Security+ SY0 301 chapter 3

PART I

CHAPTER 3

Legal Issues, Privacy, and Ethics
In this chapter, you will
• Learn about the laws and rules concerning importing and exporting encryption software
• Know the laws that govern computer access and trespass
• Understand the laws that govern encryption and digital rights management
• Learn about the laws that govern digital signatures
• Learn about the laws that govern privacy in various industries with relation to computer security
• Explore ethical issues associated with information security

Computer security is no different from any other subject in our society; as it changes
our lives, laws are enacted to enable desired behaviors and prohibit undesired behaviors. The one substantial difference between this aspect of our society and others is that
the speed of advancement in the information systems world as driven by business,
computer network connectivity, and the Internet is much greater than in the legal system of compromise and law-making. In some cases, laws have been overly restrictive,
limiting business options, such as in the area of importing and exporting encryption
technology. In other cases, legislation has been slow in coming and this fact has stymied business initiatives, such as in digital signatures. And in some areas, it has been
both too fast and too slow, as in the case of privacy laws. One thing is certain: you will
never satisfy everyone with a law, but it does delineate the rules of the game.
The cyber-law environment has not been fully defined by the courts. Laws have
been enacted, but until they have been fully tested and explored by cases in court, the
exact limits are somewhat unknown. This makes some aspects of interpretation more
challenging, but the vast majority of the legal environment is known well enough that
effective policies can be enacted to navigate this environment properly. Policies and
procedures are tools you use to ensure understanding and compliance with laws and
regulations affecting cyberspace.

CompTIA Security+ All-in-One Exam Guide, 3rd Edition


Cybercrime
One of the many ways to examine cybercrime involves studying how the computer is
involved in the criminal act. Three types of computer crimes commonly occur: computer-assisted crime, computer-targeted crime, and computer-incidental crime. The differentiating factor is how the computer is specifically involved from the criminal’s point
of view. Just as crime is not a new phenomenon, neither are computers, and cybercrime
has a history of several decades.
What is new is how computers are involved in criminal activities. The days of simple teenage hacking from a bedroom have been replaced by organized-crime-controlled botnets (groups of computers commandeered by a malicious hacker) and acts designed to attack specific targets. The legal system has been slow to react, and law enforcement has been hampered by its own challenges in responding to the new threats posed by high-tech crime.
What comes to mind when most people think about cybercrime is a computer that is targeted and attacked by an intruder. The criminal attempts to benefit from some form of unauthorized activity associated with a computer. In the 1980s and '90s, cybercrime was mainly virus and worm attacks, each exacting some form of damage, yet the gain for the criminal was usually negligible. Enter the 21st century, with new forms of malware, rootkits, and targeted attacks; criminals can now target individual users and their bank accounts. In the current environment it is easy to predict where this form of attack will occur: if money is involved, a criminal will attempt to obtain what he considers his own fair share. A common method of criminal activity is computer-based fraud. Advertising on the Internet is big business, and hence the "new" crime of click fraud is now a concern. Click fraud uses malware or automated scripts to generate bogus clicks on advertisements, inflating the click counts on which advertising payments are based.
eBay, the leader in the Internet auction space, and its companion PayPal are frequent targets of fraud. Whether the fraud occurs by fraudulent listing, fraudulent bidding, or outright stealing of merchandise, the results are the same: a crime is committed.
As users move toward online banking and stock trading, so moves the criminal element. Malware designed to install a keystroke logger and then watch for bank/brokerage logins is already making the rounds of the Internet. Once the attacker finds the targets, he can begin looting accounts. His risk of getting caught and prosecuted is exceedingly low. Walk into a bank in the United States and rob it, and the odds are better than 95 percent that you will be doing time in federal prison after the FBI hunts you down and slaps the cuffs on your wrists. Do the same crime via a computer, and the odds are reversed: fewer than 1 percent of these attackers are caught and prosecuted.
The low risk of being caught is one of the reasons that criminals are turning to computer crime. Just as computers have become easy for ordinary people to use, the same trend holds for the criminal element. Today's cyber criminals use computers as tools to steal intellectual property or other valuable data and then market these materials through underground online forums. Using the computer to physically separate the criminal from the scene of the crime has made the investigation and prosecution of these crimes much more challenging for authorities.


The last way computers are involved with criminal activities is through incidental involvement. Back in 1931, the U.S. government used accounting records and tax laws to convict Al Capone of tax evasion. Today, similar records are kept on computers. Computers are also used to traffic child pornography and other illicit material; in these cases the computers act more as storage devices than as actual tools that enable the crime. Because child pornography existed before computers made its distribution easier, the computer is incidental to the crime itself.
With the three forms of computer involvement in crimes, coupled with increased criminal involvement, multiplied by the myriad ways a criminal can use a computer to steal or defraud, added to the indirect connection mediated by the computer and the Internet, computer crime of the 21st century is a complex problem indeed. Technical issues are associated with all the protocols and architectures. A major legal issue is the education of the entire legal system as to the serious nature of computer crimes. All these factors are further complicated by the use of the Internet to separate the criminal and his victim geographically. Imagine this defense: "Your honor, as shown by my client's electronic monitoring bracelet, he was in his apartment in California when this crime occurred. The victim claims that the money was removed from his local bank in New York City. Now, last time I checked, New York City was a long way from Los Angeles, so how could my client have robbed the bank?"

