Before talking about Ethics and Law, we should look at the human cognition and understand some of our errors and biases. Our ethics and law try to address some of these errors.

Human Biases

The human factor in security incidents

Analysis of security incidents reveals, more often than not, human factor as a major cause
- Typically not deliberate – usually someone who was honestly trying to do their best
People who want to make decisions that are good for their own and/or their employer’s security, all too often make bad decisions

Most errors

Some combination of:
- Trying to do their jobs
- Insufficient security awareness
- Thinking others are like them
The result can be a disaster

Examples of human security errors

Carelessness, e.g.,
- Traveling with more data than needed
- Failing to encrypt confidential data
- Leaving confidential data / equipment unattended
Accidental disclosure, e.g.,
- Reading confidential data in a public place
- Holding confidential conversation in an “empty” public place (sensitive microphones can pick it up)
Misplaced trust in people or things, e.g.,
- Inadequate verification that someone is who they claim to be (falling for a fake ID, a fake badge)
- Believing that someone is who they appear to be (anyone can wear an official-looking “uniform”)
- Trusting a “complimentary” USB drive picked up at a booth during a convention
- Falling for crafty social

Incomplete info, bound rationality

Errors are caused by both lack of info, and the limited ability of humans to process info
- Computer analogy: Our outputs are computed with incomplete inputs and a limited/faulty CPU
Humans use simple and easy-to-use heuristics to both learn and make decisions
- They had survival value for ancient humans
- But today they result in worse decisions than those resulting from informed rational choice

Human decisions-making: Frequent pitfalls

Badly biased
- Far from what a correct analysis would dictate
Prone to fallacies
- Illusions – belief in untruths, disbelief in truths
- Bad estimates of likelihoods of possible futures
- Bad generalizations
Gives undue weight to the unimportant
- And under-weigh the more important

The Cognitive Bias Codex

https://www.sog.unc.edu/sites/www.sog.unc.edu/files/course_materials/Cognitive%20Biases%20Codex.pdf

Some common fallacies

Representativeness heuristics

Assesses similarity of events/objects/people
Groups them by similarity
Uses a prototype for each category

Base rate fallacy

Recall: Representativeness relies on similarity
When people repeatedly see (or read, or hear) A and B together, it causes them to mentally strengthen the association between A and B
- Because “edge” A,B is undirected, this can lead them to erroneously confuse P(A|B) with P(B|A)
- E.g., if most observed actions of type A were done by members of group B, people wrongly conclude that a random member of B is likely to do an

Neglect of probability

Subjects completely ignore probabilities, instead they focus entirely on the outcomes’ magnitudes

Availability heuristics

Easy to remember, therefore more recent events likely to happen
Judging an event to be more likely if its occurrences are recalled with relative ease

Hyperbolic discounting

Inconsistent discounting of future events
- Much more weight is placed on what arrives sooner than on what arrives later
- Favors short term (the present wins v. the future)
- Going to have one more drink, watch one more show, disregard of tomorrow morning. Joy now, disregard pain later

Status quo bias

Preference for things to stay relatively same

Valence effect

Tendency to over-estimate the likelihood of favorable outcomes

Self-serving bias

Belief that the odds for oneself are better than the odds for others
- Like valence effect, but “self relative to others”

Hindsight bias

Tendency to see a past event as having been predictable, even when it was not
- Information after the event influences recollection
- “I knew it all along”, “I could see it coming”, …
- Documented in many experiments

Illusion of control

Unfounded belief in ability to control events
In experiments with random outcomes, subjects believed they influenced the outcomes as long as they were given “controls” (such as light switches to flip, dice to roll, buttons to push, …)

Endowment effect

Value something more when you already have it
- Alice buys mug for $5, then wants $10 to sell it
- Alice values equally X and Y, won’t trade her X for a Y

Illusion of attention

Tendency to only see what is expected, what is the focus of attention

Overconfidence

Tendency to be more confident in one’s knowledge/abilities than what would be warranted by facts
- E.g., subjective confidence in knowing probabilities that are notoriously difficult to estimate

Wishful thinking

The desire for something to be true, leads to a belief that it is true. Occurs frequently in the

Rational Ignorance

When is it rational to choose ignorance?

