HackLaw is a blog dedicated to discussing the legal issues in information security and developments that may have an impact on information security law.
Wednesday, January 25, 2012
Let's compare the new EU data privacy rules to the US ones being proposed throughout 2011 in both the House and the Senate, as well as the ones offered by the White House.
Probably the biggest difference comes in fines. The EU rules define specific levels of fines for infractions, starting at 0.5% of a corporation's turnover and going all the way up to 2%. Keep in mind that this is "turnover", not profit. The difference here is sharp. The US laws all set caps on damages, from $500,000 to $15,000,000. The US laws make no reference to the size of the company...presumably this would be determined by the FTC when they settle a claim. The proposed US laws contain no definitions of how to determine which infractions merit which damages.
The EU has a host of other requirements. Every company with more than 250 people is required to have a Data Protection Officer, and there are strict rules around how this new position is to be treated. The position can only be fired for cause, for example. This presumably protects the position from being terminated if they take a hard line approach to privacy. The SAFE Data Act requires the appointment of "an officer as the point of contact with responsibility for the management of information security." In the US the position's tasks aren't defined. This person could be a janitor and still fulfill the requirements of the law. No offense to any janitors out there.
The EU law also requires mandatory security assessments and 24 hour turnarounds on breach notifications. It creates the right to be forgotten and creates erasure and data portability standards. The US takes a different approach to security...it looks at security on an industry by industry basis. The US has offered up an "Online Privacy Bill of Rights", but it does nothing to change the status quo on security assessments or breach notification. While the FTC has issued recent rulings requiring Facebook to have annual security assessments, the feeling seems to be that you are assumed to be secure until proven insecure. The better model would be the other way around.
Tuesday, January 24, 2012
5th Amendment = Encryption?
If this were the case, it would quickly become impossible for the criminal justice system to prove a lot of their cases.
Interesting theory. The 5th amendment says:
No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
Looking at the parallel with the physical world, you can't refuse a valid search warrant for your house. Just because you have a safe in the house with a key, doesn't mean the police can't search it.
Now, if your computer were an artificially intelligent computer, implanted with your memories...then maybe she would have a point.
Thursday, January 19, 2012
Shrinking Public Domain
Perhaps the Supreme Court felt compelled to do something for copyright holders after the setbacks to SOPA and PIPA yesterday?
Thursday, January 12, 2012
Should There Be a Cyberwar Treaty, Part 2
In my previous article on whether there should be a cyberwar treaty, I argued that Cyberwar wasn’t like other types of conflict, and that it wasn’t likely that a treaty would ever happen.
Being a lawyer, I like to play devil’s advocate, so here’s a different perspective.
Jeffrey Carr, in his new edition of “Inside Cyber Warfare” says that there are currently 28 nation states that have cyber warfare capabilities. Does the rapid spread of Cyber Warfare capabilities mean that there should be a treaty? There are major differences in how Cyber conflicts would take place versus other types of conflicts. For example, unlike physical confrontation, any Nation in the world can attack any other Nation directly or indirectly. In addition, rogue political parties or factions within a nation can take actions that don’t necessarily represent the country’s views as a whole. Do the different dynamics of Cyber Warfare warrant a treaty? Does the amount of damage that can be caused by Cyber Warfare relative to the cost of hacking warrant a treaty?
How do we distinguish between Cyber Crime and Cyber Terrorism or Cyber Warfare? I think this is where progress is most likely to be made with any Cyber Treaties. In order to successfully track the global criminal, there needs to be a global network of cooperation between legal systems on a scale that doesn’t exist today. After 6,000 credit cards were stolen, the Israeli Government declared that this was an act of terrorism. Is that an overreaction? Should the Israeli Defense Forces respond by hacking the hacker?
Shouldn’t we be focusing on prevention? How much is law enforcement willing to engage with businesses and individuals to protect their information? How do we know when an incident of hacking should be escalated from being a law enforcement matter to being a national security matter?
