Tuesday, December 18, 2012

Instagram Apocalypse 2013

Everyone knows that the Mayans may or may not have predicted that the world will end on December 21, 2012.  Experts are now saying that, for those of us who survive, another major calamity is waiting right around the corner on January 16, 2013.  That's when Instagram's new privacy policy will take effect.

There are a number of reasons why this isn't the end of the world.

The EFF is claiming that by including language in the "Rights" section of Instagram’s new Terms of Use, Instagram will now be able to sell your photos to other companies.  This is an accurate reading of the terms "transferable" and "sub-licensable" that are added to the license you grant Instagram in order for them to display your photos on the site.  This reading, however, discounts the rest of that sentence, which says the photos you post are still restricted to whatever privacy settings you already have in place and that the use must comply with Instagram's privacy policy.

There will probably be herds of Zombies after the Mayan Apocalypse walking around with their smartphones, wondering if an equally undead corporation might use their pictures of brains for its own purposes.  Like when Virgin Mobile of Australia took pictures from a 16-year-old’s Flickr stream to use on bus stops for its wireless phone marketing campaign.  It has happened, and that scenario is not allowed by Flickr’s current Terms of Use…so there aren’t any guarantees even if the Terms of Use are perfect.

There is also another explanation for Instagram’s change.  The privacy policy has certain limited uses for what Instagram is allowed to do with your content.  In addition to requiring that they respect your privacy settings, the privacy policy says that in case of a merger, the content you upload might be a part of what is transferred to the new company.  The Terms of Use "transfer" language is very common in software contracts and is typically used to protect the company in the event it is sold or acquired, so that its customers can't run away kicking and screaming.

Is Facebook considering selling off Instagram?  Maybe they just want to have their options open if the world does come to an end on Friday?

Perhaps they need the language in order to do what Facebook is already doing when they let you "Like" news articles and other pages on sites outside of Facebook.  (Please feel free to "like" and/or "share" this article.)  Or maybe they have a new feature or product up their sleeve that necessitated a change.

Or it could be that Facebook is just bringing Instagram's Terms of Use into line with Facebook's existing policy that uses the same "transferrable" and "sub-licensable" language.  That’s probably it.

Tuesday, December 4, 2012

Safe Web Act Reauthorized

Some laws are permanently on the books.  Other laws have a sunset date...like the Bush-era tax cuts.  Sunsets have become popular these days as a way of keeping Congress honest, so they have to renew the laws if they think they worked out well.

The Safe Web Act was one of those laws.  Safe Web was passed in 2006 and granted the FTC the ability to share online-fraud-related data with foreign law enforcement.  In the last several years, the FTC has become the central clearinghouse in the US Federal government for all things identity-theft related, so it's good to see this law renewed.

Read more about the bill at the Hillicon Valley blog:

The only catch is that there's another sunset. This time it's 2020.

Friday, November 30, 2012

Warrantless Wiretap-Dancing

Yesterday the Senate Judiciary Committee voted to update a law, the Electronic Communications Privacy Act (ECPA), to require law enforcement to obtain a warrant before conducting searches of people’s online communications, including email, Facebook posts, Twitter updates, and documents stored online.  The full Senate is not expected to vote on the changes to the law until 2013.  As written, the ECPA is somewhat ironically named, since it currently allows law enforcement to view any data stored online for more than six months without a warrant.

Online privacy is good, right?  Which means warrantless searches are bad?  There is a lot of contention on the issue.  Law Enforcement’s chief argument is that the ECPA has been in place for 26 years, and nothing has gone wrong.  Privacy groups argue that the Internet is a different place than it was 25 years ago, so the law should be updated to reflect how people use it today.  Senator Leahy’s bill also weakens the privacy of video viewing history, to the benefit of companies like Hulu and Netflix, so overall any benefit to online privacy may be a wash.

