Section 9: Legal, Privacy, and Ethical Issues in
advertisement
CS 5950/6030 –
Computer Security and Information Assurance
Section 9: Legal, Privacy, and
Ethical Issues in Computer Security
Dr. Leszek Lilien
Department of Computer Science
Western Michigan University
Slides based on Security in Computing. Third Edition by Pfleeger and Pfleeger.
Using some slides courtesy of:
Prof. Aaron Striegel — course taught at U. of Notre Dame
Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke (U. Idaho) — taught at U. Washington
Prof. Jussipekka Leiwo — taught at Vrije Universiteit (Free U.), Amsterdam, The Netherlands
Slides not created by the above authors are © 2006 by Leszek T. Lilien
Requests to use original slides for non-profit purposes will be gladly granted upon a written request.
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
9. Legal, Privacy, and Ethical Issues in
Computer Security
Human Controls Applicable to Computer Security:
9.1. Basic Legal Issues
a)
b)
c)
d)
Protecting Programs and Data
Information and the Law
Ownership Rights of Employees and Employers
Software Failures (and Customers)
9.2. Computer Crime
9.3. Privacy
9.4. Ethics
a) Introduction to Ethics
b) Case Studies of Ethics
c) Codes of Professional Ethics
2
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
9.1. Basic Legal Issues
Outline:
a) Protecting Programs and Data
b) Information and the Law
c) Ownership Rights of Employees and Employers
d) Software Failures (and Customers)
3
a) Protecting Programs and Data (1)
Copyrights — designed to protect expression of ideas
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
(creative works of the mind)
Ideas themselves are free
Different people can have the same idea
The way of expressing ideas is copyrighted
Copyrights are exclusive rights to making copies of
expression
Copyright protects intellectual property (IP)
IP must be:
Original work
In some tangible medium of expression
---[OPTIONAL]--- Digital Millennium Copyright Act
(DMCA) of 1998
Clarified some copyright issues for digital objects
4
Protecting Programs and Data (2)
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
Patent — designed to protect tangible objects, or ways to
make them (not works of the mind)
Protected entity must be novel & nonobvious
The first inventor who obtains patent gest his invention
protected against patent infrigement
Patents applied for algorithms only since 1981
Trade secret — information that provides competitive edge
over others
Information that has value only if kept secret
Undoing release of a secret is impossible or very difficult
Reverse engineering used to uncover trade secret is
legal!
T.s. protection applies very well to computer s/w
E.g., pgms that use algorithms unknown to others
5
---[OPTIONAL]-- Protecting Programs and Data (3)
Comparing Copyright, Patent and Trade Secret Protection
© by Leszek T. Lilien, 2006
Copyright
Protects
Patent
Trade Secret
Expression of idea, Invention—way
not idea itself
something works
Secret, competitive
advantage
Yes; intention is to
promote
publication
Design filed at
Patent Office
No
Must Distribute Yes
No
No
Ease of filing
Very easy, do-ityourself
Very complicated; No filing
specialist lawyer
suggested
Duration
Originator’s life +
70 yrs; 95 y. For
company
19 years
Legal
Protection
Sue if unauthorized Sue if invention
Sue if secret
copy sold
copied/reinvented improperly
obtained
Section 8 – Computer Security and Information Assurance – Spring 2006
Protected
Object Made
Public
Indefinite
6
Protecting Programs and Data (4)
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
---[OPTIONAL]--- How to protect:
H/w
Patent
Firmware (microcode)
Patent physical device, chip
Use trade secret protection
Copyright s/w such as embedded OS
Object code s/w
Copyright of binary code ??
Copyright of source code ??
Need legal precedents
Source code s/w
Use trade secret protection
Copyright reveals some code, facilitates reverse
engineering
Need legal precedents, too
7
b) Information and the Law (1)
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
Characteristics of information as an object of value
Not depletable
Can be replicated (buyer can become a seller)
Has minimal marginal cost (= cost to produce n-the copy
after producing n-1 copies)
Value is often time dependent (outdated => lower/no value)
Can be transferred intangibly
---[OPTIONAL]-- Legal issues for information
Information commerce
Need technological and legal protections for info seller
Electronic publishing
Cryptographic + legal solutions to protect seller’s rights
Protecting data in DB
How to decide which DB is source for given data?
