Security+ SY0 301 chapter 3

Chapter 3: Legal Issues, Privacy, and Ethics

CompTIA Security+ All-in-One Exam Guide, 3rd Edition

In this chapter, you will

• Learn about the laws and rules concerning importing and exporting encryption software
• Know the laws that govern computer access and trespass
• Understand the laws that govern encryption and digital rights management
• Learn about the laws that govern digital signatures
• Learn about the laws that govern privacy in various industries with relation to computer security
• Explore ethical issues associated with information security

Computer security is no different from any other subject in our society; as it changes our lives, laws are enacted to enable desired behaviors and prohibit undesired behaviors. The one substantial difference between this aspect of our society and others is that the speed of advancement in the information systems world, as driven by business, computer network connectivity, and the Internet, is much greater than in the legal system of compromise and law-making. In some cases, laws have been overly restrictive, limiting business options, such as in the area of importing and exporting encryption technology. In other cases, legislation has been slow in coming, and this fact has stymied business initiatives, such as in digital signatures. And in some areas, it has been both too fast and too slow, as in the case of privacy laws. One thing is certain: you will never satisfy everyone with a law, but it does delineate the rules of the game.

The cyber-law environment has not been fully defined by the courts. Laws have been enacted, but until they have been fully tested and explored by cases in court, the exact limits are somewhat unknown. This makes some aspects of interpretation more challenging, but the vast majority of the legal environment is known well enough that effective policies can be enacted to navigate this environment properly. Policies and procedures are tools you use to ensure understanding and compliance with laws and regulations affecting cyberspace.

Cybercrime

One of the many ways to examine cybercrime involves studying how the computer is involved in the criminal act. Three types of computer crimes commonly occur: computer-assisted crime, computer-targeted crime, and computer-incidental crime. The differentiating factor is how the computer is specifically involved from the criminal's point of view. Just as crime is not a new phenomenon, neither are computers, and cybercrime has a history of several decades. What is new is how computers are involved in criminal activities. The days of simple teenage hacking activities from a bedroom have been replaced by organized crime–controlled botnets (groups of computers commandeered by a malicious hacker) and acts designed to attack specific targets. The legal system has been slow to react, and law enforcement has been hampered by their own challenges in responding to the new threats posed by high-tech crime.

What comes to mind when most people think about cybercrime is a computer that is targeted and attacked by an intruder. The criminal attempts to benefit from some form of unauthorized activity associated with a computer. In the 1980s and '90s, cybercrime was mainly virus and worm attacks, each exacting some form of damage, yet the gain for the criminal was usually negligible. Enter the 21st century, with new forms of malware, rootkits, and targeted attacks; criminals can now target individual users and their bank accounts. In the current environment it is easy to predict where this form of attack will occur—if money is involved, a criminal will attempt to obtain what he considers his own fair share!

A common method of criminal activity is computer-based fraud. Advertising on the Internet is big business, and hence the "new" crime of click fraud is now a concern. Click fraud involves a piece of malware that defrauds the advertising revenue counter engine through fraudulent user clicks. eBay, the leader in the Internet auction space, and its companion PayPal are frequent targets of fraud. Whether the fraud occurs by fraudulent listing, fraudulent bidding, or outright stealing of merchandise, the results are the same: a crime is committed. As users move toward online banking and stock trading, so moves the criminal element. Malware designed to install a keystroke logger and then watch for bank/brokerage logins is already making the rounds of the Internet. Once the attacker finds the targets, he can begin looting accounts. His risk of getting caught and prosecuted is exceedingly low. Walk into a bank in the United States and rob it, and the odds are better than 95 percent that you will be doing time in federal prison after the FBI hunts you down and slaps the cuffs on your wrists. Do the same crime via a computer, and the odds are even better than the opposite: less than percent of these attackers are caught and prosecuted. The low risk of being caught is one of the reasons that criminals are turning to computer crime. Just as computers have become easy for ordinary people to use, the trend continues for the criminal element. Today's cyber criminals use computers as tools to steal intellectual property or other valuable data and then subsequently market these materials through underground online forums. Using the computer to physically isolate the criminal from the direct event of the crime has made the investigation and prosecution of these crimes much more challenging for authorities.

The last way computers are involved with criminal activities is through incidental involvement. Back in 1931, the U.S. government used accounting records and tax laws to convict Al Capone of tax evasion. Today, similar records are kept on computers. Computers are also used to traffic child pornography and other illicit activities—these computers act more as storage devices than as actual tools to enable the crime. Because child pornography existed before computers made its distribution easier, the computer is actually incidental to the crime itself.

With the three forms of computer involvement in crimes, coupled with increased criminal involvement, multiplied by the myriad of ways a criminal can use a computer to steal or defraud, added to the indirect connection mediated by the computer and the Internet, computer crime of the 21st century is a complex problem indeed. Technical issues are associated with all the protocols and architectures. A major legal issue is the education of the entire legal system as to the serious nature of computer crimes. All these factors are further complicated by the use of the Internet to separate the criminal and his victim geographically. Imagine this defense: "Your honor, as shown by my client's electronic monitoring bracelet, he was in his apartment in California when this crime occurred. The victim claims that the money was removed from his local bank in New York City. Now, last time I checked, New York City was a long way from Los Angeles, so how could my client have robbed the bank?"

