Ethics, Week 13

Pirate Bay verdict, and ensuing crankiness
CFAA and the Citrin decision
Trust and SSL
Jurisdiction
Software trust
Voting
Linking

Ellen paper

Is ownership of the phone the deciding feature, or is it the employment relationship? Several people argued that the owner of the phone had a right to track it, but if that's the case, does the owner of the Loyola lab computers (that is, Loyola) have the right to your files, or to perform keystroke monitoring? The more traditional legal argument here is that the employer has the right to track the employees.

The grader's remarks are in pencil; mine are in pen. The grader provided tentative letter grades; these are not final: my numeric score in pen, X/20, is your grade. B=15. The grader was concerned with ethical analysis; I tended to accept a broader interpretation of that. Also, the grader was concerned with references.

Pirate Bay verdict

See http://thepiratebay.org. Yes, it's still up.

The four accused Pirates were convicted in Swedish court of having "assisted in making copyrighted files accessible". As in the United States, the standard for providing criminal assistance is relatively modest. And, on the face of it, the Pirates provided considerable assistance to file-sharers. The trickiest part is intent, and here the pirate logo is, well, strongly suggestive of intent. And the rest of the movies-want-to-be-free manifesto on the site is even more so.

Each defendant was fined ~$US 800,000, and sentenced to a year in jail. (Though Swedish prisons are relatively comfortable.) Of the four defendants, three are broke and wouldn't pay even if they could.

Why do so many commentators point out that the pirate bay doesn't actually host any of the content itself?

See:
http://torrentfreak.com/the-pirate-bay-trial-the-verdict-090417 (a few hours after the announcement)
http://news.cnet.com/8301-1023_3-10224201-93.html (a few days of reflection later)

Swedish Pirate Party doubles in size after the verdict -- Wired
What are these people thinking? I mean that seriously.

See also: http://oneswarm.cs.washington.edu. But note that, once you limit your file-sharing to within a trusted community, the pool is likely to be vastly smaller.

Terry Childs case documents

Childs is still in prison.

The case documents are back online at http://www.infoworld.com/d/data-management/terry-childs-case-in-its-own-words-928.

One possible reason Childs has been denied bail is the fact that a search of his residence just before his arrest turned up some 9mm ammunition, and Childs had in 1985 been convicted of a felony: armed robbery (with a knife). Possession of ammunition by a convicted felon is illegal in California (and many other states). Also, the fact that Childs had $10,000 in cash in his house was interpreted by the police as evidence that he was a flight risk. Finally, Childs lied to his supervisors when he said he had no past felony convictions, and lied again on the day of his management confrontation when he said his fiberWAN password no longer worked. Both of these are perhaps understandable, and in principle they shouldn't matter, but one doesn't know.

The most plausible charge against Childs is the allegation that he configured the routers not to store their configurations, and that this was done in order that if the network crashed, only he could ressurect it. (Failure to release a critical password to those who are not trained to appreciate it and possibly not authorized to have it is not exactly a plausible charge here.) From the arrest-warrant affidavit of police officer James Ramsay:

Mr Maupin [the city's security consultant] was also able to determine and validate that Mr Childs had, in fact, intentionally configured multiple Cisco network devices with a command that erases all configuration and data in the event that someone tries to restore administrative access or tries to perform disaster recovery. This command was created for military applications that require the deployment of network devices in areas that may have the possibility of hostile forces that could get physical access to network devices.

Officer Ramsay also was the one to tell Childs initially that failure to divulge the passwords was "a denial of service as defined under Penal Code violation Section 502(c)(5)". This claim remains farfetched, at face value, given the lack of clear authority within DTIS, although it might apply if Childs had withheld the password with malicious intent.

As for the configuration-to-erase claim, Childs' attorneys claimed in his bail-reduction motion that one of his colleagues, Carl Sian, intentionally kept (as for study) computer viruses, and later spread one to Childs (possibly accidentally). Somewhat later, Childs' supervisor Herb Tong made some technically inappropriate changes to the fiberWAN system. In light of those events, Childs may very well have felt that the "hardened" configuration of the routers was appropriate.

