1 Legal and Ethical Issues Facing Computer & Network Security Researchers Aaron Burstein UC Berkeley School of Information November 23, 2009
2 Constraints on Network Research U.S. law is often unclear (and unfriendly). Ethical issues are novel, and the scientific context changes rapidly.
3 Overview Law Electronic Communications Privacy Act (ECPA) Collecting and sharing network packet traces Running infected hosts Computer Fraud & Abuse Act (CFAA) Copyright / Digital Millennium Copyright Act (DMCA) Ethics Basic principles Human Subjects Research & Institutional review boards (IRBs)
4 COMMUNICATIONS PRIVACY LAW
5 Network Research: Privacy Law Issues Common research activities: Collecting network measurement data Packet headers Payload Publishing network traces Collecting mobile device traces E.g., Location data
6 ECPA at a Glance Content Non-content Real-time Wiretap Act Pen/Trap Stored Stored Communications Act
7 Electronic Communications Privacy Act (ECPA) Wiretap Act (18 U.S.C ) Prohibits real-time interception of communications contents Stored Communications Act (18 U.S.C ) Prohibits certain disclosures of content and noncontent/addressing information Pen/Trap statute (18 U.S.C ) Prohibits real-time interception of noncontent/addressing information
8 Disclosure vs. Internal Use Real-time, contents Stored contents Voluntary disclosure OK? No No Internal use OK? No Yes Real-time, noncontent Stored, noncontent No Yes (to non-govt recipient) Yes Yes
9 No Research Exemptions in ECPA! Some trace collection permitted by: Consent of users or Provider exception (allowing network operators to monitor networks to defend them) Limitations Individual consent hard to get Blanket consent (e.g., as part of a network s terms of service) may provide little information about data collection, use Provider exception requires collaboration with operational IT staff
10 Other Privacy Issues State laws Two-party rule in state wiretap laws International laws EU member nations generally have stricter privacy laws Interaction with human subjects regulations
11 How ECPA Affects Cybersecurity Research (1) Activity: Collecting full-packet traces in realtime Relevant law: Wiretap Act Applies to any network (government, enterprise, WiFi, university, etc.) Need consent or sufficient link to operational network protection for provider exception Wiretap Act continues to cover traces after they are recorded If collection violates law, disclosure probably does too.
12 How ECPA Affects Cybersecurity Research (2) Activity: Collecting packet-header traces in real-time Relevant law: Pen/Trap statute Consent, provider exceptions available Also an exception for network operation, maintenance, and testing Legally stored data become subject to SCA
13 How ECPA Affects Cybersecurity Research (3) Activity: Sharing or publishing packet traces Relevant law: SCA Applies only to public service providers: commercial ISPs but not businesses Full-packet traces: disclosure prohibited without consent, subpoena Packet header traces: disclosure allowed unless given to governmental entity Much broader than law enforcement; hampers some public releases
14 COMPUTER FRAUD & ABUSE ACT (CFAA)
15 CFAA & Network Research Botnet infiltration (and response?) Running malicious code in testbeds Collecting data from online services Running honeynets to interact with attackers
16 CFAA Elements Protected computer Any computer connected to the Internet Access Not defined in statute Authorization Not defined in statute Obtaining information / causing loss Penalties scale with type, value of information obtained Loss is not defined
17 Is the CFAA as Broad as It Sounds? Perhaps... United States v. Lori Drew (2009) Access means to obtain information from Authorization may be set by Terms of Service But U.S. Const. limits criminal application of CFAA in TOS breach cases. Insufficient clarity + arbitrary enforcement = unconstitutional vagueness
18 Testbeds: Legal Issues Concern: What if worms, viruses escape testbed containment? CFAA prohibits (1) knowingly causing transmission of code and (2)intentionally or recklessly causing damage Unclear whether accidents meet this standard of intent
19 ETHICAL ISSUES
20 Overview 1. Basic ethical principles / theories 2. Human subjects research and ethical compliance
21 Ethical Frameworks Consequentialism The moral rightness of an act depends only on its consequences. Deontological theories Morality is prescribed by individual rights, duties.