EXAM TIP Computers are involved in three forms of criminal activity: the computer as a tool of the crime, the computer as a victim of a crime, and the computer that is incidental to a crime.

Common Internet Crime Schemes

To find crime, just follow the money. In the United States, the FBI and the National White Collar Crime Center (NW3C) have joined forces in developing the Internet Crime Complaint Center, an online clearinghouse that communicates issues associated with cybercrime. One of the items provided to the online community is a list of common Internet crimes and explanations (www.ic3.gov/crimeschemes.aspx). A separate list offers advice on how to prevent these crimes through individual actions (www.ic3.gov/preventiontips.aspx). Here's a list of common Internet crimes from the site:

• Auction Fraud
• Auction Fraud—Romania
• Counterfeit Cashier's Check
• Credit Card Fraud
• Debt Elimination
• Parcel Courier E-mail Scheme
• Employment/Business Opportunities
• Escrow Services Fraud
• Identity Theft
• Internet Extortion
• Investment Fraud
• Lotteries
• Nigerian Letter or "419"
• Phishing/Spoofing
• Ponzi/Pyramid Scheme
• Reshipping
• Spam
• Third Party Receiver of Funds

Sources of Laws

In the United States, three primary sources of laws and regulations affect our lives and govern actions. Statutory laws are passed by the legislative branches of government, be it the Congress or a local city council. Another source of laws and regulations is administrative bodies given power by other legislation. The power of government-sponsored agencies, such as the Environmental Protection Agency (EPA), the Federal Aviation Administration (FAA), the Federal Communications Commission (FCC), and others lies in this powerful ability to enforce behaviors through administrative rule making. The last source of law in the United States is common law, which is based on previous events or precedent. The source of this law is the judicial branch of government: judges decide on the applicability of laws and regulations.

All three sources have an involvement in computer security. Specific statutory laws, such as the Computer Fraud and Abuse Act, govern behavior. Administratively, the FCC and Federal Trade Commission (FTC) have made their presence felt in the Internet arena with respect to issues such as intellectual property theft and fraud. Common law cases are now working their way through the judicial system, cementing the issues of computers and crimes into the system of precedents and the constitutional basis of laws.

EXAM TIP Three types of laws are commonly associated with cybercrime: statutory law, administrative law, and common law.

Computer Trespass

With the advent of global network connections and the rise of the Internet as a method of connecting computers between homes, businesses, and governments across the globe, a new type of criminal trespass can now be committed. Computer trespass is the unauthorized entry into a computer system via any means, including remote network connections. These crimes have introduced a new area of law that has both national and international consequences. For crimes that are committed within a country's borders, national laws apply. For cross-border crimes, international laws and international treaties are the norm. Computer-based trespass can occur even if countries do not share a physical border.

Computer trespass is treated as a crime in many countries. National laws exist in many countries, including the EU, Canada, and the United States. These laws vary by country, but they all have similar provisions defining the unauthorized entry into and use of computer resources for criminal activities. Whether called computer mischief as in Canada, or computer trespass as in the United States, unauthorized entry and use of computer resources is treated as a crime with significant punishments. With the globalization of the computer network infrastructure, or Internet, issues that cross national boundaries have arisen and will continue to grow in prominence. Some of these issues are dealt with through the application of national laws upon request of another government. In the future, an international treaty may pave the way for closer cooperation.

Convention on Cybercrime

The Convention on Cybercrime is the first international treaty on crimes committed via the Internet and other computer networks. The convention is the product of four years of work by Council of Europe experts, but also by the United States, Canada, Japan, and other countries that are not members of the organization of the member states of the European Council. The current status of the convention is as a draft treaty, ratified by only two members. A total of five members must ratify it to become law. The main objective of the convention, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international cooperation. This has become an important issue with the globalization of network communication. The ability to create a virus anywhere in the world and escape prosecution because of lack of local laws has become a global concern. The convention deals particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security. It also contains a series of powers and procedures covering, for instance, searches of computer networks and interception. It will be supplemented by an additional protocol making any publication of racist and xenophobic propaganda via computer networks a criminal offense.

Significant U.S. Laws

The United States has been a leader in the development and use of computer technology. As such, it has a longer history with computers and with cybercrime than other countries. Because legal systems tend to be reactive and move slowly, this leadership position has translated into a leadership position from a legal perspective as well. The one advantage of this legal leadership position is the concept that once an item is identified and handled by the legal system in one jurisdiction, subsequent adoption in other jurisdictions is typically quicker.

Electronic Communications Privacy Act (ECPA)

The Electronic Communications Privacy Act (ECPA) of 1986 was passed by Congress and signed by President Reagan to address a myriad of legal privacy issues that resulted from the increasing use of computers and other technology specific to telecommunications. Sections of this law address e-mail, cellular communications, workplace privacy, and a host of other issues related to communicating electronically. A major provision was the prohibition against an employer's monitoring an employee's computer usage, including e-mail, unless consent is obtained. Other legal provisions protect electronic communications from wiretap and outside eavesdropping, as users were assumed to have a reasonable expectation of privacy and afforded protection under the Fourth Amendment to the Constitution.

