Transcript EE579U

EE579U
Information Systems Security
and Management
7. Information Security Law revisited
Professor Richard A. Stanley
Spring 2004
© 2000-2004, Richard A. Stanley
EE579U/6 #1
Overview of Today’s Class
• Review of last class (#5 -- #6 was the midterm)
• More about information security Law
EE579U/6 #2
Last time…
• Computer crime is a fast-growing area of
illegal activity
• “That’s where the money is”
• Computers (and networks) are regulated by
a large and growing body of law
• Both civil and criminal issues involved
• Liability is a major consideration for any
business or practitioner
EE579U/6 #3
Law
• You have had a basic grounding in the law
in the last class
• This class seeks to expand your
understanding of how law is classified,
made, and enforced…
• And how it affects our world of information
systems
EE579U/6 #4
Definitions of Laws - 1
• Laws are often considered commands, a means for
controlling people’s conduct in society.
• Law can be defined as a means of social control
having four characteristics:
– A scheme of social control
– A method to protect social interests,
– It accomplishes its purpose by recognizing a capacity in
persons to influence the conduct of others
– Law provides courts and legal procedures to help the
person with this capacity
EE579U/6 #5
Definitions of Laws - 2
• Law can regulate human conduct and through the
courts it can resolve controversies.
– Justice is a purpose and objective of government and
civil society. Apparently the achievement of justice
depends upon the concept of right and wrong in the
society involved. One goal of justice in our society, as
stated in the Declaration of Independence, is to secure
for all “life, liberty and the pursuit of happiness.”
EE579U/6 #6
Classifications of Law - 1
• Common Law
– rules of law created by the courts through judicial
decisions
• Stare decisis (Latin: to stand by things decided)
– courts “make law” as part of the process of deciding
cases and controversies before them – case law is
created in the process
– Stare decisis is essentially the doctrine of precedent.
Courts cite to stare decisis when an issue has been
previously brought to the court and a ruling already
issued. Generally, courts will adhere to the previous
ruling, though this is not universally true
EE579U/6 #7
The Stare Decisis Dilemma
Source: Jon Roland, “How stare decisis Subverts the Law,” from http://www.constitution.org/col/0610staredrift.htm
EE579U/6 #8
Classifications of Law – 2
• Precedent is established for future cases when a
rule of law has been announced and followed by
courts so that the rule has become settled by
judicial decision
• Civil Law systems rely primarily on legislative
enactments, rather than judicial decisions, for law.
Any court in a civil law system must defer to the
legislation for the answer to a legal issue. This is
not the system of law within the U.S.A.
EE579U/6 #9
Classifications of Law – 3
• Public Law involves those matters that regulate
society as opposed to individuals interacting.
Examples of public law include constitutional law,
administrative law and criminal law.
– Constitutional Law---involves the interpretation and
application of either the federal or state constitution.
– Administrative Law--describes the legal principles
that apply to government agencies, bureaus, boards and
commissions.
– Criminal Law--encompasses all legal aspects of crime
EE579U/6 #10
Classifications of Law – 4
• Private Law encompasses those legal problems
and relationships that exist between individuals.
Private law is traditionally separated into the law
of contracts, the law of torts, and the law of
property.
– Contract Law – addresses agreements between two
parties.
– Tort Law – addresses wrongs other than a breach of
contract, by which one party injures another.
– Property Law – deals with ownership and possession
of both tangible things and intangible rights.
EE579U/6 #11
Did We Get It Wrong in Our Last Class?
• In that course, you learned that law could be
classified into criminal law and civil law
• That is a perfectly acceptable way of
classifying laws, and is commonly used
– The term civil law as used in this classification
scheme means something different from the
same term as used on Slide 9
• Refers to all non-criminal laws and activities
EE579U/6 #12
Just for Good Measure
• Law can also be classified between substance and
procedure
– Substantive law defines the legal relationship of
people with other people or between them and the state.
– Procedural law deals with the method and means by
which substantive law is made and administered. The
time allowed for one party to sue another and the rules
of law governing the process of a lawsuit are
examples of procedural laws.
EE579U/6 #13
Why Do We Care?
