CHAPTERLEGAL AND ETHICAL ASPECTS23.1 Cybercrime and Computer CrimeTypes of Computer CrimeLaw Enforcement ChallengesWorking With Law Enforcement23.2 Intellectual PropertyTypes of Intellectual PropertyIntellectual Property Relevant to Network and Computer SecurityDigital Millennium Copyright ActDigital Rights Management23.3 PrivacyPrivacy Law and RegulationOrganizational ResponsePrivacy and Data Surveillance23.4 Ethical IssuesEthics and the IS ProfessionsEthical Issues Related to Computers and Information SystemsCodes of Conduct23.5 Recommended Reading and Web Sites23.6 Key Terms, Review Questions, and Problems23-1M24_STAL7044_05_SE_C23.QXD 12/3/09 12:16 PM Page 23-123-2 CHAPTER 23 / LEGAL AND ETHICAL ASPECTSThere are some dogs who wouldn’t debase what are to them sacred forms. A veryfine, very serious German Shepherd I worked with, for instance, grumbled noisilyat other dogs when they didn’t obey. When training him to retrieve, at one point Iset the dumbbell on its end for the fun of it. He glared disapprovingly at thedumbbell and at me, then pushed it carefully back into its proper position beforepicking it up and returning with it, rather sullenly.—Adam’s Task: Calling Animals by Name, Vicki HearneThe legal and ethical aspects of computer security encompass a broad range of topics,and a full discussion is well beyond the scope of this book. In this chapter, we touch ona few important topics in this area.23.1 CYBERCRIME AND COMPUTER CRIMEThe bulk of this book examines technical approaches to the detection, prevention,and recovery from computer and network attacks. One other tool is the deterrentfactor of law enforcement. Many types of computer attacks can be consideredcrimes and, as such, carry criminal sanctions. This section begins with a classificationof types of computer crime and then looks at some of the unique law-enforcementchallenges of dealing with computer crime.Types of Computer CrimeComputer crime, or cybercrime, is a term used broadly to describe criminal activityin which computers or computer networks are a tool, a target, or a place of criminalactivity.1These categories are not exclusive, and many activities can be character-ized as falling in one or more categories. The term cybercrime has a connotation ofthe use of networks specifically, whereas computer crime may or may not involvenetworks.The U.S. Department of Justice [DOJ00] categorizes computer crime based onthe role that the computer plays in the criminal activity, as follows:• Computers as targets: This form of crime targets a computer system, toacquire information stored on that computer system, to control the target sys-tem without authorization or payment (theft of service), or to alter theintegrity of data or interfere with the availability of the computer or server.Using the terminology of Chapter 1, this form of crime involves an attack ondata integrity, system integrity, data confidentiality, privacy, or availability.• Computers as storage devices: Computers can be used to further unlawfulactivity by using a computer or a computer device as a passive storagemedium. For example, the computer can be used to store stolen password lists,1This definition is from the New York Law School Course on Cybercrime, Cyberterrorism, and DigitalLaw Enforcement (information-retrieval.info/cybercrime/index.html).M24_STAL7044_05_SE_C23.QXD 12/3/09 12:16 PM Page 23-223.1 / CYBERCRIME AND COMPUTER CRIME 23-3credit card or calling card numbers, proprietary corporate information, porno-graphic image files, or “warez” (pirated commercial software).• Computers as communications tools: Many of the crimes falling within thiscategory are simply traditional crimes that are committed online. Examplesinclude the illegal sale of prescription drugs, controlled substances, alcohol,and guns; fraud; gambling; and child pornography.A more specific list of crimes, shown in Table 23.1, is defined in the interna-tional Convention on Cybercrime.2This is a useful list because it represents aninternational consensus on what constitutes computer crime, or cybercrime, andwhat crimes are considered important.Yet another categorization is used in the CERT 2006 annual E-crime Survey,the results of which are shown in Table 23.2. The figures in the second columnindicate the percentage of respondents who report at least one incident in thecorresponding row category. Entries in the remaining three columns indicatethe percentage of respondents who reported a given source for an attack.3Law Enforcement ChallengesThe deterrent effect of law enforcement on computer and network attacks correlateswith the success rate of criminal arrest and prosecution. The nature of cybercrime issuch that consistent success is extraordinarily difficult. To see this, consider what[KSHE06] refers to as the vicious cycle of cybercrime, involving law enforcementagencies, cybercriminals, and cybercrime victims (Figure 23.1).For law enforcement agencies, cybercrime presents some unique difficulties.Proper investigation requires a fairly sophisticated grasp of the technology.Although some agencies, particularly larger agencies, are catching up in this area,many jurisdictions lack investigators knowledgeable and experienced in dealingwith this kind of crime. Lack of resources represents another handicap. Some cyber-crime investigations require considerable computer processing power, communica-tions capacity, and storage capacity, which may be beyond the budget of individualjurisdictions. The global nature of cybercrime is an additional obstacle: Many crimeswill involve perpetrators who are remote from the target system, in another juris-diction or even another country. A lack of collaboration and cooperation withremote law enforcement agencies can greatly hinder an investigation. Initiativessuch as the international Convention on Cybercrime are a promising sign. TheConvention at least introduces a common terminology for crimes and a frameworkfor harmonizing laws globally.2The 2001 Convention on Cybercrime is the first international treaty seeking to address Internet crimesby harmonizing national laws, improving investigative techniques, and increasing cooperation amongnations. It was developed by the Council of Europe and has been ratified by 43 nations, including theUnited States. The Convention includes a list of crimes that each signatory state must transpose into itsown law.3Note