The Quon Case Goes to the Show

Looks like my NPR addiction will keep me informed: http://www.npr.org/templates/story/story.php?storyId=125998549

300 Years of the Statute of Anne

Interesting background on the precursor to copyright, how intent has evolved over the years, and why we’re protecting the interests of someone decades after they’ve died: http://www.onthemedia.org/transcripts/2010/04/09/05

Privacy, Surveillance and the Government

By Dan Byler and Amy Haas

“Freedom of opinion and expression is a human right and a guarantor of human dignity… Privacy is a human right and guarantor of human dignity.” These words, from the Global Network Initiative, reflect a belief that cuts to the heart of modernity: humans have the right to freedom from unwarranted meddling. Privacy and freedom of expression are merely two sides of the same issue.

As we have read, the primary legal purpose of copyright law is to promote creative expression. In the case of free expression and privacy, a similar dynamic holds: privacy promotes freedom of expression. Consider, for instance, how your behavior would change if you knew you were the protagonist in The Truman Show or 1984. But privacy is far more than a means to the end of free expression. If this were the case, privacy would merely occupy a place in the US legal code, not the Bill of Rights. In fact, privacy is a thing to be valued even if it did not promote freedom of expression.

Privacy rights have a long history in the United States, starting with the Bill of Rights, where the principle of privacy is implied in the Fourth Amendment. When courts assess Fourth Amendment claims, there is an emphasis on determining the “reasonableness” of search and seizure, and whether or not an individual’s “reasonable expectation of privacy” has been violated. Given that establishing boundaries for privacy in the physical world is complex, it is even more difficult for courts to offer strong privacy protections for the online environment. Under current Fourth Amendment doctrine, there is still considerable uncertainty whether Internet users can or should retain a “reasonable expectation of privacy” concerning information sent to network providers, especially with regard to stored e-mails.

The Fourth Amendment does not protect information revealed to third parties; therefore, an area of debate exists over whether or not files stored by ISPs should have Fourth Amendment protection if, in fact, ISPs act as third parties on behalf of Internet users. Adding to the complexity of the issue is the fact that most ISPs are private commercial service providers, not government entities. As a result, even if it were perfectly clear that the Fourth Amendment does protect files stored by ISPs, the ISPs (when not acting as agents for the government) can freely access all of the files stored on their servers under the private search doctrine and can then disclose them to the government without violating the Fourth Amendment.

Past Supreme Court cases have held that while the government’s placement of an electronic listening device in a public phone booth violated the Fourth Amendment (Katz v. United States, 389 U.S. 347, 1967), the government’s use of a pen register did not (Smith v. Maryland, 442 U.S. 735, 742, 1979). Both are forms of surveillance, but as with written communication, the difference lies in the expectations of the sender/receiver: one would expect that a third party would need to know the “to/from” information in order to route a message, whereas the third party would not need to know the contents of the message to do so.

The case of Quon v. Arch Wireless exemplifies the ambiguities with which modern privacy regulation is fraught. In this case, the plaintiff alleged that he had a reasonable expectation of privacy regarding the contents of his text messages based on his supervisor’s informal policy, regardless of the fact that his pager was property of the police department, he had signed an employee agreement acknowledging the City of Ontario’s “Computer Usage, Internet and E-mail” policy, and had attended a meeting which expressly informed all present that pager messages were considered “public information and eligible for auditing.” A case that seemed straightforward in the beginning turned into a very complicated issue of determining whether Arch Wireless was acting as a Remote Computing Service (RCS) or an Electronic Communication Service (ECS). A classification of RCS would release Arch Wireless from liability; however, if Arch Wireless was considered an ECS, it would be held liable under the Stored Communications Act. The case teetered on being a semantic argument that could go either way, but ultimately Arch was determined to be an ECS based on Theofel v. Farey-Jones, 359 F. 3d 1066, 1070, 2004.