• There are many issues in information
systems that are governed by law
• You need to know enough to know when to
call for expert help from the attorneys, and
have at least a basic understanding of what
they are talking about when they talk with
you about their view of your systems and
their potential legal problems.
EE579U/6 #14
An Example
• The Boston Globe of 19 October 2003
reports how the newspaper was able to
purchase Governor Romney’s credit report
for $125 on-line.
– Is this legal?
– If not, who broke the law?
– What can be done about it?
– How would you deal with it if your IT system were involved?
EE579U/6 #15
Goldshield Web Page Home
EE579U/6 #16
Need Personal Data?
EE579U/6 #17
Some Other Sources
• Intelius
• Skip Trace
• Skipease
• …and many, many more
EE579U/6 #18
What’s The Problem?
• Virtually every IT system contains
information, or links to information, that
can be misused
• In nearly every case, misuse of that
information is a criminal offense, and/or can
also be actionable under property or tort law
• This is not a situation any IT system
management team wants to be in
EE579U/6 #19
Subpoena
• Is a written court order requiring the attendance of
the person named in the subpoena at a specified
time and place for the purpose of being questioned
under oath concerning a particular matter which is
the subject of an investigation, proceeding, or
lawsuit
• A subpoena may also require the production of a
paper, document, or other object relevant to the
particular investigation, proceeding, or lawsuit
EE579U/6 #20
If You Receive a Subpoena
• You must either…
– Comply
– Apply to the proper court to vacate or modify
the subpoena
• Neither of these is a “do-it-yourself”
activity
• Subpoenas are increasingly being used to
investigate matters involving IT systems
EE579U/6 #21
Fourth Amendment
• “The right of the people to be secure in their
persons, houses, papers, and effects, against
unreasonable searches and seizures, shall
not be violated, and no Warrants shall issue,
but upon probable cause, supported by Oath
or affirmation, and particularly describing
the place to be searched, and the persons or
things to be seized.”
EE579U/6 #22
Search Warrant
• A warrant, issued by competent authority
(normally a judge of court), authorizing an
examination or search of specified premises for
goods stolen, secreted, or concealed
• Search warrants are quite specific—they do not
permit sweeping blanket searches
• Legal basis is compliance with the Fourth
Amendment to the Constitution, which limits
unreasonable search and seizure
EE579U/6 #23
What About Computers?
• To determine whether an individual has a
reasonable expectation of privacy in
information stored in a computer, it helps to
treat the computer like a closed container
such as a briefcase or file cabinet. The Fourth
Amendment generally prohibits law
enforcement from accessing and viewing
information stored in a computer without a
warrant if it would be prohibited from
opening a closed container and examining its
contents in the same situation.
http://www.cybercrime.gov/s&smanual2002.htm#_I_
EE579U/6 #24
Issues
• Courts have differed in their interpretation of the
Fourth Amendment as applied to computers
– Fifth Circuit held that the computer was effectively a
closed container
– Tenth Circuit viewed each file as a container
• Protection may be lost if computer is in possession
of a third party, or if control of files is lost
• Fourth Amendment does not apply to searches
conducted by private parties who are not
government agents
EE579U/6 #25
Search Warrants and You
• This is not generally an area in which you
can seek a priori legal opinion
• Interfering with agents performing a search
authorized by a proper warrant is usually a
crime, whether anything is found or not
• The increase in computer-based crime has
dramatically increased the issuance of
warrants in the information systems area
EE579U/6 #26
There Are Many Issues
• Stewardship of property in your system
– Intellectual property
– Information of which you are unaware
• Information about warrants, etc. targeting
your system is available on the Internet
• What to do if information about you is
made public, even if it is incorrect?
EE579U/6 #27
“It’s Not Fair”
• When caught or challenged, many allege
they are victims of selective enforcement
• This claim is nearly always specious
– It is physically impossible to catch all the
criminals all the time. Does this mean that
none should be prosecuted?
