Chapter 24 Outline
I.
Import/Export Encryption Restrictions
A. Governments control encryption technology for various reasons. The level of
control varies from outright banning to little or no regulation. Control over
import and export is a vital method of maintaining a level of control over
encryption technology.
B. A majority of the laws and restrictions exists for cryptography, which was until
recently a military issue. The advent of commercial transactions and network
communications over public networks such as the Internet has expanded the use
of cryptographic methods to include securing of network communications.
C. United States Law.
1.
Export controls on commercial encryption products are administered by the
Bureau of Industry and Security (BIS) in the U.S. Department of
Commerce.
a)
Rules governing exports of encryption are found in the Export
Administration Regulations (EAR), 15 C.F.R. Parts 730–774.
b) Sections 740.13, 740.17, and 742.15 are the principal references for the
export of encryption items.
2.
Until recently, encryption protection was accorded the same level of
attention as the export of weapons for war.
a)
With the rise of the Internet, widespread personal computing, and the
need for secure connections for e-commerce, this position has relaxed
somewhat.
b) The United States updated its encryption export regulations to provide
treatment consistent with regulations adopted by the European Union
(EU), easing export and re-export restrictions among the 15 EU
member states and Australia, the Czech Republic, Hungary, Japan,
New Zealand, Norway, Poland, and Switzerland.
c)
The member nations of the Wassenaar Arrangement agreed to remove
key length restrictions on encryption hardware and software that is
subject to certain reasonable levels of encryption strength. This
effectively removed "mass market" encryption products from the list of
dual-use items controlled by the Wassenaar Arrangement.
3.
The U.S. encryption export control policy rests on three principles: review
of encryption products prior to sale, streamlined post-export reporting, and
license review of certain exports of strong encryption to foreign government
end users.
4.
The current set of U.S. rules requires notification to the BIS for export in all
cases, but the restrictions are significantly lessened for “Mass Market”
products as defined by the following:
a)
They are generally available to the public by being sold, without
restriction, from stock at retail selling points such as over-the-counter
transactions, mail-order transactions, electronic transactions, and
telephone call transactions.
b) The cryptographic functionality cannot be easily changed by users.
c)
They are designed for installation by users without further substantial
support by the supplier.
d) When necessary, details of the items are accessible and will be
provided, upon request, to the appropriate authority in the exporter's
country to ascertain compliance with export regulations.
5.
Mass-market commodities and software employing a key length greater
than 64 bits for the symmetric algorithm must be reviewed in accordance
with BIS regulations. Restrictions on exports by U.S. persons to terroristsupporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria),
their nationals, and other sanctioned entities are not changed by this rule.
D. Non-U.S. laws.
1.
Export control rules for encryption technologies fall under the Wassenaar
Arrangement. It is an international arrangement on export controls for
conventional arms and dual-use goods and technologies.
a)
The Wassenaar Arrangement contributes to regional and international
security and stability. It promotes transparency and greater
responsibility in transfers of conventional arms and dual-use goods and
technologies, thus preventing destabilizing accumulations.
b) Other participating states seek, to ensure that transfers of these items do
not contribute to the development or enhancement of military
capabilities that undermine these goals, and are not diverted to support
such capabilities.
2.
Many nations have more restrictive policies than those agreed upon as part
of the Wassenaar Arrangement. Australia, New Zealand, United States,
France, and Russia go further than required under Wassenaar and restrict
general-purpose cryptographic software as dual-use goods through national
laws.
II. Digital Signature Laws
A. On October 1, 2000, the Electronic Signatures in Global and National
Commerce Act (commonly called the E-Sign law) went into effect in the United
States.
1.
This law implements a simple principle – a signature, contract, or other
record may not be denied legal effect, validity, or enforceability solely
because it is in an electronic form.
2.
Another source of law on digital signatures is the National Conference of
Commissioners on Uniform State Laws' Uniform Electronic Transactions
Act (UETA), which has been adopted in over 20 states.