We see in the readings two forms of response to the legal ambiguities surrounding privacy legislation. On the one hand, the Global Network Initiative calls for the coordinated actions of member businesses to uphold the privacy and freedom of expression in their dealings with governments and business partners. Digital Due Process takes another approach, calling for the simplification and clarification of legal standards regarding privacy laws. (Consider, for example, the absurd legal distinctions that put “read” vs “unread” emails in distinct legal categories for the purposes of surveillance, or which render files stored in a cloud computing arrangement less protected than those which reside on one’s computer. What, for instance, is a business traveler to do: keep files on his or her laptop, subjecting it to search at any U.S. port of entry, or keep it in secure cloud services, subjecting it to possible warrantless search?)

Despite the clear synergy between privacy and freedom of expression, the two needs are also at odds. For instance, one could achieve near-complete privacy by forfeiting all personal expression. (This is known as being a hermit, by the way.) At the other extreme, extreme self-expression is a form of self-disclosure—a tacit relinquishment of certain privacies. What is certain is that we feel that self-expression, self-disclosure, and privacy are our rights—not privileges bestowed on us by our government, employer, or family. In general, U.S. laws attempt to balance the privacy rights of individuals against the law enforcement needs of government. Where applicable, considerations are made for third parties involved in the exchange of personal information, such as mobile service providers.

One interesting battleground for these tensions is Burning Man, an annual arts festival held in Nevada’s Black Rock desert. The festival maintains a reputation for fostering unfettered free expression, but came under fire by the Electronic Frontier Foundation last year for its draconian photography policy, which states “I understand that I have no rights to make any non-personal use of any image, film, or video footage obtained at the event, and that I cannot sell, transfer, or give the footage or completed film or video to any other party, except for personal use, and I agree to inform anyone to whom I give any footage, film, or video that it can only be used for personal use.” Yet Burning Man insists that this legal strong-arming is in defense of its participants: “There are but two essential reasons we maintain these increased controls on behalf of our community: to protect our participants so that images that violate their privacy are not displayed, and to prevent companies from using Burning Man to sell products”. Paradoxically, it seems the only way to protect the free expression of Burning Man participants is to protect their privacy—by limiting the free expression of Burning Man photographers. Is there a middle ground?

Reasonable security?

During our class discussion, many raised the issue that the language in the FTC v. TJX agreement and the California law on security is pretty vague. How can a company determine what are “reasonable and appropriate security measures to protect specified personal information of California residents”? Do they always have to hire a consultant? What happens when the technology of today is going to be obsolete tomorrow?

Organizations such as the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) have developed a set of guidance materials for IT governance that may help companies understand what is reasonable and appropriate from the perspective of the industry. As Deirdre pointed out in class, this looks like an effort by the industry to self-regulate in order to forestall government legislation on the subject.

Nevertheless, the COBIT framework provides companies with a set of guidelines to follow and a set of metrics to measure against. Although it is not as visible and transparent as the emissions parameter, it may become a differentiator and consumers may start pushing companies to implement standards such as COBIT or ISO/IEC 27002.

ISPs Gain Ground In “Tussle”

Comcast: 1, FCC: 0. The U.S. Court of Appeals (D.C. Circuit) handed down a ruling today that looks like a serious blow to net neutrality:

A federal appeals court ruled on Tuesday that regulators had limited power over Web traffic under current law. The decision will allow Internet service companies to block or slow specific sites and charge video sites like YouTube to deliver their content faster to users.

In addition to narrowly granting Comcast the right to arbitrarily tweak throughput for different types of traffic (such as BitTorrent), this decision has implications for the Obama administration’s plans to increase broadband access, as well as a potential chilling effect on innovation itself: what happens to adoption of the next Google, Facebook, or Twitter when a network provider decides to crank the spigot down?

UC student notification of possible identity theft

Some of you may have received an email yesterday (4/5/10) from our ASUC President Miguel Daal (subject: Vote April 6 – 8 ASUC Elections, April 24 Boat Cruise & Credit/Debit):

————————————————————–
Credit/Debit Card Fraud:
A wave of credit/debit card fraud has hit UC students in the last two
weeks. Carefully check your recent credit and debit card statements,
and encourage your friends to do the same. If you are a victim, it
is *very important* that you file a police report with the City of
Berkeley PD so that the source of the credit card number leak can
be found. A report takes 5 minutes: call (510) 981-5900 to talk to
an officer.
————————————————————–

Is TJX history repeating itself (albeit on a smaller scale)? The banks have reported that many UC students have had to report stolen credit cards, identity theft, etc., and are trying to identify the source of the leak. Tracing the connection back to a common source is obviously really difficult, and I wonder what the culprit’s fate will be. I’m curious whether they recorded their information in clear text.

