CIS3360: Security in Computing Legal and Ethical Issues Cliff Zou Spring 2012


CIS3360: Security in Computing

Legal and Ethical Issues

Cliff Zou

Spring 2012

Resources Used

• Modified based on Prof. Ratan Guha’s CIS3360 lecture notes
• References: C. Pfleeger and S. Pfleeger, “Security in Computing”, 4th Edition, Prentice Hall Inc. (ISBN 0-13-239077-9)

Example Case: Information about CyberSpy

US court orders keylogger CyberSpy to halt software sales

The Federal Trade Commission (FTC) won an injunction today against software vendor and keylogger developer CyberSpy. The US district court ruling prohibits CyberSpy from selling or operating its RemoteSpy software package.

By Joel Hruska | Last updated November 18, 2008 7:37 PM

http://arstechnica.com/security/news/2008/11/us-court-orders-keylogger-cyberspy-to-halt-software-sales.ars (source)

Outline

• Copyright
• History of Copyright in USA
• The Digital Millennium Copyright Act (DMCA)
• Patents
• Trademarks
• Trade Secrets
• Agreement
• NDA (Non-disclosure agreement)
• Computer Ethics
• Ten Commandments of Computer Ethics
• Computer Crimes

Copyright

• Is a form of intellectual property law, protecting original works including literary, dramatic, musical, and artistic works (e.g., poetry, novels, movies, songs, computer software & architecture)
  – In essence, protect “creative contributions”
• Does not protect facts, ideas, systems, methods of operation although it may protect the ways these things are expressed
  – Example: protect “Viterbi algorithm” (CDMA)

Copyright Protection (1)

• Would cover an author’s words describing the dark and stormy night on which occurred the murder at the center of the mystery novel

• Would not cover the idea of making the events of a dark and stormy night central to a murder mystery

Copyright Protection (2)

Copyright protection covers

• Reproduction [e.g., copying, quoting]
• Distribution [e.g., posting to Web pages]
• Adaptation [using with modifications]
• Display
• Performance

Copyright Protection (3)

• Applies to original works as soon as they are created and fixed in a tangible form
• Does NOT require the registration of copyright, or notice that the work is copyrighted
  – Patent needs registration before protection
• Applies fully to electronic (Web) resources

Length of Copyright Protections

• Anything published more than 75 years ago is now in the public domain
• Anything created after 1 January 1978 is protected for the life of the author plus 50 years
  – Or, if the author is a corporation, for 75 years from authorship or 100 years from creation (whichever is first)
• Lots of exceptions govern works published between 1964 and 1977 and works created before 1 January 1978 but not published, or published between 1978 and 31 December 2002

Copyright Protection for Web Resources

• The fact that something is sent to you does not give you rights to it.
  – Copyright for an e-mail message belongs to the sender of the message.
• You cannot make copies of text, images, or sounds from the Web without permission.
  – These things are still copyrighted, even though anyone with a computer can get access to them.

Normally Copyright Requires…

• That creators/owners of an expression (authors, artists, musicians, programmers) be asked for permission to use their creations (and often be financially compensated for such use).
• It is their property which you are using.
• That stiff legal penalties be paid for violation of copyright:
• Most violations of copyright are matters of civil law.
• Excessive copying, though, is a felony.

History of Copyright in the U.S. (1)

• Copyright is provided for by the United States Constitution of 1789
  – Article I, section 8 (the so-called “Commerce clause”) specifies that “The Congress shall have the power … to promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries.”
    • From Constitution of the United States (http://www.law.cornell.edu/constitution/constitution.table.html)
• Note that the Constitution does NOT specify:
  – How Congress shall “promote the progress”
  – What a “limited time” is
  – What makes one an author/inventor
  – What is “exclusive right”
  – What constitutes a writing or discovery

History of Copyright in the U.S. (2)

• One year later, in 1790, the Congress enacted the first federal copyright law, protecting only maps, charts, and books.
• In 1831, copyright protections were expanded to include musical compositions.
• In 1908, the Supreme Court ruled player-pianos’ uses of copyrighted music were not copyright violations but pieces of machinery
  – Some of the tensions we’re now seeing between copyrighted content and technology thus appeared nearly 100 years ago

History of Copyright in the U.S. (3)