EXAM TIP Computers are involved in three forms of criminal activity: the computer as a tool of the crime, the computer as a victim of a crime, and the computer that is incidental to a crime.

Common Internet Crime Schemes
To find crime, just follow the money. In the United States, the FBI and the National White Collar Crime Center (NW3C) have joined forces in developing the Internet Crime Complaint Center (IC3), an online clearinghouse that communicates issues associated with cybercrime. One of the items provided to the online community is a list of common Internet crimes and explanations (www.ic3.gov/crimeschemes.aspx). A separate list offers advice on how to prevent these crimes through individual actions (www.ic3.gov/preventiontips.aspx).
Here's a list of common Internet crimes from the site:
• Auction Fraud
• Auction Fraud—Romania
• Counterfeit Cashier's Check
• Credit Card Fraud
• Debt Elimination
• Parcel Courier E-mail Scheme
• Employment/Business Opportunities
• Escrow Services Fraud
• Identity Theft
• Internet Extortion
• Investment Fraud
• Lotteries
• Nigerian Letter or "419"
• Phishing/Spoofing
• Ponzi/Pyramid Scheme
• Reshipping
• Spam
• Third Party Receiver of Funds

Sources of Laws
In the United States, three primary sources of laws and regulations affect our lives and govern actions. Statutory laws are passed by the legislative branches of government, be it the Congress or a local city council. Another source of laws and regulations is administrative bodies given power by other legislation. The power of government-sponsored agencies, such as the Environmental Protection Agency (EPA), the Federal Aviation Administration (FAA), the Federal Communications Commission (FCC), and others, lies in this ability to enforce behaviors through administrative rule making. The last source of law in the United States is common law, which is based on previous events, or precedent. The source of this law is the judicial branch of government: judges decide on the applicability of laws and regulations.
All three sources have an involvement in computer security. Specific statutory laws, such as the Computer Fraud and Abuse Act, govern behavior. Administratively, the FCC and Federal Trade Commission (FTC) have made their presence felt in the Internet arena with respect to issues such as intellectual property theft and fraud. Common law cases are now working their way through the judicial system, cementing the issues of computers and crimes into the system of precedents and the constitutional basis of laws.
EXAM TIP Three types of laws are commonly associated with cybercrime: statutory law, administrative law, and common law.

Computer Trespass
With the advent of global network connections and the rise of the Internet as a method of connecting computers between homes, businesses, and governments across the globe, a new type of criminal trespass can now be committed. Computer trespass is the unauthorized entry into a computer system via any means, including remote network connections. These crimes have introduced a new area of law that has both national and international consequences. For crimes that are committed within a country's borders, national laws apply. For cross-border crimes, international laws and international treaties are the norm. Computer-based trespass can occur even if countries do not share a physical border.
Computer trespass is treated as a crime in many countries. National laws exist in many jurisdictions, including the EU, Canada, and the United States. These laws vary by country, but they all have similar provisions defining the unauthorized entry into and use of computer resources for criminal activities. Whether called computer mischief as in Canada, or computer trespass as in the United States, unauthorized entry and use of computer resources is treated as a crime with significant punishments. With the globalization of the computer network infrastructure, or Internet, issues that cross national boundaries have arisen and will continue to grow in prominence. Some of these issues are dealt with through the application of national laws upon request of another government. In the future, an international treaty may pave the way for closer cooperation.

Convention on Cybercrime
The Convention on Cybercrime is the first international treaty on crimes committed via the Internet and other computer networks. The convention is the product of four years of work by Council of Europe experts, joined by the United States, Canada, Japan, and other countries that are not members of the Council of Europe. It was opened for signature in Budapest in November 2001 and, after the five ratifications it required, entered into force in July 2004.
The main objective of the convention, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international cooperation. This has become an important issue with the globalization of network communication. The ability to create a virus anywhere in the world and escape prosecution because of a lack of local laws has become a global concern.
The convention deals particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security. It also contains a series of powers and procedures covering, for instance, searches of computer networks and interception. It is supplemented by an additional protocol making any publication of racist and xenophobic propaganda via computer networks a criminal offense.

Significant U.S. Laws
The United States has been a leader in the development and use of computer technology. As such, it has a longer history with computers and with cybercrime than other countries. Because legal systems tend to be reactive and move slowly, this leadership position has translated into a leadership position from a legal perspective as well. The one advantage of this legal leadership position is that once an item is identified and handled by the legal system in one jurisdiction, subsequent adoption in other jurisdictions is typically quicker.

Electronic Communications Privacy Act (ECPA)
The Electronic Communications Privacy Act (ECPA) of 1986 was passed by Congress and signed by President Reagan to address a myriad of legal privacy issues that resulted from the increasing use of computers and other technology specific to telecommunications. Sections of this law address e-mail, cellular communications, workplace privacy, and a host of other issues related to communicating electronically. A major provision was the prohibition against an employer's monitoring an employee's computer usage, including e-mail, unless consent is obtained. Other provisions protect electronic communications from wiretap and outside eavesdropping, as users were assumed to have a reasonable expectation of privacy and afforded protection under the Fourth Amendment to the Constitution.
A common practice with respect to computer access today is the use of a warning banner. These banners are typically displayed whenever a network connection occurs and serve four main purposes. First, from a legal standpoint, they establish the level of expected privacy (usually none on a business system) and serve as consent to real-time monitoring from a business standpoint. Real-time monitoring can be conducted for security reasons, business reasons, or technical network performance reasons; the key is that the banner tells users that their connection to the network signals their consent to monitoring. Second, consent can also be obtained to look at files and records. Third, in the case of government systems, consent is needed to prevent direct application of the Fourth Amendment. And the last purpose is that the warning banner can establish the system or network administrator's common authority to consent to a law enforcement search.