Reciprocity and fairness

Innate human desire to

Inequity aversion

Aversion to undeserved rewards
- Whether by others or by oneself

Survivorship bias

Concentrating on surviving entities
- Ignoring those that disappeared along the way

Gambler’s fallacy

The mistaken belief that if something happens more frequently than normal during some period, it will happen less frequently in future
- And vice-versa (first less frequently, then more)
Monte Carlo Casino on August 18, 1913
- Ball fell in black 26 times in a row in roulette
- Gamblers lost fortunes betting against black (in mistaken belief that past rolls influence future)

Anchoring

Tendency to attach (“anchor”) thoughts to a reference point (even apparently irrelevant)
- The random wheel experiment of 1974 (outcome influenced estimates of unrelated quantities)

Correlation related fallacies

Fallacies can arise when people use correlation between A and B to infer causality (“A causes B”)
Inferring causality is often easy, such as in examples:
- A = strong wind, B = fast rotation of windmills
- A = being a professional swimmer, B = having an athletic and streamlined body
- A = being good-looking / attractive, B = being in advertisements for consumer products

Confirmation Bias

Tendency to seek and interpret information in a way that confirms one’s preexisting beliefs
- Far less consideration to alternative possibilities
- Effect is stronger for emotionally charged issues and for deeply entrenched beliefs

Defective/Hasty generalization

Drawing general conclusions from a small number of observations (“proof by examples”)
- About groups of people based on few members
- About one’s resilience to cyber-attack based on the fact that all such past attack attempts failed
- About a farmer’s love for its turkey based on the fact that it fed and nurtured it for months
- About a species’ future survival based on the fact that it has so far avoided extinction

Example of non-representative sample

A company has stores in many locations
- Half the stores are very large, half are very small

Social bias

Abandoning one’s own belief or information under the influence of other people’s actions
Positive feedback at work: The more people follow an idea, the more others view it as true
- Similar to lock-in

Social bias and fraud

Social bias is exploited in affinity fraud

Following the herd

had survival value for early humans

Groupthink

Special case of social bias that afflicts decisionmaking groups that form a cohesive, close-knit, and consensus-oriented teams

Sunk cost (Concorde) fallacy

Justifying continued spending on a decision, based on the amounts already spent on it
- Sunk cost = cumulative cost already incurred

Sunk cost fallacy examples

Bob bought $50 non-refundable concert ticket
- He no longer feels like attending concert, attends anyway because of his wish to “not waste $50”

Loss aversion

Pain of a loss of X exceeds joy of a gain of X
- It’s a partial cause of the endowment effect

Ethics

What are ethics?

Systematic approaches to making choices
Ethics are choices

Metaethics?

Formal study of systems of ethics known as metaethics, subfield of philosophy
Normative vs applied
Primary focus on normative ethics, what you should do given situation

Basic ethics isn’t simple

Ethical systems need underlying goal, example:
- Do what is right (deontological)
- Ends justify a means
- Based on religion (golden rule)
- Are we just to all? Justice Theory
- Do ethics even matter?

Ethics in current society

Our society is primarily based on deontological principles, with some consideration of utilitarianism and justice
- It isnt whether you win or lose, its how you play the game
- Basic underlying idea of laws and regulations
  - Rules matter (miranda)
We don’t ignore the rules based on outcome
- I had to follow orders – this is not accepted during warcrime trials
- Whatever it takes – this is not accepted

Professional Ethics

Most professional organizations have a Code of Ethics / Conduct for guidance
These are intended to enhance trust of professional

Ethics are important

As responsible adults ethical choices in daily lives, has consequences that affect small or many. Indirect consequences
Concepts of honor and trust – reputation
Trust the software, system, people

Uncertainty

When you are unsure what is ethical you may
- Delay decision
- Regret
- Make poor choice
- Cause others to behave badly

What to do?

