CIS3360: Security in Computing
Legal and Ethical Issues
Cliff Zou
Spring 2012
Resources Used
Modified based on Prof. Ratan Guha’s CIS3360 lecture notes
References: C. Pfleeger and S. Pfleeger, “Security in Computing”, 4th Edition, Prentice Hall Inc. (ISBN 0-13-239077-9)
Example Case: Information about CyberSpy
US court orders keylogger CyberSpy to halt software sales
The Federal Trade Commission (FTC) won an injunction today against software vendor and keylogger developer CyberSpy. The US district court ruling prohibits CyberSpy from selling or operating its RemoteSpy software package.
By Joel Hruska | Last updated November 18, 2008 7:37 PM
http://arstechnica.com/security/news/2008/11/us-court-orders-keylogger-cyberspy-to-halt-software-sales.ars (source)
Outline
• Copyright
• History of Copyright in USA
• The Digital Millennium Copyright Act (DMCA)
• Patents
• Trademarks
• Trade Secrets
• Agreement
• NDA (Non-disclosure agreement)
• Computer Ethics
• Ten Commandments of Computer Ethics
• Computer Crimes
Copyright
Is a form of intellectual property law, protecting original works including literary, dramatic, musical, and artistic works (e.g., poetry, novels, movies, songs, computer software & architecture)
In essence, protects “creative contributions”
Does not protect facts, ideas, systems, methods of operation, although it may protect the ways these things are expressed
Example: protect “Viterbi algorithm” (CDMA)
Copyright Protection (1)
• Would cover an author’s words describing the dark and stormy night on which occurred the murder at the center of the mystery novel
• Would not cover the idea of making the events of a dark and stormy night central to a murder mystery
Copyright Protection (2)
Copyright protection covers
• Reproduction [e.g., copying, quoting]
• Distribution [e.g., posting to Web pages]
• Adaptation [using with modifications]
• Display
• Performance
Copyright Protection (3)
Applies to original works as soon as they are created and fixed in a tangible form
Does NOT require the registration of copyright, or notice that the work is copyrighted
Patent needs registration before protection
Applies fully to electronic (Web) resources
Length of Copyright Protections
Anything published more than 75 years ago is now in the public domain
Anything created after 1 January 1978 is protected for the life of the author plus 50 years
Or, if the author is a corporation, for 75 years from authorship or 100 years from creation (whichever is first)
Lots of exceptions govern works published between 1964 and 1977 and works created before 1 January 1978 but not published, or published between 1978 and 31 December 2002
Copyright Protection for Web Resources
• The fact that something is sent to you does not give you rights to it.
– Copyright for an e-mail message belongs to the sender of the message.
• You cannot make copies of text, images, or sounds from the Web without permission.
– These things are still copyrighted, even though anyone with a computer can get access to them.
Normally Copyright Requires…
• That creators/owners of an expression (authors, artists, musicians, programmers) be asked for permission to use their creations (and often be financially compensated for such use).
– It is their property which you are using.
• That stiff legal penalties be paid for violation of copyright:
– Most violations of copyright are matters of civil law.
– Excessive copying, though, is a felony.
History of Copyright in the U.S. (1)
Copyright is provided for by the United States Constitution of 1789
Article I, section 8 (the so-called “Commerce clause”) specifies that “The Congress shall have the power … to promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries.”
• From Constitution of the United States (http://www.law.cornell.edu/constitution/constitution.table.html)
Note that the Constitution does NOT specify:
• How Congress shall “promote the progress”
• What a “limited time” is
• What makes one an author/inventor
• What is “exclusive right”
• What constitutes a writing or discovery
History of Copyright in the U.S. (2)
One year later, in 1790, the Congress enacted the first federal copyright law, protecting only maps, charts, and books.
In 1831, copyright protections were expanded to include musical compositions.
