2BackgroundComputer security is similar to any other subject in the society.As it changes our lives, laws will be enacted to:Enable desired behaviors.Prohibit undesired behaviors.Laws may have been overly restrictive, limiting business options, such as in the area of importing and exporting encryption technology.In other cases, legislation is being implemented slowly and this fact has hindered business initiatives, such as in digital signatures.
3ObjectivesUpon completion of this lesson, the learner will be able to:List laws and rules concerning importing and exporting encryption software.List laws that govern computer access and trespass.List laws that govern encryption and digital rights management.List laws that govern digital signatures.List computer security laws that govern privacy in various industries.List laws that enforce ethical behavior.
4Encryption Restrictions Governments control the encryption technology.The level of control varies from outright banning to little or no regulation.Control over import and export is a vital method of maintaining a level of control over encryption technology in general.Laws and restrictions center on cryptography.Commercial transactions and network communications have expanded the use of cryptographic methods to include secure network communications.
5United States LawExport controls on commercial encryption products are administered by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce.Encryption protection has been accorded the same level of attention as the export of weapons for war.With the rise of the Internet, this position has somewhat relaxed.The United States updated its encryption export regulations to provide treatment consistent with the regulations adopted by the European Union (EU).The member nations of the Wassenaar Arrangement agreed to remove key length restrictions on encryption hardware and software.This action effectively removed “mass market” encryption products from the list of dual-use items controlled by the Wassenaar Arrangement.
6United States LawThe U.S. encryption export control policy rests on three principles:Review of encryption products prior to sale.Streamlined post-export reporting.License review of certain exports of strong encryption to foreign government end users.U.S. rules require notification to the BIS for export in all cases.
7United States LawThe restrictions are lessened for “Mass Market” products as defined by all of the following:They are generally available to the public by being sold, without restriction, from stock at retail selling points by any of these means:Over-the-counter transactionsMail-order transactionsElectronic transactionsTelephone call transactions
8United States LawThe restrictions are lessened for “Mass Market” products as defined by all of the following (continued):The cryptographic functionality cannot be easily changed by a user.They are designed for installation by a user without substantial support by the supplier.Details of the items are accessible and will be provided to the appropriate authority in the exporter's country to ascertain compliance with export regulations.Mass-market commodities and software employing a key length greater than 64 bits for the symmetric algorithm must be reviewed in accordance with BIS regulations.
9Non-U.S. LawsExport control rules for encryption technologies fall under the Wassenaar Arrangement.The Wassenaar Arrangement was established to contribute to regional and international security and stability.It promotes transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.Many nations have more restrictive policies than those agreed upon as part of the Wassenaar Arrangement.
10Digital Signature Laws On October 1, 2000, the Electronic Signatures in Global and National Commerce Act was enforced in the United States.The existence of the E-Sign law and Uniform Electronic Transactions Act (UETA) has enabled e-commerce transactions to proceed.The resolution of the technical details via court actions will probably have little effect on consumers.
11Digital Signature Laws Non-U.S. LawsThe UN General Assembly adopted the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.These model laws have become the basis for many national and international efforts in this area.
12Digital Signature Laws CanadaAdopted a national model bill for electronic signatures to promote e-commerce.Uniform Electronic Commerce Act (UECA) allows the use of electronic signatures in communications with the government.Individual Canadian provinces have passed similar legislation.They define digital signature provisions for e-commerce and government use.
13Digital Signature Laws The European UnionThe European Commission adopted a Communication on Digital Signatures and Encryption: “Toward a European Framework for Digital Signatures and Encryption.”This communication states that a common framework at the EU level is urgently needed to:Stimulate the free circulation of digital signature related products and services within the Internal market.Stimulate the development of new economic activities linked to electronic commerce.Facilitate the use of digital signatures across national borders.On May 4, 2000, the European Parliament and Council approved the common position adopted by the Council.
14Digital Rights Management The Digital Millennium Copyright Act (DMCA) was enacted on October 20, 1998.This Act makes it illegal to develop, produce, and trade any device or mechanism designed to circumvent technological controls used in copy protection.Copy protection methods are cryptographic in nature.This provision has the ability to eliminate and/or severely research into encryption, and the strengths and weaknesses of specific methods.The Digital Millennium Copyright Act (Section 1201(g)) allows exemptions for legitimate research.
15Digital Rights Management There are specific exemptions for research, provided four elements are satisfied:The person has lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work.Such act is necessary to conduct such encryption research.The person made a good faith effort to obtain authorization before the circumvention.Such act does not constitute infringement under this title.
16Privacy LawsGovernments in Europe and the United States have taken different approaches to control privacy via legislation.
17United States LawsThe Electronic Communications Privacy Act (ECPA) of 1986 addresses myriad legal privacy issues related computers and technology specific to telecommunications.Sections of this law address , cellular communications, workplace privacy, and other electronic communication issues.Prohibits an employer's monitoring an employee's computer usage, including , unless consent is obtained.Protects electronic communications from wiretap and outside eavesdropping.Users have a reasonable expectation of privacy under the Fourth Amendment to the Constitution.