That document also claims that Childs had explicit permission from his supervisor, Herb Tong, to install the three modems.

International Airport Centers v Citrin

Generally the Computer Fraud & Abuse Act (CFAA) is viewed as being directed at "hackers" who break in to computer systems. However, nothing in the act requires that a network breakin be involved, and it is clear that Congress understood internal breakins to be a threat as well.

Just when is internal access a violation of the CFAA? Internal access is what Terry Childs is accused of.

In the 2006 Citrin case, the defendant deleted files from his laptop before going to work for himself. From http://technology.findlaw.com/articles/01033/009953.html:

Citrin ultimately decided to quit and go into business for himself, apparently in breach of his employment contract with the companies. Before returning the laptop to the companies, Citrin deleted all of the data in it, including not only the data he had collected [and had apparently never turned over to his employer -- pld], but also data that would have revealed to the companies improper conduct he had engaged in before he decided to quit. He caused this deletion using a secure-erasure program, such that it would be impossible to recover the deleted information.

His previous employer sued under the CFAA, noting that the latter contained a provision allowing suits against anyone who "intentionally causes damage without authorization to a protected computer". Citrin argued that he had authorization to use his company-provided laptop. The District Court agreed. The Seventh Circuit reversed, however, arguing in essence that once Citrin had decided to leave the company, and was not acting on the company's behalf, his authorization ended. Or (some guesswork here), Citrin's authorization was only for work done on behalf of his employer; work done against the interests of his employer was clearly not authorized.

Once again, the court looked at Citrin's actions in broad context, rather than in narrow technological terms.

Note that Citrin's specific act of deleting the files was pretty clearly an act that everybody involved understood as not what his employer wanted. This is not a grey-area case.

Compare this to the Terry Childs or Randall Schwartz cases. We don't have all the facts yet on Childs, but on a black-and-white scale these cases would seem at worst to be pale eggshell (that is, almost white). It seems very likely that Schwartz's intent was always to improve security at Intel; it seems equally likely that at least in the three modem-related charges against Childs there was absolutely no intent to undermine city security, or to act in any way contrary to what the city would have wanted if it had in fact any clue.

Trust

With all the concern about online theft, why do we trust online merchants at all? For that matter, why do we trust people we've met on facebook, etc?

Technological issues & trust: can we at least trust that we're talking to the person we think we're talking to?

Old-style PGP (Pretty Good Privacy) trust:
You need to VERIFY people's public keys (that the key matches the person). Otherwise you can get a bad key, write to them using it, and be victim of a man-in-the-middle attack.

(public key crypto: each person has a public key and a private key. If someone encrypts a message to you with your public key, you can decrypt it with your private key. Similarly, if you encrypt something with your private key, anyone can decrypt it with your public key, and in the process verify that it was encrypted with your private key. That last bit means that the message can act as your DIGITAL SIGNITURE.)

How can we be able to TRUST our keys?

Alice needs Bob's key.

She can meet Bob at a key-signing party. Bob can give her his key hash.
She can ask Chuck. Chuck says Bob's online keyhash is legit.
She can decide NOT to trust Chuck, at least about Bob, and ask Dora instead. Dora has never met Bob, but got Bob's keyhash from Ernie, who has.
She can ask someone who has a large group of signed verifications of keys. Three of them are signed verifications of Bob's key.

SSL certificates (TLS certificates)
SSL = secure socket layer, old name
TLS = transport-layer security, new name

Any pair of entities can negotiate a session key:

each gets others public key
each chooses some bits at random, encrypts with others' public key
exchange these; other side decrypts
now pick one key, or xor them, or concatenate them, or whatever.

You're guaranteed a random key provided the other side does not see your bits before choosing theirs. There are protocols to enforce that (eg exchanging encrypted bits and then exchanging special keys to decrypt them)

BUT: how do you know you're not about to give your credit card to a bad guy with whom you've just created a session key?

