SEPTEMBER - OCTOBER
THE COMPUTER LAW AND SECURITY REPORT
34 The protection of the semiconductor topography, as required by EEC Council Directive 87/54/EEC, and as distinct from protection of the program incorporated in the chip, is not considered in this article.

35 For a detailed survey of output protection, see CLUK 1986, paras. 231-234, 566, 570. Where the output itself constitutes a work, the first owner of the copyright in the work will normally be the author; for films and records, the respective makers (1956 Act ss.4(1), 12(8), 13(10)). Where output results from the intervention of the operator using the equipment as a tool, the output will not normally reproduce the program: it will be of "Product B" type (cf. para.3.1.1) and the copyright in it (if any) will belong to the respective category of owner (or assignee) as provided by the 1956 Act.

36 1956 Act, s.13(5). For an interlocutory decision, see Sega Enterprises Ltd. v Richards (supra, footnote 15) in which the plaintiff claimed copyright in (1) a computer program, (2) drawings derived from the program and displayed on screen, and (3) the sequence of images recorded in the game board, as a film. Held, on motion, copyright in (1), no decision in (2) and (3): injunction. The U.S. cases on videogame and moving picture protection are of interest, but must be related to the specific definition of "audiovisual works" in the U.S. Act, s.101: see e.g. Worlds of Wonder Inc. v Vector Intercontinental Inc. & ors (N.D. Ohio 1986, summary in (1986-87) 5 CLSR 6) and Frybarger (supra, footnote 29). In Broderbund (para.4.4.2) and Digital Communications v Softklone (supra, footnote 29), opposite conclusions were reached as to whether screen displays are protected by the program copyright.

37 See the cases mentioned in CLUK 1986, para.511.

38 Article 5(4) of the EEC Council Directive 87/54/EEC permits reproduction of chips in case of legitimate reverse engineering (Art.5(3)). It remains to be seen whether literary work program copyright will be affected by the legislation putting the Directive into force in the U.K.

39 For proposals as to the rights (including those covering disclosure, access and machine operation control) which should be accorded in respect of computer programs, see s.5 of the WIPO Model Provisions (cf. footnote 1 (Part I)).
US FOCUS

has crossed state lines; and finally, conspiracy, 7 which prohibits two or more individuals from planning to commit a federal crime.

Perhaps the most interesting presentation at this session was Pilkington's; she explained what prompted the Illinois Attorney General's Office to propose new legislation on computer crimes. According to Pilkington, ALLNET, a private long-distance telephone company, approached the Attorney General's Office and said it was having problems litigating computer and telephone fraud with the current laws. Although Illinois currently has a computer crime statute, 8 it has never really been used. Out of this request, the Attorney General conducted public hearings and, based on the results of those hearings, drafted a new law. The law repeals the old computer crime statute, calls for stiffer penalties for violators, and provides for the forfeiture of the equipment used to commit the crime (much like some US drug laws). Pilkington said fraud itself is not new; it has been around for some time. What is new is the instrumentality: the computer. She noted that the federal mail fraud statute 9 was passed in response to a new instrumentality: the mails.

The "Developing a Computer Security Program" session was chaired by Barry Schrager and consisted of Bruce Spiro, Advanced Information Management; Richard Cashion, Tennessee Technological Institute; and Jack Stoller, UCCEL Corporation. This session reiterated the importance of preplanning, corporate policies, and access control. Spiro noted that access control is the key in remote user systems.

The final session on computer security, "Investigating a Security Breach," was chaired by Wayne Cerow of Cerow Investigations and consultants of Arizona and featured Carlton W. Fitzpatrick, of the Federal Law Enforcement Training Center, where he trains investigators on how to investigate computer crimes; Abigail Abraham, head of the Illinois State Police's Computer Crime Unit; and Barry W. Levy, Levy Security Consultants, a private security firm. Prior to establishing his own firm, Levy was with the Cook County Sheriff's Department. The session dealt with what to do and whom to call when you have reason to believe you have been a victim of computer abuse. Cerow discussed the team approach, noting that one person cannot handle all aspects of the investigation; you need specialists. Levy said that most computer crime cases
National Computer Conference 1987 - Chicago
The 1987 National Computer Conference (NCC '87) rolled into Chicago in June to very poor reviews. Once THE computer show in the United States, the NCC has fallen on hard times. Some of the industry giants (Unisys, Digital Equipment Corporation, Hewlett-Packard and Data General) were conspicuously absent, and now the ACM (Association for Computing Machinery) is considering withdrawing their sponsorship. To combat its attendance woes, the NCC has hired a new management company to improve next year's show, which will be held in Los Angeles, May 31 - June 3, 1988.

Computer security session at the NCC
The NCC devoted three 90-minute sessions to computer security: "What is Computer Crime?", which dealt with the current definitions of computer crime; "Developing A Computer Security Program," or what to do before a crime happens; and "Investigating a Security Breach," or what to do when a crime happens.

The session "What is Computer Crime?" featured Thomas P. Sullivan, the former US Attorney for the Northern District of Illinois, now with the Chicago law firm of Jenner & Block; Cathy Ann Pilkington, chief of the Medicaid Fraud Unit of the Illinois Attorney General's Office and one of the authors of Illinois' new Computer Crime Bill; and Linda Vetter of Key Logic. The session was chaired by Mitch Betts of Computerworld.

