Chap 11: Legal and Ethical Issues in Computer Security

SE571 Security in Computing Chap 11: Legal and Ethical Issues in Computer Security

Upload: donald-goodman

Post on 18-Jan-2018


Page 1: Chap 11: Legal and Ethical Issues in Computer Security

SE571 Security in Computing, Dr. Ogara

Page 2: This Chapter Examines…

• Program and data protection by patents, copyrights, and trademarks
• Computer crime
• Ethical analysis of computer security situations
• Codes of professional ethics

Page 3: Law and Security

• International, national, state, and city laws can affect privacy and secrecy
• Laws regulate the use, development, and ownership of data and programs: patents, copyrights, trade secrets
• Laws affect the actions that can be taken to protect the secrecy, integrity, and availability of computer information and services

Page 4: Challenges

• Law does not always provide an adequate control
• Laws do not yet address all improper acts committed with computers
• Some judges, lawyers, and police officers do not understand computing, so they cannot determine how computing relates to other, more established, parts of the law

Page 5: Protecting Programs and Data

Common legal devices include:
• Copyrights
• Patents
• Trade secrets

Page 6: Copyrights

• Designed to protect the expression of ideas
• Ideas themselves are free, but once an idea is expressed in a tangible medium, that expression can be protected
• The intention of copyright is to allow the regular and free exchange of ideas
• Gives the author the exclusive right to make copies of the expression and sell them to the public

Page 7: Copyrights

• Copyright must apply to an original work
• It lasts for a limited term, after which the work enters the public domain
• A copyrighted object is subject to fair use: the product is used in a manner for which it was intended and in a way that does not interfere with the author's rights, e.g. comment, criticism, teaching, scholarly research
• Unfair use of a copyrighted object is called piracy

Page 8: Copyrights

• A U.S. copyright now lasts for 70 years beyond the death of the last surviving author
• 95 years after the date of publication for works owned by organizations
• The international standard is 50 years after the death of the last author, or 50 years from publication

Page 9: Copyrights for Computer Software

• The algorithm is the idea, and the statements of the programming language are the expression of the idea
• Protection is allowed for the program statements themselves, but not for the algorithmic concept
• Copying the code intact is prohibited, but re-implementing the algorithm is permitted

Page 10: Digital Millennium Copyright Act (DMCA) of 1998

• Digital objects can be subject to copyright
• It is a crime to circumvent or disable antipiracy functionality built into an object
• It is a crime to manufacture, sell, or distribute devices that disable antipiracy functionality or that copy digital objects

Page 11: Digital Millennium Copyright Act (DMCA) of 1998

• However, these devices can be used (and manufactured, sold, or distributed) for research and educational purposes
• It is acceptable to make a backup copy of a digital object as protection against hardware or software failure, or to store copies in an archive
• Libraries can make up to three copies of a digital object for lending to other libraries

Page 12: Digital Millennium Copyright Act (DMCA) of 1998

• The problem is deciding what is considered piracy
• Example: how do you transfer music from a CD you bought to MP3 format, which is considered a reasonable fair use, if the disc carries antipiracy functionality that the act forbids you to circumvent?

Page 13: U.S. No Electronic Theft (NET) Act of 1997

• It is a criminal offense to reproduce or distribute copyrighted works, such as software or digital recordings, even without charge
• When you purchase software you only have the right to use it, not to copy it
• See Napster: No right to copy lawsuit – pp. 655

Page 14: Patents

• The U.S. Patent and Trademark Office must be convinced that the invention deserves a patent
• Patents were intended to apply to the results of science, technology, and engineering
• A patent can be valid only for something that is truly novel or unique; usually there is one patent for a given invention
• Since 1981 patent law has expanded to include computer software

Page 15: Patent Infringement

Defenses an accused infringer may raise:
• This isn't infringement: the alleged infringer claims that the two inventions are sufficiently different that no infringement occurred
• The patent is invalid: if a prior infringement was not opposed, the patent rights may no longer be valid

Page 16: Patent Infringement

• The invention is not novel: the supposed infringer tries to persuade the judge that the Patent Office acted incorrectly in granting the patent and that the invention is not worthy of one
• The infringer invented the object first: if so, the accused infringer, and not the original patent holder, is entitled to the patent

Page 17: Trade Secrets

• Information that gives one company a competitive edge over others
• Unlike a patent or copyright, it must be kept secret
• Employees should not disclose secrets; owners must protect them, e.g. by encrypting files and by making employees sign a statement not to disclose the secret

Page 18: Trade Secrets

• Trade secret protection allows distribution of the result of a secret (the executable program) while still keeping the program design hidden
• It does not cover copying a product (specifically, a computer program)
• It makes it illegal to steal a secret algorithm and use it in another product

Page 19: Trade Secrets: Enforcement Problems

• It does not help if the program/code is decoded (reverse engineered): once the secret is out, trade secret protection disappears
• Additional safeguards are needed: make copies of sensitive documents, control access to files

Page 21: Comparing Copyright, Patent and Trade Secrets Protection

Page 22: Protecting Computer Objects

• Hardware: patented
• Firmware (chips and microcode): patented; the data (algorithms, instructions and programs inside it) are not patentable; trade secret for the code inside the chip
• Object code software: copyrighted

Page 23: Protecting Computer Objects

• Source code software: trade secret; copyrighted
• Documentation: copyrighted
• Web content: copyrighted

Page 24: Information and the Law: Information as an Object

• Is not depletable; it may be used repeatedly
• Can be replicated; a buyer can resell it and deprive the original seller of sales
• Has minimal marginal cost (the cost of producing additional information)
• Its value is time dependent, e.g. a stock market price
• Is often transferred intangibly; it is difficult to claim information is flawed if the copy is accurate but the underlying information is incorrect or useless

Page 25: Information and the Law: Legal Issues Relating to Information

• Information commerce: how do you protect software developers and publishers from piracy?
• Electronic publishing: how do you protect news organizations and encyclopedias on the web from copyright infringement?
• Protecting data in databases: how do you protect them, who owns the data, and how do you know which database the data came from?
• Electronic commerce: how do you prove the conditions of delivery, e.g. that your order arrived damaged or late?

Page 26: Information and the Law: Protecting Information

• Criminal and civil law
• Tort law
• Contract law

Page 27: Criminal and Civil Law

• Statutes are laws that state explicitly that certain actions are illegal
• Violation of a statute will result in a criminal trial
• Statute law is written by legislators and is interpreted by the courts
• In a civil case, an individual, organization, company, or group claims it has been harmed
• The goal of a civil case is restitution: to make the victim "whole" again by repairing the harm

Page 28: Tort Law

• A tort is harm not occurring from violation of a statute or from breach of a contract, but instead from being counter to the accumulated body of precedents
• Tort law is unwritten but evolves through court decisions that become precedents for the cases that follow
• Fraud is a common example of tort law in which, basically, one person lies to another, causing harm

Page 29: Contract Law

• A contract involves three things: an offer, an acceptance, and a consideration
• Contracts help fill the voids among criminal, civil, and tort law

Page 30: Contract Law

• One party makes an offer
• The second party may accept, reject, or ignore it
• A contract is voluntary
• The most common legal remedy in contract law is money

Page 31: Rights of Employers and Employees

• Employers want to protect the secrecy and integrity of works produced by their employees
• Ownership of products: Who owns the patent? Who owns the copyright? Work for hire; licenses; trade secret protection; employee contracts

Page 32: Ownership of Products: Who Owns the Patent?

• If an employee lets an employer patent an invention, the employer is deemed to own the patent and therefore the rights to the invention
• The employer has the right to patent if the employee's job functions included inventing the product

Page 33: Ownership of Products: Who Owns the Copyright?

• The author (programmer) is the presumed owner of the work, and the owner has all rights to the object
• Work for hire applies to many copyrights for developing software or other products

Page 34: Work for Hire

• The employer, not the employee, is considered the author of the work
• Difficult to identify, and depends in part on the laws of the state in which the employment occurs

Page 35: Work for Hire: Conditions

• The employer has a supervisory relationship, overseeing the manner in which the creative work is done
• The employer has the right to fire the employee
• The employer arranges for the work to be done before the work is created (as opposed to the sale of an existing work)
• A written contract between the employer and employee states that the employer has hired the employee to do certain work

Page 36: Licenses

• Licensed software is an alternative to a work for hire
• The programmer develops and retains full ownership of the software
• The programmer grants a company a license to use the program
• A license can be granted for a definite or unlimited period of time, for one copy or for an unlimited number, to use at one location or many, to use on one machine or all, at specified or unlimited times

Page 37: Trade Secret Protection

• No registered inventor or author
• The owner can take legal action against a revealer for damages if a trade secret is revealed
• Trade secrets are held as confidential data

Page 38: Employee Contracts

• Spells out rights of ownership
• Spells out that the company claims all rights to any programs developed, including all copyright rights and the right to market
• Spells out that the employee agrees not to reveal those secrets to anyone

Page 39: Employee Contracts

• More restrictive contracts assign to the employer rights to all inventions (patents) and all creative works (copyrights)
• The employee may be asked not to compete by working in the same field for a set period of time after termination
• Example: DuPont dismisses trade secrets suit against former chemist

Page 40: Redress for Software Failures

• What role does quality play in various legal disputes?
• What should be done when software faults are discovered?

Page 41: Redress for Software Failures: Selling Correct Software

• Software malfunctions
• Don't like the look and feel
• "I want a refund": users are entitled to a reasonable period to inspect software

Page 42: Redress for Software Failures: "I Want It to Be Good"

• Mass-market software is seldom totally bad
• Legal remedies typically result in monetary awards for damages, not a mandate to fix the faulty software

Page 43: Computer Crime

• Law regarding crimes involving computers is less clear
• New laws are needed to address these problems
• Rules of property: unauthorized access to a computing system is a crime, but the problem is that access by computer does not involve a physical object, so under traditional property rules it may not be a punishable crime

Page 44: Rules of Evidence

• Courts prefer an original source document to a copy
• Copies may be inaccurate or modified
• The problem with computer-based evidence in court is being able to demonstrate the authenticity of the evidence

Page 45: Rules of Evidence

• It is difficult to establish a chain of custody: to ensure that nobody has had the opportunity to alter the evidence in any way before its presentation in court
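As an added example (not from the slides or the textbook), the Python script below shows how a forensic examiner makes the authenticity of computer-based evidence and its chain of custody demonstrable rather than merely asserted: hash the evidence at acquisition, have every handler re-hash it on receipt, and link each custody entry to the digest of the previous one so that neither the evidence nor the log can be altered unnoticed. The evidence bytes, handler names and timestamps are constructed for illustration; in a real case the hash would be taken over the acquired disk image file and the log entries would be signed.

```python
"""Evidence integrity and chain-of-custody verification (added example, not from the slides).

Assumptions: the evidence is a byte string held in memory, SHA-256 is the integrity hash,
and the custody log is a list of dicts. Real cases hash the image file and sign the entries.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the evidence bytes."""
    return hashlib.sha256(data).hexdigest()


def _entry_digest(entry: dict) -> str:
    """Digest of a log entry over its canonical JSON form, so key order cannot hide a change."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def acquire(evidence: bytes, handler: str, description: str, when: str) -> list:
    """Start a custody log; the first entry records the acquisition hash."""
    first = {
        "seq": 0,
        "action": "acquired",
        "handler": handler,
        "description": description,
        "time": when,
        "evidence_sha256": sha256_hex(evidence),
        "prev_entry_sha256": "0" * 64,
    }
    return [first]


def transfer(log: list, evidence: bytes, from_handler: str, to_handler: str, when: str) -> list:
    """Append a hand-off entry. The receiver re-hashes the evidence on receipt, and the entry
    binds to the previous entry's digest so the log cannot be silently edited or shortened."""
    prev = log[-1]
    entry = {
        "seq": prev["seq"] + 1,
        "action": "transferred",
        "handler": to_handler,
        "from": from_handler,
        "time": when,
        "evidence_sha256": sha256_hex(evidence),
        "prev_entry_sha256": _entry_digest(prev),
    }
    return log + [entry]


def verify(log: list, evidence: bytes) -> list:
    """Return a list of problems; an empty list means the chain of custody holds.

    Checks: (1) the evidence presented now hashes to the acquisition hash; (2) every handler
    saw the same hash, i.e. the evidence never changed while in someone's custody; (3) each
    entry correctly references the previous entry, so no entry was edited, inserted or dropped.
    """
    if not log:
        return ["empty log"]
    problems = []
    original = log[0]["evidence_sha256"]
    if sha256_hex(evidence) != original:
        problems.append("evidence hash does not match acquisition hash")
    expected_prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap")
        if entry["prev_entry_sha256"] != expected_prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry["evidence_sha256"] != original:
            problems.append(f"entry {i}: evidence hash changed in custody of {entry['handler']}")
        expected_prev = _entry_digest(entry)
    return problems


# Constructed sample: a tiny stand-in for an acquired disk image.
SAMPLE_IMAGE = b"\x00" * 512 + b"GRADES.DB: alice=92;bob=87\n" + b"\xff" * 512


def demo() -> tuple:
    """Returns (problems for intact evidence, problems after tampering, problems after a log edit)."""
    log = acquire(SAMPLE_IMAGE, "examiner-1", "laptop disk image", "2018-01-18T09:00:00Z")
    log = transfer(log, SAMPLE_IMAGE, "examiner-1", "evidence-locker", "2018-01-18T11:30:00Z")
    log = transfer(log, SAMPLE_IMAGE, "evidence-locker", "examiner-2", "2018-01-19T08:15:00Z")
    intact = verify(log, SAMPLE_IMAGE)

    # One byte of the evidence changed after the last hand-off: caught against the acquisition hash.
    tampered = SAMPLE_IMAGE.replace(b"bob=87", b"bob=97")
    altered_evidence = verify(log, tampered)

    # Someone rewrites a custody entry (who held the evidence): the link from the next entry breaks.
    edited_log = [dict(e) for e in log]
    edited_log[1]["handler"] = "unknown"
    altered_log = verify(edited_log, SAMPLE_IMAGE)
    return intact, altered_evidence, altered_log


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered evidence", "edited log"), demo()):
        print(f"{label}: {'OK' if not result else result}")
```

Running the script reports OK for the intact evidence, then names the specific failure for a one-byte change to the evidence and for an edited custody entry. The hash chain only detects alteration; it does not by itself prove who altered the item, which is why each entry also names the handler and time.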

Page 46: Threats to Integrity and Confidentiality

• Integrity and secrecy of data are also issues in many court cases
• Example: disclosing grades or financial information without permission can be a crime

Page 47: Value of Data

• The concept of value, and how we determine it, is key to computer-based law
• How do you determine the value of a credit report?
• The legal system must find ways to place a value on data that is representative of its value to those who use it

Page 48: Acceptance of Computer Terminology

• Law lags in accepting definitions of computing terms
• Computers and their software, media, and data must be understood and accepted by the legal system

Page 49: Why Computer Crime Is Hard to Prosecute

• Lack of understanding: courts, lawyers, police agents, or jurors do not necessarily understand computers
• Lack of physical evidence: police and courts have for years depended on tangible evidence, such as fingerprints
• Lack of recognition of assets: is computer time an asset?

Page 50: Why Computer Crime Is Hard to Prosecute

• Lack of political impact: less attention is paid to obscure high-tech crime
• Complexity of the case: jurors may have difficulty understanding a complex high-tech crime
• Age of the defendant: many computer crimes are committed by juveniles

Page 51: U.S. Computer Fraud and Abuse Act

• Unauthorized access to a computer containing data protected for national defense or foreign relations concerns
• Unauthorized access to a computer containing certain banking or financial information

Page 52: U.S. Computer Fraud and Abuse Act

• Unauthorized access, use, modification, destruction, or disclosure of a computer or of information in a computer operated on behalf of the U.S. government
• Accessing without permission a "protected computer," which the courts now interpret to include any computer connected to the Internet

Page 53: U.S. Computer Fraud and Abuse Act

• Penalties range from $5,000 to $100,000 or twice the value obtained by the offense, whichever is higher, or imprisonment from 1 year to 20 years, or both

Page 54: Laws that Govern Crimes Against Computers

• U.S. Computer Fraud and Abuse Act 1986
• U.S. Economic Espionage Act 1996: outlaws use of a computer for foreign espionage to benefit a foreign country or business, or theft of trade secrets
• U.S. Electronic Funds Transfer Act: prohibits use, transport, sale, receipt, or supply of counterfeit, stolen, altered, lost, or fraudulently obtained debit instruments in interstate or foreign commerce

Page 55: U.S. Freedom of Information Act

• Provides public access to information collected by the executive branch of the federal government
• Requires disclosure of any available data unless the data fall under one of several specific exceptions, such as national security or personal privacy

Page 56: U.S. Privacy Act 1974

• Protects the privacy of personal data collected by the government
• Allows individuals to know what information is collected about them
• Prevents one government agency from accessing data collected by another agency for another purpose

Page 57: U.S. Electronic Communications Privacy Act 1986

• Protects against electronic wiretapping
• An amendment to the act requires Internet service providers to install equipment as needed to permit court-ordered wiretaps
• Allows Internet service providers to read the content of communications in order to maintain service

Page 58: Gramm-Leach-Bliley Act 1999

• Covers privacy of data for customers of financial institutions
• Customers must be given the opportunity to reject any use of the data beyond the necessary business uses for which the private data were collected
• Requires financial institutions to undergo a detailed security-risk assessment and to have a comprehensive security program

Page 59: Health Insurance Portability and Accountability Act (HIPAA)

• The first part of the law concerned the rights of workers to maintain health insurance coverage after their employment was terminated
• The second part of the law required protection of the privacy of individuals' medical records

Page 60: Health Insurance Portability and Accountability Act (HIPAA)

Healthcare providers are required to perform standard practices such as:
• Enforce need to know
• Ensure minimum necessary disclosure
• Designate a privacy officer
• Document information security practices
• Track disclosures of information
• Develop a method for patients' inspection and copying of their information
• Train staff at least every three years

Page 61: USA PATRIOT Act 2001

• Contains provisions supporting law enforcement's access to electronic communications
• Law enforcement need only convince a court that a target is probably an agent of a foreign power in order to obtain a wiretap order
• The main computer security provision of the Patriot Act is an amendment to the Computer Fraud and Abuse Act

Page 62: The CAN-SPAM Act 2003

• Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)


Page 63: The CAN-SPAM Act 2003

• It bans false or misleading header information
• It prohibits deceptive subject lines
• It requires commercial e-mail to give recipients an opt-out method
• It bans the sale or transfer of e-mail addresses of people who have opted out
• It requires that commercial e-mail be identified as an advertisement

Page 64: California Breach Notification 2003

• Requires any company doing business in California, or any California government agency, to notify individuals of any breach that has, or is reasonably believed to have, compromised personal information on any California resident
• At least 20 other states have since followed with some form of breach notification

Page 65: International Dimensions: Council of Europe Convention on Cybercrime

• Requires countries that ratify it to adopt similar criminal laws on hacking, computer-related fraud and forgery, unauthorized access, infringements of copyright, network disruption, and child pornography

Page 66: International Dimensions: E.U. Data Protection Directive (95/46/EC)

• Governs the collection and storage of personal data about individuals, such as name, address, and identification numbers
• The law requires a business purpose for collecting the data, and it controls against disclosure

Page 67: International Dimensions

Restricted content
• Some countries have laws controlling the Internet content allowed in their countries

Use of cryptography
• Restrictions on the use of cryptography are imposed on users in certain countries, e.g. China requires foreign organizations or individuals to apply for permission to use encryption in China

Page 68: Ethical Issues in Computer Security

• What are the ethical issues concerning confidentiality, integrity and availability of data?
• Ethics or morals prescribe generally accepted standards of proper behavior
• An ethical system is a set of ethical principles

Page 69: Differences between Law and Ethics

Page 70: Taxonomy of Ethical Theories: Consequence-Based Principles

• Based on the consequences of an action to the individual: considers which result is the greatest future good and the least harm
• Based on the consequences to all of society (the principle of utilitarianism): does the action bring the greatest collective good for all people with the least possible negative for all?

Page 71: Taxonomy of Ethical Theories: Rule-Based

• Based on rules acquired by the individual: religion, experience and analysis
• Based on universal rules evident to everyone