
Network Security Essentials: Fourth Edition by William Stallings

CNS Materials
Copyright
© Attribution Non-Commercial (BY-NC)

Network Security Essentials Chapter 13

Fourth Edition by William Stallings Lecture slides by Lawrie Brown

Chapter 13 Legal and Ethical Aspects


touch on a few topics including:

- cybercrime and computer crime
- intellectual property issues
- privacy
- ethical issues

Cybercrime / Computer Crime


- criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity
- categorize based on computer's role:
  - as target
  - as storage device
  - as communications tool
- more comprehensive categorization seen in Cybercrime Convention, Computer Crime Surveys

Law Enforcement Challenges

Intellectual Property

Copyright

- protects tangible or fixed expression of an idea but not the idea itself
- is automatically assigned when created
- may need to be registered in some countries
- exists when:
  - proposed work is original
  - creator has put original idea in concrete form
  - e.g. literary works, musical works, dramatic works, pantomimes and choreographic works, pictorial, graphic, and sculptural works, motion pictures and other audiovisual works, sound recordings, architectural works, software-related works

Copyright Rights
- copyright owner has these exclusive rights, protected against infringement:
  - reproduction right
  - modification right
  - distribution right
  - public-performance right
  - public-display right

Patents

- grant a property right to the inventor
  - to exclude others from making, using, offering for sale, or selling the invention
- types:
  - utility - any new and useful process, machine, article of manufacture, or composition of matter
  - design - new, original, and ornamental design for an article of manufacture
  - plant - discovers and asexually reproduces any distinct and new variety of plant
- e.g. RSA public-key cryptosystem patent

Trademarks

- a word, name, symbol, or device
  - used in trade with goods
  - indicate source of goods
  - to distinguish them from goods of others
- trademark rights may be used to:
  - prevent others from using a confusingly similar mark
  - but not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark


Intellectual Property Issues and Computer Security


- software programs
  - protect using copyright, perhaps patent
- database content and arrangement
  - protect using copyright
- digital content audio / video / media / web
  - protect using copyright
- algorithms
  - may be able to protect by patenting

U.S. Digital Millennium Copyright Act (DMCA)

- implements WIPO treaties to strengthen protections of digital copyrighted materials
- encourages copyright owners to use technological measures to protect their copyrighted works, including:
  - measures that prevent access to the work
  - measures that prevent copying of the work
- prohibits attempts to bypass the measures
  - have both criminal and civil penalties for this

DMCA Exemptions
- certain actions are exempted from the DMCA provisions:
  - fair use
  - reverse engineering
  - encryption research
  - security testing
  - personal privacy
- considerable concern exists that DMCA inhibits legitimate security/crypto research

Digital Rights Management (DRM)

- systems and procedures ensuring digital rights holders are clearly identified and receive stipulated payment for their works
  - may impose further restrictions on their use
- no single DRM standard or architecture
- goal often to provide mechanisms for the complete content management lifecycle
- provide persistent content protection for a variety of digital content types / platforms / media

DRM Components

DRM System Architecture

Privacy
- overlaps with computer security
- have dramatic increase in scale of info collected and stored
  - motivated by law enforcement, national security, economic incentives
- but individuals increasingly aware of access and use of personal / private info
- concerns on extent of privacy compromise have seen a range of responses

EU Privacy Law
- European Union Data Protection Directive was adopted in 1998 to:
  - ensure member states protect fundamental privacy rights when processing personal info
  - prevent member states from restricting the free flow of personal info within EU
- organized around principles of:
  - notice, consent, consistency, access, security, onward transfer, enforcement

US Privacy Law
- have Privacy Act of 1974 which:
  - permits individuals to determine records kept
  - permits individuals to forbid records being used for other purposes
  - permits individuals to obtain access to records
  - ensures agencies properly collect, maintain, and use personal info
  - creates a private right of action for individuals
- also have a range of other privacy laws

Organizational Response

An organizational data protection and privacy policy should be developed and implemented. This policy should be communicated to all persons involved in the processing of personal information. Compliance with this policy and all relevant data protection legislation and regulations requires appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, such as a data protection officer, who should provide guidance to managers, users, and service providers on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures to protect personal information should be implemented.

Common Criteria Privacy Class

Privacy and Data Surveillance

Ethical Issues
- have many potential misuses / abuses of information and electronic communication that create privacy and security problems
- ethics:
  - a system of moral principles relating benefits and harms of particular actions to rightness and wrongness of motives and ends of them
- ethical behavior here not unique
- but do have some unique considerations
  - in scale of activities, in new types of entities

Ethical Hierarchy

Ethical Issues Related to Computers and Info Systems

- some ethical issues from computer use:
  - repositories and processors of information
  - producers of new forms and types of assets
  - instruments of acts
  - symbols of intimidation and deception
- those who understand / exploit technology, and have access permission, have power over these
- issue is balancing professional responsibilities with ethical or moral responsibilities

Ethical Question Examples


- whistle-blower
  - when professional ethical duty conflicts with loyalty to employer
  - e.g. inadequately tested software product
  - organizations and professional societies should provide alternative mechanisms
- potential conflict of interest
  - e.g. consultant has financial interest in vendor which should be revealed to client

Codes of Conduct

- ethics not precise laws or sets of facts
- many areas may present ethical ambiguity
- many professional societies have ethical codes of conduct which can:
  1. be a positive stimulus and instill confidence
  2. be educational
  3. provide a measure of support
  4. be a means of deterrence and discipline
  5. enhance the profession's public image

Codes of Conduct

- see ACM, IEEE and AITP codes
- place emphasis on responsibility to other people
- have some common themes:
  1. dignity and worth of other people
  2. personal integrity and honesty
  3. responsibility for work
  4. confidentiality of information
  5. public safety, health, and welfare
  6. participation in professional societies to improve standards of the profession
  7. the notion that public knowledge and access to technology is equivalent to social power

Summary
- reviewed a range of topics:
  - cybercrime and computer crime
  - intellectual property issues
  - privacy
  - ethical issues