B. From a practical standpoint, the existence of the E-Sign law and UETA has
enabled e-commerce transactions to proceed, and the resolution of the technical
details via court actions will probably have little effect on consumers.
C. Non-U.S. laws.
1.
The UN General Assembly adopted the United Nations Commission on
International Trade Law (UNCITRAL) Model Law on Electronic
Signatures.
2.
These laws have become the basis for many national and international
efforts in this area.
a)
Canada.
(1) Canada adopted a national model bill for electronic signatures to
promote e-commerce. The bill, called the Uniform Electronic
Commerce Act (UECA), allows the use of electronic signatures
in communications with the government.
(2) The law contains general provisions for the equivalence between
traditional and electronic signatures (source: BNA ECLR, May
27, 1998, p. 700) and is modeled after the UNCITRAL Model
Law on E-Commerce (source: BNA ECLR, September 13, 2000,
p. 918).
(3) The UECA is similar to Bill C-54 in authorizing governments to
use electronic technology to deliver services and communicate
with citizens.
b) Individual Canadian provinces have passed similar legislation defining
digital signature provisions for e-commerce and government use.
(1) These laws are modeled after the UNCITRAL Model Law on ECommerce to enable widespread use of e-commerce transactions.
(2) These laws have also modified the methods of interactions
between the citizens and the government, enabling electronic
communication in addition to previous forms.
c)
The EU.
(1) The European Commission adopted a Communication on Digital
Signatures and Encryption: “Towards a European Framework for
Digital Signatures and Encryption.” This communication states
that a common framework at the EU level is urgently needed to
stimulate “the free circulation of digital signature-related
products and services within the Internal market” and “the
development of new economic activities linked to electronic
commerce.” The communication also states that a common
framework is needed “to facilitate the use of digital signatures
across national borders.” Community legislation should address
common legal requirements for CAs, legal recognition of digital
signatures, and international cooperation.
(2) On May 4, 2000, the European Parliament and Council approved
the common position adopted by the Council.
(3) In June 2000, the final version of the directive, Directive
2000/31/EC, was adopted.
(4) To implement the articles contained in the directive, member
states will have to remove barriers, such as legal form
requirements, to electronic contracting, leading to uniform digital
signature laws across the EU.
III. Digital Rights Management
A. The Digital Millennium Copyright Act (DMCA) was enacted on October 20,
1998. The section of the law making it illegal to develop, produce, and trade any
device or mechanism designed to circumvent technological controls used in
copy protection has drawn considerable comment and criticism.
B. The methods used in most cases are cryptographic in nature, and this provision
had the ability to eliminate and/or severely limit research into encryption, and
the strengths and weaknesses of specific methods.
1.
A provision, Section 1201(g) of the Digital Millennium Copyright Act, was
included to provide for specific relief and allow exemptions for legitimate
research.
2.
The act has specific exemptions for research, provided the following four
elements are satisfied:
a)
The person lawfully obtained the encrypted copy, phonorecord,
performance, or display of the published work.
b) Such act is necessary to conduct such encryption research.
c)
The person made a good faith effort to obtain authorization before the
circumvention.
d) Such act does not constitute infringement under this title or a violation
of applicable law other than this section, including section 1030 of title
18 and those provisions of title 18 amended by the Computer Fraud and
Abuse Act of 1986.
IV. Privacy Laws
A. Governments in Europe and the United States have taken different approaches in
attempts to control privacy via legislation.
B. United States Laws.
1.
The Electronic Communications Privacy Act (ECPA) of 1986 was passed
by Congress and signed by President Ronald Reagan to address legal
privacy issues resulting from the increasing use of computers and other
technology specific to telecommunications.
a)
Sections of this law addressed e-mail, cellular communications,
workplace privacy, and other issues related to communicating
electronically.
b) A major provision was the prohibition against an employer's
monitoring an employee's computer usage, including e-mail, unless
consent is obtained.
c)
Other legal provisions protect electronic communications from wiretap
and outside eavesdropping, as users were assumed to have a reasonable
expectation of privacy and afforded protection under the Fourth
Amendment to the Constitution.