Who owns data in a DB if it is public data (e.g., name+phone?)
E-commerce
How to prove that info delivered too late or is „bad”?
8
b) Information and the Law (2)
Copyright, patents, trade secrets cover some (not all!)
protection needs
Remaining protection needs can use law mechanisms
discussed below
© by Leszek T. Lilien, 2006
Section 8 – Computer Security and Information Assurance – Spring 2006
Building precedents or contributing to legislating new laws
Law categories:
1) Criminal Law / Statutory Law
2) Civil Law
(I hope I’m right with these subcategories)
2a) Common Law / Tort Law
2b) Contracts
9
b) Information and the Law (3)
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
Comparison of Criminal and Civil Law
Criminal Law
Civil Law
Defined by
Statutes
Common law (tort l.)
Contracts
Cases
brought by
Government
Government
Individuals and
companies
Wronged
party
Remedy
Society
Individuals and
companies
Damages, typically
monetary
Jail, fine
10
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
c) Ownership Rights of Employees
and Employers (1)
Ownership rights are computer security issue
Concerned with protecting secrecy (confidentiality) and integrity of
works produced by employees of an employer
Ownership issues in emploee/employer relations:
Ownership of products
Products/ideas/inventions developed by employee after hours
might still be owned by her employer
Esp. if in the same „line of business”
Ownership of patents
If employer files for patent, employer (not employee—inventor)
will own patent
Ownership of copyrights
Similar to patents
Trade secret protection
No registered inventor/author—owner can prosecute
for damages
11
Ownership Rights of Employees and Employers (2)
Type of employment has ownership consequences
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
Work for hire
All work done by employee is owned by employer
Employment contracts
Often spell out ownership rights
Often includes agreement not to compete (for some time after
termination)
Non-competition is not always enforceable by law
Licenses
Programmer retains full ownership of developed s/w
Grants license for a fee
12
d) Software Failures (& Customers) (1)
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
--[OPTIONAL]-- Issue 1: Software quality: is it „correct”
or not?
If not correct: ask for refund, replacement, fixing
Refund: possible
Replacement: if this copy damaged, or improved in
the meantine
Fixing: rarely legally enforced; instead, monetary
awards for damages
Correctness of s/w difficult to define/enforce legally
Individual can rarely sue a major s/w vendor
Prohibitive costs for individual
13
Software Failures (& Customers) (2)
© by Leszek T. Lilien, 2006
---[OPTIONAL]--- Issue 2: Reporting software flaws
Should we share s/w vulnerability info?
Both pros and cons
Vendor interests
Vendors (e.g., MS) don’t want to react to individual
flaws
Section 8 – Computer Security and Information Assurance – Spring 2006
User interests
Would like to have fixes quickly
Responsible vulnerability reporting
How to report vulnerability info responsibly?
Prefer bundle a number of flaw fixes
E.g. First notify the vendor, give vendor a few weeks to fix
If vendor delays fixes, ask „coordinator” for help
Coordinator—e.g., computer emergency response center
Quality software is the real solution
„The worlds does no need faster patches,
it needs better software”
14
9.2. Computer Crime (1)
© by Leszek T. Lilien, 2006
Separate category for computer crime is needed
Because special laws are needed for CC
---[OPTIONAL]--- CC (special laws) need to deal with:
New rules of property for CC
Section 8 – Computer Security and Information Assurance – Spring 2006
Bits of info are now considered property (were not in 1984 case)
New rules of evidence for CC
Hard to prove authenticity of evidence for CC (easy to change!)
Value of integrity and confidentiality/privacy
Value of privacy is now recognized by several federal/state laws
Value of data
Courts understand value of data better
Acceptance of computer terminology
Law lags behind technology in acceptance of new terminology
15
---[OPTIONAL]--- Computer Crime (2)
CC (special laws) need to deal with—cont.