Computer Fraud and Abuse Act (1986)
The Computer Fraud and Abuse Act (CFAA) of 1986, amended in 1994, 1996, and in 2001 by the Patriot Act, serves as the current foundation for criminalizing unauthorized access to computer systems. The CFAA makes it a crime to knowingly access, without authorization or in excess of authorized access, a computer that is a government computer or is involved in interstate or foreign communication, which in today's Internet-connected age can be almost any machine. The act sets financial damage thresholds, which were lowered by the Patriot Act, but in light of today's investigation costs, these are easily met. The act also makes it a crime to knowingly transmit a program, code, or command that results in damage. Trafficking in passwords or similar access information is also criminalized. This is a wide-sweeping act, but the challenge of proving a case still exists.

Patriot Act
The Patriot Act of 2001, passed in response to the September 11 terrorist attacks on the World Trade Center in New York, substantially changed the levels of checks and balances in laws related to privacy in the United States. This law extends the pen register and trap-and-trace provisions of existing wiretap statutes to the Internet and mandates certain technological modifications at ISPs to facilitate electronic wiretaps on the Internet. The act also permitted the Justice Department to proceed with its rollout of the Carnivore program, an eavesdropping program for the Internet. Much controversy exists over Carnivore, but until it's changed, the Patriot Act mandates that ISPs cooperate and facilitate monitoring. The Patriot Act also permits federal law enforcement personnel to investigate computer trespass (intrusions) and enacts civil penalties for trespassers.

Gramm-Leach-Bliley Act (GLB)
In November 1999, President Clinton signed the Gramm-Leach-Bliley Act, a major piece of legislation affecting the financial industry with significant privacy provisions for individuals. The key privacy tenet enacted in GLB was the establishment of an opt-out method for individuals to maintain some control over the use of the information provided in a business transaction with a member of the financial community. GLB is enacted through a series of rules governed by state law, federal law, securities law, and federal rules. These rules cover a wide range of financial institutions, from banks and thrifts, to insurance companies, to securities dealers. Some internal information sharing is required under the Fair Credit Reporting Act (FCRA) between affiliated companies, but GLB restricts sharing with external third-party firms, requiring notice to the customer and an opportunity to opt out.

Sarbanes-Oxley (SOX)
In the wake of several high-profile corporate accounting/financial scandals in the United States, the federal government in 2002 passed sweeping legislation overhauling the financial accounting standards for publicly traded firms in the United States. These changes were comprehensive, touching most aspects of business in one way or another. With respect to information security, one of the most prominent changes is Section 404 controls, which specify that all processes associated with the financial reporting of a firm must be controlled and audited on a regular basis. Since the majority of firms use computerized systems, this placed internal auditors in the IT shops, verifying that the systems had adequate controls to ensure the integrity and accuracy of financial reporting. These controls have resulted in controversy over the cost of maintaining them versus the risk of not using them.
Section 404 requires firms to establish a control-based framework designed to detect or prevent fraud that would result in misstatement of financials. In simple terms, these controls should detect insider activity that would defraud the firm. This has significant impacts on internal security controls, because a system administrator with root-level access could perform many, if not all, tasks associated with fraud and would have the ability to alter logs and cover his or her tracks. Likewise, certain power users of financial accounting programs would also have significant capability to alter records.

Payment Card Industry Data Security Standard (PCI DSS)
The payment card industry, including the powerhouses of MasterCard and Visa, designed a private-sector initiative to protect payment card information between banks and merchants. This is a voluntary, private-sector initiative that is prescriptive in its security guidance. Merchants and vendors can choose not to adopt these measures, but the standard has a steep price for noncompliance; the transaction fee for noncompliant
vendors can be significantly higher, fines up to $500,000 can be levied, and in extreme cases the ability to process credit cards can be revoked. The PCI DSS is a set of six control objectives, containing a total of 12 requirements:
1. Build and Maintain a Secure Network
Requirement 1 Install and maintain a firewall configuration to protect cardholder data
Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
Requirement 3 Protect stored cardholder data
Requirement 4 Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
Requirement 5 Use and regularly update anti-virus software
Requirement 6 Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
Requirement 7 Restrict access to cardholder data by business need-to-know
Requirement 8 Assign a unique ID to each person with computer access
Requirement 9 Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
Requirement 10 Track and monitor all access to network resources and cardholder data
Requirement 11 Regularly test security systems and processes
6. Maintain an Information Security Policy
Requirement 12 Maintain a policy that addresses information security for all employees and contractors

Import/Export Encryption Restrictions
Encryption technology has been controlled by governments for a variety of reasons. The level of control varies from outright banning to little or no regulation. The reasons behind the control vary as well, and control over import and export is a vital method of maintaining a level of control over encryption technology in general. The majority of the laws and restrictions are centered on the use of cryptography, which was until recently used mainly for military purposes. The advent of commercial transactions and network communications over public networks such as the Internet has expanded the use of cryptographic methods to include securing of network communications. As is the case in most rapidly changing technologies, the practice moves faster than law. Many countries still have laws that are outmoded in terms of e-commerce and the Internet. Over time, these laws will be changed to serve these new uses in a way consistent with each country's needs.

