IT Risk Management, Planning and Mitigation
TCOM 5253 / MSIS 4253
Legal, Ethical & Professional Issues in Risk Management
13 September 2007
Charles G. Gray
(c) 2007 Charles G. Gray

Law and Ethics in Risk Management
"In civilized life, law floats in a sea of ethics."
– Earl Warren, Chief Justice, United States Supreme Court, November 12, 1962

Learning Objectives
Upon completion of this session you should be able to:
– Use the information as a guide for future reference on laws, regulations, and professional organizations.
– Differentiate between laws and ethics.
– Identify major national laws that relate to the practice of information security.
– Understand the role of culture as it applies to ethics in information security.

Ignorance No Excuse
• Ignorance of the law (not knowing about it) is not an acceptable excuse
  – Well established in legal decisions
• Ignorance of a policy or procedure, by contrast, may be a defense
• It is incumbent upon IT managers to be aware of federal, state, and local laws and ordinances

Laws Applicable
• Not only to publicly traded companies
• Privately held companies as well
  – Except Sarbanes-Oxley, which applies only to publicly traded companies

Risks of Breaking a Law
• Litigation
  – Government (US or foreign)
    • Federal regulatory agency, DoJ, state AG
  – Criminal or civil action
  – Tort
• Loss of credibility (personal or work unit)
• Loss of future business
• Damage to corporate image, market value
• Personal liability

Law and Ethics in Information Security
• Laws – rules adopted for determining expected behavior
  – Laws are drawn from ethics
• Ethics define socially acceptable behaviors
• Ethics in turn are based on cultural mores: fixed moral attitudes or customs of a particular group
Types of Law
• Civil law
  – Wide variety of legal code guiding behavior
  • International, federal, state, municipality
• Public law
  – Criminal, administrative, constitutional law
• Tort law
  – Recourse against others for personal, physical or financial damage
• Private law
  – Family, labor, commercial law

Relevant US Laws – General
• Communications Act of 1934 ("CA34")
  – Telecommunications Act of 1996 ("TA96"), the deregulation and competition update
• Federal Records Act of 1950
  – Records disposal requires approval of the Archivist of the US
  – Applies to e-mail
  • Federal agencies must retain and manage electronic documents
  • Most work of public officials is public record and subject to disclosure

Freedom of Information Act of 1966 (FOIA), amended 1996 (E-FOIA)
• The Freedom of Information Act provides for any person to request access to federal agency records or information
  – US Government agencies are required to disclose the requested information on receipt of a written request
  • Some exemptions apply (e.g., national security)
• Does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA
  – "Sunshine" laws

Important Legislation
• Omnibus Crime Control and Safe Streets Act – 1968
  – Title III – "Wiretap Act"
  • Prohibits unauthorized wiretaps (common carriers)
  • Wiretaps require a court order and judicial supervision
  • Foreign Intelligence Surveillance Act (FISA) in conjunction with the AUMF may not require court supervision (currently under review)
    – AUMF (Authorization for Use of Military Force)
      » PL 107-40, 18 September 2001

The Privacy Act of 1974
• Government's protection of private information held in its systems of records
• Government may not conceal the existence of any database: agencies must publish notice of each system of records
  – Recent activities seem to violate this (???)
• No disclosure to other individuals or agencies without the written consent of the individual, except under the Act's enumerated exceptions (e.g., criminal law enforcement requests, court order)
• The disclosing agency must keep an accounting of what was disclosed, and to whom

"Buckley Amendment"
• Family Educational Rights and Privacy Act (FERPA) – 1974
  – Guarantees the right of privacy for grades, finances, personally identifying information, etc.
  – US Supreme Court held in 2002 that peer grading does not violate FERPA (Owasso Independent School District v. Falvo, Owasso, OK)
  – Risk of hackers (students?) obtaining access to a school's records

ECPA of 1986
• Electronic Communications Privacy Act (ECPA) of 1986
  – Prohibits unauthorized interception
  • In transit
  • In storage
  • Includes private networks, but not interceptions outside of the US (Echelon)

