Chapter 9 - Legal, Privacy, and Ethical Issues in Computer Security

Chapter 9 – Legal, Privacy, and Ethical Issues in Computer Security
• Program and data protection by patents, copyrights, and trademarks
• Computer Crime
• Privacy
• Ethical Analysis of computer security situations
• Codes of professional ethics

Motivation for studying legal issues
• Know what protection the law provides for computers and data
• Appreciate laws that protect the rights of others with respect to computers, programs, and data
• Understand existing laws as a basis for recommending new laws to protect computers, programs, and data

Aspects of Protection of the security of computers
• Protecting computing systems against criminals
• Protecting code and data (copyright...)
• Protecting programmers’ and employers’ rights
• Protecting private data about individuals
• Protecting users of programs

Protecting Programs and Data

Copyrights – designed to protect the expression of ideas (not the idea!!!)
• Copyright law of 1978; Digital Millennium Copyright Act of 1998
• Copyright gives the author exclusive right to make copies of the expression and sell them to the public
• “original works of authorship fixed in any tangible medium of expression,… from which they can be perceived, reproduced, or otherwise communicated.”

Copyrights
• Public domain – work owned by the public (e.g. government)
• Work must be original to the author
• “fair use of a copyrighted work, including such use by reproduction in copies…for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship or research.”
• New owner can give away or sell object

Copyright
• Each copy must be marked with the copyright symbol © or the word Copyright, the year and the author’s name
• U.S. copyright lasts for 70 years beyond death of last surviving author or 95 years after publication for a company

Copyright Infringement
• Copyrights for computer software (cannot copyright the algorithm)
• You do not purchase a piece of software, just the license to use it.
• Computer menu design can be copyrighted, but not “look and feel”

Digital Millennium Copyright Act
• Digital objects can be subject to copyright
• Crime to circumvent/disable antipiracy functionality
• Crime to manufacture, sell, or distribute devices that disable antipiracy functionality
• Antipiracy devices can be used for research and educational purposes
• Acceptable to make a backup copy
• Libraries can make up to three copies for lending to other libraries

Patents
• Protect inventions, tangible objects, or ways to make them, not works of the mind.
• Patent designed to protect the device or process for carrying out an idea, not the idea itself.
• Patent goes to person who invented the object first
• Algorithms are inventions and can be patented

Trade Secrets
• Information that gives one company a competitive edge over others
• Reverse engineering – study finished object to determine how it is manufactured or how it works
• Trade secret protection can apply to software

Protection for Computer Objects
• Hardware can be patented
• Firmware (hardware patent; code protected as a trade secret)
• Object code – copyrighted
• Source code – either trade secret or copyright
• Documentation – copyright
• COPYLEFT (http://www.gnu.org/copyleft/copyleft.html#WhatIsCopyleft)

Information and the Law

Information as an Object
• Information is not depletable
• Information can be replicated
• Information has a minimal marginal cost
• Value of information is often time dependent
• Information is often transferred intangibly

Legal Issues Relating to Information
• Information Commerce
  • Copy protection, freeware, controlled distribution, mobile code/applets
• Electronic Publishing
• Protecting Data in a Database (who owns?)
• Electronic Commerce

Protecting Information
• Criminal and Civil Law – statutes
• Tort Law (harm not occurring from violation of a statute or from breach of a contract) – Fraud
• Contract Law (agreement between two parties) – requires
  • Offer
  • Acceptance
  • Consideration

Rights of Employees and Employers
• Ownership of Products
• Ownership of Patent – inventor owns the work
• Ownership of Copyright – author is presumed owner of the work
• Work for hire – “employer has right to patent/copyright if the employee’s job function included inventing the product”
• Trade Secret Protection
• Employment Contracts

Software Failures
• What are the legal issues in selling correct and usable software?
• What are the moral or ethical issues in producing correct and usable software?
• What are the moral or ethical issues in finding, reporting, publicizing, and fixing flaws?

