

Practical UNIX & Internet Security

Chapter 26. Computer Security and U.S. Law

26.4 Other Liability

When you operate a computer, you have more to fear than break-ins and physical disasters. You also need to worry that the actions of some of your own users (or yourself) may result in violation of the law, or civil action. Here, we present a few notable concerns in this area.

The law is changing rapidly in the areas of computer use and abuse. It is also changing rapidly with regard to networks and network communication. We cannot hope to provide information here that will be up-to-date for very long. For instance, one outstanding reference in this area, Internet & Network Law 1995, by William J. Cook[5] summarizes some of the recent rulings in computer and network law in the year 1995. Mr. Cook's report has almost 70 pages of case summaries and incidents, all of which represent recent decisions. As more people use computers and networks, and as more commercial interests are tied into computing, we can expect the pace of new legislation, legal decisions, and other actions to increase. Therefore, as with any other aspect of the law, you are advised to seek competent legal counsel if you have any questions about whether these concerns may apply to you.[6] Keep in mind that the law functions with a logic all its own - one that is puzzling and confounding to people who work with software. The law is not necessarily logical and fair, nor does it always embody common sense.

[5] Of the law firm Willian Brinks Hofer Gilson & Lione in Chicago.

[6] And don't make it a one-time visit, either. With the rapid pace of change, you need to track the changes if there is any chance that you might be affected by adverse changes in the law.

26.4.1 Munitions Export

In Section 6.7.2, "Cryptography and Export Controls," we described some of the export control regulations in effect in the United States. Although largely quite silly and short-sighted, they are nonetheless the law and you may encounter problems if you are in violation.

One reading of the regulations suggests that anyone who exports encryption software outside the country, or makes it available to foreign nationals who are not permanent residents, is in violation of the statutes unless a license is obtained first; such licenses are notoriously difficult to obtain. It may also be the case that granting access to certain forms of advanced supercomputing equipment (even granting accounts) to foreign nationals is in violation of the law.

You may believe that you are not exporting any prohibited software. However, stop and think for a moment. Does your anonymous FTP repository contain encryption software of any kind? Does your WWW server have any pages with encryption software? Do you run a mailing list or remailer that can be used to send encryption software outside the U.S.? If the answer to any of those is "yes," you should consider seeking legal advice on this issue, as you may be classified as an "exporter." Violations of the export control acts are punishable (upon conviction) with hefty fines and long jail terms.

A further potential violation involves access to the software by non-citizens. If any of your employees (or students) are not U.S. citizens or permanent residents, and if they have access to encryption software or advanced computing hardware, you are likely to be in violation of the law. Note that one interpretation of the law implies that if you only provide an account that is used by someone else to obtain controlled software you may still be liable. (If you do, you are probably in good company, because nearly all major universities and software vendors in the country are in the same position. This fact may be little comfort if Federal agents show up at your door, however.)

An even more bizarre and interesting aspect of the law indicates that you may be in violation of the export control laws if you provide encryption software to U.S. citizens living and working in the U.S. - provided that they are working for a company under non-U.S. control. Thus, even if you are a U.S. citizen, and you download a copy of PGP or DES to your workstation in your office (in Washington, Chicago, Atlanta, Houston, Phoenix, Portland, Los Angeles, Fairbanks, or Honolulu), you are now an international arms exporter and potential criminal if your company is majority owned or controlled by parties outside the U.S. This liability is personal, not corporate.

The whole matter of export controls on encryption software is under study by various government groups, and is the subject of several lawsuits in Federal court. The status of this situation will undoubtedly change in the next few years. We hope that it will change to something more reasonable, but you should be sure to stay informed.

26.4.2 Copyright Infringement

Items other than software can be copyrighted. Images in your WWW pages, sound clips played through your gopher and WWW servers, and documents you copied from other sites to pad your own collection all have copyrights associated with them. On-line databases, computer programs, and electronic mail are copyrighted as well. The law states that as soon as something is expressed in a tangible form, it has a copyright associated with it. Thus, as soon as the bits are on your disk, they are copyrighted, whether a formal notice exists or not.