Computer Fraud and Abuse Act
• Passed in 1986, amended in 1989, 1990, 1994, 1996 and 2001
  – 1996 – National Information Infrastructure Protection Act
• 18 USC 1030
• Criminalizes hacking, denial-of-service, viruses and other similar activities
• Punishment
  – 1–5 years for a first offense, 10 years for a second
  – Theft of sensitive government information, 10–20 years
  – Causing injury or death – up to life in prison

Computer Matching and Privacy Protection Act
• In 1988 and 1989 Congress amended the Privacy Act of 1974
• Regulates federal agencies' computer matching of their records against other agencies' records or non-federal databases
  – Requires written matching agreements, notice to the individual, and independent verification before any adverse action is taken
  – Could any comparisons have avoided 9/11?
  – Any effect on counter-terrorism activities today?
  – Is this law good or not?
  • When do the advantages outweigh the disadvantages?
CALEA – 1994
• Communications Assistance for Law Enforcement Act of 1994
  – Digital Telephony Act
  – All "providers and carriers" must ensure that law enforcement can conduct lawful interceptions and electronic surveillance
  • Equipment, facilities and services must meet specified criteria (Section 103)
  • Exceptions – information service providers, private networks
  • Decryption by the telco is not required unless the carrier itself supplied the encryption

ECPA – Later Amendments and Additional Provisions
• The 1986 law has been updated since then to keep pace with technology
• Covers electronic mail and stored communications
• Includes "any provider of wire or electronic communications" – not just common carriers
• Disclosure of the identity of parties or the existence of a communication is NOT covered
  – That is, disclosure of the fact (not the content) is allowed
• Inadvertent discovery of criminal activity may be disclosed to law enforcement officers

Children's Online Privacy Protection Act of 1998
• Regulates collection of personal data from children under the age of 13
  – Websites, on-line services, pen pal services, e-mail, message boards, or chat rooms
• Applies to any site directed to children and to any general site whose operator has actual knowledge that a user is under 13 (on the Internet, how do you know?)
• No protection for older children

2001 Treaty on Cybercrime
• Council of Europe (NOT the EU)
• Signed by the US in 2001; the Senate gave its consent in 2006 and the Convention entered into force for the US on 1 January 2007
  – President Bush had urged ratification
  – Many dissenting voices
• Signatories agree to create computer abuse laws and copyright protection
• Nations must cooperate to prosecute attackers

USA PATRIOT Act of 2001
• "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism"
• Broad powers defined to intercept and record wire, oral and electronic communications relating to
  – Terrorism
  – Computer fraud and abuse
• Some provisions have been invalidated
Sarbanes-Oxley Act of 2002
• Applies to all publicly traded companies
  – Includes the non-US operations of those companies
• Stringent accounting/reporting rules
• "Internal controls"
  – Ensure reliable and accurate financial reports
  • Track all data related directly or indirectly to the financial state of the company
  • Control and monitor anything that could affect data accuracy

Sarbanes-Oxley Covers
• E-mail
• Instant messaging
• Documentation contained in:
  – Word processing documents
  – PowerPoint presentations
  – Spreadsheets
  – Custom-built databases
• Server cleaning
• Data backup

Sarbanes-Oxley Penalties
• If you "get it wrong" – personal criminal liability for corporate officers

HIPAA
• Health Insurance Portability and Accountability Act (1996)
  – Serious consequences for violation
  – HIPAA Security committee should have all stakeholders represented (not just IT)
  – Use NIST SP 800-30 (risk management guide) as a guide
  – 54 standards and implementation features
  • Document and retain all remediation activities for at least six years

Financial Industry Laws
• California SB 1386 (2003) – security breach notification
  – This brought the ChoicePoint situation to light
• Financial Services Modernization Act (1999)
  – Gramm-Leach-Bliley Act (Title V – Privacy)
• Fair Credit Reporting Act (1970; major amendments in 1996 and the 2003 FACT Act)
• Basel II Accord (international banking)