A common practice with respect to computer access today is the use of a warning banner. These banners are typically displayed whenever a network connection occurs and serve four main purposes. First, from a legal standpoint, they establish the level of expected privacy (usually none on a business system) and serve as consent to real-time monitoring from a business standpoint. Real-time monitoring can be conducted for security reasons, business reasons, or technical network performance reasons. The key is that the banner tells users that their connection to the network signals their consent to monitoring. Consent can also be obtained to look at files and records. In the case of government systems, consent is needed to prevent direct application of the Fourth Amendment. And the last reason is that the warning banner can establish the system or network administrator's common authority to consent to a law enforcement search.

Computer Fraud and Abuse Act (1986)

The Computer Fraud and Abuse Act (CFAA) of 1986, amended in 1994, 1996, and in 2001 by the Patriot Act, serves as the current foundation for criminalizing unauthorized access to computer systems. The CFAA makes it a crime to knowingly access a computer or computer system that is a government computer or is involved in interstate or foreign communication, which in today's Internet-connected age can be almost any machine. The act sets financial thresholds, which were lowered by the Patriot Act, but in light of today's investigation costs, these are easily met. The act also makes it a crime to knowingly transmit a program, code, or command that results in damage. Trafficking in passwords or similar access information is also criminalized. This is a wide-sweeping act, but the challenge of proving a case still exists.

Patriot Act

The Patriot Act of 2001, passed in response to the September 11 terrorist attack on the World Trade Center buildings in New York, substantially changed the levels of checks and balances in laws related to privacy in the United States. This law extends the tap and trace provisions of existing wiretap statutes to the Internet and mandates certain technological modifications at ISPs to facilitate electronic wiretaps on the Internet. The act also permitted the Justice Department to proceed with its rollout of the Carnivore program, an eavesdropping program for the Internet. Much controversy exists over Carnivore, but until it's changed, the Patriot Act mandates that ISPs cooperate and facilitate monitoring. The Patriot Act also permits federal law enforcement personnel to investigate computer trespass (intrusions) and enacts civil penalties for trespassers.

Gramm-Leach-Bliley Act (GLB)

In November 1999, President Clinton signed the Gramm-Leach-Bliley Act, a major piece of legislation affecting the financial industry with significant privacy provisions for individuals. The key privacy tenets enacted in GLB included the establishment of an opt-out method for individuals to maintain some control over the use of the information provided in a business transaction with a member of the financial community. GLB is enacted through a series of rules governed by state law, federal law, securities law, and federal rules. These rules cover a wide range of financial institutions, from banks and thrifts, to insurance companies, to securities dealers. Some internal information sharing is required under the Fair Credit Reporting Act (FCRA) between affiliated companies, but GLB ended sharing with external third-party firms.

Sarbanes-Oxley (SOX)

In the wake of several high-profile corporate accounting/financial scandals in the United States, the federal government in 2002 passed sweeping legislation overhauling the financial accounting standards for publicly traded firms in the United States. These changes were comprehensive, touching most aspects of business in one way or another. With respect to information security, one of the most prominent changes is Section 404 controls, which specify that all processes associated with the financial reporting of a firm must be controlled and audited on a regular basis. Since the majority of firms use computerized systems, this placed internal auditors into the IT shops, verifying that the systems had adequate controls to ensure the integrity and accuracy of financial reporting. These controls have resulted in controversy over the cost of maintaining these controls versus the risk of not using them.

Section 404 requires firms to establish a control-based framework designed to detect or prevent fraud that would result in misstatement of financials. In simple terms, these controls should detect insider activity that would defraud the firm. This has significant impacts on the internal security controls, because a system administrator with root-level access could perform many, if not all, tasks associated with fraud and would have the ability to alter logs and cover his or her tracks. Likewise, certain levels of power users of financial accounting programs would also have significant capability to alter records.

Payment Card Industry Data Security Standards (PCI DSS)

The payment card industry, including the powerhouses of MasterCard and Visa, designed a private sector initiative to protect payment card information between banks and merchants. This is a voluntary, private sector initiative that is proscriptive in its security guidance. Merchants and vendors can choose not to adopt these measures, but the standard has a steep price for noncompliance; the transaction fee for noncompliant vendors can be significantly higher, fines up to $500,000 can be levied, and in extreme cases the ability to process credit cards can be revoked.

The PCI DSS is a set of six control objectives, containing a total of 12 requirements:

Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security for all employees and contractors

Import/Export Encryption Restrictions

Encryption technology has been controlled by governments for a variety of reasons. The level of control varies from outright banning to little or no regulation. The reasons behind the control vary as well, and control over import and export is a vital method of maintaining a level of control over encryption technology in general. The majority of the laws and restrictions are centered on the use of cryptography, which was until recently used mainly for military purposes. The advent of commercial transactions and network communications over public networks such as the Internet has expanded the use of cryptographic methods to include securing of network communications. As is the case in most rapidly changing technologies, the practice moves faster than law. Many countries still have laws that are outmoded in terms of e-commerce and the Internet. Over time, these laws will be changed to serve these new uses in a way consistent with each country's needs.

