II.    Laws as Tools for Computer Security

 

  1. Privacy Laws and Legislation

    Loss of privacy is a danger that continues to grow with the proliferation of computerized data banks. The computer’s ability to collect, store and manipulate vast amounts of data, and its ability to retrieve selected items from these data banks, almost instantaneously allows the collection and distribution of personal information that can affect one’s pri¬vacy. One of the primary defenses against the loss of individual privacy is the enactment of legislation by national and state legislatures. The basic concern of privacy legislation has been the control and protection of information on or about individuals.

    Privacy protection laws have been passed in most developed countries. Early in 1970, the U. S. introduced the Fair Credit and Reporting Act that governs the processing, access, and disclosure of credit information. The U. S. Privacy Act of 1974 and the Canadian Privacy Act of 1975 are examples of laws that mandate protection of individual pri¬vacy. Other countries also have enacted laws related to individual privacy including the Swedish Data Act of 1973, the German Federal Data Protection Act of 1977, the French Act on Data Processing of 1978, the Danish Acts on Private Registers and the Austrian Federal Data Protection Act of 1978. At the international level, the OECD Transborder Data Flow Guidelines address the topic of the flow of information across international borders, perhaps to jurisdictions where privacy laws may differ from the originating venue.

  2. Intellectual Property Laws

    Intellectual property relates to secrets, names, ideas and other similar concepts. The creator of this type of property -- whether it is a book, a play, a program, or a musical composition -- has certain rights to this property. Four bodies of intellectual property law protect different aspect of these ideas and their practical applications.

    1. Trade Secrets Law

      A trade secret protects something of value and usefulness. This law protects the unique and secret aspects of ideas, known only to the discoverer or his confidants. Once disclosed the trade secret is lost as such and can only be protected under one of the following laws. The application of trade secret law is very important in the computer field, where even a slight head start in the development of software or hardware can provide a signifi¬cant competitive advantage.

    2. Patent Law

      A patent can protect the unique and secret aspect of an idea. It is very difficult to obtain a patent compared to a copyright (please see discussion below). With computer software, complete disclosure is required; the patent holder must disclose the complete details of a program to allow a skilled programmer to build the program. Moreover, a United States software patent will be unenforceable in most other countries.

    3. Copyright Law

      Copyright law provides a very significant legal tool for use in protecting computer software, both before a secu¬rity breach and certainly after a security breach. This type of breach could deal with misappropriation of data, computer programs, documentation, or similar material. For this reason the information security specialist will want to be familiar with basic concepts of to copyright law.

      The United States, United Kingdom, Australia, and other countries have now amended or revised their copyright legislation to provide explicit copyright laws to protect computer program. Copyright law in the United States is governed by the Copyright Act of 1976 that preempted the field from the states. Formerly, the United States had a dual state and federal system. In other countries, such as Canada, the courts have held that the un-revised Copyright Act is broad enough to protect computer programs.

    4. Trademark Law

      The name given to the software is often as important as the protection of the software itself and must be pro¬tected. Trade names for well known products have gained great value as their commercial recognition has in¬creased. Trademark laws exist under both state common laws and federal status. Trademark rights arise upon ‘first usage’ of the trademark in commerce.

      Trademarks should be used to protect the names of any software packages. Simply using a trademark gives one common-law rights to continue using it. If the trademark is registered with the Patent and Trademark Office the holder has the rights to use the trademark anywhere business is conducted.

  3. Federal Laws

    Federal laws, such as the Privacy Act of 1974 and the Foreign Corrupt Practices Act, were used to combat computer crime during the late 1970’s and early 1980’s. The Ribicoff Computer Crime Bill of 1978 was used as a basis for many of the first state computer crime laws as well as Federal legislation. During 1984, Congress enacted the first federal provisions, within several bills, specifically outlawing certain types of computer abuse. These provisions prohibited the unauthorized use of computers in three areas:

    • They made it a felony to access a computer to obtain classified military or foreign policy information.
    • They prohibited access to a computer to obtain financial or credit information without authorization.
    • They made it a misdemeanor to access a federal computer to modify or destroy data.

    During 1986, the 99th Congress allowed for modification of Title 18 of the United States Code, which includes Section 1030 (fraud and related activity in connection with computers). The Federal Computer Crime Statute, as mentioned above, was put in place in 1984 and provided criminal penalties only for stealing national security related data or for trespassing into government computers and computerized information of individuals’ credit histories. The 1986 modifications of this statute made it clear that acts of simple trespass into government computers are punish¬able, authorized prosecution of those who traffic in compute passwords and strengthened the 1984 law by expanding protected data beyond federal databases to those holding government - related data such as banks or other financial institutions.