Ask landsend.com for their SSL certificate. Receive it. It includes digital signatures by well-known Certificate Authorities, or CAs. It also includes DNS name.

CHECK it by using known public key from one of the CAs. These keys are preinstalled in your browser.
This prevents man-in-the-middle attacks, but won't help if router or DNS is hacked

their SSL server uses public-key encryption to sign something with the current date/time; replay isn't feasible either.

What does this have to do with TRUST?

Do you trust the CAs listed in your browser? Huh? Have you even heard of any of them?

Edit => Preferences => Advanced => Encryption => View Certs

Note this is powerless against phishing attacks
Although the new Extended Valuation SSL Certs might. *Might*.

Back to why we trust online vendors:

we check out companies (at least some of us do)
lack of bad experiences
belief bad things won't happen to us
credit card limited liability (not applicable to debit cards!)
???

Overall, it seems that lack of bad past experience has the most to do with why we trust. This seems to be the case with face-to-face and brick-and-mortar relationships just as much as with online situations.

What about personal sites? (Not necessarily dating, but those too.) How do we form online friendships (eg at discussion sites)? What makes us think people aren't completely deceiving us? What about in face-to-face settings? Is that any different????

Jurisdiction online

jurisdictional issues: where did the sale take place? This one is very important for e-commerce.

Traditional three rules for lawsuit jurisdiction:

Purposeful availment: did defendant receive any benefit from the laws of the jurisdiction? If you're in South Dakota and you sell to someone in California, the laws of California would protect you if the buyer tried to cheat you. Generally, this is held to be the case even if you require payment upfront in all cases. The doctrine of purposeful availment means that, in exchange here for the benefits to you of California's laws, you submit to California's jurisdiction.
Where the act was done.
Whether the defendant has a reasonable expectation of being subject to that jurisdiction.

eHarmony lawsuits, for alleged discrimination against homosexuals

eHarmony is headquartered in California

New Jersey lawsuit by Eric McKinley, 2005
California lawsuit by Linda Carlson, 2007

How does jurisdiction apply? Should it have applied in New Jersey?
Is the fact that users must enter their address the deciding factor?

Would it have mattered if eHarmony was a free service?

sales

trademarks
libel/defamation
criminal law

laws governing sales: seller can sue in his home state/country
This is more or less universal.

laws governing trademarks

Trademark scope
        The Blue Note Cafe was located in NYC
        The Blue Note, St Louis (actually Columbia, MO) was a club, sued for trademark infringement by Blue Note New York because they had a web site.
        The case: Bensusan Restaurant Corp v King, 937 F. Supp. 295 (SDNY 1996)
The case was brought in federal district court, which decided there was a lack of jurisdiction. Before that, however, note that the Missouri club began using the name in 1980, and the NYC club did not register the trademark until 1985. Note that, generally speaking, in this sort of situation the Missouri club retains the right to continue to use the name locally, while non-local use is reserved to the federal trademark-holder.

The district court did look at the "long-arm statute" of the "forum state", that is, New York. The New York law provides that

a New York court may exercise personal jurisdiction over a non-domiciliary who "in person or though an agent" commits a tortious act within the state.

The State-court interpretation of this was that the act had to be committed in New York State, and the federal court deferred to this interpretation.

Another part of the NY state law did provide for jurisdiction when the other party was outside the state. However, the law also

... restricted the exercise of jurisdiction under sub-paragraph (a)(3) to persons who expect or should reasonably expect the tortious act to have consequences in the state and in addition derive substantial revenue from interstate commerce

The second circuit decided that Blue Note Missouri did not derive revenue from interstate commerce. End of case.

Blue Note St Louis had a mostly passive web site, although they did advertise tickets online, to performances at the club itself. These tickets had to be picked up at the Missouri box office; they were never mailed. Does this matter? Does it matter that the tickets were technically not sold over the internet, but instead you had to call a phone number?