– This “defense” does not impress the courts and
is often viewed as the last resort of a scoundrel
EE579U/6 #28
Identity Fraud
• Deals with “false identification document”
– Making, transfer, use, possession all crimes
– Identity documents covered
• Any identification document issued by or under
the authority of the United States
– Includes federal, state, local, foreign government,
international quasi-governmental organization
– Birth certificate, driver’s license, personal ID card
– Penalties up to 15 years imprisonment
EE579U/6 #29
Other Areas of Concern
• Intellectual property of all types
– Copyrights
– Patents
– Trade secrets
• Your responsibility for the actions of others
EE579U/6 #30
Legal Issues in Computer Security
• Copyrights [17 USC]
– Protect expression of ideas, not the idea itself
– Gives author exclusive rights to copy & sell
– Can cover “any tangible medium of expression”
– Work must be original to the author
– Subject to “fair use”
– Marking required
– Lasts for 50 years after death of last author (moving target)
EE579U/6 #31
Copyrights Again
• Copyright valid without registration, but
registering helps ensure protection
• Infringement resolved in the courts
• U. S. Govt. works in public domain, but not
all governments (cf. Crown Copyright)
• Programs can be copyrighted, but…
• Copyright limits distribution, not use
EE579U/6 #32
More About Copyrights
• Fair use of a copyrighted work, including
such use by reproduction in copies or
phonorecords or by any other means:
– criticism
– comment
– news reporting
– teaching (including multiple copies for classroom use)
EE579U/6 #33
Copyright Infringement
• Basic statute is 17 USC § 506
– Title 17 deals with copyrights
– Section 506 treats remedies for infringement
– For legal consistency, penalties are in the
criminal title, Title 18
• Up to 3 years imprisonment, first offense
• Up to 6 years imprisonment, second or
subsequent offense
EE579U/6 #34
Music Sharing and Copyrights
• Recording Industry Association of America
(RIAA) is presently in process of suing
numerous individuals across America for
illegally sharing music
• The issue here is copyright violation, as the
owners of the copyrighted songs claim
economic loss by having their songs pirated
• Is this an IS security problem?
EE579U/6 #35
Digital Millennium Copyright Act (DMCA)
• Passed by Congress October 28, 1998
• Expands the protection of copyrighted
works on the Internet and in digital form
– “Black Box” Provisions
• Limits the liability of on-line service
providers for infringement of copyrighted
works
– “Safe Harbor” Provisions
EE579U/6 #36
DMCA “Safe Harbor”
• Service providers, upon payment of a $20 fee
and meeting reporting requirements, can
qualify for liability protection against
copyright infringement
– “Service provider” is defined broadly as “a
provider of online services or network access,
or the operator of facilities therefor”
• Providers must not interfere with “standard”
measures used to ID and protect copyrights
EE579U/6 #37
DMCA “Black Box”
• DMCA makes circumventing protective
technologies, such as encryption and passwords, a
violation of the law
• Removing, changing, or altering “copyright
management information” also a violation
• Even if your copyrighted work is not actually
copied, a person could be liable for attempting to
do so, or for giving others the tools and access to
do so
EE579U/6 #38
DMCA Observations
• This is a major extension of copyright law!
• Penalties for “black box” violations exceed
the penalties in 17 USC for infringement
• There is little, if any, case law yet
• Does this violate the “fair use” doctrine?
• Feared placing a damper on research into
cryptography and cryptanalysis
EE579U/6 #39
ElcomSoft, Dmitry Sklyarov and the DMCA
• Sklyarov is a Russian programmer who, with his
company, ElcomSoft, developed a way to defeat
the encryption on Adobe eBooks, allegedly to
make backup copies or to be read audibly
• Sklyarov arrested July, 2001 in Las Vegas, and
charged with violating the DMCA
– Four circumvention counts, one conspiracy
– No copyright infringement counts
• Federal jury acquitted him on all counts, Dec 2002
EE579U/6 #40
Patents
• Protect inventions [35 USC]
• Object patented must be “nonobvious”
• Patent goes to first to invent (in U.S.)
– Goes to first to file in most other jurisdictions
• Requirements for patent
– Search for prior art
– Patent Office determination that it is novel
– Issuance of patent
EE579U/6 #41
What Can Be Patented?