First, think about your system of ethics. Your philosophical principles
- Golden rule
- Justice for all
Can you consult with an expert or mentor?
Is there a designated ombudsman?
Are you fully prepared for the consequences of your choice?
Note: ethics are for choices. If forced to choose then ethics may not apply

ACM and its Mission (Association for Computing Machinery)

Oldest and largest global society of computing researchers, practitioners and students
Mission – see a world where computing helps solve tomorrow’s problems, where we use knowledge and skills to advance profession and make positive impact
Nearly 100,000 members (2019)
- USA = 51%
- Europe 16%
- India 11%
- China 5%
75/25 professional / student
50/50 practiioner / researcher
20/80 female / male
Promote scientific scholarship
- Scientific stewardship
  - 535k full text ACM publications
  - 2.8M bibiliogrphic records
  - 2.5M unique visitors
  - Consider this for research assignments
Cutting-edge technical information for practitioners
- 170 conferences
- 37 special interests group
- Queue magazine
- Tech talks
- Webinars
- Books
Code of Conduct / Professional
- Adopted June 2018
  - Previous version 1992
- Worldwide participation
- Overwhelming consensus
- https://www.acm.org/code-of-ethics/

ACM Code of Ethics and Professional Conduct

Part1: General Ethical Principles

Contribute to society and human well-bening
Avoid harm
Be honest and trustworthy
Be fair
Honor property rights
Give proper credit for IP
Respect privacy of others
Honor confidentiality

Part2: Professional Responsibilities

Strive achieve highest quality
Maintain professional competence
Know and respect laws
Accept and provide reviews
Give evaluations of computer systems and impacts
Honor contracts
Improve understanding of computing and consequences

Part3: Professional Leadership Principles

Articulate social responsibilities
Manage personnel and resources to enhance quality of life
Etc.

Part4: Compliance with the code

Uphold and promote the principles of the code
Treat violations of this code as inconsistent with membership
- Dont join if not agree
- Can be banned from ACM

Other examples

IEEE Code of Conduct
ISSA Code of Ethics
- Performa professional in accordance to laws
- Promote security and best practices
- Maintain confidentiality of IP or sensitive info
- Diligence and honesty
- Avoid conflict of interest that may damage reputation or detrimental of employers, professionals, associations
- No harm

Law

Origins of Law

Originally, the edict of the chief/monarch
- Common in everything from tribes to nations
Religious institutions also observed this model
- E.g., the Catholic Church, learned rabbis and imams
As economic and social power diversified, power sharing became important
Philosophy provided grounds for “fairness” and acceptable behavior
- Different philosophies provide different grounding

Types of Laws

Criminal law
Civil Law
Administrative Law
Military Law
Law of the High Seas, etc. (treaty)

US Criminal Law General Practice

Congress passes authorizing law
Law enforcement investigates and gathers evidence based on complaint or direction
- Material is presented to US Attorney
US Attorney presents material to a grand jury
- Indictment may be returned
US Attorney brings case
- May seek plea bargain
Trial held in District Court
- Defendant chooses trial by judge or (petit) jury
- Judge sentences convicted defendant

Appeals

Defendant or US Attorney may petition Circuit Court (Court of Appeals) as an appeal
- Only allowed on matters of law or new evidence
Circuit Court hears case with 3 judges, or en banc with all
Parties may petition (writ of certiorari) US Supreme Court (SCOTUS) over matters of law
- May also seek emergency injunction or temporary restraining order

Notable features of US Law

Accused is considered innocent until proven guilty (derived from 6 th amendment)
US Constitution, Article I § 9
- Ex post facto laws not allowed = law must exist before being charged for it
- No bills of attainder allowed (Also Article 3 § 3) = cannot take family member instead
- Habeas Corpus may not be suspended except in special cases = have to show there was crime, allow trial, know when going prison
Fourth Amendment
- Warrants required for search
- No person may be compelled to testify against self
Defendants may demand an impartial jury (Art. 3 § 2, and 6 th Amendment)
Right to legal counsel (6 th Amendment

Federal Jurisdiction

For Federal action or authority, there must be:

Constitutional authority
Federal interest

In particular, courts are limited in what cases they can adjudicate, requiring

Standing of parties
Traceability to Federal statute or Constitution

There are similar issues for Federal law enforcement

1801 agents have arrest authority
1811 special agents/inspectors/deputy marshals can perform investigations
Some have state arrest power
A few also can enforce Uniform Code of Military Justice

Frontier Justice

Some lawyers’ USENET (mis)adventures 30+ years ago

Usenet (/ˈjuːznɛt/) is a worldwide distributed discussion system available on computers. It was developed from the general-purpose Unix-to-Unix Copy (UUCP) dial-up network architecture. Tom Truscott and Jim Ellis conceived the idea in 1979, and it was established in 1980.