In 1908, the Supreme Court ruled player-pianos’ uses of copyrighted music were not copyright violations but pieces of machinery
Some of the tensions we’re now seeing between copyrighted content and technology thus appeared nearly 100 years ago
History of Copyright in the U.S. (3)
In 1984, the Supreme Court ruled that private home videotaping does not infringe copyrights
In 1992, Congress passed the Audio Home Recording Act, which restricts use of digital-recording tools and requires makers of blank tapes and copying devices to contribute to a royalty pool for musicians
History of Copyright in the U.S. (4)
In 1998, the Digital Millennium Copyright Act (DMCA) specifies copyright protection for digital formats
A range of court cases over the past several years have been dealing with the ramifications of the DMCA
– Fonovisa v. Napster
– Kelly v. Arriba Soft Corp.
– U.S. v. Elcomsoft
– Church of Scientology & Google
• You can google to find the details of these cases
There are also a number of new statutory laws pending that attempt to address copyrights in an electronic environment
– Consumer Broadband & Digital Television Act of 2002
The Digital Millennium Copyright Act (DMCA)
On October 12, 1998, the U.S. Congress passed the Digital Millennium Copyright Act.
The DMCA amended title 17 of the US Code to extend the reach of copyright, while limiting the liability of Online Providers from copyright infringement by their users.
Criminalizes the circumvention of measures taken to protect copyright.
Heightens the penalties for copyright infringement on the Internet.
On May 22, 2001 the European Union passed the EU Copyright Directive or EUCD, similar in many ways to the DMCA.
DMCA Titles
Title I: implements the WIPO (World Intellectual Property Organization) treaties;
Title II: creates limitations on the liability of online service providers; anti-circumvention measures
Title III: creates an exemption for making a copy of a computer program by activating a computer for purposes of maintenance or repair.
Title IV: misc. provisions relating to Copyright Office functions, etc.
Title V: creates new form of protection for the design of vessel hulls.
DMCA Highlights (1)
Makes it a crime to circumvent anti-piracy measures built into most commercial software.
Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
Does permit the cracking of copyright protection devices, however, to conduct encryption research, assess product interoperability, and test computer security systems.
Provides exemptions from anti-circumvention provisions for nonprofit libraries, archives, and educational institutions under certain circumstances.
In general, limits Internet service providers from copyright infringement liability for simply transmitting information over the Internet.
DMCA Highlights (2)
Service providers, however, are expected to remove material from users' web sites that appears to constitute copyright infringement. Problem for MegaDownload website?
Limits liability of nonprofit institutions of higher education -- when they serve as online service providers and under certain circumstances -- for copyright infringement by faculty members or graduate students.
Requires that "webcasters" pay licensing fees to record companies.
DMCA Highlights (3)
Requires that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations regarding how to promote distance education through digital technologies while "maintaining an appropriate balance between the rights of copyright owners and the needs of users."
States explicitly that "[n]othing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use..."
DMCA Title II: 17 USC Ch. 12
§1201(a)(1) prohibits the act of circumventing a technological measure used by copyright owners to control access to their works
§1201(a)(2) and §1201(b) outlaw the manufacture, sale, distribution or trafficking of tools and technologies that make circumvention possible
Penalties / Liability
§1203 and §1204 provide BOTH civil and criminal liability:
• Civil: temporary & permanent injunctions
– Actual damages and any additional profits of the violator
– Statutory damages
• Criminal: fines up to $500,000 and/or 5 yrs in prison for 1st violation; fines up to $1,000,000 and/or 10 yrs for subsequent violation.
Results of DMCA Title II
DMCA’s unintended consequences have had greater impact than its intended effect (preventing infringement):
• Chills freedom of expression and scientific research
• Restricts private copying rights
• Creates monopolies – impedes competition
• Stifles innovation
Patents
What is a patent?
A patent is an exclusive right granted for an invention, which is a product or a process that provides a new way of doing something, or offers a new technical solution to a problem.
What does a patent do?
A patent provides protection for the invention to the owner of the patent. The protection is granted for a limited period, generally 20 years.
Source: World Intellectual Property Organization, http://www.wipo.int/aboutip/en/patents.html
Where do Patents Come From?