U.S. Law

Export controls on commercial encryption products are administered by the Bureau of Industry and Security (BIS) in the U.S. Department of Commerce. The responsibility for export control and jurisdiction was transferred from the State Department to the Commerce Department in 1996 and most recently updated on June 6, 2002. Rules governing exports of encryption are found in the Export Administration Regulations (EAR), 15 C.F.R. Parts 730–774. Sections 740.13, 740.17, and 742.15 are the principal references for the export of encryption items. Needless to say, violation of encryption export regulations is a serious matter and is not an issue to take lightly.

Until recently, encryption protection was accorded the same level of attention as the export of weapons for war. With the rise of the Internet, widespread personal computing, and the need for secure connections for e-commerce, this position has relaxed somewhat. The United States updated its encryption export regulations to provide treatment consistent with regulations adopted by the EU, easing export and re-export restrictions among the 15 EU member states and Australia, the Czech Republic, Hungary, Japan, New Zealand, Norway, Poland, and Switzerland. The member nations of the Wassenaar Arrangement agreed to remove key length restrictions on encryption hardware and software that is subject to certain reasonable levels of encryption strength. This action effectively removed "mass-market" encryption products from the list of dual-use items controlled by the Wassenaar Arrangement. The U.S. encryption export control policy continues to rest on three principles: review of encryption products prior to sale, streamlined post-export reporting, and license review of certain exports of strong encryption to foreign government end users.

The current set of U.S. rules requires notification to the BIS for export in all cases, but the restrictions are significantly lessened for mass-market products as defined by all of the following:

• They are generally available to the public by being sold, without restriction, from stock at retail selling points by any of these means:
  • Over-the-counter transactions
  • Mail-order transactions
  • Electronic transactions
  • Telephone call transactions
• The cryptographic functionality cannot easily be changed by the user.
• They are designed for installation by the user without further substantial support by the supplier.
• When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with export regulations.

Mass-market commodities and software employing a key length greater than 64 bits for the symmetric algorithm must be reviewed in accordance with BIS regulations. Restrictions on exports by U.S. persons to terrorist-supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria), their nationals, and other sanctioned entities are not changed by this rule.

As you can see, this is a very technical area, with significant rules and significant penalties for infractions. The best rule is that whenever you are faced with a situation involving the export of encryption-containing software, consult an expert and get the appropriate permission, or a statement that permission is not required, first. This is one case where it is better to be safe than sorry.

Non-U.S. Laws

Export control rules for encryption technologies fall under the Wassenaar Arrangement, an international arrangement on export controls for conventional arms and dual-use goods and technologies. The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. Participating states, of which the United States is one of 33, will seek, through their own national policies and laws, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities that undermine these goals, and are not diverted to support such capabilities.

Many nations have more restrictive policies than those agreed upon as part of the Wassenaar Arrangement. Australia, New Zealand, the United States, France, and Russia go further than is required under Wassenaar and restrict general-purpose cryptographic software as dual-use goods through national laws. The Wassenaar Arrangement has had a significant impact on cryptography export controls, and there seems to be little doubt that some of the nations represented will seek to use the next round to move toward a more repressive cryptography export control regime based on their own national laws. There are ongoing campaigns to attempt to influence other members of the agreement toward less restrictive rules, and in some cases no rules. These lobbying efforts are based on e-commerce and privacy arguments.

In addition to the export controls on cryptography, significant laws prohibit the use and possession of cryptographic technology. In China, a license from the state is required for cryptographic use. In some other countries, including Russia, Pakistan, Venezuela, and Singapore, tight restrictions apply to cryptographic uses. France relinquished tight state control over the possession of the technology in 1999. One of the driving points behind France's action is the fact that more and more of the Internet technologies have built-in cryptography. Digital rights management, secure USB solutions, digital signatures, and Secure Sockets Layer (SSL)–secured connections are examples of common behind-the-scenes use of cryptographic technologies. In 2007, the United Kingdom passed a new law mandating that when requested by UK authorities, either police or military, encryption keys must be provided to permit decryption of information associated with terror or criminal investigation. Failure to deliver either the keys or decrypted data can result in an automatic prison sentence of two to five years. Although this seems reasonable, it has been argued that such actions will drive certain financial entities off shore, as the rule applies only to data housed in the UK. As for deterrence, the two-year sentence may be better than a conviction for trafficking in child pornography; hence the law seems not to be as useful as it seems at first glance.

Digital Signature Laws

On October 1, 2000, the Electronic Signatures in Global and National Commerce Act (commonly called the E-Sign law) went into effect in the United States. This law implements a simple principle: a signature, contract, or other record may not be denied legal effect, validity, or enforceability solely because it is in electronic form. Another source of law on digital signatures is the National Conference of Commissioners on Uniform State Laws' Uniform Electronic Transactions Act (UETA), which has been adopted in more than 20 states. A number of states have adopted a nonuniform version of UETA, and the precise relationship between the federal E-Sign law and UETA has yet to be resolved and will most likely be worked out through litigation in the courts over complex technical issues.

