CS 5700
Computer Security and Information Assurance
Section 6:
Legal, Privacy, and Ethical Issues
in Computer Security
Dr. Leszek Lilien
Department of Computer Science
Western Michigan University
Slides based on Security in Computing. Third Edition by Pfleeger and Pfleeger.
Using some slides courtesy of:
Prof. Aaron Striegel — course taught at U. of Notre Dame
Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke (U. Idaho) — taught at U. Washington
Prof. Jussipekka Leiwo — taught at Vrije Universiteit (Free U.), Amsterdam, The Netherlands
Slides not created by the above authors are © 2006-2010 by Leszek T. Lilien
Requests to use original slides for non-profit purposes will be gladly granted upon a written request.
© by Leszek T. Lilien, 2006-2010
Section 7 – Computer Security and Information Assurance
6. Legal, Privacy, and Ethical Issues in
Computer Security

Human Controls Applicable to Computer Security:
6.1. Basic Legal Issues
a)
b)
c)
d)
Protecting Programs and Data
Information and the Law
Ownership Rights of Employees and Employers
Software Failures (and Customers)
6.2. Computer Crime
6.3. Privacy
6.4. Ethics
a) Introduction to Ethics
b) Case Studies of Ethics
c) Codes of Professional Ethics
2
© by Leszek T. Lilien, 2006-2010
Section 7 – Computer Security and Information Assurance
7.1. Basic Legal Issues

Outline:
a) Protecting Programs and Data
b) Information and the Law
c) Ownership Rights of Employees and Employers
d) Software Failures (and Customers)
3
© by Leszek T. Lilien, 2006-2010
a) Protecting Programs and Data (1)
Copyrights — designed to protect expression of ideas

(creative works of the mind)
Ideas themselves are free




Different people can have the same idea
The way of expressing ideas is copyrighted
Copyrights are exclusive rights to making copies of
Section 7 – Computer Security and Information Assurance
expression


Copyright protects intellectual property (IP)
IP must be:

Original work

In some tangible medium of expression
--SKIP-- Digital Millennium Copyright Act (DMCA) of 1998

Clarified some copyright issues for digital objects
4
© by Leszek T. Lilien, 2006-2010
Protecting Programs and Data (2)

Section 7 – Computer Security and Information Assurance

Patent — designed to protect tangible objects, or ways to
make them (not works of the mind)

Protected entity must be novel & nonobvious

The first inventor who obtains patent gest his invention
protected against patent infrigement

Patents applied for algorithms only since 1981
Trade secret — information that provides competitive edge
over others

Information that has value only if kept secret

Undoing release of a secret is impossible or very difficult

Reverse engineering used to uncover trade secret is
legal!

T.s. protection applies very well to computer s/w

E.g., pgms that use algorithms unknown to others
5
© by Leszek T. Lilien, 2006-2010
Protecting Programs and Data (3)

Comparing Copyright, Patent and Trade Secret Protection
Copyright
Protects
Patent
Trade Secret
Expression of idea, Invention—way
not idea itself
something works
Secret, competitive
advantage
Yes; intention is to
promote
publication
Design filed at
Patent Office
No
Must Distribute Yes
No
No
Ease of filing
Very easy, do-ityourself
Very complicated; No filing
specialist lawyer
suggested
Duration
Originator’s life +
70 yrs; 95 y. For
company
19 years
Legal
Protection
Sue if unauthorized Sue if invention
Sue if secret
copy sold
copied/reinvented improperly
obtained
Section 7 – Computer Security and Information Assurance
Protected
Object Made
Public
Indefinite
6
© by Leszek T. Lilien, 2006-2010
Section 7 – Computer Security and Information Assurance
Protecting Programs and Data (4)

How to protect:

H/w

Patent

Firmware (microcode)

Patent physical device, chip

Use trade secret protection

Copyright s/w such as embedded OS

Object code s/w

Copyright of binary code ??

Copyright of source code ??

