III. ETHICAL ISSUES
The foundations of all secure systems are the moral
principles and practices and the professional standards of all employees of
the organization, i.e., while people are part of the solution, they are also
most of the problem. The following issues are examples of security problems
which an organization may have to deal with:
A.
Ethics and Responsible Decision-Making
The foundation of all security systems is formed by
moral principles and practices of those people involved and the standards of the
profession. That is, while people are part of the solution, they are also most
the problem. Security problems with which an organization may have to deal
include: responsible decision-making, confidentiality, privacy, piracy, fraud
& misuse, liability, copyright, trade secrets, and sabotage. It is easy to
sensationalize these topics with real horror stories; it is more difficult to
deal with the underlying ethical issues involved.
The student should be made aware of his individual
responsibility in making ethical decisions associated with information
security.
B.
Confidentiality & Privacy
Computers can be used symbolically to intimidate,
deceive or defraud victims. Attorneys, government agencies and businesses
increasingly use mounds of computer generated data quite legally to confound
their audiences. Criminals also find useful phony invoices, bills and checks
generated by the computer. The computer lends an ideal cloak for carrying out
criminal acts by imparting a clean quality to the crime.
The computer has made the invasion of our privacy a
great deal easier and potentially more dangerous than before the advent of the
computer. A wide range of data are collected and stored in computerized files
related to individuals. These files hold banking information, credit
information, organizational fund raising, opinion polls, shop at home services,
driver license data, arrest records and medical records. The potential threats
to privacy include the improper commercial use of computerized data, breaches of
confidentiality by releasing confidential data to third parties, and the release
of records to governmental agencies for investigative purposes.
The basic law that protects our privacy is the
Fourth Amendment to the United States Constitution, which mandates that people
have a right to be secure in homes and against unreasonable search and seizure.
In addition, many laws have been enacted to protect the individual from having
damaging information stored in computerized databases.
C.
Piracy
Microcomputer software presents a particular
problem since many individuals are involved in the use of this software.
Section 117 of the copyright laws, specifically the 1980 amendment, deals with a
law that addresses the problem of backup copies of software. This section
states that users have the right to create backup copies of their software.
That is, users may legally create a backup copy of software if it is to be held
in archive. Many software companies provide a free backup copy to users that
precludes the need for to users purchase software intended to defeat copy
protection systems and subsequently create copies of their software. If the
software purchased is actually leased, you may in fact not even be able to make
backup copies of the software. The distinction between leasing and buying is
contained within the software documentation. The copyright statement is also
contained in the software documentation. The copyright laws regarding leased
material state that the leasor may say what the leaseholder can and cannot do
with the software. So it is entirely up to the owner of the software as to
whether or not users may make backup copies of the software. At a time when
federal laws relating to copyright protection are evolving, several states are
considering legislation that would bar unauthorized duplication of software.
The software industry is prepared to do battle
against software piracy. The courts are dealing with an increasing number of
lawsuits concerning the protection of software. Large software publishers have
established the Software Protection Fund to raise between $500,000 and $1
million to promote anti-piracy sentiment and to develop additional protection
devices.
D.
Fraud & Misuse
The computer can create a unique environment in
which unauthorized activities can occur. Crimes in this category have many
traditional names including theft, fraud, embezzlement, extortion, etc. Computer
related fraud includes the introduction of fraudulent records into a computer
system, theft of money by electronic means, theft of financial instruments,
theft of services, and theft of valuable data.
E.
Liability
Under the UCC, an express warranty is an
affirmation or promise of product quality to the buyer and becomes a part of the
basis of the bargain. Promises and affirmations made by the software developer
to the user about the nature and quality of the program can also be classified
as an express warranty. Programmers or retailers possess the right to define
express warranties. Thus, they have to be realistic when they state any claims
and predictions about the capabilities, quality and nature of their software
or hardware. They should consider the legal aspects of their affirmative
promises, their product demonstrations, and their product description. Every
word they say may be as legally effective as though stated in writing. Thus, to
protect against liability, all agreements should be in writing. A disclaimer
of express warranties can free a supplier from being held responsible for any
informal, hypothetical statements or predictions made during the negotiation
stages.
Implied warranties are also defined in the United
States by the UCC. These are warranties that are provided automatically in every
sale. These warranties need not be in writing nor do they need to be verbally
stated. They insure that good title will pass to the buyer, that the product is
fit for the purpose sold, and that it is fit for the ordinary purposes for which
similar goods are used (merchantability)..
F.
Patent and Copyright Law
A patent can protect the unique and secret aspect
of an idea. It is very difficult to obtain a patent compared to a copyright
(please see discussion below). With computer software, complete disclosure is
required; the patent holder must disclose the complete details of a program to
allow a skilled programmer to build the program. Moreover, a United States
software patent will be unenforceable in most other countries.
Copyright law provides a very significant legal
tool for use in protecting computer software, both before a security breach and
certainly after a security breach. This type of breach could deal with
misappropriation of data, computer programs, documentation, or similar material.
For this reason the information security specialist will want to be familiar
with basic concepts of to copyright law.
The United States, United Kingdom, Australia, and
other countries have now amended or revised their copyright legislation to
provide explicit laws to protect computer program. Copyright law in the United
States is governed by the Copyright Act of 1976 that preempted the field from
the states. Formerly, the United States had a dual state and federal system. In
other countries, such as Canada, the courts have held that the un-revised
Copyright Act is broad enough to protect computer programs. In many of these
countries the reform of copyright law is actively underway.
G.
Trade Secrets
A trade secret protects something of value and
usefulness. This law protects the unique and secret aspects of ideas, known only
to the discoverer or his confidants. Once disclosed the trade secret is lost as
such and can only be protected under one of the following laws. The
application of trade secret law is very important in the computer field, where
even a slight head start in the development of software or hardware can provide
a significant competitive advantage.
H.
Sabotage
The computer can be the object of attack in
computer crimes such as the unauthorized use of computer facilities, alternation
or destruction of information, data file sabotage and vandalism against a
computer system. Computers have been shot, stabbed, short-circuited and bombed.
It is easy to sensationalize these topics with real
horror stories; it is more difficult to deal with the underlying ethical issues
involved.