Many states have adopted digital signature laws, the first being Utah in 1995. The Utah law, which has been used as a model by several other states, confirms the legal status of digital signatures as valid signatures, provides for use of state-licensed certification authorities, endorses the use of public key encryption technology, and authorizes online databases called repositories, where public keys would be available. The Utah act specifies a negligence standard regarding private encryption keys and places no limit on liability. Thus, if a criminal uses a consumer's private key to commit fraud, the consumer is financially responsible for that fraud, unless the consumer can prove that he or she used reasonable care in safeguarding the private key. Consumers assume a duty of care when they adopt the use of digital signatures for their transactions, not unlike the care required for PINs on debit cards.

From a practical standpoint, the existence of the E-Sign law and UETA has enabled e-commerce transactions to proceed, and the resolution of the technical details via court actions will probably have little effect on consumers. It is worth noting that consumers will have to exercise reasonable care over their signature keys, much as they must over PINs and other private numbers. For the most part, software will handle these issues for the typical user.

Non-U.S. Signature Laws

The United Nations has a mandate to further harmonize international trade. With this in mind, the UN General Assembly adopted the United Nations Commission on International Trade Law (UNCITRAL) Model Law on E-Commerce. To implement specific technical aspects of this model law, more work on electronic signatures was needed. The General Assembly then adopted the UNCITRAL Model Law on Electronic Signatures. These model laws have become the basis for many national and international efforts in this area.

Canadian Laws

Canada was an early leader in the use of digital signatures. Singapore, Canada, and the U.S. state of Pennsylvania were the first governments to have digitally signed an interstate contract. This contract, digitally signed in 1998, concerned the establishment of a Global Learning Consortium between the three governments (source: Krypto-Digest Vol. 1 No. 749, June 11, 1998). Canada went on to adopt a national model bill for electronic signatures to promote e-commerce. This bill, the Uniform Electronic Commerce Act (UECA), allows the use of electronic signatures in communications with the government. The law contains general provisions for the equivalence between traditional and electronic signatures (source: BNA ECLR, May 27, 1998, p. 700) and is modeled after the UNCITRAL Model Law on E-Commerce (source: BNA ECLR, September 13, 2000, p. 918). The UECA is similar to Bill C-54 in authorizing governments to use electronic technology to deliver services and communicate with citizens.

Individual Canadian provinces have passed similar legislation defining digital signature provisions for e-commerce and government use. These laws are modeled after the UNCITRAL Model Law on E-Commerce to enable widespread use of e-commerce transactions. These laws have also modified the methods of interactions between the citizens and the government, enabling electronic communication in addition to previous forms.

European Laws

The European Commission adopted a Communication on Digital Signatures and Encryption: "Towards a European Framework for Digital Signatures and Encryption." This communication states that a common framework at the EU level is urgently needed to stimulate "the free circulation of digital signature related products and services within the Internal Market" and "the development of new economic activities linked to electronic commerce" as well as "to facilitate the use of digital signatures across national borders." Community legislation should address common legal requirements for certificate authorities, legal recognition of digital signatures, and international cooperation. This communication was debated, and a common position was presented to the member nations for incorporation into national laws. On May 4, 2000, the European Parliament and Council approved the common position adopted by the council. In June 2000, the final version, Directive 2000/31/EC, was adopted. The directive is now being implemented by member states. To implement the articles contained in the directive, member states will have to remove barriers, such as legal form requirements, to electronic contracting, leading to uniform digital signature laws across the EU.

Digital Rights Management

The ability to make flawless copies of digital media has led to another "new" legal issue. For years, the music and video industry has relied on technology to protect its rights with respect to intellectual property. It has been illegal for decades to copy information, such as music and videos, protected by copyright. Even with the law, for years people have made copies of music and videos to share, violating the law. This had not had a significant economic impact in the eyes of the industry, as the copies made were of lesser quality and people would pay for original quality in sufficient numbers to keep the economics of the industry healthy. As such, legal action against piracy was typically limited to large-scale duplication and sale efforts, commonly performed overseas and subsequently shipped to the United States as counterfeit items. The ability of anyone with a PC to make a perfect copy of digital media has led to industry fears that individual piracy actions could cause major economic issues in the recording industry. To protect
the rights of the recording artists and the economic health of the industry as a whole, the music and video recording industry lobbied the U.S Congress for protection, which was granted under the Digital Millennium Copyright Act฀(DMCA)฀on฀October฀20,฀1998.฀This฀law฀states฀the฀following:฀“To฀amend฀title฀17,฀ United States Code, to implement the World Intellectual Property Organization Copyright Treaty and Performances and Phonograms Treaty, and for other purposes.” Most of this law was well crafted, but one section has drawn considerable comment and criticism A section of the law makes it illegal to develop, produce, and trade any device or mechanism designed to circumvent technological controls used in copy protection Although on the surface this seems a reasonable requirement, the methods used in most cases are cryptographic in nature, and this provision had the ability to eliminate and/or severely limit research into encryption and the strengths and weaknesses of specific methods A provision, Section 1201(g) of DMCA, was included to provide for specific relief and allow exemptions for legitimate research With this section, the law garnered industry support from several organizations such as the Software & Information฀ Industry฀ Association฀ (SIIA),฀ Recording฀ Industry฀ Association฀ of฀ America฀ (RIAA),฀ and Motion Picture Association of America (MPAA) Based on these inputs, the U.S Copyright Office issued a report supporting the DMCA in a required report to the Congress.฀This฀seemed฀to฀settle฀the฀issues฀until฀the฀RIAA฀threatened฀to฀sue฀an฀academic฀research team headed by Professor Felten from Princeton University The issue behind the suit was the potential publication of results demonstrating that several copy protection methods were flawed in their application This research came in response to an industry-sponsored challenge to break the methods After breaking the methods developed and published by the industry, Felten and his team prepared to publish their 
findings The฀RIAA฀objected฀and฀threatened฀a฀suit฀under฀provisions฀of฀DMCA.฀After฀several฀years฀ of litigation and support of Felten by the Electronic Freedom Foundation (EFF), the case was eventually resolved in the academic team’s favor, although no case law to prevent further industry-led threats was developed This might seem a remote issue, but industries have been subsequently using the DMCA to protect their technologically inspired copy protection schemes for such CompTIA Security+ All-in-One Exam Guide, 3rd Edition 66 products as laser-toner cartridges and garage-door openers It is doubtful that the U.S Congress intended the law to have such effects, yet until these issues are resolved in court, the DMCA may have wide-reaching implications The act has specific exemptions for research provided four elements are satisfied: (A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work; (B) such act is necessary to conduct such encryption research; (C) the person made a good faith effort to obtain authorization before the circumvention; and (D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986 Additional exemptions are scattered through the law, although many were pasted in during various deliberations on the act and not make sense when the act is viewed as a whole The effect of these exemptions upon people in the software and technology industry is not clear, and until restrained by case law, the DMCA gives large firms with deep legal pockets a potent weapon to use against parties who disclose flaws in encryption technologies used in various products Actions have already been initiated against individuals and organizations who have reported security holes in products This will be an active area of legal contention as the real 
issues behind digital rights management have yet to be truly resolved.