• In 1984, the Supreme Court ruled that private home videotaping does not infringe copyrights
• In 1992, Congress passed the Audio Home Recording Act that restricts use of digital-recording tools and requires makers of blank tapes and copying devices to contribute to a royalty pool for musicians

History of Copyright in the U.S. (4)

• In 1998, Digital Millennium Copyright Act (DMCA) specifies copyright protection for digital formats
• A range of court cases over the past several years have been dealing with the ramifications of the DMCA
  – Fonovisa v. Napster
  – Kelly v. Arriba Soft Corp.
  – U.S. v. Elcomsoft
  – Church of Scientology & Google
    • You can google to find the details of these cases
• There are also a number of new statutory laws pending that attempt to address copyrights in an electronic environment
  – Consumer Broadband & Digital Television Act of 2002

The Digital Millennium Copyright Act (DMCA)

• On October 12, 1998, the U.S. Congress passed the Digital Millennium Copyright Act.
• The DMCA amended title 17 of the US Code to extend the reach of copyright, while limiting the liability of Online Providers from copyright infringement by their users.
• Criminalizes the circumvention of measures taken to protect copyright.
• Heightens the penalties for copyright infringement on the Internet.
• On May 22, 2001 the European Union passed the EU Copyright Directive or EUCD, similar in many ways to the DMCA.

DMCA Titles

• Title I: implements the WIPO (World Intellectual Property Organization) treaties;
• Title II: creates limitations on the liability of online service providers; anti-circumvention measures
• Title III: creates an exemption for making a copy of a computer program by activating a computer for purposes of maintenance or repair.
• Title IV: misc. provisions relating to Copyright Office functions, etc.
• Title V: creates new form of protection for the design of vessel hulls.

DMCA Highlights (1)

• Makes it a crime to circumvent anti-piracy measures built into most commercial software.
• Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
• Does permit the cracking of copyright protection devices, however, to conduct encryption research, assess product interoperability, and test computer security systems.
• Provides exemptions from anti-circumvention provisions for nonprofit libraries, archives, and educational institutions under certain circumstances.
• In general, limits Internet service providers from copyright infringement liability for simply transmitting information over the Internet.

DMCA Highlights (2)

• Service providers, however, are expected to remove material from users' web sites that appears to constitute copyright infringement.
  – Problem for MegaDownload website?
• Limits liability of nonprofit institutions of higher education -- when they serve as online service providers and under certain circumstances -- for copyright infringement by faculty members or graduate students.
• Requires that "webcasters" pay licensing fees to record companies.

DMCA Highlights (3)

Requires that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations regarding how to promote distance education through digital technologies while "maintaining an appropriate balance between the rights of copyright owners and the needs of users."

States explicitly that "[n]othing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use..."

DMCA Title II: 17 USC Ch.12

• 1201(a)(1) prohibits the act of circumventing a technological measure used by copyright owners to control access to their works
• 1201(a)(2) and 1201(b) outlaw the manufacture, sale, distribution or trafficking of tools and technologies that make circumvention possible

Penalties / Liability

§1203, 1204 provide BOTH civil and criminal liability;

• Civil: temporary & permanent injunctions;
• Actual damages and any additional profits of the violator;
• Statutory damages:
• Criminal: fines up to $500,000 and/or 5 yrs in prison for 1st violation; fines up to $1,000,000 and/or 10 yrs for subsequent violation.

Results of DMCA Title II

• DMCA’s Unintended Consequences Have Greater Impact than Intended Effect (preventing infringement)
  – Chills Freedom of Expression and Scientific Research
  – Restricts Private Copying Rights
  – Creates Monopolies – Impedes Competition
  – Stifles Innovation

Patents

• What is a patent?
  – A patent is an exclusive right granted for an invention, which is a product or a process that provides a new way of doing something, or offers a new technical solution to a problem.
• What does a patent do?
  – A patent provides protection for the invention to the owner of the patent. The protection is granted for a limited period, generally 20 years.

Source: World Intellectual Property Organization, http://www.wipo.int/aboutip/en/patents.html

Where do Patents Come From?