2.
A common practice with respect to computer access today is the use of a
warning banner which is typically displayed whenever a network
connection occurs and serves the following four purposes.
a)
They establish the level of expected privacy (usually none on a
business system) and serve as consent to real-time monitoring from a
business standpoint.
b) The banner tells the user that their connection to the network signals
their consent to monitoring.
c)
Consent can also be obtained to look at files and records.
(1) In the case of government systems, consent is needed to prevent
direct application of the Fourth Amendment.
d) The warning banner can establish the system or network administrator's
common authority to consent a law enforcement search.
3.
The Patriot Act of 2001, passed in response to the September 11 terrorist
attack on the World Trade Center buildings in New York, substantially
changed the levels of checks and balances in laws related to privacy in the
United States.
a)
This law extended the tap and trace provisions of existing wiretap
statutes to the Internet. The law mandated certain technological
modifications at ISPs to facilitate electronic wiretaps on the Internet.
b) The Act also permits the Justice Department to proceed with its rollout
of the Carnivore program, an eavesdropping program for the Internet.
c)
The Patriot Act also permits federal law enforcement personnel to
investigate computer trespass (intrusions) and enacts civil penalties for
trespassers.
4.
In November 1999, President Clinton signed the Gramm-Leach-Bliley
(GLB) Act, a major piece of legislation affecting the financial industry, and
also one with significant privacy provisions for individuals.
a)
The key privacy tenets enacted in GLB included the establishment of
an opt-out method for individuals to maintain some control over the use
of the information provided in a business transaction with a member of
the financial community.
b) GLB is enacted through a series of rules governed by state law, federal
law, securities law, and federal rules.
c)
Some internal information sharing is required under the Fair Credit
Reporting Act (FCRA) between affiliated companies, but GLB ended
sharing to external third-party firms.
5.
Identity privacy and the establishment of identity theft crimes is governed
by the Identity Theft and Assumption Deterrence Act, which makes it a
violation of the federal law to use another's identity knowingly—identity
theft.
a)
The collection of information necessary to do this is also governed by
GLB, which makes it illegal for someone to gather identity information
under false pretenses.
b) Student records have even further protections under the Family
Education Records and Privacy Act of 1974.
6.
On December 4, 2003, President Bush signed into law the Fair and
Accurate Credit Transactions Act of 2003 which includes several major
identity-theft provisions.
a)
These provisions are designed to be consumer-friendly and include a
free credit report annually.
b) They require merchants to leave all but the last five digits of a credit
card number off store receipts.
c)
They establish a national system of fraud detection allowing consumers
to have a single number to call to receive advice, set off a nationwide
fraud alert, and protect their credit standing.
7.
Medical and health information also has privacy implications, which is why
the U.S. Congress enacted the Health Insurance Portability &
Accountability Act (HIPAA) of 1996. HIPAA calls for sweeping changes in
the way health and medical data is stored, exchanged, and used.
a)
From a privacy perspective, significant restrictions of data transfers to
ensure privacy are included in HIPAA, including security standards and
electronic signature provisions.
b) HIPAA security standards mandate a uniform level of protections
regarding all health information that pertains to an individual and is
housed or transmitted electronically.
c)
The standard mandates safeguard physical storage, maintenance,
transmission, and access to individuals' health information.
d) HIPAA mandates that organizations using electronic signatures will
have to meet standards ensuring information integrity, signer
authentication, and nonrepudiation.
8.
The latest movement in U.S. personal privacy with respect to computer
records was started with California Senate Bill 1386 (SB1386). This law
was designed to help users to fight identity theft through early notification
of the loss of control of personal information stored in computer systems. It
was designed to force firms to notify users whenever their personal
information has become compromised.
C. European laws.
1.