Privacy

The advent of interconnected computer systems has enabled businesses and governments to share and integrate information. This has led to a resurgence in the importance of privacy laws worldwide. Governments in Europe and the United States have taken different approaches in attempts to control privacy via legislation. Many social and philosophical differences have led to these differences, but as the world becomes interconnected, understanding and resolving them will be important.

Privacy can be defined as the power to control what others know about you and what they can do with this information. In the computer age, personal information forms the basis for many decisions, from credit card transactions to purchase goods, to the ability to buy an airplane ticket and fly domestically. Although it is theoretically possible to live an almost anonymous existence today, the price for doing so is high—from higher prices at the grocery store (no frequent shopper discount), to higher credit costs, to challenges with air travel, opening bank accounts, and seeking employment.

U.S. Privacy Laws

Identity privacy and the establishment of identity theft crimes are governed by the Identity Theft and Assumption Deterrence Act, which makes it a violation of federal law to knowingly use another’s identity. The collection of information necessary to this is also governed by GLB, which makes it illegal for someone to gather identity information on another under false pretenses. In the education area, privacy laws have existed for years. Student records have significant protections under the Family Education Records and Privacy Act of 1974, including significant restrictions on information sharing. These records operate on an opt-in basis, as the student must approve the disclosure of information prior to the actual disclosure.

Health Insurance Portability & Accountability Act (HIPAA)

Medical and health information also has privacy implications, which is why the U.S. Congress enacted the Health Insurance Portability & Accountability Act (HIPAA) of 1996. HIPAA calls for sweeping changes in the way health and medical data is stored, exchanged, and used. From a privacy perspective, significant restrictions of data transfers to ensure privacy are included in HIPAA, including security standards and electronic signature provisions. HIPAA security standards mandate a uniform level of protections regarding all health information that pertains to an individual and is housed or transmitted electronically. The standard mandates safeguards for physical storage, maintenance, transmission, and access to individuals’ health information. HIPAA mandates that organizations that use electronic signatures will have to meet standards ensuring information integrity, signer authentication, and nonrepudiation. These standards leave to industry the task of specifying the technical solutions and mandate compliance only to significant levels of protection as provided by the rules being released by industry.

Gramm-Leach-Bliley Act (GLB)

In the financial arena, GLB introduced the U.S. consumer to privacy notices, where firms must disclose what they collect, how they protect the information, and with whom they will share it. Annual notices are required as well as the option for consumers to opt out of the data sharing. The primary concept behind U.S. privacy laws in the financial arena is the notion that consumers be allowed to opt out. This was strengthened in GLB to include specific wording and notifications as well as the appointment of a privacy officer for the firm.

California Senate Bill 1386 (SB 1386)

California Senate Bill 1386 (SB 1386) was a landmark law concerning information disclosures. It mandates that Californians be notified whenever personally identifiable information is lost or disclosed. Since the passage of SB 1386, numerous other states have modeled legislation on this bill, and although national legislation has been blocked by political procedural moves, it will eventually be passed.

