Chapter 9 - Legal, Privacy, and Ethical Issues in Computer Security
Download
Report
Transcript Chapter 9 - Legal, Privacy, and Ethical Issues in Computer Security
Chapter 9 – Legal, Privacy, and
Ethical Issues in Computer Security
Program and data protection by
patents, copyrights, and trademarks
Computer Crime
Privacy
Ethical Analysis of computer security
situations
Codes of professional ethics
Motivation for studying legal issues
Know what protection the law
provides for computers and data
Appreciate laws that protect the
rights of others with respect to
computers, programs, and data
Understand existing laws as a basis
for recommending new laws to
protect compuuters, programs, and
data
Aspects of Protection of the
security of computers
Protecting computing systems
against criminals
Protecting code and data (copyright...)
Protecting programmers’ and
employers’ rights
Protecting private data about
individuals
Protecting users of programs
Protecting Programs and Data
Copyrights – designed to protect the
expression of ideas (not the idea!!!)
• Copyright law of 1978; Digital Millennium
Copyright Act of 1998
• Copyright gives the author exclusive right to
make copies of the expression and sell them to
the public
• “original works of authorship fixed in any
tangible medium of expression,… from which
they can be perceived, reproduced, or
otherwise communicated.”
Copyrights
Public domain- work owned by the
public, (e.g. government)
Work must be original to the author
“fair use of a copyrighted work, including
such use by reproduction I copies…for
purposes such as criticism, comment,
news reporting, teaching (including
multiple copies for classroom use),
scholarship or research.”
New owner can give away or sell object
Copyright
Each copy mist be marked with the
copyright symbol © or the word
Copyright, the year and the author’s name
U.S. copyright lasts for 70 years beyond
death of last surviving author or 95 years
after publication for a company
Copyright Infringement
Copyrights for computer software (cannot
copyright the algorithm)
You do not purchase a piece of software,
just the license to use it.
Computer menu design can be
copyrighted, but not “look and feel”
Digital Millennium Copyright Act
Digital objects can be subject to copyright
Crime to circumvent/disable antipiracy
functionality
Crime to manufacture, sell, or distribute
devices that disable antipiracy
functionality
Antipiracy devices can be used for
research and educational purposes
Acceptable to make a backup copy
Libraries can make up to three copies for
lending to other libraries
Patents
Protect inventions, tangible objects, or
ways to make them, not works of the
mind.
Patent designed to protect the device or
process for carrying out an idea, not the
idea itself.
Patent goes to person who invented the
object first
Algorithms are inventions and can be
patented
Trade Secrets
Information that gives one company
a competitive edge over others
Reverse engineering – study
finished object to determine how it is
manufactured or how it works
Trade secret protection can apply to
software
Protection for Computer Objects
Hardware can be patented
Firmware (hardware patent; code
protected as a trade secret)
Object code – copyrighted
Source code – either trade secret or
copyright
Documentation – copyright
COPYLEFT
(http://www.gnu.org/copyleft/copyleft.html#WhatIsCopyleft)
Information and the Law
Information as an Object
• Information is not depletable
• Information can be replicated
• Information has a minimal marginal cost
• Value of information is often time
dependent
• Information is often transferred
intangibly
Legal Issues Relating to
Information
Information Commerce
• Copy protection, freeware, controlled
distribution, mobile code/applets
Electronic Publishing
Protecting Data in a Database (who
owns?)
Electronic Commerce
Protecting Information
Criminal and Civil Law – statues
Tort Law (harm not occurring from
violation of a stature or from breach
of a contract) – Fraud
Contract Law (agreement between
two parties) – requires
• Offer
• Acceptance
• consideration
Rights of Employees and
Employers
Ownership of Products
Ownership of Patent – inventor owns the
Ownership of Copyright – author is presumed
Work for hire – “employer has right to
work
owner of the work
patent/copyright if the employee’s job function
included inventing the product”
Trade Secret Protection
Employment Contracts
Software Failures
What are the legal issues in selling
correct and usable software?
What are the moral or ethical issues
in producing correct and usable
software?
What are the moral or ethical issues
in finding, reporting, publicizing, and
fixing flaws?