This case was decided on jurisdictional grounds: NY State did not have jurisdiction.
The second-circuit appellate decision is at http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=2nd&navby=docket&no=969344.

Domain names

zippo v zippo, 1997

See http://cyber.law.harvard.edu/metaschool/fisher/domain/dncases/zippo.htm
    zippo lighters v zippo.com
    trademark infringement filed under PA state law, but filed in federal district court.
    PA "long arm" statute

zippo.com was a news service. They had email customers in PA, and two ISP customers.
    (1) the defendant must have sufficient "minimum contacts" with the forum state,
    (2) the claim asserted against the defendant must arise out of those contacts, and
    (3) the exercise of jurisdiction must be reasonable.

We find Dot Com's efforts to characterize its conduct as falling short of purposeful availment of doing business in Pennsylvania wholly unpersuasive. At oral argument, Defendant repeatedly characterized its actions as merely "operating a Web site" or "advertising." Dot Com also cites to a number of cases from this Circuit which, it claims, stand for the proposition that merely advertising in a forum, without more, is not a sufficient minimal contact. [FN7] This argument is misplaced. Dot Com has done more than advertise on the Internet in Pennsylvania. Defendant has sold passwords to approximately 3,000 subscribers in Pennsylvania and entered into seven contracts with Internet access providers to furnish its services to their customers in Pennsylvania. [emphasis added]

Decided JURISDICTIONAL issue, plus others: PA did have jurisdiction

Note the gray area between a completely passive website, just an "electronic billboard", and “the knowing and repeated transmission of computer files over the Internet”. Usually the latter means subscriber-specific information.

What about google.com? Should Illinois courts have jurisdiction?

Internationally, we already looked at LICRA v Yahoo, filed in France (and won by LICRA) for Yahoo's selling of Nazi memorabilia on its auction site in the US. Yahoo had initially agreed to comply with the French order, and then later changed its mind, and filed suit in the US asking that the US court declare that the french court did not have jurisdiction. That case ended in a draw (specifically, in a declaration that the case was not "ripe").

Suppose your bank makes an error. Where do you sue them? What if their only presence in your state is online? Consider the case Soma Medical v Standard Chartered Bank. SCB is located in Hong Kong. Soma is in Utah. Soma did banking with SCB online. Some money disappeared. Soma lost their lawsuit in Utah [Michael Shamos]

NTP v RIM: RIM's network hub was in Canada. RIM lost on that point, but there remain serious questions about whether US patent law extends to other countries.

Butler v Beer Across America
http://itlaw.wikia.com/wiki/Butler_v._Beer_Across_America
BAA is an Illinois company selling beer over the internet. Butler's minor son ordered beer, and it was delivered to him despite rules that required an adult signature. Butler sued BAA under an Alabama law that makes it illegal to sell alcohol to minors. In this case, Butler lost her bid to get Alabama jurisdiction, though the case was transferred by the Alabama court to Illinois.

Deciding that the sale of beer by Illinois defendants to an Alabama minor on the Internet occurred in Illinois, the federal court held that a single sale was insufficient minimum contacts to establish personal jurisdiction over the defendants in Alabama.

Cybersquatting:

This is somewhat related to trademark disputes, but an essential component is the claim that one party doesn't really want the trademark, but just wants to "extort" money from the other side.

See http://www.networksolutions.com/legal/dispute-policy.jsp

Uniform Domain Name Dispute Resolution Policy -- ICANN

4(b). Evidence of Registration and Use in Bad Faith. For the purposes of Paragraph 4(a)(iii), the following circumstances, in particular but without limitation, if found by the Panel to be present, shall be evidence of the registration and use of a domain name in bad faith:

(i) circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration to the complainant who is the owner of the trademark or service mark or to a competitor of that complainant, for valuable consideration in excess of your documented out-of-pocket costs directly related to the domain name; or

(ii) you have registered the domain name in order to prevent the owner of the trademark or service mark from reflecting the mark in a corresponding domain name, provided that you have engaged in a pattern of such conduct; or

(iii) you have registered the domain name primarily for the purpose of disrupting the business of a competitor; or

(iv) by using the domain name, you have intentionally attempted to attract, for commercial gain, Internet users to your web site or other on-line location, by creating a likelihood of confusion with the complainant's mark as to the source, sponsorship, affiliation, or endorsement of your web site or location or of a product or service on your web site or location.