Cyber Criminals can automate crime. They can commit hundreds of crimes per second, and in fact they can perpetrate multiple types of crimes all at the same time. Law Enforcement can’t automate catching criminals, prosecuting them, or incarcerating them. This is necessarily done one criminal at a time. Law Enforcement will always be slower than Cyber Criminals.
There are other types of warfare that do have treaties. The Geneva Convention covers many aspects of physical confrontation, but there has never been a formal international espionage treaty, which Cyber Warfare is more analogous to. This isn’t to say that this isn’t a great time to start.
One might ask, what other organizations are there that the 28 Cyber Warfare Club members already belong to? Interpol is one example. Interpol has a staff of about 600 and a budget of 80 million. In contrast, the FBI has a staff of 35,500 and a budget of 8 billion. To me, this means that, by necessity, cybercriminals will go global to reduce their risk of being caught domestically by the biggest law enforcement agency in the world.
The lowest hanging fruit for a Cyber Security Treaty, then, is probably Cyber Crime, not Cyber Warfare. Countries could coordinate their Cyber Crime efforts, which makes a lot of sense, especially in a global economy.
A Cyber Warfare treaty could address Cyber Security analogs of the kinds of things that are already addressed in the Geneva Convention. For example:
- Cyber Attacks should not be targeted at activities that kill non-combatants (like targeting commercial airlines.)
- Cyber Attacks should not deprive individuals of a fair trial if accused of a war crime.
- Cyber Attacks should not target Hospitals.
- Cyber Attacks should not target biological or nuclear weapons storage facilities.
Even these few examples create their own problems, however. What if, for example, a Nation State attacks a biological weapons or nuclear weapons production facility (as was the case with Stuxnet)? Does this actually help enforce the Geneva Convention? What if there is a danger to civilians around where these facilities are located?
At least one Cyber Warfare treaty was created last year. The ANZUS treaty between Australia and America was extended to include Cyber Attacks. If one country is attacked, then it is considered to be an attack on both. It might be likely that other alliances will consider similar extensions this year (NATO, the UN, etc.).
Monday, January 9, 2012
Say goodbye to the Video Privacy Protection Act
If someone posted a video of me having sex on the internet, which admittedly wouldn’t be very popular, I would sue them. Most likely I wouldn’t become very rich and very famous. Not like Paris Hilton or Kim Kardashian. Lawsuits for violations of privacy like this have made millions. Privacy lawsuits aren’t just limited to sex tapes, either. If you’re already famous, you can sue tabloids for following you around too much.
Unfortunately, if you aren’t already famous and haven’t made a sex tape, and you aren’t very pretty, privacy laws aren’t going to be helpful for much longer.
After Netflix successfully plies Congress to take the teeth out of the Video Privacy Protection Act (VPPA), there will no longer be a sensible path for privacy laws to follow. The VPPA is the paradigm that we should follow to craft all future privacy laws. The VPPA creates a private right of action against corporations that violate privacy rules. This allows individuals to take the initiative on privacy violations rather than waiting on overburdened and underfunded Attorneys General to act on their behalf. Corporations might be worried about being overwhelmed by lawsuits. The VPPA is an example of a privacy law that didn’t cause millions of lawsuits; rather, it was successfully in place for 20 years and very few violations ever occurred.
Instead, we will be getting watered down privacy laws that are more like a license to violate privacy. Netflix is now one step closer to their dream of being able to share what movies you watch with other people. Last month, they were sent to mediation as the House passed an amendment to the VPPA.
The House has approved language that clarifies that the VPPA can support electronic signatures and allows Netflix and others to use either opt-in or opt-out for the sharing of information. The troubling part is that they allow for opt-out language. As a consumer, my privacy has been ensured for the last 23 years, and now it will suddenly be yanked away until I find out where they’ve buried the opt-out box on their website?
Specifically, the House bill would replace 18 USC 2710 (b)(2):
Current text:
(B) to any person with the informed, written consent of the consumer given at the time the disclosure is sought;
Proposed text:
(B) to any person with the informed written consent (including through an electronic means using the Internet) of the consumer given at one or both of the following times:
(i) The time the disclosure is sought.
(ii) In advance for a set period of time or until consent is withdrawn by such consumer.