HackLaw is a blog dedicated to discussing the legal issues in information security and developments that may have an impact on information security law.
Tuesday, December 18, 2012
Instagram Apocalypse 2013
Tuesday, December 4, 2012
Safe Web Act Reauthorized
The Safe Web Act was one of those laws. Safe Web was passed in 2006 and granted the FTC the ability to share online fraud related data with foreign law enforcement. In the last several years, the FTC has become the central clearinghouse in the US Federal government for all things identity theft related, so it's good to see this law renewed.
Read more about the bill at the Hillicon Valley blog:
The only catch is that there's another sunset. This time it's 2020.
Friday, November 30, 2012
Thursday, July 26, 2012
Controversial Cybersecurity Act Vote Coming Soon?
This is great, because if the bill doesn’t get voted on soon, it won’t happen this year. President Obama has weighed in as well. The President wrote a rare op-ed piece in the Wall Street Journal to boost support. He writes, “The American people deserve to know that companies running our critical infrastructure meet basic, commonsense cybersecurity standards, just as they already meet other security requirements.”
This is in response to the bill’s critics who have stated that they would be concerned about the costs to businesses that would be imposed by the new law. John McCain’s bill, in contrast, focuses on strengthening the government’s Cybersecurity, but stops short of mandating that businesses do the same.
All this should be read in light of the larger Cyber conflict that is currently going on. New York Times writer David Sanger wrote last month that an inside source had confirmed what many had suspected, that the Obama administration had ordered a cyber attack against Iranian enrichment facilities.
Maybe this was a good thing. There was no loss of life that we know of, compared to a conventional military strike against Iranian facilities. A Cyber retaliation from the Iranians or their allies would have also been limited to computer infrastructure.
But the new Cybersecurity bill needs to be read in light of the fact that the US government dropped the most sophisticated Cyberweapon on the world that we have ever seen. It’s been analyzed and perhaps reproduced by other countries. And unlike a physical war, where proximity to a conflict means greater risk, businesses are on the front lines of a Cyber conflict. At a psychological level, most businesses don’t perceive their situation the way a business in a war-torn country would.
The reality of Cybersecurity in America is that it’s not just stolen identity that businesses need to worry about. In November of 2011, for the first time, Robert Bryant, U.S. National Counterintelligence Executive, released a report naming China as the world’s leading source of economic espionage, with Russia coming in a close second. The reality is that attacking an economy is the equivalent of holding a government hostage, as the Russians did against Georgian banks in 2008.
Cybersecurity laws need to play catch up to the current state of the world, where a rogue nation like Iran or North Korea with nothing to lose economically could launch a terrorist-like attack against small or medium-sized businesses with very weak defenses and wreak havoc. Unfortunately, the news today indicates that the bill is being fought on mostly partisan lines despite months of compromise that went into the new bill. Senator McCain wants to delay the bill, and Heritage Action, a conservative advocacy group related to the Heritage Foundation, indicated it will track lawmakers' votes on their key vote scorecard.
Tuesday, June 5, 2012
What happens when a public company has your private data?
Obama ordered Stuxnet
This isn't really a surprise, since most people believed the US to be behind the attack, but it does continue Obama's M.O. of preferring special forces over direct and prolonged engagements.
If true, the real motivation for the attack was to prevent further escalation of a conflict. Had the virus not been discovered, perhaps the belief was that Iran would have assumed that the failures were accidental or that the virus wasn't targeted. After all, the world had never seen such a directed cyber attack before.
Tuesday, May 8, 2012
The Lieberman-Collins bill before congress would help pay to secure the nation's critical infrastructure like the power grid, water treatment plants, and the financial system. Does the government have a duty to protect the rest of the country?
I think it's a great question. One reason is the first sentence of this blog post: it's not "A" cyber war that we're talking about here...we can't talk about it like it isn't already happening. It's the current cyber war. If a city was hit by a tornado or hurricane, there is always disaster assistance that is available. It's important to a country, especially during a war, to help rebuild so that the country can keep on functioning.