“Responsible” Vulnerability Reporting
• Vendor must acknowledge a vulnerability report confidentially to the reporter
• Vendor must agree that the vulnerability exists (or argue otherwise) to the reporter
• Vendor must inform users of the vulnerability and any available countermeasures within 30 days
• Vendor may request from the reporter a 30-day quiet period to allow users time to install patches
• At the end of the quiet period, vendor and reporter agree upon a release date
• Vendor shall credit reporter with having located the vulnerability

Computer Crime
• Rules of Property
• Rules of Evidence
• Threats to Integrity and Confidentiality
• Value of Data
• Acceptance of Computer Terminology

Computer Crime
• Why Computer Crime is Hard to Define
• Why Computer Crime is Hard to Prosecute
  • Lack of understanding
  • Lack of physical evidence
  • Lack of recognition of assets
  • Lack of political impact
  • Complexity of case
  • Juveniles

2002 Computer Crime and Security Survey – CSI/FBI Report
• Ninety percent of respondents detected computer security breaches within the last twelve months.
• Eighty percent acknowledged financial losses due to computer breaches.
• Forty-four percent (223 respondents) were willing and/or able to quantify their financial losses.
• These 223 respondents reported $455,848,000 in financial losses.
• For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%).
• Thirty-four percent reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting intrusions to law enforcement.)

Examples of Statutes
• U.S. Computer Fraud and Abuse Act (1984)
• U.S. Economic Espionage Act
• U.S. Electronic Funds Transfer Act
• U.S. Freedom of Information Act
• U.S. Privacy Act
• U.S. Electronic Communications Privacy Act
• USA Patriot Act

International Dimensions
Computer Crime

Why Computer Criminals Are Hard to Catch
• No international laws on computer crime
• Complexity of crime

What Computer Crime Does Not Address
• Courts must interpret what a computer is
• Courts must determine the value of the loss

Cryptography and the Law
• Controls on Use of Cryptography
• Controls on Export of Cryptography
• Cryptography and Free Speech
• Cryptographic Key Escrow
  • Clipper, Capstone, Fortezza
• Current Policy (1998)

Privacy
• IDENTITY THEFT
• Threats to privacy
• Aggregation and Data mining
• Poor Security System (due diligence)
• Government Threats
• Computer use
• Societal Goal
• Corporate Rights and Private Business
• Privacy for Sale

Controls Protecting Privacy
• Authentication
• Anonymity (anonymizers)
• Computer Voting
• Pseudonymity (Swiss bank account)
• Legal Controls
  • E.U. Data Protection Act (1998)
  • Gramm-Leach-Bliley Act (1999)
  • HIPAA

Ethical Issues

Difference between law and ethics
• Ethic – objectively defined standard of right and wrong (ethics are personal)

Studying Ethics
• Ethics and Religion
• Ethical Principles are not universal
• Ethics does not provide answers (ethical pluralism)
• Ethical Reasoning

CASE STUDIES OF ETHICS

CODE OF ETHICS
• IEEE (pg. 623)
• ACM (pg. 624)
• Computer Ethics Institute (pg. 625)

Social Engineering
• “we have met the enemy and they are us” – POGO
• Social Engineering – “getting people to do things that they wouldn’t ordinarily do for a stranger” – The Art of Deception, Kevin Mitnick

Controls
• Reduce and contain the risk of security breaches
• “Security is not a product, it’s a process” – Bruce Schneier [Using any security product without understanding what it does, and does not, protect against is a recipe for disaster.]

Education & Misinformation
• SQL Slammer infected through MSDE 2000, a lightweight version of SQL Server installed as part of many applications from Microsoft (e.g. Visio) as well as 3rd parties.
• CodeRed infected primarily desktops from people who didn't know that the "personal" version of IIS was installed.
• Educate programmers and future

Conclusions
• Every organization MUST have a security policy
  • Acceptable use statements
  • Password policy
  • Training / Education
• Conduct a risk analysis to create a baseline for the organization’s security
• Create a cross-functional security team