U.S. Law
Export controls on commercial encryption products are administered by the Bureau of Industry and Security (BIS) in the U.S. Department of Commerce. The responsibility for export control and jurisdiction was transferred from the State Department to the Commerce Department in 1996 and most recently updated on June 6, 2002. Rules governing exports of encryption are found in the Export Administration Regulations (EAR), 15 C.F.R. Parts 730–774. Sections 740.13, 740.17, and 742.15 are the principal references for the export of encryption items.
Needless to say, violation of encryption export regulations is a serious matter and is not an issue to take lightly. Until recently, encryption export was accorded the same level of attention as the export of weapons of war. With the rise of the Internet, widespread personal computing, and the need for secure connections for e-commerce, this position has relaxed somewhat. The United States updated its encryption export regulations to provide treatment consistent with regulations adopted by the EU, easing export and re-export restrictions among the 15 EU member states and Australia, the Czech Republic, Hungary, Japan, New Zealand, Norway, Poland, and Switzerland. The member nations of the Wassenaar Arrangement agreed to remove key length restrictions on encryption hardware and software, subject to certain reasonable levels of encryption strength. This action effectively removed "mass-market" encryption products from the list of dual-use items controlled by the Wassenaar Arrangement.
The U.S. encryption export control policy continues to rest on three principles: review of encryption products prior to sale, streamlined post-export reporting, and license review of certain exports of strong encryption to foreign government end users.
The current set of U.S. rules requires notification to the BIS for export in all cases, but the restrictions are significantly lessened for mass-market products, defined by all of the following:
• They are generally available to the public by being sold, without restriction, from stock at retail selling points by any of these means:
    • Over-the-counter transactions
    • Mail-order transactions
    • Electronic transactions
    • Telephone call transactions
• The cryptographic functionality cannot easily be changed by the user.
• They are designed for installation by the user without further substantial support by the supplier.
• When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with export regulations.
Mass-market commodities and software employing a key length greater than 64 bits for the symmetric algorithm must be reviewed in accordance with BIS regulations. Restrictions on exports by U.S. persons to terrorist-supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria), their nationals, and other sanctioned entities are not changed by this rule.
As you can see, this is a very technical area, with significant rules and significant penalties for infractions. The best rule is that whenever you are faced with a situation involving the export of encryption-containing software, consult an expert and get the appropriate permission, or a statement that permission is not required, first. This is one case where it is better to be safe than sorry.

Non-U.S. Laws
Export control rules for encryption technologies fall under the Wassenaar Arrangement, an international arrangement on export controls for conventional arms and dual-use goods and technologies. The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. Participating states, of which the United States is one of 33, seek, through their own national policies and laws, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities that undermine these goals, and are not diverted to support such capabilities.
Many nations have more restrictive policies than those agreed upon as part of the Wassenaar Arrangement. Australia, New Zealand, the United States, France, and Russia go further than is required under Wassenaar and restrict general-purpose cryptographic software as dual-use goods through national laws. The Wassenaar Arrangement has had a significant impact on cryptography export controls, and there seems to be little doubt that some of the nations represented will seek to use the next round to move toward a more repressive cryptography export control regime based on their own national laws. There are ongoing campaigns to influence other members of the arrangement toward less restrictive rules, and in some cases no rules. These lobbying efforts are based on e-commerce and privacy arguments.
In addition to the export controls on cryptography, significant laws prohibit the use and possession of cryptographic technology. In China, a license from the state is required for cryptographic use. In some other countries, including Russia, Pakistan, Venezuela, and Singapore, tight restrictions apply to cryptographic uses. France relinquished tight state control over the possession of the technology in 1999. One of the driving points behind France's action is the fact that more and more Internet technologies have built-in cryptography. Digital rights management, secure USB solutions, digital signatures, and Secure Sockets Layer (SSL)-secured connections are examples of common behind-the-scenes use of cryptographic technologies. In 2007, the United Kingdom brought into force a law (Part III of the Regulation of Investigatory Powers Act 2000) mandating that, when requested by UK authorities, encryption keys or decrypted data must be provided to permit decryption of information associated with a terror or criminal investigation. Failure to deliver either the keys or the decrypted data is itself an offense, punishable by up to two years in prison, or up to five years in national security cases. Although this seems reasonable, it has been argued that such a rule will drive certain financial entities offshore, as it applies only to data housed in the UK. As for deterrence, the two-year sentence may be preferable to a conviction for trafficking in child pornography; hence the law may be less useful than it first appears.