HSPD-12
• Homeland Security Presidential Directive 12 (2004)
• FIPS PUB 201 – Personal Identity Verification (PIV) of Federal Employees and Contractors (maybe also states that access federal systems)
  – Requires "smart cards" to be issued
  • Authentication for access to specific applications
  • Building access based on security access level
  • Must interoperate with multiple IT vendors
  • Impregnable (an objective – not readily achievable – maybe not ever)
Federal Information Processing Standards (FIPS)
• 113 – 1985, Computer Data Authentication
• 140-1 – 1994, Security Requirements for Cryptographic Modules
• 140-2 – 2001, Security Requirements for Cryptographic Modules
• 180-2 – 2002, Secure Hash Standard
• 181 – 1993, Automated Password Generator
• 186-2 – 2000, Digital Signature Standard

More FIPS
• 188 – 1994, Standard Security Labels for Information Transfer
• 190 – 1994, Guideline for the Analysis of Local Area Network Security
• 196 – 1997, Entity Authentication Using Public Key Cryptography
• 197 – 2001, Advanced Encryption Standard (AES)
• 200 – 2006, Minimum Security Requirements for Federal Information and Information Systems
• 201-1 – 2006, Personal Identity Verification (PIV) of Federal Employees and Contractors

Employee Privacy
• ECPA prohibits deliberate eavesdropping on personal telephone calls
• Not applicable to (i.e., the employer can monitor)
  – E-mail
  – IM
  – Web surfing
• The proposed "Notice of Electronic Monitoring Act" died in committee in 2000

E-mail Archive Risks
• Federal Rules of Civil Procedure (2006 e-discovery amendments)
  – E-mail must be retained and producible (archiving can be outsourced)
  • Inbound and outbound
  • "Backup tapes" are not "archives"
    – An archive is easily searchable ("accessible") by multiple parties; restoring tapes in order to search them is not
  • Assess the cost of the search
    – Can run into millions of $$
• Social threats
  – Offensive content, jokes, images, racial content
• Trade secrets, misleading market information, customer information

Keep or Shred??
• By 2010 the world's information base will double every 11 hours (IBM Global Technology Services, 2006)
• Document retention rules are complex and changing (rules of "discovery")
• It helps to have a document retention policy
  – Must provide for "standing still" (a litigation hold on destruction) even if there is only a remote "possibility" of litigation
  – Eliminate low-value information ASAP, actively manage what is kept
Consumer Privacy
• One of the hottest topics in information management
• Unprecedented ability to collect information on an individual, combine facts from separate sources, and merge it with other information has resulted in comprehensive databases
• Aggregation of data from multiple sources permits unethical organizations to build databases of facts with frightening capabilities

Privacy of Customer Information
• Customer Proprietary Network Information (CPNI)
  • State regulations vary – e.g., Washington
  • FCC docket CC 96-115, June 2007 order ("pretexting")
• HIPAA – The Health Insurance Portability & Accountability Act of 1996, also known as the Kennedy-Kassebaum Act
• The Financial Services Modernization Act – Gramm-Leach-Bliley Act of 1999

Export and Espionage Laws
• Trading with the Enemy Act – 1917
• Export Administration Act of 1979
  – Lapsed in 2001; its Export Administration Regulations have been kept in force since then under the IEEPA emergency declaration below, renewed annually
• Presidential "Declaration of National Emergency" under the International Emergency Economic Powers Act
  – Covers export of cryptography
  – Wassenaar Arrangement (1996)
• Economic Espionage Act (EEA) of 1996
• Security and Freedom Through Encryption (SAFE) Act of 1999 (proposed; never enacted)

FISMA
• Federal Information Security Management Act of 2002
  – Title III of the E-Government Act of 2002
• Promotes the development of key security standards
• Applies to all federal government entities and "affiliated parties" such as contractors
• Mandates annual reviews, reporting, and independent evaluations (audits)

FISMA Objective
More secure information systems within the federal government, including the critical infrastructure of the United States
FISMA Vision
• Standards for categorizing information systems by mission impact
• Standards for minimum security requirements
• Guidance for selecting appropriate controls
• Guidance for assessing security controls in information systems and determining their effectiveness
• Guidance for certifying and accrediting information systems

FISMA Anticipated Results
• Cost-effective, risk-based information security programs
• Establish a level of due diligence for federal agencies and contractors
• Consistent and cost-effective security controls throughout the federal IT structure
• Consistent, comparable and repeatable security control assessments
• More complete, reliable and trustworthy information for authorizing officials

