CIS3360: Security in Computing Legal and Ethical Issues Cliff Zou Spring 2012
Resources Used
– Modified based on Prof. Ratan Guha's CIS3360 lecture notes
– References: C. Pfleeger and S. Pfleeger, "Security in Computing", 4th Edition, Prentice Hall Inc. (ISBN 0-13-239077-9)
Example Case: Information about CyberSpy
"US court orders keylogger CyberSpy to halt software sales: The Federal Trade Commission (FTC) won an injunction today against software vendor and keylogger developer CyberSpy. The US district court ruling prohibits CyberSpy from selling or operating its RemoteSpy software package."
By Joel Hruska | Last updated November 18, 2008 7:37 PM
Source: http://arstechnica.com/security/news/2008/11/us-court-orders-keylogger-cyberspy-to-halt-software-sales.ars
Outline
– Copyright
   – History of Copyright in USA
   – The Digital Millennium Copyright Act (DMCA)
– Patents
– Trademarks
– Trade Secrets
– Agreement
   – NDA (Non-disclosure agreement)
– Computer Ethics
   – Ten Commandments of Computer Ethics
– Computer Crimes
Copyright
– Is a form of intellectual property law, protecting original works including literary, dramatic, musical, and artistic works (e.g., poetry, novels, movies, songs, computer software & architecture)
   – In essence, protects "creative contributions"
– Does not protect facts, ideas, systems, methods of operation, although it may protect the ways these things are expressed
   – Example: protect "Viterbi algorithm" (CDMA)
Copyright Protection (1)
– Would cover an author's words describing the dark and stormy night on which occurred the murder at the center of the mystery novel
– Would not cover the idea of making the events of a dark and stormy night central to a murder mystery
Copyright Protection (2)
Copyright protection covers:
– Reproduction [e.g., copying, quoting]
– Distribution [e.g., posting to Web pages]
– Adaptation [using with modifications]
– Display
– Performance
Copyright Protection (3)
– Applies to original works as soon as they are created and fixed in a tangible form
– Does NOT require the registration of copyright, or notice that the work is copyrighted
   – A patent needs registration before protection
– Applies fully to electronic (Web) resources
Length of Copyright Protections
– Anything published more than 75 years ago is now in the public domain
– Anything created after 1 January 1978 is protected for the life of the author plus 50 years
   – Or, if the author is a corporation, for 75 years from authorship or 100 years from creation (whichever is first)
– Lots of exceptions govern works published between 1964 and 1977, and works created before 1 January 1978 but not published, or published between 1978 and 31 December 2002
Copyright Protection for Web Resources
– The fact that something is sent to you does not give you rights to it.
   – Copyright for an e-mail message belongs to the sender of the message.
– You cannot make copies of text, images, or sounds from the Web without permission.
   – These things are still copyrighted, even though anyone with a computer can get access to them.
Normally Copyright Requires…
– That creators/owners of an expression (authors, artists, musicians, programmers) be asked for permission to use their creations (and often be financially compensated for such use). It is their property which you are using.
– That stiff legal penalties be paid for violation of copyright: most violations of copyright are matters of civil law. Excessive copying, though, is a felony.
History of Copyright in the U.S. (1)
– Copyright is provided for by the United States Constitution of 1789
   – Article I, section 8 (the so-called "Commerce clause") specifies that "The Congress shall have the power … to promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries." From the Constitution of the United States (http://www.law.cornell.edu/constitution/constitution.table.html)
– Note that the Constitution does NOT specify:
   – How Congress shall "promote the progress"
   – What a "limited time" is
   – What makes one an author/inventor
   – What is "exclusive right"
   – What constitutes a writing or discovery
History of Copyright in the U.S. (2)
– One year later, in 1790, the Congress enacted the first federal copyright law, protecting only maps, charts, and books.
– In 1831, copyright protections were expanded to include musical compositions.