“A patent is granted by a national patent office or by a regional office that does the work for a number of countries, such as the European Patent Office and the African Regional Industrial Property Organization. Under such regional systems, an applicant requests protection for the invention in one or more countries, and each country decides as to whether to offer patent protection within its borders. The WIPO-administered Patent Cooperation Treaty (PCT) provides for the filing of a single international patent application which has the same effect as national applications filed in the designated countries. An applicant seeking protection may file one application and request protection in as many signatory states as needed.”

Where Do Patents Come From?

Some commonly encountered patent granting agencies:

• United States Patent and Trademark Organization
  – http://www.uspto.gov
• European Patent Office (30 member states)
  – http://ep.espacenet.com
• Japan Patent Office
  – http://www.jpo.go.jp/

Purpose of Enforcing Patents

• Stop an infringer from selling product (injunction)
• Barrier to entry
• Preserve market position
• Obtain settlement
• Receive $$$: Lost profits, royalties
• Preserve rights

Where will I see Patent Reference

• Indexing and abstracting databases
  – Some databases cover not only journal articles, but also patents, with varying amounts of coverage
  – SciFinder Scholar (1907-current)
    • http://www.cas.org/products/sfacad/index.html
  – Beilstein (prior to 1980)
• References in books and articles
• References in other patents

How Do I Find Full-Text of Patent

• Online from http://www.uspto.gov
  – requires installation of TIFF viewer
  – patents can only be printed one page at a time
• Print copies ordered from the USPTO
  – $3 per patent
  – can be ordered via online, fax, mail, or phone
  – delivery can take some time
• Commercial patent suppliers
  – MicroPatent http://www.micropatent.com
  – delivery via email of PDF
  – ~$7 per patent document

Trademarks

• The trademarks program
  – Protects trademark owner’s interest in brand name value and good will
  – Protects consumers from confusion
• Trademark can be
  – Words: "Coca Cola"
  – Phrases: "Have it your way"
  – Symbols:
  – Sounds:
    • example, sound of “Intel inside”

Purpose of Trademarks Protection

A Trademark Filing Program has four purposes:

1. To retain control over the quality and types of use of the marks

2. To provide a basis for challenging infringers

3. To prevent third parties from registering a company’s marks

4. To minimize the financial risk

Register the Trademark (1)

• Majority – first to file vs. first to use
• Some of the major commercial countries – first to file
  – France
  – Germany
  – Japan
  – Spain
• United States – based on actual use

Register the Trademark (2)

• Trademark rights are territorial.
• Some regional systems exist:
  – Community Trade Mark (Europe)
  – OAPI (Africa)
  – Madrid Protocol – International filing system, but still depends on approval at the national level by the 57 member countries

Register the Trademark (3)

• Select registration in countries in which the company will manufacture, distribute and/or license its mark
• United States – Trademark rights extend only to the areas in which a market presence has been established.
• United States – Presumption of exclusive rights through federal registration

Appropriate Form of the Trademark

• Composite Marks
  – Register the entire composite mark
  – Register the word portion of a mark alone
  – Register the design element
• Word Marks
  – Register in foreign script as well as Roman script (e.g., Hangul, Cyrillic, Arabic)
  – Register the proper translation or transliteration in Asian languages

Trademark Infringement

• “Likelihood of confusion” standard
• Court looks at factors like
  – similarity of goods
  – sophistication of consumers
  – length of time that mark has been used
  – wrongful intent

Trademark Dilution

• Federal Trademark Dilution Act of 1996
  – prior to 1996, 28 states had anti-dilution laws
• Must show
  – “famous” mark
  – “actual dilution”
• Need not show likelihood of confusion
• Dilution Theory
  – Identical or highly similar mark use lessens the capacity of the famous mark to identify and distinguish its goods
  – Tarnishes the reputation of the mark

Trade Secrets

• Protected by state common law, unlike other IP
• Grounded in policy of business ethics
• Rights can be perpetual, but are nonexclusive
• Vague standards (e.g., “generally known”)
• All patents begin life as trade secrets

What can be Trade Secrets?

• Can be almost anything:
  – the “secret formula”
  – information about customers and prospects
  – business plans and strategies
• Can be “re-creatable,” if sufficiently difficult
  – E.g., a market survey

Secret or Not?