Congress is examining these issues at the same time that an FBI investigation went to the heart of them.  The investigation into the affair between CIA Chief David Petraeus and his biographer, Paula Broadwell, presumably was done using some amount of warrantless wiretapping to gather emails related to the affair and the harassment of Jill Kelley by Broadwell.  This investigation will be at the forefront of the minds of the Congress when they take up the bill next year.

CNET last week discovered an alternate version of the amendment that would have instead expanded warrantless access to multiple types of online communications of private citizens, from email to Facebook posts, to 22 different federal agencies.  This would have been a reversal from Leahy’s earlier position, and may just have been a part of negotiations between the two sides.  Despite pressure from multiple Law Enforcement groups, Leahy released a statement denying that CNET’s reports were accurate.

Senator Chuck Grassley (R-Iowa) is the ranking Republican on the Senate Judiciary Committee.  Grassley has expressed Law Enforcement’s perspective that creating new barriers for wiretaps could hamper investigations.  At least one amendment to the proposed legislation is expected that would create an exception to the warrant process for cases involving kidnapping, child pornography or violent crimes against women.

This comes after a Federal Appeals court okayed Warrantless Wiretapping in August.  A three-judge panel of the 9th U.S. Circuit Court of Appeals wrote in their decision that “This case effectively brings to an end the plaintiffs’ ongoing attempts to hold the Executive branch responsible for intercepting telephone conversations without judicial authorization.”  The case involved two American attorneys who were spied on without warrants as a part of President George W. Bush’s secret terrorist surveillance program.

The case hinged on the issue of Sovereign Immunity.  Even though the United States was breaching its own wiretapping laws, the court reasoned, the plaintiffs could not bring suit against the government for the collection of the information itself.  The court did leave room for the plaintiffs to bring suit against the government if the information were used in some way.  The proposed changes to the ECPA wouldn’t affect the Sovereign Immunity issue, which means citizens still have no real recourse if the government doesn’t follow its own rules.

Not so simple?

It’s not surprising that wiretapping has increased as Law Enforcement has evolved along with the digital age.  The surprising part is that a solution has not come along that helps streamline the warrant requesting process.  The intention behind a warrant isn’t to slow down the searching process, or even to discourage it, but to ensure that a member of another branch of government is available to confirm that probable cause exists for the search.  According to the ACLU, warrantless wiretapping has increased over 600% in the last 10 years.  If this continues, by 2020, the Justice Department may request over 100,000 warrantless wiretaps.  I think a long-term question should be whether the already overburdened court system can handle even more requests in a timely fashion.

No one is saying that the increase in wiretapping is the result of more crime.  Most crime statistics show that over the last decade, crime rates are down.  Why more wiretaps, then?  Wiretaps represent the way our world has changed to be more data driven.  There is a longer paper trail than there used to be, so Law Enforcement has to follow it.

Thursday, July 26, 2012

Controversial Cybersecurity Act Vote Coming Soon?

This week, House Majority Leader Harry Reid hopes to finally bring the long-awaited Cybersecurity Act of 2012 to the floor for debate.  Senator Joe Lieberman and the four co-sponsors of the Cybersecurity Act introduced a revised version last week, which they indicate incorporates extensive negotiations with the bill’s opponents.  The Hill’s Technology Blog reports that Senators Rockefeller and Feinstein are reaching out to key technology CEOs to help lend their support to the bill.

This is great, because if the bill doesn’t get voted on soon, it won’t happen this year.  President Obama has weighed in as well.  The President wrote a rare op-ed piece in the Wall Street Journal to boost support.  He writes, “The American people deserve to know that companies running our critical infrastructure meet basic, commonsense cybersecurity standards, just as they already meet other security requirements.”

This is in response to the bill’s critics who have stated that they would be concerned about the costs to businesses that would be imposed by the new law.  John McCain’s bill, in contrast, focuses on strengthening the government’s Cybersecurity, but stops short of mandating that businesses do the same.

All this should be read in light of the larger Cyber conflict that is currently going on.  New York Times writer David Sanger wrote last month that an inside source had confirmed what many had suspected, that the Obama administration had ordered a cyber attack against Iranian enrichment facilities.