– In 1908, the Supreme Court ruled that player-pianos' uses of copyrighted music were not copyright violations but pieces of machinery
   – Some of the tensions we're now seeing between copyrighted content and technology thus appeared nearly 100 years ago
History of Copyright in the U.S. (3)
– In 1984, the Supreme Court ruled that private home videotaping does not infringe copyrights
– In 1992, Congress passed the Audio Home Recording Act, which restricts use of digital-recording tools and requires makers of blank tapes and copying devices to contribute to a royalty pool for musicians
History of Copyright in the U.S. (4)
– In 1998, the Digital Millennium Copyright Act (DMCA) specified copyright protection for digital formats
– A range of court cases over the past several years have been dealing with the ramifications of the DMCA
   – Fonovisa v. Napster
   – Kelly v. Arriba Soft Corp.
   – U.S. v. Elcomsoft
   – Church of Scientology & Google
   – You can google to find the details of these cases
– There are also a number of new statutory laws pending that attempt to address copyrights in an electronic environment
   – Consumer Broadband & Digital Television Act of 2002
The Digital Millennium Copyright Act (DMCA)
– On October 12, 1998, the U.S. Congress passed the Digital Millennium Copyright Act.
– The DMCA amended title 17 of the US Code to extend the reach of copyright, while limiting the liability of Online Providers for copyright infringement by their users.
– Criminalizes the circumvention of measures taken to protect copyright.
– Heightens the penalties for copyright infringement on the Internet.
– On May 22, 2001 the European Union passed the EU Copyright Directive (EUCD), similar in many ways to the DMCA.
DMCA Titles
– Title I: implements the WIPO (World Intellectual Property Organization) treaties
– Title II: creates limitations on the liability of online service providers; anti-circumvention measures
– Title III: creates an exemption for making a copy of a computer program by activating a computer for purposes of maintenance or repair
– Title IV: misc. provisions relating to Copyright Office functions, etc.
– Title V: creates a new form of protection for the design of vessel hulls
DMCA Highlights (1)
– Makes it a crime to circumvent anti-piracy measures built into most commercial software.
– Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
   – Does permit the cracking of copyright protection devices, however, to conduct encryption research, assess product interoperability, and test computer security systems.
   – Provides exemptions from anti-circumvention provisions for nonprofit libraries, archives, and educational institutions under certain circumstances.
– In general, limits Internet service providers' copyright infringement liability for simply transmitting information over the Internet.
DMCA Highlights (2)
– Service providers, however, are expected to remove material from users' web sites that appears to constitute copyright infringement.
   – Problem for MegaDownload website?
– Limits liability of nonprofit institutions of higher education (when they serve as online service providers and under certain circumstances) for copyright infringement by faculty members or graduate students.
– Requires that "webcasters" pay licensing fees to record companies.
DMCA Highlights (3)
– Requires that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations regarding how to promote distance education through digital technologies while "maintaining an appropriate balance between the rights of copyright owners and the needs of users."
– States explicitly that "[n]othing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use..."
DMCA Title II: 17 USC Ch. 12
– §1201(a)(1) prohibits the act of circumventing a technological measure used by copyright owners to control access to their works
– §1201(a)(2) and §1201(b) outlaw the manufacture, sale, distribution or trafficking of tools and technologies that make circumvention possible
Penalties / Liability
– §1203 and §1204 provide BOTH civil and criminal liability
– Civil: temporary & permanent injunctions; actual damages and any additional profits of the violator; statutory damages
– Criminal: fines up to $500,000 and/or 5 years in prison for a 1st violation; fines up to $1,000,000 and/or 10 years for a subsequent violation
Results of DMCA Title II
DMCA's unintended consequences have had greater impact than its intended effect (preventing infringement):
– Chills freedom of expression and scientific research
– Restricts private copying rights
– Creates monopolies and impedes competition
– Stifles innovation
Patents
– What is a patent? A patent is an exclusive right granted for an invention, which is a product or a process that provides a new way of doing something, or offers a new technical solution to a problem.
– What does a patent do? A patent provides protection for the invention to the owner of the patent. The protection is granted for a limited period, generally 20 years.
Source: World Intellectual Property Organization, http://www.wipo.int/aboutip/en/patents.html
Where do Patents Come From?
"A patent is granted by a national patent office or by a regional office that does the work for a number of countries, such as the European Patent Office and the African Regional Industrial Property Organization. Under such regional systems, an applicant requests protection for the invention in one or more countries, and each country decides as to whether to offer patent protection within its borders. The WIPO-administered Patent Cooperation Treaty (PCT) provides for the filing of a single international patent application which has the same effect as national applications filed in the designated countries. An applicant seeking protection may file one application and request protection in as many signatory states as needed."