“A patent is granted by a national patent office or by a regional office that does the work for a number of countries, such as the European Patent Office and the African Regional Industrial Property Organization. Under such regional systems, an applicant requests protection for the invention in one or more countries, and each country decides as to whether to offer patent protection within its borders. The WIPO-administered Patent Cooperation Treaty (PCT) provides for the filing of a single international patent application which has the same effect as national applications filed in the designated countries. An applicant seeking protection may file one application and request protection in as many signatory states as needed.”
Where Do Patents Come From?
Some commonly encountered patent granting agencies:
• United States Patent and Trademark Organization: http://www.uspto.gov
• European Patent Office (30 member states): http://ep.espacenet.com
• Japan Patent Office: http://www.jpo.go.jp/
Purpose of Enforcing Patents
• Stop an infringer from selling product (injunction)
• Barrier to entry
• Preserve market position
• Obtain settlement
• Receive $$$: lost profits, royalties
• Preserve rights
Where Will I See Patent References?
Indexing and abstracting databases
Some databases cover not only journal articles, but also patents, with varying amounts of coverage
• SciFinder Scholar (1907-current): http://www.cas.org/products/sfacad/index.html
• Beilstein (prior to 1980)
References in books and articles
References in other patents
How Do I Find Full-Text of Patents?
Online from http://www.uspto.gov
• requires installation of TIFF viewer
• patents can only be printed one page at a time
Print copies ordered from the USPTO
• $3 per patent
• can be ordered via online, fax, mail, or phone
• delivery can take some time
Commercial patent suppliers
• MicroPatent: http://www.micropatent.com
• delivery via email of PDF
• ~$7 per patent document
Trademarks
The trademarks program
• Protects trademark owner’s interest in brand name value and good will
• Protects consumers from confusion
Trademark can be
• Words: "Coca Cola"
• Phrases: "Have it your way"
• Symbols
• Sounds: for example, the sound of “Intel inside”
Purpose of Trademark Protection
A Trademark Filing Program has four purposes:
1. To retain control over the quality and types of use of the marks
2. To provide a basis for challenging infringers
3. To prevent third parties from registering a company’s marks
4. To minimize the financial risk
Register the Trademark (1)
Majority – first to file vs. first to use
Some of the major commercial countries – first to file: France, Germany, Japan, Spain
United States – based on actual use
Register the Trademark (2)
Trademark rights are territorial. Some regional systems exist:
• Community Trade Mark (Europe)
• OAPI (Africa)
• Madrid Protocol – international filing system, but still depends on approval at the national level by the 57 member countries
Register the Trademark (3)
Select registration in countries in which the company will manufacture, distribute and/or license its mark
United States – Trademark rights extend only to the areas in which a market presence has been established.
United States – Presumption of exclusive rights through federal registration
Appropriate Form of the Trademark
Composite Marks
• Register the entire composite mark
• Register the word portion of a mark alone
• Register the design element
Word Marks
• Register in foreign script as well as Roman script (e.g., Hangul, Cyrillic, Arabic)
• Register the proper translation or transliteration in Asian languages
Trademark Infringement
“Likelihood of confusion” standard
Court looks at factors like
• similarity of goods
• sophistication of consumers
• length of time that mark has been used
• wrongful intent
Trademark Dilution
Federal Trademark Dilution Act of 1996 (prior to 1996, 28 states had anti-dilution laws)
Must show “famous” mark and “actual dilution”
Need not show likelihood of confusion
Dilution Theory
• Identical or highly similar mark use lessens the capacity of the famous mark to identify and distinguish its goods
• Tarnishes the reputation of the mark
Trade Secrets
Protected by state common law, unlike other IP
Grounded in policy of business ethics
Rights can be perpetual, but are nonexclusive
Vague standards (e.g., “generally known”)
All patents begin life as trade secrets
What can be Trade Secrets?
Can be almost anything:
• the “secret formula”
• information about customers and prospects
• business plans and strategies
Can be “re-creatable,” if sufficiently difficult (e.g., a market survey)
Secret or Not?
Look to relevant audience
If commonly known in field, not a trade secret, even if information is not generally known to public
But need not be unknown to everyone
Trade Secrets Protection
Advantage: long life, no disclosure; does not expire as patents do
Disadvantage: no exclusivity; a third party is not prevented from independently duplicating and using the secret information once it is discovered.
