Chapter 24 Outline

I. Import/Export Encryption Restrictions

  A. Governments control encryption technology for various reasons. The level of control varies from outright banning to little or no regulation. Control over import and export is a vital method of maintaining a level of control over encryption technology.

  B. A majority of the laws and restrictions exist for cryptography, which was until recently a military issue. The advent of commercial transactions and network communications over public networks such as the Internet has expanded the use of cryptographic methods to include the securing of network communications.

  C. United States law.
    1. Export controls on commercial encryption products are administered by the Bureau of Industry and Security (BIS) in the U.S. Department of Commerce.
      a) Rules governing exports of encryption are found in the Export Administration Regulations (EAR), 15 C.F.R. Parts 730–774.
      b) Sections 740.13, 740.17, and 742.15 are the principal references for the export of encryption items.
    2. Until recently, encryption protection was accorded the same level of attention as the export of weapons for war.
      a) With the rise of the Internet, widespread personal computing, and the need for secure connections for e-commerce, this position has relaxed somewhat.
      b) The United States updated its encryption export regulations to provide treatment consistent with regulations adopted by the European Union (EU), easing export and re-export restrictions among the 15 EU member states and Australia, the Czech Republic, Hungary, Japan, New Zealand, Norway, Poland, and Switzerland.
      c) The member nations of the Wassenaar Arrangement agreed to remove key length restrictions on encryption hardware and software that is subject to certain reasonable levels of encryption strength. This effectively removed "mass market" encryption products from the list of dual-use items controlled by the Wassenaar Arrangement.
    3. The U.S. encryption export control policy rests on three principles: review of encryption products prior to sale, streamlined post-export reporting, and license review of certain exports of strong encryption to foreign government end users.
    4. The current set of U.S. rules requires notification to the BIS for export in all cases, but the restrictions are significantly lessened for "Mass Market" products, defined as follows:
      a) They are generally available to the public by being sold, without restriction, from stock at retail selling points such as over-the-counter transactions, mail-order transactions, electronic transactions, and telephone call transactions.
      b) The cryptographic functionality cannot be easily changed by users.
      c) They are designed for installation by users without further substantial support by the supplier.
      d) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country to ascertain compliance with export regulations.
    5. Mass-market commodities and software employing a key length greater than 64 bits for the symmetric algorithm must be reviewed in accordance with BIS regulations. Restrictions on exports by U.S. persons to terrorist-supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria), their nationals, and other sanctioned entities are not changed by this rule.

  D. Non-U.S. laws.
    1. Export control rules for encryption technologies fall under the Wassenaar Arrangement, an international arrangement on export controls for conventional arms and dual-use goods and technologies.
      a) The Wassenaar Arrangement contributes to regional and international security and stability. It promotes transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.
      b) Other participating states seek to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities that undermine these goals, and are not diverted to support such capabilities.
    2. Many nations have more restrictive policies than those agreed upon as part of the Wassenaar Arrangement. Australia, New Zealand, the United States, France, and Russia go further than required under Wassenaar and restrict general-purpose cryptographic software as dual-use goods through national laws.

II. Digital Signature Laws

  A. On October 1, 2000, the Electronic Signatures in Global and National Commerce Act (commonly called the E-Sign law) went into effect in the United States.
    1. This law implements a simple principle: a signature, contract, or other record may not be denied legal effect, validity, or enforceability solely because it is in an electronic form.
    2. Another source of law on digital signatures is the National Conference of Commissioners on Uniform State Laws' Uniform Electronic Transactions Act (UETA), which has been adopted in over 20 states.
  B. From a practical standpoint, the existence of the E-Sign law and UETA has enabled e-commerce transactions to proceed, and the resolution of the technical details via court actions will probably have little effect on consumers.
  C. Non-U.S. laws.
    1. The UN General Assembly adopted the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.
    2. These laws have become the basis for many national and international efforts in this area.
      a) Canada.
        (1) Canada adopted a national model bill for electronic signatures to promote e-commerce. The bill, called the Uniform Electronic Commerce Act (UECA), allows the use of electronic signatures in communications with the government.
        (2) The law contains general provisions for the equivalence between traditional and electronic signatures (source: BNA ECLR, May 27, 1998, p. 700) and is modeled after the UNCITRAL Model Law on E-Commerce (source: BNA ECLR, September 13, 2000, p. 918).
        (3) The UECA is similar to Bill C-54 in authorizing governments to use electronic technology to deliver services and communicate with citizens.
      b) Individual Canadian provinces have passed similar legislation defining digital signature provisions for e-commerce and government use.
        (1) These laws are modeled after the UNCITRAL Model Law on E-Commerce to enable widespread use of e-commerce transactions.
        (2) These laws have also modified the methods of interaction between citizens and the government, enabling electronic communication in addition to previous forms.
      c) The EU.
        (1) The European Commission adopted a Communication on Digital Signatures and Encryption: “Towards a European Framework for Digital Signatures and Encryption.” This communication states that a common framework at the EU level is urgently needed to stimulate “the free circulation of digital signature-related products and services within the Internal market” and “the development of new economic activities linked to electronic commerce.” The communication also states that a common framework is needed “to facilitate the use of digital signatures across national borders.” Community legislation should address common legal requirements for CAs, legal recognition of digital signatures, and international cooperation.
        (2) On May 4, 2000, the European Parliament and Council approved the common position adopted by the Council.
        (3) In June 2000, the final version of the directive, Directive 2000/31/EC, was adopted.
        (4) To implement the articles contained in the directive, member states will have to remove barriers, such as legal form requirements, to electronic contracting, leading to uniform digital signature laws across the EU.

