Spring 2004 © 2000-2004, Richard A. Stanley EE579U/6 #1 EE579U Information Systems Security and Management 7. Information Security Law revisited Professor Richard A. Stanley

Post on 22-Dec-2015


Spring 2004 © 2000-2004, Richard A. Stanley

EE579U/6 #1

EE579U Information Systems Security and Management

7. Information Security Law revisited

Professor Richard A. Stanley

EE579U/6 #2

Overview of Today’s Class

• Review of last class (#5 -- #6 was the mid-term)

• More about information security Law

EE579U/6 #3

Last time…

• Computer crime is a fast-growing area of illegal activity

• “That’s where the money is”

• Computers (and networks) are regulated by a large and growing body of law

• Both civil and criminal issues involved

• Liability is a major consideration for any business or practitioner

EE579U/6 #4

Law

• You have had a basic grounding in the law in the last class

• This class seeks to expand your understanding of how law is classified, made, and enforced…

• And how it affects our world of information systems

EE579U/6 #5

Definitions of Laws - 1

• Laws are often considered commands, a means for controlling people’s conduct in society.

• Law can be defined as a means of social control having four characteristics:

– A scheme of social control

– A method to protect social interests

– It accomplishes its purpose by recognizing a capacity in persons to influence the conduct of others

– Law provides courts and legal procedures to help the person with this capacity

EE579U/6 #6

Definitions of Laws - 2

• Law can regulate human conduct and through the courts it can resolve controversies.

– Justice is a purpose and objective of government and civil society. Apparently the achievement of justice depends upon the concept of right and wrong in the society involved. One goal of justice in our society, as stated in the Declaration of Independence, is to secure for all “life, liberty and the pursuit of happiness.”

EE579U/6 #7

Classifications of Law - 1

• Common Law – rules of law created by the courts through judicial decisions

• Stare decisis (Latin: to stand by things decided)

– Courts “make law” as part of the process of deciding cases and controversies before them; case law is created in the process

– Stare decisis is essentially the doctrine of precedent. Courts cite to stare decisis when an issue has been previously brought to the court and a ruling already issued. Generally, courts will adhere to the previous ruling, though this is not universally true

EE579U/6 #8

The Stare Decisis Dilemma

Source: Jon Roland, “How stare decisis Subverts the Law,” from http://www.constitution.org/col/0610staredrift.htm

EE579U/6 #9

Classifications of Law – 2

• Precedent is established for future cases when a rule of law has been announced and followed by courts so that the rule has become settled by judicial decision

• Civil Law systems rely primarily on legislative enactments, rather than judicial decisions, for law. Any court in a civil law system must defer to the legislation for the answer to a legal issue. This is not the system of law within the U.S.A.

EE579U/6 #10

Classifications of Law – 3

• Public Law involves those matters that regulate society as opposed to individuals interacting. Examples of public law include constitutional law, administrative law and criminal law.

– Constitutional Law – involves the interpretation and application of either the federal or state constitution.

– Administrative Law – describes the legal principles that apply to government agencies, bureaus, boards and commissions.

– Criminal Law – encompasses all legal aspects of crime

EE579U/6 #11

Classifications of Law – 4

• Private Law encompasses those legal problems and relationships that exist between individuals. Private law is traditionally separated into the law of contracts, the law of torts, and the law of property.

– Contract Law – addresses agreements between two parties.

– Tort Law – addresses wrongs other than a breach of contract, by which one party injures another.

– Property Law – deals with ownership and possession of both tangible things and intangible rights.

EE579U/6 #12

Did We Get It Wrong in Our Last Class?

• In that course, you learned that law could be classified into criminal law and civil law

• That is a perfectly acceptable way of classifying laws, and is commonly used

– The term civil law as used in this classification scheme means something different from the same term as used on Slide 9

• Refers to all non-criminal laws and activities

EE579U/6 #13

Just for Good Measure

• Law can also be classified between substance and procedure

– Substantive law defines the legal relationship of people with other people or between them and the state.

– Procedural law deals with the method and means by which substantive law is made and administered; the time allowed for one party to sue another and the rules of law governing the process of the lawsuit are examples of procedural laws.

EE579U/6 #14

Why Do We Care?

• There are many issues in information systems that are governed by law

• You need to know enough to know when to call for expert help from the attorneys, and to have at least a basic understanding of what they are talking about when they talk with you about their view of your systems and their potential legal problems.

EE579U/6 #15

An Example

• The Boston Globe of 19 October 2003 reports how the newspaper was able to purchase Governor Romney’s credit report for $125 on-line.

– Is this legal?

– If not, who broke the law?

– What can be done about it?

– How would you deal with it if your IT system were involved?

EE579U/6 #16

Goldshield Web Page Home

EE579U/6 #17

Need Personal Data?

EE579U/6 #18

Some Other Sources

• Intelius

• Skip Trace

• Skipease

• …and many, many more

EE579U/6 #19

What’s The Problem?