Increasingly chosen over patent:
• Cheap self-help vs. expensive registration
• Short lifespan of innovation
• Patent infringement difficult to police
Three Types of Agreement
• NDA (Non-disclosure agreements): reinforces obligation to respect confidence
• Assignment: transfers rights to invention
• Noncompete: temporarily prohibits post-employment competition
NDA (Non-disclosure agreement)
NDA: effect on behavior usually low
NDAs are critical to preserving trade secret rights
Even with the most discreet client, vendor, or investor, the absence of an NDA can blow IP rights
Provides notice & proves reasonable efforts
Standard NDA not controversial
Prohibiting reverse engineering?
Possible misuse of “residuals” clause
NDA v. Automatic Protection
Absent an NDA, independent contractors are under no obligation to keep trade secrets
Employees have obligation to employer even without agreement
Even after termination, forever
Employee Assignment
Employee Assignment: Some effect
Rationale: what the company pays for
Some states limit with “garage inventor” statutes
Problem of post-employment restriction
Non-Compete Clause (NCC)
In contract law one party (usually an employee) agrees not to pursue a similar profession or trade in competition against another party (usually the employer).
NonCompetes: Substantial effects
Justification: avoid trade secret battle
Vague standards (e.g., “reasonable time and scope”)
Varying law
• California: almost never enforced
• Some states: “blue pencil” rule
Trade Secret ≠ Non-compete
Obligation to protect trade secret generally does not prohibit working for competitor
Computer Ethics
Computer ethics defined as the application of classical ethical principles to the use of computer technology
Ethical problems related to computers are not unique but they tend to occur on a much larger scale and scope
• Scope: communications networks bring the world together
• Anonymity: beneficial but creates problems of integrity
• Reproducibility
Aspects of computer ethics:
• Analysis of the nature of problems related to the social impact of computers
• Formulation and justification of policies needed to manage computer technology
Categories of Computer Ethics Issues
Privacy
• Computers create a false sense of security
• People do not realize how vulnerable information stored on computers is
Property
• Physical property
• Intellectual property (in both copyright and patent)
• Data as property
Access
• Access to computing technology
• Access to data
Accuracy
• Accuracy of information stored
Problems with Codes of Ethics
A legal system is not a complete and correct guide to moral behavior
Codes of ethics are mostly voluntary
May encounter situations for which the code makes no explicit recommendations
Goodness cannot be defined through a list of Dos and Don'ts
You must use your internal sense of ethics
Ten Commandments of Computer Ethics (1)
You shall not use a computer to harm other people.
• Intentionally interfering with other people’s work
– E.g., your honeypots should not attack others
• Invading the privacy of individuals
– E.g., creating a set of fake social networking accounts to collect others’ private information by becoming their “friends”
You shall not interfere with other people's computer work.
• Degrading or disrupting equipment, software, or system performance.
• Using resources to interfere with the proper operation of any computer, or destroy data.
• Intentionally interfering with other people’s work
• Invading the privacy of individuals
Ten Commandments of Computer Ethics (2)
You shall not snoop around in other people's computer files.
• Using an account owned by another user, or allowing another user to access your account. (Any problems which arise from the misuse of a user’s password will be that user’s responsibility.)
• Invading the privacy of individuals
You shall not use a computer to steal.
• Using resources in any manner that violates Board policy, federal, state, or local law including unauthorized copying or transmission of software.
Ten Commandments of Computer Ethics (3)
You shall not use a computer to bear false witness.
• Initiating or forwarding “chain” letters.
• Downloading, storing, printing, or distributing files or messages that are profane, obscene, threatening, or that use language that offends or tends to degrade others.
• Urban legends (e.g. kidney transplants)
• Unproven rumors (e.g. free Coca Cola)
You shall not copy or use proprietary software for which you have not paid.
• Using resources in any manner that violates Board policy, federal, state, or local law including unauthorized copying or transmission of software.
Ten Commandments of Computer Ethics (4)
You shall not use other people's computer resources without authorization or proper compensation.
