
CS 5950 Computer Security and Information Assurance Section 7: Legal, Privacy, and Ethical Issues in Computer Security Dr. Leszek Lilien Department of.


Slide 1: CS 5950 Computer Security and Information Assurance
Section 7: Legal, Privacy, and Ethical Issues in Computer Security
Dr. Leszek Lilien, Department of Computer Science, Western Michigan University
Slides based on Security in Computing, Third Edition, by Pfleeger and Pfleeger.
Using some slides courtesy of:
- Prof. Aaron Striegel (course taught at U. of Notre Dame)
- Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke (U. Idaho), course taught at U. Washington
- Prof. Jussipekka Leiwo, course taught at Vrije Universiteit (Free U.), Amsterdam, The Netherlands
Slides not created by the above authors are © 2006 by Leszek T. Lilien. Requests to use original slides for non-profit purposes will be gladly granted upon a written request.

Slide 2: 7. Legal, Privacy, and Ethical Issues in Computer Security
Section 8 – Computer Security and Information Assurance – Spring 2006 © by Leszek T. Lilien, 2006
Human controls applicable to computer security:
7.1. Basic Legal Issues
  a) Protecting Programs and Data
  b) Information and the Law
  c) Ownership Rights of Employees and Employers
  d) Software Failures (and Customers)
7.2. Computer Crime
7.3. Privacy
7.4. Ethics
  a) Introduction to Ethics
  b) Case Studies of Ethics
  c) Codes of Professional Ethics

Slide 3: 7.1. Basic Legal Issues
Outline:
  a) Protecting Programs and Data
  b) Information and the Law
  c) Ownership Rights of Employees and Employers
  d) Software Failures (and Customers)

Slide 4: a) Protecting Programs and Data (1)
Copyrights: designed to protect the expression of ideas (creative works of the mind)
- Ideas themselves are free; different people can have the same idea
- The way of expressing an idea is what is copyrighted
- A copyright is the exclusive right to make copies of the expression
- Copyright protects intellectual property (IP); the IP must be:
  - an original work
  - fixed in some tangible medium of expression
--SKIP--
Digital Millennium Copyright Act (DMCA) of 1998
- Clarified some copyright issues for digital objects

Slide 5: Protecting Programs and Data (2)
Patent: designed to protect tangible objects, or ways to make them (not works of the mind)
- The protected entity must be novel and nonobvious
- The first inventor who obtains a patent gets the invention protected against patent infringement
- Patents have been granted for algorithms only since 1981
Trade secret: information that provides a competitive edge over others
- Information that has value only if kept secret
- Undoing the release of a secret is impossible or very difficult
- Reverse engineering used to uncover a trade secret is legal!
- Trade secret protection applies very well to computer software, e.g., programs that use algorithms unknown to others

Slide 6: --SKIP-- Protecting Programs and Data (3): Comparing Copyright, Patent and Trade Secret Protection

| Aspect                        | Copyright                                      | Patent                                                   | Trade Secret                      |
|-------------------------------|------------------------------------------------|----------------------------------------------------------|-----------------------------------|
| Protects                      | Expression of idea, not the idea itself        | Invention (the way something works)                      | Secret, competitive advantage     |
| Protected object made public  | Yes; intention is to promote publication       | Design filed at Patent Office                            | No                                |
| Must distribute               | Yes                                            | No                                                       | No                                |
| Ease of filing                | Very easy, do-it-yourself                      | Very complicated; specialist lawyer suggested            | No filing                         |
| Duration                      | Originator's life + 70 yrs; 95 yrs for a company | 19 years (20 years from filing under current U.S. law) | Indefinite                        |
| Legal protection              | Sue if unauthorized copy sold                  | Sue if invention copied/reinvented                       | Sue if secret improperly obtained |

Slide 7: Protecting Programs and Data (4)
How to protect:
- Hardware: patent
- Firmware (microcode):
  - patent the physical device (chip)
  - use trade secret protection
  - copyright software such as an embedded OS
- Object code software:
  - copyright of binary code?? copyright of source code?? Legal precedents are needed
- Source code software:
  - use trade secret protection
  - copyright registration reveals some code, which facilitates reverse engineering
  - legal precedents are needed here, too