22 Research Ethics Belmont Report crafted principles for human subjects research (HSR) Respect for persons Beneficence Justice Common Rule codifies Belmont principles Defines research, human subject, consent, institutional review board (IRB) Applies to any HSR at an organization receiving federal research funding
23 Navigating Human Subjects Review
25 Ethical Trouble Spots for Network Research Is it HSR? Waiver of Informed Consent May be waived if impracticable to obtain Deception Minimal risk No adverse effect on subjects rights, welfare Non-deceptive research design impracticable
26 IRB Review: Easing the Pain Exemptions Studies of existing, publicly available data Studies of data recorded so that subjects cannot be identified, directly or through IDs Note: IRB decides whether research is exempt. Expedited review Research involves no more than minimal risk Allows quick(er) protocol approval
27 Ethics Beyond HSR Issues Harm to the researcher s organization (e.g., university) Harm to other users Accelerating the arms race Confusing researchers roles When to report malicious activity to... Victims? Law enforcement?
28 Law & Ethics in Research Frontiers Studies of security-related behavior Downloading malware Checking binary signatures Ignoring A/V warnings Conditioning users to ignore security Infiltrating cybercrime organizations DMCA take down studies Active probes
31 Software Analysis: Contract Issues EULAs typically prohibit reverse engineering, other processes that reveal vulnerabilities Courts usually enforce them but important issues remain unsettled: Pre-emption by patent law Tension with First Amendment
32 Software Analysis: DMCA Issues No person shall circumvent a technological measure that effectively controls access to a work protected by the Copyright Act But: courts, U.S. DOJ have found that the DMCA does not prohibit conducting research on or publishing papers about software vulnerabilities. Caveats: Publishing actual circumvention software might violate DMCA. Restrictions in EULAs still apply.
33 Ethical Issues in Software Analysis Whether (and when) to notify software vendor How much detail to publish
34 Resources Legal Information Institute (http://www.law.cornell.edu/) Open access to US Constitution, US Code Common Rule Go to select title 45, part 46. Samuelson Clinic at UC Berkeley School of Law (http://www.samulesonclinic.org/) Reforming the ECPA to Enable a Culture of Cybersecurity Research (http://jolt.law.harvard.edu/) In-depth analysis of applicable privacy laws and proposal for a research exception to the ECPA
1.0 BACKGROUND AND PURPOSE Information Technology ( IT ) includes a vast and growing array of computing, electronic and voice communications facilities and services. At the Colorado School of Mines ( Mines
Code of Federal Regulations TITLE 45 PUBLIC WELFARE Department of Health and Human Services PART 46 PROTECTION OF HUMAN SUBJECTS * * * Revised January 15, 2009 Effective July 14, 2009 SUBPART A Basic HHS
Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act Dr. J.V.J. van Hoboken, A.M. Arnbak, LL.M. & Prof. Dr. N.A.N.M. van Eijk, with the assistance of N.P.H. Kruijsen, LL.M.
Marist College Information Security Policy February 2005 INTRODUCTION... 3 PURPOSE OF INFORMATION SECURITY POLICY... 3 INFORMATION SECURITY - DEFINITION... 4 APPLICABILITY... 4 ROLES AND RESPONSIBILITIES...
INFORMATION TECHNOLOGY User Standards and Guidelines Manual May 2010 Division of Information Technology http://www.palmbeachschools.org/it/security.asp Table of Contents 1. Introduction... 4 2. Definitions...