European Laws

The EU has developed a comprehensive concept of privacy administered via a set of statutes known as data protection laws. These privacy statutes cover all personal data, whether collected and used by government or private firms. These laws are administered by state and national data protection agencies in each country. With the advent of the EU, this common comprehensiveness stands in distinct contrast to the patchwork of laws in the United States. Privacy laws in Europe are built around the concept that privacy is a fundamental human right that demands protection through government administration. When the EU was formed, many laws were harmonized across the 15 member nations, and data privacy was among those standardized. One important aspect of this harmonization is the Data Protection Directive, adopted by EU members, which has a provision allowing the European Commission to block transfers of personal data to any country outside the EU that has been determined to lack adequate data protection policies. The differences in approach between the U.S. and the EU with respect to data protection led to the EU issuing expressions of concern about the adequacy of data protection in the U.S., a move that could pave the way to the blocking of data transfers. After negotiation, it was determined that U.S. organizations that voluntarily joined an arrangement known as Safe Harbor would be considered adequate in terms of data protection. Safe Harbor is a mechanism for self-regulation that can be enforced through trade practice law via the FTC. A business joining the Safe Harbor Consortium must make commitments to abide by specific guidelines concerning privacy. Safe Harbor members also agree to be governed by certain self-enforced regulatory mechanisms, backed ultimately by FTC action.

Another major difference between U.S. and European regulation lies in where the right of control is exercised. In European directives, the right of control over privacy is balanced in such a way as to favor consumers. Rather than having to pay to opt out, as in unlisted phone numbers, consumers have such services for free. Rather than having to opt out at all, the default privacy setting is deemed to be the highest level of data privacy, and users have to opt in to share information. This default setting is a cornerstone of the EU Data Protection Directive and is enforced through national laws in all member nations.

Ethics

Ethics has been a subject of study by philosophers for centuries. It might be surprising to note that ethics associated with computer systems has a history dating back to the beginning of the computing age. The first examination of cybercrime occurred in the late 1960s, when the professional conduct of computer professionals was examined with respect to their activities in the workplace. If we consider ethical behavior to be consistent with that of existing social norms, it can be fairly easy to see what is considered right and wrong. But with the globalization of commerce, and the globalization of communications via the Internet, questions are raised about what is the appropriate social norm. Cultural issues can have wide-ranging effects on this, and although the idea of an appropriate code of conduct for the world is appealing, it is as yet an unachieved objective. The issue of globalization has significant local effects. If a user wishes to express free speech via the Internet, is this protected behavior or criminal behavior?
Different locales have different sets of laws to deal with items such as free speech, with some recognizing the right, while others prohibit it. With the globalization of business, what are the appropriate controls for intellectual property when some regions support this right, while others do not even recognize intellectual property as something of value, but rather something owned by the collective of society? The challenge in today’s business environment is to establish and communicate a code of ethics so that everyone associated with an enterprise can understand the standards of expected performance. A great source of background information on all things associated with computer security, the SANS Institute, published a set of IT ethical guidelines in April 2004: see www.sans.org/resources/ethics.php?ref=3781

SANS Institute IT Code of Ethics
Version 1.0 - April 24, 2004
The SANS Institute

I will strive to know myself and be honest about my capability.

• I will strive for technical excellence in the IT profession by maintaining and enhancing my own knowledge and skills. I acknowledge that there are many free resources available on the Internet and affordable books and that the lack of my employer’s training budget is not an excuse nor limits my ability to stay current in IT.
• When possible I will demonstrate my performance capability with my skills via projects, leadership, and/or accredited educational programs and will encourage others to do so as well.
• I will not hesitate to seek assistance or guidance when faced with a task beyond my abilities or experience. I will embrace other professionals’ advice and learn from their experiences and mistakes. I will treat this as an opportunity to learn new techniques and approaches. When the situation arises that my assistance is called upon, I will respond willingly to share my knowledge with others.
• I will strive to convey any knowledge (specialist or otherwise) that I have gained to others so everyone gains the benefit of each other’s knowledge.
• I will teach the willing and empower others with Industry Best Practices (IBP). I will offer my knowledge to show others how to become security professionals in their own right.

I will strive to be perceived as and be an honest and trustworthy employee.

• I will not advance private interests at the expense of end users, colleagues, or my employer.
• I will not abuse my power. I will use my technical knowledge, user rights, and permissions only to fulfill my responsibilities to my employer.
• I will avoid and be alert to any circumstances or actions that might lead to conflicts of interest or the perception of conflicts of interest. If such circumstance occurs, I will notify my employer or business partners.
• I will not steal property, time or resources.
• I will reject bribery or kickbacks and will report such illegal activity.
• I will report on the illegal activities of myself and others without respect to the punishments involved. I will not tolerate those who lie, steal, or cheat as a means of success in IT. I will conduct my business in a manner that assures the IT profession is considered one of integrity and professionalism.
• I will not injure others, their property, reputation, or employment by false or malicious action.
• I will not use availability and access to information for personal gains through corporate espionage.
• I distinguish between advocacy and engineering. I will not present analysis and opinion as fact.
• I will adhere to Industry Best Practices (IBP) for system design, rollout, hardening and testing.
• I am obligated to report all system vulnerabilities that might result in significant damage.
• I respect intellectual property and will be careful to give credit for other’s work. I will never steal or misuse copyrighted, patented material, trade secrets or any other intangible asset.
• I will accurately document my setup procedures and any modifications I have done to equipment. This will ensure that others will be informed of procedures and changes I’ve made.

I respect privacy and confidentiality.