• Virtually every IT system contains information, or links to information, that can be misused

• In nearly every case, misuse of that information is a criminal offense, and/or can also be actionable under property or tort law

• This is not a situation any IT system management team wants to be in

EE579U/6 #20

Subpoena

• Is a written court order requiring the attendance of the person named in the subpoena at a specified time and place for the purpose of being questioned under oath concerning a particular matter which is the subject of an investigation, proceeding, or lawsuit

• A subpoena may also require the production of a paper, document, or other object relevant to the particular investigation, proceeding, or lawsuit

EE579U/6 #21

If You Receive a Subpoena

• You must either…

– Comply

– Apply to the proper court to vacate or modify the subpoena

• Neither of these is a “do-it-yourself” activity

• Subpoenas are increasingly being used to investigate matters involving IT systems

EE579U/6 #22

Fourth Amendment

• “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

EE579U/6 #23

Search Warrant

• A warrant, issued by competent authority (normally a judge of court), authorizing an examination or search of specified premises for goods stolen, secreted, or concealed

• Search warrants are quite specific—they do not permit sweeping blanket searches

• Legal basis is compliance with the Fourth Amendment to the Constitution, which limits unreasonable search and seizure

EE579U/6 #24

What About Computers?

• To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or file cabinet. The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a warrant if it would be prohibited from opening a closed container and examining its contents in the same situation.

http://www.cybercrime.gov/s&smanual2002.htm#_I_

EE579U/6 #25

Issues

• Courts have differed in their interpretation of the Fourth Amendment as applied to computers

– Fifth Circuit held that the computer was effectively a closed container

– Tenth Circuit viewed each file as a container

• Protection may be lost if computer is in possession of a third party, or if control of files is lost

• Fourth Amendment does not apply to searches conducted by private parties who are not government agents

EE579U/6 #26

Search Warrants and You

• This is not generally an area in which you can seek a priori legal opinion

• Interfering with agents performing a search authorized by a proper warrant is usually a crime, whether anything is found or not

• The increase in computer-based crime has dramatically increased the issuance of warrants in the information systems area

EE579U/6 #27

There Are Many Issues

• Stewardship of property in your system

– Intellectual property

– Information of which you are unaware

• Information about warrants, etc. targeting your system is available on the Internet

• What to do if information about you is made public, even if it is incorrect?

EE579U/6 #28

“It’s Not Fair”

• When caught or challenged, many allege they are victims of selective enforcement

• This claim is nearly always specious

– It is physically impossible to catch all the criminals all the time. Does this mean that none should be prosecuted?

– This “defense” does not impress the courts and is often viewed as the last resort of a scoundrel

EE579U/6 #29

Identity Fraud

• Deals with “false identification document”

– Making, transfer, use, possession all crimes

– Identity documents covered

• Any identification document issued by or under the authority of the United States

– Includes federal, state, local, foreign government, international quasi-governmental organization

– Birth certificate, driver’s license, personal ID card

– Penalties up to 15 years imprisonment

EE579U/6 #30

Other Areas of Concern

• Intellectual property of all types

– Copyrights

– Patents

– Trade secrets

• Your responsibility for the actions of others

EE579U/6 #31

Legal Issues in Computer Security

• Copyrights [17 USC]

– Protect expression of ideas, not the idea itself

– Gives author exclusive rights to copy & sell

– Can cover “any tangible medium of expression”

– Work must be original to the author

– Subject to “fair use”

– Marking required

– Lasts for 50 years after death of last author (moving target)

EE579U/6 #32

Copyrights Again

• Copyright valid without registration, but registering helps ensure protection

• Infringement resolved in the courts

• U. S. Govt. works in public domain, but not all governments (cf. Crown Copyright)

• Programs can be copyrighted, but…

• Copyright limits distribution, not use

EE579U/6 #33

More About Copyrights

• Fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means:

– criticism

– comment

– news reporting

– teaching (including multiple copies for classroom use)

EE579U/6 #34

Copyright Infringement

• Basic statute is 17 USC § 506

– Title 17 deals with copyrights

– Section 506 treats remedies for infringement

– For legal consistency, penalties are in the criminal title, Title 18

• Up to 3 years imprisonment, first offense

• Up to 6 years imprisonment, second or subsequent offense

EE579U/6 #35

Music Sharing and Copyrights

• Recording Industry Association of America (RIAA) is presently in process of suing numerous individuals across America for illegally sharing music

• The issue here is copyright violation, as the owners of the copyrighted songs claim economic loss by having their songs pirated

• Is this an IS security problem?

EE579U/6 #36

Digital Millennium Copyright Act (DMCA)

• Passed by Congress October 28, 1998

• Expands the protection of copyrighted works on the Internet and in digital form

– “Black Box” Provisions

• Limits the liability of on-line service providers for infringement of copyrighted works

– “Safe Harbor” Provisions

EE579U/6 #37

DMCA “Safe Harbor”

• Service providers, upon payment of $20 fee and meeting reporting requirements, can qualify for liability protection against copyright infringement

– “Service provider” is defined broadly as “a provider of online services or network access, or the operator of facilities therefor”

• Providers must not interfere with “standard” measures used to ID and protect copyrights

EE579U/6 #38

DMCA “Black Box”

• DMCA makes circumventing protective technologies, such as encryption and passwords, a violation of the law

• Removing, changing, or altering “copyright management information” also a violation

• Even if your copyrighted work is not actually copied, a person could be liable for attempting to do so, or for giving others the tools and access to do so

EE579U/6 #39

DMCA Observations

• This is a major extension of copyright law!