Maybe this was a good thing.  There was no loss of life that we know of, compared to a conventional military strike against Iranian facilities.  A Cyber retaliation from the Iranians or their allies would have also been limited to computer infrastructure.

But the new Cybersecurity bill needs to be read in light of the fact that the US government dropped the most sophisticated Cyberweapon on the world that we have ever seen.  It’s been analyzed and perhaps reproduced by other countries.  And unlike a physical war, where proximity to a conflict means greater risk, businesses are on the front lines of a Cyber conflict.  At a psychological level, most businesses don’t see their situation the way a business in a war-torn country would.

The reality of Cybersecurity in America is that it’s not just stolen identity that businesses need to worry about.  In November of 2011, for the first time, Robert Bryant, U.S. National Counterintelligence Executive, released a report naming China as the world’s leading source of economic espionage, with Russia coming in a close second.  The reality is that attacking an economy is the equivalent of holding a government hostage, as the Russians did against Georgian banks in 2008.

Cybersecurity laws need to play catch-up to the current state of the world, where a rogue nation like Iran or North Korea with nothing to lose economically could launch a terrorist-like attack against small- or medium-sized businesses with very weak defenses and wreak havoc.  Unfortunately, the news today indicates that the bill is being fought on mostly partisan lines despite months of compromise that went into the new bill.  Senator McCain wants to delay the bill, and Heritage Action, a conservative advocacy group related to the Heritage Foundation, indicated it will track lawmakers' votes on its key vote scorecard.

Tuesday, June 5, 2012

What happens when a public company has your private data?

What happens when a public company has your private data?  It used to be that Facebook was owned and operated by a private citizen.  Sure, it was fun to question his motives.  Those were the days.  Maybe it wouldn’t have changed if Facebook shares had started to skyrocket from the get-go, but they didn’t.  And now they have shareholders to think about.  So what happens to Privacy when Facebook shares drop like an anchor?

The shareholders start to yank the leash.

This week, Facebook announced they will start allowing individuals under the age of 13 to join its site.  A bit of background here: most Internet companies have policies against catering to kids younger than 13, not because they care about the kids, but because they have to comply with a set of guidelines called the Children's Online Privacy Protection Act, or COPPA.  COPPA requires service providers to verify that they have the child's parent’s consent, usually by taking a credit card number or having the parents call a telephone number.

To see how Facebook sweetened the IPO, look at the changes they made in the final weeks before it.  They announced a major change to their privacy policy.  They will now “retain data for as long as necessary to provide services to users and others”.  This is after FB was fined $138,000 in 2011 in Ireland for keeping a deleted user’s data.

Now back to children under 13.  Zuckerberg was quoted in 2011 as saying that kids should be allowed on Facebook.  Not for selfish reasons, of course, but because he thinks that it could help with their education.  Because they can learn a lot from other students.  And why not allow kids on Facebook?  Lots of parents create accounts for their kids while they are still in the womb…like the Super Bowl commercial for Google where the parents create an account and start emailing their child pictures and stories.

Lawmakers are highly concerned that Facebook is opening up to children under 13 to create a whole new market of potential advertising targets for themselves.  You can already sell targeted ads by age group, so why not start targeting kids with more sugar cereals and toys and movies?  Because maybe kids don’t watch so many commercials anymore.  Thanks, TiVo!

Of course, Facebook also announced that they will allow their users to vote on the new change.  To be binding on the company, whatever the vote turns out to be, 30% of the users, or 270 million people, need to click.  US National voter turnout in 2010 was only about 37%, and only 90 million people voted.  Only Facebook knows how many of their 900+ million users are very active on the site; my guess is that it is probably less than 50%, but it would be astounding if enough people voted, for or against, on the privacy policy changes.  So one might ask...is the vote just going through the motions?

Obama ordered Stuxnet

According to an upcoming book by New York Times chief Washington correspondent, David Sanger, it was Obama who ordered the Stuxnet attack against Iran's nuclear program.