Slide 8: b) Information and the Law (1)
Characteristics of information as an object of value:
- Not depletable
- Can be replicated (a buyer can become a seller)
- Has minimal marginal cost (= the cost to produce the n-th copy after producing n-1 copies)
- Value is often time dependent (outdated => lower or no value)
- Can be transferred intangibly
--SKIP--
Legal issues for information:
- Information commerce: need technological and legal protections for the information seller
- Electronic publishing: cryptographic + legal solutions to protect the seller's rights
- Protecting data in a DB: how to decide which DB is the source for given data? Who owns data in a DB if it is public data (e.g., name + phone)?
- E-commerce: how to prove that information was delivered too late or is "bad"?

Slide 9: b) Information and the Law (2)
Copyright, patents, and trade secrets cover some (not all!) protection needs
- Remaining protection needs can use the law mechanisms discussed below
- Building precedents or contributing to legislating new laws
Law categories:
1) Criminal Law / Statutory Law
2) Civil Law (I hope I'm right with these subcategories)
  2a) Common Law / Tort Law
  2b) Contracts

Slide 10: b) Information and the Law (3): Comparison of Criminal and Civil Law

| Aspect           | Criminal Law | Civil Law                         |
|------------------|--------------|-----------------------------------|
| Defined by       | Statutes     | Common law (tort law), contracts  |
| Cases brought by | Government   | Individuals and companies         |
| Wronged party    | Society      | Individuals and companies         |
| Remedy           | Jail, fine   | Damages, typically monetary       |

Slide 11: c) Ownership Rights of Employees and Employers (1)
Ownership rights are a computer security issue
- Concerned with protecting the secrecy (confidentiality) and integrity of works produced by employees of an employer
Ownership issues in employee/employer relations:
- Ownership of products: products/ideas/inventions developed by an employee after hours might still be owned by her employer, especially if in the same "line of business"
- Ownership of patents: if the employer files for a patent, the employer (not the employee-inventor) will own the patent
- Ownership of copyrights: similar to patents
- Trade secret protection: no registered inventor/author; the owner can prosecute for damages

Slide 12: Ownership Rights of Employees and Employers (2)
The type of employment has ownership consequences:
- Work for hire: all work done by the employee is owned by the employer
- Employment contracts: often spell out ownership rights; often include an agreement not to compete (for some time after termination); non-competition is not always enforceable by law
- Licenses: the programmer retains full ownership of the developed software and grants a license for a fee

Slide 13: d) Software Failures (and Customers) (1)
--SKIP--
Issue 1: Software quality: is it "correct" or not?
- If not correct: ask for a refund, replacement, or fixing
  - Refund: possible
  - Replacement: if this copy is damaged, or the software was improved in the meantime
  - Fixing: rarely legally enforced; instead, monetary awards for damages
- Correctness of software is difficult to define/enforce legally
- An individual can rarely sue a major software vendor (prohibitive costs for the individual)

Slide 14: Software Failures (and Customers) (2)
Issue 2: Reporting software flaws
- Should we share software vulnerability information? Both pros and cons
- Vendor interests: vendors (e.g., MS) don't want to react to individual flaws; they prefer to bundle a number of flaw fixes
- User interests: would like to have fixes quickly
Responsible vulnerability reporting: how to report vulnerability information responsibly?
- E.g.: first notify the vendor and give the vendor a few weeks to fix
- If the vendor delays fixes, ask a "coordinator" for help
- Coordinator: e.g., a computer emergency response center such as the CERT Coordination Center (CERT/CC)
Quality software is the real solution: "The world does not need faster patches, it needs better software"

Slide 15: 7.2. Computer Crime (1)
A separate category for computer crime (CC) is needed, because special laws are needed for CC
--SKIP--
CC (special laws) need to deal with:
- New rules of property for CC: bits of information are now considered property (they were not in a 1984 case)
- New rules of evidence for CC: hard to prove the authenticity of evidence for CC (easy to change!)
- Value of integrity and confidentiality/privacy: the value of privacy is now recognized by several federal/state laws
- Value of data: courts understand the value of data better
- Acceptance of computer terminology: law lags behind technology in acceptance of new terminology

