EE579T-Class 11B - Electrical & Computer Engineering

EE579T / CS525T
Network Security
11: Legal Issues in Network Security
Prof. Richard A. Stanley
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/11 #1
Thought for the Day
“If you’re gonna do the crime,
be prepared to do the time.”
Anonymous
Overview of Tonight’s Class
• Review last week’s lesson
• The exam
• Legal issues
Last time...
• Firewalls are useful tools to mediate access
from internal networks to external networks
• Firewalls are not a single-point security
solution
• Firewalls cannot protect against a malicious
user on the internal network
• Trusted computing systems are needed to
enforce security policy
Network Security and the Law
The Law? I’m a Techie!
• Modern computer technology has changed
the rules about where value resides
• Once upon a time, valuable things -- like
money -- were kept in bank vaults
• Today, valuable things -- like money -- are
reduced to bits and are kept in computers
• Today’s interbank courier is a network
connection
Bottom Line...
• If you are going to be involved with
computers, you are going to be involved
with the law, one way or another
• Better to know what it is all about before
you get hurt
What You Need to Know
• What is illegal
• What are the elements of proof
• What constitutes evidence
• How to protect the evidence
• Whom to call
• When to call them
• What to tell them
U. S. Law
• Criminal
– Charges brought by state in name of the people
– No private prosecutions (cf. U.K. law)
– No double jeopardy (what does this mean?)
– Penalties: incarceration, death and/or fines
• Civil
– Action brought by one party against another
– Penalties: deprivation of property
Basis of U.S. Law
• English Common Law (except Louisiana)
– Statutes (enacted by legislatures)
– Case law
– Precedents
• State/local vs. Federal law
– Jurisdiction
– Pre-emption
Why Do You Care?
• Computer crime is one of -- if not THE -- fastest growing crime categories
• “That’s where the money is”
• Fraud loss in Southern NY area alone,
Jan ‘95 to Jan ‘02: nearly $600,000,000
• This isn’t just victimless, white-collar
crime: nearly 2/3 of those arrested were
carrying automatic weapons
It Isn’t Just Crime
• If you operate a network service, you face
civil liability if civil codes are violated
– Copyright protection
– Trademark protection
– Other intellectual property
• Pressure from various entities
– Privacy
– Content
Knowing what is illegal is key
• Example: until late 1998, it was NOT a federal
crime in the U.S. to steal someone else’s identity
(the Identity Theft and Assumption Deterrence Act
of 1998 added it to 18 USC § 1028)
• Where you are defines what is illegal
– OK to use another name in US if not to defraud
– Illegal in U.K.
• You WILL be involved in this if you are
involved in computer security
Caution!
• You are NOT a law enforcement officer!
• You need to know about computer law to be
an effective computer security person, just
as you need to know about motor vehicle
law to be an effective driver
• Ignorance is not an excuse
A Quick Taxonomy of the Law
• Just like engineering, they have a language
• 18 USC § 2319 decodes as “Title 18, United
States Code, Section 2319”
• State laws have their own abbreviations, but
follow the same pattern:
– In New York: PL = Penal Law
– In Mass: MGL = Mass. General Laws
– In Conn: CGS = Conn. General Statutes, etc.
What is illegal?
• Can’t cover everything, so will concentrate on US
federal law, with added local & foreign examples
• US Code can be found on the Web at:
www4.law.cornell.edu/uscode
• Title 18 is the criminal title: it defines federal
crimes and criminal procedure
• All the laws of the United States are found
(somewhere) in the Code
What the laws will tell you
• What is prohibited, often in excruciating
detail
• What must be proven to prove the crime
(often by inference)
• What the penalty is for violating the law
US Code Overview - 1
Title 1 General Provisions
Title 2 The Congress
Title 3 The President
Title 4 Flag and Seal, Seat Of Government, and the States
Title 5 Government Organization and Employees
Title 6 Domestic Security (formerly Surety Bonds, repealed; re-enacted for the Department of Homeland Security in 2002)
Title 7 Agriculture
Title 8 Aliens and Nationality
Title 9 Arbitration
Title 10 Armed Forces
US Code Overview -2
Title 11 Bankruptcy
Title 12 Banks and Banking
Title 13 Census
Title 14 Coast Guard
Title 15 Commerce and Trade
Title 16 Conservation
Title 17 Copyrights
Title 18 Crimes and Criminal Procedure
Title 19 Customs Duties
Title 20 Education
US Code Overview -3
Title 21 Food and Drugs
Title 22 Foreign Relations and Intercourse
Title 23 Highways
Title 24 Hospitals and Asylums
Title 25 Indians
Title 26 Internal Revenue Code
Title 27 Intoxicating Liquors
Title 28 Judiciary and Judicial Procedure
Title 29 Labor
Title 30 Mineral Lands and Mining
US Code Overview -4
Title 31 Money and Finance
Title 32 National Guard
Title 33 Navigation and Navigable Waters
Title 34 Navy (repealed)
Title 35 Patents
Title 36 Patriotic Societies and Observances
Title 37 Pay and Allowances Of the Uniformed Services
Title 38 Veterans' Benefits
Title 39 Postal Service
Title 40 Public Buildings, Property, and Works
US Code Overview -5
Title 41 Public Contracts
Title 42 The Public Health and Welfare
Title 43 Public Lands
Title 44 Public Printing and Documents
Title 45 Railroads
Title 46 Shipping
Title 47 Telegraphs, Telephones, and Radiotelegraphs
Title 48 Territories and Insular Possessions
Title 49 Transportation
Title 50 War and National Defense
Where You Stand Depends on
Where You Sit
• What is illegal depends on:
– where the crime occurred
– who has jurisdiction
• this is not always determined by geography (e.g.,
robbery of a federally insured bank is a federal
crime in the U.S.A. [18 USC § 2113], whichever
state it occurs in)
• there may be overlapping jurisdiction
• prosecutors may decide to proceed in one
jurisdiction because of penalties available
For Example...
• Consider privacy
• The European Union has a very different
view of how data on individuals may be
collected and handled than does the U.S.
(in 2003 set out in Directive 95/46/EC, quoted
on the following slides; replaced by the General
Data Protection Regulation in 2018)
• This difference in laws has a significant
effect on cross-border electronic commerce
– How can you tell when E-commerce is cross-border? It isn’t easy.
Directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995, Article 6
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a
way incompatible with those purposes. Further processing of data for historical, statistical or
scientific purposes shall not be considered as incompatible provided that Member States
provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are
collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to
ensure that data which are inaccurate or incomplete, having regard to the purposes for which
they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary
for the purposes for which the data were collected or for which they are further processed.
Member States shall lay down appropriate safeguards for personal data stored for longer
periods for historical, statistical or scientific use.
Directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995, Article 8
The processing of special categories of data
1. Member States shall prohibit the processing of personal data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade-union membership, and the
processing of data concerning health or sex life. {absent specific consent of the data subject
as provided in other sections of this article}
3. Paragraph 1 shall not apply where processing of the data is required for the purposes of
preventive medicine, medical diagnosis, the provision of care or treatment or the
management of health-care services, and where those data are processed by a health
professional subject under national law or rules established by national competent bodies to
the obligation of professional secrecy or by another person also subject to an equivalent
obligation of secrecy.
4. Subject to the provision of suitable safeguards, Member States may, for reasons of
substantial public interest, lay down exemptions in addition to those laid down in paragraph 2
either by national law or by decision of the supervisory authority.
Directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995, Article 10
Information in cases of collection of data from the data subject
Member States shall provide that the controller or his representative must provide a data
subject from whom data relating to himself are collected with at least the following
information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the possible
consequences of failure to reply,
- the existence of the right of access to and the right to rectify the data concerning him
in so far as such further information is necessary, having regard to the specific circumstances
in which the data are collected, to guarantee fair processing in respect of the data subject.
Directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995, Article 11
Information where the data have not been obtained from the data subject
1. Where the data have not been obtained from the data subject, Member States shall provide
that the controller or his representative must at the time of undertaking the recording of
personal data or if a disclosure to a third party is envisaged, no later than the time when the
data are first disclosed provide the data subject with at least the following information, except
where he already has it:
{same as Article 10 disclosures}
2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for
the purposes of historical or scientific research, the provision of such information proves
impossible or would involve a disproportionate effort or if recording or disclosure is expressly
laid down by law. In these cases Member States shall provide appropriate safeguards.
Directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995, Article 12
Right of access
Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information
at least as to the purposes of the processing, the categories of data concerned, and the
recipients or categories of recipients to whom the data are disclosed,
- communication to him in an intelligible form of the data undergoing processing and of any
available information as to their source,
- knowledge of the logic involved in any automatic processing of data concerning him at least
in the case of the automated decisions referred to in Article 15 (1);
(b) as appropriate the rectification, erasure or blocking of data the processing of which does
not comply with the provisions of this Directive, in particular because of the incomplete or
inaccurate nature of the data;
(c) notification to third parties to whom the data have been disclosed of any rectification,
erasure or blocking carried out in compliance with (b), unless this proves impossible or
involves a disproportionate effort.
The Point?
• Under U.S. law, data about individuals
belongs to the collector of the data
– Hard to know what was collected & by whom
– Hard/impossible to access, correct
• Under E.U. law, data about individuals
belongs to the individual
– Data collector must advise individual of details
of data collected and what is being done with it
I Still Don’t Get It
• OK. Do you know where all your network
links go and whose laws apply to them?
• Because of the E.U. privacy laws,
multinational companies based in the U.S.
may not move E.U. employee data into U.S.
databases, or process payrolls for E.U. citizens
on U.S. computers, unless the transfer is covered
by an adequacy mechanism (in 2003: the U.S.-E.U.
Safe Harbor framework, standard contractual
clauses, or the data subject’s consent)
• Could this impact your business?
Language is Important
• Regulations are not laws -- they describe
details of how to comply with the law
• Annotations in laws trace the history of the
law’s development--what was illegal
yesterday may not be illegal today (e.g.
Prohibition), and vice versa
• You need a lawyer or a law enforcement
agent to help with the details
How Do Regulations Fit?
• Regulations provide detailed information on how
laws are to be applied
– Code of Federal Regulations (CFR) [44 USC § 1510]
– Code of Massachusetts Regulations (CMR)
– Similar taxonomy to statutes
• Regulations are not laws, but failure to observe
their requirements can often lead to serious
problems
• In some cases, violation of a regulation is a
violation of a statute
Who Does What?
• Law enforcement agencies
– Investigate crimes, collect evidence
• Prosecutors
– Evaluate evidence, decide whether to prosecute
– Represent state in criminal matters
• Courts
– Hear evidence, reach conclusion on guilt
• Defense attorneys
– Represent the accused
Prosecutorial Peculiarities
• All crimes are not prosecuted
• The likelihood of prosecution depends on
– Magnitude of the crime
– Likelihood of conviction
• Will the jury understand the crime?
• How good is the evidence?
• You can improve probability of prosecution by
knowing what you are doing and keeping the
evidence sound
• Prosecutors get performance reviews, too
Basic Theorem
• It is not permissible to break the law in
order to enforce it
– IRC sessions and law enforcement
– Automatic actions to counter hacking
– Eavesdropping (but not always)
• Depending on your point of view, this is a
basic preservation of constitutional liberty
or a gift to law breakers. But it is the law!
So, Who Enforces the Laws?
• Law enforcement officers!!
• Who, as we all know from television and
the newspapers, are
– overweight
– addicted to doughnuts and coffee
– oversexed
– not too bright
• BUNK!!!
Some facts about law
enforcement
• For the most part, law enforcement agents are
intelligent, honest, and hard-working
• Pay scales are far below private industry, so
finding agents with technology skills is hard,
especially CURRENT technology
• They want to do a good job -- taking criminals off
the street is what they do
• You need their help, and they need yours.
Federal Agency Snapshots - 1
• FBI
– Federal Bureau of Investigation
– Part of US Department of Justice
– Charged with enforcement of federal laws
– Other counterparts
• Canada: RCMP
• Germany: Bundeskriminalamt (BKA)
• Many nations have no counterpart
Federal Agency Snapshots - 2
• USSS
– United States Secret Service
– Best known for protecting the President
– Part of the Homeland Security Department
– Primary jurisdiction in counterfeiting (all sorts),
currency and electronic crime
– Foreign counterparts: no exact ones. RCMP in
Canada has many of same roles
Federal Agency Snapshots - 3
• US Customs Service
– Responsible for collecting duties and
preventing smuggling
– Primary enforcement agency protecting US
borders
– If you bring it into the US, it is their business
– Part of the Treasury Department
– Nearly every nation has an equivalent agency
New York Electronic Crimes
Task Force (NYECTF)
• Flagship law enforcement effort to protect
the public from electronic crimes
• Formed in 1995 by the US Secret Service
New York Field Office
• Unique partnership among government,
industry, and academia
• Now numbers nearly 250 members
Some ECTF Members
• Federal law enforcement (FBI, USSS, etc.)
• State law enforcement (NY State Police, etc.)
• Local law enforcement (NYPD, PAPD, etc.)
• Federal prosecutors (USA for So. Dist. of NY,
USA for NJ, USA for CT, etc.)
• Academia (Fordham, CCNY, Dartmouth, etc.)
• Industry partners (telephone companies, banks,
consultants, etc.)
NYECTF Results
• Has brought more than 800 indictments
– The Gambino crime family
– Crooks selling counterfeit hardware & software
– Cellular telephone fraud
• Value of crimes exceeds $600 million
• Looked to by law enforcement and industry
worldwide as the model to be emulated
The NYECTF Secret
• Deal with law enforcement as if it were a
business activity
– Don’t focus on numbers of arrests to measure
success
– Instead, focus on the change you bring to the
community
– Put differently, what is the return on
investment? (ROI)
The Ultimate Compliment:
USA PATRIOT ACT OF 2001
SEC. 105. EXPANSION OF NATIONAL ELECTRONIC
CRIME TASK FORCE INITIATIVE.
The Director of the United States Secret Service shall take
appropriate actions to develop a national network of
electronic crime task forces, based on the New York
Electronic Crimes Task Force model, throughout the United
States, for the purpose of preventing, detecting, and
investigating various forms of electronic crimes, including
potential terrorist attacks against critical infrastructure and
financial payment systems.
What About Unauthorized
Computer Access?
Unauthorized Computer Access
• Federal law
– 18 USC § 1030 -- Fraud and related activity in
connection with computers (the Computer Fraud and
Abuse Act): intrusions, damage, extortion, trafficking
in passwords
• Massachusetts law
– 266 MGL § 33A. Intent to defraud commercial
computer service; penalties
– 266 MGL § 120F. Unauthorized access to computer
system; penalties
• Canadian Law
– Criminal Code of Canada, 342.1
18 USC § 1030
• Knowing, intentional unauthorized access or
access beyond authorization is a crime, depending
on the computer and what is accessed
• Trafficking in computer access information a
crime
• Severe punishments provided
– As much as 10 years imprisonment
• USA Patriot Act of 2001 expands US Secret
Service jurisdiction in this area (§506)
MGL CHAPTER 266. CRIMES AGAINST PROPERTY.
Chapter 266: Section 120F. Unauthorized access to
computer system; penalties.
Section 120F. Whoever, without authorization, knowingly accesses a
computer system by any means, or after gaining access to a computer system
by any means knows that such access is not authorized and fails to terminate
such access, shall be punished by imprisonment in the house of correction for
not more than thirty days or by a fine of not more than one thousand dollars,
or both.
The requirement of a password or other authentication to gain access shall
constitute notice that access is limited to authorized users.
Criminal Code of Canada
342.1 (1) Every one who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service,
(b) by means of an electro-magnetic, acoustic, mechanical or other
device, intercepts or causes to be intercepted, directly or indirectly, any
function of a computer system,
(c) uses or causes to be used, directly or indirectly, a computer system
with intent to commit an offence under paragraph (a) or (b) or an offence
under section 430 in relation to data or a computer system, or
(d) uses, possesses, traffics in or permits another person to have access to
a computer password that would enable a person to commit an offence
under paragraph (a), (b) or (c)
is guilty of an indictable offence and liable to imprisonment for a term
not exceeding ten years, or is guilty of an offence punishable on summary
conviction.
Some Other Computer Crimes
• 18 USC § 1028 -- Identity theft
• 18 USC § 1029 -- Fraud and related activity
in connection with access devices
• 18 USC § 471 -- Counterfeiting US notes
• 18 USC § 2252 -- Child pornography (material
involving the sexual exploitation of minors)
• 18 USC § 2318 -- Counterfeit computer
labels, program documentation, packaging
• 18 USC § 2319 -- Copyright infringement
Identity Fraud
• Deals with “false identification document”
– Making, transfer, use, possession all crimes
– Identity documents covered
• Any identification document issued by or
under the authority of the United States
– Includes federal, state, local, foreign government,
international quasi-governmental organization
– Birth certificate, driver’s license, personal ID card
– Penalties up to 15 years imprisonment
Other Areas of Concern
• Intellectual property of all types
– Copyrights
– Patents
– Trade secrets
• Your responsibility for the actions of others
Legal Issues in Computer
Security
• Copyrights [17 USC]
– Protect expression of ideas, not the idea itself
– Gives author exclusive rights to copy & sell
– Can cover “any tangible medium of expression”
– Work must be original to the author
– Subject to “fair use” [17 USC § 107]
– Marking (a copyright notice) has not been required
for works published since March 1, 1989 (Berne
Convention Implementation Act), but is still advisable
because it defeats an “innocent infringement” defense
– Lasts for 70 years after death of the author (of the
last surviving author for joint works) since the 1998
Copyright Term Extension Act [17 USC § 302]; works
made for hire: 95 years from publication or 120 years
from creation, whichever expires first
Copyrights Again
• Copyright valid without registration, but
registering helps ensure protection (and is a
prerequisite for suing over a U.S. work, 17 USC § 411)
• Infringement resolved in the courts
• U. S. Govt. works in public domain, but not
all governments (cf. Crown Copyright)
• Programs can be copyrighted, but…
• Copyright limits distribution, not use
More About Copyrights
• Fair use of a copyrighted work, including
such use by reproduction in copies or
phonorecords or by any other means :
– criticism
– comment
– news reporting
– teaching (including multiple copies for
classroom use)
– scholarship
– research
(the six purposes named in 17 USC § 107; whether a
given use is fair is decided on the four statutory
factors, not by the purpose alone)
Copyright Infringement
• Basic statute is 17 USC § 506
– Title 17 deals with copyrights
– Section 506 defines criminal infringement (willful,
and either for commercial advantage or above a
retail-value threshold); civil remedies are in §§ 501-505
– For legal consistency, penalties are in the
criminal title, Title 18 [18 USC § 2319]
• Up to 5 years imprisonment, first offense, and up to
10 years for a second or subsequent offense, when the
infringement is for commercial advantage or private
financial gain
• Up to 3 years imprisonment, first offense, and up to
6 years for a second or subsequent offense, under the
no-profit tier added by the No Electronic Theft Act of 1997
Digital Millennium Copyright
Act (DMCA)
• Signed into law October 28, 1998
• Expands the protection of copyrighted
works on the Internet and in digital form
– “Black Box” (anti-circumvention) provisions
[17 USC §§ 1201-1205]
• Limits the liability of on-line service
providers for infringement of copyrighted
works
– “Safe Harbor” provisions [17 USC § 512]
DMCA “Safe Harbor”
• Service providers, upon payment of $20 fee
and meeting reporting requirements, can
qualify for liability protection against
copyright infringement
– “Service provider” is defined broadly as “a
provider of online services or network access,
or the operator of facilities therefor”
• Providers must not interfere with “standard”
measures used to ID and protect copyrights
DMCA “Black Box”
• DMCA makes circumventing protective
technologies, such as encryption and
passwords, a violation of the law [17 USC § 1201],
and separately prohibits making or trafficking in
circumvention tools
• Removing, changing, or altering “copyright
management information” also a violation [17 USC § 1202]
• Even if your copyrighted work is not
actually copied, a person could be liable for
attempting to do so, or for giving others the
tools and access to do so
DMCA Observations
• This is a major extension of copyright law!
• Penalties for “black box” violations exceed
the penalties in 17 USC for infringement
• There is little, if any, case law yet
• Does this violate the “fair use” doctrine?
• Feared placing a damper on research into
cryptography and cryptanalysis
ElcomSoft, Dmitry Sklyarov
and the DMCA
• Sklyarov, a Russian programmer who, with his
employer ElcomSoft, developed a product (Advanced
eBook Processor) that removed the encryption and usage
restrictions on Adobe eBooks, allegedly to allow
backup copies or reading aloud
• Sklyarov arrested July 2001 in Las Vegas, after
presenting at DEF CON, and charged with violating the DMCA
– Four circumvention counts, one conspiracy
– No copyright infringement counts
• Charges against Sklyarov personally were dropped in
December 2001 in exchange for his testimony; ElcomSoft,
the company, stood trial and was acquitted by a federal
jury on all counts in December 2002
Patents
• Protect inventions [35 USC]
• Object patented must be new and useful [§§ 101, 102]
and “nonobvious” [§ 103]
• Patent goes to first to invent (in U.S., under the law
in force in 2003; the America Invents Act moved the U.S.
to first-inventor-to-file in 2013)
• Requirements for patent
– Search for prior art
– Patent Office determination that it is novel
– Issuance of patent
What Can Be Patented?
“Whoever invents or discovers any new and useful process,
machine, manufacture, or composition of matter, or any new
and useful improvement thereof, may obtain a patent therefor,
subject to the conditions and requirements of this title.”
35 USC § 101
More on Patents
• Valid for 20 years from the filing date for
applications filed on or after June 8, 1995 (Uruguay
Round Agreements Act, implementing GATT/TRIPS
harmonization); earlier, 17 years from issuance;
not generally renewable
• Requires disclosure of all working details
• A patent is a public document
• Infringement must be opposed. Claims:
– This isn’t infringement
– The patent is invalid
– The invention is not novel
– The infringer invented first
Patents and Software
• Software can be patented
• Easier to patent a process in which software
forms a part, but then use of the software
outside the process is not covered
• Not much case law yet
Patent Infringement
• Is a civil, not a criminal matter
– Cf. Copyright violations
• Remedies provided
– 35 USC § 271 defines infringement
– 35 USC § 281 provides for civil remedy
– 35 USC § 284 et seq. provide for damages
• If you participate in infringement, you could
be a defendant
Trade Secrets
• Gives a competitive edge over others
• Must always be kept secret; protection depends on
reasonable efforts to maintain secrecy (NDAs, access
controls, marking)
• Applies well to software
• Hard to enforce (e.g. reverse engineering of a
lawfully obtained product is a permitted way to
discover a trade secret)
• Theft of trade secrets is nevertheless a federal crime
under the Economic Espionage Act of 1996 [18 USC §§ 1831-1832]
Who Owns Intellectual Property?
• Generally, if you were paid to produce it by
your employer, they own the property
• If you produce it on your own time, but use
skills learned on the job, they may still own
the property
• Intellectual property agreements
• Employment contracts
Some Related Statutes
• Freedom of Information Act, as amended by the
Freedom of Information Reform Act of 1986 [5 USC § 552]
– Requires disclosure of Executive Branch records unless
one of nine exemptions applies (e.g., national security,
personal privacy, law enforcement records)
– Significant impact on computer security
• Privacy Act of 1974 [5 USC § 552a]
• Fair Credit Reporting Act [15 USC § 1681 et seq.]
– Places limits on data collected on individuals and uses
to which data can be put
– Consumer right to know contents of own files
Remember...
• A copyright protects the tangible
expression of an idea, not the idea itself
– Willful copyright infringement is a crime [17 USC § 506];
infringement is also a civil wrong
• A patent protects an idea (sort of -- more
later), not merely its expression
– Patent infringement must be contested
– Patent infringement is a civil matter, not a
crime
Negligence
• Simple
• Gross
• Contributory
• “The prudent man”
• Due diligence
More Legal Considerations
• What if…
– One of your employees is using your network
to do something illegal?
– Someone outside the organization is using your
network resources for illicit purposes?
– Your system is broken into and important
information goes missing or becomes public?
Are You Liable?
What Is Your Responsibility?
• For intellectual property?
• For personal data?
• For financial data?
• For proper operation of the network?
• How and where are these things defined?
The Other “P” Word
• Privacy
– What is it?
– How to protect it?
– What do customers and employees expect?
– What do they have a right to expect?
– Where is the Constitutional right to privacy
found?
What Are You Gonna Do?
• Know the applicable law where you operate
• When you determine a violation has
probably occurred:
– Save the audit logs and any other documentary
evidence of the offense
– Notify your supervisor
– Call the authorities
– Keep your suspicions close hold
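The “save the audit logs” step is where a prosecution is won or lost, and the slides say what to do but not how. The following is an added example, not from the course, of the minimum a security team can script: copy the logs to an evidence directory, make the copies read-only, hash them with SHA-256, and record who collected what and when in a manifest that anyone can re-verify later. The file names, collector name, ticket number and the sample sshd log line are constructed for illustration.

```python
"""Evidence preservation helper: copy, hash, manifest, verify.

Added example for this page; the paths, collector name, ticket and log
line are constructed for illustration and are not from the course slides.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB logs need not fit in memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources: list[Path], evidence_dir: Path, collector: str, note: str = "") -> Path:
    """Copy each source into evidence_dir, make the copy read-only and record it in
    manifest.json (who, when, where from, size, digest).  Returns the manifest path.
    Raises if a copy does not match its source, e.g. because the log was still
    being appended to while it was copied; rotate the log and collect again."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    items = []
    for src in sources:
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)            # copy2 preserves the original mtime
        digest = sha256_file(dst)
        if digest != sha256_file(src):
            raise RuntimeError(f"{src} changed during collection; copy is not faithful")
        os.chmod(dst, 0o444)              # read-only: accidental edits now fail loudly
        items.append({
            "original_path": str(src.resolve()),
            "evidence_file": dst.name,
            "size": dst.stat().st_size,
            "mtime_utc": datetime.fromtimestamp(src.stat().st_mtime, timezone.utc).isoformat(),
            "sha256": digest,
        })
    manifest = {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "collected_on_host": socket.gethostname(),
        "note": note,
        "items": items,
    }
    manifest_path = evidence_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    os.chmod(manifest_path, 0o444)
    # Record the manifest's own digest somewhere an intruder cannot reach
    # (incident ticket, paper log book); this file is only a convenience.
    (evidence_dir / "manifest.sha256").write_text(
        f"{sha256_file(manifest_path)}  manifest.json\n")
    return manifest_path


def verify(manifest_path: Path) -> list[str]:
    """Re-hash every evidence file listed in the manifest and return the names of
    files that are missing or no longer match.  An empty list means intact."""
    manifest = json.loads(manifest_path.read_text())
    bad = []
    for item in manifest["items"]:
        f = manifest_path.parent / item["evidence_file"]
        if not f.is_file() or sha256_file(f) != item["sha256"]:
            bad.append(item["evidence_file"])
    return bad


def demo() -> dict:
    """Round trip on a constructed auth log: preserve, verify, tamper, verify again."""
    work = Path(tempfile.mkdtemp(prefix="incident-"))
    log = work / "auth.log"
    # Constructed sample line (RFC 5737 documentation address), not a real event.
    log.write_text("Mar  3 02:14:07 web01 sshd[4121]: Failed password for root "
                   "from 203.0.113.7 port 51322 ssh2\n")
    manifest = preserve([log], work / "evidence", collector="A. Analyst",
                        note="suspected brute force, hypothetical ticket INC-0000")
    before = verify(manifest)                  # intact: []
    copy = work / "evidence" / "auth.log"
    os.chmod(copy, 0o644)                      # simulate someone "tidying up" the copy
    copy.write_text("Mar  3 02:14:07 web01 sshd[4121]: Accepted password for root\n")
    after = verify(manifest)                   # tampered: ["auth.log"]
    return {"before": before, "after": after, "manifest": manifest}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

In real use you call preserve() on the rotated log files as early as possible, then read the manifest digest to the responding agent over the phone or write it in the incident log. The hashes prove the copies have not changed since you collected them; they prove nothing about whether the originals were altered before you arrived, which is why a central log host or write-once storage matters long before the incident.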
Whom to Call?
• First, call the local police
– Describe what you think you have
– Ask for advice
– Announce intention to call federal law agency
• Call the feds
– USSS
– FBI
Before You Call
• Get to know the cognizant law enforcement
agents, local and federal
• Find out if you can help them
– Low investment, high payoff
– They’ll be more responsive if they know you
• Don’t cry wolf
– Be sure you know what you are talking about
– Have the information to support your claim
Above All...
• Be certain your organization intends to
pursue the criminal case to the end;
otherwise, you are wasting everyone’s time
and they won’t thank you
• Keep your mouth shut except to the police;
the libel laws are still in full effect
• Don’t forget you don’t carry the badge
• Don’t talk down to the police
Summary
• Computer crime is a fast-growing area of
illegal activity
• “That’s where the money is”
• Computers and networks are regulated by a
large and growing body of law
• Both civil and criminal issues involved
• Liability is a major consideration for any
business or practitioner
Homework
• Identify a network security incident that is
being, or -- in your view -- should be treated
as a crime. Describe the incident and its
impact. Identify the crime(s) that you
believe was (were) committed. In what
jurisdiction should action be pursued?
What would you have done to prevent this
incident? To mitigate the effects of the
investigation on continuing business?