Lecture 5

The document discusses the legal and ethical aspects of information systems, focusing on cybercrime, intellectual property, privacy, and ethical issues. It outlines the definitions and categories of cybercrime, the types of intellectual property protections available, and the implications of privacy laws in the U.S. and EU. Additionally, it addresses the ethical considerations for professionals in the field, emphasizing the need for adherence to ethical standards and the unique challenges posed by technology.

Uploaded by Sabiha Khamis
Information Systems Security
Legal and Ethical Aspects
Overview
• Cybercrime and computer crime
• Intellectual property issues
• Privacy
• Ethical issues

Cybercrime / Computer Crime
• Cybercrime is “criminal activity in which
computers or computer networks are a tool, a
target, or a place of criminal activity”
• Cybercrime usually utilizes networks;
computer crime may or may not use networks
• Department of Justice categorizes based on
computer’s role:
– as target
– as storage device
– as communications tool
Cybercrime / Computer Crime…
Computers as targets:
• to acquire information stored on that
computer system,
• to control the target system without
authorization or payment (theft of service),
or
• to alter the integrity of data or interfere with
the availability of the computer or server.
Cybercrime / Computer Crime…
Computers as storage devices:
• as a passive storage medium, for
example for:
– stolen password lists,
– credit card or calling card numbers,
– proprietary corporate information,
– pornographic image files, or
– "warez" (pirated commercial software).
Cybercrime / Computer Crime…
Computers as communications tools:
• often traditional crimes committed online.
Examples include:
– the illegal sale of prescription drugs, controlled
substances, alcohol, and guns;
– fraud;
– gambling;
– and child pornography.
Law Enforcement Challenges (figure)
Property

• The U.S. legal system, and legal systems
generally, distinguish three primary types
of property:
• real,
• personal and
• intellectual.
Intellectual Property

• Intellectual property is any intangible
asset that consists of human knowledge
and ideas.
– Examples include software, data, novels, sound
recordings, the design of a new type of
mousetrap, or a cure for a disease.
Intellectual Property
• There are three main types of intellectual
property for which legal protection is
available: copyrights, trademarks, and
patents.
• The legal protection is against
infringement, which is the invasion of the
rights secured by copyrights, trademarks,
and patents.
Intellectual Property (figure)
Copyright
• protects tangible or fixed expression of an
idea but not the idea itself
• is automatically assigned when created
• may need to be registered in some
countries
• exists when:
– proposed work is original
– creator has put original idea in concrete form
• e.g. literary works, musical works, dramatic works,
pantomimes and choreographic works, pictorial,
graphic, and sculptural works, motion pictures and
other audiovisual works, sound recordings,
architectural works, software-related works.
Copyright Rights

Copyright owner has these exclusive rights,
protected against infringement:
• reproduction right - owner can make copy
• modification right - to make new or
derivative work
• distribution right - owner can sell, lease
• public-performance right
• public-display right (film, slide, TV)
Patents
• Grant a property right to the inventor
– to exclude others from making, using, offering for
sale, or selling the invention
• Types:
– utility - any new and useful process, machine,
article of manufacture, or composition of matter
– design - new, original, and ornamental design for
an article of manufacture
– plant - discovers and asexually reproduces any
distinct and new variety of plant
• e.g. RSA public-key cryptosystem patent 1983-2000
Trademarks

• A word, name, symbol, or device
– used in trade with goods
– indicate source of goods
– to distinguish them from goods of others
• Trademark rights may be used to:
– prevent others from using a confusingly similar
mark
– but not to prevent others from making the same
goods or from selling the same goods or services
under a clearly different mark
Intellectual Property Issues and Computer Security
• Software programs
– protect using copyright, perhaps patent
• Database content and arrangement
– protect using copyright
• Digital content audio / video / media /
web
– protect using copyright
• Algorithms (e.g. RSA)
– may be able to protect by patenting
U.S. Digital Millennium Copyright Act (DMCA) - 1998
• Implements World Intellectual Property
Organization (WIPO) treaties to strengthen
protections of digital copyrighted materials
• Encourages copyright owners to use
technological measures to protect their
copyrighted works, including:
– measures that prevent access to the work
– measures that prevent copying of the
work
• Prohibits attempts to bypass measures
– both criminal and civil penalties for this
U.S. Digital Millennium Copyright Act (DMCA) - 1998
• Specifically, the law states that "No person
shall circumvent a technological measure
that effectively controls access to a work
protected under this title."
• Among other effects of this clause, it
prohibits almost all unauthorized decryption
of content.
U.S. Digital Millennium Copyright Act (DMCA) - 1998
• The law further prohibits the manufacture,
release, or sale of products, services, and
devices that can crack encryption designed
to thwart either access to or copying of
material unauthorized by the copyright
holder. Both criminal and civil penalties
apply to attempts to circumvent
technological measures and to assist in
such circumvention.
DMCA Exemptions

• Certain actions are exempted from the
DMCA provisions:
– fair use
– reverse engineering
– encryption research
– security testing
– personal privacy
• Considerable concern exists that DMCA
inhibits legitimate security/crypto research
Digital Rights Management (DRM)
• Systems and procedures ensuring digital
rights holders are clearly identified and
receive stipulated payment for their works
– may impose further restrictions on their use
• No single DRM standard or architecture
• Goal often to provide mechanisms for the
complete content management lifecycle
• Provide persistent content protection for a
variety of digital content types / platforms /
media
DRM Components (figure)
DRM Components…

• Content provider: Holds the digital rights of the
content and wants to protect these rights.
Examples are a music record label and a movie
studio.
• Distributor: provides distribution channels, such
as an online shop or a Web retailer. e.g. an online
distributor receives digital content from the content
provider and creates a Web catalogue presenting
the content and rights metadata for its promotion.
DRM Components…

• Consumer: Uses the system to access the digital
content by retrieving downloadable or streaming
content through the distribution channel and then
paying for the digital license. The player/viewer
application used by the consumer takes charge of
initiating a license request to the clearinghouse and
enforcing the content usage rights.
DRM Components…

• Clearinghouse: Handles the financial
transaction for issuing the digital license
to the consumer and pays royalty fees
to the content provider and distribution
fees to the distributor accordingly. The
clearinghouse is also responsible for
logging license consumptions for every
consumer.
DRM Components…
• In this model, the distributor need not enforce the
access rights. Instead, the content provider
protects the content in such a way (typically
encryption) that the consumer must purchase a
digital license and access capability from the
clearinghouse. The clearinghouse consults usage
rules provided by the content provider to
determine what access is permitted and the fee
for a particular type of access. Having collected
the fee, the clearinghouse credits the content
provider and distributor appropriately.
DRM System Architecture

• The system is accessed by parties in three roles:
• Rights holders are the content providers, who
either created the content or have acquired rights
to the content.
• Service providers include distributors and
clearinghouses.
• Consumers are those who purchase the right to
access content for specific uses.
DRM System Architecture…
• There is a system interface to the services
provided by the DRM system:
• Identity management: mechanisms for unique
entities, such as parties and content.
• Content management: processes and functions
to manage the content lifecycle.
• Rights management: processes and functions
needed to manage rights, rights holders, and
associated requirements.
DRM System Architecture…

• Below these management modules are
common functions:
• Security/Encryption
• Authentication and authorization
• Billing/Payments
• Delivery
DRM System Architecture…
• The security/encryption module provides
functions to encrypt content and to sign license
agreements.
• The identity management service makes use of
the authentication and authorization functions
to identify all parties in the relationship. Using
these functions, the identity management service
includes the following: Allocation of unique party
identifiers, User profile and preferences, User's
device management, Public key management.
DRM System Architecture…

• Billing/payments functions deal with the
collection of usage fees from consumers
and the distribution of payments to rights
holders and distributors.
• Delivery functions deal with the delivery
of content to consumers.
DRM System Architecture… (figure)
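The DRM model on the slides above (provider encrypts, consumer buys a license from the clearinghouse, clearinghouse consults the provider's usage rules and splits the fee, player enforces the granted right) as an added, constructed simulation; this is example code, not part of the lecture. It assumes a SHA-256 keystream as a stand-in for the content cipher and an HMAC key shared with the player in place of the public-key license signature a real system would use.

```python
import hashlib
import hmac
import json
import secrets

# Constructed simulation of the lecture's DRM roles. The content cipher is a
# SHA-256 counter keystream XOR standing in for a real cipher; the license is
# HMAC-signed with a key the player holds (a real system would use a public-key signature).

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (symmetric) by XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)

class ContentProvider:
    """Rights holder: encrypts the content and sets the usage rules and fees."""
    def __init__(self):
        self.keys = {}    # content_id -> content key (never given to the distributor)
        self.rules = {}   # content_id -> {usage: fee}
    def publish(self, content_id, plaintext, rules):
        key = secrets.token_bytes(32)
        self.keys[content_id], self.rules[content_id] = key, rules
        return keystream_xor(key, plaintext)   # protected copy handed to the distributor

class Clearinghouse:
    """Issues signed licenses, logs consumption, and splits the fee."""
    def __init__(self, provider, distributor_share=0.3):
        self.provider, self.share = provider, distributor_share
        self.signing_key = secrets.token_bytes(32)
        self.log = []                                   # (consumer, content, usage, fee)
        self.credits = {"provider": 0.0, "distributor": 0.0}
    def issue_license(self, consumer, content_id, usage):
        rules = self.provider.rules[content_id]         # consult the provider's usage rules
        if usage not in rules:
            raise PermissionError(f"usage {usage!r} not permitted for {content_id}")
        fee = rules[usage]
        self.credits["distributor"] += fee * self.share
        self.credits["provider"] += fee * (1 - self.share)
        self.log.append((consumer, content_id, usage, fee))
        body = {"consumer": consumer, "content": content_id, "usage": usage,
                "key": self.provider.keys[content_id].hex()}
        payload = json.dumps(body, sort_keys=True).encode()
        return payload, hmac.new(self.signing_key, payload, "sha256").hexdigest()

class Player:
    """Consumer's viewer: verifies the license, then enforces the usage right it grants."""
    def __init__(self, verify_key):
        self.verify_key = verify_key
    def play(self, ciphertext, payload, tag, action):
        expected = hmac.new(self.verify_key, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("license signature invalid")
        lic = json.loads(payload)
        if lic["usage"] != action:                      # e.g. a stream license cannot download
            raise PermissionError(f"license grants {lic['usage']!r}, not {action!r}")
        return keystream_xor(bytes.fromhex(lic["key"]), ciphertext)
```

The distributor only ever holds the encrypted copy, so it cannot grant access itself; a tampered license fails the signature check and a license for one usage does not unlock another.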
Privacy
• Overlaps with computer security
• Has dramatic increase in scale of info
collected and stored
– motivated by law enforcement, national
security, economic incentives
• Individuals increasingly aware of access and
use of personal / private info
• Concerns about the extent to which privacy
has been compromised have resulted in a
range of responses, including legal and technical
approaches to reinforcing privacy rights
EU Privacy Law
• European Union Data Protection Directive
was adopted in 1998 to:
– ensure member states protect
fundamental privacy rights when
processing personal info
– prevent member states from restricting
the free flow of personal info within EU
• Organized around principles of:
– notice, consent, consistency, access,
security, onward transfer, enforcement
EU Privacy Law Principles
• Notice: organizations must notify individuals what
personal information they are collecting, the uses
of that information, and what choices the
individual may have.
• Consent: individuals must be able to choose
whether and how their personal information is
used by, or disclosed to, third parties. They have
the right not to have any sensitive information
collected or used without express permission,
including race, religion, health, union membership,
beliefs, and sex life.
EU Privacy Law Principles…

• Consistency: organizations may use
personal information only in accordance
with the terms of the notice given the data
subject and the choices they make on its
use
• Access: individuals must have the right
and ability to access their information and
correct, modify, or delete any portion of it.
EU Privacy Law Principles…
• Security: organizations must provide adequate
security, using technical and other means, to
protect the integrity and confidentiality of personal
information.
• Onward transfer: third parties receiving personal
information must provide the same level of privacy
protection as the organization from whom the
information is obtained.
• Enforcement: grants a private right of action to
data subjects when organizations do not follow the
law.
US Privacy Law
Privacy Act of 1974 which:
• permits individuals to determine records kept
• permits individuals to forbid records being
used for other purposes
• permits individuals to obtain access to records
• ensures agencies properly collect, maintain,
and use personal info
• creates a private right of action for individuals
• also have a range of other privacy laws
US Privacy Law

• The 1974 Privacy Act covers government
records, but a number of other U.S. laws
have been enacted that cover other areas,
including: Banking and financial records,
Credit, Medical and health insurance
records, Children's privacy, Electronic
communications.
Organizational Response

• ISO 17799 (Code of Practice for Information
Security Management) states the
requirement as follows:
• ISO 17799: Data protection and privacy
of personal information
• An organizational data protection and
privacy policy should be developed and
implemented…
Organizational Response…

• “An organizational data protection and privacy
policy should be developed and implemented.
This policy should be communicated to all
persons involved in the processing of personal
information. Compliance with this policy and
all relevant data protection legislation and
regulations requires appropriate management
structure and control.”
Organizational Response…

“Often this is best achieved by the appointment
of a person responsible, such as a data protection
officer, who should provide guidance to
managers, users, and service providers on their
individual responsibilities and the specific
procedures that should be followed.”
Organizational Response…

“Responsibility for handling personal information
and ensuring awareness of the data protection
principles should be dealt with in accordance
with relevant legislation and regulations.
Appropriate technical and organizational
measures to protect personal information should
be implemented.”
Common Criteria Privacy Class
• The Common Criteria specification includes a
definition of a set of functional requirements in a
Privacy Class, which should be implemented in a
trusted system.
• The purpose of the privacy functions is to provide a
user protection against discovery and misuse of
identity by other users.
• It is primarily concerned with the privacy of an
individual with respect to their use of computer
resources, rather than the privacy of their personal
information.
Common Criteria Privacy Class…
• This specification shows a breakdown
of privacy into 4 major areas:
• Anonymity
• Pseudonymity
• Unlinkability
• Unobservability
Common Criteria Privacy Class… (figure)
Privacy and Data Surveillance (figure)
Ethical Issues
• Ethics refers to a system of moral principles
that relates to the benefits and harms of
particular actions, and to the rightness and
wrongness of motives and ends of those
actions.
• What constitutes ethical behavior for those
who work with or have access to
information systems is not unique to this
context. The basic ethical principles
developed by civilizations apply.
Ethical Issues
• Have potential misuses/abuses of information
and electronic communication that create
privacy and security problems
• ethics:
– a system of moral principles relating benefits
and harms of particular actions to rightness
and wrongness of motives and ends of them
• ethical behavior here not unique
• but do have some unique considerations
– in scale of activities, in new types of entities

Ethical Issues

• Computer technology has involved
the creation of new types of entities
for which no agreed ethical rules have
previously been formed, such as
databases, Web browsers, chat
rooms, cookies, and so on.
Ethical Hierarchy
• It has always been the case that those with
special knowledge or special skills have
additional ethical obligations beyond those
common to all humanity. We can illustrate
this in terms of an ethical hierarchy.
• At the top of the hierarchy are the ethical values
professionals share with all human beings, such
as integrity, fairness, and justice.

Ethical Hierarchy…
• Being a professional with special training imposes
additional ethical obligations with respect to those
affected by his or her work.
• General principles applicable to all professionals
arise at this level.
• Finally, each profession has associated with it
specific ethical values and obligations related to the
specific knowledge of those in the profession and
the powers that they have to affect others. Most
professions embody all of these levels in a
professional code of conduct.
Ethical Hierarchy… (figure)
Ethical Issues Related to Computers and Info Systems
• Some ethical issues from computer use:
– repositories and processors of information
– producers of new forms and types of assets
– instruments of acts
– symbols of intimidation and deception
• Those who understand / exploit technology,
and have access permission, have power
over these
• Issue is balancing professional
responsibilities with ethical or moral
responsibilities
Ethical Question Examples

• whistle-blower
– when professional ethical duty conflicts
with loyalty to employer
– e.g. inadequately tested software product
– organizations and professional societies
should provide alternative mechanisms
• potential conflict of interest
– e.g. consultant has financial interest in
vendor which should be revealed to client
Codes of Conduct
• Ethics not precise laws or sets of facts
• Many areas may present ethical ambiguity
• Many professional societies have ethical
codes of conduct which can:
1. be a positive stimulus and instill confidence
2. be educational
3. provide a measure of support
4. be a means of deterrence and discipline
5. enhance the profession's public image

Codes of Conduct
• See ACM, IEEE and AITP codes
• place emphasis on responsibility to other people
• have some common themes:
1. dignity and worth of other people
2. personal integrity and honesty
3. responsibility for work
4. confidentiality of information
5. public safety, health, and welfare
6. participation in professional societies to improve
standards of the profession
7. the notion that public knowledge and access to
technology is equivalent to social power
Summary

• Reviewed a range of topics:
– cybercrime and computer crime
– intellectual property issues
– privacy
– ethical issues
• ...coming to the end!
Any problems, please email or call.
Good Luck!