========

Also AntiCybersquatting Consumer Protection Act.

Some form of bad faith is usually necessary. But not always, if the effect is to resemble a famous trademark and if you have good lawyers. Sometimes the only "bad faith" or "intent to profit" is the offer of the domain holder to settle the case by selling the domain to the plaintiff.

All this is really about trademarks, not about jurisdiction. But the "flat" namespace of the web makes all trademark disputes national, or even global.

vw.net: virtual works
    http://www.news.com/2100-1023-238287.html

Peculiarity: vw.net, a one-man company with James Anderson as principle, offered to sell the name to volkswagen in 1998, and threatened to auction the name off if volkswagen did not buy. This triggers a presumption of domain-name squatting.

"A federal appeals court in Virginia [2001] affirmed a lower court's ruling that online service provider Virtual Works Inc. violated the 1999 Anticybersquatting Consumer Protection Act when it registered the domain vw.net with the intent to sell it to Volkswagen of America."

"Grimes' [Anderson's early partner] deposition reveals that when registering vw.net, he and Anderson specifically acknowledged that vw.net might be confused with Volkswagen by some Internet users," Wilkinson wrote. "They nevertheless decided to register the address for their own use, but left open the possibility of one day selling the site to Volkswagen 'for a lot of money'."

See http://vwx.com. Oops, I guess not; that site is now for sale. At one point, it was about Anderson's side of the case.

A possibly important point was that virtual works never used the abbreviation "vw" except in the domain name.

They (vw.net) lost.

Is this about cybersquatting? Or is it about the (lack of) rights of the Little Guy to use their trademark in good faith?

american.com: formerly owned by cisco, now a private 'zine (the airline is aa.com)

gateway 2000 v gateway.com
    gateway.com was a computer consulting firm, run by Alan Clegg. There was absolutely no evidence that Clegg foresaw that in the year 2000 the name gateway2000.com would become obsolete, and reserved gateway.com in anticipation of a domain sale.

yahoo.com v yahooka.com [which see]
    Case was actually never filed

state-law libel and jurisdiction

A state court in Clayton v. Farb, 1998 Del. Super. LEXIS 175 (Del. April 23, 1998), found that Delaware's long arm statute did NOT reach the defendant, who posted allegedly libelous and slanderous false statements about the plaintiff on his Internet site. The statute provided for jurisdiction over tortious activity outside of Delaware ONLY if defendant regularly conducted business in the state. The court found that access in Delaware to defendant's Internet posting did not constitute sufficient contact to support the exercise of personal jurisdiction.

****** Decided on JURISDICTIONAL grounds
DE did not have jurisdiction

Laws governing libel:

Truth is a defense, but can be expensive to prove. If you say something false about a public figure, they have to prove actual malice. If you say something false about anyone else, all they have to prove is that you were negligent.

We've seen Batzel v Cremers.

Cremers lost on the jurisdiction issue.

But what if the legal climate in the Netherlands was different for libel lawsuits? What if in the Netherlands the burden of proof lay with the plaintiff to prove something false, and Cremers was sued in a jurisdiction (eg England, which still has pro-plaintiff libel laws) where the burden of proof lay with the defendant?

Trusting software: how do we do this? What responsibility do vendors have?