This isn't really a surprise, since most people believed the US to be behind the attack, but it does continue Obama's M.O. of preferring special forces over direct and prolonged engagements.

If true, the real motivation for the attack was to prevent further escalation of a conflict.  Had the virus not been discovered, perhaps the belief was that Iran would have assumed that the failures were accidental or that the virus wasn't targeted.  After all, the world had never seen such a directed cyber attack before.

Tuesday, May 8, 2012

Interesting article on NPR about whether businesses should foot the bill for a Cyber War.

The Lieberman-Collins bill before congress would help pay to secure the nation's critical infrastructure like the power grid, water treatment plants, and the financial system.  Does the government have a duty to protect the rest of the country?

I think it's a great question.  One reason is the first sentence of this blog post - it's not "A" cyber war that we're talking about here...we can't talk about it like it isn't already happening.  It's the current cyber war.  If a city was hit by a tornado or hurricane, there is always disaster assistance available.  It's important to a country, especially during a war, to help rebuild so that the country can keep on functioning.

Another reason - can a small business really protect itself from a cyber attack from a government?

On the flip side of the issue, of course, is risk tolerance.  Businesses don't take security seriously largely because they don't need to.  The only reason some companies have security programs is so they can comply with the Payment Card Industry Data Security Standard (PCI-DSS), and even then it is largely ignored (as we saw was the case with Sony last year).  People are excellent judges of risk.  As identity theft grows, they will tend to get better at creating passwords.  Businesses, too, need to learn from these issues.  But until the Wall Street Journal is covering a story about how a Fortune 500 company closed its doors because of a security breach, businesses won't invest what they need to protect themselves.  Despite Sony's breach last year, they are still in business and their stock seems to have been barely affected.

If the government steps in, then, and prevents businesses from having to deal with the ramifications of a security threat, then businesses never will treat the issue seriously.

Monday, April 30, 2012

Facebook "Likes" Not Protected Speech?

ArsTechnica has a great summary of the case of Bland v. Roberts, which has ruled that Facebook "Likes" are not protected speech under the 1st Amendment.  The case was decided in the Eastern District Court of Virginia, so it could be appealed a couple of times before hitting the Supreme Court...  There have been lots of other cases where something didn't have to actually constitute speech to be protected under the 1st Amendment, so it isn't clear if this case would stand if appealed.

CISPA Defections Begin

An update on my last post, CISPA - The Government's consolation prize for not passing SOPA: it looks like the measure has already lost some of its original supporters.  According to a story on TheHill.com, seven of the original cosponsors of the Cyber Intelligence Sharing and Protection Act (CISPA) abandoned ship and voted "No" on the bill.

Friday, April 27, 2012

CISPA - The Government's consolation prize for not passing SOPA

Yesterday, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA).  While the bill was introduced with bipartisan sponsors, the bill passed the House on mostly party lines...Republican "yes" votes were 206 and Democrat "No" votes were 140.  Both sponsors were the ranking members of the House Intelligence Committee.  42 Democrats supported the bill while 28 Republicans were against it, including Republican U.S. representative and presidential candidate Ron Paul, who called it "Big Brother writ large".  President Obama has threatened to veto the legislation if it remains in its current form, but Obama waffled on his support of SOPA, so who knows what could happen in an election year.

Some questions:

Why would this bill be fast-tracked while other data security bills or data privacy bills have been stymied for years?

Does this bill simply legalize the warrantless wiretapping that is already being done throughout the country?

Rather than being an attack on the first amendment like SOPA, CISPA attacks the fourth amendment to the constitution. The Fourth Amendment of the Constitution says:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

A good question to ask might be: what is an unreasonable search?  If Law Enforcement sees someone committing a crime in public, they can act.  Why is there an expectation of privacy for communications over Facebook?  Over email?  It is probably very reasonable to expect that Law Enforcement can look at all publicly available information on Facebook.  Is it reasonable to let them look at information that a user has expressly defined as private?  Keep in mind that no one is saying that Law Enforcement can't get a warrant to access the information.

