CS 5950/6030

Computer Security and Information

Assurance
Section 9: Legal, Privacy, and
Ethical
Issues in Computer
Dr. Leszek Lilien
Security Department of Computer Science
Western Michigan University

Slides based on Security in Computing. Third Edition by Pfleeger and Pfleeger.

Using some slides courtesy of:
Prof. Aaron Striegel course taught at U. of Notre Dame
Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke (U. Idaho) taught at U.
Washington
Prof. Jussipekka Leiwo taught at Vrije Universiteit (Free U.), Amsterdam, The Netherlands
Slides not created by the above authors are 2006 by Leszek T. Lilien
Requests to use original slides for non-profit purposes will be gladly granted upon a written request.

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

9. Legal, Privacy, and Ethical

Issues in Computer Security

Human Controls Applicable to Computer Security:

9.1.
Basic Legal Issues
a)
b)
c)
d)

9.2.
9.3.
9.4.

Protecting Programs and Data

Information and the Law
Ownership Rights of Employees and Employers
Software Failures (and Customers)

Computer Crime
Privacy
Ethics

a) Introduction to Ethics
b) Case Studies of Ethics
c) Codes of Professional Ethics
2

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

9.1. Basic Legal Issues

Outline:
a) Protecting Programs and Data
b) Information and the Law
c) Ownership Rights of Employees and Employers
d) Software Failures (and Customers)

a) Protecting Programs and Data (1)

Copyrights designed to protect expression of ideas

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

(creative works of the mind)

Ideas themselves are free

Different people can have the same idea

The way of expressing ideas is copyrighted

Copyrights are exclusive rights to making copies of
expression

Copyright protects intellectual property (IP)

IP must be:

Original work

In some tangible medium of expression

---[OPTIONAL]--- Digital Millennium Copyright Act

(DMCA) of 1998

Clarified some copyright issues for digital objects

4

Protecting Programs and Data (2)

Patent designed to protect tangible objects, or ways

to make them (not works of the mind)

Protected entity must be novel & nonobvious

The first inventor who obtains patent gest his

invention protected against patent infrigement

Patents applied for algorithms only since 1981

Trade secret information that provides competitive

edge over others

Information that has value only if kept secret

Undoing release of a secret is impossible or very

difficult

Reverse engineering used to uncover trade secret is

legal!

T.s. protection applies very well to computer s/w

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

E.g., pgms that use algorithms unknown to others

5

---[OPTIONAL]-- Protecting Programs and Data (3)

Comparing Copyright, Patent and Trade Secret

Protection Copyright
Patent
Trade Secret
Inventionway Secret,
something
competitive
works
advantage

Protected
Object Made
Public

Yes; intention is
to promote
publication

Design filed at
Patent Office

No

Must
Distribute

Yes

No

No

Ease of filing

Very easy, do-ityourself

Very
complicated;
specialist
lawyer
suggested

No filing

Duration

Originators life
+ 70 yrs; 95 y.
For company

19 years

Indefinite

by Leszek T. Lilien,
2006

Expression of
idea, not idea
itself

Section 8 Computer Security and Information Assurance Spring

2006

Protects

Protecting Programs and Data (4)

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

---[OPTIONAL]--- How to protect:

H/w

Patent

Firmware (microcode)

Patent physical device, chip

Use trade secret protection

Copyright s/w such as embedded OS

Object code s/w

Copyright of binary code ??

Copyright of source code ??

Need legal precedents

Source code s/w

Use trade secret protection

Copyright reveals some code, facilitates

reverse engineering

Need legal precedents, too

7

b) Information and the Law (1)

by Leszek T. Lilien,
2006

Characteristics of information as an object of value

Not depletable

Can be replicated (buyer can become a seller)

Has minimal marginal cost (= cost to produce n-the copy

after producing n-1 copies)

Value is often time dependent (outdated => lower/no value)

Can be transferred intangibly

Section 8 Computer Security and Information Assurance Spring

2006

---[OPTIONAL]-- Legal issues for information

Information commerce

Need technological and legal protections for info seller

Electronic publishing

Cryptographic + legal solutions to protect sellers rights

Protecting data in DB

How to decide which DB is source for given data?