We've seen that people form trust relationships based on a fairly limited set of positive experiences (though a limited set of negatives, as well). Sometimes it seems that software has a lot to live up to, in that we trust it because we don't see bad experiences, but it is so easy for software to take advantage of us.

collecting personal information
Sony "rootkit" cd driver

Email: who is responsible for keeping you safe from spam?
From embedded tags in html that reveal to the sender if you've viewed the email?

The images issue has been around for almost a decade; many email vendors (and many freemail providers) have been reluctant to support image-blocking until ~2006 or later. (There may be legitimate reasons for that: it may be perceived as a hard-to-understand option.)

Browsers: browsers do all sorts of identification of themselves when they connect. Some of that is important; some is questionable. Most browsers do not leak "private" information, though they do leak the browser and OS you are using. Furthermore, this is hard to change!

Try http://www.jms1.net/ie.shtml, with internet explorer. (Actually, go to jms1.net, and you get redirected to the linked site if you're using IE. At one point there was a page on the site that would simply make IE die.)

IE's entire ActiveX security model is broken; ActiveX is an approach to security where you trust any signed software. Java, on the other hand, trusts any source, but runs the software in a "sandbox" where it (hopefully) can't damage your machine.

What about cookies?

Many browser PLUGINS do leak some degree of private information. When you register a plugin, you connect some personal information to that plugin. Also, some plugins contact the mothership at regular intervals.

See spywareremove.com/remove-BrowserPlugins

SEVERAL media players (plugin or otherwise) may do some checking of licenses or with mothership before allowing play. Perhaps most players from media companies behave this way.

What about compatibility lock-in?

To what extent should your OS be required to act on your behalf?
Palladium (aka Next-Generation Secure Computing Base):
    locks you out of lots of things.
    Trusted side: can't be reached by debuggers or viruses
    Problem: machine now is autonomous; vendor has complete control. Do you trust your vendor?
    Software updates, file compatibility,

SONY case has the rights of users front and center.
Sony's 2005 copy-protection scheme : that installs a private CD driver AND a hidden "r00tkit" (so named by Mark Russinovitch, then of sysinternals.com) that conceals itself and hides some registry keys.

Is this legit?

How does it compare with Palladium (secure-computing platform)?

Users do click on a license agreement. Were they sufficiently warned?
(Software was apparently installed before the EULA came up; and in any event clearly the EULA did not explain just what was going on.)

Note from Mark Russinovich, via wikipedia:

He also mentioned that the XCP software installed silently before the EULA appeared, that the EULA does not mention the XCP software, and that there was no uninstaller, all of which are illegal in various ways in various jurisdictions. Several comments to the entry recommended a lawsuit against Sony BMG.

There is now a virus/worm out that takes advantage of the sony kit.

Sony issued an uninstall utility that didn't actually uninstall the software, but did make it visible. However, users had to supply an email address, which by Sony's privacy policy was eligible for spamming.

This or a later removal kit allegedly ADDED a bad ActiveX control.

While we're on the subject of Sony, there was a recent report (in print, which I can't find now) that a significant breakin at US Government sites was precipitated by flaws in the LimeWire file-sharing package. As in, under some circumstances LimeWire would share everything.

Trusting voting machines

If we trust our phones and calculators, why on earth shouldn't we trust voting machines?

Because nobody will gain from secretly having our phones and calculators give incorrect results. We would find out almost immediately, after all.

(And there are now phone viruses)


Look at the video at http://itpolicy.princeton.edu/voting/videos.html
Question to think about and for discussion:

    Who are we trusting when we use these machines in an election?
    How is this trust different with paper ballots?
    Why did they make the video (versus just writing a paper)?

Notes: just booting with a clean memory card does NOT necessarily clear the machine! The bootloader in flash memory may have been corrupted. The machine loads a new bootloader from every card with a file fboot.nb0

Seals (which Diebold recommends) are often ignored, and if not then breaking them constitutes an effective DoS attack.

What about linking?

