III. Laws and Legislation as Options to Control Computer Crime

  1. License Agreements:
  2. A common practice in the computer industry is to license the use of software rather than sell it outright. This is particularly true with mainframe software and much of the microcomputer software. The law related to license agreements is complex and of interest to the computer security specialist since a company’s liability could be substantial if infringements occur. A license agreement is a contract that permits the licensee to exercise owner’s rights under certain conditions and constraints for a fixed period. The extent of those rights varies from one license to another. Under a license agreement, the right to use computer hardware or software is often limited and defined. These constraints may include number of hours of use per period, the location of use, limits on the number of copies that may be made, limits on the number of terminals that can be used and similar items. Obligations of secrecy are often imposed as part of the license agreement.

    A license agreement is also a device for legally forbidding copying of computer programs. Under a license agreement, the developer remains the owner of the program. The publisher, the owner of the license, is only allowed to market the program under certain constraints imposed by the license agreement. When we pay a software vender for a computer disk and written documentation, we do not actually purchase the software. Instead, we have only paid for a license to use the software. We only have the right to use the software as specified in the license agreement. A distinction must be made between the purchasing of software and obtaining a license to use software.

    A number of actions should be taken to ensure the owner’s proprietary rights. Owners should limit the use of their software to certain purposes, times, and conditions so that its confidentiality is maintained. Instead of selling an unlimited right to copy a program, the owner will ordinarily specify the number of copies that the purchaser can make. The matter of royalties should be agreed upon between the developer and the licensee. The license should clearly allocate the legal responsibilities of the developer and licensee so that should any liability for infringements or program defects occur, a specify procedure can be followed to resolve the dispute.

    There are a number of forms of license agreements, including box-top and shrink-wrap license agreements. These are agreements that are put on the outside of the package containing the software. They may be printed on the box or be held in place by a transparent plastic package wrapping. Typically, agreements warn the purchaser that they are only acquiring the license to use the program and specify clearly the rights of the licensee. Upon opening the package the licensee has accepted the terms of the license agreement.

  3. Intellectual Property Laws, (Trade Secrets, Patents, Copyright and Trademarks)

    A trade secret is any information, process, or idea that a company considers confidential and it is not generally known in the industry. This secret gives the company a competitive advantage over others. Its existence is simply based on the obligation of confidentiality among the parties involved. Unlike the copyright law, which is discussed below, it can only offer limited protection related to ideas such as a program, formula, or device.

    Trade secrecy is probably the simplest and the most widely used method to protect software. Owners of a trade secret have exclusive rights to its use and they may license another person to use their innovation for some specified purpose. Under no circumstances should the licensee violate the agreement by disclosing the secret to unauthorized person or use it for unauthorized purposes.

    The trade secrets law may be used to protect object code as well as source code. Unlike the copyright, it is not a federal law. So, it is practicable in most situations to protect source codes by the trade secrets law and the object code by the copyright law. If object code is only protected as a trade secret, it can only be used as a secret and it cannot be mass marketed. Theoretically, a seller can require every user to sign a nondisclosure agreement when they acquire software. However, it would be inconvenient and unnecessary. Thus, copyright is often viewed as a better alternative when software is sold.

    The trade secrets law may not pose any legal restrictions in some cases. People may obtain software or other items covered by trade secrets agreements accidentally or intentionally without signing a nondisclosure agreement. Once the secret gets out, it is opened to others forever. Another problem is ‘independent discovery’ that means other people may develop the same program independently without being legally responsible for any trade restriction. “Reverse engineering” is legally the same as independent discovery.

    In many instances, trade secrets protection is preferable to copyright and patent protection. There is too much confusion in the legal profession regarding patent and copyright protection of software for developers to feel justified in entrusting their competitive advantages to those two forms of protection. With the patent and copyright, developers are required to make the development public as a perquisite for protection. Since trade secrets protection does not require any registration with government agencies, it is often viewed as a simpler form of protection. Protection exists once creation begins and it is quite a natural practice for a developer to protect his innovation by keeping it confidential.

    Using trade secrets protection has a number of drawbacks. First, a trade secret exists only as long as it is still a secret. A developer may be required to go to great lengths to establish and ensure the continued confidentiality of the innovation. Second, developers cannot restrict their competitor from discovering the new idea independently. Third, widespread trade secrets protection may tend to stifle technological development since it encourages jealous safeguarding of software improvements rather than the free interchange of new ideas.

    As mentioned above the use of the patent is impractical for the protection of software and is certainly a viable alternative for hardware protection. While there may be an occasion when a program might be patentable, confusion and uncertainty in the law creates doubt that a patent would be feasible. The costs of a patent are prohibitive compared to the cost of a copyright.

    A copyright owner has the exclusive right to reproduce his work. Copyrights can also be obtained if an author transfers the right to a third party. This applies to software as well as literature and art. Under the Copyright Act, a person who copies an idea for a program and not the actual code should not have infringed on the author’s copyright. Unfortunately, this look and feel doctrine has been supported by only a few cases in the courts. These cases involve defendants who stole the code of the plaintiff and wrote the same program in a different language.

    Microcomputer software presents a particular problem since many individuals are involved in the use of this software. Section 117 of the copyright laws, specifically the 1980 amendment, deals with a law that addresses the problem of backup copies of software. This section states that users have the right to create backup copies of their software. That is, users may legally create a backup copy of software if it is to be held in archive. Many software companies provide a free backup copy to users that precludes the need for to users purchase software intended to defeat copy protection systems and subsequently create copies of their software. If the software purchased is actually leased, you may in fact not even be able to make backup copies of the software. The distinction between leasing and buying is contained within the software documentation. The copyright statement is also contained in the software documentation. The copyright laws regarding leased material state that the leasor may say what the leaseholder can and cannot do with the software. So it is entirely up to the owner of the software as to whether or not users may make backup copies of the software. At a time when federal laws relating to copyright protection are evolving, several states are considering legislation that would bar unauthorized duplication of software.

