Chap 11: Legal and Ethical Issues in Computer Security.


 Program and data protection by patents, copyrights, and trademarks
 Computer crime
 Ethical analysis of computer security situations
 Codes of professional ethics
SE571 Security in Computing Dr. Ogara 2

 International, national, state, and city laws can affect privacy and secrecy
 Laws regulate the use, development, and ownership of data and programs
  - Patents
  - Copyrights
  - Trade secrets
 Laws affect the actions that can be taken to protect the secrecy, integrity, and availability of computer information and services

 Law does not always provide an adequate control
 Laws do not yet address all improper acts committed with computers
 Some judges, lawyers, and police officers do not understand computing, so they cannot determine how computing relates to other, more established parts of the law

 Common legal devices include:
  - Copyrights
  - Patents
  - Trade secrets

 Designed to protect the expression of ideas
 Ideas are free, but once expressed (in a tangible medium) the expression must be protected
 The intention of a copyright is to allow regular and free exchange of ideas
 Gives the author the exclusive right to make copies of the expression and sell them to the public

 Copyright must apply to an original work
 It lasts for a limited number of years, after which the work is considered public domain
 A copyrighted object is subject to fair use
  - The product is used in a manner for which it was intended and that does not interfere with the author’s rights, e.g. comment, criticism, teaching, scholarly research
  - Unfair use of a copyrighted object is called piracy

 A U.S. copyright now lasts for 70 years beyond the death of the last surviving author
 95 years after the date of publication for organizations
 The international standard is 50 years after the death of the last author or 50 years from publication

 The algorithm is the idea, and the statements of the programming language are the expression of the idea
 Protection is allowed for the program statements themselves, but not for the algorithmic concept
 Copying the code intact is prohibited, but re-implementing the algorithm is permitted

 Digital objects can be subject to copyright
 It is a crime to circumvent or disable antipiracy functionality built into an object
 It is a crime to manufacture, sell, or distribute devices that disable antipiracy functionality or that copy digital objects

 However, these devices can be used (and manufactured, sold, or distributed) for research and educational purposes
 It is acceptable to make a backup copy of a digital object as a protection against hardware or software failure, or to store copies in an archive
 Libraries can make up to three copies of a digital object for lending to other libraries

 The problem is deciding what is considered piracy
  - Example: how do you transfer music from your CD to MP3, which is considered a reasonable fair use?

 Is it criminal to reproduce or distribute copyrighted works, such as software or digital recordings, even without charge?
 When you purchase software you only have the right to use it
 See the Napster “no right to copy” lawsuit – pp. 655

 The U.S. Patent and Trademark Office must be convinced that the invention deserves a patent
 Patents were intended to apply to the results of science, technology, and engineering
 A patent can be valid only for something that is truly novel or unique – usually one patent for a given invention
 Since 1981 patent law has expanded to include computer software

 This isn’t infringement. The alleged infringer will claim that the two inventions are sufficiently different that no infringement occurred
 The patent is invalid. If a prior infringement was not opposed, the patent rights may no longer be valid

 The invention is not novel. In this case, the supposed infringer will try to persuade the judge that the Patent Office acted incorrectly in granting a patent and that the invention is nothing worthy of a patent
 The infringer invented the object first. If so, the accused infringer, and not the original patent holder, is entitled to the patent

 A trade secret is information that gives one company a competitive edge over others
 Unlike a patent or copyright, it must be kept a secret
 Employees should not disclose secrets
 Owners must protect the secrets
  - File encryption
  - Make employees sign a statement not to disclose a secret

 Trade secret protection allows distribution of the result of a secret (the executable program) while still keeping the program design hidden
 It does not cover copying a product (specifically a computer program)
 It makes it illegal to steal a secret algorithm and use it in another product

 Enforcement problems
  - Does not help if the program/code is decoded – trade secret protection disappears
  - Additional protection/safeguards are needed
 Make copies of sensitive documents
 Control access to files

 Examples:
  - Motorola settles trade secrets lawsuits
  - Google Wallet spurs trade-secrets lawsuit from PayPal
  - Ex-DuPont Employee Pleads Not Guilty in Trade Secrets Case


 Hardware: patented
 Firmware – chips and microcode: patented
  - Data (algorithms, instructions and programs inside it) are not patentable
  - Trade secret – for code inside the chip
 Object code software: copyrighted

 Source code software: trade secret, copyrighted
 Documentation: copyrighted
 Web content: copyrighted

 Information as an object
  - Is not depletable / may be used repeatedly
  - Can be replicated – a buyer can resell and deprive the original seller of sales
  - Has minimal marginal cost – the cost of producing additional information
  - Value of information is time dependent – e.g. a stock market price
  - Often transferred intangibly – difficult to claim information as flawed if a copy is accurate whereas the underlying information is incorrect or useless

 Legal issues relating to information
  - Information commerce – how do you protect software developers and publishers from piracy?
  - Electronic publishing – how do you protect news organizations and encyclopedias on the web from being targets of copyright violation?
  - Protecting data in a database – how do you protect them, who owns the data, how do you know which database the data came from?
  - Electronic commerce – how do you prove the conditions for delivery, e.g. that your order is not damaged or does not arrive late?

 Protecting information
  - Criminal and civil law
  - Tort law
  - Contract law

 Statutes are laws that state explicitly that certain actions are illegal
 Violation of a statute will result in a criminal trial
 Statute law is written by legislators and is interpreted by the courts
 In a civil case, an individual, organization, company, or group claims it has been harmed
 The goal of a civil case is restitution: to make the victim “whole” again by repairing the harm

 A tort is harm not occurring from violation of a statute or from breach of a contract but instead from being counter to the accumulated body of precedents
 Tort law is unwritten but evolves through court decisions that become precedents for the cases that follow
 Fraud is a common example of tort law in which, basically, one person lies to another, causing harm

 A contract involves three things:
  - an offer
  - an acceptance
  - a consideration
 Contracts help fill the voids among criminal, civil, and tort law
 One party makes an offer
 The most common legal remedy in contract law is money

 One party makes an offer
 The second party may accept, reject, or ignore it
 A contract is voluntary
 The most common legal remedy in contract law is money

 Employees want to protect the secrecy and integrity of works produced by the employees
 Ownership of products
  - Who owns the patent?
  - Who owns the copyright?
  - Work for hire
  - Licenses
  - Trade secret protection
  - Employee contracts

 Who owns the patent?
  - If an employee lets an employer patent an invention, the employer is deemed to own the patent and therefore the rights to the invention
  - The employer has the right to patent if the employee’s job functions included inventing the product

 Who owns the copyright?
  - The author (programmer) is the presumed owner of the work, and the owner has all rights to an object
  - Work for hire applies to many copyrights for developing software or other products

 The employer, not the employee, is considered the author of a work
 Difficult to identify and depends in part on the laws of the state in which the employment occurs

 The employer has a supervisory relationship, overseeing the manner in which the creative work is done
 The employer has the right to fire the employee
 The employer arranges for the work to be done before the work was created (as opposed to the sale of an existing work)
 A written contract between the employer and employee states that the employer has hired the employee to do certain work

 Licensed software is an alternative to a work for hire
 The programmer develops and retains full ownership of the software
 The programmer grants to a company a license to use the program
 A license can be granted for a definite or unlimited period of time, for one copy or for an unlimited number, to use at one location or many, to use on one machine or all, at specified or unlimited times

 No registered inventor or author
 The owner can prosecute a revealer for damages if a trade secret is revealed
 Trade secrets are held as confidential data

 Spells out rights of ownership
 Spells out that the company claims all rights to any programs developed, including all copyright rights and the right to market
 Spells out that the employee agrees not to reveal those secrets to anyone

 More restrictive contracts assign to the employer rights to all inventions (patents) and all creative works (copyrights)
 An employee may be asked not to compete by working in the same field for a set period of time after termination
  - Example: DuPont dismisses trade secrets suit against former chemist

 What role does quality play in various legal disputes?
 What should be done when software faults are discovered?

 Selling correct software
  - Software malfunctions
  - Don’t like the look and feel
 I want a refund
  - Users are entitled to a reasonable period to inspect software

 I want it to be good
  - Mass-market software is seldom totally bad
  - Legal remedies typically result in monetary awards for damages, not a mandate to fix the faulty software

 Laws regarding crimes involving computers are less clear
 New laws are needed to address these problems
 Rules of property
 Unauthorized access to a computing system is a crime
 The problem is that access by a computer does not involve a physical object, so it may not be a punishable crime

 Courts prefer an original source document to a copy
 Copies may be inaccurate or modified
 The problem with computer-based evidence in court is being able to demonstrate the authenticity of the evidence

 It is difficult to establish a chain of custody – ensuring that nobody has had the opportunity to alter the evidence in any way before its presentation in court
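One way to make the authenticity and chain-of-custody points above concrete, as an added example (not code from the slides or the course): a small Python custody log that fingerprints an evidence item with SHA-256 at acquisition and hash-chains every custody event, so that both a modified evidence file and an altered, reordered or dropped log entry are detected at verification. Item ids, custodian names, timestamps and the sample log lines are constructed.

```python
"""Chain-of-custody manifest for computer-based evidence.

Added example, not from the slides. Each evidence item is fingerprinted with
SHA-256 when it is acquired, and every custody event (acquired, transferred,
examined) is appended to a log in which each entry commits to the hash of the
previous entry. Re-hashing the item later shows whether the bytes presented in
court are the bytes that were acquired; re-walking the log shows whether any
custody entry was altered, reordered or dropped after the fact.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_entry_hash of the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    # Sorted keys and fixed separators give a stable byte string to hash.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    def __init__(self, item_id: str, evidence: bytes, custodian: str, when: str):
        self.item_id = item_id
        self.acquired_hash = sha256_hex(evidence)  # fingerprint at acquisition
        self.entries = []
        self.record("acquired", custodian, when, "SHA-256 computed at acquisition")

    def record(self, action: str, custodian: str, when: str, note: str) -> dict:
        """Append a custody event that commits to the previous entry's hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "item_id": self.item_id,
            "seq": len(self.entries),
            "action": action,
            "custodian": custodian,
            "when": when,  # supplied by the caller so the example is deterministic
            "note": note,
            "evidence_hash": self.acquired_hash,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(canonical(entry))
        self.entries.append(entry)
        return entry

    def log_intact(self) -> bool:
        """True if no entry was modified, reordered or removed."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_entry_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(canonical(body)) != e["entry_hash"]:
                return False
            if e["evidence_hash"] != self.acquired_hash:
                return False
            prev = e["entry_hash"]
        return True

    def evidence_matches(self, presented: bytes) -> bool:
        """True if the bytes presented now equal the bytes acquired."""
        return sha256_hex(presented) == self.acquired_hash


if __name__ == "__main__":
    # Constructed sample evidence: two lines of a web-server access log.
    original = (b"10.0.0.7 - - [01/Jan/2024:10:00:01] \"GET /login HTTP/1.1\" 200\n"
                b"10.0.0.7 - - [01/Jan/2024:10:00:05] \"POST /login HTTP/1.1\" 302\n")
    log = CustodyLog("EVID-001", original, "examiner-A", "2024-01-02T09:00Z")
    log.record("transferred", "evidence-clerk", "2024-01-02T11:30Z", "sealed bag 17")
    log.record("examined", "examiner-B", "2024-01-05T14:00Z", "read-only image mounted")
    print("log intact:", log.log_intact())                            # True
    print("evidence unchanged:", log.evidence_matches(original))      # True
    tampered = original.replace(b"POST /login", b"GET /index")
    print("tampered copy accepted:", log.evidence_matches(tampered))  # False
    log.entries[1]["custodian"] = "someone-else"  # alter a past custody entry
    print("log intact after edit:", log.log_intact())                 # False
```

The hash chain only proves that the log and the item are consistent with each other; in practice the acquisition hash is also recorded on a signed, witnessed form so the starting point itself cannot be rewritten.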

 Integrity and secrecy of data are also issues in many court cases
 Example: disclosing grades or financial information without permission is a crime

 The concept of value and how we determine it is key to computer-based law
 How do you determine the value of a credit report?
 The legal system must find ways to place a value on data that is representative of its value to those who use it

 Law lags in determining acceptance of definitions of computing terms
 Computers and their software, media, and data must be understood and accepted by the legal system

 Lack of understanding
  - Courts, lawyers, police agents, or jurors do not necessarily understand computers
 Lack of physical evidence
  - Police and courts have for years depended on tangible evidence, such as fingerprints
 Lack of recognition of assets
  - Is computer time an asset?

 Lack of political impact
  - Less attention to obscure high-tech crime
 Complexity of the case
  - Jurors may have difficulty understanding a complex high-tech crime
 Age of the defendant – many computer crimes are committed by juveniles

 Unauthorized access to a computer containing data protected for national defense or foreign relations concerns
 Unauthorized access to a computer containing certain banking or financial information

 Unauthorized access, use, modification, destruction, or disclosure of a computer or information in a computer operated on behalf of the U.S. government
 Accessing without permission a “protected computer,” which the courts now interpret to include any computer connected to the Internet

 Penalties range from $5,000 to $100,000 or twice the value obtained by the offense, whichever is higher, or imprisonment from 1 year to 20 years, or both

 U.S. Computer Fraud and Abuse Act 1974
 U.S. Economic Espionage Act 1996
  - Outlaws use of a computer for foreign espionage to benefit a foreign country or business, or theft of trade secrets
 U.S. Electronic Funds Transfer Act
  - Prohibits use, transport, sale, receipt, or supply of counterfeit, stolen, altered, lost, or fraudulently obtained debit instruments in interstate or foreign commerce

 Provides public access to information collected by the executive branch of the federal government
 Requires disclosure of any available data, unless the data fall under one of several specific exceptions, such as national security or personal privacy

 Protects the privacy of personal data collected by the government
  - Allows individuals to know the information collected about them
  - Prevents one government agency from accessing data collected by another agency for another purpose

 Protects against electronic wiretapping
 An amendment to the act requires Internet service providers to install equipment as needed to permit court-ordered wiretaps
 Allows Internet service providers to read the content of communications in order to maintain service

 Covers privacy of data for customers of financial institutions
 Customers must be given the opportunity to reject any use of the data beyond the necessary business uses for which the private data were collected
 Requires financial institutions to undergo a detailed security-risk assessment and have a comprehensive security program

 The first part of the law concerned the rights of workers to maintain health insurance coverage after their employment was terminated
 The second part of the law required protection of the privacy of individuals’ medical records

 Healthcare providers are required to perform standard practices such as:
  - Enforce need to know
  - Ensure minimum necessary disclosure
  - Designate a privacy officer
  - Document information security practices
  - Track disclosures of information
  - Develop a method for patients’ inspection and copying of their information
  - Train staff at least every three years

 Contains provisions supporting law enforcement’s access to electronic communications
 Law enforcement need only convince a court that a target is probably an agent of a foreign power in order to obtain a wiretap order
 The main computer security provision of the Patriot Act is an amendment to the Computer Fraud and Abuse Act

 Controlling the Assault of Non-Solicited Pornography and Marketing (CAN SPAM)

 It bans false or misleading header information
 It prohibits deceptive subject lines
 It requires commercial e-mail to give recipients an opt-out method
 It bans sale or transfer of addresses of people who have opted out
 It requires that commercial e-mail be identified as an advertisement

 Requires any company doing business in California or any California government agency to notify individuals of any breach that has, or is reasonably believed to have, compromised personal information on any California resident
 At least 20 other states have since followed with some form of breach notification

 Council of Europe Agreement on Cybercrime
  - Requires countries that ratify it to adopt similar criminal laws on hacking, computer-related fraud and forgery, unauthorized access, infringements of copyright, network disruption, and child pornography

 E.U. Data Protection Act
  - Governs the collection and storage of personal data about individuals, such as name, address, and identification numbers
  - The law requires a business purpose for collecting the data, and it controls against disclosure

 Restricted content
  - Some countries have laws controlling the Internet content allowed in their countries
 Use of cryptography
  - Restrictions on the use of cryptography are imposed on users in certain countries, e.g. China requires foreign organizations or individuals to apply for permission to use encryption in China

 What are the ethical issues concerning confidentiality, integrity and availability of data?
 Ethics or morals prescribe generally accepted standards of proper behavior
 An ethical system is a set of ethical principles


 Consequence-based principles
  - Based on the consequence of an action to the individual
  - Considers which result is the greatest future good and the least harm
  - Based on the consequence to all society (principle of utilitarianism)
  - Does the action bring the greatest collective good for all people with the least possible negative for all?

 Rule-based principles
  - Based on rules acquired by the individual – religion, experience and analysis
  - Based on universal rules evident to everyone