Advertised (massively) their immigration advisory services
Suffered retaliation (with impunity), e.g.,
Fake mail orders, fake pizza orders
“Cancelbots”
Spamming
…
Their ISP terminated their service

US Federal Laws

Example areas

Records and reports
- Concealment, removal, mutilation
Sabotage
Stolen property
Communications interception
Privacy protection
Malicious mischief
Theft
Unauthorized use
Trespass
Tampering (various degrees)
Unlawful duplication
Criminal possession
Theft of services
Fraudulent use of credit cards
Copyrights
- Infringements, remedies
Embezzlement and theft
Espionage
Censorship
Fraud and false statements
Mail fraud and swindles
Forgery
Eavesdropping
Child pornography
Human trafficking
…

Examples of Statutes

U.S. Computer Fraud and Abuse Act 1984
U.S. Economic Espionage Act
U.S. Electronic Funds Transfer Act
U.S. Freedom of Information Act
U.S. Privacy Act 1974
U.S. Electronic Communication Privacy Act 1986
Gramm-Leach-Bliley 1999 – piracy of data for customers of financial Institutions
HIPAA 1996
USA Patriot Act
CAN SPAM Act
California Breach Notification 2003
Identity Theft Enforcement and Restitution Act

US Computer Fraud and Abuse Act

Also known as the USFAA, U.S.C. 18 § 1030 (title 18 = all laws dealing with theft)

Knowingly accessing a computer without authorization to obtain national security data
Intentionally accessing a computer without authorization to obtain:
- Information contained in a financial record of a financial institution or contained in a file of a consumer reporting agency on a consumer.
- Information from any department or agency of the United States
- Information from any protected computer if the conduct involves an interstate or foreign communication
Intentionally accessing without authorization a government computer and affecting the use of the government’s operation of the computer
Knowingly accessing a protected computer with the intent to defraud and thereby obtaining anything of value.
Knowingly causing the transmission of a program, information, code, or command that causes damage or intentionally accessing a computer without authorization, and as a result of such conduct, causes damage that results in:
- Loss to one or more persons during any one-year period aggregating at least $5,000 in value.
- The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
- Physical injury to any person.
- A threat to public health or safety.
- Damage affecting a government computer system.
Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization

HIPPA

Health Insurance Portability and Accountability Act

Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. It helps people keep their information private

Gramm-Leach-Bliley

Also known as GLB

The Financial Privacy Rule which governs the collection and disclosure of customers personal financial information by financial institutions. It also applies to companies, regardless of whether they are financial institutions, who receive such information.

The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions such as credit reporting age

International Agreements/Acts

Generally, items covered in treaties

Council of Europe Agreement on Cybercrime 2001 (US, Canada, Japan, E.U. countries)
E.U. Data Protection Act
Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse (2007)
Treaties on Patents
United Nations Convention Against Transnational Organized Crime (2000)
UN Declaration of Human Rights

Laws in other nations

Country-dependent
Significant differences between countries
- Restrictions on cryptography
- Domestic restrictions
- Import / export restrictions
Burden of proof/guilt
Privacy
Language laws
- U.S. university sued in France (English-only web site) Georgia Tech
Lèse majesté in various forms (ruler, party, country)
- Lèse-majesté or lese-majesty is an offence against the dignity of a ruling head of state (traditionally a monarch but now more often a president) or the state itself. The English name for this crime is a borrowing from the French, where it means “a crime against The Crown.”[3]
Some apply across international borders, e.g. GDPR

A note on extradition

A person “P” present in country “X” is accused of a crime in country “Y”
The courts in country “Y” want the person so they can prosecute.
In international law, this generally requires the following:
- Countries “X” and “Y” must have an extradition treaty in place
- The act alleged against “P” must be a similar crime in country “X” as it is in “Y” if not explicitly designated otherwise in treaty
- (Possibly) the penalty for the crime in country “Y” cannot be unduly severe compared to the penalty in country “X”
But suppose person “P” claims that the charges are a ruse and politically or religiously motivated?
- An extradition trial is held in country “X” to determine if the person can stay.
Note that person “P” may continue to be in jeopardy if traveling internationally or visa revoked

