Legal and Ethical Issues
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis.
I have edited and added material.
Dr. Stephen C. Hayne
Law v. Ethics

Law:
- Described by formal, written documents
- Interpreted by courts
- Established by government
- Applicable to everyone
- Priority determined by courts if two laws conflict
- Court is the final arbiter of “right”
- Enforceable by police and courts

Ethics:
- Described by unwritten principles
- Interpreted by each individual
- Presented by philosophers, religions, professional groups
- Personal choice
- Priority determined by the individual if two principles conflict
- No external arbiter
- Limited enforcement
Types of Laws
- Criminal laws: conduct deserving of imprisonment
- Civil laws (tort law): relationships between individuals and/or organizations; copyrights, trademarks, patents, trade secrets; lawsuits seek compensation, not imprisonment
- Regulatory laws: public standards; rules of the road, building codes, EPA standards
U.S. Constitutional Foundations for Rights Pertaining to Computers
- First Amendment to the U.S. Constitution: freedom of speech; the basis for “almost-anything-goes” (so far) on the Internet
- Fourth Amendment to the U.S. Constitution: freedom from unreasonable search and seizure; but voluntarily giving information precludes protections to privacy
- Fifth Amendment to the U.S. Constitution: freedom from self-incrimination
U.S. Laws Pertaining to Computers
- Freedom of Information Act: feds must reveal info that is not classified or private
- Privacy Act, 1974 (most important such law): govt can only collect secondary information; Military, IRS, Medicare, Social Security records; data must be accurate, current, and safeguarded; you must be notified of requests for your data; you can find out what the govt knows about you; private collections of data are NOT covered by this
U.S. Laws Pertaining to Computers
- Fair Credit Reporting Act: what types of data can be collected about you; your right to know what they know about you; integrity of the data is legally required
- Equal Credit Opportunity Act: collection of race/sex/religion data is illegal
- Computer Crime Statute, 1984: computers related to the work of the govt or banking
- Cable Communications Privacy Act: illegal to monitor video sales/rentals for profiling
U.S. Laws Pertaining to Computers
- Electronic Communications Privacy Act, 1986: intercepting (etc.) e-mail (etc.) is illegal; but workplace e-mail (company tool) is not included!
- Child Online Protection Act (a.k.a.?) Children’s Online Privacy Protection Act, 1998
- U.S. export regulations on cryptography relaxed in 1999
- Digital Millennium Copyright Act, 1999: a new can of worms, being fought by ACM & others; prohibits certain kinds of research on software
Legal Precedents
- Reno v. ACLU, 1997 (very important case): Communications Decency Act lost to the 1st Amendment
- Compuserve v. Cyberpromotions: spam is legal (sort of)
- Planned Parenthood v. Bucci: Bucci had no 1st Amendment or parody right to register www.plannedparenthood.com
- Employers can scan employees’ e-mail
- ISPs may not be responsible for clients’ content; “don’t ask, don’t tell” is the safest policy for ISPs
- Content judged obscene in a receiving state led to conviction of the sender, from another state
CO Computer Crimes Act
- Enacted in 1990
- Fairly comprehensive
- Key condition: “authorization”; if you have authorization to use or access a resource then it’s ok
Definitions
A person is “without authority” if:
- He has no right or permission of the owner to use a computer, or he uses a computer in a manner exceeding such right/permission.
- He uses a computer/network/email provider to transmit unsolicited bulk email in a manner contrary to the policies of the owner.
Computer Fraud
Any person who uses a computer/network w/o authority and with the intent to:
- Obtain property or services by false pretenses, embezzle or commit larceny, or
- Convert the property of another
Value >= $300: Class 5 felony. Value < $300: Class 2 misdemeanor.
Computer Trespass
Any person who uses a computer or network w/o authority and with the intent to:
- Temporarily or permanently remove, halt or disable any computer data, programs, or software from a computer/network
- Cause a computer to malfunction, regardless of how long
- Alter or erase any computer data or software
- Effect the creation or alteration of a financial instrument or an electronic transfer of funds
- Cause physical injury to the property of another
- Make or cause to be made an unauthorized copy in any form of data/software

The “hacker site” clause: it is unlawful for any person knowingly to sell, give, distribute, or possess with the intent to sell, give or distribute software designed to facilitate or enable the falsification of email transmission or routing information, or to falsify or forge email transmission or other routing information in connection with unsolicited bulk mail.
Tort Liability
- Too little security can be negligent
- You must be able to demonstrate that you have taken reasonable steps to ensure your org’s computer security
Multinationals Headache
Foreign Corrupt Practices Act (15 USC 78m): if systems are insecure, allowing an intruder to destroy assets and audit trails, then the CEO and others could face prosecution. Shareholders have grounds for suit.
Prosecution
Reference: Cheswick & Bellovin

Log files as evidence:
- Forging logs is trivial with privileges. The key question is how reliable your logs are.
- Logs are NOT normally admissible as evidence per se. Testimony must show they are accurate, intact and authenticated in order to be admitted as evidence.
- Logs are legally classified as hearsay.