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
Difficulty of defining CC
Legal community is slow in accommodating advances
in computing
Law change is cautious/conservative by nature
Difficulty of prosecuting CC
Reasons:
Lack of understanding / lack of physical evidence /
lack of recognition of assets / lack of political impact /
complexity of CC cases / lenient treatment of juveniles comitting
CCs
16
---[OPTIONAL]--- Computer Crime (3)
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
Examples of American statutes related to CC
1974 — US Privacy Act
1984 — US Computer Fraud and Abuse Act
Penalties: max{100K, stolen value} and/or 1 to 20 yrs
1986 — US Electronic Communications Privacy Act
Protects privacy of data collected by the executive branch of
federal gov’t
Protects against wiretapping
Exceptions: court order, ISPs
1996 — US Economic Espionage Act
2001 — USA Patriot Act
— US Electronic Funds Transfer Act
— US Freedom of Information Act
17
---[OPTIONAL]--- Computer Crime (4)
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
International CC Laws
1994 — EU Data Protection Act
Restricted Internet content — e.g., China
Cryptography use — different laws in different countries
Why computer criminals are hard to catch
Multinational activity
Complexity
E.g., attackers „bouncing” attacks thru many places to cover tracks
Law is not precise
Problems with „computer,” object value, privacy
Cryptography Challenges
Controls on its use internally (allowing gov’t to track illegal
activities) and for export
Free speech issues: restricting
Gov’t wanted key escrows (remember Clipper?)
18
9.3. Privacy (1)
Identity theft – the most serious crime against privacy
© by Leszek T. Lilien, 2006
Threats to privacy
Aggregation and data mining
Poor system security
Government threats
Section 8 – Computer Security and Information Assurance – Spring 2006
Gov’t has a lot of people’s most private data
Taxes / homeland security / etc.
People’s privacy vs. homeland security concerns
The Internet as privacy threat
Unencrypted e-mail / web surfing / attacks
Corporate rights and private business
Companies may collect data that U.S. gov’t is not allowed to
Privacy for sale - many traps
“Free” is not free…
E.g., accepting frequent-buyer cards reduces your privacy
19
Privacy (2)
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
Controls for protecting privacy
Authentication
Anonymity
Needed also in computer voting
Pseudonymity
Legal privacy controls
--OPTIONAL-
1996 — HIPAA
1998 — EU Data Protection Act
Privacy of individuals’ medical records
Privacy protections stronger than in the U.S.
1999 — Gramm-Leach-Bliley Act
Privacy of data for customers of financial institutions
20
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
9.4. Ethics
a) Introduction to Ethics (1)
Law vs. Ethics
Law alone can’t restrict human behavior
Ethics/morals are sufficient self-controls for most people
Contrast of law and ethics – Table 9-3, p. 606
Impractical/impossible to describe/enforce all acceptable
behaviors
---[OPTIONAL]--- Characteristics of ethics
Ethics is not religion (but religions include ethical principles)
Ethical principles are not universal
Vary in different cultures
Vary even in different individuals in the same culture
Ethics is pluralistic in nature
In sharp contrast to science and technology that often has only
one correct answer
21
---[OPTIONAL]--- Introduction to Ethics (2)
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
Systems of ethics
1) Consequence-based — do what results in greatest good,
least harm
1a) Egoism
I do what’s good for me
1b) Utilitarianism
I do what’s brings greatest collective good
2) Rules-based (deontology) — do what is prescribed by
certain universal, self-evident, natural rules of proper
conduct
Could be based on religion on philosophy
22
---[OPTIONAL]---
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
b) Case Studies of Ethics
Read especially:
Case II: Privacy rights (p.612)
Case VIII: Ethics of Hacking or Cracking (p. 619)
23
c) Codes of Professional Ethics
Different codes of professional ethics
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
Computer Ethics Institute
10 Commandments of Computer Use – Fig. 9.3, p.
625
---[OPTIONAL]--
IEEE – Fig. 9-1, p. 623
ACM – Fig. 9-2, p. 624
24
Section 8 – Computer Security and Information Assurance – Spring 2006
© by Leszek T. Lilien, 2006
End of Section 9
Student project presentations follow
25