Of course, none of these questions are posed in the bill.  Instead, CISPA purports to create a more secure Internet.  How does it attempt to do this?  One blog took Representatives Rogers and Ruppersberger to task over their own lack of security on their congressional web pages, including broken certificates, lack of HTTPS and broken links.

CNET has a great breakdown of how CISPA would impact an individual citizen.

When asked about whether the government could use this private information to spy on its own citizens, one Representative, Dan Boren (D-Oklahoma) said: "The government is not the enemy."  I don't think this would be comforting to most Americans, given the low approval rating of Congress right now.

So why isn't there greater opposition from all the same organizations that were against SOPA?  One answer might be that SOPA required a lot of intervention on the part of search engines or payment processors (think Google, Yahoo, PayPal, etc.).  They would have had to dedicate people to respond to requests and to develop technology to help respond.  CISPA would mostly impact ISPs, who in large part support the legislation.

Monday, March 19, 2012

McCain vs. Lieberman - SecureIT vs. Cybersecurity Act of 2012

Senator John McCain, along with 5 other Republican senators, released their counterproposal to the Lieberman-Collins Cybersecurity Act of 2012 released last month. The bill is called the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology (Secure IT) Act. Let me start by saying that when I see a bill that is cleverly named so as to have an acronym that is readable, I immediately wonder how serious the authors of a bill are about its passage. I can't think of any bills off the top of my head that have actually passed that have been so named. HIPAA? Sarbanes-Oxley? Digital Millennium Copyright Act?

I'm not sure how long it took McCain and the other Senators to write their counterproposal bill. It isn't clear whether the bill was already in progress or whether they started last month after hearing about the competing legislation. In any event, McCain’s bill was introduced only a week after the Lieberman bill. The Lieberman bill purports to have been the result of 3 years of negotiation and research. Mostly, the McCain bill appears to be a hodgepodge of the Cybersecurity Act of 2012 and other preexisting bills, with a ton of deletions and insertions of partisan elements.

Let’s look at the similarities and differences between the two bills:

Both bills have some provision for a Federal Cyber Scholarship-for-service program. The McCain bill copies word for word the first paragraph of the Lieberman bill. Where the Lieberman bill has provisions for how many scholarships are to be given (1,000) and provides for full tuition, the McCain bill provides no guidance on how many scholarships will be given, and only provides for tuition for 2 years of study. The Lieberman bill requires students to enter into a commitment for the same amount of time they spent in school, while the McCain bill requires one and a half times.

If I were a student, I’m not sure I’d be interested in the McCain offer. Less money for longer indentured servitude? Unfortunately, not many students would be able to sign up for the McCain proposal, since the McCain bill specifies that no additional funding will be allocated for Cybersecurity. This means that any money for scholarships would have to be carved out of departments' individual budgets…presumably why the McCain bill doesn’t specify a specific number of scholarships. Presumably that number would be close to 0.

No new funding is problematic where issues of national security and defense come into play. If the national air traffic control network, for example, needs to be completely scrapped and a new secure network needs to be deployed, how could that be accomplished under the McCain bill? The FAA would have to carve that out of its budget, and small upgrades would have to happen over a long period of time. This is perhaps why Lieberman and Rockefeller have been so outspoken in their criticism of the McCain bill since the counterproposal.

The Lieberman bill has several sections that the McCain bill is missing entirely:

  • Information Sharing

  • Public Awareness Reports

  • International Cooperation

The Lieberman bill creates affirmative authorities to monitor and defend against cybersecurity threats and allows for coordination of cyber issues within the US government. It addresses FISMA and attempts to address Federal agency purchasing and planning for Information Security, and explicitly discusses savings. It has considerations of international coordination. Finally, it creates the notion of Federal and non-Federal Cybersecurity Exchanges, which would allow for the sharing of both classified and non-classified information. The Lieberman bill seems to be attempting to address Federal agencies' claims that they were not allowed to share information prior to September 11th, 2001, one of the main drivers behind the Patriot Act and the creation of the Department of Homeland Security.

