Thursday, August 25, 2011

The Privacy Bill of Rights

When it comes to the Federalist debates, I was always on the side that argued that creating a bill of rights would limit our rights rather than protect them. But, since we don’t live in that world, Congress is working on creating additional bills of rights (maybe this is just a fad). There was the recent Airline Passenger Bill of Rights. Now we’ve moved on to a Privacy Bill of Rights. Thanks go to John McCain and John Kerry for putting their names behind this one.

The Privacy Bill of Rights would create 3 new rights for online users:

  • The Right to Security and Accountability
  • The Right to Notice and Individual Participation
  • The Right to Data Protection (which includes Data Minimization, Constraints on Distribution of Information, and the Right to Data Integrity)

Like many of the current proposals for a Federal data privacy law, there is no private right of action. The bill relies on state Attorneys General to pursue actions against companies that fall short on their privacy protections. The bill also has the highest per-day civil penalties, but only a moderate maximum penalty when compared with the other bills on the table.

The FTC will have to issue rules which translate the Privacy Bill of Rights into something meaningful which businesses can follow. The bill provides for 180 days for the FTC to issue that guidance, but realistically…that process could take years. The FTC Red Flag rules were not implemented for 2 years due to confusion on the part of businesses as to who was covered and how to comply.

The bill requires an opt-in for collection of information as well as an opt-out for advertising. This will go a long way toward changing the de facto PII collection and storage policies of web-based companies.

The 3 rights that I’m calling Data Protection (Data Minimization, Constraints on Distribution of Information, and the Right to Data Integrity) are the most interesting part of the bill and set it apart from the rest of the bills out there. For example, the bill will restrict transfers of information to “unreliable third parties”. Presumably this means that spammers or companies that have been repeatedly hacked won’t be able to get personal information. The bill will also prevent companies from combining multiple sets of personal information from multiple sources, which will put limits on data aggregators.

Finally, there is a data integrity component which requires companies to ensure that the information they collect is accurate. This is a very forward-thinking aspect of the bill, and could have very far-reaching implications. This seems similar to requirements placed on the credit bureaus for credit scores.

Tuesday, August 16, 2011

How Many DMCA Notices does the RIAA send every year?

How Many DMCA Notices does the RIAA send every year? This is a question I've been asking myself (and others) for years now.

The solution was pretty obvious...on the tip of my proverbial nose the whole time. The RIAA appears to use a sequential numbering system in its case tracking system. There is no way to tell what percentage of the cases represented in their case tracking actually lead to a generated DMCA notice. Duplicates or false positives may account for some percentage of this figure. Judging by the number of duplicates and false positives that we actually receive, I would guess not. In looking at the volume, however, I’d be willing to bet that each case number represents an individual DMCA notice.

Using the sequential numbers as a framework, you can now estimate how many DMCA notices were sent on a monthly basis. The numbers also vary widely over time, so you can’t assume that the same number of notices is sent every day. In one twenty-four-hour period in July, the numbers incremented by nearly 600,000. Most 24-hour periods see less than 100,000.

Based on the claims that billions of dollars per year are lost to illegal file sharing, these numbers might seem low; however, the RIAA and others have never claimed to be able to catch 100% of all file sharing. This is undoubtedly a fraction. If you still think that these numbers are low, however, think about what these notices do to ISPs and Universities. Each notice probably takes around 30 minutes to address: the forensic work that needs to be done to find the user, validating that there was network traffic at that time, sending a notice to the user, and interacting with the user afterwards. Even if only 20% of DMCA notices go to Universities, that means Universities probably spent nearly a million man-hours responding to DMCA notices in 2010. In only the first 7 months of 2011, the RIAA has sent 4 million more notices than in all of 2010, which means the total for 2011 will probably be double that of 2010.
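As an added example (not part of the original post), here is the estimate described above carried out in Python on a constructed set of dated case numbers: monthly volume from the increments, the per-day rate between observations to show how uneven sending is, and the post’s man-hour arithmetic. The case numbers are made up, and the 30-minute and 20% figures are the post’s own assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: (date a notice was received, RIAA case number on it).
# These are made-up values for illustration, not real case numbers.
OBSERVATIONS = [
    ("2011-06-01", 10_000_000),
    ("2011-06-15", 10_900_000),
    ("2011-07-01", 12_000_000),
    ("2011-07-02", 12_580_000),  # the ~600k one-day jump the post describes
    ("2011-07-03", 12_650_000),
    ("2011-07-03", 12_640_000),  # a notice that arrived out of order
    ("2011-08-01", 14_400_000),
]

MINUTES_PER_NOTICE = 30   # the post's per-notice handling estimate (assumption)
UNIVERSITY_SHARE = 0.20   # share of notices assumed to reach universities

def _clean(observations):
    """Sort by date and drop case numbers lower than one already seen
    (out-of-order deliveries), so increments are never negative."""
    cleaned, high = [], -1
    for day, num in sorted(observations, key=lambda o: o[0]):  # ISO dates sort lexically
        if num > high:
            cleaned.append((day, num))
            high = num
    return cleaned

def estimate_volume_per_month(observations):
    """Attribute each case-number increment to the calendar month of the
    later observation; returns {"YYYY-MM": estimated notices}."""
    cleaned = _clean(observations)
    per_month = defaultdict(int)
    for (_, n0), (d1, n1) in zip(cleaned, cleaned[1:]):
        per_month[d1[:7]] += n1 - n0
    return dict(per_month)

def daily_rates(observations):
    """Average notices per day between consecutive observations; same-day
    pairs are skipped because the interval length would be zero."""
    cleaned = _clean(observations)
    rates = []
    for (d0, n0), (d1, n1) in zip(cleaned, cleaned[1:]):
        days = (date.fromisoformat(d1) - date.fromisoformat(d0)).days
        if days > 0:
            rates.append((d0, d1, (n1 - n0) / days))
    return rates

def estimate_university_hours(total_notices, share=UNIVERSITY_SHARE,
                              minutes=MINUTES_PER_NOTICE):
    """Hours of handling time implied by a notice count at the assumed share."""
    return total_notices * share * minutes / 60
```

With the post’s figures, 10 million notices at a 20% university share and 30 minutes each comes out to one million man-hours.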

Monday, August 15, 2011

Should There Be a CyberWar Treaty?, Part 1

The Department of Defense released its Strategy For Operating In Cyberspace in July. In the document, it adds Cyber to the traditional 4 domains...Land, Sea, Air, and Space.

This paper raises the question, at least in my mind: Should there be a Cyberwarfare treaty? I think the short answer is a definite “Maybe.”

I think a longer answer is that an arms treaty, like chemical or nuclear, is meant to deter the production of those types of weapons by government entities. Even if such a treaty were to be ratified, it would not stop other entities, whether commercial, criminal, or private, from creating the same.

Similarly, all computer software has a shelf life, and this is also true for computer viruses. A hacker creating a computer virus is reliant upon an operating system. When those operating systems are updated, patched, or replaced, the virus ceases to have value. This is not true for other types of arms control. A 50 year old nuclear warhead is still dangerous.

What would such a treaty say? Should it be specific to the types of code that shouldn’t be written? Should it ban countries from producing soldier-hackers? Should it create an outright ban on the types of computer warfare that are not allowed? Should there be a Geneva Convention for the Internet?

All these conventions don’t fit the makeup of the internet. This is the internet where companies and technologies, whole computer languages, have lifecycles measured in months, not years. Assuming that a written treaty could apply is a misunderstanding of how the Internet is governed. Every aspect of the internet is governed by social convention, software licenses, and terms of service. These conventions necessarily change very quickly over time. Not to mention that even if such a treaty could be ratified, it would be obsolete by the time the ink was dry.

It would be great if Governments were willing to commit to one another that they won’t attack each other’s nuclear reactors with computer viruses. Or jails. Or air traffic control systems. This misses the point of the greatest protection we already have…the one that worked throughout the cold war…mutually assured destruction. Because of Globalization, an attack on the US would have immediate and drastic economic consequences for every other nation state in the world. Even a small-scale attack on a major country would have similar consequences…given the amount of damage that the world has felt from the problems in Ireland, Greece, and Portugal. And there is no reason to think that an attack would be limited to only one country at one time. If such an attack were to take place, it would be just as easy to attack everyone that is against your particular point of view.

A treaty like this would probably be unnecessary given current alliances.

The best idea for a treaty like this would be a worldwide treaty that includes all major players to share resources, visibility, and intelligence to protect critical infrastructure against non-state actors. This would be very similar to how many organizations as well as state governments have developed inter-organizational Information Security Advisory Councils to share real-time threat information. Some large ISPs like AT&T and Verizon are offering this kind of real-time threat monitoring from a worldwide perspective, so it would be a huge step in cyberspace if governments took the same measures.

Click here for part 2 of my series on Cyber Warfare Treaties.

Monday, August 8, 2011

Cyberwar - Cyber Arms Dealers

Business Week has a nice article on the arms race on the cyberwar front:

I think the most interesting part about the article is the idea of a Cyber "Arms Dealer". This makes me wonder what other analogs to traditional warfare might be out there... Mercenary Hackers?