III. ETHICAL ISSUES

The foundations of all secure systems are the moral principles and practices and the professional standards of all employ­ees of the organization, i.e., while people are part of the solution, they are also most of the problem. The following issues are examples of security problems which an organization may have to deal with:

A. Ethics and Responsible Decision-Making

The foundation of all security systems is formed by moral principles and practices of those people involved and the standards of the profession. That is, while people are part of the solution, they are also most the problem. Security problems with which an organization may have to deal include: responsible decision-making, confidentiality, pri­vacy, piracy, fraud & misuse, liability, copyright, trade secrets, and sabotage. It is easy to sensationalize these topics with real horror stories; it is more difficult to deal with the underlying ethical issues involved.

The student should be made aware of his individual responsibility in making ethical decisions associated with infor­mation security.

B. Confidentiality & Privacy

Computers can be used symbolically to intimidate, deceive or defraud victims. Attorneys, government agencies and businesses increasingly use mounds of computer generated data quite legally to confound their audiences. Criminals also find useful phony invoices, bills and checks generated by the computer. The computer lends an ideal cloak for carrying out criminal acts by imparting a clean quality to the crime.

The computer has made the invasion of our privacy a great deal easier and potentially more dangerous than before the advent of the computer. A wide range of data are collected and stored in computerized files related to individu­als. These files hold banking information, credit information, organizational fund raising, opinion polls, shop at home services, driver license data, arrest records and medical records. The potential threats to privacy include the improper commercial use of computerized data, breaches of confidentiality by releasing confidential data to third parties, and the release of records to governmental agencies for investigative purposes.

The basic law that protects our privacy is the Fourth Amendment to the United States Constitution, which mandates that people have a right to be secure in homes and against unreasonable search and seizure. In addition, many laws have been enacted to protect the individual from having damaging information stored in computerized databases.

C. Piracy

Microcomputer software presents a particular problem since many individuals are involved in the use of this soft­ware. Section 117 of the copyright laws, specifically the 1980 amendment, deals with a law that addresses the prob­lem of backup copies of software. This section states that users have the right to create backup copies of their soft­ware. That is, users may legally create a backup copy of software if it is to be held in archive. Many software com­panies provide a free backup copy to users that precludes the need for to users purchase software intended to defeat copy protection systems and subsequently create copies of their software. If the software purchased is actually leased, you may in fact not even be able to make backup copies of the software. The distinction between leasing and buying is contained within the software documentation. The copyright statement is also contained in the software documentation. The copyright laws regarding leased material state that the leasor may say what the leaseholder can and cannot do with the software. So it is entirely up to the owner of the software as to whether or not users may make backup copies of the software. At a time when federal laws relating to copyright protection are evolving, sev­eral states are considering legislation that would bar unauthorized duplication of software.

The software industry is prepared to do battle against software piracy. The courts are dealing with an increasing number of lawsuits concerning the protection of software. Large software publishers have established the Software Protection Fund to raise between $500,000 and $1 million to promote anti-piracy sentiment and to develop addi­tional protection devices.

D. Fraud & Misuse

The computer can create a unique environment in which unauthorized activities can occur. Crimes in this category have many traditional names including theft, fraud, embezzlement, extortion, etc. Computer related fraud includes the introduction of fraudulent records into a computer system, theft of money by electronic means, theft of financial instruments, theft of services, and theft of valuable data.

E. Liability

Under the UCC, an express warranty is an affirmation or promise of product quality to the buyer and becomes a part of the basis of the bargain. Promises and affirmations made by the software developer to the user about the nature and quality of the program can also be classified as an express warranty. Programmers or retailers possess the right to define express warranties. Thus, they have to be realistic when they state any claims and predictions about the ca­pabilities, quality and nature of their software or hardware. They should consider the legal aspects of their affirma­tive promises, their product demonstrations, and their product description. Every word they say may be as legally effective as though stated in writing. Thus, to protect against liability, all agreements should be in writing. A dis­claimer of express warranties can free a supplier from being held responsible for any informal, hypothetical state­ments or predictions made during the negotiation stages.

Implied warranties are also defined in the United States by the UCC. These are warranties that are provided automatically in every sale. These warranties need not be in writing nor do they need to be verbally stated. They insure that good title will pass to the buyer, that the product is fit for the purpose sold, and that it is fit for the ordinary purposes for which similar goods are used (merchantability)..

F. Patent and Copyright Law

A patent can protect the unique and secret aspect of an idea. It is very difficult to obtain a patent compared to a copyright (please see discussion below). With computer software, complete disclosure is required; the patent holder must disclose the complete details of a program to allow a skilled programmer to build the program. Moreover, a United States software patent will be unenforceable in most other countries.

Copyright law provides a very significant legal tool for use in protecting computer software, both before a security breach and certainly after a security breach. This type of breach could deal with misappropriation of data, computer programs, documentation, or similar material. For this reason the information security specialist will want to be fa­miliar with basic concepts of to copyright law.

The United States, United Kingdom, Australia, and other countries have now amended or revised their copy­right legislation to provide explicit laws to protect computer program. Copyright law in the United States is governed by the Copyright Act of 1976 that preempted the field from the states. Formerly, the United States had a dual state and federal system. In other countries, such as Canada, the courts have held that the un-revised Copyright Act is broad enough to protect computer programs. In many of these countries the reform of copyright law is actively underway.

G. Trade Secrets

A trade secret protects something of value and usefulness. This law protects the unique and secret aspects of ideas, known only to the discoverer or his confidants. Once disclosed the trade secret is lost as such and can only be pro­tected under one of the following laws. The application of trade secret law is very important in the computer field, where even a slight head start in the development of software or hardware can provide a significant competitive ad­vantage.

H. Sabotage

The computer can be the object of attack in computer crimes such as the unauthorized use of computer facilities, al­ternation or destruction of information, data file sabotage and vandalism against a computer system. Computers have been shot, stabbed, short-circuited and bombed.

It is easy to sensationalize these topics with real horror stories; it is more difficult to deal with the underlying ethical issues involved.