18United States LawsThe use of a warning banner typically displayed whenever a network connection occurs serves four main purposes:They establish the level of expected privacy (usually none on a business system) and serve as consent to real-time monitoring from a business standpoint.The banner tells the user that their connection to the network signals their consent to monitoring.Consent can also be obtained to look at files and records.In government systems, consent is needed to prevent direct application of the Fourth Amendment. The warning banner establishes the system/network administrator's common authority to consent to a law enforcement search.
19United States LawsThe Patriot Act of 2001 substantially changed the levels of checks and balances in U.S. privacy laws.It extends the tap and trace provisions of wiretap statutes to the Internet.It mandates technological modifications at ISPs to facilitate electronic wiretaps on the Internet.It permits the Justice Department to roll out of the Carnivore program – an eavesdropping program for the Internet.It permits federal law enforcement personnel to investigate computer trespass and enacts civil penalties for trespassers.
20United States LawsIn 1999, the Gramm-Leach-Bliley Active Directory, which has privacy provisions for individuals, affected the financial industry.GLB privacy provisions include an opt-out method for individuals.Some internal information sharing is required under the Fair Credit Reporting Act (FCRA) between affiliated companies, but GLB ended sharing to external third-party firms.
21United States LawsThe Identity Theft and Assumption Deterrence Act (ITADA) governs identity privacy and the establishment of identity theft crimes.It is a violation of the federal law to use another's identity knowingly.The collection of information is governed by GLB, which makes it illegal for someone to gather identity information on another person under false pretenses.Student records have even further protections under the Family Education Records and Privacy Act of 1974.
22United States LawsFair and Accurate Credit Transactions Act of 2003 includes identity-theft provisions.They are designed to be consumer-friendly.They include a free credit report annually.They require merchants to leave all but the last five digits of a credit card number off store receipts.They establish a national system of fraud detection allowing consumers to have a single number to call to receive advice, set off a nationwide fraud alert, and protect their credit standing.
23United States LawsMedical and health information and privacy implications. The U.S. Congress enacted the Health Insurance Portability & Accountability Act (HIPAA) of 1996.HIPAA mandates changes in the way health and medical data is stored, exchanged, and used.HIPAA restricts data transfers to ensure privacy, including security standards and electronic signature provisions.Mandates a uniform level of protection regarding all health information of an individual and is housed or transmitted electronically.
24United States LawsThe standard mandates safeguards for physical storage, maintenance, transmission, and access to individuals' health information.Organizations that use electronic signatures will have to meet standards ensuring information integrity, signer authentication, and nonrepudiation.This law was designed to help users to fight identity theft through early notification of the loss of control over personal information stored in computer systems. In other words, it is designed to force firms to notify users whenever their personal information has become compromised.
25European LawsThe governments of Europe have developed a comprehensive concept of privacy administered via a set of statutes known as data protection laws.These privacy statutes cover all personal data, whether collected and used by the government or private firms.These laws are administered by the state and national data protection agencies in each country.
26European LawsPrivacy laws in Europe focus on the concept that privacy is a fundamental human right that demands protection through government administration.The Data Protection Directive has a provision allowing the European Commission to block transfers of personal data to any country outside the EU.The EU expressed concerns about the adequacy of data protection in the United States following the differences in approach between the United States and the EU with respect to data protection.U.S. organizations that voluntarily joined an arrangement known as Safe Harbor would be considered adequate in terms of data protection.European LawsA difference between the U.S. and European regulations lies in where control is exercised. In Europe, the right of control over privacy is balanced in such a way as to favor consumers.
27Computer TrespassComputer trespass is unauthorized entry into a computer system via any means, including remote network connections. The unauthorized entry into a computer system via any means, including remote network connections.For crimes that are committed within a country's borders, national laws apply.For cross-border crimes, international laws and international treaties are the norm.Enforcement actions stemming from these agreements have been rare, with most actions employing national laws where applicable.
28Computer Trespass Computer trespass is a crime in many countries. National laws exist in many countries, including the EU, Canada, and the United States.These laws vary by state, but they all have similar provisions defining the unauthorized entry into, and use of, computer resources as a crime.Convention on CybercrimeThe product of four years of work by the Council of Europe, United States, Canada, Japan, and other countries.The convention is similar to a draft treaty.
29Computer Trespass Convention on Cybercrime Pursues a common criminal policy aimed at protecting the society against cybercrime by adopting legislation and promoting international cooperation.The convention deals with infringements of copyright, computer-related fraud, child pornography, and violations of network security.
30Ethics Sarbanes-Oxley Act of 2002 It targets a series of financial reporting irregularities at the highest levels of corporate leadership.Although it is aimed at the senior executive’s abuse of financial reporting systems, these systems are major IT components of a firm.Notes: The inclusion of IT becomes a de facto standard event. Sarbanes-Oxley Act of 2002Should the tampering of the electronic records that maintain a company’s ability to perform accurate financial reporting occur, the potential for a violation under this statute can occur.
31EthicsSarbanes-Oxley has ramifications through the chain of information used to report the current state of corporate financial condition.Controls and oversight over all processes used to produce financial reports must include aspects of the Enterprise Resource Planning (ERP) software and the business processes surrounding how it performs its specific functions in the enterprise.Validation of results from this process are subject to review and given the complexity of the process, reviews and audits of IS processes can be used for monitoring compliance.