Computer Security: Computer Security: Principles and PracticePrinciples and Practice

First EditionFirst Edition

by William Stallings and Lawrie Brownby William Stallings and Lawrie Brown

Lecture slides by Lawrie BrownLecture slides by Lawrie Brown

Chapter 18 – Chapter 18 – Legal and Ethical Legal and Ethical AspectsAspects

Legal and Ethical AspectsLegal and Ethical Aspects

touch on a few topics including:touch on a few topics including: cybercrime and computer crimecybercrime and computer crime intellectual property issuesintellectual property issues privacy privacy ethical issuesethical issues

Cybercrime / Computer CrimeCybercrime / Computer Crime

““criminal activity in which computers or computer criminal activity in which computers or computer networks are a tool, a target, or a place of criminal networks are a tool, a target, or a place of criminal activity”activity”

categorize based on computer’s role:categorize based on computer’s role: as targetas target as storage deviceas storage device as communications toolas communications tool

more comprehensive categorization seen in more comprehensive categorization seen in Cybercrime Convention, Computer Crime SurveysCybercrime Convention, Computer Crime Surveys

Law Enforcement ChallengesLaw Enforcement Challenges

Intellectual PropertyIntellectual Property

CopyrightCopyright

protects tangible or fixed expression of an idea protects tangible or fixed expression of an idea but not the idea itselfbut not the idea itself

is automatically assigned when createdis automatically assigned when created may need to be registered in some countriesmay need to be registered in some countries exists when:exists when:

proposed work is originalproposed work is original creator has put original idea in concrete formcreator has put original idea in concrete form e.g. literary works, musical works, dramatic works, e.g. literary works, musical works, dramatic works,

pantomimes and choreographic works, pictorial, pantomimes and choreographic works, pictorial, graphic, and sculptural works, motion pictures and graphic, and sculptural works, motion pictures and other audiovisual works, sound recordings, other audiovisual works, sound recordings, architectural works, software-related works.architectural works, software-related works.

Copyright RightsCopyright Rights

copyright owner has these exclusive copyright owner has these exclusive rights, protected against infringement:rights, protected against infringement: reproduction rightreproduction right modification rightmodification right distribution rightdistribution right public-performance rightpublic-performance right public-display rightpublic-display right

PatentsPatents grant a property right to the inventorgrant a property right to the inventor

to exclude others from making, using, offering for sale, to exclude others from making, using, offering for sale, or selling the inventionor selling the invention

types:types: utility - any new and useful process, machine, article of utility - any new and useful process, machine, article of

manufacture, or composition of mattermanufacture, or composition of matter design - new, original, and ornamental design for an design - new, original, and ornamental design for an

article of manufacturearticle of manufacture plant - discovers and asexually reproduces any distinct plant - discovers and asexually reproduces any distinct

and new variety of plantand new variety of plant

e.g. RSA public-key cryptosystem patente.g. RSA public-key cryptosystem patent

TrademarksTrademarks

a word, name, symbol, or device a word, name, symbol, or device used in trade with goodsused in trade with goods indicate source of goods indicate source of goods to distinguish them from goods of othersto distinguish them from goods of others

trademark rights may be used to:trademark rights may be used to: prevent others from using a confusingly similar markprevent others from using a confusingly similar mark but not to prevent others from making the same but not to prevent others from making the same

goods or from selling the same goods or services goods or from selling the same goods or services under a clearly different markunder a clearly different mark

Intellectual Property Issues Intellectual Property Issues and Computer Securityand Computer Security

software programssoftware programs protect using copyright, perhaps patentprotect using copyright, perhaps patent

database content and arrangementdatabase content and arrangement protect using copyrightprotect using copyright

digital content audio / video / media / webdigital content audio / video / media / web protect using copyrightprotect using copyright

algorithmsalgorithms may be able to protect by patentingmay be able to protect by patenting

U.S. Digital Millennium U.S. Digital Millennium Copyright ACT (DMCA)Copyright ACT (DMCA)

implements WIPO treaties to strengthens implements WIPO treaties to strengthens protections of digital copyrighted materialsprotections of digital copyrighted materials

encourages copyright owners to use encourages copyright owners to use technological measures to protect their technological measures to protect their copyrighted works, including:copyrighted works, including: measures that prevent access to the work measures that prevent access to the work measures that prevent copying of the workmeasures that prevent copying of the work

prohibits attempts to bypass the measuresprohibits attempts to bypass the measures have both criminal and civil penalties for thishave both criminal and civil penalties for this

DMCA ExemptionsDMCA Exemptions

certain actions are exempted from the certain actions are exempted from the DMCA provisions:DMCA provisions: fair usefair use reverse engineeringreverse engineering encryption researchencryption research security testingsecurity testing personal privacypersonal privacy

considerable concern exists that DMCA considerable concern exists that DMCA inhibits legitimate security/crypto researchinhibits legitimate security/crypto research

Digital Rights Management Digital Rights Management (DRM)(DRM)

systems and procedures ensuring digital rights systems and procedures ensuring digital rights holders are clearly identified and receive holders are clearly identified and receive stipulated payment for their worksstipulated payment for their works may impose further restrictions on their usemay impose further restrictions on their use

no single DRM standard or architectureno single DRM standard or architecture goal often to provide mechanisms for the goal often to provide mechanisms for the

complete content management lifecyclecomplete content management lifecycle provide persistent content protection for a provide persistent content protection for a

variety of digital content types / platforms / variety of digital content types / platforms / media media