The standard practice on the Internet has been that something exported with a public-access server is for public use, unless otherwise noted. However, this practice is not in keeping with the way the law is currently phrased. Furthermore, some items that you obtain from an intermediate party may have had owner and copyright information removed. This does not absolve you of any copyright liability if you use that material.

In particular, recent rulings in various courts have found that under certain circumstances system operators can be sued as a contributing party, and thus held partially liable, for copyright infringement committed by users of their systems. Types of infringement include:

  • Posting pictures, artwork, and images on FTP sites and WWW sites without appropriate permission, even if the items are not clearly identified regarding owner, subject, or copyright.

  • Posting excerpts from books, reports, and other copyrighted materials via mail, FTP, or Usenet postings.

  • Posting sound clips from films, TV shows, or other recorded media without approval of the copyright holders.

  • Posting scanned-in cartoons from newspapers or magazines.

  • Reposting news articles from copyrighted sources.

  • Reposting of email. Like paper mail, email has a copyright held by the author of the email as soon as it is put in tangible form. The act of sending the mail to someone does not give the recipient copyright interest in the email. Standard practice on the net is not in keeping with the way the law is written. Thus, forwarding email may technically be a violation of the copyright law.

The best defense against possible lawsuits is to carefully screen everything you post or make available to be certain you know its copyright status. Furthermore, make all your users aware of the policy you set in this regard, and then periodically audit to ensure that the policy is followed. Having an unenforced policy will likely serve you as well as no policy - that is, not at all.

Also, beware of "amateur lawyers" who tell you that reuse of an image or article is "fair use" under the law. There is a very precise definition of fair use, and you should get the opinion from a real lawyer who knows the issues. After all, if you get sued, do you think that a reference to an anonymous post in the alt.erotica.lawyers.briefs Usenet newsgroup is going to convince the judge that you took due diligence to adhere to the law?

If anyone notifies you that you are violating their copyright with something you have on your system, you should investigate immediately. Any delay could cause additional problems. (However, we are not necessarily advocating that you pull your material from the network any time you get a complaint.)

26.4.2.1 Software piracy and the SPA

The Software Publishers Association (SPA) is one of several organizations funded by major software publishers. One of its primary goals is to cut down on the huge amount of software piracy that is regularly conducted worldwide. Although each individual act of unauthorized software copying and use may only deprive the vendor of a few hundred dollars at most, the sheer number of software pirates in operation makes the aggregate losses staggering: worldwide losses are estimated in the billions of dollars per year. Figures from various sources cited by Mr. Cook in Internet & Network Law 1995 indicate:

  • Worldwide losses from software piracy alone may be as high as $15 billion per year.

  • 94% of the software in the People's Republic of China is pirated.

  • 92% of the software in use in Japan is pirated.

  • 50% of the software in use in Canada is pirated.

Although there are criminal penalties for unauthorized copying, these penalties are only employed against organized software piracy operations. Instead, SPA and others rely on civil-law remedies. In particular, the SPA can obtain a court order to examine your computer systems for evidence of unlicensed copies of software. Should such copies be found without supporting documentation to show valid licenses, you may be subject to a lawsuit resulting in substantial damages. Many companies and universities have settled with the SPA with regard to these issues, with fines totaling in the many hundreds of thousands of dollars. This amount is in addition to the many thousands of dollars paid to vendors for any unlicensed software that is found.

Although the SPA has primarily been focused on software piracy in the PC domain, they will probably expand their scope into the UNIX marketplace as more shrink-wrapped software becomes available for UNIX machines. Of additional concern are the new generations of emulators that let your UNIX machine operate as a "PC" inside a window on your workstation. These emulators run PC software as well as (and sometimes faster than) a plain desktop PC. The danger is having unlicensed PC software on your workstations for use in these emulators.