Where Do Patents Come From?
Some commonly encountered patent granting agencies:
– United States Patent and Trademark Organization: http://www.uspto.gov
– European Patent Office (30 member states): http://ep.espacenet.com
– Japan Patent Office: http://www.jpo.go.jp/
Purpose of Enforcing Patents
– Stop an infringer from selling product (injunction)
– Barrier to entry
– Preserve market position
– Obtain settlement
– Receive $$$: lost profits, royalties
– Preserve rights
Where will I see Patent References?
– Indexing and abstracting databases: some databases cover not only journal articles, but also patents, with varying amounts of coverage
   – SciFinder Scholar (1907-current): http://www.cas.org/products/sfacad/index.html
   – Beilstein (prior to 1980)
– References in books and articles
– References in other patents
How Do I Find the Full Text of a Patent?
– Online from http://www.uspto.gov
   – requires installation of a TIFF viewer
   – patents can only be printed one page at a time
– Print copies ordered from the USPTO
   – $3 per patent
   – can be ordered online, or via fax, mail, or phone
   – delivery can take some time
– Commercial patent suppliers
   – MicroPatent: http://www.micropatent.com
   – delivery via email of PDF
   – ~$7 per patent document
Trademarks
– The trademarks program
   – Protects trademark owner's interest in brand name value and good will
   – Protects consumers from confusion
– A trademark can be
   – Words: "Coca Cola"
   – Phrases: "Have it your way"
   – Symbols
   – Sounds: for example, the sound of "Intel inside"
Purpose of Trademark Protection
A Trademark Filing Program has four purposes:
1. To retain control over the quality and types of use of the marks
2. To provide a basis for challenging infringers
3. To prevent third parties from registering a company's marks
4. To minimize the financial risk
Register the Trademark (1)
– Majority: first to file vs. first to use
– Some of the major commercial countries are first to file:
   – France
   – Germany
   – Japan
   – Spain
– United States: based on actual use
Register the Trademark (2)
– Trademark rights are territorial.
– Some regional systems exist:
   – Community Trade Mark (Europe)
   – OAPI (Africa)
   – Madrid Protocol: an international filing system, but still depends on approval at the national level by the 57 member countries
Register the Trademark (3)
– Select registration in countries in which the company will manufacture, distribute and/or license its mark
– United States: trademark rights extend only to the areas in which a market presence has been established
– United States: presumption of exclusive rights through federal registration
Appropriate Form of the Trademark
– Composite Marks
   – Register the entire composite mark
   – Register the word portion of a mark alone
   – Register the design element
– Word Marks
   – Register in foreign script as well as Roman script (e.g., Hangul, Cyrillic, Arabic)
   – Register the proper translation or transliteration in Asian languages
Trademark Infringement
– "Likelihood of confusion" standard
– Court looks at factors like
   – similarity of goods
   – sophistication of consumers
   – length of time that the mark has been used
   – wrongful intent
Trademark Dilution
– Federal Trademark Dilution Act of 1996
   – prior to 1996, 28 states had anti-dilution laws
– Must show
   – "famous" mark
   – "actual dilution"
– Need not show likelihood of confusion
– Dilution Theory
   – Identical or highly similar mark use lessens the capacity of the famous mark to identify and distinguish its goods
   – Tarnishes the reputation of the mark
Trade Secrets
– Protected by state common law, unlike other IP
– Grounded in a policy of business ethics
– Rights can be perpetual, but are nonexclusive
– Vague standards (e.g., "generally known")
– All patents begin life as trade secrets
What can be Trade Secrets?
– Can be almost anything:
   – the "secret formula"
   – information about customers and prospects
   – business plans and strategies
– Can be "re-creatable," if sufficiently difficult
   – E.g., a market survey
Secret or Not?