Digital Signature Laws
On October 1, 2000, the Electronic Signatures in Global and National Commerce Act (commonly called the E-Sign law) went into effect in the United States. This law implements a simple principle: a signature, contract, or other record may not be denied legal effect, validity, or enforceability solely because it is in electronic form. Another source of law on digital signatures is the National Conference of Commissioners on Uniform State Laws' Uniform Electronic Transactions Act (UETA), which has been adopted in more than 20 states. A number of states have adopted a nonuniform version of UETA, and the precise relationship between the federal E-Sign law and UETA has yet to be resolved and will most likely be worked out through litigation in the courts over complex technical issues.
Many states have adopted digital signature laws, the first being Utah in 1995. The Utah law, which has been used as a model by several other states, confirms the legal status of digital signatures as valid signatures, provides for use of state-licensed certification authorities, endorses the use of public key encryption technology, and authorizes online databases called repositories, where public keys would be available. The Utah act specifies a negligence standard regarding private encryption keys and places no limit on liability. Thus, if a criminal uses a consumer's private key to commit fraud, the consumer is financially responsible for that fraud unless the consumer can prove that he or she used reasonable care in safeguarding the private key. Consumers assume a duty of care when they adopt the use of digital signatures for their transactions, not unlike the care required for PINs on debit cards.
From a practical standpoint, the existence of the E-Sign law and UETA has enabled e-commerce transactions to proceed, and the resolution of the technical details via court actions will probably have little effect on consumers. It is worth noting that consumers will have to exercise reasonable care over their signature keys, much as they must over PINs and other private numbers. For the most part, software will handle these issues for the typical user.

Non-U.S. Signature Laws
The United Nations has a mandate to further harmonize international trade. With this in mind, the UN General Assembly adopted the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce. To implement specific technical aspects of this model law, more work on electronic signatures was needed. The General Assembly then adopted the UNCITRAL Model Law on Electronic Signatures. These model laws have become the basis for many national and international efforts in this area.

Canadian Laws
Canada was an early leader in the use of digital signatures. Singapore, Canada, and the U.S. state of Pennsylvania were the first governments to have digitally signed an interstate contract. This contract, digitally signed in 1998, concerned the establishment of a Global Learning Consortium between the three governments (source: Krypto-Digest Vol. 1 No. 749, June 11, 1998). Canada went on to adopt a national model bill for electronic signatures to promote e-commerce. This bill, the Uniform Electronic Commerce Act (UECA), allows the use of electronic signatures in communications with the government. The law contains general provisions for the equivalence between traditional and electronic signatures (source: BNA ECLR, May 27, 1998, p. 700) and is modeled after the UNCITRAL Model Law on E-Commerce (source: BNA ECLR, September 13, 2000, p. 918). The UECA is similar to Bill C-54 in authorizing governments to use electronic technology to deliver services and communicate with citizens.
Individual Canadian provinces have passed similar legislation defining digital signature provisions for e-commerce and government use. These laws are modeled after the UNCITRAL Model Law on E-Commerce to enable widespread use of e-commerce transactions. These laws have also modified the methods of interactions between the citizens and the government, enabling electronic communication in addition to previous forms.

European Laws
The European Commission adopted a Communication on Digital Signatures and Encryption: “Towards a European Framework for Digital Signatures and Encryption.” This communication states that a common framework at the EU level is urgently needed to stimulate “the free circulation of digital signature related products and services within the Internal Market” and “the development of new economic activities linked to electronic commerce” as well as “to facilitate the use of digital signatures across national borders.” Community legislation should address common legal requirements for certificate authorities, legal recognition of digital signatures, and international cooperation. This communication was debated, and a common position was presented to the member nations for incorporation into national laws.
On May 4, 2000, the European Parliament and Council approved the common position adopted by the council. In June 2000, the final version Directive 2000/31/EC was adopted. The directive is now being implemented by member states. To implement the articles contained in the directive, member states will have to remove barriers, such as legal form requirements, to electronic contracting, leading to uniform digital signature laws across the EU.


Chapter 3: Legal Issues, Privacy, and Ethics

Digital Rights Management
The ability to make flawless copies of digital media has led to another “new” legal issue.
For years, the music and video industry has relied on technology to protect its rights
with respect to intellectual property. It has been illegal for decades to copy information,
such as music and videos, protected by copyright. Even with the law, for years people
have made copies of music and videos to share, violating the law. This had not had a
significant economic impact in the eyes of the industry, as the copies made were of
lesser quality and people would pay for original quality in sufficient numbers to keep
the economics of the industry healthy. As such, legal action against piracy was typically
limited to large-scale duplication and sale efforts, commonly performed overseas and
subsequently shipped to the United States as counterfeit items.
The ability of anyone with a PC to make a perfect copy of digital media has led to industry fears that individual piracy actions could cause major economic issues in the recording industry. To protect the rights of the recording artists and the economic health of the industry as a whole, the music and video recording industry lobbied the U.S. Congress for protection, which was granted under the Digital Millennium Copyright Act (DMCA) on October 20, 1998. This law states the following: “To amend title 17, United States Code, to implement the World Intellectual Property Organization Copyright Treaty and Performances and Phonograms Treaty, and for other purposes.” Most of this law was well crafted, but one section has drawn considerable comment and criticism. A section of the law makes it illegal to develop, produce, and trade any device or mechanism designed to circumvent technological controls used in copy protection. Although on the surface this seems a reasonable requirement, the methods used in most cases are cryptographic in nature, and this provision had the ability to eliminate and/or severely limit research into encryption and the strengths and weaknesses of specific methods. A provision, Section 1201(g) of DMCA, was included to provide for specific relief and allow exemptions for legitimate research. With this section, the law garnered industry support from several organizations such as the Software & Information Industry Association (SIIA), Recording Industry Association of America (RIAA), and Motion Picture Association of America (MPAA). Based on these inputs, the U.S. Copyright Office issued a report supporting the DMCA in a required report to the Congress. This seemed to settle the issues until the RIAA threatened to sue an academic research team headed by Professor Felten from Princeton University. The issue behind the suit was the potential publication of results demonstrating that several copy protection methods were flawed in their application. This research came in response to an industry-sponsored challenge to break the methods. After breaking the methods developed and published by the industry, Felten and his team prepared to publish their findings. The RIAA objected and threatened a suit under provisions of DMCA. After several years of litigation and support of Felten by the Electronic Freedom Foundation (EFF), the case was eventually resolved in the academic team’s favor, although no case law to prevent further industry-led threats was developed.
This might seem a remote issue, but industries have been subsequently using the DMCA to protect their technologically inspired copy protection schemes for such products as laser-toner cartridges and garage-door openers. It is doubtful that the U.S. Congress intended the law to have such effects, yet until these issues are resolved in court, the DMCA may have wide-reaching implications. The act has specific exemptions for research provided four elements are satisfied:
(A) the person lawfully obtained the encrypted copy, phonorecord, performance,
or display of the published work;
(B) such act is necessary to conduct such encryption research;