• Penalties for “black box” violations exceed the penalties in 17 USC for infringement

• There is little, if any, case law yet

• Does this violate the “fair use” doctrine?

• Feared to put a damper on research into cryptography and cryptanalysis

EE579U/6 #40

ElcomSoft, Dmitry Sklyarov and the DMCA

• Sklyarov is a Russian programmer who, with his company, ElcomSoft, developed a way to defeat the encryption on Adobe eBooks, allegedly to make backup copies or to be read audibly

• Sklyarov arrested July, 2001 in Las Vegas, and charged with violating the DMCA

– Four circumvention counts, one conspiracy

– No copyright infringement counts

• Federal jury acquitted him on all counts, Dec 2002

EE579U/6 #41

Patents

• Protect inventions [35 USC]

• Object patented must be “nonobvious”

• Patent goes to first to invent (in U.S.)

– Goes to first to file in most other jurisdictions

• Requirements for patent

– Search for prior art

– Patent Office determination that it is novel

– Issuance of patent

EE579U/6 #42

What Can Be Patented?

“Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.”

35 USC § 101

EE579U/6 #43

More on Patents

• Valid for 20 years since US ratification of GATT harmonization, earlier 17 years, not generally renewable

• Requires disclosure of all working details

• A patent is a public document

• Infringement must be opposed. Claims:

– This isn’t infringement

– The patent is invalid

– The invention is not novel

– The infringer invented first

EE579U/6 #44

Patents and Software

• Software can be patented, and often is

– Read the license statement

• Easier to patent a process in which software forms a part, but then use of the software outside the process is not covered

• Not much case law yet

EE579U/6 #45

Patent Infringement

• Is a civil, not a criminal matter (property law)

– Cf. Copyright violations

• Remedies provided

– 35 USC § 271 defines infringement

– 35 USC § 281 provides for civil remedy

– 35 USC § 284 et seq. provide for damages

• If you participate in infringement, you could be a defendant

EE579U/6 #46

Trade Secrets

• Give a competitive edge over others

• Must always be kept secret

• Applies well to software, especially since the copyright act changes in 1978

• Hard to enforce (e.g. reverse engineering)

EE579U/6 #47

How to Protect Trade Secrets?

• Must enforce some degree of special handling and secrecy to prove business’ intent to keep the information secret

• Example: recipe for Coca-Cola

– Locked in Atlanta bank vault

– Combination known to only 2 employees

– These persons are never publicly identified

– Both cannot travel on the same airplane

EE579U/6 #48

Enforcing Trade Secrets

• Every state has laws prohibiting theft of trade secrets, as does the federal government

• Theft can constitute a crime under both state and federal law

– e.g. Economic Espionage Act of 1996 (EEA) (18 USC § 1831-1839)

– Fines up to $500K (indiv.) / $5M (corporate), jail up to ten years

– Law also applies to theft outside the US if the thief is a US national or corporation

EE579U/6 #49

Who Owns Intellectual Property?

• Generally speaking, if you were paid to produce it by your employer, they own the property

• If you produce it on your own time, but use skills learned on the job, they may still own the intellectual property!

• Intellectual property agreements are common, and often in dispute

• Employment contracts may contain intellectual property ownership clauses

EE579U/6 #50

Your Responsibilities

• As an employee?

• As a management staff member?

• As a technical staff member?

EE579U/6 #51

What About Assistance to Law Enforcement?

• This can be a win-win situation for law enforcement and your company

• Be careful about doing something like this without senior executive support, in writing

• Never confuse yourself with a law enforcement agent

• Be cautious about practicing law without a license

EE579U/6 #52

What About Multinational Exposure?

• Most networks today have presence in many jurisdictions and nations

• Laws are not uniform across jurisdictions

• Issues as to what is a crime, where the crime occurred, and where jurisdiction rests are largely unclear

• Forewarned is forearmed

EE579U/6 #53

Summary

• The law is increasingly an issue about which information security professionals must be aware and knowledgeable

• Law is a complex topic, and expert help is needed to succeed here. Not for DIY.

• That said, you need to remain “on top of” what is going on in the legal domain

EE579U/6 #54

Homework - 1

• You are the information security officer of your company and are on duty. Six FBI agents present themselves at the entrance to the company with a search warrant for the computers of one of your employees. What do you do? During their search, they decide to seize the computer of another employee not named in the warrant. What do you do?

EE579U/6 #55

Homework – 2

• In your morning mail at the company, you receive a subpoena from the local federal court demanding you turn over “all records of electronic communications for the period named.” What actions are you going to take? In what order? What files or information do you think should be turned over? Who decides?

EE579U/6 #56

Homework – 3

• As information security officer of your organization, how do you plan to educate your staff as to the elements of the law you feel they need to know without generating a lot of lost time and “barracks lawyering?” Are you going to seek anyone else’s assistance?