Chapter 9 Legal Privacy and Ethical Issues in

Chapter 9 – Legal, Privacy, and Ethical Issues in Computer Security Program and data protection by patents, copyrights, and trademarks u Computer Crime u Privacy u Ethical Analysis of computer security situations u Codes of professional ethics u

Motivation for studying legal issues Know what protection the law provides for computers and data u Appreciate laws that protect the rights of others with respect to computers, programs, and data u Understand existing laws as a basis for recommending new laws to protect compuuters, programs, and data u

Aspects of Protection of the security of computers Protecting computing systems against criminals u Protecting code and data (copyright. . . ) u Protecting programmers’ and employers’ rights u Protecting private data about individuals u Protecting users of programs u

Protecting Programs and Data u Copyrights – designed to protect the expression of ideas (not the idea!!!) • Copyright law of 1978; Digital Millennium Copyright Act of 1998 • Copyright gives the author exclusive right to make copies of the expression and sell them to the public • “original works of authorship fixed in any tangible medium of expression, … from which they can be perceived, reproduced, or otherwise communicated. ”

Copyrights u u Public domain- work owned by the public, (e. g. government) Work must be original to the author “fair use of a copyrighted work, including such use by reproduction I copies…for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship or research. ” New owner can give away or sell object

Copyright u u u Each copy mist be marked with the copyright symbol © or the word Copyright, the year and the author’s name U. S. copyright lasts for 70 years beyond death of last surviving author or 95 years after publication for a company Copyright Infringement Copyrights for computer software (cannot copyright the algorithm) You do not purchase a piece of software, just the license to use it. Computer menu design can be copyrighted, but not “look and feel”

Digital Millennium Copyright Act u u u Digital objects can be subject to copyright Crime to circumvent/disable antipiracy functionality Crime to manufacture, sell, or distribute devices that disable antipiracy functionality Antipiracy devices can be used for research and educational purposes Acceptable to make a backup copy Libraries can make up to three copies for lending to other libraries

Patents u u Protect inventions, tangible objects, or ways to make them, not works of the mind. Patent designed to protect the device or process for carrying out an idea, not the idea itself. Patent goes to person who invented the object first Algorithms are inventions and can be patented

Trade Secrets Information that gives one company a competitive edge over others u Reverse engineering – study finished object to determine how it is manufactured or how it works u Trade secret protection can apply to software u

Protection for Computer Objects u u u Hardware can be patented Firmware (hardware patent; code protected as a trade secret) Object code – copyrighted Source code – either trade secret or copyright Documentation – copyright COPYLEFT (http: //www. gnu. org/copyleft. html#What. Is. Copyleft )

Information and the Law u Information as an Object • Information is not depletable • Information can be replicated • Information has a minimal marginal cost • Value of information is often time dependent • Information is often transferred intangibly

Legal Issues Relating to Information u Information Commerce • Copy protection, freeware, controlled distribution, mobile code/applets Electronic Publishing u Protecting Data in a Database (who u owns? ) u Electronic Commerce

Protecting Information Criminal and Civil Law – statues u Tort Law (harm not occurring from violation of a stature or from breach of a contract) – Fraud u Contract Law (agreement between two parties) – requires u • Offer • Acceptance • consideration

Rights of Employees and Employers u Ownership u Work for hire – “employer has right to u u of of of Products Patent – inventor owns the work Copyright – author is presumed owner of the work patent/copyright if the employee’s job function included inventing the product” Trade Secret Protection Employment Contracts

Software Failures What are the legal issues in selling correct and usable software? u What are the moral or ethical issues in producing correct and usable software? u What are the moral or ethical issues in finding, reporting, publicizing, and fixing flaws? u

“Responsible” Vulnerability Reporting u u u Vendor must acknowledge a vulnerability report confidentially to the reporter Vendor must agree that the vulnerability exits (or argue otherwise) to the reporter Vendor must inform users of the vulnerability and any available countermeasures within 30 days Vendor may request from the reporter a 30 -day quiet period to allow users time to install patches At the end of quiet period, vendor and report agree upon a release date Vendor shall credit reporter with having located vulnerability

Computer Crime Rules of Property u Rules of Evidence u Threats to Integrity and Confidentiality u Value of Data u Acceptance of Computer Terminology u

Computer Crime u u Why Computer Crime is Hard to Define Why Computer Crime is Hard to Prosecute • • • Lack of understanding Lack of physical evidence Lack of recognition of assets Lack of political impact Complexity of case Juveniles

2002 Computer Crime and Security Survey – CSI/FBI Report u u u Ninety percent of respondents detected computer security breaches within the last twelve months. Eighty percent acknowledged financial losses due to computer breaches. Forty-four percent (223 respondents) were willing and/or able to quantify their financial losses. These 223 respondents reported $455, 848, 000 in financial losses. For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%). Thirty-four percent reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting intrusions to law enforcement. )

Examples of Statutes u u u u U. S. Computer Fraud and Abuse Act (1984) U. S. Economic Espionage Act U. S. Electronic Funds Transfer Act U. S. Freedom of Information Act U. S. Privacy Act U. S. Electronic Communications Privacy Act USA Patriot Act International Dimensions

Computer Crime u Why Computer Criminals Are Hard to Catch • No international laws on computer crime • Complexity of crime u What Computer Crime Does Not Address • Courts must interpret what a computer is • Courts must determine the value of the loss

Cryptography and the Law Controls on Use of Cryptography u Controls on Export of Cryptography u Cryptography and Free Speech u Cryptographic Key Escrow u • Clipper, Capstone, Fortezza u Current Policy (1998)

Privacy u u u u u IDENTITY THEFT Threats to privacy Aggregation and Data mining Poor Security System (due diligence) Government Threats Computer use Societal Goal Corporate Rights and Private Business Privacy for Sale

Controls Protecting Privacy Authentication u Anonmity (anonymizers) u Computer Voting u Pseudonymity (Swiss bank account) u Legal Controls u • E. U. Data Protection Act (1998) • Gramm-Leach-Biley Act (1999) • HIPAA

Ethical Issues u Difference between law and ethics • Ethic – objectively defined standard of right and wrong (ethics are personal) u Studying Ethics • • • Ethics and Religion Ethical Principles are not universal Ethics does not provide answers (ethical pluralism) • Ethical Reasoning u CASE STUDIES OF ETHICS

CODE OF ETHICS IEEE (pg. 623) u ACM (pg. 624) u Computer Ethics Institute (pg. 625) u

Social Engineering “we have met the enemy and they are us” - POGO u Social Engineering – “getting people to do things that they wouldn’t ordinarily do for a stranger” – The Art of Deception, Kevin Mitnick u

Controls Reduce and contain the risk of security breaches u “Security is not a product, it’s a process” – Bruce Schneier [Using any security product without understanding what it does, and does not, protect against is a recipe for disaster. ] u

Education & Misinformation SQL Slammer infected through MSDE 2000, a lightweight version of SQL Server installed as part of many applications from Microsoft (e. g. Visio) as well as 3 rd parties. u Code. Red infected primarily desktops from people who didn't know that the "personal" version of IIS was installed. u Educate programmers and future u

Conclusions u Every organization MUST have a security policy • Acceptable use statements • Password policy • Training / Education Conduct a risk analysis to create a baseline for the organization’s security u Create a cross-functional security team u