– Look to the relevant audience
   – If commonly known in the field, not a trade secret
   – Even if the information is not generally known to the public
   – But it need not be unknown to everyone
Trade Secrets Protection
– Advantage: long life, no disclosure
   – does not expire as patents do
– Disadvantage: no exclusivity
   – a third party is not prevented from independently duplicating and using the secret information once it is discovered
– Increasingly chosen over patents
   – Cheap self-help vs. expensive registration
   – Short lifespan of innovation
   – Patent infringement difficult to police
Three Types of Agreement
– NDA (Non-disclosure agreement): reinforces the obligation to respect confidence
– Assignment: transfers rights to an invention
– Noncompete: temporarily prohibits post-employment competition
NDA (Non-disclosure agreement)
– NDA: effect on behavior usually low
– NDAs are critical to preserving trade secret rights
– Even with the most discreet client, vendor, or investor, the absence of an NDA can blow IP rights
– Provides notice & proves reasonable efforts
– Standard NDA not controversial
– Prohibiting reverse engineering?
– Possible misuse of "residuals" clause
NDA v. Automatic Protection
– Absent an NDA, independent contractors are under no obligation to keep trade secrets
– Employees have an obligation to the employer even without an agreement
   – Even after termination, forever
Employee Assignment
– Employee Assignment: some effect
– Rationale: what the company pays for
– Some states limit with "garage inventor" statutes
– Problem of post-employment restriction
Non-Compete Clause (NCC)
– In contract law, one party (usually an employee) agrees not to pursue a similar profession or trade in competition against another party (usually the employer).
– NonCompetes: substantial effects
– Justification: avoid trade secret battle
– Vague standards (e.g., "reasonable time and scope")
– Varying law
   – California: almost never enforced
   – Some states: "blue pencil" rule
– Trade Secret ≠ Non-compete
   – Obligation to protect trade secret generally does not prohibit working for competitor
Computer Ethics
– Computer ethics is defined as the application of classical ethical principles to the use of computer technology
– Ethical problems related to computers are not unique, but they tend to occur on a much larger scale and scope
   – Scope: communications networks bring the world together
   – Anonymity: beneficial but creates problems of integrity
   – Reproducibility
– Aspects of computer ethics:
   – Analysis of the nature of problems related to the social impact of computers
   – Formulation and justification of policies needed to manage computer technology
Categories of Computer Ethics Issues
– Privacy
   – Computers create a false sense of security
   – People do not realize how vulnerable information stored on computers is
– Property
   – Physical property
   – Intellectual property (in both copyright and patent)
   – Data as property
– Access
   – Access to computing technology
   – Access to data
– Accuracy
   – Accuracy of information stored
Problems with Codes of Ethics
– A legal system is not a complete and correct guide to moral behavior
– Codes of ethics are mostly voluntary
– May encounter situations for which the code makes no explicit recommendations
– Goodness cannot be defined through a list of Dos and Don'ts
– You must use your internal sense of ethics
Ten Commandments of Computer Ethics (1)
– You shall not use a computer to harm other people.
   – Intentionally interfering with other people's work (e.g., your honeypots should not attack others)
   – Invading the privacy of individuals (e.g., creating a set of fake social networking accounts to collect others' private information by becoming their "friends")
– You shall not interfere with other people's computer work.
   – Degrading or disrupting equipment, software, or system performance.
   – Using resources to interfere with the proper operation of any computer, or destroy data.
   – Intentionally interfering with other people's work
   – Invading the privacy of individuals
Ten Commandments of Computer Ethics (2)
– You shall not snoop around in other people's computer files.
   – Using an account owned by another user, or allowing another user to access your account. (Any problems which arise from the misuse of a user's password will be that user's responsibility.)
   – Invading the privacy of individuals
– You shall not use a computer to steal.
   – Using resources in any manner that violates Board policy, federal, state, or local law, including unauthorized copying or transmission of software.
Ten Commandments of Computer Ethics (3)
– You shall not use a computer to bear false witness.
   – Initiating or forwarding "chain" letters.
   – Downloading, storing, printing, or distributing files or messages that are profane, obscene, threatening, or that use language that offends or tends to degrade others.
   – Urban legends (e.g., kidney transplants)
   – Unproven rumors (e.g., free Coca-Cola)
– You shall not copy or use proprietary software for which you have not paid.
   – Using resources in any manner that violates Board policy, federal, state, or local law, including unauthorized copying or transmission of software.