Exceptions: business records
- Logs must be created in real time.
- Logs must be kept as a REGULAR practice; keeping logs ONCE an incident is detected won’t do.
- You must prove you USE the logs for business decisions. This demonstrates your faith in the accuracy of the logs: if you rely on them, the more likely they are ACCURATE.

Is monitoring legal? Relevant US laws:
- ECPA: 18 USC 3121-3127, 2510-2521, 2701-2711
- Email privacy from a PUBLIC service: 18 USC 2511, 2702
- Put up a MOTD stating that users may be monitored.
Prosecution Venues
- Any county or city where the act occurred
- In which the owner has his principal place of business in the Commonwealth
- In which any offender had control or possession of any proceeds of the violation
- From which, to which or through which any access to the computer/network was made via wires, microwaves, or electromagnetic waves
- In which the offender lives
- In which any computer which is an object or an instrument of the violation is located at the time of the offense
Limitation of Prosecution
- 5 years after the commission of the last violation
- 1 year after the existence of the illegal act and the identity of the offender are discovered by the Commonwealth, by the owner or by anyone else who is damaged by such violation
Difficulties in Prosecution
- Common law concepts of fraud, theft and trespass didn’t fit in computer land.
- Example: theft or larceny requires proof of the removal of the property. Copying computer info leaves the original untouched.
- No physical entry to a computer: no trespass.

Trade secrets:
- The prosecutor must demonstrate that the info is a trade secret.
- Is the offender an insider? If not, then you can’t prosecute.
- Example: Religious Technology Center v. Netcom et al. (Northern District of CA, 1995). The defendant obtained secret internal docs and posted them in newsgroups. He claimed he obtained the info from some publicly available sites. The court concluded there was no trade secret violation.
Discussion
- The key clause is “without authority”.
- Computer Trespass is probably the most common offense. This clause covers most hacker activity.
- Is the evidence there to prosecute? Criminal justice is much harder to prove than civil justice.
Copyrights
- Protect the expression of ideas; ideas themselves cannot be owned
- Intended for printed, performed, or artistic works: literary, dramatic, and musical works; characters; pictorial, graphic, and sculptural works; motion pictures, sound recordings, etc.; databases (organization of facts)
- Has been applied to software, even in firmware
- Software and documentation must be copyrighted separately
Copyrights: Requirements
- Material must be original
- Material must be expressed in a tangible way
- Notification: ©, year of publication, name of copyright owner; protections are automatic even without notice!
- Formal registration: a public record needed to file an infringement suit; Register of Copyrights, Library of Congress, Washington, DC 20559
Protections of Copyrights
- The copyright holder has the ability to maintain control of intellectual property
- The copyright holder has the exclusive rights to reproduce the work, to prepare derivative works, to distribute the work, to display the work in public, and to perform the work in public
- Transmission? Storage in RAM? Storage on floppies, hard drives, CD-ROMs, etc.?
Fair Use of Copyrighted Materials
General guidelines in this Great Gray Area:
- Purpose: for-profit = black, non-profit = white
- Nature of material: factual material = white (sunrise times, atomic weights, value of , etc.)
- Market impact: harm to the copyright holder in the marketplace = black (Gnu cannot give away Windows)
- Amount: copying a small fraction is whiter than copying a large fraction
- Always give credit where credit is due!
Trademarks and Service Marks
- Protect the owner of a very specific type of info: its brand identity
- Can consist of words, abbreviations, letters, numbers, colors, graphics, sounds or music
- Identical trademarks can exist in “parallel universes” (separate states, separate industries)
- Misappropriated trademarks: in domain names; in metatags (to attract hits by surfers); commercial products exist to scan for infringements
Patents
- Protect inventions (devices and processes): chips, disk drives, other media can be patented; algorithms, microcode probably can’t (RSA was)
- Apply to results of science and technology
- The patent goes to whoever invented the device or process first, not the person who filed first
- The process of applying for and obtaining a patent is long and complex: prove it hasn’t already been patented; prove it is novel and nonobvious
Defending a Patent
- Every case of patent infringement, even a small one, must be pursued; otherwise, the patent holder may lose all rights (a copyright holder can choose which battles to fight!)
- Defending a patent is hard. The alleged infringer can claim: the two inventions are sufficiently different; a prior infringement was not opposed; the original object was not novel, not patentable; I invented it first
Trade Secrets
- Information that gives one company a competitive edge over its competitors
- Information is NOT revealed by filing for a patent; therefore, it MUST be kept secret
- Employment contracts often contain nondisclosure clauses
Copyrights v. Patents v. Trade Secrets