“Responsible” Vulnerability
Reporting
Vendor must acknowledge a vulnerability report
confidentially to the reporter
Vendor must agree that the vulnerability exits (or
argue otherwise) to the reporter
Vendor must inform users of the vulnerability and
any available countermeasures within 30 days
Vendor may request from the reporter a 30-day
quiet period to allow users time to install patches
At the end of quiet period, vendor and report
agree upon a release date
Vendor shall credit reporter with having located
vulnerability
Computer Crime
Rules of Property
Rules of Evidence
Threats to Integrity and
Confidentiality
Value of Data
Acceptance of Computer Terminology
Computer Crime
Why Computer Crime is Hard to Define
Why Computer Crime is Hard to Prosecute
•
•
•
•
•
•
Lack of understanding
Lack of physical evidence
Lack of recognition of assets
Lack of political impact
Complexity of case
Juveniles
2002 Computer Crime and Security
Survey – CSI/FBI Report
Ninety percent of respondents detected computer
security breaches within the last twelve months.
Eighty percent acknowledged financial losses due
to computer breaches.
Forty-four percent (223 respondents) were willing
and/or able to quantify their financial losses.
These 223 respondents reported $455,848,000 in
financial losses.
For the fifth year in a row, more respondents
(74%) cited their Internet connection as a
frequent point of attack than cited their internal
systems as a frequent point of attack (33%).
Thirty-four percent reported the intrusions to law
enforcement. (In 1996, only 16% acknowledged
reporting intrusions to law enforcement.)
Examples of Statutes
U.S. Computer Fraud and Abuse Act
(1984)
U.S. Economic Espionage Act
U.S. Electronic Funds Transfer Act
U.S. Freedom of Information Act
U.S. Privacy Act
U.S. Electronic Communications Privacy
Act
USA Patriot Act
International Dimensions
Computer Crime
Why Computer Criminals Are Hard to
Catch
• No international laws on computer crime
• Complexity of crime
What Computer Crime Does Not Address
• Courts must interpret what a computer is
• Courts must determine the value of the loss
Cryptography and the Law
Controls on Use of Cryptography
Controls on Export of Cryptography
Cryptography and Free Speech
Cryptographic Key Escrow
• Clipper, Capstone, Fortezza
Current Policy (1998)
Privacy
IDENTITY THEFT
Threats to privacy
Aggregation and Data mining
Poor Security System (due diligence)
Government Threats
Computer use
Societal Goal
Corporate Rights and Private Business
Privacy for Sale
Controls Protecting Privacy
Authentication
Anonmity (anonymizers)
Computer Voting
Pseudonymity (Swiss bank account)
Legal Controls
• E.U. Data Protection Act (1998)
• Gramm-Leach-Biley Act (1999)
• HIPAA
Ethical Issues
Difference between law and ethics
• Ethic – objectively defined standard of right
and wrong (ethics are personal)
Studying Ethics
• Ethics and Religion
• Ethical Principles are not universal
• Ethics does not provide answers (ethical
pluralism)
• Ethical Reasoning
CASE STUDIES OF ETHICS
CODE OF ETHICS
IEEE (pg. 623)
ACM (pg. 624)
Computer Ethics Institute (pg. 625)
Social Engineering
“we have met the enemy and they
are us” - POGO
Social Engineering – “getting people
to do things that they wouldn’t
ordinarily do for a stranger” – The
Art of Deception, Kevin Mitnick
Controls
Reduce and contain the risk of
security breaches
“Security is not a product, it’s a
process” – Bruce Schneier [Using any
security product without
understanding what it does, and
does not, protect against is a recipe
for disaster.]
Education & Misinformation
SQL Slammer infected through MSDE
2000, a lightweight version of SQL
Server installed as part of many
applications from Microsoft (e.g.
Visio) as well as 3rd parties.
CodeRed infected primarily desktops
from people who didn't know that
the "personal" version of IIS was
installed.
Educate programmers and future
Conclusions
Every organization MUST have a
security policy
• Acceptable use statements
• Password policy
• Training / Education
Conduct a risk analysis to create a
baseline for the organization’s
security
Create a cross-functional security
team