Make sure to check that you are not a victim!

It’s also interesting to consider the effect of this email notification. At a basic level, the overall awareness of this problem is not just limited to the small subgroup of student victims, but now the entire student population has been notified. I wonder if any groups will band together and protest or boycott whatever company/store/website/party (to be identified) lost their personal information.

ControlScan and the FTC: We Don’t Need Your Stinkin’ Badges

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier

One of the reasons security is so tough is because it’s next to impossible to make guarantees. People incorrectly think security is a binary property – Linux is secure, Windows isn’t, etc. You can show a system isn’t secure by finding a vulnerability. But to guarantee a system is “secure”, without further explanation, is meaningless. Unless you have an unlimited budget, 100 percent security is not an attainable or even desirable goal.

Imagine you’re a busy executive. You’ve got a budget, a timeline, and your job to keep. Your boss/shareholders/board is concerned about the security of your systems. Someone is trying to sell you a magical piece of technology that gives you “guaranteed” security. You may be tempted to buy. And you would be wasting your money.

It’s extremely common – if you walk through the RSA or Blackhat conference exhibition halls, you’ll find hundreds of companies marketing comprehensive security “solutions” that rely on deceptive claims and glossy packaging.

It’s why so many people in the security community rally against “security badge” services for web sites. Companies will sell you the right to display an image that lets your customers know your site is “secure”. McAfee Secure, TrustGuard, and Shopper Safe are just a few of the competitors. Most of these companies rely on automation and simple security scanning technologies. Many security researchers have found these services to be inadequate. There are even reports of attackers specifically targeting sites that relied on these services.

ControlScan, one of these web site scanning services, recently reached a settlement with the FTC agreeing that it misled customers about the frequency and effectiveness of its scans. ControlScan offered many badges with “little or no verification” of actual security practices. And while the badge showed the current date, the scans were often weekly or less frequent.

It will be interesting to follow the ramifications of this agreement to see how it impacts other security vendors. Many security companies rely on vague claims about the effectiveness of their products because it’s hard to sell incremental risk protection. Most buyers want immediate and complete solutions. When do bold claims become deception? Whose responsibility is it to verify the efficacy of a security technology? The FTC has made a stand against an obvious shyster, but will the “snake oil salesmen” of the security industry be shut down?

Information Security and the Law

Alex Smolen, Krishna Janakiraman, Satish Polisetti, Daniel Perry

TJ Maxx, a retail apparel company, failed to secure its customers’ private information. In-store networks transmitted sensitive data like credit card numbers and social security numbers to corporate networks in plain text, had inadequate authentication and authorization controls, and had no intrusion detection or prevention mechanisms. As a result, at least two security breaches occurred in 2005 and 2006 that caused millions of dollars of losses in money and time to customers and banks. In response to these breaches, the FTC deemed TJ Maxx’s lack of security an “unfair” business practice and reached an agreement with TJ Maxx to prevent future breaches. This agreement instructs TJ Maxx to use encryption before storing data, put dedicated employees in charge of an information security program, use better password systems, and submit to regular third-party audits. TJ Maxx agreed to this order and was not penalized in any other way.

The TJ Maxx security breaches caused significant monetary loss to consumers and businesses. What law or set of laws can be used to hold TJ Maxx and similar companies liable? Why didn’t TJ Maxx have good security systems in the first place? There are several laws that relate to information security, but it is difficult for businesses to understand how to follow them and there is not always adequate definition and enforcement.