A further danger involves your users. If some of your users are running a clandestine "warez" site from your FTP server, the SPA or vendors might conceivably seek financial redress from you to help cover the loss, even if you do not know about the server and otherwise don't condone the behavior.[7]

[7] Whether they would succeed in such an action is something we cannot know. However, almost anything is possible if a talented attorney were to press the case.

Your best defense in these circumstances is to clearly state to your users that no unlicensed use or possession of software is allowed under any circumstances. Having internal audits of software is one way you can check compliance with this policy. If software cannot be documented as paid for and original, then it should be deleted. Having up-to-date and per-machine log books is one way to track versions of software.

26.4.3 Trademark Violations

Note that use of trademark phrases, symbols, and insignia without the permission of the holders of the trademark may lead to difficulties. In particular, don't put corporate logos on your WWW pages without permission from the corporations involved. Holders of trademarks must carefully regulate and control the manner in which their trademarks are used, or they lose protection of them. That means that you will probably hear from a corporate attorney if you put the logos for Sun, HP, Xerox, Microsoft, Coca-Cola, or other trademark holders on your WWW pages.

26.4.4 Patent Concerns

We've mentioned patent concerns elsewhere in the book. Firms and individuals are applying for (and receiving) patents on software and algorithms at an astonishing rate. Despite the wording of the Constitution and laws on patents, the Patent Office is continuing to award patents on obvious ideas, trivial advances, and pure algorithms. In the middle of 1995, it effectively granted patent protection to a prime number as well![8]

[8] Patent 5,373,560 covering the use of the prime number 98A3DF52 AEAE9799 325CB258 D767EBD1 F4630E9B 9E21732A 4AFB1624 BA6DF911 466AD8DA 960586F4 A0D5E3C3 6AF09966 0BDDC157 7E54A9F4 02334433 ACB14BCB was granted on December 13, 1994 to Roger Schlafly of California. Although the patent only covers the use of the number when used with Schlafly's algorithm, there is no other practical use for this particular number, because it is easier (and more practical) to generate a "random" prime number than to use this one.

The danger comes when you write some new code that involves an algorithm you read about, or simply developed based on obvious prior art. You may discover, when you try to use this in a wider market, that lawyers from a large corporation will tell you that you cannot use "their" algorithm in your code because it is covered by their patent. After a patent is granted, the patent holder controls the use of the patented item for 20 years from the date of filing - you aren't even supposed to use it for experimental purposes without their approval and/or license!

Many companies are now attempting to build up huge libraries of patents to use as leverage in the marketplace. In effect, they are submitting applications on everything they develop. This practice is sad,[9] because it will have an inhibitory effect on software development in the years to come. It is also sad to see business switch from a mode of competing based on innovation to a mode of competing based on who has the biggest collection of dubious patents.

[9] Indeed, it already has had negative effects. For instance, the patents on public key encryption have really hurt information security development in recent years.

Until the courts or Congress step in to straighten out this mess, there is not much you can do to protect yourself (directly). However, we suggest that you pursue some of the references given in Appendix D, Paper Sources to further educate yourself on the issues involved. Then consider contacting your elected representatives to make your views on the matter known.

26.4.5 Pornography and Indecent Material

Every time a new communications medium is presented, pornography and erotica seem to be distributed using it. Unfortunately, we live in times in which there are people in positions of political and legal influence who believe that they should be able to define what is and is not proper, and furthermore restrict access to that material. This belief, coupled with the fact that U.S. standards of acceptability of nudity and erotic language are more strict than in many places in the world, leads to conflict on the networks.

As this book goes to press, Congress has passed a law that makes it a criminal offense to put "indecent" material on a computer where a minor might encounter it. We have also heard of cases in which people have had their computers confiscated for having a computer image on disk, which they were unaware was present, that depicted activities that someone decided violated "community standards." There have also been cases where individuals in one state have been convicted of pornography charges in another state, even though the material was not considered obscene in the state where the system was normally accessed. And last of all, you can be in serious legal trouble for simply FTPing an image of a naked minor, even if you don't know what is in the image at the time you fetch it.