The governments of Europe have developed a comprehensive concept of
privacy administered via a set of statutes known as data protection laws.
a)
These privacy statutes cover all personal data, whether collected and
used by the government or private firms.
b) These laws are administered by state and national data protection
agencies in each country.
2.
Privacy laws in Europe are built around the concept that privacy is a
fundamental human right that demands protection through government
administration.
a)
The Data Protection Directive, adopted by EU members has a provision
allowing the European Commission to block transfers of personal data
to any country outside the EU that has been determined to lack
adequate data protection policies.
b) The differences in approach between the United States and the EU with
respect to data protection lead to the EU expressing concern about the
adequacy of data protection in the United States, a move that could
pave the way to the blocking of data transfers.
c)
After negotiation, it was determined that U.S. organizations that
voluntarily joined an arrangement known as Safe Harbor would be
considered adequate in terms of data protection.
(1) Safe Harbor is a mechanism for self-regulation that can be
enforced through trade practice law via the Federal Trade
Commission (FTC).
(2) A business joining the Safe Harbor Consortium must make
commitments to abide by specific guidelines concerning privacy
and also agree to be governed by certain self-enforced regulatory
mechanisms, backed ultimately by FTC action.
3.
Another major difference between U.S. and European regulation lies in
where the right of control is exercised. In European directives, the right of
control over privacy is balanced in such a way as to favor consumers.
a)
The default privacy setting is deemed to be the highest level of data
privacy, and users have to opt in to share information.
b) This default setting is a cornerstone of the EU Data Protection
Directive and is enforced through national laws in all member nations.
V. Computer Trespass
A. Computer trespass is the unauthorized entry into a computer system via any
means, including remote network connections. This has led to a new area of law
that has both national and international consequences.
1.
For crimes that are committed within a country's borders, national laws
apply.
2.
For cross-border crimes, international laws and international treaties are the
norm.
3.
Enforcement actions stemming from these agreements have been rare, with
most actions employing national laws where applicable.
B. Computer trespass is treated as a crime in many countries and national laws
exist in many countries, including the EU, Canada, and the United States.
1.
These laws vary by state, but they all have similar provisions defining the
unauthorized entry into and use of computer resources as a crime.
2.
Whether called computer mischief as in Canada, or computer trespass as in
the United States, unauthorized entry and use of computer resources is a
crime with significant punishments under any of these laws.
C. Convention on cybercrime.
1.
The Convention on Cybercrime is the first international treaty on crimes
committed via the Internet and other computer networks.
a)
The Convention is the product of four years of work by the Council of
Europe experts, and also by the United States, Canada, Japan, and other
countries that are not members of the organization of the member states
of the European Council.
b) Currently, the convention is a draft treaty, ratified by only two
members, and a total of five members must ratify it for it to become
law.
2.
The main objective of the convention, set out in the preamble, is to pursue a
common criminal policy aimed at protecting the society against cybercrime,
especially by adopting appropriate legislation and fostering international
cooperation.
3.
The convention deals particularly with infringements of copyright,
computer-related fraud, child pornography, and violations of network
security.
VI. Ethics
A. Following some major lapses in senior executive ethical behavior, Congress
passed the Sarbanes-Oxley Act in 2002.
1.
This law was targeted at stemming a series of financial reporting
irregularities at the highest levels of corporate leadership. Although aimed
at the senior executive’s abuse of financial reporting systems, as these
systems are major IT components of a firm, the inclusion of IT becomes a
de facto standard event.
2.
Should tampering with electronic records that allow a company to perform
accurate financial reporting occur, there is a potential for a violation under
this statute.
3.
Sarbanes-Oxley has significant ramifications through the chain of
information used to report the current state of corporate financial
conditions.
a)
Controls and oversight over all processes used to produce financial
reports must include aspects of the Enterprise Resource Planning (ERP)
software and the business processes surrounding how it performs its
specific functions in the enterprise.
b) Validation and verification of results from this software-driven process
are subject to review and given the complexity of the process, reviews
and audits of IS processes can be used for monitoring compliance.