The McCain bill has several sections that the Lieberman bill is missing:

  • High Performance Computing

  • Criminal Penalties

The Lieberman bill only mentions High Performance Computing once, to make one small amendment, while the McCain bill focuses on it for several pages. My only thought here is: why? McCain’s changes to the High Performance Computing Act of 1991 don’t even really have anything to do with security. The changes mostly read as funding modifications, which makes me think this whole bill is about pork, and not security.

The Criminal Penalties section amends the Computer Fraud and Abuse Act, but mostly focuses on stiffening penalties and forfeiture of property directly or indirectly gained by said fraud and abuse. While these are okay goals of the act and could potentially be added to the Lieberman bill, they miss the point of the reality of hacking today. The most successful hackers operate internationally and are very difficult to capture. The McCain bill does nothing to address this new reality.

Thursday, February 23, 2012

Obama proposes Privacy Bill of Rights

Today, the White House released its proposal for a Privacy Bill of Rights. The press release is entitled "We Can't Wait". Sound familiar? It's because John Kerry and John McCain proposed this last summer.

Obama's proposal goes much further in terms of scope. The proposal includes several key principles:

1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data. Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.
2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices. At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control, companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties.
3. Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise. If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Control by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection. If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice. Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers. In particular, the principles in the Consumer Privacy Bill of Rights may require greater protections for personal data obtained from children and teenagers than for adults.
4. Security: Consumers have a right to secure and responsible handling of personal data. Companies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure.
5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should use reasonable measures to ensure they maintain accurate personal data. Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation. Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press. In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.
6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.
7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies should be accountable to enforcement authorities and consumers for adhering to these principles. Companies also should hold employees responsible for adhering to these principles. To achieve this end, companies should train their employees as appropriate to handle personal data consistently with these principles and regularly evaluate their performance in this regard. Where appropriate, companies should conduct full audits. Companies that disclose personal data to third parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise.

Wednesday, February 22, 2012

McCain Disses the Department of Homeland Security, Dashes Hopes for Security Bill in 2012

Senator John McCain last week dissed the Department of Homeland Security, stating that the NSA is better suited to preventing cyberattacks. Wait, what? The NSA has tremendous cyber capabilities, don't get me wrong. But wasn't DHS formed to prevent exactly the kind of bureaucratic nightmare that information sharing between agencies had become? DHS has a National Cybersecurity Center charged with protecting US Government communications networks.

This comes after a bipartisan group of Senators including Joe Lieberman, Jay Rockefeller, and Susan Collins introduced a new bill last week that, at least on paper, had a good chance of passing this year. McCain and 8 other Senators rushed to criticize the bill, potentially dashing any hopes of passing a Cybersecurity bill this year. This bill is purported to have incorporated many of the Cybersecurity proposals made over the past several years, so it was potentially on the fast track to passage...and maybe it still is.

The Senator could just as easily have said that the FBI should be in charge of preventing cyberattacks. The issue of CyberSecurity is like a hot potato. Should the Department of Defense and the NSA have the ball? Or DHS and the NCS? Or the Department of Justice and the FBI? How do you determine whether an attack is coming from a government or an individual? A crime syndicate or a hacktivist group? Ultimately prevention and education, which this bill supports, are the best ways of keeping us all out of trouble...aside from unplugging our computers. Hopefully that doesn't get lost.

Wednesday, January 25, 2012

EU updates privacy policy

Yesterday, Google announced a major overhaul of its privacy policy, to some loud criticism.

It's nice to see today that the EU has come out with its own updates to its privacy policy.

Let's compare the new EU data privacy rules to the US ones being proposed throughout 2011 in both the House and the Senate, as well as the ones offered by the White House.

