sect9-legal priv etc issues

CS 5950/6030 – Computer Security and Information Assurance Section 9: Legal, Privacy, and Ethical Issues in Computer Security Dr. Leszek Lilien Department of Computer Science Western Michigan University Slides based on Security in Computing. Third Edition by Pfleeger and Pfleeger. Using some slides courtesy of: Prof. Aaron Striegel — course taught at U. of Notre Dame Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke (U. Idaho) — taught at U. Washington Prof. Jussipekka Leiwo — taught at Vrije Universiteit (Free U.), Amsterdam, The Netherlands Slides not created by the above authors are © 2006 by Leszek T. Lilien Requests to use original slides for non-profit purposes will be gladly granted upon a written request.

Upload: divansu-d-bansal

Post on 16-Nov-2015

TRANSCRIPT

  • CS 5950/6030 Computer Security and Information Assurance

    Section 9: Legal, Privacy, and Ethical Issues in Computer Security
    Dr. Leszek Lilien
    Department of Computer Science
    Western Michigan University

    Slides based on Security in Computing. Third Edition by Pfleeger and Pfleeger.
    Using some slides courtesy of:
    - Prof. Aaron Striegel - course taught at U. of Notre Dame
    - Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke (U. Idaho) - taught at U. Washington
    - Prof. Jussipekka Leiwo - taught at Vrije Universiteit (Free U.), Amsterdam, The Netherlands

    Slides not created by the above authors are © 2006 by Leszek T. Lilien
    Requests to use original slides for non-profit purposes will be gladly granted upon a written request.

    *Section 8 Computer Security and Information Assurance Spring 2006 by Leszek T. Lilien, 2006

    9. Legal, Privacy, and Ethical Issues in Computer Security
    Human Controls Applicable to Computer Security:

    9.1. Basic Legal Issues
      a) Protecting Programs and Data
      b) Information and the Law
      c) Ownership Rights of Employees and Employers
      d) Software Failures (and Customers)
    9.2. Computer Crime
    9.3. Privacy
    9.4. Ethics
      a) Introduction to Ethics
      b) Case Studies of Ethics
      c) Codes of Professional Ethics

    9.1. Basic Legal Issues

    Outline:

    a) Protecting Programs and Data
    b) Information and the Law
    c) Ownership Rights of Employees and Employers
    d) Software Failures (and Customers)

    a) Protecting Programs and Data (1)

    Copyrights: designed to protect expression of ideas (creative works of the mind)
    - Ideas themselves are free
      - Different people can have the same idea
    - The way of expressing ideas is copyrighted
    - Copyrights are exclusive rights to making copies of expression

    Copyright protects intellectual property (IP)

    IP must be:
    - Original work
    - In some tangible medium of expression

    ---[OPTIONAL]--- Digital Millennium Copyright Act (DMCA) of 1998
    - Clarified some copyright issues for digital objects

    Protecting Programs and Data (2)

    Patent: designed to protect tangible objects, or ways to make them (not works of the mind)
    - Protected entity must be novel & nonobvious
    - The first inventor who obtains patent gets his invention protected against patent infringement
    - Patents applied for algorithms only since 1981

    Trade secret: information that provides competitive edge over others
    - Information that has value only if kept secret
    - Undoing release of a secret is impossible or very difficult
    - Reverse engineering used to uncover trade secret is legal!
    - Trade secret protection applies very well to computer s/w
      - E.g., programs that use algorithms unknown to others

    ---[OPTIONAL]--- Protecting Programs and Data (3)
    Comparing Copyright, Patent and Trade Secret Protection

    |                              | Copyright                                     | Patent                                        | Trade Secret                      |
    |------------------------------|-----------------------------------------------|-----------------------------------------------|-----------------------------------|
    | Protects                     | Expression of idea, not idea itself           | Invention - way something works               | Secret, competitive advantage     |
    | Protected Object Made Public | Yes; intention is to promote publication      | Design filed at Patent Office                 | No                                |
    | Must Distribute              | Yes                                           | No                                            | No                                |
    | Ease of filing               | Very easy, do-it-yourself                     | Very complicated; specialist lawyer suggested | No filing                         |
    | Duration                     | Originator's life + 70 yrs; 95 y. for company | 19 years                                      | Indefinite                        |
    | Legal Protection             | Sue if unauthorized copy sold                 | Sue if invention copied/reinvented            | Sue if secret improperly obtained |

    Protecting Programs and Data (4)

    ---[OPTIONAL]--- How to protect:
    - H/w
      - Patent
    - Firmware (microcode)
      - Patent physical device, chip
      - Use trade secret protection
      - Copyright s/w such as embedded OS
    - Object code s/w
      - Copyright of binary code ??
      - Copyright of source code ??
      - Need legal precedents
    - Source code s/w
      - Use trade secret protection
      - Copyright reveals some code, facilitates reverse engineering
      - Need legal precedents, too

    b) Information and the Law (1)

    Characteristics of information as an object of value
    - Not depletable
    - Can be replicated (buyer can become a seller)
    - Has minimal marginal cost (= cost to produce n-th copy after producing n-1 copies)
    - Value is often time dependent (outdated => lower/no value)
    - Can be transferred intangibly

    ---[OPTIONAL]--- Legal issues for information
    - Information commerce
      - Need technological and legal protections for info seller
    - Electronic publishing
      - Cryptographic + legal solutions to protect seller's rights
    - Protecting data in DB
      - How to decide which DB is source for given data?
      - Who owns data in a DB if it is public data (e.g., name+phone)?
    - E-commerce
      - How to prove that info delivered too late or is bad?

    b) Information and the Law (2)

    Copyright, patents, trade secrets cover some (not all!) protection needs

    Remaining protection needs can use law mechanisms discussed below
    - Building precedents or contributing to legislating new laws

    Law categories:

    1) Criminal Law / Statutory Law
    2) Civil Law (I hope I'm right with these subcategories)
       2a) Common Law / Tort Law
       2b) Contracts

    b) Information and the Law (3)

    Comparison of Criminal and Civil Law

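    |                  | Criminal Law | Civil Law                              |
    |------------------|--------------|----------------------------------------|
    | Defined by       | Statutes     | Common law (tort l.); Contracts        |
    | Cases brought by | Government   | Government; Individuals and companies  |
    | Wronged party    | Society      | Individuals and companies              |
    | Remedy           | Jail, fine   | Damages, typically monetary            |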

    c) Ownership Rights of Employees and Employers (1)

    Ownership rights are a computer security issue
    - Concerned with protecting secrecy (confidentiality) and integrity of works produced by employees of an employer

    Ownership issues in employee/employer relations:
    - Ownership of products
      - Products/ideas/inventions developed by employee after hours might still be owned by her employer
        - Esp. if in the same line of business
    - Ownership of patents
      - If employer files for patent, employer (not employee-inventor) will own patent
    - Ownership of copyrights
      - Similar to patents
    - Trade secret protection
      - No registered inventor/author; owner can prosecute for damages

    Ownership Rights of Employees and Employers (2)

    Type of employment has ownership consequences

    Work for hire
    - All work done by employee is owned by employer

    Employment contracts
    - Often spell out ownership rights
    - Often includes agreement not to compete (for some time after termination)
      - Non-competition is not always enforceable by law

    Licenses
    - Programmer retains full ownership of developed s/w
    - Grants license for a fee

    Software Failures (& Customers) (1)

    ---[OPTIONAL]--- Issue 1: Software quality: is it correct or not?
    - If not correct: ask for refund, replacement, fixing
      - Refund: possible
      - Replacement: if this copy damaged, or improved in the meantime
      - Fixing: rarely legally enforced; instead, monetary awards for damages
    - Correctness of s/w difficult to define/enforce legally
    - Individual can rarely sue a major s/w vendor
      - Prohibitive costs for individual

    Software Failures (& Customers) (2)

    ---[OPTIONAL]--- Issue 2: Reporting software flaws
    - Should we share s/w vulnerability info?
      - Both pros and cons
    - Vendor interests
      - Vendors (e.g., MS) don't want to react to individual flaws
      - Prefer to bundle a number of flaw fixes
    - User interests
      - Would like to have fixes quickly
    - Responsible vulnerability reporting
      - How to report vulnerability info responsibly?
      - E.g., first notify the vendor, give vendor a few weeks to fix
      - If vendor delays fixes, ask coordinator for help
        - Coordinator: e.g., computer emergency response center
    - Quality software is the real solution
      - The world does not need faster patches, it needs better software

    9.2. Computer Crime (1)

    Separate category for computer crime (CC) is needed
    - Because special laws are needed for CC

    ---[OPTIONAL]--- CC (special laws) need to deal with:
    - New rules of property for CC
      - Bits of info are now considered property (were not in 1984 case)
    - New rules of evidence for CC
      - Hard to prove authenticity of evidence for CC (easy to change!)
    - Value of integrity and confidentiality/privacy
      - Value of privacy is now recognized by several federal/state laws
    - Value of data
      - Courts understand value of data better
    - Acceptance of computer terminology
      - Law lags behind technology in acceptance of new terminology

    ---[OPTIONAL]--- Computer Crime (2)

    CC (special laws) need to deal with (cont.):
    - Difficulty of defining CC
      - Legal community is slow in accommodating advances in computing
      - Law change is cautious/conservative by nature
    - Difficulty of prosecuting CC
      - Reasons: lack of understanding / lack of physical evidence / lack of recognition of assets / lack of political impact / complexity of CC cases / lenient treatment of juveniles committing CCs

    ---[OPTIONAL]--- Computer Crime (3)

    Examples of American statutes related to CC
    - 1974 US Privacy Act
      - Protects privacy of data collected by the executive branch of federal govt
    - 1984 US Computer Fraud and Abuse Act
      - Penalties: max{100K, stolen value} and/or 1 to 20 yrs
    - 1986 US Electronic Communications Privacy Act
      - Protects against wiretapping
      - Exceptions: court order, ISPs
    - 1996 US Economic Espionage Act
    - 2001 USA Patriot Act
    - US Electronic Funds Transfer Act
    - US Freedom of Information Act

    ---[OPTIONAL]--- Computer Crime (4)

    International CC Laws
    - 1994 EU Data Protection Act
    - Restricted Internet content, e.g., China
    - Cryptography use: different laws in different countries

    Why computer criminals are hard to catch
    - Multinational activity
    - Complexity
      - E.g., attackers bouncing attacks thru many places to cover tracks

    Law is not precise
    - Problems with computer, object value, privacy

    Cryptography Challenges
    - Controls on its use internally (allowing govt to track illegal activities) and for export
    - Free speech issues: restricting Govt wanted key escrows (remember Clipper?)

    9.3. Privacy (1)

    Identity theft: the most serious crime against privacy

    Threats to privacy
    - Aggregation and data mining
    - Poor system security
    - Government threats
      - Govt has a lot of people's most private data
        - Taxes / homeland security / etc.
      - People's privacy vs. homeland security concerns
    - The Internet as privacy threat
      - Unencrypted e-mail / web surfing / attacks
    - Corporate rights and private business
      - Companies may collect data that U.S. govt is not allowed to
    - Privacy for sale - many traps
      - Free is not free
        - E.g., accepting frequent-buyer cards reduces your privacy

    Privacy (2)

    Controls for protecting privacy
    - Authentication
    - Anonymity
      - Needed also in computer voting
    - Pseudonymity
    - Legal privacy controls

    ---[OPTIONAL]---
    - 1996 HIPAA
      - Privacy of individuals' medical records
    - 1998 EU Data Protection Act
      - Privacy protections stronger than in the U.S.
    - 1999 Gramm-Leach-Bliley Act
      - Privacy of data for customers of financial institutions

    9.4. Ethics

    a) Introduction to Ethics (1)

    Law vs. Ethics
    - Law alone can't restrict human behavior
      - Impractical/impossible to describe/enforce all acceptable behaviors
    - Ethics/morals are sufficient self-controls for most people
    - Contrast of law and ethics: Table 9-3, p. 606

    ---[OPTIONAL]--- Characteristics of ethics
    - Ethics is not religion (but religions include ethical principles)
    - Ethical principles are not universal
      - Vary in different cultures
      - Vary even in different individuals in the same culture
    - Ethics is pluralistic in nature
      - In sharp contrast to science and technology that often has only one correct answer

    ---[OPTIONAL]--- Introduction to Ethics (2)

    Systems of ethics

    1) Consequence-based: do what results in greatest good, least harm
       1a) Egoism: I do what's good for me
       1b) Utilitarianism: I do what brings greatest collective good

    2) Rules-based (deontology): do what is prescribed by certain universal, self-evident, natural rules of proper conduct
       - Could be based on religion or philosophy

    ---[OPTIONAL]--- b) Case Studies of Ethics

    Read especially:
    - Case II: Privacy rights (p. 612)
    - Case VIII: Ethics of Hacking or Cracking (p. 619)

    c) Codes of Professional Ethics

    Different codes of professional ethics

    Computer Ethics Institute
    - 10 Commandments of Computer Use: Fig. 9.3, p. 625

    ---[OPTIONAL]--- IEEE: Fig. 9-1, p. 623

    ACM: Fig. 9-2, p. 624

    End of Section 9
    Student project presentations follow