Version 2/27/07
Support Material: Hackers, Hits and Chats
Keyterms: business models, click fraud, copyright, cybersquatting, free software, identity theft, intellectual property, IP Address, ISP, keywords, license, open source, pay per click, patent, phishing, privacy, rfid, scalability, streaming media, trademark

Law Privacy and Security Issues

• Global
• Jurisdiction
• Content Filtering
• Two Industries
• Fraud
• Intellectual Property
• Privacy
• Security

Global

The internet is a global marketplace without a truly global set of rules. Rules (laws) are typically set at the nation / state level, and harmonizing those rules at the global level is a complicated process. Without a truly global set of rules, the development of the internet as a global marketplace is impacted. Countries with the least prohibitive set of laws will tend to draw companies that want to exploit those laws in order to do business, as it really matters little where a business is set up, when it plans to operate on the global internet. This has occured for businesses that are registered in states and countries with less onerous tax codes for example.

Global agencies such as UNCITRAL and the WTO attempt to harmonize rules that are important to the functioning of the global internet. Whether these are rules with respect to intellectual property rights (first to file versus first to use with respect to trademarks for instance); freedom of speech and e-commerce in general (contracts and digital signatures: What Does It Mean When You Click: I Agree?: e-commerce contracts, digital signatures).

Specific Laws that have been developed to address the internet have been primarily targeted at copyright and the protection of children (which has in turn become a freedom of speech issue). These laws include:

• Communications Decency Act

• Child Online Protection Act

• Children's Internet Protection Act

Jurisdiction

Who has juridiction over transactions over the internet is a complicated question. Prior to the internet, most transactions occured with the physical presence of both the buyer and the seller, within one specific jurisdiction. The very nature of the internet creates scenarios where multiple jurisdictions are likely to be 'involved' in any single transaction. It will be important to note:

1. The location of the customer

2. The location of the business

3. The location of the servers

Two and three may well be in the same jurisdiction, but there are good reasons why a business may want to host its servers in a location other than where the business is registered. These reasons include cost, the need to protect the data from a local government (Google has recently moved data out of China), and the need to move data from an IP address that has been 'blocked'.

Thus now a customer can be based in the UK, purchasing from a US-based business, whose servers are actually based in Australia.

If a chinese national, traveling in Russia, sends a communication, while in Moscow, to an Australian national, who receives the communication while traveling in the UK, who has legal jurisdiction ? Note, the communication, while traveling through the internet, travels via ISPs based in the US.

If a US national, gambles online using a site that is based in a jurisdiction where online gambling is legal, who has broken the law, the site or the US national ?

Content Filtering

Given that customers are liable to abide by their local laws it would make sense to use some form of filtering at the local level (customer's ISP for instance) to make sure the content that can be accessed by the customer is appropriate for the local laws. This is a stance adopted by more restrictive regime's such as China and Burma, but has not been implemented with any degree of success in a more open society such as the United States.

The reasons for the lack of adoption of filtering technologies on a broad level are twofold:

1. They are somewhat ineffective

2. They change the role of the ISP to that of a publisher, which changes their liability

The ineffectiveness stems from two aspects:

• The difficulting filtering content based on keywords: breast is a word used in porn sites as well as sites for breast cancer for example

• The ease in which a site owner can reestablish a blocked site under a new IP address

Internet Filter : Censorship in cyberspace

Two Industries: Pornography: Gambling

Online Gambling
The US has onerous gambling laws and is also attempting to make online gambling illegal, even with sites that are based in jurisdictions where online gambling is legal. The US complains that online gambling potentially enables money laundering. Online Gambling-General Legal Issues

The issues related to jurisdiction allows businesses to operate in legal environments that are less of a burden, even if the business itself would create legal concerns in the home state of the customer. The US is also attempting to make it illegal for these sites to accept payments from US-based credit cards, in order to curb their ability to gain customers from the US.

The United States has pretty limiting gambling laws. Other parts of the world do not. Online gambling sites generate about $12 b in revenue from the US as these sites allow US citizens to do something they are not able to do in the physical world around them.