Crimes Spanning Countries

Currently, criminals are well-aware of the extradition limitations and base their operations accordingly
In some cases, criminal organizations are quasi-governmental and are careful not to operate within their home countries
Several countries operate with “sealed warrants” and track criminals
Interpol may also have sealed “red notices”
The US/UK others may use banking regulations to hinder criminals
Some countries may “hack back”

Copyrights

Copyrights

Copyright = exclusive right that the creator of an original work has to its use/dissemination
- Even if no explicit sign
Writing, music, art, performances
- Covers derivative works
Exists from the moment object fixed in tangible form
- Depends on treaty for international
- Life of author + 70 years for individual
- 120 years or 95 years after publication for “work for hire

Copyright Infringement

Direct infringement
- “Strict liability” rule: It does not matter whether the infringer thought she/he was breaking the law
Contributory infringement
- Knowingly contribute to infringement by other(s)
Vicarious liability
- Benefit financially from another party’s infringement, and
- Having control over that other party’s

Copyrights: Liability Limits

CDA “Safe Harbor” (Section 230)

Provisions that limit the liability of certain organizations
Some special condition must hold, e.g.,
- “Mere conduit”
- Caching
- Hosting
Examples
- An ISP
- A university

Intellectual Property – Patents

Patent = Exclusive legal rights to invention

Granted to inventor or assignee
Granted by a specific country
Limited in time (expiration date, usually 20 years)
Requires public disclosure of the invention
Solution to a specific technological problem (can be a product or a process) defined by claims
Solution must be novel, useful, and non-obvious
Can be difficult to enforce (even to detect) infringement
Defensive publication
- Detailed public disclosure of invention for the purpose of preventing others from patenting it
- Establishes “prior art”
- Can be anonymous
An alternative to patent: Trade secret
- Invention is kept confidential (no time limit)
- Use nondisclosure and employment agreements
- Can be vulnerable to reverse engineering

Reverse-Engineering

OK if for certain purposes (e.g., interoperability)
Lexmark v.s. Static Control
- Static Control had reverse-engineered Lexmark chips for the purpose of making and selling cartridges that are compatible with Lexmark printers
- Court upheld the right of Static Control to make parts that interoperate with goods of another manufacturer
- Static Control could afford the legal fight, an individual researcher (professor or grad student) typically cannot
Anti-competitive practices are rife (not only in printers)
- Cell phone batteries, automobile parts, …
2020 Decision in Apple vs. Corellium
HP OfficeJet episode
- On 9/13/2016, a firmware update from HP deliberately caused all HP OfficeJet printers to reject non-HP ink cartridges
- On 9/12/2016 a customer had a working printer, one day later it no longer worked
- The non-HP ink cartridge makers will (try to) produce cartridges that work with the new firmware
Some auto manufacturers now claim to own parts of a vehicle you bought and fully paid for
“Right to Repair” legislation is gaining ground in EU and some states

DCMA and Reverse Engineering

The Digital Millennium Copyright Act is a 1998 United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization. It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works.

Section 1201 of DMCA forbids “circumvention of copyright protection systems”
- Provides both criminal and civil penalties
- Not just for music and movies: Applies to software and hardware (even multi- purpose, as long as a purpose pertains to copyright protection)
Has been used to prevent reverse engineering
- Even when done by responsible researchers whose purpose is to analyze the security of deployed systems, inform their manufacturers of the flaws discovered, and help them fix those flaws
When honest, responsible researcher informs manufacturer of discovered flaws, a common reaction is a threat of a lawsuit under DMCA
- Manufacturer’s do not want their products’ internals investigated, use DMCA to prevent it
Manufacturers’ motivations include:
- Embarrassment caused by disclosure of the flaws
- The costs they’d have to incur to fix the flaws
- The “flaws” might be deliberate (and illegal

eof

solidfish

Cyber Ethics and Law

Human Biases

The Cognitive Bias Codex

Some common fallacies

Ethics

Law

Related