DRM ComponentsDRM Components

DRM System ArchitectureDRM System Architecture

PrivacyPrivacy

overlaps with computer securityoverlaps with computer security have dramatic increase in scale of info have dramatic increase in scale of info

collected and storedcollected and stored motivated by law enforcement, national motivated by law enforcement, national

security, economic incentivessecurity, economic incentives but individuals increasingly aware of but individuals increasingly aware of

access and use of personal / private infoaccess and use of personal / private info concerns on extent of privacy compromise concerns on extent of privacy compromise

have seen a range of responseshave seen a range of responses

EU Privacy LawEU Privacy Law

European Union Data Protection Directive European Union Data Protection Directive was adopted in 1998 to:was adopted in 1998 to: ensure member states protect fundamental ensure member states protect fundamental

privacy rights when processing personal infoprivacy rights when processing personal info prevent member states from restricting the prevent member states from restricting the

free flow of personal info within EUfree flow of personal info within EU organized around principles of:organized around principles of:

notice, consent, consistency, access, security, notice, consent, consistency, access, security, onward transfer, enforcementonward transfer, enforcement

US Privacy LawUS Privacy Law

have Privacy Act of 1974 which:have Privacy Act of 1974 which: permits individuals to determine records keptpermits individuals to determine records kept permits individuals to forbid records being permits individuals to forbid records being

used for other purposes used for other purposes permits individuals to obtain access to recordspermits individuals to obtain access to records ensures agencies properly collect, maintain, ensures agencies properly collect, maintain,

and use personal info and use personal info creates a private right of action for individualscreates a private right of action for individuals

also have a range of other privacy lawsalso have a range of other privacy laws

Organizational ResponseOrganizational Response ““An organizational data protection and privacy policy should be An organizational data protection and privacy policy should be

developed and implemented. This policy should be developed and implemented. This policy should be communicated to all persons involved in the processing of communicated to all persons involved in the processing of personal information. Compliance with this policy and all personal information. Compliance with this policy and all relevant data protection legislation and regulations requires relevant data protection legislation and regulations requires appropriate management structure and control. Often this is best appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, such as a achieved by the appointment of a person responsible, such as a data protection officer, who should provide guidance to data protection officer, who should provide guidance to managers, users, and service providers on their individual managers, users, and service providers on their individual responsibilities and the specific procedures that should be responsibilities and the specific procedures that should be followed. Responsibility for handling personal information and followed. Responsibility for handling personal information and ensuring awareness of the data protection principles should be ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures regulations. Appropriate technical and organizational measures to protect personal information should be implemented.”to protect personal information should be implemented.”

Common Criteria Privacy ClassCommon Criteria Privacy Class

Privacy and Data SurveillancePrivacy and Data Surveillance

Ethical IssuesEthical Issues have many potential misuses / abuses of have many potential misuses / abuses of

information and electronic communication information and electronic communication that create privacy and security problemsthat create privacy and security problems

ethics:ethics: a system of moral principles relating benefits a system of moral principles relating benefits

and harms of particular actions to rightness and harms of particular actions to rightness and wrongness of motives and ends of themand wrongness of motives and ends of them

ethical behavior here not uniqueethical behavior here not unique but do have some unique considerationsbut do have some unique considerations

in scale of activities, in new types of entitiesin scale of activities, in new types of entities

Ethical HierarchyEthical Hierarchy

Ethical Issues Related to Ethical Issues Related to Computers and Info Systems Computers and Info Systems some ethical issues from computer use:some ethical issues from computer use:

repositories and processors of informationrepositories and processors of information producers of new forms and types of assetsproducers of new forms and types of assets instruments of actsinstruments of acts symbols of intimidation and deceptionsymbols of intimidation and deception

those who understand / exploit technology, and those who understand / exploit technology, and have access permission, have power over thesehave access permission, have power over these

issue is balancing professional responsibilities issue is balancing professional responsibilities with ethical or moral responsibilitieswith ethical or moral responsibilities

Ethical Question ExamplesEthical Question Examples

whistle-blowerwhistle-blower when professional ethical duty conflicts with when professional ethical duty conflicts with

loyalty to employerloyalty to employer e.g. inadequately tested software producte.g. inadequately tested software product organizations and professional societies organizations and professional societies

should provide alternative mechanismsshould provide alternative mechanisms potential conflict of interestpotential conflict of interest

e.g. consultant has financial interest in vendor e.g. consultant has financial interest in vendor which should be revealed to client which should be revealed to client

Codes of ConductCodes of Conduct ethics not precise laws or sets of factsethics not precise laws or sets of facts many areas may present ethical many areas may present ethical

ambiguityambiguity many professional societies have ethical many professional societies have ethical

codes of conduct which can:codes of conduct which can:1.1. be a positive stimulus and instill confidencebe a positive stimulus and instill confidence2.2. be educationalbe educational3.3. provide a measure of supportprovide a measure of support4.4. be a means of deterrence and disciplinebe a means of deterrence and discipline5.5. enhance the profession's public imageenhance the profession's public image

Codes of ConductCodes of Conduct

see ACM, IEEE and AITP codessee ACM, IEEE and AITP codes place emphasis on responsibility other peopleplace emphasis on responsibility other people have some common themes:have some common themes:

1.1. dignity and worth of other peopledignity and worth of other people2.2. personal integrity and honestypersonal integrity and honesty3.3. responsibility for workresponsibility for work4.4. confidentiality of informationconfidentiality of information5.5. public safety, health, and welfarepublic safety, health, and welfare6.6. participation in professional societies to improve participation in professional societies to improve

standards of the professionstandards of the profession7.7. the notion that public knowledge and access to the notion that public knowledge and access to

technology is equivalent to social powertechnology is equivalent to social power

SummarySummary

reviewed a range of reviewed a range of topics:topics: cybercrime and computer crimecybercrime and computer crime intellectual property issuesintellectual property issues privacy privacy ethical issuesethical issues