Another reason - can a small business really protect itself from a cyber attack from a government?
On the flip side of the issue, of course, is risk tolerance. Businesses don't take security seriously largely because they don't need to. The only reason some companies have security programs is so they can comply with the Payment Card Industry Data Security Standard (PCI-DSS), and even then it is largely ignored (as we saw was the case with Sony last year). People are excellent judges of risk. As identity theft grows, they will tend to get better at creating passwords. Businesses, too, need to learn from these issues. But until the Wall Street Journal is covering a story about how a Fortune 500 company closed its doors because of a security breach, businesses won't invest what they need to protect themselves. Despite Sony's breach last year, they are still in business and their stock seems to have been barely affected.
If the government steps in, then, and prevents businesses from having to deal with the ramifications of a security threat, then businesses never will treat the issue seriously.
Monday, April 30, 2012
Facebook "Likes" Not Protected Speech?
CISPA Defections Begin
Friday, April 27, 2012
CISPA - The Government's consolation prize for not passing SOPA
Why would this bill be fast-tracked while other data security bills or data privacy bills have been stymied for years?
Does this bill simply legalize the warrantless wiretapping that is already being done throughout the country?
Rather than being an attack on the First Amendment like SOPA, CISPA attacks the Fourth Amendment to the Constitution. The Fourth Amendment of the Constitution says:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
A good question to ask might be what is an unreasonable search? For Law Enforcement, if you see someone in public committing a crime, they can act. Why is there an expectation of privacy for communications over Facebook? Over email? It is probably very reasonable to expect that Law Enforcement can look at all publicly available information on Facebook. Is it reasonable to let them look at information that a user has expressly defined as private? Keep in mind that no one is saying that Law Enforcement can't get a warrant to access the information.
Of course, none of these questions are posed in the bill. Instead, CISPA purports to create a more secure Internet. How does it attempt to do this? One blog took Representatives Rogers and Ruppersberger to task over their own lack of security on their congressional web pages, including broken certificates, lack of HTTPS and broken links.
CNET has a great breakdown of how CISPA would impact an individual citizen.
When asked about whether the government could use this private information to spy on its own citizens, one Representative, Dan Boren (D-Oklahoma) said: "The government is not the enemy." I don't think this would be comforting to most Americans, given the low approval rating of Congress right now.
So why isn't there greater opposition from all the same organizations that were against SOPA? One answer might be that SOPA required a lot of intervention on the part of search engines or payment processors (think Google, Yahoo, PayPal, etc.). They would have had to dedicate people to respond to requests and to develop technology to help respond. CISPA would mostly impact ISPs, who in large part support the legislation.
Thursday, March 29, 2012
America losing the Cybersecurity war?
Lots of doom and gloom.
Monday, March 19, 2012
McCain vs. Lieberman - SecureIT vs. Cybersecurity Act of 2012
I'm not sure how long it took McCain and the other Senators to write their counterproposal bill. It isn't clear whether the bill was already in progress or whether they started last month after hearing about the competing legislation. In any event, McCain’s bill was introduced only a week after the Lieberman bill. The Lieberman bill purports to have been the result of 3 years of negotiation and research. Mostly, the McCain bill appears to be a hodgepodge of the Cybersecurity Act of 2012 and other preexisting bills, with a ton of deletions and insertions of partisan elements.
Let’s look at the similarities and differences between the two bills:
Both bills have some provision for a Federal Cyber Scholarship-for-service program. The McCain bill copies word for word the first paragraph of the Lieberman bill. Where the Lieberman bill has provisions for how many scholarships are to be given (1,000) and provides for full tuition, the McCain bill provides no guidance on how many scholarships will be given, and only provides for tuition for 2 years of study. The Lieberman bill requires students to enter into a commitment for the same amount of time they spent in school, while the McCain bill requires one and a half times.
