1 Chapter 9 – Legal, Privacy, and Ethical Issues in Computer Security  Program and data protection by patents, copyrights, and trademarks  Computer Crime  Privacy  Ethical Analysis of computer security situations  Codes of professional ethics

2 Motivation for studying legal issues  Know what protection the law provides for computers and data  Appreciate laws that protect the rights of others with respect to computers, programs, and data  Understand existing laws as a basis for recommending new laws to protect computers, programs, and data

3 Aspects of Protection of the security of computers  Protecting computing systems against criminals  Protecting code and data ( copyright...)  Protecting programmers’ and employers’ rights  Protecting private data about individuals  Protecting users of programs

4 Protecting Programs and Data  Copyrights – designed to protect the expression of ideas (not the idea!!!)  Copyright law of 1978; Digital Millennium Copyright Act of 1998  Copyright gives the author the exclusive right to make copies of the expression and sell them to the public  “original works of authorship fixed in any tangible medium of expression,… from which they can be perceived, reproduced, or otherwise communicated.”

5 Copyrights  Public domain – work owned by the public (e.g. works of the U.S. government)  Work must be original to the author  “fair use of a copyrighted work, including such use by reproduction in copies…for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship or research.”  The new owner of a copy can give away or sell that object (but not make further copies)

6 Copyright  Each copy should be marked with the copyright symbol © or the word Copyright, the year and the author’s name (since the U.S. joined the Berne Convention in 1989 the notice is no longer required for protection, but it still strengthens an infringement claim)  U.S. copyright lasts for 70 years beyond the death of the last surviving author, or 95 years after publication for a work made for hire (company-owned)  Copyright Infringement  Copyrights for computer software (the algorithm itself cannot be copyrighted, only its expression in code)  You do not purchase a piece of software, just a license to use it.  Computer menu design can be copyrighted, but not “look and feel”

7 Digital Millennium Copyright Act  Digital objects can be subject to copyright  Crime to circumvent/disable antipiracy (access-control) functionality  Crime to manufacture, sell, or distribute devices that disable antipiracy functionality  Circumvention is permitted for certain research and educational purposes (e.g. encryption research, security testing)  Acceptable to make a backup copy  Libraries can make up to three copies (e.g. for preservation or lending to other libraries)

8 Patents  Protect inventions, tangible objects, or ways to make them, not works of the mind.  Patent designed to protect the device or process for carrying out an idea, not the idea itself.  Patent goes to the person who invented the object first (the U.S. rule at the time of these slides; since the America Invents Act of 2013 the U.S. awards the patent to the first inventor to file)  Algorithms, when claimed as a process rather than as pure mathematics, can be patented (the RSA algorithm was patented in the U.S.)

9 Trade Secrets  Information that gives one company a competitive edge over others  Reverse engineering – study finished object to determine how it is manufactured or how it works  Trade secret protection can apply to software

10 Protection for Computer Objects  Hardware can be patented  Firmware (hardware patent; code protected as a trade secret)  Object code – copyrighted  Source code – either trade secret or copyright  Documentation – copyright  COPYLEFT ( http://www.gnu.org/copyleft/copyleft.html#WhatIsCopyleft)

11 Information and the Law  Information as an Object  Information is not depletable  Information can be replicated  Information has a minimal marginal cost  Value of information is often time dependent  Information is often transferred intangibly

12 Legal Issues Relating to Information  Information Commerce: copy protection, freeware, controlled distribution, mobile code/applets  Electronic Publishing  Protecting Data in a Database (who owns it?)  Electronic Commerce

13 Protecting Information  Criminal and Civil Law – statutes  Tort Law (harm not arising from violation of a statute or from breach of a contract) – e.g. fraud  Contract Law (agreement between two parties) – requires  Offer  Acceptance  Consideration

14 Rights of Employees and Employers  Ownership of Products  Ownership of Patent – inventor owns the work  Ownership of Copyright – author is presumed owner of the work  Work for hire – “employer has right to patent/copyright if the employee’s job function included inventing the product”  Trade Secret Protection  Employment Contracts

15 Software Failures  What are the legal issues in selling correct and usable software?  What are the moral or ethical issues in producing correct and usable software?  What are the moral or ethical issues in finding, reporting, publicizing, and fixing flaws?

16 “Responsible” Vulnerability Reporting  Vendor must acknowledge a vulnerability report confidentially to the reporter  Vendor must agree that the vulnerability exists (or argue otherwise) to the reporter  Vendor must inform users of the vulnerability and any available countermeasures within 30 days  Vendor may request from the reporter a 30-day quiet period to allow users time to install patches  At the end of the quiet period, vendor and reporter agree upon a release date  Vendor shall credit the reporter with having located the vulnerability

17 Computer Crime  Rules of Property  Rules of Evidence  Threats to Integrity and Confidentiality  Value of Data  Acceptance of Computer Terminology

18 Computer Crime  Why Computer Crime is Hard to Define  Why Computer Crime is Hard to Prosecute  Lack of understanding  Lack of physical evidence  Lack of recognition of assets  Lack of political impact  Complexity of case  Juveniles

19 2002 Computer Crime and Security Survey – CSI/FBI Report  Ninety percent of respondents detected computer security breaches within the last twelve months.  Eighty percent acknowledged financial losses due to computer breaches.  Forty-four percent (223 respondents) were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.  For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%).  Thirty-four percent reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting intrusions to law enforcement.)

20 Examples of Statutes  U.S. Computer Fraud and Abuse Act (1984)  U.S. Economic Espionage Act  U.S. Electronic Funds Transfer Act  U.S. Freedom of Information Act  U.S. Privacy Act  U.S. Electronic Communications Privacy Act  USA Patriot Act  International Dimensions

21 Computer Crime  Why Computer Criminals Are Hard to Catch  No international laws on computer crime  Complexity of crime  What Computer Crime Law Does Not Address  Courts must interpret what a computer is  Courts must determine the value of the loss

22 Cryptography and the Law  Controls on Use of Cryptography  Controls on Export of Cryptography  Cryptography and Free Speech  Cryptographic Key Escrow: Clipper, Capstone, Fortezza  Current Policy (1998)

23 Privacy  IDENTITY THEFT  Threats to privacy  Aggregation and Data mining  Poor Security System (due diligence)  Government Threats  Computer use  Societal Goal  Corporate Rights and Private Business  Privacy for Sale

24 Controls Protecting Privacy  Authentication  Anonymity (anonymizers)  Computer Voting  Pseudonymity (Swiss bank account)  Legal Controls  E.U. Data Protection Directive (1995) / U.K. Data Protection Act (1998)  Gramm-Leach-Bliley Act (1999)  HIPAA

25 Ethical Issues  Difference between law and ethics  Ethic – objectively defined standard of right and wrong (ethics are personal)  Studying Ethics  Ethics and Religion  Ethical Principles are not universal  Ethics does not provide answers (ethical pluralism)  Ethical Reasoning  CASE STUDIES OF ETHICS

26 CODE OF ETHICS  IEEE (pg. 623)  ACM (pg. 624)  Computer Ethics Institute (pg. 625)

28 Social Engineering  “we have met the enemy and they are us” - POGO  Social Engineering – “getting people to do things that they wouldn’t ordinarily do for a stranger” – The Art of Deception, Kevin Mitnick

29 Controls  Reduce and contain the risk of security breaches  “Security is not a product, it’s a process” – Bruce Schneier [Using any security product without understanding what it does, and does not, protect against is a recipe for disaster.]

30 Education & Misinformation  SQL Slammer infected hosts through MSDE 2000, a lightweight version of SQL Server installed as part of many applications from Microsoft (e.g. Visio) as well as 3rd parties; many owners did not know they were running a SQL Server service at all.  CodeRed infected many desktops whose owners didn't know that the "personal" version of IIS was installed.  Both worms exploited buffer overflows in network-facing code: educate programmers and future programmers of the importance of checking for buffer overflows.
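The defect behind both worms is a network parser that trusts a length it read from the packet. The following is an added example written for this page, not code from the slides or from either worm; the wire format (one length byte followed by a name) is constructed for illustration and is not SQL Slammer's real packet layout. It shows the trusting parser beside a checked one that validates the claimed length against both the packet and the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* size of the fixed stack buffer the name is copied into */

/* Constructed wire format (assumption, not a real protocol):
   byte 0 = length L of the name field, bytes 1..L = the name. */

/* Vulnerable version: trusts the length byte read from the packet.
   L may exceed both pkt_len (over-read) and FIELD_MAX (stack overflow).
   Shown for contrast; never called with hostile input here. */
int parse_name_trusting(const uint8_t *pkt, size_t pkt_len, char *out) {
    if (pkt_len < 1) return -1;
    size_t n = pkt[0];
    memcpy(out, pkt + 1, n);   /* unchecked copy: the Slammer/Code Red class of bug */
    out[n] = '\0';
    return (int)n;
}

/* Hardened version: the claimed length is checked against the bytes actually
   received and against the destination size (leaving room for the NUL).
   Returns the field length, or -1 if the packet is rejected. */
int parse_name_checked(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_len) {
    if (pkt_len < 1) return -1;
    size_t n = pkt[0];                 /* 0..255, so n + 1 cannot wrap */
    if (n + 1 > pkt_len) return -1;    /* claimed length runs past the packet: over-read */
    if (n >= out_len) return -1;       /* would not fit with terminator: overflow */
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* 1 if the packet parses safely into a FIELD_MAX buffer, 0 if rejected. */
int packet_is_safe(const uint8_t *pkt, size_t pkt_len) {
    char field[FIELD_MAX];
    return parse_name_checked(pkt, pkt_len, field, sizeof field) >= 0 ? 1 : 0;
}

/* Constructed sample packets, wrapped so each case can be checked by name. */
int demo_wellformed(void) {               /* claims 5 bytes, carries 5: accepted, returns 5 */
    uint8_t pkt[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    char field[FIELD_MAX];
    return parse_name_checked(pkt, sizeof pkt, field, sizeof field);
}

int demo_truncated(void) {                /* claims 200 bytes, carries 1: rejected, -1 */
    uint8_t pkt[] = { 200, 'x' };
    char field[FIELD_MAX];
    return parse_name_checked(pkt, sizeof pkt, field, sizeof field);
}

int demo_oversized(void) {                /* fits the packet but not the 32-byte field: -1 */
    uint8_t pkt[FIELD_MAX + 2];
    pkt[0] = FIELD_MAX;
    memset(pkt + 1, 'A', FIELD_MAX + 1);
    char field[FIELD_MAX];
    return parse_name_checked(pkt, sizeof pkt, field, sizeof field);
}

int main(void) {
    printf("well-formed: %d\n", demo_wellformed());
    printf("truncated:   %d\n", demo_truncated());
    printf("oversized:   %d\n", demo_oversized());
    return 0;
}
```

Note that the trusting parser fails in two different ways: a length larger than the packet reads past the receive buffer, and a length larger than the field writes past the stack buffer. A check against only one of the two bounds leaves the other defect in place, which is why the hardened version tests both.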

31 Conclusions  Every organization MUST have a security policy  Acceptable use statements  Password policy  Training / Education  Conduct a risk analysis to create a baseline for the organization’s security  Create a cross-functional security team  “You are the weakest link”