• I respect the privacy of my co-workers’ information. I will not peruse or examine their information including data, files, records, or network traffic except as defined by the appointed roles, the organization’s acceptable use policy, as approved by Human Resources, and without the permission of the end user.
• I will obtain permission before probing systems on a network for vulnerabilities.
• I respect the right to confidentiality with my employers, clients, and users except as dictated by applicable law.

I respect human dignity.

• I treasure and will defend equality, justice and respect for others.
• I will not participate in any form of discrimination, whether due to race, color, national origin, ancestry, sex, sexual orientation, gender/sexual identity or expression, marital status, creed, religion, age, disability, veteran’s status, or political ideology.

© 2000-2008 The SANS™ Institute. Reprinted with permission.

Chapter Review

From a system administrator’s position, complying with cyber-laws is fairly easy. Add warning banners to all systems that enable consent to monitoring as a condition of access. This will protect you and the firm during normal routine operation of the system. Safeguard all personal information obtained in the course of your duties and do not obtain unnecessary information merely because you can get it. With respect to the various privacy statutes that are industry specific—GLB, FCRA, ECPA, FERPA, HIPAA—refer to your own institution’s guidelines and policies. When confronted with aspects of the U.S. Patriot Act, refer to your company’s general counsel, for although the act may absolve you and the firm of responsibility, this act’s implications with respect to existing law are still unknown. And in the event that your system is trespassed upon (hacked), you can get federal law enforcement assistance in investigating and prosecuting the perpetrators.

Questions

To further help you prepare for the Security+ exam, and to test your level of preparedness, answer the following questions and then check your answers against the list of correct answers at the end of the chapter.

1. The VP of IS wants to monitor user actions on the company’s intranet. What is the best method of obtaining the proper permissions?
A. A consent banner displayed upon login
B. Written permission from a company officer
C. Nothing, because the system belongs to the company
D. Written permission from the user

2. Your Social Security number and other associated facts kept by your bank are protected by what law against disclosure?
A. The Social Security Act of 1934
B. The Patriot Act of 2001
C. The Gramm-Leach-Bliley Act
D. HIPAA

3. Breaking into another computer system in the United States, even if you do not cause any damage, is regulated by what laws?
A. State law, as the damage is minimal
B. Federal law under the Identity Theft and Assumption Deterrence Act
C. Federal law under Electronic Communications Privacy Act (ECPA) of 1986
D. Federal law under the Patriot Act of 2001

4. Export of encryption programs is regulated by the
A. U.S. State Department
B. U.S. Commerce Department
C. U.S. Department of Defense
D. National Security Agency

5. For the FBI to install and operate Carnivore on an ISP’s network, what is required?
A. A court order specifying items being searched for
B. An official request from the FBI
C. An impact statement to assess recoverable costs to the ISP
D. A written request from an ISP to investigate a computer trespass incident

6. True or false: Digital signatures are equivalent to notarized signatures for all transactions in the United States.
A. True for all transactions in which both parties agree to use digital signatures
B. True only for non-real property transactions
C. True only where governed by specific state statute
D. False, as the necessary laws have not yet passed

7. The primary factor(s) behind data sharing compliance between U.S. and European companies is/are
A. Safe Harbor Provision
B. European Data Privacy Laws
C. U.S. FTC enforcement actions
D. All of the above

8. True or false: Writing viruses and releasing them across the Internet is a violation of law.
A. Always true. All countries have reciprocal agreements under international law.
B. Partially true. Depends on laws in country of origin.
C. False. Computer security laws do not cross international boundaries.
D. Partially true. Depends on the specific countries involved, the author of the virus, and the recipient.

9. Publication of flaws in encryption used for copy protection is a potential violation of
A. HIPAA
B. U.S. Commerce Department regulations
C. DMCA
D. National Security Agency regulations

10. Violation of DMCA can result in
A. Civil fine
B. Jail time
C. Activity subject to legal injunctions
D. All of the above

Answers

1. A. A consent banner consenting to monitoring resolves issues of monitoring with respect to the Electronic Communications Privacy Act (ECPA) of 1986.
2. C. The Gramm-Leach-Bliley Act governs the sharing of privacy information with respect to financial institutions.
3. D. The Patriot Act of 2001 made computer trespass a felony.
4. B. Export controls on commercial encryption products are administered by the Bureau of Industry and Security (BIS) in the U.S. Department of Commerce.
5. B. The Patriot Act of 2001 mandated ISP compliance with the FBI Carnivore program.
6. A. Electronic digital signatures are considered valid for transactions in the United States since the passing of the Electronic Signatures in Global and National Commerce Act (E-Sign) in 2001.
7. D. All of the above. The primary driver is European data protection laws as enforced on U.S. firms by the FTC through the Safe Harbor provision mechanism.
8. D. This is partially true, for not all countries share reciprocal laws. Some common laws and reciprocity issues exist in certain international communities—for example, the European Union—so some cross-border legal issues have been resolved.
9. C. This is a potential violation of the Digital Millennium Copyright Act of 1998 unless an exemption provision is met.
10. D. All of the above have been attributed to DMCA, including the jailing of a Russian programmer who came to the United States to speak at a security conference. See w2.eff.org/IP/DMCA/?f=20010830_eff_dmca_op-ed.html

Posted: 18/04/2019, 13:45
