1. Describe what the term information systems ethics means.
2. Explain what a code of ethics is and describe the advantages and disadvantages.
3. Define the term intellectual property and explain the protections provided by copyright, patent, and trademark.
4. Describe the challenges that information technology brings to individual privacy.
5. Define and explain the fundamental goals of computer security: confidentiality, integrity, and availability.
6. Dive into various security measures, including access restrictions, peripheral security, firewalls, and antivirus software.
7. Introduce firewalls and emphasize their functions in network security.
Introduction
Information systems have had an impact far beyond the world of business. New technologies create new situations that have never had to be confronted before. One issue is how to handle the new capabilities that these devices provide to users. What new laws are going to be needed for protection from misuse of new technologies? This chapter begins with a discussion of the impact information systems have on user behavior, or ethics. This is followed by a look at the new legal structures being put in place, with a focus on intellectual property and privacy.
The term ethics means “a set of moral principles” or “the principles of conduct governing an individual or a group.”1 Since the dawn of civilization, the study of ethics and their impact has fascinated mankind. But what do ethics have to do with information systems? The introduction of new technology can have a profound effect on human behavior. New technologies give us capabilities that we did not have before, which in turn create environments and situations that have not been specifically addressed in an ethical context. Those who master new technologies gain new power while those who cannot or do not master them may lose power. In 1913 Henry Ford implemented the first moving assembly line to create his Model T cars. While this was a great step forward technologically and economically, the assembly line reduced the value of human beings in the production process. The development of the atomic bomb concentrated unimaginable power in the hands of one government, who then had to wrestle with the decision to use it. Today’s digital technologies have created new categories of ethical dilemmas.
For example, the ability to anonymously make perfect copies of digital music has tempted many music fans to download copyrighted music for their own use without making payment to the music’s owner. Many of those who would never have walked into a music store and stolen a CD find themselves with dozens of illegally downloaded albums. Digital technologies have given us the ability to aggregate information from multiple sources to create profiles of people. What would have taken weeks of work in the past can now be done in seconds, allowing private organizations and governments to know more about individuals than at any time in history. This information has value, but also chips away at the privacy of consumers and citizens.
In early 2018 Facebook acknowledged a data breach affecting 87 million users. The app “thisisyourdigitallife”, created by Global Science Research, informed users that they could participate in a psychological research study. About 270,000 people decided to participate in the research, but the app failed to tell users that the data of all of their friends on Facebook would be automatically captured as well. All of this data theft took place prior to 2014, but it did not become public until four years later. In 2015 Facebook learned about Global Science Research’s collection of data on millions of friends of the users in the research. Global Science Research agreed to delete the data, but it had already been sold to Cambridge Analytica who used it in the 2016 presidential primary campaign. The ensuing firestorm resulted in Mark Zuckerberg, CEO of Facebook, testifying before the U.S. Congress in 2018 on what happened and what Facebook would do in the future to protect users’ data. Congress is working on legislation to protect user data in the future, a prime example of technology advancing faster than the laws needed to protect users. More information about this case of data privacy can be found at Facebook and Cambridge Analytica.2
A code of ethics is one method for navigating new ethical waters. A code of ethics outlines a set of acceptable behaviors for a professional or social group. Generally, it is agreed to by all members of the group. The document details different actions that are considered appropriate and inappropriate. A good example of a code of ethics is the Code of Ethics and Professional Conduct of the Association for Computing Machinery,3 an organization of computing professionals that includes academics, researchers, and practitioners. Here is a quote from the preamble:
Commitment to ethical professional conduct is expected of every member (voting members, associate members, and student members) of the Association for Computing Machinery (ACM). This Code, consisting of 24 imperatives formulated as statements of personal responsibility, identifies the elements of such a commitment. It contains many, but not all, issues professionals are likely to face. Section 1 outlines fundamental ethical considerations, while Section 2 addresses additional, more specific considerations of professional conduct. Statements in Section 3 pertain more specifically to individuals who have a leadership role, whether in the workplace or in a volunteer capacity such as with organizations like ACM. Principles involving compliance with this Code are given in Section 4.
In the ACM’s code you will find many straightforward ethical instructions such as the admonition to be honest and trustworthy. But because this is also an organization of professionals that focuses on computing, there are more specific admonitions that relate directly to information technology:
• No one should enter or use another’s computer system, software, or data files without permission. One must always have appropriate approval before using system resources, including communication ports, file space, other system peripherals, and computer time.
• Designing or implementing systems that deliberately or inadvertently demean individuals or groups is ethically unacceptable.
• Organizational leaders are responsible for ensuring that computer systems enhance, not degrade, the quality of working life. When implementing a computer system, organizations must consider the personal and professional development, physical safety, and human dignity of all workers. Appropriate human-computer ergonomic standards should be considered in system design and in the workplace.
One of the major advantages of creating a code of ethics is that it clarifies the acceptable standards of behavior for a professional group. The varied backgrounds and experiences of the members of a group lead to a variety of ideas regarding what is acceptable behavior. While the guidelines may seem obvious, having these items detailed provides clarity and consistency. Explicitly stating standards communicates the common guidelines to everyone in a clear manner.
A code of ethics can also have some drawbacks. First, a code of ethics does not have legal authority. Breaking a code of ethics is not a crime in itself. What happens if someone violates one of the guidelines? Many codes of ethics include a section that describes how such situations will be handled. In many cases repeated violations of the code result in expulsion from the group.
In the case of ACM: “Adherence of professionals to a code of ethics is largely a voluntary matter. However, if a member does not follow this code by engaging in gross misconduct, membership in ACM may be terminated.” Expulsion from ACM may not have much of an impact on many individuals since membership in ACM is usually not a requirement for employment. However, expulsion from other organizations, such as a state bar organization or medical board, could carry a huge impact.
Another possible disadvantage of a code of ethics is that there is always a chance that important issues will arise that are not specifically addressed in the code. Technology is quickly changing and a code of ethics might not be updated often enough to keep up with all of the changes. A good code of ethics, however, is written in a broad enough fashion that it can address the ethical issues of potential changes to technology while the organization behind the code makes revisions.
Finally, a code of ethics could also be a disadvantage in that it may not entirely reflect the ethics or morals of every member of the group. Organizations with a diverse membership may have internal conflicts as to what is acceptable behavior. For example, there may be a difference of opinion on the consumption of alcoholic beverages at company events. In such cases the organization must make a choice about the importance of addressing a specific behavior in the code.
Many organizations that provide technology services to a group of constituents or the public require agreement to an Acceptable Use Policy (AUP) before those services can be accessed. Similar to a code of ethics, this policy outlines what is allowed and what is not allowed while someone is using the organization’s services. An everyday example of this is the terms of service that must be agreed to before using the public Wi-Fi at Starbucks, McDonald’s, or even a university. Here is an example of an acceptable use policy from Virginia Tech.
Just as with a code of ethics, these acceptable use policies specify what is allowed and what is not allowed. Again, while some of the items listed are obvious to most, others are not so obvious:
• “Borrowing” someone else’s login ID and password is prohibited.
• Using the provided access for commercial purposes, such as hosting your own business website, is not allowed.
• Sending out unsolicited email to a large group of people is prohibited.
As with codes of ethics, violations of these policies have various consequences. In most cases, such as with Wi-Fi, violating the acceptable use policy will mean that you will lose your access to the resource. While losing access to Wi-Fi at Starbucks may not have a lasting impact, a university student getting banned from the university’s Wi-Fi (or possibly all network resources) could have a large impact.
One of the domains that has been deeply impacted by digital technologies is intellectual property. Digital technologies have driven a rise in new intellectual property claims and made it much more difficult to defend intellectual property. Intellectual property is defined as “property (as an idea, invention, or process) that derives from the work of the mind or intellect.”4 This could include creations such as song lyrics, a computer program, a new type of toaster, or even a sculpture.
Practically speaking, it is very difficult to protect an idea. Instead, intellectual property laws are written to protect the tangible results of an idea. In other words, just coming up with a song in your head is not protected, but if you write it down it can be protected.
Protection of intellectual property is important because it gives people an incentive to be creative. Innovators with great ideas will be more likely to pursue those ideas if they have a clear understanding of how they will benefit. In the US Constitution, Article 8, Section 8, the authors saw fit to recognize the importance of protecting creative works:
Congress shall have the power . . . To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.
An important point to note here is the “limited time” qualification. While protecting intellectual property is important because of the incentives it provides, it is also necessary to limit the amount of benefit that can be received and allow the results of ideas to become part of the public domain. Outside of the US, intellectual property protections vary. You can find out more about a specific country’s intellectual property laws by visiting the World Intellectual Property Organization. The following sections address three of the best-known intellectual property protections: copyright, patent, and trademark.
Copyright is the protection given to songs, computer programs, books, and other creative works. Any work that has an “author” can be copyrighted. Under the terms of copyright, the author of a work controls what can be done with the work, including:
• Who can make copies of the work.
• Who can make derivative works from the original work.
• Who can perform the work publicly.
• Who can display the work publicly.
• Who can distribute the work.
Many times, a work is not owned by an individual but is instead owned by a publisher with whom the original author has an agreement. In return for the rights to the work, the publisher will market and distribute the work and then pay the original author a portion of the proceeds. Copyright protection lasts for the life of the original author plus seventy years. In the case of a copyrighted work owned by a publisher or another third party, the protection lasts for ninety-five years from the original creation date. For works created before 1978, the protections vary slightly. You can see the full details on copyright protections by reviewing the Copyright Basics document available at the US Copyright Office’s website.
In the United States a copyright is obtained by the simple act of creating the original work. In other words, when an author writes down a song, makes a film, or develops a computer program, the author has the copyright. However, for a work that will be used commercially, it is advisable to register for a copyright with the US Copyright Office. A registered copyright is needed in order to bring legal action against someone who has used a work without permission.
If an artist creates a painting and sells it to a collector who then, for whatever reason, proceeds to destroy it, does the original artist have any recourse? What if the collector, instead of destroying it, begins making copies of it and sells them? Is this allowed? The first sale doctrine is a part of copyright law that addresses this, as shown below5:
The first sale doctrine, codified at 17 U.S.C. § 109, provides that an individual who knowingly purchases a copy of a copyrighted work from the copyright holder receives the right to sell, display or otherwise dispose of that particular copy, notwithstanding the interests of the copyright owner.
Therefore, in our examples the copyright owner has no recourse if the collector destroys the artwork. But the collector does not have the right to make copies of the artwork.
Another important provision within copyright law is that of fair use. Fair use is a limitation on copyright law that allows for the use of protected works without prior authorization in specific cases. For example, if a teacher wanted to discuss a current event in class, copies of the copyrighted news story could be handed out in class without first getting permission. Fair use is also what allows a student to quote a small portion of a copyrighted work in a research paper.
Unfortunately, the specific guidelines for what is considered fair use and what constitutes copyright violation are not well defined. Fair use is a well-known and respected concept and will only be challenged when copyright holders feel that the integrity or market value of their work is being threatened. The following four factors are considered when determining if something constitutes fair use:
• The purpose and character of the use, including whether such use is of commercial nature or is for nonprofit educational purposes;
• The nature of the copyrighted work;
• The amount and substantiality of the portion used in relation to the copyrighted work as a whole;
• The effect of the use upon the potential market for, or value of, the copyrighted work.
If you are ever considering using a copyrighted work as part of something you are creating, you may be able to do so under fair use. However, it is always best to check with the copyright owner to be sure you are staying within your rights and not infringing upon theirs.
As noted above, current copyright law grants copyright protection for seventy years after the author’s death, or ninety-five years from the date of creation for a work created for hire. But it was not always this way.
The first US copyright law, which only protected books, maps, and charts, provided protection for only 14 years with a renewable term of 14 years. Over time copyright law was revised to grant protections to other forms of creative expression, such as photography and motion pictures. Congress also saw fit to extend the length of the protections, as shown in the following chart. Today, copyright has become big business, with many businesses relying on copyright-protected works for their income.
Many now think that the protections last too long. The Sonny Bono Copyright Term Extension Act has been nicknamed the “Mickey Mouse Protection Act,” as it was enacted just in time to protect the copyright on the Walt Disney Company’s Mickey Mouse character. Because of this term extension, many works from the 1920s and 1930s that would have been available now in the public domain are still restricted.
As digital technologies have changed what it means to create, copy, and distribute media, a policy vacuum has been created. In 1998, the US Congress passed the Digital Millennium Copyright Act (DMCA), which extended copyright law to take into consideration digital technologies. Two of the best-known provisions from the DMCA are the anti-circumvention provision and the “safe harbor” provision.
• The anti-circumvention provision makes it illegal to create technology to circumvent technology that has been put in place to protect a copyrighted work. This provision includes not just the creation of the technology but also the publishing of information that describes how to do it. While this provision does allow for some exceptions, it has become quite controversial and has led to a movement to have it modified.
• The “safe harbor” provision limits the liability of online service providers when someone using their services commits copyright infringement. This is the provision that allows YouTube, for example, not to be held liable when someone posts a clip from a copyrighted movie. The provision does require the online service provider to take action when they are notified of the violation (a “takedown” notice). For an example of how takedown works, here’s how YouTube handles these requests: YouTube Copyright Infringement Notification.
Many think that the DMCA goes too far and ends up limiting our freedom of speech. The Electronic Frontier Foundation (EFF) is at the forefront of this battle. In discussing the anti-circumvention provision, the EFF states:
Yet the DMCA has become a serious threat that jeopardizes fair use, impedes competition and innovation, chills free expression and scientific research, and interferes with computer intrusion laws. If you circumvent DRM [digital rights management] locks for noninfringing fair uses or create the tools to do so you might be on the receiving end of a lawsuit.
A previous chapter introduced the topic of open-source software. Open-source software has few or no copyright restrictions. The creators of the software publish their code and make their software available for others to use and distribute for free. This is great for software, but what about other forms of copyrighted works? If an artist or writer wants to make their works available, how can they go about doing so while still protecting the integrity of their work? Creative Commons is the solution to this problem.
Creative Commons is a nonprofit organization that provides legal tools for artists and authors. The tools offered make it simple to license artistic or literary work for others to use or distribute in a manner consistent with the author’s intentions. Creative Commons licenses are indicated with the symbol. It is important to note that Creative Commons and public domain are not the same. When something is in the public domain, it has absolutely no restrictions on its use or distribution. Works whose copyrights have expired are in the public domain.
By using a Creative Commons license, authors can control the use of their work while still making it widely accessible. By attaching a Creative Commons license to their work, a legally binding license is created. Here are some examples of these licenses:
• CC-BY. This is the least restrictive license. It lets others distribute and build upon the work, even commercially, as long as they give the author credit for the original work.
• CC-BY-SA. This license restricts the distribution of the work via the “share-alike” clause. This means that others can freely distribute and build upon the work, but they must give credit to the original author and they must share using the same Creative Commons license.
• CC-BY-NC. This license is the same as CC-BY but adds the restriction that no one can make money with this work. NC stands for “non-commercial.”
• CC-BY-NC-ND. This license is the same as CC-BY-NC but also adds the ND restriction, which means that no derivative works may be made from the original.
These are a few of the more common licenses that can be created using the tools that Creative Commons makes available. For a full listing of the licenses and to learn much more about Creative Commons, visit their web site.
Patents are another important form of intellectual property protection. A patent creates protection for someone who invents a new product or process. The definition of invention is quite broad and covers many different fields. Here are some examples of items receiving patents:
• circuit designs in semiconductors;
• prescription drug formulas;
• firearms;
• locks;
• plumbing;
• engines;
• coating processes; and
• business processes.
Once a patent is granted it provides the inventor with protection from others infringing on his or her patent. A patent holder has the right to “exclude others from making, using, offering for sale, or selling the invention throughout the United States or importing the invention into the United States for a limited time in exchange for public disclosure of the invention when the patent is granted.”7 As with copyright, patent protection lasts for a limited period of time before the invention or process enters the public domain. In the US, a patent lasts twenty years. This is why generic drugs are available to replace brand-name drugs after twenty years.
Unlike copyright, a patent is not automatically granted when someone has an interesting idea and writes it down. In most countries a patent application must be submitted to a government patent office. A patent will only be granted if the invention or process being submitted meets certain conditions.
• Must be original. The invention being submitted must not have been submitted before.
• Must be non-obvious. You cannot patent something that anyone could think of. For example, you could not put a pencil on a chair and try to get a patent for a pencil-holding chair.
• Must be useful. The invention being submitted must serve some purpose or have some use that would be desired.
The job of the patent office is to review patent applications to ensure that the item being submitted meets these requirements. This is not an easy job. In 2017 the US Patent Office granted 318,849 patents, an increase of 5.2% over 2016.8 The current backlog for a patent approval is 15.6 months. Information Technology firms have applied for a significant number of patents each year. Here are the top five I.T. firms in terms of patent applications filed since 2009. Each percentage is that firm’s share of the total I.T. patents filed since 2009. Notice that over half of patent filings come from just these five corporations.
• International Business Machines (IBM) 21.6%
• Microsoft Corporation 14.2%
• AT&T, Inc. 7.1%
• Alphabet (Google), Inc. 5.0%
• Sony Corporation 4.7%
You might have noticed that Apple is not in the top five listing. Microsoft holds the lead in Artificial Intelligence (AI) patents.
The advent of digital technologies has led to a large increase in patent filings and therefore a large number of patents being granted. Once a patent is granted, it is up to the owner of the patent to enforce it. If someone is found to be using the invention without permission, the patent holder has the right to sue to force that person to stop and to collect damages.
The rise in patents has led to a new form of profiteering called patent trolling. A patent troll is a person or organization who gains the rights to a patent but does not actually make the invention that the patent protects. Instead, the patent troll searches for those who are illegally using the invention in some way and sues them. In many cases the infringement being alleged is questionable at best. For example, companies have been sued for using Wi-Fi or for scanning documents, technologies that have been on the market for many years.
Recently, the U.S. government has begun taking action against patent trolls. Several pieces of legislation are working their way through the U.S. Congress that will, if enacted, limit the ability of patent trolls to threaten innovation. You can learn a lot more about patent trolls by listening to a detailed investigation conducted by the radio program This American Life, by clicking this link.
A trademark is a word, phrase, logo, shape or sound that identifies a source of goods or services. For example, the Nike “Swoosh,” the Facebook “f”, and Apple’s apple (with a bite taken out of it) are all trademarked. The concept behind trademarks is to protect the consumer. Imagine going to the local shopping center to purchase a specific item from a specific store and finding that there are several stores all with the same name!
Two types of trademarks exist – a common law trademark and a registered trademark. As with copyright, an organization will automatically receive a trademark if a word, phrase, or logo is being used in the normal course of business (subject to some restrictions, discussed below). A common law trademark is designated by placing “TM” next to the trademark. A registered trademark is one that has been examined, approved, and registered with the trademark office, such as the Patent and Trademark Office in the US. A registered trademark has the circle-R (®) placed next to the trademark.
While most any word, phrase, logo, shape, or sound can be trademarked, there are a few limitations. A trademark will not hold up legally if it meets one or more of the following conditions:
• The trademark is likely to cause confusion with a mark in a registration or prior application.
• The trademark is merely descriptive for the goods/services. For example, trying to register the trademark “blue” for a blue product you are selling will not pass muster.
• The trademark is a geographic term.
• The trademark is a surname. You will not be allowed to trademark “Smith’s Bookstore.”
• The trademark is ornamental as applied to the goods. For example, a repeating flower pattern that is a design on a plate cannot be trademarked.
As long as an organization uses its trademark and defends it against infringement, the protection afforded by it does not expire. Because of this, many organizations defend their trademark against other companies whose branding even only slightly copies their trademark. For example, Chick-fil-A has trademarked the phrase “Eat Mor Chikin” and has vigorously defended it against a small business using the slogan “Eat More Kale.” Coca-Cola has trademarked the contour shape of its bottle and will bring legal action against any company using a bottle design similar to theirs. Examples of trademarks that have been diluted and have now lost their protection in the US include: “aspirin” (originally trademarked by Bayer), “escalator” (originally trademarked by Otis), and “yoyo” (originally trademarked by Duncan).
The rise of information systems has resulted in rethinking how to deal with intellectual property. From the increase in patent applications swamping the government’s patent office to the new laws that must be put in place to enforce copyright protection, digital technologies have impacted our behavior.
The term privacy has many definitions, but for purposes here, privacy will mean the ability to control information about oneself. The ability to maintain our privacy has eroded substantially in the past decades, due to information systems.
Information about a person that can be used to uniquely establish that person’s identity is called personally identifiable information, or PII. This is a broad category that includes information such as:
• Name;
• Social Security Number;
• Date of birth;
• Place of birth;
• Mother’s maiden name;
• Biometric records (fingerprint, face, etc.);
• Medical records;
• Educational records;
• Financial information; and
• Employment information.
Organizations that collect PII are responsible for protecting it. The Department of Commerce recommends that “organizations minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission.” They go on to state that “the likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects, and stores.”10 Organizations that do not protect PII can face penalties, lawsuits, and loss of business. In the US, most states now have laws in place requiring organizations that have had security breaches related to PII to notify potential victims, as does the European Union.
Just because companies are required to protect your information does not mean they are restricted from sharing it. In the US, companies can share your information without your explicit consent (see the following sidebar), though not all do so. Companies that collect PII are urged by the FTC to create a privacy policy and post it on their website. The State of California requires a privacy policy for any website that does business with a resident of the state (see http://www.privacy.ca.gov/lawenforcement/laws.htm).
While the privacy laws in the US seek to balance consumer protection with promoting commerce, privacy in the European Union is considered a fundamental right that outweighs the interests of commerce. This has led to much stricter privacy protection in the EU, but also makes commerce more difficult between the US and the EU.
Digital technologies have given people many new capabilities that simplify and expedite the collection of personal information. Every time a person comes into contact with digital technologies, information about that person is being made available. From location to web-surfing habits, your criminal record to your credit report, you are constantly being monitored. This information can then be aggregated to create profiles of each person.
While much of the information collected was available in the past, collecting it and combining it took time and effort. Today, detailed information about a person is available for purchase from different companies. Even information not categorized as PII can be aggregated in such a way that an individual can be identified.
This process of collecting large quantities of a variety of information and then combining it to create profiles of individuals is known as Non-Obvious Relationship Awareness, or NORA. First commercialized by big casinos looking to find cheaters, NORA is used by both government agencies and private organizations, and it is big business.
In some settings, such as law enforcement, NORA can bring many benefits. By being able to identify potential criminals more quickly, crimes can be solved sooner or even prevented before they happen. But these advantages come at a price, namely, our privacy.
In the United States the government has strict guidelines on how much information can be collected about its citizens. Certain classes of information have been restricted by laws over time and the advent of digital tools has made these restrictions more important than ever.
Websites that collect information from children under the age of thirteen are required to comply with the Children’s Online Privacy Protection Act (COPPA), which is enforced by the Federal Trade Commission (FTC). To comply with COPPA, organizations must make a good-faith effort to determine the age of those accessing their websites and, if users are under thirteen years old, must obtain parental consent before collecting any information.
The Family Educational Rights and Privacy Act (FERPA) is a US law that protects the privacy of student education records. In brief, this law specifies that parents have a right to their child’s educational information until the child either reaches the age of eighteen or begins attending school beyond the high school level. At that point control of the information is given to the child. While this law is not specifically about the digital collection of information on the Internet, the educational institutions that are collecting student information are at a higher risk for disclosing it improperly because of digital technologies.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) singles out records related to health care as a special class of personally identifiable information. This law gives patients specific rights to control their medical records, requires health care providers and others who maintain this information to get specific permission in order to share it, and imposes penalties on the institutions that breach this trust. Since much of this information is now shared via electronic medical records, the protection of those systems becomes paramount.
The European Union, in an effort to help people take control over their personal data, passed the General Data Protection Regulation (GDPR) in May 2016. While this protection applies to the countries in the EU, it is having an impact on U.S. companies using the Internet as well. The regulation went into effect May 25, 2018.
EU and non-EU countries have different approaches to protecting the data of individuals. The focus in the U.S. has been on protecting data privacy so that it does not impact commercial interests.
In the EU, the individual’s data privacy rights supersede those of business. Under GDPR data cannot be transferred to countries that do not have adequate data protection for individuals. Currently, those countries include, but are not limited to, the United States, Korea, and Japan. While the GDPR applies to countries in the EU, it is having an impact around the world as businesses in other countries seek to comply with this regulation (Sanz, 2018). One week prior to the effective date of May 25, 2018, only 60% of companies surveyed reported they would be ready by the deadline (Zafrin, 2018). Clearly, the message of GDPR has gone out around the world. It is likely that greater data protection regulations will be forthcoming from the U.S. Congress as well.
When it comes to getting permission to share personal information, the US and the EU have different approaches. In the US, the “opt-out” model is prevalent. In this model the default agreement states that you have agreed to share your information with the organization and must explicitly tell them that you do not want your information shared. There are no laws prohibiting the sharing of your data, beyond some specific categories of data such as medical records. In the European Union the “opt-in” model is required to be the default. In this case you must give your explicit permission before an organization can share your information.
To combat this sharing of information, the Do Not Track initiative was created. As its creators explain:
Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms. At present few of these third parties offer a reliable tracking opt out and tools for blocking them are neither user-friendly nor comprehensive. Much like the popular Do Not Call registry, Do Not Track provides users with a single, simple, persistent choice to opt out of third-party web tracking.
Merriam-Webster Dictionary. (n.d.). Ethics. Retrieved from http://www.merriam-webster.com/dictionary/ethics
Grigonis, H. (2018, April 5). Nine Things to Know About Facebook and Cambridge Analytica. Digital Trends. Retrieved from https://www.digitaltrends.com/socialmedia/what-facebook-users-should-know-about-cambridgeanalytica-and-privacy/
Association for Computing Machinery (1992, October 16) ACM Code of Ethics and Professional Conduct.
Merriam-Webster Dictionary. (n.d.). Intellectual Property. Retrieved from http://www.merriam-webster.com/dictionary/intellectual/property
United States Department of Justice. (n.d.). Copyright Infringement – First Sale Doctrine. Retrieved from https://www.justice.gov/archives/jm/criminal-resourcemanual-1854-copyright-infringement-first-sale-doctrine
United States Copyright Office. (n.d.). Fair Use Index. Retrieved from http://www.copyright.gov/fls/fl102.html
United States Patent and Trademark Office (n.d.). What Is A Patent? Retrieved from http://www.uspto.gov/patents/
United States Patent and Trademark Office (n.d.). Visualization Center. Retrieved from http://www.uspto.gov/patents/
Bachmann, S. (2016, December 22). America’s Big 5 Tech companies increase patent filings, Microsoft holds lead in AI technologies. IP Watchdog. Retrieved from http://www.ipwatchdog.com/2016/12/22/big-techcompanies-increase-patent/id=76019/
McAllister, E., Grance, T., and Scarfone, K. (2010, April). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
Sanz, R. M. G. (2018, April 30). Your Guide to the GDPR. IEEE Spectrum. Retrieved from https://spectrum.ieee.org/telecom/internet/your-guide-to-the-gdpr
Zafrin, W. (2018, May 25). Playing Catch-up with the General Data Protection Regulation. Information Management. Retrieved from https://www.informationmanagement.com/opinion/playing-catch-up-with-the-general-data-protection-regulation
Electronic Frontier Foundation. (n.d.). Do Not Track. Retrieved from http://donottrack.us/
(original link: https://human.libretexts.org/Courses/Lumen_Learning/Book%3A_Information_Literacy_(Lumen)/19%3A_Computer_Concepts_4/19.2%3A_Computer_Security)
Computer security is a branch of information technology known as information security which is intended to protect computers. Computer security has three main goals:
Confidentiality: Making sure people cannot acquire information they should not (keeping secrets)
Integrity: Making sure people cannot change information they should not (protecting data)
Availability: Making sure people cannot stop the computer from doing its job.
Computer security involves telling computers what they are not to do. This makes computer security unique because most programming makes computers do things. Security takes much of a computer’s power.
Basic computer security methods (in approximate order of strength) can be:
Limit access to computers to “safe” users.
Peripherals which block any “unsafe” activity.
Firewall and antivirus software.
An example of the complexity and pervasiveness of the issue is vending machines, per “Hackers Lurking in Vents and Soda Machines” (New York Times, April 7, 2014).
Malware, short for malicious software, is a kind of software that can be installed on a computer without approval from the computer’s owner. There are different kinds of malware that can hurt computers, such as viruses and spyware. These programs can steal passwords, delete files, collect personal information, or even stop a computer from working at all. Computer security or anti-malware software is usually good at stopping malware from installing itself. When security software isn’t installed, malware can get into the computer. Getting rid of malware can be difficult, even when using programs designed to remove it.
People first started writing malware in the 1970s and early 1980s. Computers were very simple then. They did not have any interesting information for malware to take. Instead, people wrote malware for fun[1] or just to show that they could.[2] Even the most common piece of malware from this time did not do damage to people’s computers.[3] In fact, malware was so rare that the word “malware” was not coined until 1990.[4]
More people started using computers in the late 1990s and early 2000s. Computers were getting more complex just as fast.[5] People saw that they could use malware to get useful information now, like passwords and credit card information. So, more programmers started writing malware. The number of malware programs on the Internet has grown very quickly ever since the late 1990s and is still growing today.[6] Experts think that 31.5% of the world’s computers have some type of malware installed.[7]
The main reason people write malware is to hurt others and make money, usually by stealing or deleting important information. The Cryptolocker computer virus, for example, makes it so a person cannot use their own computer until they pay the malware writers for a software key to unlock it.[8] Another virus, CIH, tries to make it so the victim can never use their files or turn on their computer again.[9] Malicious keystroke logging software remembers everything a user types in and gives it to the malware author to read.[10]
World governments have written malware to hurt their enemies. Experts think that the United States government made a virus named Stuxnet to stop an important place in Iran from working.[11] The Chinese government probably used a virus to stop people from protesting its decisions.[12]
There are a lot of ways malware can get onto someone’s computer. One common way is through email attachments. These attachments are usually sent from other computers that already have malware on them.[13] When someone downloads and opens the attachment, the virus installs and uses their computer to send itself to even more people.
Another way malware installs itself is when a victim gets malware just by going to a website with the malware hidden on it. This is called drive-by downloading. A user does not have to click anything for their computer to get infected from a drive-by download.[14] This kind of malware attack is usually found on websites that are not used a lot or whose security methods are very old. However, even current websites that people use all the time can host drive-by downloads when someone hacks the site.
People who write malware also get their programs onto computers by attaching them to real programs that people want. This is most common with pirated programs. This is because the downloader was doing something illegal and cannot complain to the authorities without getting in trouble themselves.[15] However, some non-piracy websites also put malware (or other unwanted programs that are almost as bad as malware) in a download with real, legal software in a process known as bundling. Computer security experts complain about websites that bundle real software with malware. Their complaints do not always stop the websites from bundling.[16]
There are many different kinds of malware. Each acts a different way.
Viruses are a kind of malware that need a user-run program to work.[17] They cannot copy themselves or move from one computer to another without a program to host it. Viruses are very common in pirated programs.[18] They can harm computers in many different ways, like deleting files and stealing passwords.[19]
Worms are a lot like viruses and can cause the same kinds of damage. However, they’re able to move through the internet and copy themselves onto computers without help from a host program. This makes them more dangerous than a virus.[20] Worms are usually found in emails and drive-by downloads.[21]
Trojan horses are like a much more dangerous version of a virus. They need a user to agree to run a program to work and cannot copy themselves from one computer to another. However, trojan horses can make the same problems a normal virus can make. They can also allow the malware writer to control the victim’s computer, install more malware, steal bank data, and more.[22] For example, ransomware is a type of trojan horse that stops a victim from using their files until they pay the person who wrote the malware.[23] Experts think that trojan horses are the most common type of malware in existence.[24]
Adware is a type of malware that earns the program authors money with advertising. These programs show users ads and force them to use websites that make money for the malware writers. Adware will also find personal information about the victim (such as their age, race, and job). This is so the malware authors can sell the information to other people.[25] A user can usually uninstall adware more easily than most malware. However, this is still difficult to do without a specially-designed program.[26]
Spyware is a more dangerous kind of adware that steals more information from a user. Spyware can steal someone’s Internet traffic, account passwords, and anything they have typed into their computers. Spyware is also much harder to uninstall than adware is.[27]
There are a few reasons why computers get programs a user didn’t mean to install. One common reason is because of regular programs that have software bugs. Malware can use bugs, such as a buffer overflow, to make a program do something it was not designed to do.[28] Malware can also get onto a computer if it tricks a user into putting it there themselves. This can happen when a user plugs in a USB flash drive that has a virus on it already.[29] Malware also commonly uses social engineering to get users to run it, like pretending to be an important email attachment for work. Some malware even pretends to be an anti-malware program to get people to run it.[30]
Since malware is such a big problem, many companies make programs to try to stop it. These anti-malware programs have a lot of different ways to find malware. One is static analysis, which looks at the source code of a program before it is run. Then, if the program is similar to malware the static analysis program has seen before, the anti-malware program will stop the code from running. Another way of finding malware is dynamic analysis. Dynamic analysis runs only part of a program it is checking. If this part of the program tries to do anything that could be bad or harmful, the anti-malware program will not let the program run.[31]
Malware can also be stopped without a program. This can be done by not letting a computer connect to the Internet or other computers, called creating an air gap.[32] However, these computers can still get malware if someone puts it there another way. One example is when someone plugs in a USB drive that was already plugged into a computer with a virus.[33]
An HTTP cookie (usually just called a cookie) is a simple computer file made of text. The information stored in cookies can be used to personalize the experience when using a website. A website can use cookies to find out if someone has visited a website before and record information (data) about what they did.
When someone is using a computer to browse a website, a personalized cookie file can be sent from the website’s server to the person’s computer. The cookie is stored in the web browser on the person’s computer. At some time in the future, the person may browse that website again. The website can send a message to the person’s browser, asking if a cookie from the website is already stored in the browser. If a cookie is found, then the data that was stored in the cookie before can be used by the website to tell the website about the person’s previous activity. Some examples where cookies are used include shopping carts, automatic login and remembering which advertisements have already been shown.
Cookies have been a problem for Internet privacy. This is because they can be used to track browsing behavior. Because of this, laws have been made in some countries to protect people’s privacy. There are many other options than cookies, but each option has its own problems.
Cookies have often been mistaken for computer programs. But cookies cannot do much on their own. They are simply a piece of data. They are often called spyware or viruses, but they are not either of these.
Most web browsers allow users to choose whether to accept cookies. If the user does not allow cookies, some websites will become unusable. For example, shopping baskets which use cookies do not work if the user does not allow cookies.
Hypertext Transfer Protocol (often abbreviated to HTTP) is a communications protocol. It is used to send and receive webpages and files on the internet. It was developed by Tim Berners-Lee and is now coordinated by the W3C. HTTP version 1.1 is the most commonly used version today. It is defined in RFC 2616.
HTTP works by using a user agent to connect to a server. The user agent could be a web browser or spider. The server must be located using a URL or URI. This always contains http:// at the start. It normally connects to port 80 on a computer.
A more secure version of HTTP is called HTTPS. This contains https:// at the beginning of the URL. It encrypts all the information that is sent and received. This can stop malicious users such as hackers from stealing the information. HTTPS is often used on payment websites.
Request Message
The request message contains the following:
Request line, such as GET /images/logo.gif HTTP/1.1, which requests the file logo.gif from the /images directory
Headers, such as Accept-Language: en
An empty line
An optional message body
The request line and headers must all end with two characters: a carriage return followed by a line feed, often written <CR><LF>. The empty line must consist of only <CR><LF> and no other whitespace. In the HTTP/1.1 protocol, all headers except Host are optional.
A request line containing only the path name is accepted by servers to maintain compatibility with HTTP clients before the HTTP/1.0 standard. Even the address of this site has HTTP at its beginning.
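The request-message layout described above can be checked mechanically. The following Python parser is an added example, not part of the original chapter; the names parse_request and check and the sample messages are constructed for illustration.

```python
class BadRequest(ValueError):
    """The message does not follow the request layout described above."""


def parse_request(raw: bytes) -> dict:
    """Split a raw request into request line, headers and optional body."""
    # The empty line (<CR><LF> alone) ends the headers; the body, if any,
    # is whatever follows it.
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("no empty <CR><LF> line after the headers")
    # Any <CR> or <LF> left once the <CR><LF> pairs are removed means a
    # line was ended with the wrong characters.
    leftover = head.replace(b"\r\n", b"")
    if b"\r" in leftover or b"\n" in leftover:
        raise BadRequest("line not ended with <CR><LF>")

    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not all(parts):
        raise BadRequest("request line must be: method, path, version")
    method, path, version = parts

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise BadRequest("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()

    # In HTTP/1.1 every header is optional except Host.
    if version == "HTTP/1.1" and "host" not in headers:
        raise BadRequest("HTTP/1.1 request without a Host header")
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def check(raw: bytes) -> str:
    """Return 'ok' or the reason the message was rejected."""
    try:
        parse_request(raw)
        return "ok"
    except BadRequest as err:
        return str(err)


# Constructed sample messages (not captured traffic).
GOOD = (b"GET /images/logo.gif HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Accept-Language: en\r\n"
        b"\r\n")
WITH_BODY = b"POST /form HTTP/1.1\r\nHost: www.example.com\r\n\r\nname=alice"
NO_HOST = b"GET /images/logo.gif HTTP/1.1\r\nAccept-Language: en\r\n\r\n"
OLD_CLIENT = b"GET /images/logo.gif HTTP/1.0\r\n\r\n"
BARE_LF = b"GET /images/logo.gif HTTP/1.1\nHost: www.example.com\r\n\r\n"
SPACE_IN_EMPTY_LINE = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n \r\n"

if __name__ == "__main__":
    for sample in (GOOD, WITH_BODY, NO_HOST, OLD_CLIENT, BARE_LF,
                   SPACE_IN_EMPTY_LINE):
        print(check(sample))
```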
Wired Equivalent Privacy (also known as WEP) is a standard to use encryption in Wireless LANs. It was introduced in 1999.
In 2001, mathematicians showed that WEP is not very strong. A WEP connection could be decoded within minutes, using software that can be easily found.[34] Because of this finding, the IEEE created a new 802.11i group to fix the problems. By 2003, the Wi-Fi Alliance announced that WEP would be replaced by Wi-Fi Protected Access (WPA), which was a subset of the then-upcoming 802.11i amendment. Finally, in 2004, this was made official as part of the full 802.11i standard (also known as WPA2), and the IEEE declared that both WEP-40 and WEP-104 are not recommended because they are not secure enough.[35]
Even though it only offers low security, WEP is still widely in use.[36] WEP is often even the first security choice presented to users by router configuration tools. Today, WEP provides a level of security that deters only accidental use. As a result, people can invade and enter the network.[37]
People sometimes call it Wireless Encryption Protocol, which is wrong.
Wi-Fi Protected Access (also known as WPA and WPA2) is the name for a number of standards to use encryption on a Wireless LAN. The standards were created because researchers had found several weaknesses in Wired Equivalent Privacy. Wired Equivalent Privacy, or WEP, was the standard that came before it. The protocol WPA2 implements most of the standard IEEE 802.11i.
Products that have the label WPA were designed to work with most cards, even those that came out before there was WPA. This is not true for access points though.
Products with the WPA2 label implement all of the standard. This is more secure, but it may not work with some older cards.
Encryption is a method which allows information (for example, a secret message) to be hidden so that it cannot be read without special knowledge (such as a password). Once this is done, using a secret code or cypher, the information is encrypted. Decryption is a way to change an encrypted piece of information back into unencrypted form. This is called the decrypted form. The study of encryption is called cryptography.
Examples
A simple kind of encryption for words is ROT13. In ROT13, letters of the alphabet are changed with each other using a simple pattern. For example, A changes to N, B changes to O, C changes to P, and so on. Each letter is “rotated” by 13 spaces. Using the ROT13 cipher, the words Simple English Wikipedia become Fvzcyr Ratyvfu Jvxvcrqvn. The ROT13 cipher is very easy to decrypt. Because there are 26 letters in the English alphabet, if a letter is rotated two times by 13 letters each time, the original letter will be obtained. So applying the ROT13 cipher a second time brings back the original text. When he communicated with his army, Julius Caesar sometimes used what is known today as the Caesar cipher. This cipher works by shifting the position of letters: each letter is rotated by 3 positions.
Most kinds of encryption are more complex. Some are made only for text. Others are made for binary computer files like pictures and music. Today, the asymmetric encryption system used the most is RSA. Any computer file can be encrypted with RSA. AES is a common symmetric algorithm.
One-Time Pad
Most types of encryption can theoretically be cracked: an enemy might be able to decrypt a message without knowing the password, if he has clever mathematicians, powerful computers and lots of time. The one-time pad is special because, if it is used correctly, it is impossible to crack. There are three rules that must be followed:
The secret key (password) must be at least as long as the secret message: if the message has 20 letters then the key must also have at least 20 letters.
The secret key must be a random list of letters (e.g. KQBWLDA…)
The secret key must only be used once. To send more than one message, a different key must be used for each one.
If these three rules are obeyed, then it is impossible to read the secret message without knowing the secret key. For this reason, during the Cold War, embassies and large military units often used one-time pads to communicate secretly with their governments. They had little books (“pads”) filled with random letters or random numbers. Each page from the pad could only be used once: this is why it is called a “one-time pad”.
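The rotation ciphers from the Examples paragraph and the three one-time pad rules, worked through in Python as an added example that is not part of the original chapter. The class and function names are chosen for illustration, messages are assumed to be capital letters A-Z, and the last function shows what breaking the "use once" rule gives away.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase


def rotate(text: str, shift: int) -> str:
    """Shift every letter by `shift` places: 13 gives ROT13, 3 gives Caesar."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)  # spaces and punctuation are left alone
    return "".join(out)


class OneTimePad:
    """A pad of random letters that hands out every key letter only once."""

    def __init__(self, length: int):
        # Rule 2: the key is a random list of letters (operating-system RNG).
        self._letters = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._used = 0

    def remaining(self) -> int:
        return len(self._letters) - self._used

    def take(self, count: int) -> str:
        # Rule 3: letters already handed out are never handed out again.
        if count > self.remaining():
            raise ValueError("pad used up: a new pad is needed")
        key = self._letters[self._used:self._used + count]
        self._used += count
        return key


def _combine(text: str, key: str, sign: int) -> str:
    if any(ch not in ALPHABET for ch in text + key):
        raise ValueError("use capital letters A-Z only")
    # Rule 1: the key must be at least as long as the message.
    if len(key) < len(text):
        raise ValueError("key is shorter than the message")
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(k)) % 26]
        for t, k in zip(text, key))


def otp_encrypt(message: str, key: str) -> str:
    return _combine(message, key, +1)


def otp_decrypt(ciphertext: str, key: str) -> str:
    return _combine(ciphertext, key, -1)


def difference(a: str, b: str) -> list:
    """Letter-by-letter distance between two texts of the same length."""
    return [(ALPHABET.index(x) - ALPHABET.index(y)) % 26 for x, y in zip(a, b)]


if __name__ == "__main__":
    print(rotate("Simple English Wikipedia", 13))
    print(rotate("HELLO", 3))

    pad = OneTimePad(10)
    key = pad.take(5)
    secret = otp_encrypt("HELLO", key)
    print(secret, otp_decrypt(secret, key))

    # Breaking rule 3: when the same key encrypts two messages, the key
    # cancels out and the distance between the two ciphertexts equals the
    # distance between the two messages, so the texts are no longer hidden.
    reused = otp_encrypt("WORLD", key)
    print(difference(secret, reused) == difference("HELLO", "WORLD"))
```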
Encryption on the Internet
Encryption is often used on the Internet, as many web sites use it to protect private information. On the Internet, several encryption protocols are used, such as Secure Sockets Layer (SSL), IPsec, and SSH. They use the RSA encryption system and others. The protocol for protected web browsing is called HTTPS. Mostly, URL encryption contains the MD5 algorithm. Various algorithms are used in the internet market depending upon the need.
Antivirus software, if properly installed on a computer system, can prevent access to computer systems by unwanted computer programs. Viruses, worms or Trojan Horses can be used by criminals or mischievous people (called Crackers). They can be used to steal information or damage computer systems. If no antivirus software is installed, hackers may be able to access the information in the computer.
Most tests and experts claim that antivirus software is unable to prevent all attacks.[38] There are many different types of antivirus software. Many antivirus programs can be downloaded for free. These versions usually have some features missing. The missing features are only available to those who buy the “full” version.
Antivirus software uses many ways to protect the computer. They often search for signs of viruses in every website that is visited. Most also do a regular scan of all the data and files on the computer’s hard disk.
Installing more than one antivirus program is not a good idea. The two antivirus programs can interfere with each other.
Problems with Antivirus Software
Antivirus software cannot always detect all viruses on a computer.
Sometimes antivirus software sees viruses in files that do not really have viruses. This is called a false positive.[39] The antivirus software will sometimes remove files from the computer that should not be removed. This may cause other programs to not work properly.
Originally, a firewall was a wall that was built to stop (or slow down) the spread of a fire. In terms of computer security, a firewall is a piece of software. This software monitors the network traffic. A firewall has a set of rules which are applied to each packet. The rules decide if a packet can pass, or whether it is discarded. Usually a firewall is placed between a network that is trusted, and one that is less trusted. When a large network needs to be protected, the firewall software often runs on dedicated hardware, which does nothing else.
A firewall protects one part of the network against unauthorized access.
Different Kinds of Firewalls
Packet filtering. Data travels on the internet in small pieces; these are called packets. Each packet has certain metadata attached, like where it is coming from, and where it should be sent to. The easiest thing to do is to look at the metadata. Based on rules, certain packets are then dropped or rejected. All firewalls can do this. It is known as network-layer filtering.
Stateful packet inspection. In addition to the simple packet filtering (above) this kind of firewall also keeps track of connections. A packet can be the start of a new connection, or it can be part of an existing connection. If it is neither of the two, it is probably useless and can be dropped.
Application-layer firewalls. Application-layer firewalls do not just look at the metadata; they also look at the actual data transported. They know how certain protocols work, for example FTP or HTTP. They can then look if the data that is in the packet is valid (for that protocol). If it is not, it can be dropped.
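The difference between plain packet filtering and stateful packet inspection, shown as an added Python example that is not part of the original chapter. The rule format, class names and addresses are constructed for illustration (203.0.113.10 is a documentation address), and a real firewall would also expire old connections.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Only the metadata of a packet, which is all a packet filter reads."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True when the packet asks to open a new connection


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "drop"
    src_net: str
    dst_net: str
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.dport in (None, pkt.dport))


def packet_filter(rules, pkt: Packet) -> str:
    """Plain packet filtering: the first matching rule decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"  # nothing matched: discard by default


class StatefulFirewall:
    """Packet filtering plus a table of the connections that were let through."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()

    def inspect(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        backward = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Part of an existing connection, in either direction: let it pass.
        if forward in self.connections or backward in self.connections:
            return "pass"
        # Start of a new connection: the rules decide, and we remember it.
        if pkt.syn and packet_filter(self.rules, pkt) == "pass":
            self.connections.add(forward)
            return "pass"
        # Neither of the two: the packet is useless and is dropped.
        return "drop"


# Constructed rule set: the trusted network may open HTTPS connections to
# anywhere; everything else is discarded.
RULES = [
    Rule("pass", "192.168.1.0/24", "0.0.0.0/0", 443),
    Rule("drop", "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed packets.
OUTBOUND = Packet("192.168.1.20", 50000, "203.0.113.10", 443, syn=True)
REPLY = Packet("203.0.113.10", 443, "192.168.1.20", 50000)
STRAY = Packet("203.0.113.10", 443, "192.168.1.20", 50001)
INBOUND_NEW = Packet("203.0.113.10", 40000, "192.168.1.20", 22, syn=True)

if __name__ == "__main__":
    # The plain filter sees the reply as traffic from the less trusted side
    # and drops it; the stateful firewall recognises it as part of a
    # connection that the trusted side opened.
    print("filter, reply:  ", packet_filter(RULES, REPLY))
    firewall = StatefulFirewall(RULES)
    print("stateful, out:  ", firewall.inspect(OUTBOUND))
    print("stateful, reply:", firewall.inspect(REPLY))
    print("stateful, stray:", firewall.inspect(STRAY))
    print("stateful, new inbound:", firewall.inspect(INBOUND_NEW))
```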
Other Things Firewalls Are Used For
Firewalls can provide a secure connection between two networks. This is called tunnelling. The data may be encrypted. It is unencrypted at the other end. Since the firewalls are doing this, the rest of the network is unaware of it. An alternative is to provide a secure access (to the corporate network).
Network Address Translation
Very often, firewalls can translate IP addresses. That way, many computers can share a few public IP addresses. The firewall translates between the public and the private IP addresses.
Types of Firewalls
In general, there are two types of firewalls:
Software-based firewalls: these are often run as additional programs on computers that are used for other things. They are often known as personal firewalls, which can be updated on personal computers.
Hardware-based firewalls: Hardware-based firewalls run on a dedicated computer (or appliance). Often, these offer better performance than software firewalls, but they are also more expensive.
What Firewalls Cannot Protect Against
Firewalls can protect against some problems (viruses and attacks) that come from the internet. They cannot protect against viruses that come from infected media (like an infected office document on a USB flash drive).
A backup is a copy of some data. This copy can be used when the original data is changed, or lost. Losing data is common: A 2008 survey found that two thirds of respondents had lost files on their home PC.[40] Another purpose of backing up data is to have a copy that represents an earlier state of the data, before it was changed. Organizations may have rules which state how long data should be kept, and what kinds of data these rules apply to. In many countries, there are rules that specify that certain kinds of data need to be kept for a given time. An example of this is the data used for accounting.
Backups are a simple form of disaster recovery. Although they are commonly seen as disaster recovery in themselves, they should be part of a disaster recovery plan. A disaster recovery plan is a documented set of procedures and tasks to perform to protect the consistency and integrity of a corporate IT system.
There are different types of backup systems that use different kinds of media. Common backup media include:
Different kinds of tapes, for example Digital Audio Tape, or LTO
Hard disks
Optical disks like CDs and DVDs
Magneto-Optical Discs
Emails
Some of the backup media are portable, and can easily be stored in a safe location. The problem with storing tapes in a bank safe, for example, is that they are only available during the opening hours of the bank.
Another issue has commonly been the speed of the backup. Media such as digital tapes can store a lot of data, but accessing them is relatively slow. Tapes can only be read or written in sequence, while media such as hard disks or optical drives are basically random access. When data is backed up, its encoding is often changed. This makes it possible to use codes such as cyclic redundancy checks, which can detect, and sometimes repair, an error.
Backups are usually done for one of the following reasons:
Prevent data loss if there is a disaster (like a fire or hardware failure, or an intentional or unintentional deletion)
Computer viruses or other programs make data unusable
There is a logical error in the data
Sudden computer shutdown which can be caused by power shortage.
A full backup copies all of the data. This means that if the main copy of the data is lost, we can bring it all back simply by copying the data back from the backup.
A differential backup only copies the data that has changed since the last full backup. The reason we do this is that sometimes only a small amount of data has changed since the last full backup; this means we can do a differential backup much more quickly. If someone loses their data, and needs to get it back from a differential backup, they need to use the last full backup, to bring back all of their data. They then need to use the last differential backup to bring back everything that was changed between the full backup and the differential backup.
An incremental backup only copies the data that has changed since the last incremental backup. This makes each backup quicker, because we are only copying what has changed since the last backup. To bring the data back, if the main copy of the data is lost, we need the last full backup, as well as all of the incremental backups that have been done since then. This means that bringing data back from an incremental backup is slower and more risky than differential or full backups.
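Which backups a restore needs under each scheme, and why a long incremental chain is the riskier one, as an added Python example that is not part of the original chapter. The Backup record and the two one-week schedules are constructed for illustration, and an incremental backup is assumed to build on whatever backup came directly before it.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Backup:
    day: int
    kind: str          # "full", "differential" or "incremental"
    ok: bool = True    # False when the backup can no longer be read


def chain_for(backups, index):
    """Backups needed to bring back the data as of backups[index], oldest first."""
    chain = []
    i = index
    while True:
        current = backups[i]
        chain.append(current)
        if current.kind == "full":
            break
        base = i - 1  # an incremental builds on the backup just before it
        if current.kind == "differential":
            # A differential builds directly on the last full backup.
            while base >= 0 and backups[base].kind != "full":
                base -= 1
        if base < 0:
            raise ValueError("no full backup to start from")
        i = base
    return chain[::-1]


def latest_restorable(backups):
    """Chain for the newest point in time whose backups are all readable."""
    for index in range(len(backups) - 1, -1, -1):
        try:
            chain = chain_for(backups, index)
        except ValueError:
            continue
        if all(item.ok for item in chain):
            return chain
    return []


def damage(backups, day):
    """Copy of the schedule with the backup from `day` marked unreadable."""
    return [replace(b, ok=False) if b.day == day else b for b in backups]


# Constructed one-week schedules: a full backup on day 0, then one backup a day.
INCREMENTAL_WEEK = [Backup(0, "full")] + [Backup(d, "incremental") for d in range(1, 7)]
DIFFERENTIAL_WEEK = [Backup(0, "full")] + [Backup(d, "differential") for d in range(1, 7)]


def days(chain):
    return [item.day for item in chain]


if __name__ == "__main__":
    print("incremental restore needs days ", days(chain_for(INCREMENTAL_WEEK, 6)))
    print("differential restore needs days", days(chain_for(DIFFERENTIAL_WEEK, 6)))
    # The backup from day 3 turns out to be unreadable.
    print("incremental, day 3 lost: ",
          days(latest_restorable(damage(INCREMENTAL_WEEK, 3))))
    print("differential, day 3 lost:",
          days(latest_restorable(damage(DIFFERENTIAL_WEEK, 3))))
```

With day 3 unreadable, the incremental schedule can only be brought back to day 2, while the differential schedule still reaches day 6.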
The Grandfather-father-son system means that we keep different types of backup for different amounts of time. For example, we might do a backup every day, and keep a week’s worth of backups. We might then keep one backup for each week for a month, and one backup from each month for a year. This means that we have a backup of our data from a year ago, so that if we realise we need some data from a long time ago, we have that data available. We also have several copies of our recent data, in case one of them doesn’t work.
· This chapter navigates the ethical dimensions and privacy implications stemming from the influence of information systems.
· The text introduces the ACM’s Code of Ethics and discusses the merits and drawbacks of such codes, drawing parallels with Acceptable Use Policies.
· Intellectual property, crucially affected by digital advancements, is examined in detail, emphasizing copyright, patent, and trademark protections.
· The chapter also scrutinizes patents and the emergence of patent trolls.
· Concluding, it underscores the evolving landscape of ethics and privacy, emphasizing the ongoing need for adaptation to confront emerging challenges.
Security Summary
· This chapter provides a comprehensive overview of computer security, covering the fundamental goals of confidentiality, integrity, and availability.
· It dives into security measures like access restrictions, peripherals, firewalls, and antivirus software.
· Encryption methods, including ROT13, RSA, AES, and the one-time pad, are highlighted for secure communication.
· The role and limitations of antivirus software are outlined, and firewalls are introduced, emphasizing their functions in network security.
· This section on backups underscores their importance in data management and disaster recovery, addressing various types of backup media, reasons for performing backups, and strategies like the grandfather-father-son system for effective backup management over time.
“Safe harbor” Provision: limits the liability of online service providers when someone using their services commits copyright infringement.
Acceptable Use Policy (AUP):
Antivirus software: if properly installed on a computer system, can prevent access to computer systems by unwanted computer programs.
Backup: a copy of some data.
Children’s Online Privacy Protection Act (COPPA): required the federal trade commission to issue and enforce regulations concerning children’s online privacy.
Code of Ethics: a set of official standards of conduct that the members of a group are expected to uphold.
Common law trademark: is a trademark established solely through use in commerce in a specific geographical area.
Computer Security: is a branch of information technology known as information security, which is intended to protect computers.
Copyright law: allows the holder of a copyright to authorize someone else to make the work public.
Copyright: the protection given to songs, computer programs, books, and other creative works.
Creative Commons: is a nonprofit organization that provides legal tools for artists and authors.
Decryption: is a way to change an encrypted piece of information back into unencrypted form.
Differential Backup: only copies the data that has changed since the last full backup.
Digital Millennium Copyright Act (DMCA): extended copyright law to take into consideration digital technologies.
Electronic Frontier Foundation (EFF): is the leading nonprofit organization defending civil liberties in the digital world.
Encryption: is a method which allows information to be hidden so that it cannot be read without special knowledge.
Ethical Dilemma: a situation in which a difficult choice has to be made between two courses of action, either of which entails transgressing a moral principle.
Ethics: moral principles that govern a person’s behavior or the conducting of an activity.
Family Educational Rights and Privacy Act (FERPA): is a US law that protects the privacy of student education records.
Federal Trade Commission (FTC): a federal agency, established in 1914, that administers antitrust and consumer protection legislation in pursuit of free and fair competition in the marketplace.
Firewall: a part of a computer system or network which is designed to block unauthorized access while permitting outward communication.
Full Backup: copies all of the data.
Grandfather-father-son: means that we keep different types of backup for different amounts of time.
Health Insurance Portability and Accountability Act (HIPAA): this law gives patients specific rights to control their medical records, requires health care providers and others who maintain this information to get specific permission in order to share it, and imposes penalties on the institutions that breach this trust.
HTTP Cookie: is a simple computer file made of text.
Hypertext Transfer Protocol (HTTP): is a communications protocol. It is used to send and receive webpages and files on the internet.
Incremental backup: only copies the data that has changed since the last incremental backup.
Malware (Malicious Software): is a kind of software that can be installed on a computer without approval from the computer’s owner.
Non-Obvious Relationship Awareness (NORA): process of collecting large quantities of a variety of information then combining it to create profiles of individuals.
Patents: create protection for someone who invents a new product or process.
Personally Identifiable Information (PII): information about a person that can be used to uniquely establish that person’s identity.
Privacy: means the ability to control information about oneself.
Registered trademark: the name or symbol of a product or company, shown by the sign ®, which is officially recorded and cannot legally be used by another producer or company.
Trademark: a word, phrase, logo, shape or sound that identifies a source of goods or services.
User Agent: a computer program representing a person. (Example: a browser in a web context.)
Wi-Fi Protected Access (WPA): is the name for a number of standards to use encryption on a Wireless LAN.
Wired Equivalent Privacy (WEP): is a standard to use encryption in Wireless LANs.
1. What is the meaning of the term “Information systems ethics”?
2. What safeguards are offered by a patent, and how can one be obtained?
3. What safeguards are offered by copyright, and how can one be obtained?
4. Reflecting on your code of ethics, would you initiate a business with the same ethical principles? What is one advantage or disadvantage of having a code of ethics?
5. When considering computer security, what are the three primary objectives?
6. What are some fundamental methods for computer security that can be employed?
7. What types of malware exist, and which is considered the more effective option?
8. Do you consider it essential to back up your electronic data? What are the primary reasons for implementing a backup?
Chapter Attributions:
This chapter was remixed from the following sources:
OER (1 of 4): Information Systems for Business and Beyond (2019) by David Bourgeois is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted. The Bourgeois 2019 book was initially developed in 2014 by Dr. David Bourgeois as part of the Open Textbook Challenge funded by the Saylor Foundation. The 2019 edition is an update to that textbook. https://digitalcommons.biola.edu/open-textbooks/1/
OER (2 of 4): Information Systems for Business and Beyond Copyright © 2022 by Shauna Roch; James Fowler; Barbara Smith; and David Bourgeois is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
OER (3 of 4): Information Literacy (Lumen) Libre Texts Humanities, 19.2 Computer Security https://human.libretexts.org/Courses/Lumen_Learning/Book%3A_Information_Literacy_(Lumen)/19%3A_Computer_Concepts_4/19.2%3A_Computer_Security
Chapter summaries, key terms, chapter learning outcomes, 7.2, and introduction authored by Gabrielle Brixey MBA, MC at West Hills College Coalinga.
This content is aggregated and remixed under the Creative Commons Attribution-NonCommercial 4.0 International License unless otherwise stated, by West Hills College Coalinga, January 2024, with summaries and curation provided by Gabrielle Brixey MBA, MC.
This text is a remixed OER licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.