Legal safeguards for the Internet
August Bequai
Computer Audit Update, December 1996. © 1996, Elsevier Science Ltd.

merely to sell their products and services to consumers and other businesses, but also to streamline their daily operations and bring down their costs. The Internet is touted daily in the US press as a crucial vehicle for commerce in the 21st century, an electronic 'Panama Canal' that will help US companies expand their global presence. But there are also sceptics, who point to the security risks associated with the Internet. They note that until the problem of security is addressed, the Internet will prove of limited value to the business community, relegating its role to that of an "electronic wonderland".

With the above in mind, some US companies are turning to legal safeguards to address the security problem connected to the Internet. To cite a few:

Federal Computer Fraud and Abuse Act

This Act makes it a crime to access a computer that operates in interstate or foreign commerce without authorization or in excess of authorization. The US Secret Service and FBI have primary responsibility for investigating violations of the Act; these are punishable by substantial fines and imprisonment of up to 10 years for a first offence.

The Act makes it illegal to:

- Gain unauthorized access to classified information pertaining to national defense or foreign relations, where the intent is to cause injury to US interests or assist a foreign government.
- Access information contained in the financial records of financial institutions, credit card issuers, or consumer reporting agencies which relates to a consumer.
- Access the computer systems of an agency of the US government, where this adversely affects the government's use of such a system.
- Further an intended fraud by accessing a computer system.
- Transmit programs, information, codes, or commands for the purpose of damaging a computer system, or delaying or denying its use.
- Transmit data, codes, or programs that modify or impair medical information.
- Knowingly and with the intent to defraud, traffic in any computer access passwords.

Copyright Act

This has proven effective in safeguarding computer programs and other intellectual property employed over the Internet. The safeguards take on one of several forms:

- Subject matter - ownership in all original works of authorship that are fixed in a tangible medium of expression, from which the works can be reproduced or otherwise communicated either directly or with the aid of a machine or device. Protected works include all literary works (computer programs and digital databases are included), as well as audiovisual works, pictorial works, and sound recordings. The Act defines a computer program as "a set of statements or instructions to be used directly or indirectly in a computer in order to bring about a certain result."
- Exclusive rights - the copyright safeguards here are limited to the expression of ideas, not processes, procedures, methods of operation, and the like. Save for a few exceptions, the Act accords the owner of a copyright the exclusive rights to: reproduce the work; prepare derivative works based on the copyrighted work; distribute copies of the copyrighted work to the public by sale or other transfer of ownership; and perform or display the copyrighted work publicly.
- Infringement - an individual who violates any of the provisions of the Act is an infringer. Under the Act, this would include any governmental instrumentality or any officer or employee of such an instrumentality, even when acting in an official capacity.
- Remedies - the Act provides for both temporary and permanent injunctions, the impounding and disposition of infringing articles, monetary damages, costs and attorneys' fees.
- Criminal sanctions - the Act also provides that any person who infringes a copyright willfully and for purposes of commercial advantage shall face fines of up to $250 000 and/or imprisonment for up to 10 years.
- Fair use - this is an affirmative defense. In determining whether a use is fair, however, a court will consider the following: the purpose and character of the use, including whether it is of a commercial nature or for nonprofit purposes; the nature of the copyrighted work; the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and the effect of the use upon the potential market for or value of the copyrighted work. The scope of fair use is an issue of ongoing debate in the context of the Internet, where information in digital format is easily and quickly exchanged.
- Online safeguards - application of the Act to the Internet, intranets, bulletin board systems, and the like has created the threat of potential liability for various intermediaries for copyright infringement. This is especially true where the intermediaries are more amenable to personal jurisdiction than the originator of the alleged infringing work.

Lanham Act

Trademarks are another important form of intellectual property safeguards for the Internet. The Act provides:

- Scope - trademark safeguards are designed to protect the name, design, or other indicia of origin under which a seller distinguishes his goods and services from those of another. The Act defines a trademark as any word, name, symbol, device, or any combination thereof which is used by a person, or which a person has a bona fide intention to use, in commerce.
- Safeguards - the Act is limited to those marks which are inherently distinctive or have acquired secondary meaning, which invoke a connection in the consumer's mind between the mark and the provider of the goods or service. Marks that are merely descriptive of a product do not inherently qualify.
- Registration - in the US the approval and registration of Internet domain names is administered by the Internet Network Information Center (InterNIC), under a cooperative agreement with the National Science Foundation in Washington, D.C. Domain names are granted and registered free of charge by InterNIC on a first come, first served basis. InterNIC does not run trademark searches on domain names submitted for approval and registration; it merely checks its records to ensure that an identical domain name has not already been issued.
- Infringement - occurs when someone other than the owner of the trademark uses the same or a similar term on the same or closely related goods or services.
- Remedies - the Act provides for the following civil remedies: an injunction against future infringement; the infringer's profits; damages for past infringement suffered by the owner of the mark; destruction of all materials bearing the infringing mark; and the costs of the action. Some state trademark laws provide for criminal penalties for certain forms of infringement.
- Domain names - trademark protection has been applied to domain names. These are the alphanumeric addresses of an Internet user, consisting of a word or words such as an individual's, organization's or company's name, a brand name or trademark, or any other word commonly associated with a particular user. An applicant for domain name registration must do as follows: declare it has the right to use the name; declare a bona fide intention to use the name regularly on the Net; and declare that the registration is not sought for any unlawful purpose, including trademark infringement.

