the vendor, give vendor a few weeks to fix
      * If vendor delays fixes, ask "coordinator" for help
        * Coordinator—e.g., computer emergency response center
  * Quality software is the real solution
    * "The world does not need faster patches, it needs better software"

7.2. Computer Crime (1)
* Separate category for computer crime is needed
  * Because special laws are needed for CC
* --SKIP-- CC (special laws) need to deal with:
  * New rules of property for CC
    * Bits of info are now considered property (were not in 1984 case)
  * New rules of evidence for CC
    * Hard to prove authenticity of evidence for CC (easy to change!)
  * Value of integrity and confidentiality/privacy
    * Value of privacy is now recognized by several federal/state laws
  * Value of data
    * Courts understand value of data better
  * Acceptance of computer terminology
    * Law lags behind technology in acceptance of new terminology

--SKIP-- Computer Crime (2)
* CC (special laws) need to deal with—cont.
  * Difficulty of defining CC
    * Legal community is slow in accommodating advances in computing
    * Law change is cautious/conservative by nature
  * Difficulty of prosecuting CC
    * Reasons: lack of understanding / lack of physical evidence / lack of recognition of assets / lack of political impact / complexity of CC cases / lenient treatment of juveniles committing CCs

Computer Crime (3)
* Examples of American statutes related to CC --SKIP--
  * 1974 — US Privacy Act
    * Protects privacy of data collected by the executive branch of federal gov't
  * 1984 — US Computer Fraud and Abuse Act
    * Penalties: max{100K, stolen value} and/or 1 to 20 yrs
  * 1986 — US Electronic Communications Privacy Act
    * Protects against wiretapping
    * Exceptions: court order, ISPs
  * 1996 — US Economic Espionage Act
  * 2001 — USA Patriot Act
  * — US Electronic Funds Transfer Act
  * — US Freedom of Information Act

--SKIP-- Computer Crime (4)
* International CC Laws
  * 1994 — EU Data Protection Act
  * Restricted Internet content — e.g., China
  * Cryptography use — different laws in different countries
* Why computer criminals are hard to catch
  * Multinational activity
  * Complexity
    * E.g., attackers "bouncing" attacks thru many places to cover tracks
* Law is not precise
  * Problems with "computer," object value, privacy
* Cryptography Challenges
  * Controls on its use internally (allowing gov't to track illegal activities) and for export
  * Free speech issues: restricting
  * Gov't wanted key escrows (remember Clipper?)

7.3. Privacy (1)
* Identity theft – the most serious crime against privacy
* Threats to privacy
  * Aggregation and data mining
  * Poor system security
  * Government threats
    * Gov't has a lot of people's most private data
      * Taxes / homeland security / etc.
    * People's privacy vs. homeland security concerns
  * The Internet as privacy threat
    * Unencrypted e-mail / web surfing / attacks
  * Corporate rights and private business
    * Companies may collect data that U.S. gov't is not allowed to
  * Privacy for sale
    * Many traps
      * Accepting frequent-buyer cards reduces your privacy

Privacy (2)
* Controls for protecting privacy
  * Authentication
  * Anonymity
    * Needed also in computer voting
  * Pseudonymity
  * Legal privacy controls
    * 1996 — HIPAA
      * Privacy of individuals' medical records
    * 1998 — EU Data Protection Act
      * Privacy protections stronger than in the U.S.
    * 1999 — Gramm-Leach-Bliley Act
      * Privacy of data for customers of financial institutions

7.4. Ethics
a) Introduction to Ethics (1)
* Law vs. Ethics
  * Law alone can't restrict human behavior
    * Impractical/impossible to describe/enforce all acceptable behaviors
  * Ethics/morals are sufficient self-controls for most people
  * Contrast of law and ethics – Table 9-3, p. 606
* --SKIP-- Characteristics of ethics
  * Ethics is not religion (but religions include ethical principles)
  * Ethical principles are not universal
    * Vary in different cultures
    * Vary even in different individuals in the same culture
  * Ethics is pluralistic in nature
    * In sharp contrast to science and technology that often has only one correct answer

--SKIP-- Introduction to Ethics (2)
* Systems of ethics
  1) Consequence-based — do what results in greatest good, least harm
     1a) Egoism
         * I do what's good for me
     1b) Utilitarianism
         * I do what brings greatest collective good
  2) Rules-based (deontology) — do what is prescribed by certain universal, self-evident, natural rules of proper conduct
     * Could be based on religion or philosophy

--SKIP-- b) Case Studies of Ethics
* Read especially:
  * Case II: Privacy rights (p. 612)
  * Case VIII: Ethics of Hacking or Cracking (p. 619)

c) Codes of Professional Ethics
* Different codes of professional ethics
  * Computer Ethics Institute
    * 10 Commandments of Computer Use – Fig. 9.3, p. 625
  * IEEE – Fig. 9-1, p. 623
  * ACM – Fig. 9-2, p. 624