If I were a student, I’m not sure I’d be interested in the McCain offer. Less money for longer indentured servitude? Unfortunately, not many students would be able to sign up for the McCain proposal, since the McCain bill specifies that no additional funding will be allocated for Cybersecurity. This means that any money for scholarships would have to be carved out of departments' individual budgets…presumably why the McCain bill doesn’t specify a specific number of scholarships. Presumably that number would be close to 0.
No new funding is problematic where issues of national security and defense come into play. If the national air traffic control network, for example, needs to be completely scrapped and a new secure network needs to be deployed, how could that be accomplished under the McCain bill? The FAA would have to carve that out of its budget, and small upgrades would have to happen over a long period of time. This is perhaps why Lieberman and Rockefeller have been so outspoken in their criticism of the McCain bill since the counterproposal.
The Lieberman bill has several sections that the McCain bill is missing entirely:
- Information Sharing
- Public Awareness Reports
- International Cooperation
The McCain bill has several sections that the Lieberman bill is missing:
- High Performance Computing
- Criminal Penalties
The Lieberman bill only mentions High Performance Computing once, to make one small amendment, while the McCain bill focuses on it for several pages. My only thought here is why? McCain’s changes to the High Performance Computing Act of 1991 don’t even really have anything to do with security. The changes mostly read as funding modifications, which makes me think this whole bill is about pork, and not security.
The Criminal Penalties section amends the Computer Fraud and Abuse Act, but mostly focuses on stiffening penalties and forfeiture of property directly or indirectly gained by said fraud and abuse. While these are okay goals of the act and could potentially be added to the Lieberman bill, they miss the point of the reality of hacking today. The most successful hackers operate internationally and are very difficult to capture. The McCain bill does nothing to address this new reality.
Thursday, February 23, 2012
Obama proposes Privacy Bill of Rights
Obama's proposal goes much further in terms of scope. The proposal includes several key principles:
1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data. Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.
2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices. At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control, companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties.
3. Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise. If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Control by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection. If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice. Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers. In particular, the principles in the Consumer Privacy Bill of Rights may require greater protections for personal data obtained from children and teenagers than for adults.
4. Security: Consumers have a right to secure and responsible handling of personal data. Companies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure.
5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should use reasonable measures to ensure they maintain accurate personal data. Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation. Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press. In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.
6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.
7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies should be accountable to enforcement authorities and consumers for adhering to these principles. Companies also should hold employees responsible for adhering to these principles. To achieve this end, companies should train their employees as appropriate to handle personal data consistently with these principles and regularly evaluate their performance in this regard. Where appropriate, companies should conduct full audits. Companies that disclose personal data to third parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise.
Wednesday, February 22, 2012
McCain Disses the Department of Homeland Security, Dashes Hopes for Security Bill in 2012
This comes after a bipartisan committee of Senators including Joe Lieberman, Jay Rockefeller, and Susan Collins brought a new bill last week that, at least on paper, had a good chance of passing this year. McCain and 8 other Senators rushed to criticize the bill, potentially dashing any hopes of passing a Cybersecurity bill this year. This bill is purported to have incorporated many of the proposals on Cybersecurity over the past several years, so potentially it was on the fast track to passage...and maybe it still is.
The Senator could have just as easily said that the FBI should be in charge of preventing cyberattacks. The issue of Cybersecurity is like a hot potato. Should the Department of Defense and the NSA have the ball? Or DHS and the NCS? Or the Department of Justice and the FBI? How do you determine whether an attack is coming from a government or an individual? A crime syndicate or a hacktivist group? Ultimately prevention and education, which this bill supports, are the best ways of keeping us all out of trouble...aside from unplugging our computers. Hopefully that doesn't get lost.
Wednesday, January 25, 2012
Let's compare the new EU data privacy rules to the US ones being proposed throughout 2011 in both the House and the Senate, as well as the ones offered by the White House.