Need legal precedents

Source code s/w

Use trade secret protection

Copyright reveals some code, facilitates reverse
engineering

Need legal precedents, too
7
© by Leszek T. Lilien, 2006-2010
b) Information and the Law (1)

Characteristics of information as an object of value

Not depletable

Can be replicated (buyer can become a seller)

Has minimal marginal cost (= cost to produce n-the copy
after producing n-1 copies)
Value is often time dependent (outdated => lower/no value)
Can be transferred intangibly


Section 7 – Computer Security and Information Assurance

--SKIP-- Legal issues for information

Information commerce

Need technological and legal protections for info seller
Electronic publishing


Cryptographic + legal solutions to protect seller’s rights
Protecting data in DB



How to decide which DB is source for given data?
Who owns data in a DB if it is public data (e.g., name+phone?)
E-commerce


How to prove that info delivered too late or is „bad”?
8
© by Leszek T. Lilien, 2006-2010
b) Information and the Law (2)
Copyright, patents, trade secrets cover some (not all!)
protection needs
Remaining protection needs can use law mechanisms
discussed below


Section 7 – Computer Security and Information Assurance

Building precedents or contributing to legislating new laws
Law categories:
1) Criminal Law / Statutory Law
2) Civil Law
(I hope I’m right iwith these subcategories)
2a) Common Law / Tort Law
2b) Contracts
9
© by Leszek T. Lilien, 2006-2010
Section 7 – Computer Security and Information Assurance
b) Information and the Law (3)

Comparison of Criminal and Civil Law
Criminal Law
Civil Law
Defined by
Statutes
Common law (tort l.)
Contracts
Cases
brought by
Government
Government
Individuals and
companies
Wronged
party
Remedy
Society
Individuals and
companies
Damages, typically
monetary
Jail, fine
10
© by Leszek T. Lilien, 2006-2010
c) Ownership Rights of Employees
and Employers (1)
Ownership rights are computer security issue

Concerned with protecting secrecy (confidentiality) and integrity of
works produced by employees of an employer


Ownership issues in emploee/employer relations:

Ownership of products
Section 7 – Computer Security and Information Assurance

Products/ideas/inventions developed by employee after hours
might still be owned by her employer

Esp. if in the same „line of business”
Ownership of patents


If employer files for patent, employer (not employee—inventor)
will own patent
Ownership of copyrights


Similar to patents
Trade secret protection


No registered inventor/author—owner can prosecute
for damages
11
© by Leszek T. Lilien, 2006-2010
Ownership Rights of Employees and Employers (2)
Type of employment has ownership consequences



Work for hire

All work done by employee is owned by employer
Employment contracts

Often spell out ownership rights

Section 7 – Computer Security and Information Assurance

Often includes agreement not to compete (for some time after
termination)

Non-competition is not always enforceable by law
Licenses

Programmer retains full ownership of developed s/w

Grants license for a fee
12
© by Leszek T. Lilien, 2006-2010
Section 7 – Computer Security and Information Assurance
d) ++SKIP++ Software Failures (&
Customers) (1)

Issue 1: Software quality: is it „correct” or not?

If not correct: ask for refund, replacement, fixing

Refund: possible

Replacement: if this copy damaged, or improved in
the meantine

Fixing: rarely legally enforced; instead, monetary
awards for damages

Correctness of s/w difficult to define/enforce legally

Individual can rarely sue a major s/w vendor

Prohibitive costs for individual
13
© by Leszek T. Lilien, 2006-2010
++SKIP++ Software Failures (& Customers) (2)

Issue 2: Reporting software flaws

Should we share s/w vulnerability info?

Both pros and cons

Vendor interests

Vendors (e.g., MS) don’t want to react to individual
flaws

Section 7 – Computer Security and Information Assurance


User interests

Would like to have fixes quickly
Responsible vulnerability reporting

How to report vulnerability info responsibly?



Prefer bundle a number of flaw fixes
E.g. First notify the vendor, give vendor a few weeks to fix
If vendor delays fixes, ask „coordinator” for help

Coordinator—e.g., computer emergency response center
Quality software is the real solution

„The worlds does no need faster patches,
it needs better software”
14
© by Leszek T. Lilien, 2006-2010
7.2. Computer Crime (1)


Separate category for computer crime is needed

Because special laws are needed for CC
---SKIP-- CC (special laws) need to deal with:

New rules of property for CC

New rules of evidence for CC


Section 7 – Computer Security and Information Assurance
Bits of info are now considered property (were not in 1984 case)
Hard to prove authenticity of evidence for CC (easy to change!)
Value of integrity and confidentiality/privacy


Value of privacy is now recognized by several federal/state laws
Value of data


Courts understand value of data better
Acceptance of computer terminology


Law lags behind technology in acceptance of new terminology
15
© by Leszek T. Lilien, 2006-2010
--SKIP-- Computer Crime (2)
CC (special laws) need to deal with—cont.