Many of these laws are currently being applied selectively. In several cases, individuals have been arrested for downloading child pornography from several major online service providers. In the United States, the mere possession of child pornography is a crime. Yet the online service providers have not been harassed by law enforcement, even though the same child pornography resided on the online services' systems.

We won't comment on the nature of the laws involved, or the fanatic zeal with which some people pursue prosecution under these statutes. We will observe that if you or your users have images or text online (for FTP, WWW, Usenet, or otherwise) that may be considered "indecent" or "obscene," you may wish to discuss the issue with legal counsel. In general, the U.S. Constitution protects most forms of expression as "free speech." However, prosecution may be threatened or attempted simply to intimidate and cause economic hardship: this is not prohibited by the Constitution.

We should also point out that as part of any sensible security administration, you should know what you have on your computer, and why. Keep track of who is accessing material you provide, and beware of unauthorized use.

26.4.6 Liability for Damage

Suppose that one of your users puts up a nifty new program on your anonymous FTP site for people to use. It claims to protect any system against some threat, or fixes a vendor flaw. Someone at the Third National Bank of Hoople downloads it and runs the program, and the system then crashes, leading to thousands of dollars in damages.

Or perhaps you are browsing the WWW and discover an applet in a language such as Java that you find quite interesting. You install a link to it from your home page. Unfortunately, someone on the firewall machine at Big Whammix, Inc. clicks on the link and the applet somehow interacts with the firewall code to open an internal network to hackers around the world.

If your response to such incidents is, "Too bad. Software does that sometimes," then you are living dangerously. Legal precedent is such that you might be liable, at least partially, for damages in cases such as these. You could certainly be sued and need to answer in court to such charges, and that is not a pleasant experience. Think about explaining how you designed and tested the code, how you documented it, and how you warned other users about potential defects and side effects. How about the implied warranty?

Simply because "everyone on the net" does something does not mean that a judge and jury will be convinced that you aren't responsible for some of the mess that action causes. There have been many times in the history of the United States that people have been successfully sued for activity which was widespread. The mere fact that "everybody was doing it" did not stop some particular individuals from being found liable.

In general, you should get expert legal advice before providing any executable code to others, even if you intend to give the code away.

26.4.7 Harassment, Threatening Communication, and Defamation

Computers and networks give us great opportunities for communicating with the world. In a matter of moments, our words can be speeding around the world destined for someone we have never met in person, or for a large audience. Not only is this ability liberating and empowering, it can be very entertaining. Mailing lists, "chat rooms," MUDs, newsgroups, and more all provide us with news and entertainment.

Unfortunately, this same high-speed, high-bandwidth communications medium can also be used for less-than-noble purposes. Email can be sent to harass someone, news articles can be posted to slander someone, and online chats can be used to threaten someone with harm.

In the world of paper and telephones, there are legal remedies to harassing and demeaning communication. Some of those remedies are already being applied to the online world. We have seen cases of people being arrested for harassment and stalking online, and sued (successfully) for slander in posted Usenet articles. There have also been cases filed for violation of EEOC laws because of repeated postings that are sexually, racially, or religiously demeaning.[10]

[10] Note that the use of screen savers with inappropriate images can also contribute to such complaints.

Words can hurt others, sometimes quite severely. Often, words are a prelude or indicator of other potential harm, including physical harm. For this reason, you must have policies in place prohibiting demeaning or threatening postings and mailings from work-related accounts.[11] We further suggest that you have a policy in place prohibiting any form of anonymous posting or mailing from the workplace.

[11] We are strong advocates of free speech, and are bothered by too much "political correctness." However, free speech and artistic expression are not usually part of one's job function in most environments. Expression should be allowed from personal accounts outside the workplace, and those doing the expressing should be held accountable for the consequences of their speech.