FISMA Related Publications
• FIPS 199 (security categorization) and FIPS 200 (minimum security requirements)
• NIST Special Publications
  – 800-53 (security controls)
  – 800-59 (identifying national security systems)
  – 800-60 (mapping information types to security categories)
• Under development (revisions)
  – 800-37 (certification and accreditation)
  – 800-53
  – 800-53A (assessing security controls)
Note: see http://csrc.nist.gov/publications/nistpubs

US Copyright Law
• Intellectual property is recognized as a protected asset in the US
• US copyright law extends to the published word, including electronic formats
• Fair use of copyrighted materials includes
  – Use to support news reporting, teaching, scholarship, and a number of other related purposes
  – Fair use is judged on four factors: the purpose and character of the use (nonprofit educational or library use weighs in favor, commercial use against), the nature of the work, the amount used (which should not be excessive), and the effect on the market for the work

State & Local Regulations
• States or localities may have a number of laws and regulations that impact operations
• It is the responsibility of the information security professional to understand state laws and regulations and ensure that the organization's security policies and procedures comply with those laws and regulations
PCI DSS
• Payment Card Industry Data Security Standard (a contractual, not a "legal", requirement)
• Visa, MasterCard, American Express, Diners Club, Discover, JCB, others
  – When the elephants dance, the mice get trampled
• Supersedes the individual card brands' compliance standards
• Requirements
  – Compliance with the requirements
  – Validation of compliance with the PCI DSS requirements

PCI DSS Requirements
• Maintain firewalls
• No vendor-default passwords or security parameters
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
• Regular update of antivirus software
• Develop and maintain secure systems and applications
• Restrict access based on "need to know"
• Unique ID for each person with computer access
• Restrict physical access to cardholder data
• Track and monitor all access to network resources and cardholder data
• Regular testing of security systems and processes
• Maintain a policy that addresses information security
• (Implied) Validate all of the above

International Laws and Legal Bodies
• Council of Europe Cyber-Crime Convention
  – Opened for signature 23 November 2001 (Budapest)
  – Creates an international framework, including a 24/7 network of national points of contact, to oversee a range of security functions associated with Internet activities
  – Standardizes technology laws across international borders
  – Attempts to improve the effectiveness of international investigations into breaches of technology law
• The Convention is well received by advocates of intellectual property rights because of its emphasis on copyright infringement prosecution

The EU "Data Directive"
• Directive 95/46/EC
  – Adopted 24 October 1995
  – Effective October 1998
• Intense negotiations between the EC and the US
• Some data is exempt
  – National defense/security
  – Public safety
Key Elements of the Directive
• Broad definition of "personal data"
  – Essentially ANY information relating to an identified or identifiable "natural person"
• Broad definition of "processing"
• Requires "unambiguous consent" of the subject (or another lawful basis for processing)
• Principles for data quality
  – Guaranteed right of access (and right to object)
• Right not to be subject to decisions based solely on "automated" processing
• Confidentiality and security

Potential Impacts
• Mainframes, client/server systems
• Intranet/extranet
• E-mail
• Telecopies (fax)
• Notebook/laptop computers
• PDAs
• World Wide Web

Business Sectors Involved
• Financial
• Educational institutions
• Media (radio, TV, newspapers, web sites)
• Pharmaceuticals/medical
• Business/leisure travel
• Telephone/data networks
• Non-profit organizations
• ISPs

Business Functions Affected
• Human resources (record keeping, etc.)
• Auditing and accounting
• Business consulting
• Call centers
• Customer service centers
• Etc., etc., etc.

Other Countries Considering the EU Approach
• Iceland
• Liechtenstein
• Monaco
• Norway
• Russia
• Switzerland
• New Zealand
• Australia
• Hong Kong
• Canada
• Japan
• Others (?)