Who owns data in a DB if it is public data (e.g., name+phone?)

E-commerce

How to prove that info delivered too late or is bad?

8

b) Information and the Law (2)

Copyright, patents, trade secrets cover some (not

all!) protection needs
Remaining protection needs can use law
mechanisms discussed below

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

Building precedents or contributing to legislating new laws

Law categories:
1) Criminal Law / Statutory Law
2) Civil Law
(I hope Im right with these subcategories)
2a) Common Law / Tort Law
2b) Contracts

b) Information and the Law (3)

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

Comparison of Criminal and Civil Law

Criminal Law

Civil Law

Defined by

Statutes

Common law (tort

l.)
Contracts

Cases
brought by

Government

Government
Individuals and
companies

Wronged
party

Society

Individuals and
companies

Remedy

Jail, fine

Damages, typically
monetary
10

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

c) Ownership Rights of Employees

and Employers (1)
Ownership rights are computer security issue

Concerned with protecting secrecy (confidentiality) and

integrity of works produced by employees of an employer

Ownership issues in emploee/employer relations:

Ownership of products

Products/ideas/inventions developed by employee after

hours might still be owned by her employer

Esp. if in the same line of business

Ownership of patents

If employer files for patent, employer (not employee

inventor) will own patent

Ownership of copyrights

Similar to patents

Trade secret protection

No registered inventor/authorowner can prosecute

for damages
11

Ownership Rights of Employees and Employers (2)

Type of employment has ownership consequences

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

Work for hire

All work done by employee is owned by

employer

Employment contracts

Often spell out ownership rights

Often includes agreement not to compete (for some

time after termination)

Non-competition is not always enforceable by law

Licenses

Programmer retains full ownership of

developed s/w

Grants license for a fee

12

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

d)

Software Failures (&

Customers) (1)
--[OPTIONAL]-- Issue 1: Software quality: is it
correct or not?

If not correct: ask for refund, replacement, fixing

Refund: possible

Replacement: if this copy damaged, or

improved in the meantine

Fixing: rarely legally enforced; instead,

monetary awards for damages

Correctness of s/w difficult to define/enforce

legally

Individual can rarely sue a major s/w vendor

Prohibitive costs for individual

13

Software Failures (& Customers) (2)

by Leszek T. Lilien,
2006

---[OPTIONAL]--- Issue 2: Reporting software flaws

Should we share s/w vulnerability info?

Both pros and cons

Vendor interests

Vendors (e.g., MS) dont want to react to individual

flaws

Section 8 Computer Security and Information Assurance Spring

2006

User interests

Would like to have fixes quickly

Responsible vulnerability reporting

How to report vulnerability info responsibly?

Prefer bundle a number of flaw fixes

E.g. First notify the vendor, give vendor a few weeks to fix
If vendor delays fixes, ask coordinator for help

Coordinatore.g., computer emergency response

center

Quality software is the real solution

The worlds does no need faster patches,

it needs better software
14

 by Leszek T. Lilien,
2006

9.2. Computer Crime (1)

Separate category for computer crime is needed

Because special laws are needed for CC

---[OPTIONAL]--- CC (special laws) need to deal with:

New rules of property for CC

Section 8 Computer Security and Information Assurance Spring

2006

Bits of info are now considered property (were not in 1984 case)

New rules of evidence for CC

Hard to prove authenticity of evidence for CC (easy to change!)

