Legal and Ethical Issues

This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material.

Dr. Stephen C. Hayne

Law v. Ethics

Law:
- Described by formal, written documents
- Interpreted by courts
- Established by government
- Applicable to everyone
- Priority determined by courts if 2 laws conflict
- Court is final arbiter of “right”
- Enforceable by police and courts

Ethics:
- Described by unwritten principles
- Interpreted by each individual
- Presented by philosophers, religions, prof’l groups
- Personal choice
- Priority determined by individual if 2 principles conflict
- No external arbiter
- Limited enforcement

Types of Laws

- Criminal laws: conduct deserving of imprisonment
- Civil laws (tort law): relationships between individuals and/or organizations
  - copyrights, trademarks, patents, trade secrets
  - lawsuits seek compensation, not imprisonment
- Regulatory laws: public standards
  - rules of the road, building codes, EPA standards

U.S. Constitutional Foundations for Rights Pertaining to Computers

- First Amendment to the U.S. Constitution: freedom of speech
  - basis for “almost-anything-goes” (so far) on the Internet
- Fourth Amendment to the U.S. Constitution: freedom from unreasonable search and seizure
  - but voluntarily giving information precludes protections to privacy
- Fifth Amendment to the U.S. Constitution: freedom from self-incrimination

U.S. Laws Pertaining to Computers

- Freedom of Information Act: feds must reveal info that is not classified or private
- Privacy Act, 1974 (most important such law): govt can only collect secondary information
  - Military, IRS, Medicare, Social Security records
  - data must be accurate, current, and safeguarded
  - you must be notified of requests for your data
  - you can find out what the govt knows about you
  - private collections of data are NOT covered by this

U.S. Laws Pertaining to Computers

- Fair Credit Reporting Act
  - what types of data can be collected about you
  - your right to know what they know about you
  - integrity of the data is legally required
- Equal Credit Opportunity Act: collection of race/sex/religion data is illegal
- Computer Crime Statute, 1984: computers related to work of the govt or banking
- Cable Communications Privacy Act: illegal to monitor video sales/rentals for profiling

U.S. Laws Pertaining to Computers

- Electronic Communications Privacy Act, 1986: intercepting (etc.) e-mail (etc.) is illegal, but workplace e-mail (company tool) is not included!
- Child Online Protection Act (a.k.a.?) Children’s Online Privacy Protection Act, 1998
- U.S. export regulations on cryptography relaxed in 1999
- Digital Millennium Copyright Act, 1999: a new can of worms, being fought by ACM & others; prohibits certain kinds of research on software

Legal Precedents

- Reno v. ACLU, 1997 (very important case): Communications Decency Act lost to 1st Amendment
- Compuserve v. Cyberpromotions: spam is legal (sort of)
- Planned Parenthood v. Bucci: Bucci had no 1st Amendment or parody right to register www.plannedparenthood.com
- Employers can scan employees’ e-mail
- ISPs may not be responsible for clients’ content; “don’t ask, don’t tell” is the safest policy for ISPs
- Content judged obscene in a receiving state led to conviction of the sender, from another state

CO Computer Crimes Act

- Enacted in 1990
- Fairly comprehensive
- Key condition: “authorization”
- If you have authorization to use or access a resource then it’s ok

Definitions

A person is “without authority” if:
- He has no right or permission of the owner to use a computer, or he uses a computer in a manner exceeding such right/permission.
- He uses a computer/network/email provider to transmit unsolicited bulk email in a manner contrary to the policies of the owner.

Computer Fraud

Any person who uses a computer/network w/o authority and with the intent to:
- Obtain property or services by false pretenses, embezzle or commit larceny, or
- Convert the property of another

Value >= $300: Class 5 felony. Value < $300: Class 2 misdemeanor.

Computer Trespass

Any person who uses a computer/network w/o authority and with the intent:
- To temporarily or permanently remove, halt or disable any computer data, programs, software from a computer/network.
- To cause a computer to malfunction regardless of how long.
- To alter or erase any computer data, software;
- To effect the creation or alteration of a financial instrument or an electronic transfer of funds;
- To cause physical injury to the property of another;
- To make or cause to be made an unauthorized copy in any form of data/software.

Computer Trespass: the “hacker site” clause

- Unlawful for any person knowingly to sell, give, distribute, or possess with the intent to sell, give or distribute software designed to facilitate or enable the falsification of email transmission or routing information.
- Unlawful to falsify or forge email transmission or other routing information in connection with unsolicited bulk mail.

Tort Liability

- Too little security can be negligent: you must be able to demonstrate that you have taken reasonable steps to ensure your org’s computer security.
- Multinationals’ headache: Foreign Corrupt Practices Act (15 USC 78m). If systems are insecure, allowing an intruder to destroy assets or audit trails, THEN the CEO and others could face prosecution. Shareholders have grounds for suit.

Prosecution: log files as evidence (Reference: Cheswick & Bellovin)

- Forging logs is trivial w/privs. Key question is how reliable are your logs.
- Logs are NOT normally admissible as evidence per se. Testimony must show they are accurate, intact and authenticated in order to be admitted as evidence.
- Logs are legally classified as hearsay.

Prosecution: exceptions (business records)

- Logs must be created in real time.
- Logs must be kept as a REGULAR practice; keeping logs ONCE an incident is detected won’t do.
- You must prove you USE the logs for business decisions. This demonstrates your faith in the accuracy of the logs: the more you rely on them, the more likely they are ACCURATE.
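As an added illustration (not from the slides or the Cheswick & Bellovin reference), the check below shows one way a log can be shown “intact and authenticated” rather than merely asserted so: each entry is chained to the previous one with an HMAC, so a later edit, deletion or truncation is detectable. The key, the sample log lines and the anchor tag are constructed for this example; since forging logs is trivial with privileges on the logging host, the key and the anchor must be held by a separate collector, not on the host that writes the log.

```python
"""Tamper-evident log chaining: an added illustration, not from the presentation.

Each entry's tag is HMAC-SHA256(key, previous_tag || entry), so altering,
deleting, inserting or reordering any entry breaks every later tag. The
key and the final "anchor" tag must live where a privileged user of the
logging host cannot reach them, or the chain can simply be recomputed.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32              # fixed starting value of the chain
DEMO_KEY = b"constructed-demo-key"   # constructed for this example only

# Constructed sample log lines; not taken from the presentation.
SAMPLE_LOG = [
    "2003-03-01T10:00:01Z sshd[412]: Accepted publickey for alice from 10.0.0.5",
    "2003-03-01T10:02:17Z sudo: alice : COMMAND=/usr/bin/less /var/log/auth.log",
    "2003-03-01T10:05:44Z sshd[455]: Failed password for root from 10.0.0.9",
    "2003-03-01T10:06:02Z sshd[455]: Failed password for root from 10.0.0.9",
]


def _tag(key, prev, line):
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def chain_log(lines, key):
    """Return a list of (line, hex_tag); each tag also covers the previous tag."""
    prev, chained = GENESIS, []
    for line in lines:
        tag = _tag(key, prev, line)
        chained.append((line, tag.hex()))
        prev = tag
    return chained


def verify_chain(chained, key, final_tag=None):
    """Return -1 if the chain is intact, the index of the first entry whose
    tag does not match, or len(chained) if every entry verifies but the
    off-host anchor (final_tag) does not match the last recomputed tag,
    i.e. the tail of the log was cut off."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(chained):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    if final_tag is not None and not hmac.compare_digest(prev.hex(), final_tag):
        return len(chained)
    return -1


def demo():
    """Exercise the check on an intact, an edited, a shortened and a truncated log."""
    chained = chain_log(SAMPLE_LOG, DEMO_KEY)
    anchor = chained[-1][1]                # last tag, kept off the logging host

    edited = list(chained)
    line, tag = edited[1]
    edited[1] = (line.replace("alice", "mallory"), tag)   # body changed, tag kept

    deleted = chained[:2] + chained[3:]    # a middle entry silently removed

    truncated = chained[:-1]               # last entry removed; only the anchor reveals it

    return {
        "intact": verify_chain(chained, DEMO_KEY, anchor),
        "edited": verify_chain(edited, DEMO_KEY, anchor),
        "deleted": verify_chain(deleted, DEMO_KEY, anchor),
        "truncated": verify_chain(truncated, DEMO_KEY, anchor),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {'OK' if result == -1 else f'problem at entry {result}'}")
```

Chaining entries as they are written also gives a concrete form to the “created in real time, kept as a regular practice” requirement above, since a chain cannot be back-filled after an incident without the key.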

Prosecution: is monitoring legal?

- Relevant US laws: ECPA, 18 USC 3121-3127, 2510-2521, 2701-2711
- Email privacy from a PUBLIC service: 18 USC 2511, 2702
- Put a MOTD stating you may be monitored.

Prosecution Venues

- Any county or city where the act occurred
- In which the owner has his principal place of business in the Commonwealth
- In which any offender had control or possession of any proceeds of the violation
- From which, to which or through which any access to the computer/network was made via wires, microwaves, electromagnetic waves
- In which the offender lives
- In which any computer which is an object or an instrument of the violation is located at the time of the offense

Limitation of Prosecution

- 5 years after the commission of the last violation
- 1 year after the existence of the illegal act and the identity of the offender are discovered by the Commonwealth, by the owner or by anyone else who is damaged by such violation

Difficulties in Prosecution

- Common law concepts of fraud, theft and trespass didn’t fit in computer land.
- Example: theft or larceny requires proof of the removal of the property. Copying computer info leaves the original untouched.
- No physical entry to a computer: no trespass.

Difficulties in Prosecution: trade secrets

- Prosecutor must demonstrate the info is a trade secret.
- Is the offender an insider? No? Then you can’t prosecute.
- Example: Religious Technology Center v. Netcom et al. (Northern District of CA, 1995)
  - Defendant obtained secret internal docs and posted them in newsgroups.
  - He claimed he obtained the info from some publicly available sites.
  - Court concludes no trade secret violation.

Discussion

- Key clause is “without authority”.
- Computer Trespass is probably the most common offense. This clause covers most hacker activity.
- Is the evidence there to prosecute?
- Criminal justice is much harder to prove than civil justice.

Copyrights

- Protect the expression of ideas; ideas themselves cannot be owned
- Intended for printed, performed, or artistic works
  - literary, dramatic, and musical works; characters
  - pictorial, graphic, and sculptural works
  - motion pictures, sound recordings, etc.
  - databases (organization of facts)
- Has been applied to software, even in firmware
- Software and documentation must be copyrighted separately

Copyrights: requirements

- Material must be original
- Material must be expressed in a tangible way
- Notification: ©, year of publication, name of copyright owner; protections are automatic even without notice!
- Formal registration: a public record needed to file an infringement suit (Register of Copyrights, Library of Congress, Washington, DC 20559)

Protections of Copyrights

- The copyright holder has the ability to maintain control of intellectual property
- The copyright holder has the exclusive rights . . .
  - to reproduce the work
  - to prepare derivative works
  - to distribute the work
  - to display the work in public
  - to perform the work in public
- Transmission, storage in RAM? Storage on floppies, hard drives, CD-ROMs, etc.?

Fair Use of Copyrighted Materials

General guidelines in this Great Gray Area . . .
- Purpose: for-profit = black, non-profit = white
- Nature of material: factual material = white (sunrise times, atomic weights, value of , etc.)
- Market impact: harm to the copyright holder in the marketplace = black (Gnu cannot give away Windows)
- Amount: copying a small fraction is whiter than copying a large fraction

Always give credit where credit is due!

Trademarks and Service Marks

- Protect the owner of a very specific type of info: its brand identity
- Can consist of words, abbreviations, letters, numbers, colors, graphics, sounds or music
- Identical trademarks can exist in “parallel universes” (separate states, separate industries)
- Misappropriated trademarks
  - in domain names
  - in metatags (to attract hits by surfers)
  - commercial products exist to scan for infringements

Patents

- Protect inventions (devices and processes)
  - chips, disk drives, other media can be patented
  - algorithms, microcode probably can’t (RSA was)
- Apply to results of science and technology
- Patent goes to whoever invented the device or process first, not the person who filed first
- Process of applying for and obtaining a patent is long and complex
  - prove it hasn’t already been patented
  - prove it is novel and nonobvious

Defending a Patent

- Every case of patent infringement, even a small one, must be pursued; otherwise, the patent holder may lose all rights (a copyright holder can choose which battles to fight!)
- Defending a patent is hard. The alleged infringer can claim:
  - the two inventions are sufficiently different
  - a prior infringement was not opposed
  - the original object was not novel, not patentable
  - I invented it first

Trade Secrets

- Information that gives one company a competitive edge over its competitors
- Information is NOT revealed by filing for a patent
- Therefore, it MUST be kept secret
- Employment contracts often contain nondisclosure clauses

Copyrights v. Patents v. Trade Secrets

|                        | Copyright                                            | Patent                                  | Trade Secret                 |
|------------------------|------------------------------------------------------|-----------------------------------------|------------------------------|
| object protected       | expression of idea                                   | invention of a working device           | secret competitive advantage |
| object public?         | yes                                                  | yes                                     | no                           |
| object distributed?    | yes                                                  | device: yes; design: no                 | no                           |
| filing easy?           | yes                                                  | no (special lawyers & searches needed)  | no filing at all!            |
| duration of protection | corporation: 75 yrs; individual: 50 yrs after death  | 19 years                                |                              |
| legal remedy           | sue; $250,000 / 5 years                              | sue                                     | sue                          |

Digital Millennium Copyright Act

- Passed by US Congress in 1998
- Protects information that is transmitted, stored, published and otherwise used in electronic form
- Goes beyond mere restatement of prohibitions of copyright misuse

DMCA

- Prohibits reverse engineering AND public disclosure of the means whereby someone attempts to protect copyrighted information through digital signature, encryption, etc.
- Analogy: the DMCA makes it a criminal or civil offense to crack a safe lock, in the hope that this will further protect the safe contents.
- Logic flaw: the locks themselves are information, and so the DMCA proscribes the legitimate study of such information.
- Many contend this is a violation of free speech under the First Amendment of the US Constitution.

DMCA

No person shall manufacture, import, offer to the public, provide or otherwise traffic in any technology, product, service, device, component or part thereof that:

A) is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner….

B) has only limited commercially significant purpose or use other than to circumvent protection afforded by a technological measure that effectively protects a right of a copyright owner under this title…

C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner…..

DMCA Analysis

“Circumvent a technological measure” is defined to be: to descramble a work, to decrypt an encrypted work, or to otherwise avoid, bypass, remove, deactivate, or impair a technological measure without the authority of the copyright owner.

DMCA Analysis

- Computer code is information, therefore speech.
- Lawyers think code is something built into their computer and therefore part of the HW.
- HW is not protected by the 1st Amendment.
- The DMCA equates software, and scientific analysis of software, to the manufacture and mass production of hardware devices.
- Computer code is the expression of logic and therefore the embodiment of thought. Thought is speech, so code is speech.
- Had the DMCA stopped here, this would have been ok.
- BUT the DMCA prohibits the “trafficking” in anything (not just code) which may be used to decrypt or circumvent copyright protection mechanisms, including those mechanisms expressed by code.
- Problem: to analyze an encryption scheme is to analyze a thought. Discussion of the scheme in any form is to engage in speech.
- The DMCA considers this “trafficking” and doesn’t distinguish between languages (English, Urdu, Mathematical, C, Fortran).
- In order to understand a field of endeavor, the latest developments must be studied.
- Conclusions from these studies must be discussed among peers.
- Analysis of strengths, weaknesses, and comparisons with others would be considered violations.

DMCA Analysis - Civil: Felten v. RIAA

- Felten intended to publish a paper describing the encryption technology used by the RIAA for CDs.
- The RIAA threatened a civil suit under the DMCA if they published it.
- Felten countersued to declare the DMCA unconstitutional. The lawsuit was dismissed because the RIAA had merely threatened to sue.
- DOJ claims the DMCA provides safe harbors to its prohibitions:
  - conduct necessary to engage in encryption research
  - conduct necessary to engage in security testing of a computer system
  - so the DMCA provided all protection necessary for his research.
- Problem: what is “necessary”? Who determines what is necessary? The courts? Law enforcement? Does the researcher need advance permission? Since “necessary” is ambiguous, the statute should be unconstitutional.
- The RIAA tried to get around this by sending Felten a letter saying they had changed their mind and would not sue. Removing the lawsuit threat makes his point moot, which is what happened.
- However, 1st Amendment protection still holds.

DMCA Analysis - Criminal

- It is a criminal offense to violate the DMCA “willfully and for the purposes of commercial or private financial gain.”
- EDU research and nonprofit libraries are exempt.
- What about corporate research? Bell Labs and MIT examples. Ignored by the DMCA.

DMCA Analysis - Criminal: US v. Elcom

- Sklyarov wrote a program that circumvented Adobe’s license protection feature for e-books.
- Adobe went the criminal route because he’s not a US citizen.
- Elcom was indicted for trafficking.
- Charged with distributing a finished product that allows you to make multiple, unauthorized copies of ebooks.
- Clearer to resolve, since Elcom’s program is the circumvention mechanism.
- Problem: it’s an attractive nuisance. It’s not illegal per se unless it’s used.
- Second problem: Elcom is located in Russia, where the DMCA doesn’t apply. There is no allegation that the US alone was targeted in the marketing plan.
- Applying US laws to global commerce, and our criminal laws to foreign nationals, based SOLELY on their Internet activities is questionable.

DMCA Conclusions

- DMCA supporters fail to understand that digital business rules have changed.
- Constitutional issues arise when trying to balance fair use vs. free speech.
- International commerce implications are serious.

http://www-2.cs.cmu.edu/~dst/DeCSS/Gallery/index.html