• Look to relevant audience
  – If commonly known in field, not a trade secret
    • Even if information is not generally known to public
  – But need not be unknown to everyone

Trade Secrets Protection

• Advantage: long life, no disclosure
  – does not expire as patents
• Disadvantage: no exclusivity
  – a third party is not prevented from independently duplicating and using the secret information once it is discovered.
• Increasingly chosen over patent
  – Cheap self-help vs. expensive registration
  – Short lifespan of innovation
  – Patent infringement difficult to police

Three Types of Agreement

• NDA (Non-disclosure agreements): reinforces obligation to respect confidence
• Assignment: transfers rights to invention
• Noncompete: temporarily prohibits post-employment competition

NDA (Non-disclosure agreement)

• NDA: Effect on behavior usually low
• NDAs are critical to preserving trade secrets rights
  – Even with the most discreet client, vendor, or investor, the absence of an NDA can blow IP rights
  – Provides notice & proves reasonable efforts
• Standard NDA not controversial
  – Prohibiting reverse engineering?
  – Possible misuse of “residuals” clause

NDA v. Automatic Protection

• Absent an NDA, independent contractors are under no obligation to keep trade secrets
• Employees have obligation to employer even without agreement
  – Even after termination, forever

Employee Assignment

• Employee Assignment: Some effect
  – Rationale: what the company pays for
  – Some states limit with “garage inventor” statutes
  – Problem of post-employment restriction

Non-Compete Clause (NCC)

• In contract law one party (usually an employee) agrees not to pursue a similar profession or trade in competition against another party (usually the employer).
• NonCompetes: Substantial effects
  – Justification: avoid trade secret battle
  – Vague standards (e.g., “reasonable time and scope”)
  – Varying law
    • California: almost never enforced
    • Some states: “blue pencil” rule
• Trade Secret ≠ Non-compete
  – Obligation to protect trade secret generally does not prohibit working for competitor

Computer Ethics

• Computer ethics defined as the application of classical ethical principles to the use of computer technology
• Ethical problems related to computers are not unique but they tend to occur on a much larger scale and scope
  – Scope: communications networks bring the world together
  – Anonymity: beneficial but creates problems of integrity
  – Reproducibility
• Aspects of computer ethics:
  – Analysis of the nature of problems related to the social impact of computers
  – Formulation and justification of policies needed to manage computer technology

Categories of Computer Ethics Issues

• Privacy
  – Computers create a false sense of security
  – People do not realize how vulnerable information stored on computers is
• Property
  – Physical property
  – Intellectual property (in both copyright and patent)
  – Data as property
• Access
  – Access to computing technology
  – Access to data
• Accuracy
  – Accuracy of information stored

Problems with Codes of Ethics

• A legal system is not a complete and correct guide to moral behavior
• Codes of ethics are mostly voluntary
• May encounter situations for which the code makes no explicit recommendations
• Goodness cannot be defined through a list of Dos and Don'ts
• You must use your internal sense of ethics

Ten Commandments of Computer Ethics (1)

• You shall not use a computer to harm other people.
  – Intentionally interfering with other people’s work
    • E.g., your honeypots should not attack others
  – Invading the privacy of individuals
    • E.g., create a set of fake social networking accounts to collect others’ private information by becoming their “friends”
• You shall not interfere with other people's computer work.
  – Degrading or disrupting equipment, software, or system performance.
  – Using resources to interfere with the proper operation of any computer, or destroy data.
  – Intentionally interfering with other people’s work
  – Invading the privacy of individuals

Ten Commandments of Computer Ethics (2)

• You shall not snoop around in other people's computer files.
  – Using an account owned by another user, or allowing another user to access your account. (Any problems which arise from the misuse of a user’s password will be that user’s responsibility.)
  – Invading the privacy of individuals
• You shall not use a computer to steal.
  – Using resources in any manner that violates Board policy, federal, state, or local law including unauthorized copying or transmission of software.

Ten Commandments of Computer Ethics (3)

• You shall not use a computer to bear false witness.
  – Initiating or forwarding “chain” letters.
  – Downloading, storing, printing, or distributing files or messages that are profane, obscene, threatening, or that use language that offends or tends to degrade others.
  – Urban Legends (e.g. kidney transplants)
  – Unproven rumors (e.g. free coca cola)
• You shall not copy or use proprietary software for which you have not paid.
  – Using resources in any manner that violates Board policy, federal, state, or local law including unauthorized copying or transmission of software.