Probably the biggest difference comes in fines. The EU rules define specific levels of fines for infractions, starting at 0.5% of a corporation's turnover and going all the way up to 2%. Keep in mind that this is "turnover", not profit. But the difference here is sharp. The US laws all set caps on damages, from $500,000 to $15,000,000. The US laws take no account of the size of the company...presumably this would be determined by the FTC when they settle a claim. The proposed US laws contain no definitions of which infractions merit which damages.

The EU has a host of other requirements. Every company with more than 250 people is required to have a Data Protection Officer, and there are strict rules around how this new position is to be treated. The officer can only be fired for cause, for example. This presumably protects the officer from being terminated for taking a hard line approach to privacy. The SAFE Data Act requires the appointment of "an officer as the point of contact with responsibility for the management of information security." In the US the position's tasks aren't defined. This person could be a janitor and still fulfill the requirements of the law. No offense to any janitors out there.

The EU law requires mandatory security assessments and 24 hour turnarounds on breach notifications. It creates the right to be forgotten and creates erasure and data portability standards. The US takes a different approach to security...it looks at security on an industry by industry basis. The US has offered up an "Online Privacy Bill of Rights", but it does nothing to change the status quo on security assessments or breach notification. While the FTC has issued recent rulings requiring Facebook to have annual security assessments, the feeling seems to be that you are assumed to be secure until proven insecure. The better model would be the other way around.

Tuesday, January 24, 2012

5th Amendment = Encryption?

A woman accused of bank fraud hopes to prevent the contents of her hard drive from being searched by relying on encryption.


If this argument were accepted, it would quickly become impossible for the criminal justice system to prove a lot of its cases.

Interesting theory. The 5th amendment says:

No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

Looking at the parallel with the physical world, you can't refuse a valid search warrant for your house. Just because you have a safe in the house with a key doesn't mean the police can't search it.

Now, if your computer were an artificially intelligent computer, implanted with your memories...then maybe she would have a point.

Thursday, January 19, 2012

Shrinking Public Domain

The Public Domain got a little bit smaller this week:


Perhaps the Supreme Court felt compelled to do something for copyright holders after the setbacks to SOPA and PIPA yesterday?

Thursday, January 12, 2012

Should There Be a Cyberwar Treaty, Part 2

In my previous article on whether there should be a cyberwar treaty, I argued that Cyberwar wasn’t like other types of conflict, and that it wasn’t likely that a treaty would ever happen. Being a lawyer, I like to play devil’s advocate, so here’s a different perspective.

Jeffrey Carr, in his new edition of “Inside Cyber Warfare” says that there are currently 28 nation states that have cyber warfare capabilities. Does the rapid spread of Cyber Warfare capabilities mean that there should be a treaty? There are major differences in how Cyber conflicts would take place versus other types of conflicts. For example, unlike physical confrontation, any Nation in the world can attack any other Nation directly or indirectly. In addition, rogue political parties or factions within a nation can take actions that don’t necessarily represent the country’s views as a whole. Do the different dynamics of Cyber Warfare warrant a treaty? Does the amount of damage that can be caused by Cyber Warfare relative to the cost of hacking warrant a treaty?

How do we distinguish between Cyber Crime and Cyber Terrorism or Cyber Warfare? I think this is where progress is most likely to be made with any Cyber Treaties. In order to successfully track the global criminal, there needs to be a global network of cooperation between legal systems on a scale that doesn’t exist today. After 6,000 credit cards were stolen, the Israeli Government declared that this was an act of terrorism. Is that an overreaction? Should the Israeli Defense Forces respond by hacking the hacker?

Shouldn’t we be focusing on prevention? How much is law enforcement willing to engage with businesses and individuals to protect their information? How do we know when an incident of hacking should be escalated from being a law enforcement matter to being a national security matter?

Cyber Criminals can automate crime. They can commit hundreds of crimes per second, and in fact they can perpetrate multiple types of crimes all at the same time. Law Enforcement can’t automate catching criminals, prosecuting them, or incarcerating them. This is necessarily done one criminal at a time. Law Enforcement will always be slower than Cyber Criminals.