|                        | Copyright                                            | Patent                                   | Trade Secret                  |
|------------------------|------------------------------------------------------|------------------------------------------|-------------------------------|
| object protected       | expression of idea                                   | invention of a working device            | secret competitive advantage  |
| object public?         | yes                                                  | yes                                      | no                            |
| object distributed?    | yes                                                  | device: yes; design: no                  | no                            |
| filing easy?           | yes                                                  | no (special lawyers & searches needed)   | no filing at all!             |
| duration of protection | corporation: 75 yrs; individual: 50 yrs after death  | 19 years                                 |                               |
| legal remedy           | sue; $250,000 / 5 years                              | sue                                      | sue                           |
Digital Millennium Copyright Act
- Passed by US Congress in 1998
- Protects information that is transmitted, stored, published and otherwise used in electronic form
- Goes beyond a mere restatement of prohibitions of copyright misuse
DMCA
- Prohibits reverse engineering AND public disclosure of the means whereby someone attempts to protect copyrighted information through digital signature, encryption, etc.
- Analogy: the DMCA makes it a criminal or civil offense to crack a safe lock in the hope that this will further protect the safe contents.
- Logic flaw: the locks themselves are information, and so the DMCA proscribes the legitimate study of such information.
- Many contend this is a violation of free speech under the First Amendment of the US Constitution.
DMCA
No person shall manufacture, import, offer to the public, provide or otherwise traffic in any technology, product, service, device, component or part thereof that:
- A) is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner…
- B) has only limited commercially significant purpose or use other than to circumvent protection afforded by a technological measure that effectively protects a right of a copyright owner under this title…
- C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner…
DMCA Analysis
“Circumvent a technological measure” is defined as: to descramble a scrambled work, to decrypt an encrypted work, or to otherwise avoid, bypass, remove, deactivate, or impair a technological measure without the authority of the copyright owner.
DMCA Analysis
- Computer code is information, therefore speech.
- Lawyers think code is something built into their computer and therefore part of the HW. HW is not protected by the 1st Amendment.
- The DMCA equates software, and scientific analysis of software, to the manufacture and mass production of hardware devices.
- Computer code is the expression of logic and therefore the embodiment of thought. Thought is speech, so code is speech.
- Had the DMCA stopped here, this would have been ok. BUT the DMCA prohibits the “trafficking” in anything (not just code) which may be used to decrypt or circumvent copyright protection mechanisms, including those mechanisms expressed by code.
- Problem: to analyze an encryption scheme is to analyze a thought. Discussion of the scheme in any form is to engage in speech. The DMCA considers this “trafficking” and doesn’t distinguish between languages (English, Urdu, Mathematical, C, Fortran).
- In order to understand a field of endeavor, the latest developments must be studied. Conclusions from these studies must be discussed among peers. Analysis of strengths, weaknesses, and comparisons with others would be considered violations.
DMCA Analysis - Civil: Felten v. RIAA
- Felten intended to publish a paper describing the encryption technology used by the RIAA for CDs.
- The RIAA threatened a civil suit under the DMCA if they published it.
- Felten countersued to declare the DMCA unconstitutional. The lawsuit was dismissed because the RIAA had merely threatened to sue.
- The DOJ claims the DMCA provides safe harbors to its prohibitions: conduct necessary to engage in encryption research; conduct necessary to engage in security testing of a computer system. The DMCA provided all the protection necessary for his research.
- Problem: what is “necessary”? Who determines what is necessary? The courts? Law enforcement? Does the researcher need advance permission? Since “necessary” is ambiguous, the statute should be unconstitutional.
- The RIAA tried to get around this by sending Felten a letter saying they had changed their mind and would not sue. Removing the lawsuit threat makes his point moot, which is what happened. However, 1st Amendment protection still holds.
DMCA Analysis - Criminal
- It is a criminal offense to violate the DMCA “willfully and for the purposes of commercial or private financial gain.” EDU research and nonprofit libraries are exempt.
- What about corporate research? Bell Labs and MIT examples. Ignored by the DMCA.

US v. Elcom
- Sklyarov wrote a program that circumvented Adobe’s license protection feature for e-books.
- Adobe went the criminal route because he’s not a US citizen.
- Elcom was indicted for trafficking: charged with distributing a finished product that allows you to make multiple, unauthorized copies of e-books.
- Clearer to resolve, since Elcom’s program is the circumvention mechanism.
- Problem: it’s an attractive nuisance. It’s not illegal per se unless it’s used.
- Second problem: Elcom is located in Russia, where the DMCA doesn’t apply. There is no allegation that the US alone was targeted in the marketing plan. Applying US laws to global commerce and our criminal laws to foreign nationals based SOLELY on their Internet activities is questionable.
DMCA Conclusions
- DMCA supporters fail to understand that digital business rules have changed.
- Constitutional issues arise when trying to balance fair use vs. free speech.
- International commerce implications are serious.
http://www-2.cs.cmu.edu/~dst/DeCSS/Gallery/index.html