• Using information obtained through network and computer resources without giving proper credit to the source (plagiarism).
• Posting personal communication without the original author’s consent.
You shall not appropriate other people's intellectual output.
• Posting personal communication without the original author’s consent.
• Using information obtained through network and computer resources without giving proper credit to the source (plagiarism).
Ten Commandments of Computer Ethics (5)
You shall think about the social consequences of the program you are writing or the system you are designing.
• Initiating or forwarding “chain” letters.
• Downloading, storing, printing, or distributing files or messages that are profane, obscene, threatening, or that use language that offends or tends to degrade others.
You shall always use a computer in ways that show consideration and respect for your fellow humans.
• Downloading, storing, printing, or distributing files or messages that contain information considered dangerous to the public at large.
Computer Crime
Any crime in which computer-related technology is encountered.
The commission of illegal acts through the use of a computer or against a computer system.
“An act committed in violation of criminal or civil codes using electronic or digital technologies for unauthorized activities and transactions”
Types of Computer Crime
• Business attacks
• Financial attacks
• Terrorist attacks
• Grudge attacks
• Fun attacks
Most Common Computer Crimes
• Fraud by computer manipulation
• Computer forgery
• Damage to or modifications of computer data or programs
• Unauthorized access to computer systems and service
• Unauthorized reproduction of legally protected computer programs
Computer Crimes Are Hard to Prosecute
• Lack of understanding
• Lack of physical evidence
• Lack of recognition of assets
• Lack of political impact
• Complexity of case
• Age of defendant (juveniles)
• Lack of updated law for the new technology
Computer Crimes Are Hard to Catch
• Multinational activity
– No international laws for computer crimes
• Complexity
– Networked attacks hard to trace
– E.g., attacker uses a chain of “stepping stones” to conduct an attack; these stepping stones are all around the world
The Fight Against Computer Crimes
The role in combating cyber crime is essentially two-fold:
(1) preventing cyber attacks before they occur or limiting their scope by disseminating warnings and advisories about threats so that potential victims can protect themselves
(2) responding to attacks that do occur by investigating and identifying the perpetrator
Existing Laws Used for Computer Crimes
• U.S. Computer Fraud and Abuse Act
• U.S. Economic Espionage Act
• U.S. Electronic Funds Transfer Act
• U.S. Freedom of Information Act
• U.S. Privacy Act
• U.S. Electronic Communications Privacy Act
• U.S. Patriot Act
• Gramm-Leach-Bliley Act
• HIPAA
• CAN Spam Act
U.S. Computer Fraud and Abuse Act
• Unauthorized access to a computer containing data protected for the national defense or foreign relations concerns
• Unauthorized access to a computer containing certain banking or financial information
• Unauthorized access, use, modification, destruction, or disclosure of a computer or information in a computer operated on behalf of the U.S. government
• Accessing without permission a “protected computer,” which the courts now interpret to include any computer connected to the Internet
• Computer fraud
• Transmitting code that causes damage to a computer system or network
• Trafficking in computer passwords
U.S. Economic Espionage Act
This act outlaws use of a computer for foreign espionage to benefit a foreign country or business or theft of trade secrets (1996)
U.S. Electronic Funds Transfer Act
This law prohibits use, transport, sale, receipt, or supply of counterfeit, stolen, altered, lost, or fraudulently obtained debit instruments in interstate or foreign commerce
US Privacy Act (1974)
This act protects the privacy of personal data collected by the government. An individual is allowed to determine What data
HIPAA (Health Insurance Portability and Accountability Act, Public Law 104-191, 1996)
Part I – Rights of workers to maintain health insurance coverage after their employment was terminated
Part II – Protection of the privacy of individuals’ medical records. Healthcare providers must perform standard security practices such as
• Enforce need to know
• Ensure minimum necessary disclosure
• Designate a privacy officer
• Document information security practices
• Track disclosure of information
• Develop a method for patients’ inspection and copying of their information
Computer Crime Cases
List of computer crime criminals: http://en.wikipedia.org/wiki/List_of_computer_criminals
Timeline of hacker history: http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history