III. Digital Rights Management

  A. The Digital Millennium Copyright Act (DMCA) was enacted on October 20, 1998.
     The section of the law making it illegal to develop, produce, and trade any device or mechanism designed to circumvent technological controls used in copy protection has drawn considerable comment and criticism.
  B. The methods used in most cases are cryptographic in nature, and this provision had the potential to eliminate or severely limit research into encryption and into the strengths and weaknesses of specific methods.
    1. A provision, Section 1201(g) of the Digital Millennium Copyright Act, was included to provide for specific relief and allow exemptions for legitimate research.
    2. The act has specific exemptions for research, provided the following four elements are satisfied:
      a) The person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work.
      b) Such act is necessary to conduct such encryption research.
      c) The person made a good faith effort to obtain authorization before the circumvention.
      d) Such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

IV. Privacy Laws

  A. Governments in Europe and the United States have taken different approaches in attempts to control privacy via legislation.
  B. United States laws.
    1. The Electronic Communications Privacy Act (ECPA) of 1986 was passed by Congress and signed by President Ronald Reagan to address legal privacy issues resulting from the increasing use of computers and other technology specific to telecommunications.
      a) Sections of this law addressed e-mail, cellular communications, workplace privacy, and other issues related to communicating electronically.
      b) A major provision was the prohibition against an employer's monitoring an employee's computer usage, including e-mail, unless consent is obtained.
      c) Other legal provisions protect electronic communications from wiretap and outside eavesdropping, as users were assumed to have a reasonable expectation of privacy and afforded protection under the Fourth Amendment to the Constitution.
    2. A common practice with respect to computer access today is the use of a warning banner, which is typically displayed whenever a network connection occurs and serves the following four purposes:
      a) It establishes the level of expected privacy (usually none on a business system) and serves as consent to real-time monitoring from a business standpoint.
      b) It tells the user that their connection to the network signals their consent to monitoring.
      c) Consent can also be obtained to look at files and records.
        (1) In the case of government systems, consent is needed to prevent direct application of the Fourth Amendment.
      d) The warning banner can establish the system or network administrator's common authority to consent to a law enforcement search.
    3. The Patriot Act of 2001, passed in response to the September 11 terrorist attack on the World Trade Center buildings in New York, substantially changed the levels of checks and balances in laws related to privacy in the United States.
      a) This law extended the tap and trace provisions of existing wiretap statutes to the Internet. The law mandated certain technological modifications at ISPs to facilitate electronic wiretaps on the Internet.
      b) The Act also permits the Justice Department to proceed with its rollout of the Carnivore program, an eavesdropping program for the Internet.
      c) The Patriot Act also permits federal law enforcement personnel to investigate computer trespass (intrusions) and enacts civil penalties for trespassers.
    4. In November 1999, President Clinton signed the Gramm-Leach-Bliley (GLB) Act, a major piece of legislation affecting the financial industry, and also one with significant privacy provisions for individuals.
      a) The key privacy tenets enacted in GLB included the establishment of an opt-out method for individuals to maintain some control over the use of the information provided in a business transaction with a member of the financial community.
      b) GLB is enacted through a series of rules governed by state law, federal law, securities law, and federal rules.
      c) Some internal information sharing is required under the Fair Credit Reporting Act (FCRA) between affiliated companies, but GLB ended sharing to external third-party firms.
    5. Identity privacy and the establishment of identity theft crimes are governed by the Identity Theft and Assumption Deterrence Act, which makes it a violation of federal law to knowingly use another's identity (identity theft).
      a) The collection of information necessary to do this is also governed by GLB, which makes it illegal for someone to gather identity information under false pretenses.
      b) Student records have even further protections under the Family Education Records and Privacy Act of 1974.
    6. On December 4, 2003, President Bush signed into law the Fair and Accurate Credit Transactions Act of 2003, which includes several major identity-theft provisions.
      a) These provisions are designed to be consumer-friendly and include a free credit report annually.
      b) They require merchants to leave all but the last five digits of a credit card number off store receipts.
      c) They establish a national system of fraud detection allowing consumers to have a single number to call to receive advice, set off a nationwide fraud alert, and protect their credit standing.
    7. Medical and health information also has privacy implications, which is why the U.S. Congress enacted the Health Insurance Portability & Accountability Act (HIPAA) of 1996. HIPAA calls for sweeping changes in the way health and medical data is stored, exchanged, and used.
      a) From a privacy perspective, HIPAA includes significant restrictions on data transfers to ensure privacy, including security standards and electronic signature provisions.
      b) HIPAA security standards mandate a uniform level of protection for all health information that pertains to an individual and is housed or transmitted electronically.
      c) The standard mandates safeguards for the physical storage, maintenance, and transmission of, and access to, individuals' health information.
      d) HIPAA mandates that organizations using electronic signatures will have to meet standards ensuring information integrity, signer authentication, and nonrepudiation.
    8. The latest movement in U.S. personal privacy with respect to computer records was started with California Senate Bill 1386 (SB1386). This law was designed to help users fight identity theft through early notification of the loss of control of personal information stored in computer systems. It was designed to force firms to notify users whenever their personal information has been compromised.
  C. European laws.
    1. The governments of Europe have developed a comprehensive concept of privacy administered via a set of statutes known as data protection laws.
      a) These privacy statutes cover all personal data, whether collected and used by the government or by private firms.
      b) These laws are administered by state and national data protection agencies in each country.
    2. Privacy laws in Europe are built around the concept that privacy is a fundamental human right that demands protection through government administration.
      a) The Data Protection Directive, adopted by EU members, has a provision allowing the European Commission to block transfers of personal data to any country outside the EU that has been determined to lack adequate data protection policies.
      b) The differences in approach between the United States and the EU with respect to data protection led the EU to express concern about the adequacy of data protection in the United States, a move that could pave the way to the blocking of data transfers.
      c) After negotiation, it was determined that U.S. organizations that voluntarily joined an arrangement known as Safe Harbor would be considered adequate in terms of data protection.
        (1) Safe Harbor is a mechanism for self-regulation that can be enforced through trade practice law via the Federal Trade Commission (FTC).
        (2) A business joining the Safe Harbor Consortium must make commitments to abide by specific guidelines concerning privacy and also agree to be governed by certain self-enforced regulatory mechanisms, backed ultimately by FTC action.
    3. Another major difference between U.S. and European regulation lies in where the right of control is exercised. In European directives, the right of control over privacy is balanced in such a way as to favor consumers.
      a) The default privacy setting is deemed to be the highest level of data privacy, and users have to opt in to share information.
      b) This default setting is a cornerstone of the EU Data Protection Directive and is enforced through national laws in all member nations.

