Legal and Ethical Issues

Major Topics

- Protecting Programs and Data
- Information and the Law
- Rights of Employees and Employers
- Software Failures
- Computer Crime
- Privacy
- Ethical Issues in Computer Security

Relationship to Security

- Relationship of topics discussed to computer security is not always clear
- Legal and ethical issues involving computers are often, but not always, security issues
  - Example: Ownership of program code

Legal Issues

- Laws provide a framework in which security issues can/must be addressed
- Constraints: Things you can’t do
- Requirements: Things you must do
- Frameworks: Things you can use

Ethical Issues

- Ethics involves generally accepted standards of proper behavior
- Ethical principle – “an objectively defined standard of right and wrong”
- Ethical system – “a set of ethical principles”
- The United States is an ethically pluralistic society

Ethical Principles

- Consequence-based: teleology
  - Egoism
  - Utilitarianism
- Rule-based: deontology
  - Rule-deontology
  - Personal
- Professional codes of ethics

Law and Ethics

- It is possible for an action to be legal but not ethical
- It is possible for an action to be ethical but not legal
- What these actions are depends upon the ethical and legal systems used

Law and Security

- Law may specify information that must be kept confidential
  - Medical information: HIPAA
  - Student information: FERPA
- Law may specify information that must be released
  - FOIA – Freedom of Information Act – applies to many government records

Privacy Issues

- Combine legal requirements and social expectations
- Privacy refers to protection/release of personal information
- Confidentiality refers to protection/release of information in general

Personal Story 1: Medical Privacy

- I went for a medical test for osteoporosis.
- The results were shown to me on a computer screen also containing results from other patients.
- Clear violation of HIPAA/other privacy rules
- Not a major problem since I did not recognize/remember any of the names seen.

Personal Story 2: Password Disclosure

- I was setting up a computer display in a database course.
- When I signed on to the DB system, my password was displayed.
- So I changed my password.
- Whose fault?
  - Mine – I should have checked display.
  - DB – It should not have displayed password in clear.

Personal Story 3: Credit Card Theft

- I received a call from local police that my credit card had been found in possession of an apparent credit card thief. (He had lots of stolen cards.)
- I got a new credit card/number.
- No improper charges were made.
- Whose fault:
  - Thief – He stole it!
  - Mine – I could have kept better track of the card.

Personal Story 4: Another Credit Card Theft

- I received a notification that I was to be sent a new AMEX card and did not get it even though my husband got his.
- AMEX notified me that my card was showing unusual usage patterns.
- Multiple charges were posted that I had not made.
- Card apparently stolen from mailbox.

Personal Story 4 (continued)

- AMEX removed improper charges.
- I received a new card.
- I did not receive any information about eventual outcome of situation.
- Note redundancy in system:
  - Mail notification of card issuance.
  - Tracking of usage patterns.

Some Privacy Issues

- Identity theft
- Data mining
- Carnivore
- Passport
- Anonymity
- Computer voting
- E.U. Data Protection Act (personal data)
- Gramm-Leach-Bliley (financial information)
- HIPAA (health information)

Some Privacy Laws

- US Privacy Act
- US Electronic Communications Privacy Act
- US Patriot Act

Software Ownership

- Protecting information about software
- Possible protection mechanisms:
  - Trade secret
  - Copyright (DMCA)
  - Patent

Trade Secret

- Confidential business information
- Must be kept secret
- Coke formula
- Diebold code for DREs
- Trade secrets may be lost
  - Independent discovery
  - Reverse engineering

Copyright

- Protect expressions of ideas
  - But not the ideas themselves
- Limited time period
- Programs may be copyrighted
- DMCA – Digital Millennium Copyright Act
- Copy protection mechanisms
  - Sony-BMG XCP

Patents

- Patents protect inventions
  - Novel
  - Nonobvious
- Computer programs
  - Patents allowed since 1981
  - Controversial
  - Almost 40 years of prior art

Who Owns Software?

- The developer
  - Company?
  - Individual?
- Considerations
  - Employment contract
  - Work for hire
  - Relationship to employment
  - License

Criminal vs. Civil Law

- Criminal law – actions against the state
  - Statutes
- Civil law – actions against individuals/other private entities
  - Precedents
- Contract law – actions in violation of a contract

How are Computer Crimes Different from Other Crimes?

- Unfamiliarity of criminal justice system with computers and computer terminology
- Need to deal with intangible and easily copied property

International Issues

- Laws are different in different countries.
- Computer networks are international.
- Who has “jurisdiction” over a computer crime?
- Can software/data be effectively excluded?
- Privacy concerns
- Cryptography