“Whoever invents or discovers any new and useful process,
machine, manufacture, or composition of matter, or any new
and useful improvement thereof, may obtain a patent therefor,
subject to the conditions and requirements of this title.”
35 USC § 101
EE579U/6 #42
More on Patents
• Valid for 20 years since US ratification of the GATT
harmonization (earlier 17 years); not generally
renewable
• Requires disclosure of all working details
• A patent is a public document
• Infringement must be opposed. Claims:
– This isn’t infringement
– The patent is invalid
– The invention is not novel
– The infringer invented first
EE579U/6 #43
Patents and Software
• Software can be patented, and often is
– Read the license statement
• Easier to patent a process in which software
forms a part, but then use of the software
outside the process is not covered
• Not much case law yet
EE579U/6 #44
Patent Infringement
• Is a civil, not a criminal matter (property law)
– Cf. Copyright violations
• Remedies provided
– 35 USC § 271 defines infringement
– 35 USC § 281 provides for civil remedy
– 35 USC § 284 et seq. provide for damages
• If you participate in infringement, you could be a
defendant
EE579U/6 #45
Trade Secrets
• Give a competitive edge over others
• Must always be kept secret
• Applies well to software, especially since
the copyright act changes in 1978
• Hard to enforce (e.g. reverse engineering)
EE579U/6 #46
How to Protect Trade Secrets?
• Must enforce some degree of special
handling and secrecy to prove business’
intent to keep the information secret
• Example: recipe for Coca-Cola
– Locked in Atlanta bank vault
– Combination known to only 2 employees
– These persons are never publicly identified
– Both cannot travel on the same airplane
EE579U/6 #47
Enforcing Trade Secrets
• Every state has laws prohibiting theft of trade
secrets, as does the federal government
• Theft can constitute a crime under both state and
federal law
– e.g. Economic Espionage Act of 1996 (EEA) (18 USC
§ 1831-1839)
– Fines up to $500K (indiv.) / $5M (corporate), jail up to
ten years
– Law also applies to theft outside the US if the thief is a
US national or corporation
EE579U/6 #48
Who Owns Intellectual Property?
• Generally speaking, if you were paid to produce it
by your employer, they own the property
• If you produce it on your own time, but use skills
learned on the job, they may still own the
intellectual property!
• Intellectual property agreements are common, and
often in dispute
• Employment contracts may contain intellectual
property ownership clauses
EE579U/6 #49
Your Responsibilities
• As an employee?
• As a management staff member?
• As a technical staff member?
EE579U/6 #50
What About Assistance to Law Enforcement?
• This can be a win-win situation for law
enforcement and your company
• Be careful about doing something like this
without senior executive support, in writing
• Never confuse yourself with a law
enforcement agent
• Be cautious about practicing law without a
license
EE579U/6 #51
What About Multinational Exposure?
• Most networks today have presence in
many jurisdictions and nations
• Laws are not uniform across jurisdictions
• Issues as to what is a crime, where the
crime occurred, and where jurisdiction rests
are largely unclear
• Forewarned is forearmed
EE579U/6 #52
Summary
• The law is increasingly an issue about
which information security professionals
must be aware and knowledgeable
• Law is a complex topic, and expert help is
needed to succeed here. Not for DIY.
• That said, you need to remain “on top of”
what is going on in the legal domain
EE579U/6 #53
Homework - 1
• You are the information security officer of
your company and are on duty. Six FBI
agents present themselves at the entrance to
the company with a search warrant for the
computers of one of your employees. What
do you do? During their search, they decide
to seize the computer of another employee
not named in the warrant. What do you do?
EE579U/6 #54
Homework – 2
• In your morning mail at the company, you
receive a subpoena from the local federal
court demanding you turn over “all records
of electronic communications for the period
named.” What actions are you going to
take? In what order? What files or
information do you think should be turned
over? Who decides?
EE579U/6 #55
Homework – 3
• As information security officer of your
organization, how do you plan to educate
your staff as to the elements of the law you
feel they need to know without generating a
lot of lost time and “barracks lawyering?”
Are you going to seek anyone else’s
assistance?
EE579U/6 #56