(C) the person made a good faith effort to obtain authorization before the
circumvention; and
(D) such act does not constitute infringement under this title or a violation of
applicable law other than this section, including section 1030 of title 18 and those
provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
Additional exemptions are scattered through the law, although many were pasted in
during various deliberations on the act and do not make sense when the act is viewed
as a whole. The effect of these exemptions upon people in the software and technology
industry is not clear, and until restrained by case law, the DMCA gives large firms with
deep legal pockets a potent weapon to use against parties who disclose flaws in encryption technologies used in various products. Actions have already been initiated against
individuals and organizations who have reported security holes in products. This will
be an active area of legal contention as the real issues behind digital rights management
have yet to be truly resolved.

Privacy
The advent of interconnected computer systems has enabled businesses and governments to share and integrate information. This has led to a resurgence in the importance of privacy laws worldwide. Governments in Europe and the United States have
taken different approaches in attempts to control privacy via legislation. Many social
and philosophical differences have led to these differences, but as the world becomes
interconnected, understanding and resolving them will be important.
Privacy can be defined as the power to control what others know about you and
what they can do with this information. In the computer age, personal information
forms the basis for many decisions, from credit card transactions to purchase goods, to
the ability to buy an airplane ticket and fly domestically. Although it is theoretically
possible to live an almost anonymous existence today, the price for doing so is high—
from higher prices at the grocery store (no frequent shopper discount), to higher credit
costs, to challenges with air travel, opening bank accounts, and seeking employment.

U.S. Privacy Laws
Identity privacy and the establishment of identity theft crimes are governed by the Identity Theft and Assumption Deterrence Act, which makes it a violation of federal law to knowingly use another’s identity. The collection of information necessary to do this is also governed by GLB, which makes it illegal for someone to gather identity information on another under false pretenses. In the education area, privacy laws have existed for years. Student records have significant protections under the Family Education Records and Privacy Act of 1974, including significant restrictions on information sharing. These records operate on an opt-in basis, as the student must approve the disclosure of information prior to the actual disclosure.

Health Insurance Portability & Accountability Act (HIPAA)
Medical and health information also has privacy implications, which is why the U.S. Congress enacted the Health Insurance Portability & Accountability Act (HIPAA) of 1996. HIPAA calls for sweeping changes in the way health and medical data is stored, exchanged, and used. From a privacy perspective, significant restrictions of data transfers to ensure privacy are included in HIPAA, including security standards and electronic signature provisions. HIPAA security standards mandate a uniform level of protections regarding all health information that pertains to an individual and is housed or transmitted electronically. The standard mandates safeguards for physical storage, maintenance, transmission, and access to individuals’ health information. HIPAA mandates that organizations that use electronic signatures will have to meet standards ensuring information integrity, signer authentication, and nonrepudiation. These standards leave to industry the task of specifying the technical solutions and mandate compliance only to significant levels of protection as provided by the rules being released by industry.

Gramm-Leach-Bliley Act (GLB)
In the financial arena, GLB introduced the U.S. consumer to privacy notices, where firms must disclose what they collect, how they protect the information, and with whom they will share it. Annual notices are required as well as the option for consumers to opt out of the data sharing. The primary concept behind U.S. privacy laws in the financial arena is the notion that consumers be allowed to opt out. This was strengthened in GLB to include specific wording and notifications as well as the appointment of a privacy officer for the firm.

California Senate Bill 1386 (SB 1386)
California Senate Bill 1386 (SB 1386) was a landmark law concerning information disclosures. It mandates that Californians be notified whenever personally identifiable information is lost or disclosed. Since the passage of SB 1386, numerous other states have modeled legislation on this bill, and although national legislation has been blocked by political procedural moves, it will eventually be passed.