Ten Commandments of Computer Ethics (4)

• You shall not use other people's computer resources without authorization or proper compensation.
  – Using information obtained through network and computer resources without giving proper credit to the source (plagiarism).
  – Posting personal communication without the original author’s consent.
• You shall not appropriate other people's intellectual output.
  – Posting personal communication without the original author’s consent.
  – Using information obtained through network and computer resources without giving proper credit to the source (plagiarism).

Ten Commandments of Computer Ethics (5)

• You shall think about the social consequences of the program you are writing or the system you are designing.
  – Initiating or forwarding “chain” letters.
  – Downloading, storing, printing, or distributing files or messages that are profane, obscene, threatening, or that use language that offends or tends to degrade others.
• You shall always use a computer in ways that show consideration and respect for your fellow humans.
  – Downloading, storing, printing, or distributing files or messages that contain information considered dangerous to the public at large.

Computer Crime

Any crime in which computer-related technology is encountered.

The commission of illegal acts through the use of a computer or against a computer system.

“An act committed in violation of criminal or civil codes using electronic or digital technologies for unauthorized activities and transactions”

Types of Computer Crime

• Business attacks
• Financial attacks
• Terrorist attacks
• Grudge attacks
• Fun attacks

Most Common Computer Crimes

• Fraud by computer manipulation
• Computer forgery
• Damage to or modifications of computer data or programs
• Unauthorized access to computer systems and service
• Unauthorized reproduction of legally protected computer programs

Computer Crimes Are Hard to Prosecute

• Lack of understanding
• Lack of physical evidence
• Lack of recognition of assets
• Lack of political impact
• Complexity of case
• Age of defendant (Juveniles)
• Lack of updated law for the new technology

Computer Crimes Are Hard to Catch

• Multinational activity
  – No international laws for computer crimes
• Complexity
  – Networked attacks hard to trace
  – E.g., attacker uses a chain of “stepping stones” to conduct an attack
    • These stepping stones are all around the world

The Fight Against Computer Crimes

The role in combating cyber crime is essentially two-fold:

(1) preventing cyber attacks before they occur or limiting their scope by disseminating warnings and advisories about threats so that potential victims can protect themselves

(2) responding to attacks that do occur by investigating and identifying the perpetrator

Existing Laws Used for Computer Crimes

• U.S. Computer Fraud and Abuse Act
• U.S. Economic Espionage Act
• U.S. Electronic Funds Transfer Act
• U.S. Freedom of Information Act
• U.S. Privacy Act
• U.S. Electronic Communications Privacy Act
• U.S. Patriot Act
• Gramm-Leach-Bliley Act
• HIPAA
• CAN Spam Act

U.S. Computer Fraud and Abuse Act

• Unauthorized access to a computer containing data protected for the national defense or foreign relations concerns
• Unauthorized access to a computer containing certain banking or financial information
• Unauthorized access, use, modification, destruction, or disclosure of a computer or information in a computer operated on behalf of the U.S. government
• Accessing without permission a “protected computer,” which the courts now interpret to include any computer connected to the Internet
• Computer fraud
• Transmitting code that causes damage to a computer system or network
• Trafficking in computer passwords

U.S. Economic Espionage Act

This act outlaws use of a computer for foreign espionage to benefit a foreign country or business or theft of trade secrets (1996)

U.S. Electronic Funds Transfer Act

This law prohibits use, transport, sale, receipt, or supply of counterfeit, stolen, altered, lost, or fraudulently obtained debit instruments in interstate or foreign commerce

US Privacy Act (1974)

This act protects the privacy of personal data collected by the government. An individual is allowed to determine What data


HIPAA (Health Insurance Portability and Accountability Act - Public Law 104-191, 1996)

• Part I – Rights of workers to maintain health insurance coverage after their employment was terminated
• Part II – Protection of the privacy of individuals’ medical records. Healthcare providers must perform standard security practices such as
  – Enforce need to know
  – Ensure minimum necessary disclosure
  – Designate a privacy officer
  – Document information security practices
  – Track disclosure of information
  – Develop a method for patients’ inspection and copying of their information

Computer Crime Cases

• List of computer crime criminals: http://en.wikipedia.org/wiki/List_of_computer_criminals
• Timeline of hacker history: http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history