Ten Commandments of Computer Ethics (4)
– You shall not use other people's computer resources without authorization or proper compensation.
   – Using information obtained through network and computer resources without giving proper credit to the source (plagiarism).
   – Posting personal communication without the original author's consent.
– You shall not appropriate other people's intellectual output.
   – Posting personal communication without the original author's consent.
   – Using information obtained through network and computer resources without giving proper credit to the source (plagiarism).
Ten Commandments of Computer Ethics (5)
– You shall think about the social consequences of the program you are writing or the system you are designing.
   – Initiating or forwarding "chain" letters.
   – Downloading, storing, printing, or distributing files or messages that are profane, obscene, threatening, or that use language that offends or tends to degrade others.
– You shall always use a computer in ways that show consideration and respect for your fellow humans.
   – Downloading, storing, printing, or distributing files or messages that contain information considered dangerous to the public at large.
Computer Crime
– Any crime in which computer-related technology is encountered.
– The commission of illegal acts through the use of a computer or against a computer system.
– "An act committed in violation of criminal or civil codes using electronic or digital technologies for unauthorized activities and transactions"
Types of Computer Crime
– Business attacks
– Financial attacks
– Terrorist attacks
– Grudge attacks
– Fun attacks
Most Common Computer Crimes
– Fraud by computer manipulation
– Computer forgery
– Damage to or modification of computer data or programs
– Unauthorized access to computer systems and services
– Unauthorized reproduction of legally protected computer programs
Computer Crimes Are Hard to Prosecute
– Lack of understanding
– Lack of physical evidence
– Lack of recognition of assets
– Lack of political impact
– Complexity of case
– Age of defendant (juveniles)
– Lack of updated law for the new technology
Computer Crimes Are Hard to Catch
– Multinational activity
   – No international laws for computer crimes
– Complexity
   – Networked attacks are hard to trace
   – E.g., an attacker uses a chain of "stepping stones" to conduct an attack; these stepping stones are all around the world
The Fight Against Computer Crimes
The role in combating cyber crime is essentially two-fold:
– (1) preventing cyber attacks before they occur, or limiting their scope, by disseminating warnings and advisories about threats so that potential victims can protect themselves
– (2) responding to attacks that do occur by investigating and identifying the perpetrator
Existing Laws Used for Computer Crimes
– U.S. Computer Fraud and Abuse Act
– U.S. Economic Espionage Act
– U.S. Electronic Funds Transfer Act
– U.S. Freedom of Information Act
– U.S. Privacy Act
– U.S. Electronic Communications Privacy Act
– U.S. Patriot Act
– Gramm-Leach-Bliley Act
– HIPAA
– CAN-SPAM Act
U.S. Computer Fraud and Abuse Act
– Unauthorized access to a computer containing data protected for national defense or foreign relations concerns
– Unauthorized access to a computer containing certain banking or financial information
– Unauthorized access, use, modification, destruction, or disclosure of a computer or information in a computer operated on behalf of the U.S. government
– Accessing without permission a "protected computer," which the courts now interpret to include any computer connected to the Internet
– Computer fraud
– Transmitting code that causes damage to a computer system or network
– Trafficking in computer passwords
U.S. Economic Espionage Act (1996)
This act outlaws use of a computer for foreign espionage to benefit a foreign country or business, or for theft of trade secrets
U.S. Electronic Funds Transfer Act
This law prohibits use, transport, sale, receipt, or supply of counterfeit, stolen, altered, lost, or fraudulently obtained debit instruments in interstate or foreign commerce
US Privacy Act (1974)
This act protects the privacy of personal data collected by the government. An individual is allowed to determine
– What data
HIPAA (Health Insurance Portability and Accountability Act, Public Law 104-191, 1996)
– Part I: rights of workers to maintain health insurance coverage after their employment was terminated
– Part II: protection of the privacy of individuals' medical records. Healthcare providers must perform standard security practices such as
   – Enforce need to know
   – Ensure minimum necessary disclosure
   – Designate a privacy officer
   – Document information security practices
   – Track disclosure of information
   – Develop a method for patients' inspection and copying of their information
Computer Crime Cases
– List of computer crime criminals: http://en.wikipedia.org/wiki/List_of_computer_criminals
– Timeline of hacker history: http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history