Sullivan pointed out that, on the federal level, there are still some very powerful statutes on the books. He said many of these statutes were drafted long before computers; they include RICO (Racketeer Influenced and Corrupt Organizations Act), 1 which defines certain federal offences to be considered "racketeering"; wire fraud, 2 which prohibits schemes to defraud or obtain property by false pretences when interstate communication facilities are used; mail fraud, 3 which prohibits schemes to defraud or obtain property by false pretences when the mails are used; copyright infringement, 4 which protects copyrights; transportation of stolen property, 5 which prohibits transporting across state lines stolen property that has a value of $5,000 or more; receipt of stolen property, 6 which prohibits the receipt of stolen property, valued at $5,000 or more, which
3 CLSR
necessary for survival in today's globally competitive world." "Of the five popular biometric techniques currently used for personal authentications, fingerprints offer the most cost-effective solution," stated Dignan. "They're relatively easy to analyse and practically impossible to duplicate," he said; "the system is virtually foolproof."

The scanning unit is about the size of a modem and contains a small optical reader. This unit is connected to a terminal or workstation, with the ThumbScan software installed on the host computer. During logon, the host software requests the user to place a thumb or finger on the scanner. The scanned image is compared to the user's previously stored print on the host system. If the two match, access is granted. Both the signal from the scanner and the 180-byte fingerprint record stored on the host are encrypted. Dignan noted that the error rate, in the lab, was 1/2 of one percent for an authorised person not getting in and 1/10 of one percent for an unauthorised person getting in.

ThumbScan hopes to be shipping internationally by October. Pricing, Dignan said, will be $995 for the reader, $9,500 for the mainframe software and $5,500 for mini-computers. Currently, ThumbScan can operate in PC DOS, DEC VAX, and IBM mainframe environments and with access control systems such as RACF, ACF-2, TOP SECRET, Guardian, and VMSECURE.

For more information contact: ThumbScan, Two Mid-America Plaza, Suite 800, Oakbrook Terrace, Illinois 60181, Phone (312) 954-2336.
are discovered by accident: through audits, staff changes, or someone turning the person in. According to Levy, "The best schemes are still going."

The differences between what a private security consultant or private citizen legally can or cannot do in an investigation and what the police legally can or cannot do were discussed. It was noted that a private citizen has far greater freedom concerning the questions he/she can ask or the evidence that can be gathered without a search warrant. Also, an employment agreement stating that discs and computer logons are considered property of the company and are subject to inspection would probably protect a company from an invasion of privacy charge by an employee who felt that inspecting their discs or logons was an invasion of privacy.

Levy defined evidence as "whatever alerted you in the first place" that a crime had occurred or was occurring. Abraham stressed that when copying files, employers should use a "nonsuspect" machine and a new utility. Finally, Fitzpatrick stressed the need to prosecute computer crimes.
Excellence in technology award

During the NCC, William O. Bailey, vice chairman of Aetna Life & Casualty, chairman and chief executive officer of MBIA, Inc., received the 1987 Excellence in Technology Award. Sponsored by Business Week magazine, the Gartner Group, and the NCC, the award is presented annually to a chief executive officer for leadership in managing information technology. Past winners include Robert L. Crandall, chairman and chief executive officer of AMR Corporation and American Airlines, Inc., and Frederick W. Smith, chairman, chief executive officer, president and founder of Federal Express.
Bernard R Zajac Jr, Editorial Panelist

Opinions expressed herein are those of the author and do not necessarily reflect those of ABC Corporation.

Footnotes
1 18 U.S.C. sec. 1962
2 18 U.S.C. sec. 1343
3 18 U.S.C. sec. 1341
4 17 U.S.C. sec. 506(a) and 18 U.S.C. sec. 2319
5 18 U.S.C. sec. 2314
6 18 U.S.C. sec. 2315
7 18 U.S.C. sec. 371
8 Ill. Rev. Stat. ch. 38 sec. 16-9 (1986)
9 18 U.S.C. sec. 1341
Fingerprint authentication arrives

At the NCC, ThumbScan of Oakbrook Terrace, Illinois, announced their fingerprint authentication system which, according to ThumbScan, "digitises and analyses a fingerprint within five seconds." Peter Dignan, president of ThumbScan, announcing the new product, said, "Timely and convenient access to the corporate computers, communication networks and databases is
CURRENT AWARENESS NEWS
HIGHLIGHTS
processed data. The passage of this legislation suggests, therefore, that reform of the law concerning access to manual records is to be piecemeal, with specific legislation where appropriate. The Act also applies to Scotland.
Legislation

The Access to Personal Files Act 1987 received the Royal Assent just before the General Election. It opens up access to personal information held by a Housing Act local authority for the purpose of the authorities' tenancies. It also covers personal information held by local social services authorities "for the purpose of the authorities' social services functions." The right is contingent upon the Secretary of State making regulations after consulting the relevant authorities or bodies involved. The Act empowers him to impose obligations on the authorities to give access to the information, to rectify or make erasures in records containing inaccurate information, and to provide for exemptions from disclosure or access. He is also empowered to introduce appropriate procedures to enforce the legislation and to provide for a review system. The Act is significant since it is the first time that manual records have been included in proposals to allow subject access. The Data Protection Act of course is only concerned with computer
A Bill to amend the Data Protection Act 1984?

Mr. Harry Cohen M.P. has published a discussion document outlining proposals to introduce a Data Protection Amendment Bill in the new session of Parliament. The purpose of the Bill will be to amend the existing Data Protection Act with the objective of making the Act less bureaucratic, more workable and more amenable to both data users and data subjects. Commenting on his proposals, the M.P. said, "The Bill builds on the existing framework experience and knowledge and thus preserves the work done by many individuals and organisations (including the Data Protection Registrar) who have established procedures to deal with the current legislation. My Bill starts from the premise that information relating to individuals stored on computer is, because of the flexibility of computers, more open to abuse than manually