Electronic Communications Privacy Act

Enacted in 1986, the Act codifies requirements for the interception of electronic communications by government officials, as well as creating privacy protections for stored electronic messages. Title I of the Act covers the acquisition and disclosure of communications streams; Title II covers the acquisition and disclosure of stored information; and Title III covers the acquisition and disclosure of transactional information. Subsequent amendments to the Act have added safeguards in the area of videotape rental records.

- Penal sanctions - the Act has been employed to prosecute unauthorized access and disclosures of electronic communications. Anyone who intentionally accesses, without authorization, a facility through which an electronic communication service is provided, or intentionally exceeds an authorization to access that facility and thereby obtains, alters, or prevents authorized access, could face fines of up to $250 000 and/or imprisonment for up to one year for a first offense, and up to two years for repeat offenders. If criminal intent cannot be shown, the fines run up to $5000 and the term of imprisonment up to six months.
- E-mail - the scope of the Act with respect to employer monitoring of employee E-mail continues to remain unclear. The Act does allow the provider of an electronic communication service to intercept messages for the "protection of the service's property or rights". However, the Act goes on to state that the provider shall not use service observing or random monitoring except for mechanical and service quality control checks. To negate an expectation of privacy claim, employers are required to advise employees that the system is to be used solely for business purposes, and that any information stored and transmitted by them is accessible by management.

Fair Credit Reporting Act (FCRA)

This Act regulates the dissemination of consumer credit reports by consumer reporting agencies. Both consumer reporting agencies and users of consumer reports are subject to civil liability for wilful noncompliance under the Act. This includes any damages sustained by the consumer, as well as punitive damages and legal costs. In the event of negligent noncompliance, the consumer may recover actual damages plus legal costs. The statute of limitations for bringing an action under the Act is two years from the date the liability arises. Unauthorized disclosures of consumer reports by consumer reporting agencies are subject to criminal penalties, including a fine of up to $5000, imprisonment of up to one year, or both.

Right to Financial Privacy Act

This statute limits the right of the federal government to obtain financial records from banks and other financial institutions. To gain access under the Act, the government needs to provide a formal written statement that includes the nature of the records sought, as well as the purpose of the disclosure. A copy of the request must be sent to the financial institution's customer, who has the right to challenge access by the government. There are exceptions which permit a financial institution to provide specific information when it suspects that a law has been violated. The information which can be provided is limited to the name or account involved, as well as the nature of the suspected unlawful activity. Federal agencies and financial institutions are civilly liable to customers for the wrongful disclosure of financial information.

Arms Export Control Act

This law authorizes the President of the United States to regulate the import and export of articles and services that bear on national defense. Pursuant to the statute, the Secretary of State issues the International Traffic in Arms Regulations (ITAR). These list what constitute controlled defense articles. The furnishing to a foreign national of any technical data controlled under this Act, whether within or outside the US, constitutes a crime. Encryption systems, software, and algorithms have been defined to be defense articles for purposes of the Act. An appendage of the Cold War era, the Act has its critics. In an effort to relax its provisions, the US Congress is studying two proposed bills:

- Encrypted Communications Privacy Act: this bill was introduced in the US Senate (S. 1587) and contains a general declaration that the use of encryption by an American citizen, domestically or abroad, regardless of the algorithm selected, with or without a key escrow function, and with or without a third-party key escrow holder, is lawful. The bill would also provide for criminal penalties and civil liability for any key holder (escrow agent) who released the key other than either with the consent of the key owner or to authorized investigative or law enforcement officers. It would also make all sales of encryption within the US legal, no matter how strong the technology.
- Security and Freedom through Encryption Act: this bill was introduced in the US House of Representatives (H.R. 3011); it declares the use and sale of encryption equipment lawful, except when "in furtherance of a criminal offence". In addition, the bill would bar compulsory access to encrypted information by investigative or law enforcement officers, except when such access is obtained pursuant to preexisting law.

Summary

While technical and personnel measures are available to US companies to secure their commercial transactions over the Internet, many have resorted to legal safeguards, largely the result of America's litigious tradition. Whether this excessive reliance on the legal edifice to secure the Internet as a vehicle for electronic commerce will prove successful remains to be seen. Other countries may learn from the American experience and foibles.