Computer Security: Principles and Practice, 1/ehossein/Teaching/Fa09/710/Lectures/ch... · Chapter 18 – Legal and ... personal information. Compliance with this policy and all

Computer Security: Principles and Practice

First Edition, by William Stallings and Lawrie Brown

Lecture slides by Lawrie Brown

Chapter 18 – Legal and Ethical Aspects

Legal and Ethical Aspects

touch on a few topics including:
- cybercrime and computer crime
- intellectual property issues
- privacy
- ethical issues

Cybercrime / Computer Crime

"criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity"

categorize based on the computer's role:
- as target
- as storage device
- as communications tool

more comprehensive categorizations are seen in the Cybercrime Convention (Council of Europe) and in computer crime surveys

Law Enforcement Challenges

Intellectual Property

Copyright

protects the tangible or fixed expression of an idea, but not the idea itself
is automatically assigned when created
may need to be registered in some countries
exists when:
- the proposed work is original
- the creator has put the original idea in concrete form

e.g. literary works, musical works, dramatic works, pantomimes and choreographic works, pictorial, graphic, and sculptural works, motion pictures and other audiovisual works, sound recordings, architectural works, software-related works

Copyright Rights

the copyright owner has these exclusive rights, protected against infringement:
- reproduction right
- modification right
- distribution right
- public-performance right
- public-display right

Patents

grant a property right to the inventor to exclude others from making, using, offering for sale, or selling the invention

types:
- utility - any new and useful process, machine, article of manufacture, or composition of matter
- design - a new, original, and ornamental design for an article of manufacture
- plant - for one who discovers and asexually reproduces any distinct and new variety of plant

e.g. the RSA public-key cryptosystem patent (a U.S. utility patent, which expired in 2000)

Trademarks

a word, name, symbol, or device used in trade with goods to indicate the source of the goods and to distinguish them from the goods of others

trademark rights may be used to:
- prevent others from using a confusingly similar mark
- but not to prevent others from making the same goods, or from selling the same goods or services under a clearly different mark

Intellectual Property Issues and Computer Security

software programs: protect using copyright, perhaps patent
database content and arrangement: protect using copyright
digital content (audio / video / media / web): protect using copyright
algorithms: may be able to protect by patenting

U.S. Digital Millennium Copyright Act (DMCA)

implements WIPO treaties to strengthen protections of digital copyrighted materials
encourages copyright owners to use technological measures to protect their copyrighted works, including:
- measures that prevent access to the work
- measures that prevent copying of the work

prohibits attempts to bypass these measures (the anti-circumvention provisions, 17 U.S.C. § 1201), with both criminal and civil penalties

DMCA Exemptions

certain actions are exempted from the DMCA anti-circumvention provisions:
- fair use
- reverse engineering (for interoperability)
- encryption research
- security testing
- personal privacy

the research and testing exemptions are narrow and conditional (e.g. a good-faith effort to obtain authorization from the copyright owner), so considerable concern exists that the DMCA inhibits legitimate security/crypto research

Digital Rights Management (DRM)

systems and procedures ensuring digital rights holders are clearly identified and receive stipulated payment for their works
may impose further restrictions on their use
no single DRM standard or architecture
goal often to provide mechanisms for the complete content management lifecycle
provide persistent content protection for a variety of digital content types / platforms / media

DRM Components

DRM System Architecture

Privacy

overlaps with computer security
have seen a dramatic increase in the scale of information collected and stored
motivated by law enforcement, national security, economic incentives
but individuals are increasingly aware of access to and use of personal / private information
concerns over the extent of privacy compromise have seen a range of responses

EU Privacy Law

the European Union Data Protection Directive (95/46/EC) was adopted in 1995, with member states required to implement it by 1998, to:
- ensure member states protect fundamental privacy rights when processing personal info
- prevent member states from restricting the free flow of personal info within the EU

organized around principles of:
notice, consent, consistency, access, security, onward transfer, enforcement

(the Directive has since been repealed and replaced by the General Data Protection Regulation (GDPR), in force since May 2018)

US Privacy Law

have the Privacy Act of 1974 (applying to records held by U.S. federal agencies), which:
- permits individuals to determine what records are kept about them
- permits individuals to forbid records being used for other purposes
- permits individuals to obtain access to records
- ensures agencies properly collect, maintain, and use personal info
- creates a private right of action for individuals

also have a range of other privacy laws

Organizational Response

"An organizational data protection and privacy policy should be developed and implemented. This policy should be communicated to all persons involved in the processing of personal information. Compliance with this policy and all relevant data protection legislation and regulations requires appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, such as a data protection officer, who should provide guidance to managers, users, and service providers on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures to protect personal information should be implemented."

Common Criteria Privacy Class

Privacy and Data Surveillance

Ethical Issues

have many potential misuses / abuses of information and electronic communication that create privacy and security problems

ethics: a system of moral principles relating the benefits and harms of particular actions to the rightness and wrongness of their motives and ends

ethical behavior here is not unique, but does have some unique considerations: in the scale of activities, and in new types of entities

Ethical Hierarchy

Ethical Issues Related to Computers and Info Systems

some ethical issues arise from the roles computers play, as:
- repositories and processors of information
- producers of new forms and types of assets
- instruments of acts
- symbols of intimidation and deception

those who understand / exploit the technology, and have access permission, have power over these
the issue is balancing professional responsibilities with ethical or moral responsibilities

Ethical Question Examples

whistle-blower:
- when professional ethical duty conflicts with loyalty to the employer
- e.g. an inadequately tested software product
- organizations and professional societies should provide alternative mechanisms

potential conflict of interest:
- e.g. a consultant has a financial interest in a vendor, which should be revealed to the client

Codes of Conduct

ethics are not precise laws or sets of facts
many areas may present ethical ambiguity
many professional societies have ethical codes of conduct which can:
1. be a positive stimulus and instill confidence
2. be educational
3. provide a measure of support
4. be a means of deterrence and discipline
5. enhance the profession's public image

Codes of Conduct

see the ACM, IEEE and AITP codes
place emphasis on responsibility to other people
have some common themes:
1. dignity and worth of other people
2. personal integrity and honesty
3. responsibility for work
4. confidentiality of information
5. public safety, health, and welfare
6. participation in professional societies to improve standards of the profession
7. the notion that public knowledge of and access to technology is equivalent to social power

Summary

reviewed a range of topics:
- cybercrime and computer crime
- intellectual property issues
- privacy
- ethical issues