An example of a law related to information security is California State Bill 1386, which has subsequently been adopted in a similar form by most other states. In 2003, California SB 1386 amended civil codes 1798.29, 1798.82, and 1798.84 and introduced new privacy regulations that require any organization that does business in California and stores unencrypted personal information to notify any California resident if their personal information was acquired by an unauthorized third party. Protected personal information includes social security numbers and financial information, as well as medical and health insurance information. Notification can be by mail or electronic, but must be given as quickly as possible. While there are no specified monetary penalties for violating these codes, an injured person can file a civil suit against a company. This law does provide a punitive mechanism for companies that fail to secure their information systems, but it focuses on breaches. If a company is unaware of a breach, or believes that no one will be able to win a suit claiming injury against it, then it may choose not to send a notification. Alternatively, a company could decide that sending notifications is less expensive than implementing an effective information security program.

The California Office of Privacy Protection released recommended practices related to these new civil codes in May of 2008. The practices detail ways for an organization to manage an information security program centered around restricting internal access to personal information and notification to individuals or groups if there is a security breach of this information. Practices include allowing employees access to personal information on a ‘need to know’ basis, notifying individuals of a breach within ten days by first class mail or email, using encryption standards, and reviewing security standards annually. Implementation of all of the recommendations will almost undoubtedly be extremely costly for any business and the fact that they are not legally binding (i.e. no Safe Harbor) provides little assurance. The recommendations are also fairly vague, and there is no regulatory action enforcing compliance. They are simply “recommendations”.

The FTC consent agreement with TJ Maxx, as well as SB 1386 and the associated recommendations, demonstrate legal approaches to information security enforcement. The goal of these mechanisms is to ensure privacy and prevent security breaches in the future. However, each of these approaches is problematic, and it is very hard to imagine a legal framework that can ensure information security. In his paper “The State of Information Security Law”, Smedinghoff mentions that there is no single statute that obligates a company to secure its information. Instead, there is a hodgepodge of federal, state and international laws that pertain to information security. Furthermore, these laws are segregated based on public versus private companies as well as by industry – finance, health care, e-commerce, etc. Even if a company wants to secure its information, it does not have a clear set of legal obligations to work towards. Companies may be subject to several different information security laws based on their industry, the data they store, and the states they do business in.

Another major challenge for information security law is the ambiguity of the concept of “information security”. As Smedinghoff mentions, security is relative, and the terms used in some of the statutes are often hard-to-pin-down phrases like “reasonable (or) appropriate security”. This leaves businesses with little guidance as to what is required for legal compliance. A welcome trend is the emergence of laws that focus on the treatment of specific information like social security numbers or payment card information, as well as specific standards related to security controls like data retention or authentication.

From a company’s point of view, it is difficult to determine “what is applicable to us” when it comes to information security law. This could be an economic strain, especially for small companies that can’t afford legal or information security expertise. There is also an increasing trend towards outsourcing information systems to the “cloud”. This represents another unclear legal area – the obligations and liabilities of the company and the cloud provider. We have seen in other areas like privacy and copyright that technology moves extremely rapidly compared to the law. New technology presents new information security threats, which the law may not address.

There is no omnibus US information security legislation for businesses – in fact, it is almost the exact opposite. There are a variety of different laws related to different sectors and types of data. Even for large organizations, implementing an effective information security program to address these laws is challenging and costly. Information security is a big expense for many organizations, and yet overall security controls are still often bad. TJ Maxx is not alone – see Heartland, CardSystems, and Hannaford Brothers for other examples of large-scale breaches. As Smedinghoff states: “A key problem, however, is that the nature of the legal obligation to address security is often poorly understood by those levels in management charged with the responsibility, by the technical experts who must implement it, and by the lawyers who must ensure compliance. Yet, it is perhaps one of the most critical issues companies will face.” It seems that increased clarity, or potentially unification, of information security law would help improve the state of information security by giving businesses a clear objective, and if this objective included appropriate information security policy and controls, it would ultimately help the consumer.

SLAPP: Chilling Effects of Online Defamation Suits

Really relevant to our last assignment, and a pretty great article. It discusses the trend of people suing over online content that portrays them in a negative light or defames them, in order to pressure the authors into taking the content down.

http://www.onthemedia.org/transcripts/2010/04/02/07