Probably the biggest difference comes in fines. The EU rules define specific levels of fines for infractions, starting at 0.5% of a corporation's turnover going all the way up to 2%. Keep in mind that this is "turnover" not profit. But the difference here is sharp. The US laws all set caps on damages, from $500,000 to $15,000,000. The US laws don't have any regard to the size of the company...presumably this would be determined by the FTC when they settle a claim. The definitions of how to determine what infractions merit what damages don't exist in the proposed US laws.
The EU has a host of other requirements. Every company with more than 250 people is required to have a Data Protection Officer, and there are strict rules around how this new position is to be treated. The person holding the position can only be fired for cause, for example. This presumably protects the position from being terminated if they take a hard line approach to privacy. The SAFE Data Act requires the appointment of "an officer as the point of contact with responsibility for the management of information security." In the US the position's tasks aren't defined. This person could be a janitor and still fulfill the requirements of the law. No offense to any janitors out there.
The law requires mandatory security assessments and 24 hour turnarounds on breach notifications. It creates the right to be forgotten and creates erasure and data portability standards. The US takes a different approach to security...it looks at security on an industry-by-industry basis. The US has offered up an "Online Privacy Bill of Rights", but it does nothing to change the status quo on security assessments or breach notification. While the FTC has issued recent rulings requiring Facebook to have annual security assessments, the feeling seems to be that you are assumed to be secure until proven insecure. The better model would be the other way around.
Tuesday, January 24, 2012
5th Amendment = Encryption?
If this were the case, it would quickly become impossible for the criminal justice system to prove a lot of their cases.
Interesting theory. The 5th amendment says:
No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
Looking at the parallel with the physical world, you can't refuse a valid search warrant for your house. Just because you have a safe in the house with a key, doesn't mean the police can't search it.
Now, if your computer were an artificially intelligent computer, implanted with your memories...then maybe she would have a point.
Thursday, January 19, 2012
Shrinking Public Domain
Perhaps the Supreme Court felt compelled to do something for copyright holders after the setbacks to SOPA and PIPA yesterday?
Thursday, January 12, 2012
Should There Be a Cyberwar Treaty, Part 2
In my previous article on whether there should be a cyberwar treaty, I argued that Cyberwar wasn’t like other types of conflict, and that it wasn’t likely that a treaty would ever happen.
Being a lawyer, I like to play devil’s advocate, so here’s a different perspective.
Jeffrey Carr, in his new edition of “Inside Cyber Warfare” says that there are currently 28 nation states that have cyber warfare capabilities. Does the rapid spread of Cyber Warfare capabilities mean that there should be a treaty? There are major differences in how Cyber conflicts would take place versus other types of conflicts. For example, unlike physical confrontation, any Nation in the world can attack any other Nation directly or indirectly. In addition, rogue political parties or factions within a nation can take actions that don’t necessarily represent the country’s views as a whole. Do the different dynamics of Cyber Warfare warrant a treaty? Does the amount of damage that can be caused by Cyber Warfare relative to the cost of hacking warrant a treaty?
How do we distinguish between Cyber Crime and Cyber Terrorism or Cyber Warfare? I think this is where progress is most likely to be made with any Cyber Treaties. In order to successfully track the global criminal, there needs to be a global network of cooperation between legal systems on a scale that doesn’t exist today. After 6,000 credit cards were stolen, the Israeli Government declared that this was an act of terrorism. Is that an overreaction? Should the Israeli Defense Forces respond by hacking the hacker?
Shouldn’t we be focusing on prevention? How much is law enforcement willing to engage with businesses and individuals to protect their information? How do we know when an incident of hacking should be escalated from being a law enforcement matter to being a national security matter?
Cyber Criminals can automate crime. They can commit hundreds of crimes per second, and in fact they can perpetrate multiple types of crimes all at the same time. Law Enforcement can’t automate catching criminals, prosecuting them, or incarcerating them. This is necessarily done one criminal at a time. Law Enforcement will always be slower than Cyber Criminals.