New York State Office of the State Comptroller Division of Local Government and School Accountability LOCAL GOVERNMENT MANAGEMENT GUIDE Information Technology Governance Thomas P. DiNapoli State Comptroller
CUSTOMERS BANK ONLINE & MOBILE BANKING ACCESS AGREEMENT 1) Scope of Agreement 2) Definitions 3) Terms and Conditions of Online Banking A. Requirements B. Online Banking Services - General C. Electronic
IS YOUR PROJECT HUMAN SUBJECTS RESEARCH? A Guide for Investigators HUMAN SUBJECTS RESEARCH Research projects involving human subjects require review and approval by an Institutional Review Board. An IRB
Page 1 of 5 Purpose This regulation implements Board policy JS by setting forth specific procedures, requirements and restrictions and conditions governing student use of District Information Technology
Terms of Service As of Julyl 1, 2014 IMPORTANT LEGALLY BINDING AGREEMENT Box, Inc. ( Box ) is making the Box Service (as defined below) available to you ( You or Your ) because You are a faculty member,
Australian Code for the Responsible Conduct of Research REVISION OF THE JOINT NHMRC/AVCC STATEMENT AND GUIDELINES ON RESEARCH PRACTICE AUSTRALIAN CODE FOR THE RESPONSIBLE CONDUCT OF RESEARCH [This Code
Standards for Internal Control in New York State Government October 2007 Thomas P. DiNapoli State Comptroller A MESSAGE FROM STATE COMPTROLLER THOMAS P. DINAPOLI My Fellow Public Servants: For over twenty
28 CFR Part 23 CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES Executive Order 12291 1998 Policy Clarification 1993 Revision and Commentary 28 CFR Part 23 Executive Order 12291 These regulations are not
Acceptable Use Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is
2011 CONSUMER U.S. INTELLECTUAL DATA PRIVACY PROPERTY ENFORCEMENT IN A NETWORKED COORDINATOR WORLD: COVER ANNUAL TITLE REPORT HERE ON A FRAMEWORK FOR PROTECTING PRIVACY INTELLECTUAL AND PROMOTING PROPERTY
Ethical Principles of Psychologists and Code of Conduct Adopted August 21, 2002 Effective June 1, 2003 With the 2010 Amendments Adopted February 20, 2010 Effective June 1, 2010 Ethical Principles of Psychologists
United States Government Accountability Office Report to Congressional Requesters April 2014 INFORMATION SECURITY Agencies Need to Improve Cyber Incident Response Practices GAO-14-354 April 2014 INFORMATION
1.0 Purpose JHSPH Acceptable Use Policy Use of the Johns Hopkins Bloomberg School of Public Health (JHSPH) information technology (IT) resources is a privilege that is extended to users for the purpose
A REPORT BY HARVARD BUSINESS REVIEW ANALYTIC SERVICES Meeting the Cyber Risk Challenge Sponsored by ABOUT ZURICH INSURANCE GROUP Zurich Insurance Group (Zurich) is a leading multi-line insurance provider
Council of the European Union Brussels, 19 December 2014 (OR. en) Interinstitutional File: 2012/0011 (COD) 15395/14 LIMITE NOTE From: To: No. prev. doc.: DATAPROTECT 165 JAI 860 MI 965 DRS 167 DAPIX 167
Data protection Anonymisation: managing data protection risk code of practice 2 xx Contents 3 Contents Information Commissioner s foreword 4 Appendix 1 Glossary 48 1. About this code 6 2. Anonymisation
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
USONYX PTE LTD Unmanaged Service Agreement Page 1 PARTIES A. WHEREAS, USONYX provides hosting service(s); B. WHEREAS, Client desires USONYX to provide hosting service(s); C. WHEREAS, Client agrees to Acceptable
Prosecuting Computer Crimes H. Marshall Jarrett Director, EOUSA Michael W. Bailie Director, OLE Computer Crime and Intellectual Property Section Criminal Division OLE Litigation Series Ed Hagen Assistant
APPENDIX I ELEMENT FINANCIAL CORPORATION CODE OF BUSINESS CONDUCT AND ETHICS As of December 14, 2011 1. Introduction This Code of Business Conduct and Ethics ( Code ) has been adopted by our Board of Directors
HKSA 600 Issued September 2009; revised July 2010, May 2013, June 2014*, February 2015 Effective for audits of financial statements for periods beginning on or after 15 December 2009 Hong Kong Standard