Slide 16: --SKIP-- Computer Crime (2)
CC (special laws) need to deal with (cont.):
- Difficulty of defining CC: the legal community is slow in accommodating advances in computing; law change is cautious/conservative by nature
- Difficulty of prosecuting CC. Reasons: lack of understanding / lack of physical evidence / lack of recognition of assets / lack of political impact / complexity of CC cases / lenient treatment of juveniles committing CCs

Slide 17: Computer Crime (3)
Examples of American statutes related to CC
--SKIP--
- 1974: US Privacy Act. Protects the privacy of data collected by the executive branch of the federal government
- 1984: US Computer Fraud and Abuse Act. Penalties: max{100K, stolen value} and/or 1 to 20 years
- 1986: US Electronic Communications Privacy Act. Protects against wiretapping; exceptions: court order, ISPs
- 1996: US Economic Espionage Act
- 2001: USA Patriot Act
- US Electronic Funds Transfer Act
- US Freedom of Information Act

Slide 18: --SKIP-- Computer Crime (4)
International CC laws:
- 1995: EU Data Protection Directive (95/46/EC; member states had to transpose it by 1998)
- Restricted Internet content, e.g., China
- Cryptography use: different laws in different countries
Why computer criminals are hard to catch:
- Multinational activity
- Complexity, e.g., attackers "bouncing" attacks through many places to cover their tracks
- Law is not precise: problems with "computer," object value, privacy
Cryptography challenges:
- Controls on its use internally (allowing the government to track illegal activities) and for export
- Free speech issues with restricting it
- Government wanted key escrow (remember Clipper?)

Slide 19: 7.3. Privacy (1)
Identity theft: the most serious crime against privacy
Threats to privacy:
- Aggregation and data mining
- Poor system security
- Government threats: the government has a lot of people's most private data (taxes / homeland security / etc.); people's privacy vs. homeland security concerns
- The Internet as a privacy threat: unencrypted e-mail / web surfing / attacks
- Corporate rights and private business: companies may collect data that the U.S. government is not allowed to
- Privacy for sale: many traps, e.g., accepting frequent-buyer cards reduces your privacy

Slide 20: Privacy (2)
Controls for protecting privacy:
- Authentication
- Anonymity (needed also in computer voting)
- Pseudonymity
Legal privacy controls:
- 1996: HIPAA. Privacy of individuals' medical records
- 1998: EU Data Protection Directive (95/46/EC) in force. Privacy protections stronger than in the U.S.
- 1999: Gramm-Leach-Bliley Act. Privacy of data for customers of financial institutions

Slide 21: 7.4. Ethics, a) Introduction to Ethics (1)
Law vs. ethics:
- Law alone can't restrict human behavior; it is impractical/impossible to describe/enforce all acceptable behaviors
- Ethics/morals are sufficient self-controls for most people
- Contrast of law and ethics: Table 9-3, p. 606
--SKIP--
Characteristics of ethics:
- Ethics is not religion (but religions include ethical principles)
- Ethical principles are not universal: they vary in different cultures, and even among individuals in the same culture
- Ethics is pluralistic in nature, in sharp contrast to science and technology, which often have only one correct answer

Slide 22: --SKIP-- Introduction to Ethics (2)
Systems of ethics:
1) Consequence-based: do what results in the greatest good and least harm
  1a) Egoism: I do what's good for me
  1b) Utilitarianism: I do what brings the greatest collective good
2) Rules-based (deontology): do what is prescribed by certain universal, self-evident, natural rules of proper conduct; could be based on religion or philosophy

Slide 23: --SKIP-- b) Case Studies of Ethics
Read especially:
- Case II: Privacy Rights (p. 612)
- Case VIII: Ethics of Hacking or Cracking (p. 619)

Slide 24: c) Codes of Professional Ethics
Different codes of professional ethics:
- Computer Ethics Institute, Ten Commandments of Computer Use: Fig. 9-3, p. 625
- IEEE: Fig. 9-1, p. 623
- ACM: Fig. 9-2, p. 624

Slide 25: End of Section 7 (Ch. 9)