    The software industry is prepared to do battle against software piracy. The courts are dealing with an increasing number of lawsuits concerning the protection of software. Large software publishers have established the Software Protection Fund to raise between $500,000 and $1 million to promote anti-piracy sentiment and to develop additional protection devices.

  4. Employee Non-Disclosure Considerations:
  5. A non-disclosure agreement is an established form of agreement between employees and a company in which an employee agrees not to disclose trade secrets or other confidential information owned by the company to any unauthorized person. It provides a legal basis for future prosecution of employees who breach security. Thus, employers retain their ability to hire or fire employees and also maintain their legal right to protect their trade secrets. Some of the significant elements in non-disclosure agreements include: an indication and definition of which trade secrets are involved, an obligation for the agreement to continue beyond termination of employment, restraints on duplication of material and exit review procedures when an employee terminates employment.

    In fulfilling employees’ obligation under this agreement, employees promise not to disclose company trade secrets unless authorized in writing by the company. This agreement should remain in force even after employment has been terminated. Upon termination of employment the employees agree to surrender to the company all notes, records, and documentation that was used, created, or controlled by the employee.

    A non-disclosure agreement should stress that an employee should take his or her involvement with trade secrets seriously and must legally bind the signer from disclosing trade secrets. Should the signer disclose the secrets to others, he cannot legally make use of it without facing the possibility of an injunction.

  6. Contracts:
  7. Software development contracts can play a contributing role in any security program. The subject of buying and leasing software and hardware cannot be explored without some basic knowledge of contract law. Often the user rushes into the contracting stage by signing the supplier’s standard form of contract often called the sales order. This is done without documenting claims made by the salesman and without realizing that the sales order is legally binding. If the purchaser is to protect himself fully, he or she must include certain clauses in these contracts.

    Room does not allow a complete discussion contracts except for some of the important clauses that are of particular interest to the computer security specialist. The interested reader should refer to one or more of the references listed at the end of this module.

    Written contracts should always designate a time frame or timetable in which the hardware is to be installed or software completed. Specify details when various parts of a program shall be completed and tested or likewise when hardware components shall be installed. Outline in detail the functional specifications for performance criteria and interface specifications. Include a list of authorized signatures of both parties to the contract. Specify the method and timing of payments in detail. Include definitions of terms that require clarification. Allocate responsibilities between the two parties involved to include what is expected of each. If software is to be developed, a detailed description of the software must be included. The user and supplier must agree that both parties will use all the Uniform Commercial Code (UCC) rights, duties, and remedies. Include some form of progress reporting system for hardware installation or the programming of software, plus a warranty that the products produced or purchased will perform according to specifications; provide for program maintenance and provide for access to source code via such agreements as a source code escrow.

    Detailed specifications are very important in any contract. Put in writing exactly what the program is to do or how the hardware is to perform. Since the user is the one who determines the specific adequacies of a product, the more detailed the contract, the better the user position. The user and seller must agree on the form and level of performance acceptance tests for hardware or software. These tests should be directly related to the previously mentioned functional specifications. The best solution for obtaining functioning programs is to use care in selecting a programmer or software house that is competent, reliable and financially sound.

    For protection, users should formulate a payment schedule so that a payment is made as each phase of installation is completed, tested, and operating properly. Should the project be delayed, the supplier will be responsible for any loss to the user. This encourages suppliers to meet time schedules and provides some bargaining leverage between the user and the supplier of the hardware or software. Custom-designed programming is more likely to develop problems and take longer to debug. Therefore, users should take this possibility into consideration when negotiating with the contractor.

    Make provisions for maintenance of hardware and/or software. Include up-time commitments for hardware and performance specifications for software. Agree upon the replacement procedures for non-functioning hardware or software “Lemons” needs to be agreed upon.

  8. Warranties for Software and Hardware:
  9. Consider comprehensive warranties for any hardware or software leased or purchased an important element in any security program. As pointed out above, different rights and obligation arise from the sale or lease of computer software and hardware. The sale of a product gives rise to certain warranties by the seller. A warranty is a promise that a particular statement is true, that the software or computer hardware will work as specified. The genesis for warranties is the Uniform Commercial Code (UCC) which divides warranties into two types: express and implied. Few express warranties are used in the sale of computers or software. Implied warranties, which imply that a product is fit and proper for the function advertised, are very common.

    Under the UCC, an express warranty is an affirmation or promise of product quality to the buyer and becomes a part of the basis of the bargain. Promises and affirmations made by the software developer to the user about the nature and quality of the program can also be classified as an express warranty. Programmers or retailers possess the right to define express warranties. Thus, they have to be realistic when they state any claims and predictions about the capabilities, quality and nature of their software or hardware. They should consider the legal aspects of their affirmative promises, their product demonstrations, and their product description. Every word they say may be as legally effective as though stated in writing. Thus, to protect against liability, all agreements should be in writing. A disclaimer of express warranties can free a supplier from being held responsible for any informal, hypothetical statements or predictions made during the negotiation stages.

    Implied warranties are also defined by the UCC. These are warranties that are provided automatically in every sale. These warranties need not be in writing nor do they need to be verbally stated. They insure that good title will pass to the buyer, that the product is fit for the purpose sold, and that it is fit for the ordinary purposes for which similar goods are used (merchantability).