2. Legal, Privacy, and Ethical Issues in
Computer Security
Human Controls Applicable to Computer Security:
Basic Legal Issues
a) Protecting Programs and Data
b) Information and the Law
c) Ownership Rights of Employees and Employers
d) Software Failures (and Customers)
Computer Crime
Privacy
Ethics
a) Introduction to Ethics
b) Case Studies of Ethics
c) Codes of Professional Ethics
3. Protecting Programs and Data
Copyrights — designed to protect expression of ideas (creative
works of the mind)
Ideas themselves are free
Different people can have the same idea
The way of expressing ideas is copyrighted
Copyrights are exclusive rights to making copies of
expression
Copyright protects intellectual property (IP)
IP must be:
Original work
In some tangible medium of expression
4. Patent — designed to protect tangible objects, or ways to make
them (not works of the mind)
Protected entity must be novel & nonobvious
The first inventor who obtains patent gest his invention
protected against patent infrigement
Patents applied for algorithms only since 1981
Trade secret — information that provides competitive edge over
others
Information that has value only if kept secret
Undoing release of a secret is impossible or very difficult
Reverse engineering used to uncover trade secret is legal!
T.s. protection applies very well to computer s/w
E.g., pgms that use algorithms unknown to others
5. Copyright Patent Trade Secret
Protects Expression of idea,
not idea itself
Invention—way
something works
Secret, competitive
advantage
Protected Object
Made Public
Yes; intention is to
promote publication
Design filed at
Patent Office
No
Must Distribute Yes No No
Ease of filing Very easy, do-it-
yourself
Very complicated;
specialist lawyer
suggested
No filing
Duration Originator’s life + 70
yrs; 95 y. For
company
19 years Indefinite
Legal Protection Sue if unauthorized
copy sold
Sue if invention
copied/reinvented
Sue if secret
improperly obtained
6. Protecting Programs and Data
How to protect:
H/w
Patent
Firmware (microcode)
Patent physical device, chip
Use trade secret protection
Copyright s/w such as embedded OS
Object code s/w
Copyiright of binary code
Copyright of source code
Need legal precedents
Source code s/w
Use trade secret protection
Copyright reveals some code, facilitates reverse
engineering
Need legal precedents, too
7. Information and the Law
Characteristics of information as an object of value
Not exhaustable
Can be replicated
Has minimal marginal cost
Value is often time dependent
Can be transferred intangibly
8. Criminal Law Civil Law
Defined by Statutes Common law (tort l.)
Contracts
Cases
brought by
Government Government
Individuals and
companies
Wronged
party
Society Individuals and
companies
Remedy Jail, fine Damages, typically
monetary
Comparison of Criminal and Civil Law
9. Ownership Rights of Employees and
Employers
Ownership rights are computer security issue
Concerned with protecting secrecy (confidentiality) and integrity of
works produced by employees of an employer
Ownership issues in emploee/employer relations:
Ownership of products
Products/ideas/inventions developed by employee after hours might
still be owned by her employer
Esp. if in the same „line of business”
Ownership of patents
If employer files for patent, employer will own patent
Ownership of copyrights
Similar to patents
Trade secret protection
No registered inventor/author—owner can prosecute
for damages
10. Ownership Rights of Employees and Employers (2)
Type of employment has ownership consequences
Work for hire
All work done by employee is owned by employer
Employment contracts
Often spell out ownership rights
Often includes agreement not to compete (for some time after
termination)
Non-competition is not always enforceable by law
Licenses
Programmer retains full ownership of developed s/w
Grants license for a fee
11. Software Failures (& Customers)
-If not correct: ask for refund, replacement, fixing
Refund: possible
Replacement: if this copy damaged, or improved in the
meantine
Fixing: rarely legally enforced; instead, monetary awards
for damages
Correctness of s/w difficult to define/enforce legally
Individual can rarely sue a major s/w vendor
Prohibitive costs for individual
12. Issue 2: Reporting software flaws
Should we share s/w vulnerability info?
Both pros and cons
Vendor interests
Vendors don’t want to react to individual flaws
Prefer bundle a number of flaw fixes
User interests
Would like to have fixes quickly
Responsible vulnerability reporting
How to report vulnerability info responsibly?
E.g. First notify the vendor, give vendor a few weeks to fix
If vendor delays fixes, ask „coordinator” for help
Coordinator—e.g., computer emergency response center
13. Computer Crime
Separate category for computer crime is needed
Because special laws are needed for CC
Value of integrity and confidentiality/privacy
Value of privacy is now recognized by several federal/state laws
Value of data
Courts understand value of data better
Acceptance of computer terminology
Law lags behind technology in acceptance of new terminology
14. Privacy
Identity theft – the most serious crime against privacy
Threats to privacy
Aggregation and data mining
Poor system security
The Internet as privacy threat
Unencrypted e-mail / web surfing / attacks
Corporate rights and private business
16. Introduction to Ethics
Law vs. Ethics
Law alone can’t restrict human behavior
Impractical/impossible to describe/enforce all acceptable behaviors
Ethics/morals are sufficient self-controls for most people
17. Most ethical and legal issues in computer system are in the area of individual’s
right to privacy versus the greater good of a larger entity i.e. a company or
a society. For example, tracking how employees use computers, crowd
surveillance, managing customer profiles, tracking a person’s travel with
passport and so on. A key concept in resolving this issues is to find out,
what is a person’s expectation of privacy. Classically, the ethical issues in
security system are classified into following 4 categories:
• Privacy: This deals with the right of an individual to control personal
information. It is the protection of personal or sensitive information.
Privacy is subjective. Different people have different ideas of what privacy
is and how much privacy they will trade for safety or convenience.
• Accuracy: This talks about the responsibility for the authenticity, fidelity
an accuracy of the information.
• Property: This determines who the owner of the information is and who
controls access.
• Accessibility: This deals with the issue of the type of information, an
organization has the right to collect. And in that situation, it also expects to
know the measures which will safeguard against any unforeseen
eventualities.