Internet Pornography
As we have discussed previously, the Porn Industry has been a pioneer in many aspects of internet development. This ranges from the development of early business models; security and privacy issues and the development of streaming media. The industry does however present major concerns from a legal standpoint. The three broad legal issues it faces are:

1. Prohibition of types of porn in various jurisdictions

2. Accessibility of porn to those underage

3. Age of the models

For the first issue the biggest concern is Child Pornography, which most jurisdictions agree is unlawful. Some jurisdictions do disagree as to what consistutes the legal age of a child however (16 or 18); which creates a problem for images of models under 18 (over 16) that can be viewed in the US for instance.

A major issue for Porn sites is how to verify the age of the customer. Using a credit card is one method, on the assumption that ownership of a credit card implies a specific age. Sites also have customers 'click' on age verification agreements, but of course anyone can click on a notice online. There are third party sites that can be used as a clearinghouse to verify age, but really this is an area which has not proved conclusive. The physical nature of purchasing porn in an offline world provides much more tangible proof for age verification.

Sites also need to verify the performers that are used are of legal age.

Internet Pornography-Legal Status

Fraud

Internet Fraud is a significant cost to business and consumers online. Fraud can range from Click Fraud, which is designed to manipulate pay per click programs; Hurricane Katrina fraud, costing aid agencies significantly by posing as benevolent funds; Nigerian Scam (the movement of large sums of money out of a country like Nigeria, which requires the receiver pay a small downpayment in order to share in the imaginary windfall); and phishing used for identity theft. Internet Fraud exploits the anonymity of the internet and the scalability of communications.

Intellectual Property

It is critical that IP laws are robust around the world to creat global commerce. Abuse of intellectual property rights has led to excessive piracy of software and music in certain parts of the world such as China. It is estimated that piracy costs the software industry about $30 b per year (a third of software in use has been pirated). There has been some debate about the "victimless crime" nature of software piracy, and the benefits piracy has on the industry in terms of distribution. Others also argue that all software should be free.

The three elements of intellectual property are:

• Copyright: Digital Millennium Copyright Act: Copyright infringement of software: Copyright infringement

• Patent

• Trademark

Copyright provides rights to the author of a piece of work over a specific period of time. Specifically software (written code), books, music and films. Authors use a license to describe the use of the "property". Copyright protection is typically provided for a fixed period of time, and there is a 'fair use' clause that allows the use of the property in certain cases. For example, I am able to write notes about the books we use for this course as a result of the fair use clause.

Google has recently caused much consternation with its proposed Book Project, which is designed to copy and catalog libraries of books. This project is designed to allow users to easily search books and get extracts of content from books as a result of the searches. Opponents of the project cry copyright foul. In a related case Perfect 10 is suing Google over use of thumb nail images that Google uses for search. perfect 10 claims this damages their ability to sell these into the cell phone market.

A more unusual 'movement' on the internet is the free software movement, also known as open source. They use special licenses for their work that ensures the work remains 'free'. While copyright is designed to offer protection to authors, and therefore provide incentive to innovate, a belief of the free software movement is that this protection actually stifles innovation by removing the work from open access for others to innovate. Successful free software projects include Linux and Firefox.

Patent protects an invention, a process. Thus it matters little how the invention was created (the code), it is the process itself, the outcome, that is protected. Patent protection has received considerable criticism in software development, due to the trivial nature of some of the patents granted, and the ability to acquire patents for processes that have yet to be developed (essentially stifling access to innovation in certain markets).

Amazon has been criticized for the former with its one click purchase process. It has since changed its philosophy on the use of patents. RIM (Blackberry) has recently settled its Patent case with NTP. NTP acquired a Patent for a process it had not developed, in the early 1990s. This process was developed with the popular Blackberry service, which then fell victim of a lawsuit from the original patent holder. NTP has been accused of being a patent troll.

Trademark provides the rights of the owner of a name, symbol, mark for protection to avoid consumer confusion. This applies specifically in the acquisition of domain names that are appropriate for a business' trademark. Trademark protection has typically resided at the nation state level, and the global nature of the internet has caused problems with the use of certain domain names. A secondary issue is the difference in countries with respect to "first to use" versus "first to file".