V. Computer Trespass

  A. Computer trespass is the unauthorized entry into a computer system via any means, including remote network connections. This has led to a new area of law that has both national and international consequences.
    1. For crimes that are committed within a country's borders, national laws apply.
    2. For cross-border crimes, international laws and international treaties are the norm.
    3. Enforcement actions stemming from these agreements have been rare, with most actions employing national laws where applicable.
  B. Computer trespass is treated as a crime in many countries, and national laws exist in many jurisdictions, including the EU, Canada, and the United States.
    1. These laws vary by state, but they all have similar provisions defining the unauthorized entry into and use of computer resources as a crime.
    2. Whether called computer mischief, as in Canada, or computer trespass, as in the United States, unauthorized entry and use of computer resources is a crime with significant punishments under any of these laws.
  C. Convention on Cybercrime.
    1. The Convention on Cybercrime is the first international treaty on crimes committed via the Internet and other computer networks.
      a) The Convention is the product of four years of work by Council of Europe experts, together with the United States, Canada, Japan, and other countries that are not members of the Council of Europe.
      b) Currently, the convention is a draft treaty, ratified by only two members, and a total of five members must ratify it for it to become law.
    2. The main objective of the convention, set out in the preamble, is to pursue a common criminal policy aimed at protecting society against cybercrime, especially by adopting appropriate legislation and fostering international cooperation.
    3. The convention deals particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security.

VI. Ethics

  A. Following some major lapses in senior executive ethical behavior, Congress passed the Sarbanes-Oxley Act in 2002.
    1. This law was targeted at stemming a series of financial reporting irregularities at the highest levels of corporate leadership. Although aimed at senior executives' abuse of financial reporting systems, because these systems are major IT components of a firm, IT is effectively included by default.
    2. Should tampering occur with the electronic records that allow a company to perform accurate financial reporting, there is a potential for a violation under this statute.
    3. Sarbanes-Oxley has significant ramifications throughout the chain of information used to report the current state of corporate financial conditions.
      a) Controls and oversight over all processes used to produce financial reports must include aspects of the Enterprise Resource Planning (ERP) software and the business processes surrounding how it performs its specific functions in the enterprise.
      b) Validation and verification of results from this software-driven process are subject to review, and given the complexity of the process, reviews and audits of IS processes can be used for monitoring compliance.