European Laws
The EU has developed a comprehensive concept of privacy administered via a set of statutes known as data protection laws. These privacy statutes cover all personal data, whether collected and used by government or private firms. These laws are administered
by state and national data protection agencies in each country. With the advent of the
EU, this common comprehensiveness stands in distinct contrast to the patchwork of
laws in the United States.
Privacy laws in Europe are built around the concept that privacy is a fundamental human right that demands protection through government administration. When the EU was formed, many laws were harmonized across the 15 member nations, and data privacy was among those standardized. One important aspect of this harmonization is the Data Protection Directive, adopted by EU members, which has a provision allowing the European Commission to block transfers of personal data to any country outside the EU that has been determined to lack adequate data protection policies. The differences in approach between the U.S. and the EU with respect to data protection led to the EU issuing expressions of concern about the adequacy of data protection in the U.S., a move that could pave the way to the blocking of data transfers. After negotiation, it was determined that U.S. organizations that voluntarily joined an arrangement known as Safe Harbor would be considered adequate in terms of data protection.
Safe Harbor is a mechanism for self-regulation that can be enforced through trade practice law via the FTC. A business joining the Safe Harbor Consortium must make commitments to abide by specific guidelines concerning privacy. Safe Harbor members also agree to be governed by certain self-enforced regulatory mechanisms, backed ultimately by FTC action.
Another major difference between U.S. and European regulation lies in where the right of control is exercised. In European directives, the right of control over privacy is balanced in such a way as to favor consumers. Rather than having to pay to opt out, as in unlisted phone numbers, consumers have such services for free. Rather than having to opt out at all, the default privacy setting is deemed to be the highest level of data privacy, and users have to opt in to share information. This default setting is a cornerstone of the EU Data Protection Directive and is enforced through national laws in all member nations.

Ethics
Ethics has been a subject of study by philosophers for centuries. It might be surprising
to note that ethics associated with computer systems has a history dating back to the
beginning of the computing age. The first examination of cybercrime occurred in the
late 1960s, when the professional conduct of computer professionals was examined
with respect to their activities in the workplace. If we consider ethical behavior to be
consistent with that of existing social norms, it can be fairly easy to see what is considered right and wrong. But with the globalization of commerce, and the globalization of
communications via the Internet, questions are raised about what is the appropriate social norm. Cultural issues can have wide-ranging effects on this, and although the idea
of an appropriate code of conduct for the world is appealing, it is as yet an unachieved
objective.
The issue of globalization has significant local effects. If a user wishes to express free speech via the Internet, is this protected behavior or criminal behavior? Different locales have different sets of laws to deal with items such as free speech, with some recognizing the right, while others prohibit it. With the globalization of business, what are the appropriate controls for intellectual property when some regions support this right, while others do not even recognize intellectual property as something of value, but rather something owned by the collective of society? The challenge in today’s business environment is to establish and communicate a code of ethics so that everyone associated with an enterprise can understand the standards of expected performance.
A great source of background information on all things associated with computer security, the SANS Institute, published a set of IT ethical guidelines in April 2004: see www.sans.org/resources/ethics.php?ref=3781.

SANS Institute IT Code of Ethics
Version 1.0 - April 24, 2004
The SANS Institute
© 2000-2008 The SANS™ Institute. Reprinted with permission.
I will strive to know myself and be honest about my capability.
• I will strive for technical excellence in the IT profession by maintaining and enhancing my own knowledge and skills. I acknowledge that there are many free resources available on the Internet and affordable books and that the lack of my employer’s training budget is not an excuse nor limits my ability to stay current in IT.
• When possible I will demonstrate my performance capability with my skills via projects, leadership, and/or accredited educational programs and will encourage others to do so as well.
• I will not hesitate to seek assistance or guidance when faced with a task beyond my abilities or experience. I will embrace other professionals’ advice and learn from their experiences and mistakes. I will treat this as an opportunity to learn new techniques and approaches. When the situation arises that my assistance is called upon, I will respond willingly to share my knowledge with others.
• I will strive to convey any knowledge (specialist or otherwise) that I have gained to others so everyone gains the benefit of each other’s knowledge.
• I will teach the willing and empower others with Industry Best Practices (IBP). I will offer my knowledge to show others how to become security professionals in their own right. I will strive to be perceived as and be an honest and trustworthy employee.
• I will not advance private interests at the expense of end users, colleagues, or my employer.
• I will not abuse my power. I will use my technical knowledge, user rights, and permissions only to fulfill my responsibilities to my employer.


• I will avoid and be alert to any circumstances or actions that might lead to conflicts of interest or the perception of conflicts of interest. If such circumstance occurs, I will notify my employer or business partners.
• I will not steal property, time or resources.
• I will reject bribery or kickbacks and will report such illegal activity.
• I will report on the illegal activities of myself and others without respect to the punishments involved. I will not tolerate those who lie, steal, or cheat as a means of success in IT.
I will conduct my business in a manner that assures the IT profession is considered one of integrity and professionalism.
• I will not injure others, their property, reputation, or employment by false or malicious action.
• I will not use availability and access to information for personal gains through corporate espionage.
• I distinguish between advocacy and engineering. I will not present analysis and opinion as fact.
• I will adhere to Industry Best Practices (IBP) for system design, rollout, hardening and testing.
• I am obligated to report all system vulnerabilities that might result in significant damage.
• I respect intellectual property and will be careful to give credit for other’s work. I will never steal or misuse copyrighted, patented material, trade secrets or any other intangible asset.
• I will accurately document my setup procedures and any modifications I have done to equipment. This will ensure that others will be informed of procedures and changes I’ve made.
I respect privacy and confidentiality.
• I respect the privacy of my co-workers’ information. I will not peruse or examine their information including data, files, records, or network traffic except as defined by the appointed roles, the organization’s acceptable use policy, as approved by Human Resources, and without the permission of the end user.
• I will obtain permission before probing systems on a network for vulnerabilities.
• I respect the right to confidentiality with my employers, clients, and users except as dictated by applicable law.
I respect human dignity.
• I treasure and will defend equality, justice and respect for others.
• I will not participate in any form of discrimination, whether due to race, color, national origin, ancestry, sex, sexual orientation, gender/sexual identity or expression, marital status, creed, religion, age, disability, veteran’s status, or political ideology.