Value of integrity and confidentiality/privacy

Value of privacy is now recognized by several federal/state

laws

Value of data

Courts understand value of data better

Acceptance of computer terminology

Law lags behind technology in acceptance of new

terminology
15

---[OPTIONAL]--- Computer Crime (2)

CC (special laws) need to deal withcont.

by Leszek T. Lilien,
2006

Difficulty of defining CC

Legal community is slow in accommodating

advances in computing

Difficulty of prosecuting CC

Section 8 Computer Security and Information Assurance Spring

2006

Law change is cautious/conservative by nature

Reasons:
Lack of understanding / lack of physical evidence /
lack of recognition of assets / lack of political impact /
complexity of CC cases / lenient treatment of juveniles
comitting CCs

16

---[OPTIONAL]--- Computer Crime (3)

by Leszek T. Lilien,
2006

Examples of American statutes related to CC

1974 US Privacy Act

1984 US Computer Fraud and Abuse Act

Section 8 Computer Security and Information Assurance Spring

2006

Penalties: max{100K, stolen value} and/or 1 to 20 yrs

1986 US Electronic Communications Privacy

Act

Protects privacy of data collected by the executive

branch of federal govt

Protects against wiretapping

Exceptions: court order, ISPs

1996 US Economic Espionage Act

2001 USA Patriot Act
US Electronic Funds Transfer Act
US Freedom of Information Act
17

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

---[OPTIONAL]--- Computer Crime (4)

International CC Laws

1994 EU Data Protection Act

Restricted Internet content e.g., China

Cryptography use different laws in different

countries

Why computer criminals are hard to catch

Multinational activity

Complexity

E.g., attackers bouncing attacks thru many places to cover tracks

Law is not precise

Problems with computer, object value, privacy

Cryptography Challenges

Controls on its use internally (allowing govt to track illegal

activities) and for export

Free speech issues: restricting

Govt wanted key escrows (remember Clipper?)

18

9.3. Privacy (1)

Identity theft the most serious crime against privacy

by Leszek T. Lilien,
2006

Threats to privacy

Aggregation and data mining

Poor system security

Government threats

Section 8 Computer Security and Information Assurance Spring

2006

Govt has a lot of peoples most private data

Taxes / homeland security / etc.

Peoples privacy vs. homeland security concerns

The Internet as privacy threat

Unencrypted e-mail / web surfing / attacks

Corporate rights and private business

Companies may collect data that U.S. govt is not allowed to

Privacy for sale - many traps

Free is not free

E.g., accepting frequent-buyer cards reduces your

privacy
19

Privacy (2)

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

Controls for protecting privacy

Authentication

Anonymity

Needed also in computer voting

Pseudonymity

Legal privacy controls

--OPTIONAL-
1996 HIPAA

1998 EU Data Protection Act

Privacy of individuals medical records

Privacy protections stronger than in the U.S.

1999 Gramm-Leach-Bliley Act

Privacy of data for customers of financial institutions

20

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

9.4. Ethics
a) Introduction to Ethics (1)

Law vs. Ethics

Law alone cant restrict human behavior

Ethics/morals are sufficient self-controls for most

people
Contrast of law and ethics Table 9-3, p. 606

Impractical/impossible to describe/enforce all acceptable

behaviors

---[OPTIONAL]--- Characteristics of ethics

Ethics is not religion (but religions include ethical principles)

Ethical principles are not universal

Vary in different cultures

Vary even in different individuals in the same culture

Ethics is pluralistic in nature

In sharp contrast to science and technology that often has

only one correct answer
21

---[OPTIONAL]--- Introduction to Ethics (2)

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

Systems of ethics
1) Consequence-based do what results in
greatest good, least harm
1a) Egoism
I do whats good for me

1b) Utilitarianism
I do whats brings greatest collective good
2)

Rules-based (deontology) do what is

prescribed by certain universal, self-evident,
natural rules of proper conduct
Could be based on religion on philosophy

22

---[OPTIONAL]---

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

Ethics

b) Case Studies of

Read especially:

Case II: Privacy rights (p.612)

Case VIII: Ethics of Hacking or Cracking (p. 619)

23

c) Codes of Professional Ethics

Different codes of professional ethics

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

Computer Ethics Institute

10 Commandments of Computer Use Fig. 9.3,

p. 625

---[OPTIONAL]--
IEEE Fig. 9-1, p. 623

ACM Fig. 9-2, p. 624

24

Section 8 Computer Security and Information Assurance Spring

2006

by Leszek T. Lilien,
2006

End of Section 9
Student project presentations
follow

25