US "Safe Harbor" Agreement
• Adequacy decision adopted by the EC on 26 July 2000
• Narrowly averted a trade war
• Applies to companies regulated by
  – Federal Trade Commission
  – Department of Transportation
• Department of Commerce has oversight
• Essentially voluntary and self-enforcing
  – Participant list is available on-line at http://web.ita.doc.gov (~650 companies)

European Directive 2006/24/EC
• "Data Retention Directive", 15 March 2006
• Public communications networks
  – "Traffic data" to identify the user (not content)
  – Telephone calls or call attempts
  • Voice, voice mail, conference calls, data calls, call forwarding, call transfer, messaging, SMS, etc.
  – Internet user ID
  – Cell user ID
• Retain for 6 to 24 months
Europe to US Air Travel
• Original plan from 2004 was annulled by the European Court of Justice
• New agreement effective January 2008
  – Airlines must transmit PNR (19 data fields) to DHS 72 hours prior to departure
  • No-match PNR kept for seven days
  • False-positive match kept for seven years
  • Confirmed match kept for 99 years (I ask, on what kind of storage media??)
  – Use limited to counterterrorism, serious crimes, public health emergencies, flight from custody

Digital Millennium Copyright Act (DMCA) of 1998
• Implements two 1996 WIPO treaties acknowledged by the US: the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty
• Sits within the wider international copyright protection framework
  – Berne Convention
  – Trade-Related Aspects of Intellectual Property Rights (TRIPS)
  • Copyright, patents, trademarks, trade secrets, industrial designs, integrated circuit layouts

The United Nations Charter
• Provides for information security during information warfare
  – Use of IT to conduct lawful military offensive operations by a sovereign state
• EW/IW has a long history
  – Jamming
  – Intercepting
  • Encryption as the countermeasure
  – Spoofing

OECD Security Guidelines
• Awareness of the need for security of ICT systems ("Culture of Security")
• Participants are responsible for the security of ICT systems and networks
• Respond in a timely and co-operative manner to security incidents
• Respect the legitimate interests of others
• Compatible with essential elements of a democratic society

OECD Security Guidelines (2)
• Participants should conduct regular risk assessments
• Incorporate security as an essential element of ICT systems
• Adopt a comprehensive approach to security management
• Review and reassess – modify policies, practices and procedures as appropriate
Policy Versus Law
• Most organizations develop and formalize a body of expectations called policy
• Policies function in an organization like laws
• Violations may be pursued administratively or via litigation

Enforcing Policy
• For a policy to become enforceable, it must be:
  – Distributed to all individuals who are expected to comply with it
  – Readily available for employee reference
  – Easily understood, with multi-language translations and translations for visually impaired or literacy-impaired employees
  – Acknowledged by the employee, usually by means of a signed consent form
• ALL four conditions must be met for the organization to have a reasonable expectation of effective policy

Ethical Concepts in Information Security
The Ten Commandments of Computer Ethics, from the Computer Ethics Institute:
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Cultural Differences in Ethical Concepts
• Differences in cultures cause problems in determining what is ethical and what is not ethical
• Studies of ethical sensitivity to computer use reveal that different ethnic groups/nationalities have different perspectives
• Difficulties arise when one nationality's ethical behavior contradicts that of another national group (e.g., multi-national corporations)

Ethics and Education
• Employees must be trained and kept aware of topics related to information security, including the expected behaviors of an ethical employee
• Especially important in areas of information security, as many employees may not have the formal technical training to understand that their behavior is unethical or even illegal
• Proper ethical and legal training is vital to creating an informed, well-prepared, and low-risk system user

Deterrence to Unethical and Illegal Behavior
• Deterrence – preventing an illegal or unethical activity
  – Laws, policies, and technical controls
• Laws and policies only deter if three conditions are present:
  – Fear of penalty
  – Probability of being caught
  – Probability of the penalty being administered

Codes of Ethics, Certifications, and Professional Organizations
• Many organizations have codes of conduct and/or codes of ethics
• Codes of ethics can have a positive effect
• Unfortunately, just having a code of ethics is not enough
• It is the responsibility of security professionals to act ethically and according to the policies and procedures of their employer, their professional organization, and the laws of society
Association for Computing Machinery
• The ACM is a respected professional society – originally established in 1947 as "the world's first educational and scientific computing society"
• The ACM's code of ethics requires members to perform their duties in a manner befitting an ethical computing professional
• The code contains specific references to protecting the confidentiality of information, causing no harm, protecting the privacy of others, and respecting the intellectual property and copyrights of others