There are other types of warfare that do have treaties. The Geneva Convention covers many aspects of physical confrontation, but there has never been a formal international espionage treaty, which Cyber Warfare is more analogous to. This isn’t to say that this isn’t a great time to start.
One might ask, what other organizations are there that the 28 Cyber Warfare Club members already belong to? Interpol is one example. Interpol has a staff of about 600 and a budget of 80 million. In contrast, the FBI has a staff of 35,500 and a budget of 8 billion. To me, this means that by necessity, cybercriminals will go global to reduce their risk of being caught domestically by the biggest law enforcement agency in the world.
The lowest hanging fruit for a Cyber Security Treaty, then, is probably Cyber Crime, not Cyber Warfare. Countries could coordinate their Cyber Crime efforts, which makes a lot of sense, especially in a global economy.
A Cyber Warfare treaty could address Cyber Security analogs of the kinds of things that are already addressed in the Geneva Convention. For example:
- Cyber Attacks should not be targeted at activities that kill non-combatants (like targeting commercial airlines).
- Cyber Attacks should not deprive individuals of a fair trial if accused of a war crime.
- Cyber Attacks should not target Hospitals.
- Cyber Attacks should not target biological or nuclear weapons storage facilities.
Even these few examples create their own problems, however. What if, for example, a Nation State attacks a biological weapons or nuclear weapons production facility (as was the case with Stuxnet)? Does this actually help enforce the Geneva Convention? What if there is a danger to civilians around where these facilities are located?
At least one Cyber Warfare treaty was created last year. The ANZUS treaty between Australia and America was extended to include Cyber Attacks. If one country is attacked, then it is considered to be an attack on both. It is likely that other alliances will consider similar extensions this year (NATO, the UN, etc.).
Monday, January 9, 2012
Say goodbye to the Video Privacy Protection Act
If someone posted a video of me having sex on the internet, which admittedly wouldn’t be very popular, I would sue them. Most likely I wouldn’t become very rich and very famous. Not like Paris Hilton or Kim Kardashian. Lawsuits for violations of privacy like this have made millions. Privacy lawsuits aren’t just limited to sex tapes, either. If you’re already famous, you can sue tabloids for following you around too much.
Unfortunately, if you aren’t already famous and haven’t made a sex tape, and you aren’t very pretty, privacy laws aren’t going to be helpful for much longer.
After Netflix successfully plies Congress to take the teeth out of the Video Privacy Protection Act (VPPA), there will no longer be a sensible path for privacy laws to follow. The VPPA is the paradigm that we should follow to craft all future privacy laws. The VPPA creates a private right of action against corporations that violate privacy rules. This would allow individuals to take the initiative about privacy violations rather than waiting on overburdened and underfunded Attorneys General to act on their behalf. Corporations might be worried about being overwhelmed by lawsuits. The VPPA is an example of a privacy law that didn’t cause millions of lawsuits; rather, it was successfully in place for 20 years and very few violations ever occurred.
Instead, we will be getting watered down privacy laws that are more like a license to violate privacy. Netflix is now one step closer to their dream of being able to share what movies you watch with other people. Last month, they were sent to mediation as the House passed an amendment to the VPPA.
The House has approved language that clarifies that the VPPA can support electronic signatures and allows Netflix and others to use either opt-in or opt-out for the sharing of information. The troubling part is that they allow for opt-out language. As a consumer, my privacy has been ensured for the last 23 years, and now it will suddenly be yanked away until I find out where they’ve buried the opt-out box on their website?
Specifically, the House bill would replace the current text of 18 USC 2710 (b)(2):
(B) to any person with the informed, written consent of the consumer given at the time the disclosure is sought;
(B) to any person with the informed written consent (including through an electronic means using the Internet) of the consumer given at one or both of the following times:
(i) The time the disclosure is sought.
(ii) In advance for a set period of time or until consent is withdrawn by such consumer.