There are other types of warfare that do have treaties. The Geneva Convention covers many aspects of physical confrontation, but there has never been a formal international espionage treaty, and espionage is what Cyber Warfare is more analogous to. This isn’t to say that now isn’t a great time to start.

One might ask, what other organizations are there that the 28 Cyber Warfare Club members already belong to? Interpol is one example. Interpol has a staff of about 600 and a budget of 80 million. In contrast, the FBI has a staff of 35,500 and a budget of 8 billion. To me, this means that cybercriminals will, by necessity, go global to reduce their risk of being caught domestically by the biggest law enforcement agency in the world.

The lowest hanging fruit for a Cyber Security Treaty, then, is probably Cyber Crime, not Cyber Warfare. Countries could coordinate their Cyber Crime efforts, which makes a lot of sense, especially in a global economy.

A Cyber Warfare treaty could address Cyber Security analogs of the kinds of things that are already addressed in the Geneva Convention. For example:

  • Cyber Attacks should not be targeted at activities that kill non-combatants (like targeting commercial airlines.)

  • Cyber Attacks should not deprive individuals of a fair trial if accused of a war crime.

  • Cyber Attacks should not target Hospitals.

  • Cyber Attacks should not target biological or nuclear weapons storage facilities.

Even these few examples create their own problems, however. What if, for example, a Nation State attacks a biological weapons or nuclear weapons production facility (as was the case with Stuxnet)? Does this actually help enforce the Geneva Convention? What if there is a danger to civilians around where these facilities are located?

At least one Cyber Warfare treaty was created last year. The ANZUS treaty between Australia and America was extended to include Cyber Attacks. If one country is attacked, then it is considered to be an attack on both. Other alliances (NATO, the UN, etc.) may well consider similar extensions this year.

Monday, January 9, 2012

Say goodbye to the Video Privacy Protection Act

If someone posted a video of me having sex on the internet, which admittedly wouldn’t be very popular, I would sue them. Most likely I wouldn’t become very rich and very famous. Not like Paris Hilton or Kim Kardashian. Lawsuits for violations of privacy like this have made millions. Privacy lawsuits aren’t just limited to sex tapes, either. If you’re already famous, you can sue tabloids for following you around too much.

Unfortunately, if you aren’t already famous and haven’t made a sex tape, and you aren’t very pretty, privacy laws aren’t going to be helpful for much longer.

After Netflix successfully lobbies Congress to take the teeth out of the Video Privacy Protection Act (VPPA), there will no longer be a sensible path for privacy laws to follow. The VPPA is the paradigm that we should follow to craft all future privacy laws. The VPPA creates a private right of action against corporations that violate privacy rules. This allows individuals to take the initiative about privacy violations rather than waiting on overburdened and underfunded Attorneys General to act on their behalf. Corporations might be worried about being overwhelmed by lawsuits. The VPPA is an example of a privacy law that didn’t cause millions of lawsuits; it was successfully in place for 20 years and very few violations ever occurred.

Instead, we will be getting watered down privacy laws that are more like a license to violate privacy. Netflix is now one step closer to their dream of being able to share what movies you watch with other people. Last month, they were sent to mediation as the House passed an amendment to the VPPA.

The House has approved language that clarifies that the VPPA can support electronic signatures and allows Netflix and others to use either opt-in or opt-out for the sharing of information. The troubling part is that they allow for opt-out language. As a consumer, my privacy has been ensured for the last 23 years, and now it will suddenly be yanked away until I find out where they’ve buried the opt-out box on their website?

Specifically, the House bill would replace the current text of 18 USC 2710 (b)(2):

(B) to any person with the informed, written consent of the consumer given at the time the disclosure is sought;

with the following:

(B) to any person with the informed written consent (including through an electronic means using the Internet) of the consumer given at one or both of the following times:

(i) The time the disclosure is sought.

(ii) In advance for a set period of time or until consent is withdrawn by such consumer.