Is a link to a defamatory site a form of defamation?
(It probably depends on the context)

Is a link to "illegal" software forbidden?
2600 case: Universal v Reimerdes:
from wikipedia (http://en.wikipedia.org/wiki/Universal_v._Reimerdes)
In particular the Second Circuit ruled that linking on the Internet happened so fast that it could be restrained in ways that might not be constitutional for traditional media.
Also, apparently the defendants more or less admitted that they were providing links to deCSS for the purpose of making illegal DVD copies. Things might have been different had they linked for the purpose of research.

While we're at it, contemplate 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. Is this a legal number?

Part of the issue with linking is that it can provide easy access to "forbidden" content such as circumvention software (deCSS) or copyrighted content (eg providing movie .torrents). For that part, providing the URL in "unlinked" form is probably also subject to regulation.

But the other part is conventional "deep links". These can be used to view a given page out of context, or to view a given page in a border provided by another page, or to avoid advertising. Should these kinds of links be subject to prohibition?

Is linking to a site a form of using that site without authorization? Possibly leading to a claim of trespass-of-chattels?

What about linking to other sites:
     bandwidth
     trademark
     avoidance of advertising

     cussedness/control

search engines do this CONSTANTLY.

For a while this was a serious issue, but it seems to be flaming out. Lots of sites still have bizarre linking policies, though.

http://dontlink.com; alas, active site work stopped in 2002.

But see: http://www.americanexpress.com/shared/copyright/webrules.html, item 9, "Linked Internet Sites"

Symantec has a different approach: http://www.symantec.com/about/profile/policies/legal.jsp#linking (2009)

Linking to Symantec's Web Site

Symantec permits anyone to link to Symantec's web site subject to the linker's compliance with the following terms and conditions:
A site that links to Symantec's web site:

May link to, but not replicate, content contained in Symantec's site;
Must not create a border environment or browser around content contained in Symantec's site;
Must not present misleading or false information about Symantec's services or products;
Must not misrepresent Symantec's relationship with the linker;
Must not imply that Symantec is endorsing or sponsoring the linker or the linker's services or products;
Must not use Symantec's logos or trade dress without prior written permission from Symantec;
Must not contain content that could be construed as obscene, libelous, defamatory, pornographic, or inappropriate for all ages;
Must not contain materials that would violate any laws;
Must agree that the link may be removed at any time upon Symantec's request pursuant to Symantec's reserved rights to rescind its consent to allow the link.

Rules 1-8 are entirely reasonable.

A few other issues

Employment and empowerment: Do computers take jobs away? Do they make jobs more stressful? Do they reduce worker privacy to an unacceptable or inappropriate degree?
Effects of computing and blogging on the political process: does it help democracy or diminish it? The "diminish" theory comes in part from the idea that parties can now target individual hot-button issues for most voters, and that the wealth of political information on the internet is so vast that only "insiders" and professionals can comprehend it.
Computers and risk. What is the probability of software failure? Under traditional mechanical analysis, it is either 0.0 or 1.0; it either doesn't fail, or it does. As the latter value implies complete failure every time, it was generally assumed to be 0.0. Can more plausible statistical models of failure be developed? If you understand the failure mode, why don't you just fix the software? Anyway, how do we analyze software risk? In cars? In air-traffic control systems?
Star wars: aka The Strategic Defense Initiative. This was to be a software-engineering project of such magnitude that it was inaccessible to traditional methods. It was also untestable, as the only meaningful test would be all-out nuclear war.
Given all that, software is much more reliable than it used to be. How do we adjust to that?
Professional ethics: what are programmers called upon to do? Network admins? Database managers?
How do we evaluate technology in the schools? What about the Kutztown 13? Do computers make kids better writers? Does mathematica make students better at math?
How anticompetitive is Microsoft? Was bundling Internet Exporer in with Windows an example of antitrust? Are there other anticompetitive actions Microsoft takes?
How binding are click licenses, and shrinkwrap licenses? This is a huge evolving area of both laws and ethics. Website terms-of-service are often held binding, at least to the extent that they limit site liability.

There are a bunch more, but I'm out of time.