Cybersquatting is the behaviour of acquiring a domain name with the intention of reselling to a third party which has a higher perceived value for that name, or to exploit 'traffic' that domain name generates based on consumers' presumption of the purpose of the domain name. Much cybersquatting is to exploit the need for trademark holders to acquire their appropriate domain names. Domain names are a limited resource and efforts have been made to expand the top level domain (TLDs) to offer the ability for multiple companies to acquire the same name with a different TLD. Clearly the .com is the perceived standard, and companies that acquire domains with different TLDs without the acquisition of the .com can lose traffic to its .com alternative. The White House falls victim to this problem.

Privacy

Many of the privacy issues are covered in Chapter 8 of Search.

Who owns your personal date. The following includes a great discussion highlighting issues such as:

• "opt in" versus "opt out" data sharing practices

• burden is placed on the consumer who has his identity stolen, rather than on the company which served the thief

• the continued use of SSNs as a secret identifier

BJ's Wholesale Club Settles FTC Data-Protection Complaint highlights a case where a company had lax data protection processes in place. Crackers were able to access customer accounts, names, SSNs etc. and set up credit cards based on this information. The Leaky Corporation discusses this incident and the FTCs response to this case.

RFID TAGS - - IF YOU HAVEN'T HEARD OF THEM, YOU SOON WILL and like many other technologies RFID is a potential cause for concern for privacy advocates, some would argue much more vigorously the negative outcomes.

privacy versus personalization

California's "Shine the Light" Law Goes into Effect Jan. 1, 2005

online privacy US versus Europe: EU OKs Spam Ban, Online Privacy Rules

Security

Viruses Key issues:

• potential damage to computer
• how to protect against

How the following are different from viruses and how we can protect against them:

• Trojans
• Key stroke loggers
• Spyware
• Adware

Dangers of downloading software from the internet. Common Spam techniques to trick users into opening malicious code.

• Spoofing email address (very easy)
• Phishing (attempts daily)
• text links to eg. Http://www.paypal.com which are really images going to another site
• Social Engineering (eg. Hello, I'm your ISP I need you to download this bit of software and run it)

What Norton Security/Zone Alarm does What Norton Security/Zone Alarm doesn't protect against (eg. Difficulty of Trojans, key loggers) Cookies. Privacy issues Third party cookies

• privacy issues (lies with a third party)
• enabling/disabling in browsers, security levels
• Third party cookies and affiliate networks etc.

Passwords, automatic screen locks General Password Construction Guidelines Poor, weak passwords have the following characteristics:

• The password contains less than eight characters
• The password is a word found in a dictionary (English or foreign)
• The password is a common usage word such as:
  • Names of family, pets, friends, co-workers, fantasy characters, etc.
  • Computer terms and names, commands, sites, companies, hardware, software.
  • The words "", "sanjose", "sanfran" or any derivation.
  • Birthdays and other personal information such as addresses and phone numbers.
  • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Any of the above spelled backwards.
  • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:

• Contain both upper and lower case characters (e.g., a-z, A-Z)
• Have digits and punctuation characters as well as letters e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
• Are at least eight alphanumeric characters long.
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.

Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. Here is a list of "dont's":

• Don't reveal a password over the phone to ANYONE
• Don't reveal a password in an email message
• Don't reveal a password to the boss
• Don't talk about a password in front of others
• Don't hint at the format of a password (e.g., "my family name")
• Don't reveal a password on questionnaires or security forms
• Don't share a password with family members
• Don't reveal a password to co-workers while on vacation

If someone demands a password have them call someone in the Information Security Department. Do not use the "Remember Password" feature of applications(e.g., Eudora, OutLook, Netscape Messenger). Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption. Change passwords at least once every six months (except system-level passwords which must be changed quarterly). The recommended change interval is every four months. If an account or password is suspected to have been compromised, report the incident to the IT team and change all passwords. Credits: This is based on the security templates from sans.org