International Information Systems Security Certification Consortium
• (ISC)2 is a non-profit organization
  – Focuses on the development and implementation of information security certifications and credentials
• The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned a certification from (ISC)2
• This code focuses on four mandatory canons:
  – Protect society, the commonwealth, and the infrastructure
  – Act honorably, honestly, justly, responsibly, and legally
  – Provide diligent and competent service to principals
  – Advance and protect the profession

SANS Institute
• The SANS (SysAdmin, Audit, Network, Security) Institute is a professional organization with a large membership dedicated to the protection of information and systems
• SANS offers a set of certifications called the Global Information Assurance Certification, or GIAC
Information Systems Audit and Control Association
• Professional association with a focus on auditing, control, and security
• Although it does not focus exclusively on information security, the Certified Information Systems Auditor (CISA) certification does contain many information security components
• ISACA also has a code of ethics for its professionals
• It requires many of the same high standards for ethical performance as the other organizations and certifications

CSI – Computer Security Institute
• Provides information and certification to support the computer, networking, and information security professional
• While CSI does not promote a single certification like the CISSP or GISO, it does provide a range of technical training classes in the areas of Internet security, intrusion management, network security, and forensics, as well as technical networking

Other Security Organizations
• Information Systems Security Association (ISSA)
• Internet Society (ISOC)
• Computer Security Division (CSD) of the National Institute of Standards and Technology (NIST)
  – Contains a resource center known as the Computer Security Resource Center – one of the most comprehensive sets of publicly available information on the entire suite of information security topics
• CERT Coordination Center (CERT/CC) is a center of Internet security expertise operated by Carnegie Mellon University
• Computer Professionals for Social Responsibility (CPSR) promotes the development of ethical computing

Key US Federal Agencies
• The Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) (www.nipc.gov)
  – NIPC's functions were transferred to the Department of Homeland Security in 2003
  – National InfraGard Program (remains an FBI partnership)
• National Security Agency (NSA)
  – The NSA is "the Nation's cryptologic organization"
• The U.S. Secret Service
Organizational Liability and the Need for Counsel
• Liability is the legal obligation of an entity
• Liability extends beyond a legal obligation or contract to include liability for a wrongful act and the legal obligation to make restitution
• Liability increases if an organization fails to take the reasonable protective measures known as "due care"
• "Due diligence" requires that an organization make a valid effort to protect others and continually maintain this level of effort

Due Care Theory
• The seller has a duty to exercise due care to protect consumers from harm that the seller can reasonably foresee
• The organization ensures that every employee knows what is acceptable or not acceptable behavior – and knows the consequences of unethical or illegal behavior

Due Care in Action
• Buyers and sellers don't meet as equals
  – Sellers have better knowledge and expertise
  – Buyers are in a vulnerable situation
• The seller should protect consumers by:
  – Design
  – Choice of materials/software
  – Quality control
  – Warnings, labels, and instructions
• Failure by a seller to exercise due care is considered to be negligence

Due Diligence
• Make a valid effort to protect others
  – A continuous, ongoing process
• With the Internet, the potential for harm is worldwide
• "Long-arm jurisdiction"
  – A court's right to hear a case if the wrong was committed in its territory, or involved its citizens
• Trial in the injured party's home area invariably favors the injured party

Due Diligence (FDIC example)
• Management is responsible for verifying compliance of all COTS and vendor-supplied software
  – Assure compliance with ALL laws and regulations (Bank Secrecy Act, PATRIOT Act, Money Laundering Control Act, etc.)
• Evaluate and confirm compliance prior to purchase
• Financial institution management remains responsible even if the software fails to perform
P2P Due Diligence (LimeWire)
• The CEO said he "was not aware of the extent of security problems . . ."
• Classified military orders, corporate accounting documents, terrorist threat assessments, tax returns, etc. were found exposed on the network
• US Patent and Trademark Office report:
  – "Stunning to see features that are incredibly easy to misuse"
• Could be liable for thousands of lawsuits