    The Computer Security Act of 1987 was the primary computer security legislation of the 100th Congress. The legis¬lation provides for a computer standards program within the National Bureau of Standards (now the National Institute of Standards and Technology [NIST]). This act states that NIST shall be responsible for developing stan¬dards and guidelines related to security and privacy for federal computer systems that store and process “sensitive” information. NIST is also tasked with issuing guidelines for training awareness, that must be followed by federal agencies. While NIST will set the standards for the area of “sensitive” information, the Department of Defense will retain jurisdiction over systems with classified information that require protection under Executive Order 12356.

  4. State Statutes

    The first ten states to adopt computer crime legislation were Arizona, California, Colorado, Florida, Illinois, Michigan, New Mexico, North Carolina, Rhode Island and Utah. Today some 48 states have passed computer crime legislation. These laws usually define computer crime in great detail including such terms as ‘theft of services’, ‘criminal use of the computer’, ‘deceiving a machine’, ‘computer fraud’, ‘computer program’, ‘computer network’, etc. Many of the state laws also specify the maximum fines and punishments. For example California’s computer crime law specifies a maximum $10,000 fine for accessing a computer for extortion. The Louisiana law specifies that an offender may be fined not more than $10,000 and imprisoned for not more than five years.

    The Maryland computer crime law concentrates on access to a computer, computer network, computer software, computer control language, and computer databases. Fines are not to exceed $1,000 and imprisonment not to exceed three years. It appears that the Maryland legislature does not think unauthorized computer access is a very serious matter. Damage or destruction of hardware is designated as an offense in the Minnesota law. Maximum fines are specified at not more than $10,000. The Montana law attempts to define the value of the electronic impulses, elec¬tronically produced data, computer software. Denial of computer use is defined as an unlawful act in the Nevada law. New Jersey law defines alteration and destruction of data as a crime. Extortion is mentioned in the North Carolina law. The Oklahoma law specifies a maximum fine of $100,000. Washington law uses the term computer trespass rather than access. The theft of trade secrets and intellectual property are addressed in the Wyoming law. Connecticut law has provisions that protect the privacy of individuals including the elimination of governmental immunity.

    These laws, plus additional ones that are being added each year, attempt to make computer related crime less attrac¬tive to individuals and groups who are willing to risk fines and imprisonment. For example, thirteen state legislatures proposed some 21 pieces of computer crime legislation during their 1987 sessions and during the 1988 sessions some seven states proposed legislation. These bills propose new definitions of computer crime, revised definitions of the terms used in existing laws, enhanced penalties, proposed authorization for certain agencies to conduct computer crime investigations and propose compensation procedures for victims of computer crimes.

    For example, a proposed California law would greatly broaden the state’s authority to prosecute computer crimes. The bill has been criticized as being too harsh. Under this bill punishment for unauthorized access to a computer would depend not only on the dollar value of the computer time used but also on the expense of assessing and repair¬ing damage to the system. One feature of the bill removes the burden of proving malicious intent on the part of the defendant. It also allows the seizure and confiscation of items seized as the result of a warrant or arrest. These items may be destroyed or distributed to a public entity or nonprofit corporation. An Illinois Senate bill also provided for forfeiture of any moneys, profits or proceeds acquired directly or indirectly as the result of a computer crime.

    Several bills refine or enhance existing laws. An Idaho Senate bill defined computer crime within the definitions of trade secrets. The Massachusetts legislature is considering a bill that establishes a commission to determine and re¬view the adequacy of current laws defining computer crime. Both New Mexico and North Dakota passed legislation which further defines or redefines computer crime and computer fraud. The Utah legislature has passed legislation to provide for compensation to the victims of computer crime.

    The Texas State Legislature passed legislation related to the intellectual property policies of institutions of higher education. One of the matters addressed in these bills was disclosure of scientific and technological developments including computer software. This act is a basis for the control and protection of computer software developed at institutions of higher education in Texas.

  5. DPMA Model Computer Crime Bill

    Apparently, at the state level, legislation is not uniform nor is it consistent. Work needs to be done to strengthen cur¬rent and proposed legislation at the state level. With this objective in mind, the DPMA has taken an active interest in this effort by calling for the improvement of existing computer crime laws. It has proposed and drafted a “Model Computer Crime Act.” The model act establishes civil procedures for redress of computer crime victims. The DPMA model act also proposes forfeiture of property, guidelines for what evidence will be considered in a computer crime case (rules of evidence), a good definition of computer crime, suggested punishments (including increased penalties for repeated violations) and suggestions for jurisdiction. Jurisdiction is a significant problem for the courts since the computer criminal may reside in one state or country while committing a crime in another via data communication systems.

    Security practitioners must keep abreast of current legislation even though the impact of these laws on the prospec¬tive perpetrator of a computer crime may not be great. A review of the literature shows that most researchers believe that the probability of being convicted of a computer crime is low and that when convicted the punishments are nominal. Strengthening our existing laws can have a positive impact deterring would-be perpetrators of computer crime.