Chapter Review
From a system administrator’s position, complying with cyber-laws is fairly easy. Add warning banners to all systems that enable consent to monitoring as a condition of access. This will protect you and the firm during normal routine operation of the system. Safeguard all personal information obtained in the course of your duties and do not obtain unnecessary information merely because you can get it. With respect to the various privacy statutes that are industry specific—GLB, FCRA, ECPA, FERPA, HIPAA—refer to your own institution’s guidelines and policies. When confronted with aspects of the U.S. Patriot Act, refer to your company’s general counsel, for although the act may absolve you and the firm of responsibility, this act’s implications with respect to existing law are still unknown. And in the event that your system is trespassed upon (hacked), you can get federal law enforcement assistance in investigating and prosecuting the perpetrators.

Questions
To further help you prepare for the Security+ exam, and to test your level of preparedness, answer the following questions and then check your answers against the list of correct answers at the end of the chapter.
1. The VP of IS wants to monitor user actions on the company’s intranet. What is the best method of obtaining the proper permissions?
A. A consent banner displayed upon login
B. Written permission from a company officer
C. Nothing, because the system belongs to the company
D. Written permission from the user
2. Your Social Security number and other associated facts kept by your bank are protected by what law against disclosure?
A. The Social Security Act of 1934
B. The Patriot Act of 2001
C. The Gramm-Leach-Bliley Act
D. HIPAA


3. Breaking into another computer system in the United States, even if you do
not cause any damage, is regulated by what laws?
A. State law, as the damage is minimal
B. Federal law under the Identity Theft and Assumption Deterrence Act
C. Federal law under Electronic Communications Privacy Act (ECPA) of 1986
D. Federal law under the Patriot Act of 2001
4. Export of encryption programs is regulated by the
A. U.S. State Department
B. U.S. Commerce Department
C. U.S. Department of Defense
D. National Security Agency
5. For the FBI to install and operate Carnivore on an ISP’s network, what is
required?
A. A court order specifying items being searched for
B. An official request from the FBI
C. An impact statement to assess recoverable costs to the ISP
D. A written request from an ISP to investigate a computer trespass incident

6. True or false: Digital signatures are equivalent to notarized signatures for all
transactions in the United States.
A. True for all transactions in which both parties agree to use digital
signatures
B. True only for non-real property transactions
C. True only where governed by specific state statute
D. False, as the necessary laws have not yet passed
7. The primary factor(s) behind data sharing compliance between U.S. and
European companies is/are
A. Safe Harbor Provision
B. European Data Privacy Laws
C. U.S. FTC enforcement actions
D. All of the above
8. True or false: Writing viruses and releasing them across the Internet is a violation of law.
A. Always true. All countries have reciprocal agreements under international law.
B. Partially true. Depends on laws in country of origin.
C. False. Computer security laws do not cross international boundaries.
D. Partially true. Depends on the specific countries involved, the author of the virus, and the recipient.
9. Publication of flaws in encryption used for copy protection is a potential violation of
A. HIPAA
B. U.S. Commerce Department regulations
C. DMCA
D. National Security Agency regulations
10. Violation of DMCA can result in
A. Civil fine
B. Jail time
C. Activity subject to legal injunctions
D. All of the above

Answers
1. A. A consent banner consenting to monitoring resolves issues of monitoring with respect to the Electronic Communications Privacy Act (ECPA) of 1986.
2. C. The Gramm-Leach-Bliley Act governs the sharing of privacy information with respect to financial institutions.
3. D. The Patriot Act of 2001 made computer trespass a felony.
4. B. Export controls on commercial encryption products are administered by the Bureau of Industry and Security (BIS) in the U.S. Department of Commerce.
5. B. The Patriot Act of 2001 mandated ISP compliance with the FBI Carnivore program.
6. A. Electronic digital signatures are considered valid for transactions in the United States since the passing of the Electronic Signatures in Global and National Commerce Act (E-Sign) in 2001.
7. D. All of the above. The primary driver is European data protection laws as enforced on U.S. firms by the FTC through the Safe Harbor provision mechanism.
8. D. This is partially true, for not all countries share reciprocal laws. Some common laws and reciprocity issues exist in certain international communities—for example, the European Union—so some cross-border legal issues have been resolved.
9. C. This is a potential violation of the Digital Millennium Copyright Act of 1998 unless an exemption provision is met.
10. D. All of the above have been attributed to DMCA, including the jailing of a Russian programmer who came to the United States to speak at a security conference. See w2.eff.org/IP/DMCA/?f=20010830_eff_dmca_op-ed.html.