Difficulty of defining CC

Legal community is slow in accommodating advances
in computing

Difficulty of prosecuting CC


Section 7 – Computer Security and Information Assurance
Law change is cautious/conservative by nature
Reasons:
Lack of understanding / lack of physical evidence /
lack of recognition of assets / lack of political impact /
complexity of CC cases / lenient treatment of juveniles comitting
CCs
16
© by Leszek T. Lilien, 2006-2010
Computer Crime (3)
Examples of American statutes related to CC
---SKIP-
1974 — US Privacy Act


1984 — US Computer Fraud and Abuse Act


Section 7 – Computer Security and Information Assurance





Penalties: max{100K, stolen value} and/or 1 to 20 yrs
1986 — US Electronic Communications Privacy Act


Protects privacy of data collected by the executive branch of
federal gov’t
Protects against wiretapping
Exceptions: court order, ISPs
1996 — US Economic Espionage Act
2001 — USA Patriot Act
— US Electronic Funds Transfer Act
— US Freedom of Information Act
17
© by Leszek T. Lilien, 2006-2010
--SKIP-- Computer Crime (4)


International CC Laws

1994 — EU Data Protection Act

Restricted Internet content — e.g., China

Cryptography use — different laws in different countries
Why computer criminals are hard to catch

Multinational activity

Complexity
Section 7 – Computer Security and Information Assurance



E.g., attackers „bouncing” attacks thru many places to cover tracks
Law is not precise

Problems with „computer,” object value, privacy
Cryptography Challenges

Controls on its use internally (allowing gov’t to track illegal
activities) and for export

Free speech issues: restricting

Gov’t wanted key escrows (remember Clipper?)
18
© by Leszek T. Lilien, 2006-2010
7.3. Privacy (1)
Identity theft – the most serious crime against privacy


Threats to privacy

Aggregation and data mining

Poor system security

Government threats
Section 7 – Computer Security and Information Assurance


The Internet as privacy threat


Unencrypted e-mail / web surfing / attacks
Corporate rights and private business



Gov’t has a lot of people’s most private data

Taxes / homeland security / etc.
People’s privacy vs. homeland security concerns
Companies may collect data that U.S. gov’t is not allowed to
Privacy for sale

Many traps

Accepting frequent-buyer cards reduces your privacy
19
© by Leszek T. Lilien, 2006-2010
Section 7 – Computer Security and Information Assurance
Privacy (2)

Controls for protecting privacy

Authentication

Anonymity

Needed also in computer voting

Pseudonymity

Legal privacy controls

1996 — HIPAA


1998 — EU Data Protection Act


Privacy of individuals’ medical records
Privacy protections stronger than in the U.S.
1999 — Gramm-Leach-Bliley Act

Privacy of data for customers of financial institutions
20
© by Leszek T. Lilien, 2006-2010
7.4. Ethics
a) Introduction to Ethics (1)

Law vs. Ethics

Law alone can’t restrict human behavior

Ethics/morals are sufficient self-controls for most people
Contrast of law and ethics – Table 11-3 (p.694/ed.4)


Section 7 – Computer Security and Information Assurance

Impractical/impossible to describe/enforce all acceptable
behaviors
--SKIP-- Characteristics of ethics

Ethics is not religion (but religions include ethical principles)

Ethical principles are not universal


Vary in different cultures
Vary even in different individuals in the same culture
Ethics is pluralistic in nature


In sharp contrast to science and technology that often has only
one correct answer
21
© by Leszek T. Lilien, 2006-2010
--SKIP-- Introduction to Ethics (2)

Systems of ethics
1) Consequence-based — do what results in greatest good,
least harm
1a) Egoism
I do what’s good for me
1b) Utilitarianism
Section 7 – Computer Security and Information Assurance
I do what’s brings greatest collective good
2) Rules-based (deontology) — do what is prescribed by
certain universal, self-evident, natural rules of proper
conduct
Could be based on religion on philosophy
22
© by Leszek T. Lilien, 2006-2010
Section 7 – Computer Security and Information Assurance
b) Case Studies of Ethics

Read especially:

Case II: Privacy rights (p.700/ed.4)

Case VIII: Ethics of Hacking or Cracking (p. 707/ed.4)
23
© by Leszek T. Lilien, 2006-2010
c) Codes of Professional Ethics

Different codes of professional ethics

IEEE – Fig. 11-1 (p. 711/ed.4)

ACM – Fig. 11-2 (p. 712/ed.4)
Section 7 – Computer Security and Information Assurance

Computer Ethics Institute

10 Commandments of Computer Use – Fig. 11.3 (p.
713/ed.4)
24
Section 7 – Computer Security and Information Assurance
End of Section 7 (Ch.9)
25
© by Leszek T. Lilien, 2006-2010