Recently in Government Category

EU Data Breach update

EU Commission Regulation No 611/2013 (PDF) outlines measures applicable to data breach notification under the amended 2009 EU e-Privacy Directive 2002/58/EC (PDF) of the European Parliament and of the Council on privacy and electronic communications.



Brian Owsley, former United States Magistrate Judge for the Southern District of Texas and current professor at Texas Tech University School of Law, published an article in the University of Pennsylvania Journal of Constitutional Law, Vol. 16, 2013 titled "The Fourth Amendment Implications of the Government's Use of Cell Tower Dumps in its Electronic Surveillance (PDF)". The paper addresses novel issues about electronic surveillance using cell tower dumps. 

Abstract:
Privacy concerns resonate with the American people. Although the right to privacy is not explicitly protected in the United States Constitution, the Supreme Court has found the right to privacy rooted within the Constitution based on various amendments. In the modern era, with rapid advances in technology, threats to privacy abound including new surveillance methods by law enforcement. There is a growing tension between an individual's right to privacy and our collective right to public safety. This latter right is often protected by law enforcement's use of electronic surveillance as an investigative tool, but may be done at times inconsistent with constitutional rights. 

Recently, the American Civil Liberties Union brought to light the popular use of government surveillance of cell phones, including the gathering of all cell phone numbers utilizing a specific cell site location. Known as a "cell tower dump," such procedures essentially obtain all of the telephone number records from a particular cell site tower for a given time period: "A tower dump allows police to request the phone numbers of all phones that connected to a specific tower within a given period of time." State and federal courts have barely addressed cell tower dumps. However, the actions by most of the largest cell phone providers, as well as personal experience and conversations with other magistrate judges, strongly suggest "that it has become a relatively routine investigative technique" for law enforcement officials. 

No federal statute directly addresses whether and how law enforcement officers may seek a cell tower dump from cellular telephone providers. Assistant United States Attorneys, with the encouragement of the United States Department of Justice, apply for court orders authorizing cell tower dumps pursuant to a provision in the Electronic Communications Privacy Act of 1986. The pertinent provision poses a procedural hurdle less stringent than a warrant based on probable cause, which in turn raises significant constitutional concerns. 

This article provides a brief description of cellular telephone and cell-site technology in Part I. Next, Part II addresses the evolution of Fourth Amendment jurisprudence and argues that the reasonable expectation of privacy standard applies to electronic surveillance such as cell tower dumps. In Part III, the discussion follows the development of statutes addressing electronic surveillance and argues that cell tower dumps request more information than simply just telephone numbers. Part IV analyzes records from both cellular service providers and the federal government to conclude that cell tower dumps routinely occur. Part V assesses the few decisions that even discuss cell tower dumps and argues that the analysis is either non-existent or flawed regarding the use of the Stored Communications Act to permit cell tower dumps. Next, Part VI asserts that cell tower dumps cannot be analyzed pursuant to the Stored Communications Act because the language of the statute is inapplicable and the amount of information sought requires a warrant based on probable cause and concludes by proposing some protocols to safeguard individual privacy rights.


SOPA Hearing Transcript

The transcript (PDF) from the December 15, 2011 House Judiciary Committee markup of H.R. 3261, Stop Online Piracy Act (SOPA). This was one of the most infuriating sessions to watch live and reviewing the testimony and comments, in writing, a month later still boils my blood. There is a PrivacyWonk hosted copy available (PDF) in case the House moves the copy that is hosted there.

The markup session produced 495 pages of text, including the following gems:

Mr. Watt.  I thank the gentleman for yielding, and I just want to make a couple of points.  First of all, I want to go back to what my friend, Ms. Lofgren's comments she made and discourage any of us from talking about who has been bought off or even experts.  There has been a lot of money floating around in a lot of different places on this issue, and I just don't think it is worthy of us to be talking about who got bought off and who got hired by whom, especially when we start identifying the people.

Mr. Chaffetz.  Thank you, Mr. Chairman.  I have the greatest respect for you and for Ranking Member Conyers.  I do appreciate the manager's amendment.  I do think it is certainly better.   There is clearly a problem.  I understand that there is a problem, but I worry that this is the wrong remedy.  I was trying to think of a way to try to describe my concerns with this bill, but basically we are going to do surgery on the Internet, and we haven't had a doctor in the room tell us how we going to change these organs.  We are basically going to reconfigure the Internet and how it is going to work without bringing in the nerds, without bringing in the doctors.

Ms. Jackson Lee. ... And then, Mr. Chairman, if I might have a moment of personal privilege and just cite for my colleagues, because I do think that we should be respectful of each other, I am reading a tweet that has gone out from "GOP Rep King, Bored by the dialogue of Representative Jackson Lee."  I have no reason to think that anybody cares about my words, but I would offer to say that Mr. King owes the committee an apology, said that we are debating the Stop Online Piracy Act and that he is killing time by surfing the Internet.  I have never known Mr. King to have a multi-task capacity, but if that is his ability, I do think it is inappropriate while we are talking about serious issues, to have a member of the Judiciary Committee be so offensive.  So I am putting on the record, he is not here -- I -- 
Mr. Sensenbrenner.  Chairman, I demand the gentlewoman's words be taken down.  
Ms. Jackson Lee.  Well, I am not taking them down, so you can break this hearing because I am not.  I would ask Mr. --  ...

There is much more contained within the transcript. It is an almost 500 page demonstration of special interest lobbying, willful ignorance of the outside-the-beltway world and the internet.

For more on SOPA, please see the opposition letter. Please use this letter and send to your representatives to add your voice to the debate.


My SOPA Opposition Letter

I like participating and love what the Center for Democracy and Technology and others are doing at the American Censorship Project. However, this is an issue I feel very strongly about and decided to sit down and compose my own letter & e-mail to my representative. There are two versions of the letter -- one for you to read and interact with on this blog and one for you to copy and paste and send to your representative. The second version removes formatting to ensure sources (URLs) transition through the "Write your Representative" pages.

To the Honorable <<Representative>>,

I am writing to express my staunch disapproval of H.R. 3261: Stop Online Piracy Act (SOPA) and S. 968: Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 (PROTECTIP). There is no substantial disagreement with the goal of combating the online infringement of copyrights and trademarks; that is a valid and important aim. However, these bills are incredibly dangerous to the country. Some of the specific provisions are far more controversial and would do far more damage than the authors (the MPAA and other lobbying arms of the entertainment industry) of the bill or the "expert" testimony would suggest. A Politico article by Jennifer Martinez titled "Shootout at the digital corral," published on November 16, 2011, provides excellent detail on the bills and the simple fact that the entertainment lobby has outspent the technology lobby for the past two years. The entertainment lobby has bought and paid for these bills, spending over $200M in 2010 and 2011, and they will substantially harm the still growing and increasingly important digital economy: making it impossible to innovate, killing start-ups, and any jobs associated with them.

The public reaction to these bills in the United States has been visceral. Opponents of the bill include: Google, Yahoo!, Facebook, Twitter, AOL, LinkedIn, eBay, Mozilla Corporation, the Brookings Institution and human rights organizations such as Reporters Without Borders, the Electronic Frontier Foundation, the ACLU, Human Rights Watch, and the Center for Democracy and Technology.

Sandia National Laboratories, a part of the U.S. Department of Energy, concluded that the SOPA legislation would "negatively impact U.S. and global cybersecurity and Internet functionality." Sandia joins Republican Representative Dan Lungren, who also worried that SOPA would undercut efforts to secure the internet with DNSSEC.

Harvard Business Review blogger James Allworth wrote, "Is this really what we want to do to the internet? Shut it down every time it doesn't fit someone's business model?" concluding that the bill would "give America its very own version of the Great Firewall of China." I do not believe this quote is hyperbole. The bill will significantly impair the freedom of the internet that we as a country have advocated very publicly. See Hillary Clinton's speech on Internet Freedom at GW University.

There has also been international outcry to the bills. The European Parliament passed (by a large majority) a resolution criticizing SOPA. The resolution emphasizes "the need to protect the integrity of the global Internet and freedom of communication by refraining from unilateral measures to revoke IP addresses or domain names." The United States has great allies in Europe and we would not be doing ourselves any favors by passing a bill that does *nothing* to protect us and everything to antagonize Europeans.

We cannot legislate an internet that protects everyone, everywhere, at every second. But we also cannot take the interests of a few companies' antiquated business models over the interest and rights of our citizens. SOPA and PROTECTIP are bad pieces of legislation. This fact is highlighted in the poor grasp of internet technology the bills put forward; the entertainment industry spent millions of dollars to produce pieces of legislation that *break* the internet. These bills represent the last throes of an industry failing to adapt to a new marketplace. These companies would have done better to take their $200M+ of lobbying and invest it in innovation, research and development, and job creation around that R&D.

Please help stop this bill.

Thank you,
<<Name>>

USMC Social Media Handbook

The United States Marine Corps has released a social media handbook (PDF) outlining acceptable uses of social media for Marines across the globe. "The social media principles provided in this handbook are intended to outline how our core values should be demonstrated, to guide Marines through the use of social media whether personally involved or when acting on behalf of the Marine Corps."

This is one of the more comprehensive social media handbooks I have come across. The Marines did a great job covering the uses of social media and the behavior the Corps expects in personal, family, and professional uses. It also, importantly, covers operational security (OPSEC), using social media for crisis communication, and provides safety tips.

This is a big step forward for the Marine Corps, which, in August of 2009, caused a controversy by outright "banning" social media on their unclassified war-fighting network. This ban was smart; the media in their coverage of the ban, however, was not. The media took an overly dramatic viewpoint that the order, MARADMIN 458-09, would prevent Marines from using social media services to contact their families and friends, cutting off deployed Marines worldwide. This was far from the fact or intent of the order. The order sought a default-to-secure posture and offered a waiver process that would allow commands and units to engage on social media while also gathering data on legitimate uses throughout the Corps to make more informed decisions down the road (hence the one-year time frame). The ban affected operational networks, not the networks used for morale and welfare (USO, internet cafes, etc.) -- a critical distinction missed by the press. Nonetheless, it started a groundswell within the DoD community that ended with the use of social media being green-lit by the DepSecDef in February of 2010. Full disclosure, I had a hand in the creation of the referenced MARADMIN as noted within the document.

Kudos to the Marine Corps for this excellent handbook and for embracing a new style of engagement for Marines, their families, their friends, and the world.

My one criticism is the section on Facebook privacy and tracking. My assumption is that the handbook will not be updated as often as Facebook, so the information will quickly become stale. A general overview or perhaps a common sense approach to privacy concerns on social networking sites would have been better suited in the document, with a more expansive, and more easily updated, website showing Marines the specific steps needed to protect themselves.

My two favorite parts of the manual are the introduction of the term "social media Marine" and a motto found on the last page of text in the handbook that reads:

"Engage the Community   •   Maintain Operations Security   •   Be Smart - Set the Example: In Life and Online"

A great message and motto for all DoD/Government social media engagements.

This is a great template/starting point for other DoD components and government agencies currently without a social media handbook/policy. I'd also urge the Marine Corps to embrace new media to deliver the content of this handbook. For example, using video to disseminate the policy.

"Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System," (PDF) by Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, and Matt Blaze.

Abstract: APCO Project 25a ("P25") is a suite of wireless communications protocols used in the US and elsewhere for public safety two-way (voice) radio systems. The protocols include security options in which voice and data traffic can be cryptographically protected from eavesdropping. This paper analyzes the security of P25 systems against both passive and active adversaries. We found a number of protocol, implementation, and user interface weaknesses that routinely leak information to a passive eavesdropper or that permit highly efficient and difficult to detect active attacks. We introduce new selective subframe jamming attacks against P25, in which an active attacker with very modest resources can prevent specific kinds of traffic (such as encrypted messages) from being received, while emitting only a small fraction of the aggregate power of the legitimate transmitter. We also found that even the passive attacks represent a serious practical threat. In a study we conducted over a two year period in several US metropolitan areas, we found that a significant fraction of the "encrypted" P25 tactical radio traffic sent by federal law enforcement surveillance operatives is actually sent in the clear, in spite of their users' belief that they are encrypted, and often reveals such sensitive data as the names of informants in criminal investigations.


You may remember the awesome work Matt has done with voting machine security (PDF), law enforcement wiretaps (PDF), and testifying about location-based technologies and services.

112th Privacy Legislation

Updated September 27, 2011.
Updated November 8, 2011.
Updated January 31, 2012.
Updated February 7, 2012. Please see changes below.


The post below details the current pieces of draft/for discussion bills proposed by Representatives and Senators of the 112th Congressional Session. This will be a living post as it is expected there will be hearings happening before the July 4th recess.  For your reading pleasure and enjoyment (because what privacy-focused person doesn't love reading policy?) the items detail the sponsors, bill name and number, and provide links to PDF copies of the bill and to Thomas for official bill statuses.  Enjoy.  Sometime soon, expect a post from PrivacyWonk comparing all of these bills (where applicable/appropriate).

9/27/2011: Three Senate bills have moved far ahead of the pack, having been passed out of the Senate Judiciary Committee. Senators Blumenthal, Leahy, and Feinstein all have bills (see below) that will now appear on the legislative calendar. CDT's Harley Geiger has a great write-up on them here.

1/31/2012: While SOPA/PIPA dominated much of December 2011 and January 2012, a privacy issue arose around CarrierIQ -- tracking software installed in millions of smart phones on multiple carriers -- in early December. Senator Al Franken demanded answers to questions, CarrierIQ put out a press release, and other Congress members have asked for a formal investigation. Coming out of all this, Representative Edward Markey (D-MA) published a draft cellphone privacy bill. Lastly, two bills have seen an increase in support. H.R. 1895, Do Not Track Kids Online and H.R. 1981, Protecting Children From Internet Pornographers Act of 2011. Details below.

Quick Stats
Pieces of Legislation: 19 introduced, 1 discussion draft
Representatives: 9
Senators: 9

Representative Bobby L. Rush (D-IL) reintroduced his privacy-focused legislation from last year on Thursday, February 10th, 2011: the Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act (PDF) (H.R. 611).
Status: Referred to the House Subcommittee on Commerce, Manufacturing, and Trade, no cosponsors have signed on.

Representative Jackie Speier (D-CA) introduced two pieces of legislation on Friday, February 11th, 2011, aimed at protecting personal information.  The Do Not Track Me Online Act of 2011 (H.R. 654) would give consumers the ability to prevent the collection and use of data on their online activities.  The Financial Information Privacy Act of 2011 (H.R. 653) would give consumers control of their own financial information.
H.R. 654 Status: Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 22 cosponsors have signed on.
H.R. 653 Status: Referred to the House Subcommittee on Financial Institutions and Consumer Credit. Seven cosponsors have signed on.

Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011 (PDF) (S. 799) on April 12, 2011. This bill aims to establish a baseline code of conduct for how personally identifiable information and information that can uniquely identify an individual or networked device are used, stored, and distributed.
Status: Referred to Committee on Commerce, Science, and Transportation. Two cosponsors have signed on.

Representative Cliff Stearns (R-FL) introduced the Consumer Privacy Protection Act of 2011 (H.R. 1528) on April 13, 2011, which seeks to "protect and enhance consumer privacy" both online and offline by imposing certain notice and choice requirements with respect to the collection and use of personal information.
Status: Referred to the Committee on Commerce, Science, and Transportation. Five cosponsors have signed on.

Representative Bobby L. Rush (D-IL) reintroduced the Data Accountability and Trust Act (PDF) (H.R. 1701) (formerly H.R. 2221 from the 111th) on May 4, 2011, which directs companies to establish policies on the use (collection, storage, sale, disposition, etc.) of consumer personal information. It also has a 60-day breach notification requirement. There are minimal changes from the original; the only substantial update was the definition of service provider.
Status: Referred to the House Committee on Energy and Commerce. Four cosponsors have signed on.

Senator Jay Rockefeller (D-WV), the Chairman of the Senate Committee on Commerce, Science and Transportation, introduced the "Do-Not-Track Online Act of 2011" (S. 913) on May 9, 2011. The bill requires the Federal Trade Commission to prescribe regulations regarding the collection and use of personal information obtained by tracking the online activity of an individual, and for other purposes (Do Not Track).
Status: Referred to the Committee on Commerce, Science, and Transportation. Two cosponsors have signed on.

Representative Cliff Stearns (R-FL) and Representative Jim Matheson (D-UT) introduced the Data Accountability and Trust Act of 2011 (H.R. 1841) on May 11, 2011, which seeks to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach. This bill is built on Representative Bobby Rush's original DATAct from the 111th.
Status: Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. One cosponsor has signed on.

Representatives Ed Markey (D-MA) and Joe Barton (R-TX) introduced the Do Not Track Kids Act of 2011 (PDF) (H.R. 1895) on May 13, 2011. The bill amends the historic Children's Online Privacy Protection Act of 1998 (COPPA); it would extend, enhance, and update the provisions relating to the collection, use, and disclosure of children's personal information and establish new protections for the personal information of children and teens.
Status: Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 18 cosponsors have signed on.

Senator Patrick Leahy (D-VT) introduced two Senate bills to address both consumer privacy and citizen privacy. The first, introduced on May 17, 2011, is the Electronic Communications Privacy Act Amendments Act of 2011 (PDF) (S. 1011), which modernizes and updates the Electronic Communications Privacy Act. The second, introduced on June 6, 2011, is the Personal Data Privacy and Security Act of 2011 (PDF) (S. 1151). This is an update and reintroduction of Leahy's 2009 bill of the same title.
S. 1011 Status: Read twice and referred to Committee on the Judiciary, no cosponsors have signed on.
S. 1151 Status: Placed on Senate Legislative Calendar under General Orders. Calendar No. 181. Four cosponsors have signed on. On 11/7/2011, Senator Leahy filed Additional/Minority views in Senate Report 112-091, the DHS Appropriations Bill of 2012.

Sen. Ron Wyden (D-OR) and Rep. Jason Chaffetz (R-UT) introduced the Geolocation Privacy and Surveillance ("GPS") Act (PDF) (S. 1212 and H.R. 2168) on June 15, 2011, which creates a legal framework designed to give government agencies, commercial entities, and private citizens clear guidelines for when and how geolocation information can be accessed and used.
S.1212 Status: Referred to the Senate Committee on the Judiciary, one cosponsor has signed onto the bill.
H.R. 2168 Status: Referred to the Subcommittee on Crime, Terrorism, and Homeland Security. 10 cosponsors have signed on.

Senators Mark Pryor (D-AR) and Jay Rockefeller (D-WV) introduced the Data Security and Breach Notification Act (PDF) (S. 1207) on June 15, 2011. This is a reintroduction of a bill originally proposed by Senator Pryor in 2010. The bill aims to require businesses and nonprofit organizations that store consumers' personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances.
Status: Referred to the Committee on Commerce, Science, and Transportation. One cosponsor has signed on.
NB: Politico featured a story with S. 1207 as the centerpiece, describing the Senators' efforts to arrive at a consensus and expressing their hopes to hit the December markup.

Senators Al Franken (D-MN) and Richard Blumenthal (D-CT) introduced the Location Privacy Protection Act of 2011 (PDF), one-page overview (PDF) (S. 1223) on June 16, 2011, which would require companies/app developers to receive express consent from users of mobile devices like smartphones and tablets before sharing information about those users' location with third parties. Will update this post as more information becomes available. Franken gets the best headline out of this: Congress to Device Makers: Don't Track Me, Bro
Status: Read twice and referred to the House Committee on the Judiciary. Six cosponsors have signed on.

Representative Mary Bono Mack (R-CA) introduced the Secure and Fortify (SAFE) Data Act (PDF) (H.R. 2577) on July 18, 2011. The bill aims to establish standards of breach notification and would require organizations to notify people affected by a data breach and the Federal Trade Commission (FTC) within 48 hours. This bill was previously discussed during a House Energy and Commerce Committee panel/mark-up session held on June 15, 2011.
Status: Referred to House Commerce Subcommittee on Commerce, Manufacturing and Trade. No cosponsors have signed on.

Senator Dianne Feinstein (D-CA) introduced the Data Breach Notification Act of 2011 (PDF) (S. 1408) on July 22, 2011. This is the same legislation Senator Feinstein introduced in the 111th session (see: S. 139). The legislation is focused only on breach notification and does not introduce security requirements. It mandates multiple notifications depending on the severity of the breach (i.e., individual, Secret Service, FTC, etc.), gives state AGs the power to bring civil suits, and does not offer any private right of action.
Status: Committee on the Judiciary. Ordered to be reported with an amendment in the nature of a substitute favorably. No cosponsors have signed on. 2/6/2012: Placed on Senate Legislative Calendar under General Orders. Calendar No. 310.

The Congressional Budget Office (CBO) has scored S. 1408. The report, released October 31, 2011, "estimates that implementing S. 1408 would cost about $3 million annually for the FTC and federal law enforcement agencies to specify how the required notification procedures would work. CBO expects that most government agencies would incur negligible costs to implement the legislation."

Representative Lamar Smith (R-TX) introduced the Protecting Children From Internet Pornographers Act of 2011 (PDF) (H.R. 1981) on May 25, 2011. This bill mandates that Internet Service Providers keep incredibly detailed logs, for up to 18 months, on all customers to facilitate the prosecution of child pornography, including internet protocol addresses (i.e., all IP addresses assigned), customer names, addresses, phone records, type and length of service, credit card numbers, and more.
Status: On July 28, 2011 the House Judiciary Committee conducted a final roll call vote (PDF) and approved the bill, 19-10, to move before the entire House for a vote. 39 cosponsors have signed on. On November 10, 2011, House Report 112-281 Part 1 discussing the bill was published. On December 16, 2011, the bill was placed on the Union Calendar, Calendar No. 224.

Senator Richard Blumenthal (D-CT) introduced the Personal Data Protection and Breach Accountability Act of 2011 (PDF) (S. 1535) on September 8, 2011. The 100-page bill aims to regulate companies that store information for more than 10,000 people. The bill aims to deter preventable breaches, minimize consumer harm, promote a robust security platform, and uses a very big stick for compliance. Individuals found to be consistently violating these provisions face a maximum sentence of five years in prison and/or a $1 million fine. This is one of the most severe penalties put forward in a privacy-focused bill. Further, the bill requests coordination between the FBI and Secret Service to produce reports on enforcement actions, breach trends, and the efficacy of post-breach notifications.
Status: Placed on Senate Legislative Calendar under General Orders. Calendar No. 182. One cosponsor has signed on.

Representative Ed Markey (D-MA) released a discussion draft of Mobile Device Privacy Act (PDF) on January 30, 2012. The bill would require companies to disclose if they are using tracking software (i.e. CarrierIQ), what information the software collects, and whom it shares the information with. Consumers would have to provide express consent to any data collection or transmission, and third parties would have to have documented policies in place to secure the data they collect. Companies that want to transfer data to third parties would have to file applications with the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC). Enforcement falls under FTC Unfair and Deceptive trade practices.
Status: Discussion Draft, not officially introduced.


If you would like to voice concern or support for any of the bills, you can easily find your Representative and/or Senator through http://www.opencongress.org/people/representatives.


Special thanks to:
Hunton and Williams privacy blog for providing some quick source material -- http://www.huntonprivacyblog.com/
ThreatLevel -- http://www.wired.com/threatlevel/2011/06/gps-warrant-proposal/
Cecilia Kang -- http://www.washingtonpost.com/blogs/post-tech/post/franken-blumenthal-introduce-mobile-privacy-bill/2011/06/15/AGjZqCWH_blog.html
PrivacyLives for the draft of the Franken bill -- http://www.privacylives.com/senators-introduce-the-location-privacy-protection-act-of-2011/2011/06/15/
Privacy Insider - http://www.insideprivacy.com/united-states/feinstein-introduces-breach-notice-bill-senate-committee-may-consider-breach-notice-proposals-shortl/
CDT/ABC News Opinion: http://abcnews.go.com/Technology/tech-agenda-bills-carry-enormous-implications-technology/story?id=14522085


UPDATE 6/15/2011:
  • House hearing to discuss draft of Rep. Mary Bono Mack's data security bill starting now. Watch livestream at: http://www.ustream.tv/channel-popup/energyandcommerce2322
  • Senator Wyden and Representative Chaffetz dropped their bipartisan geolocation bill
  • Senators Franken and Blumenthal release a one-page overview of their legislation...
  • Senators Pryor and Rockefeller reintroduced data breach legislation
  • Fixed broken Thomas links above
UPDATE 6/16/2011:
  • Received final version of Al Franken's bill that was introduced on June 16, 2011.
UPDATE 6/29/2011:
  • Updated with Rep. Rush and Stearns/Matheson's versions of the Data Accountability and Trust Act of 2011
  • Updated cosponsor stats for all bills
  • Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, John D. Rockefeller, held a full committee hearing on privacy and data security. Archived webcast available: Privacy and Data Security: Protecting Consumers in the Modern World
UPDATE 8/2/2011:
  • Added H.R. 2577, S. 139, and H.R. 1981
UPDATE 9/27/2011:
  • Updated Status and cosponsors for all bills.
  • Added S.1535
UPDATE 11/7/2011:
  • Updated sponsor count on H.R. 654 (19 to 20)
  • Updated sponsor count on H.R. 1528 (4 to 5)
  • Added link to S. 1151, Senator Leahy's additional/minority views on DHS Appropriations bill
  • Updated sponsor count on S.1212 (0 to 1)
  • Updated sponsor count on H.R. 2168 (6 to 8)
  • Added Politico link on S.1207
  • Added CBO Score on S.1408
UPDATE 01/31/2012:
  • Added Rep. Markey's Discussion Draft
  • Updated sponsor count on H.R. 654 (20 to 22)
  • Updated sponsor count on H.R. 1707 (3 to 4)
  • Updated sponsor count on H.R. 1895 (6 to 18)
  • Updated sponsor count on H.R. 2168 (8 to 10)
  • Updated sponsor count on S. 1223 (5 to 6)
  • Updated sponsor count on H.R. 2168 (25 to 39)
UPDATE 02/07/2012:
  • Updated status of S. 1408, placed on Senate Legislative Calendar under General Orders. Calendar No. 310 as of 2/6/2012.

Hello and welcome to day 2 of CFP 2011. Work got in the way this morning and I was forced to watch the morning sessions via webcast while multitasking at the office -- so no blog of the first few sessions. I will be live blogging to the best of my ability today to provide those unable to attend a small window into the conference.  Be sure to check the CFP media page for pictures, video, and more. The Twitter Hashtag for this conference is #CFPConf

Please note: Live blogging is both for me and you.  These are my notes from the conference.  Nothing should be taken as a direct quote.  These are living posts.  Edits will be made.

Technology Behind the Challenge to Locational Privacy

  • Topic One: Geolocation: Risks and Rewards
    James Kasprzak: Professor of Systems Management, National Defense University;
    James Churbuck: Assistant Professor of Systems Management, National Defense University

    An overview of Geolocation, including its history and technology, and the policy implications for privacy and information assurance. Various types of geolocation technologies are covered, from GPS to cell phone apps. Each topic will be illustrated and presented to the audience for comment and analysis. The session will be wrapped up with some consideration of trends in geolocation, some predictions for the future, and suggestions for the preservation of privacy. 60 minutes.
  • Topic Two: Privacy for Mobile Users: Laptops, Location-Based Services and Location-Sharing
    Janne Lindqvist: Carnegie Mellon University

    What kind of information leaks about you every time you open your laptop, even before you have had the chance to do anything with your computer? What kinds of privacy risks are there in using location-based services? Why do people check-in on foursquare despite the numerous research reports of concerns about location-sharing technologies? In this tutorial, we discuss privacy problems and solutions with laptops, location-based services and location-sharing systems. 30 minutes.
JK -- Wants to discuss the technology of geolocation and what its limits are. Overview of GPS -- a military system that is a remnant of the cold war.  It was intended to provide nuclear ballistic missile guidance and to provide nuclear launch detection capability.  In its free time, it provides access for civilian applications through a separate channel. The military designed the civilian application to be fuzzy, up to 100m; however, geeks have hacked away and used terrestrial fixed position items such as a radio station antenna to provide clearer pinpointing, up to 3in.  It cost 1.5B to put up the first set of GPS satellites. There are other methods of precise location -- including cell tower, wifi, RFID, and transaction points (POS sale, i.e. Giant). Combined with GPS, this can provide great location info. FCC regulated that all cell phones must have GPS capacity; now we have thousands of terminals accessing GPS and communicating across the cell/wifi network channels. Explained the difference between passive and active RFID. Used an example of Operation Desert Sabre and the "Hail Mary" maneuver as the power of GPS and military applications. New civilian applications of GPS: Flash Crowds, Geotourism, Location Art [He actually gave a nod to William Gibson's Spook Country too!], Augmented Reality, Personal Location Services, etc. Points to IPv6 as tipping point for the future of geolocation services as *everything* would be addressable.

JC -- Discussed background as a naval aviator and how important it was to know where you were. Fun historical fact: in the British Royal Navy only officers were taught how to navigate, in order to prevent mutiny. Provided an overview of software like MobileME and its practical uses (monitoring his son). Then we watched a 4square ad...Then Please Rob Me...[TomTom and Dutch police...Sunshine on Apple/Google GPS/Wifi data collection...[all the old examples...]

JL -- Identifiers and protocol stacks...used a picture of a fruit-covered layered cake as a visualization of the stack.  Fruit = application; bottom of layer cake = MAC address. Threats: ID device/user, location tracking, etc. MAC address: 48 bits in hexadecimal format, i.e. aa:1a:1b:2b:3a:4a. Tracking mitigation: change MAC address every time you log into an access point [brilliant!].  MAC address is an explicit identifier. Implicit identifiers such as SSIDs.  Devices cache these SSIDs to provide faster network connectivity. The set of cached network names is a privacy risk as it will produce a unique identifier for an individual as they move between access points. Services such as Wigle.net exploit SSID and GPS. Mitigation strategies?  Reduce number of probes.  Don't cache. JL produced a paper (PDF) and solution to re-use crypto in WiFi for privacy-preserving access-point discovery.  [Great presentation!] JL has a website specifically for this conference that provides a tutorial on WiFi and location based services: http://www.cs.cmu.edu/~jklindqv/CFP2011/
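The two identifiers JL separates (the explicit MAC address and the implicit cached-SSID set) and the two mitigations he lists (rotate the MAC, shrink the cache) can be seen side by side in a small self-audit script. This is an added example written for this post, not JL's code or anything from his paper or tutorial site; the probe-request sightings it uses are constructed, and the helper names are my own.

```python
import hashlib
import random
import re

# 48-bit MAC address written as six colon-separated hex octets, e.g. aa:1a:1b:2b:3a:4a
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def is_valid_mac(mac: str) -> bool:
    """True if mac is a well-formed 48-bit address in colon-hex notation."""
    return MAC_RE.match(mac.lower()) is not None


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned locally, not by the vendor."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def random_mac(rng=None) -> str:
    """The explicit-identifier mitigation: a fresh locally-administered, unicast MAC for each
    association. Unicast means bit 0 of the first octet is clear."""
    rng = rng or random.SystemRandom()
    octets = [rng.randrange(256) for _ in range(6)]
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)


def ssid_fingerprint(cached_ssids) -> str:
    """Order-independent digest of a device's cached network names. This is the implicit
    identifier JL describes: it stays the same no matter which MAC the device currently uses."""
    canon = "\n".join(sorted(set(cached_ssids)))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:16]


def prune_cache(cached_ssids, keep):
    """The implicit-identifier mitigation: keep only the networks you actually need, dropping
    stale entries (hotels, airports, conference venues) that make the set distinctive."""
    return [s for s in cached_ssids if s in keep]


# Constructed sample: three sightings of the same laptop. It rotates its MAC between
# sessions, but in the first two it still probes for its whole cached network list.
FULL_CACHE = ["HomeNet", "CoffeeShop", "CMU-Secure", "Airport_Free"]
SIGHTINGS = [
    {"mac": "aa:1a:1b:2b:3a:4a", "ssids": FULL_CACHE},
    {"mac": "ae:51:0c:99:12:7f", "ssids": list(reversed(FULL_CACHE))},
    {"mac": "b2:00:44:de:ad:01", "ssids": prune_cache(FULL_CACHE, keep={"HomeNet"})},
]


def group_by_ssid_set(sightings):
    """Group sightings by cached-SSID fingerprint, i.e. what a passive listener near an access
    point could do: MAC rotation alone does not separate the first two sightings, while the
    pruned third one falls into its own (and far more common) group."""
    groups = {}
    for s in sightings:
        groups.setdefault(ssid_fingerprint(s["ssids"]), []).append(s["mac"])
    return groups


if __name__ == "__main__":
    for fp, macs in group_by_ssid_set(SIGHTINGS).items():
        print(fp, macs)
    print("fresh MAC for next association:", random_mac())
```

Running it shows the first two sightings collapsing into one group despite their different MACs, which is the point of JL's "don't cache" advice: rotating the explicit identifier buys nothing while the implicit one is still broadcast.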

Keynote Address: Senator Patrick Leahy (D-VT)

Awesome twitter premonition... @Jim_Harper: Will Senator Leahy tell his #privacy joke about a reporter coming to his house in Vermont?... #cfpconf

Seven minutes later, he did.  First time I heard the joke but I'm guessing Jim has heard it many times before.

Senator Leahy delivered his remarks, which were consistent with all other public remarks he has delivered.


Keynote Address: Bruce Schneier

Full Keynote available here: http://cfp.acm.org/wordpress/2011/06/keynote-address-bruce-schneier-the-rhetoric-of-cyberwar/

Going to focus on Cybersecurity and the debate around it...Bruce went about discussing the language surrounding the cyber conflict -- for example, cyber Katrina, cyber Armageddon, declaring war on websites, etc.  Using very extreme terminology to convince people of the level of threat.

"Perhaps cyberwar is so easy kids can do it" ~discussing the conviction of the 22 year old in Tallinn.

"We don't know if this was state sponsored or kids playing politics"

In America we hate using the word 'war' when it's a real war, but we love using the word 'war' when it's not.

It's not that we're fighting a cyber war, but we are seeing war-like tactics used in cyber conflicts.

GhostNet -- very large, sophisticated surveillance network. Assumption that China was behind it.

A lot of people who watch China see the hacking not as state sponsored but state ignored.

Stuxnet -- first military grade cyber weapon we've ever gotten our hands on. A lot of investigative reporting says that US and Israel were responsible.

Discussed Anonymous and LulzSec and the things they have pulled off.  For example, Anonymous telling NATO not to challenge them.

Right now on the internet, the attacker has the advantage.

The politics worries me more than the actual events.  We are in the early years of a cyber arms race. Lots of cyber war rhetoric. Lots of money being spent.  It has all the hallmarks and dangers of an arms race.

The idea of war changes the debate and changes the solution space.  Things we'd never agree to in peacetime we agree to when using the word 'war.'

Curtailing anonymity on the net directly dependent on whether we are at war or at peace.

Worries about US military commandeering private assets like major US backbones to mount cyber-attacks

[Great presentation by Bruce.  Good delivery, analysis, and wit.  Going to go ahead and say best one of the conference so far.]


The Privacy Profession -- Corporate Apologists, or Agents of Positive Change?

Moderator: Trevor Hughes: President and CEO, International Association of Privacy Professionals (IAPP)
Panelists:
Mary Ellen Callahan: Chief Privacy Officer, Department of Homeland Security (Deputy CPO John Kropf filling in)
Nuala O'Connor Kelly: Senior Counsel and Information Governance & Chief Privacy Leader, General Electric (Filling in for Trevor)
Jonathan Cantor: Chief Privacy Officer / Director of Open Government, Department of Commerce
Doug Miller - Privacy @ AOL


Panelists introduced their backgrounds and path to privacy. Everyone's story was similar, no one chose privacy.

Quoting a tweet from Ian Glazer, "Most CPOs I meet all have the same back story, quoting Tom Waits, "they all start out w/ bad directions" & up in privacy."

Interesting convo here...nothing really to write about...lots of experience stories for government and corporate CPOs.

Jonathan Cantor working NSTIC issues at Commerce along with many other issues that DoC is taking a position on.  Sounds like a great place and great time to be involved with privacy there.

Privacy is not just a legal or IT issue, it's a larger human rights issue.  People who do privacy are in a great position to lead those conversations.

Hello and welcome to day 2 of CFP 2011. Thanks to the glorious DC Metro system, I arrived 30 minutes late and missed the keynote speech. I will be live blogging to the best of my ability today to provide those unable to attend a small window into the conference.  Be sure to check the CFP media page for pictures, video, and more. The Twitter Hashtag for this conference is #CFPConf

Please note: Live blogging is both for me and you.  These are my notes from the conference.  Nothing should be taken as a direct quote.  These are living posts.  Edits will be made.

Keynote Address: Mona Eltahawy

Missed it...*shakes fist at metro system*

Cybersecurity Beyond the Kill Switch: Government Powers and Cybersecurity Policy

Panel organized by Joshua Gruenspecht: Cybersecurity Fellow, Center for Democracy and Technology.
Moderator: Greg Nojeim: Senior Counsel and Director of Project on Freedom, Security and Technology, Center for Democracy and Technology
Panelists:
Liesyl Franz: Vice President for Cybersecurity and Global Public Policy, TechAmerica (Industry Perspective)
Susan Morgan: Executive Director, Global Network Initiative (US Implications of tech policies)
Micah Sherr: Assistant Professor of Computer Science, Georgetown University (PETs, Surveillance, etc)
Michael Seeds: Legislative Director, Representative Mac Thornberry

GN - introduced the panel topics and put an emphasis on getting *away* from the idea of a kill switch. LF will provide industry perspective. SM will provide a review of the international implications of US tech policies and what foreign governments are doing within the US. MS will discuss PET, surveillance technology, and more.  Lastly, MSeeds will discuss Congressional actions.

LF - TechAmerica is an industry trade association. Briefly touching the kill switch idea, LF stated that, given the design of our infrastructure, she thought the idea of a kill switch was not feasible. [Not necessarily true, if a few peering locations went dark at the same time it would be fairly effective (though not totally) in shutting off the internet]. Wants information exchange to be bolstered for industry to government sharing, to ensure there is no retribution for sharing cyber attack information. Don't restrict companies or the internet in a way that constrains their flexible & dynamic nature. [Agreed. If we kill innovation, we kill the internet and the tech landscape in many ways]

MS -- Claimed Token Nerd status on the panel. Kill Switch: isolating a network is very difficult. With the way our networks are designed, there are too many access points to simply "pull a plug."  Following a checklist does not provide true security [Compliance is not security!  Amen.] Discussed how most attacks are hidden and obfuscated through the use of botnets and multiple attack locations.  Also discussed that packet filtering and analysis is problematic because the packets may contain PII. [Yes, this is true.  However, with automated tools and filters a lot of the PII can simply be ignored.  You can also use signature- and heuristics-based analysis]. How can we share information safely between industry and government?  Use signatures, heuristics, and malware patterns [! hah].  Computer science as a discipline isn't advanced enough to collect data the way the govt wants it to. Micah would like to triple the investment in academic research on cybersecurity and computer science [Amen].

SM -- Businesses need to understand their role in the protection of human rights.  Professor John Ruggie developed the Protect, Respect and Remedy framework (PDF).  The Framework has been incorporated into the OECD guidelines. Looking at the role of business, industry, state in human rights.  Freedom of expression online and the roles of business in that.

MSeeds -- Where the House is in developing Cybersecurity legislation....Thornberry is looking at multiple buckets.  Including new legislation, updating current legislation, and looking at tools we have to protect our current critical infrastructure. ...More legislation updates that weren't new...Mentioned the Defense Industrial Base (DIB) project where the DoD/NSA is sharing classified signatures with ISPs and major telecoms. 

GN -- for the DIB project, what is the flowback to the government after they share those classified signatures?  For example, the DoD/NSA could easily say "watch out for this signature" but what the signature could be doing is watching out for one person. I would be very concerned about the flow back to the government.  Susan -- a foreign govt says to a provider of a secure communication system that we want you to design a system in this way because that would allow us to more easily wiretap within the confines of our laws. Is there any principle that a company could rely on to resist that?

SM -- In terms of principles that GNI has created within the last few years....something a company could do is look at these principles and say "we signed up for these principles, we can't fulfill your request." [But facing the loss of a huge government contract would a company really hold on to those principles or acquiesce to the request?]

GN -- question about sharing data in private manner

MS -- From a security standpoint, what you're looking at and interested in may be one packet out of a trillion.  What we need to research is how to publish data about attacks while filtering out PII that may not be relevant or substantive to an investigation.  Dorothy Denning did research on this in the 80s at Georgetown.  There have been notable failures when sharing data...for example AOL's release of supposedly anonymized data.  [See I Love Alaska for a video based on the AOL search logs.]
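MS's point here, and his earlier one that packet analysis is hard to share because packets carry PII, both come down to the same engineering problem: strip the personal data from an alert before it leaves the organisation while keeping the parts (signature, external source, port) an analyst on the other side needs. The script below is an added illustration of one way to do that; it is not code from the panel, the CDT, or any real IDS. The alert line format, the sample alerts, and the HMAC key are all constructed for the example, and the pseudonymisation approach (keyed hash of internal addresses) is my own choice, not something the panel proposed.

```python
import hashlib
import hmac
import ipaddress
import re

# Address ranges whose hosts are "ours"; anything else is treated as an external indicator
# worth sharing as-is. Constructed for the example (RFC 1918 space).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SECRET_KV_RE = re.compile(r"\b(pw|password|passwd|token)=\S+", re.IGNORECASE)

# Constructed alert syntax (not any real IDS's format):
#   <timestamp> SIG:<id> src=<ip> dst=<ip> dport=<port> payload="<text>"
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) SIG:(?P<sig>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'dport=(?P<dport>\d+) payload="(?P<payload>.*)"$'
)


def is_internal(ip: str) -> bool:
    """True for addresses inside INTERNAL_NETS; malformed strings count as not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed hash of an internal address: the same host maps to the same token across
    reports, so the recipient can still correlate, but cannot recover the address
    without the key, which never leaves the organisation."""
    return "host-" + hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:12]


def scrub_payload(payload: str, key: bytes) -> str:
    """Remove the PII classes that have no bearing on the attack signature: e-mail
    addresses, credential-looking key=value pairs, and internal addresses."""
    payload = EMAIL_RE.sub("[email]", payload)
    payload = SECRET_KV_RE.sub(lambda m: m.group(1) + "=[redacted]", payload)
    payload = IPV4_RE.sub(
        lambda m: pseudonymize_ip(m.group(0), key) if is_internal(m.group(0)) else m.group(0),
        payload,
    )
    return payload


def sanitize_alert(line: str, key: bytes):
    """Return a shareable record, or None for lines that do not parse. Anything the
    parser does not understand is dropped rather than forwarded unscrubbed."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for field in ("src", "dst"):
        if is_internal(rec[field]):
            rec[field] = pseudonymize_ip(rec[field], key)
    rec["dport"] = int(rec["dport"])
    rec["payload"] = scrub_payload(rec["payload"], key)
    return rec


def sanitize_all(lines, key: bytes):
    """Sanitize a batch of alert lines, silently discarding unparseable ones."""
    return [r for r in (sanitize_alert(line, key) for line in lines) if r is not None]


# Constructed sample alerts: an external source hitting two internal hosts, plus junk.
SAMPLE_ALERTS = [
    '2011-06-15T10:02:11Z SIG:2001219 src=203.0.113.45 dst=10.0.5.17 dport=443 '
    'payload="POST /login user=jane.doe@example.com pw=hunter2 ref=10.0.5.17"',
    '2011-06-15T10:02:12Z SIG:2001219 src=203.0.113.45 dst=10.0.5.18 dport=443 '
    'payload="POST /login user=bob@example.org password=letmein"',
    "garbage line that should be dropped",
]

if __name__ == "__main__":
    for rec in sanitize_all(SAMPLE_ALERTS, b"constructed-demo-key"):
        print(rec)
```

The external source address and the signature id survive untouched, which is what the receiving side needs to write a detection; the two internal victims become stable tokens, so the recipient can still see that one attacker hit two hosts without learning which hosts. The AOL release MS cites failed precisely because its "anonymized" identifiers still let the records be joined back to people, which is why the key here stays with the data owner.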

Question from the audience about Deep packet Inspection (DPI)

MS -- As an internet user and a security researcher, I am not a big fan of DPI. We need to build something that doesn't have such a huge false positive rate...

GN -- Follow up: if I am a Verizon or AT&T providing huge bandwidths, aren't I doing DPI to find those signatures?

MS -- Depends on the size of the pipe and processing power.

Question from audience about the next generation of internet. The current architecture is very client-server centric...now with the client side having as much power as it does would it be possible to create networks where the information resides on the client devices?

MS -- There need to be Confidentiality, Integrity, and Availability controls in place to protect data put in the cloud.  And they are in place.  We could do the same on the client side but these cloud services work...[and the controls are centralized and implemented uniformly vs. potential disparate implementations on client side]

Question from audience about international reciprocity of filtering and the efficacy of filtering.

MS -- Filtering systems are not effective for individuals who really want to get around them. Law Enforcement is not great at this either.  Cited an example of DHS accidentally shutting down 84k websites by taking down FreeDNS as part of a larger child porn takedown.

LF - GNI assessments of member companies planned for Q1 2012, results will show effectiveness.


Question from audience about data breach notification law...we have laws that protect consumers from identity theft, etc.  Is there any consideration being given to laws that would extend reporting time to advanced threat investigations?  Even if PII is only one or two percent of the compromised information.

MSeeds -- There is consideration into that. There is a markup session on Mary Bono Mack's breach bill.

GN -- There are specific sections in the Leahy bill and the Whitehouse proposal that speak to Law enforcement and intelligence activities.



--------------------------------------

More panel notes below

--------------------------------------
Good morning from CFP 2011. I will be live blogging to the best of my ability today to provide those unable to attend a small window into the conference.  Be sure to check the CFP media page for pictures, video, and more. The Twitter Hashtag for this conference is #CFPConf

Please note: Live blogging is both for me and you.  These are my notes from the conference.  Nothing should be taken as a direct quote.  These are living posts.  Edits will be made.

Keynote Address
Cameron Kerry: General Counsel, Department of Commerce and privacy leader within the Obama administration:

Cameron Kerry discussed the information economy being built. How data has been used for both good -- economic opportunity and social and political change -- but acknowledged the risks associated with this increased data flow.  Touched on the administration's Comprehensive International Strategy for Cyberspace (PDF) to build out a cyberspace and internet environment that expands trust and the economy while denying criminals and terrorists the ability to exploit that info.

Discussed legislative draft that had uniform breach reporting requirements to consolidate 46 state laws. The Administration's proposal would impose a new federal obligation on any business entity--with exemptions for certain health-care entities--in possession of personally identifiable information on more than 10,000 individuals to provide prompt notice to affected individuals about security breaches of certain personal data. See: democrats.senate.gov/pdfs/WH-cyber-breach-notice.pdf

Kerry touched on NSTIC, encouraging and facilitating a more secure internet.  Green papers on commercial data privacy, free flow of info for businesses, and more.  Commerce green paper series seek comment from individuals and industry to ensure they are capturing needs and way forward that is good for business. 

Commerce released a Cyber Security green paper last week with the goal of responding to threats while remaining dynamic and innovative: http://www.commerce.gov/news/press-releases/2011/06/08/commerce-department-proposes-new-policy-framework-strengthen-cybersec

Discussed recent breaches and the need to protect industries.  Highlighted Sony data breach and recent breaches targeting economic data flows (IMF, world bank, etc).  Mentioned attacks at Westboro Baptist Church, PBS, etc. He discussed the sophisticated attacks on RSA and subsequent downstream attacks at Lockheed Martin.

Discussed Department of Commerce's creation of a privacy officer position in response to data breaches internal and external to the agency.

In March, the DoC announced support of a Consumer Bill of Rights.  Based on Fair Information Practice Principles.  Commerce's policy will flesh out what those principles will be.  They will not be a departure from the HEW principles or OECD but, rather, seeking to adapt them to the interactive and interconnected world of today.

What will it mean to do business under this dynamic privacy framework?  Privacy policies and notice of choice will still be fundamental building blocks.  Everyone recognizes that notice and choice by itself is not enough.  Everyone here is deeply concerned about data privacy --Kerry polled the crowd to ask who read privacy policies for personal use (not for work).  The crowd barely made a sound. 

Businesses must enter into a new partnership not defined by static privacy policies...but into a dynamic privacy framework that characterizes the regulatory approach and how the businesses deal with their customers and customer data.

Businesses need to enter into a conversation with their customers that will enable their customers to make appropriate trade offs on the use of their privacy through active choices and not through a one time click.  One example is the Just in Time approach.  These need to be contextualized so that they don't lose their functionality.

Mentioned Do Not Track and Privacy by Design.

We are entering a "Darker Scenario" -- breaches and risks are undermining the free flow of information.  As we move to a cloud computing world, the research shows that the barrier to entry is confidence in security and privacy.  It harkens back to the days of e-commerce.  But today if the CC companies themselves can't keep info secure, if the gatekeepers to the system can't keep it secure (Heartland Payment Systems).  The response can't wait for legislation or regulation, it must begin yesterday.  What course the internet takes is in the hands of all stakeholders.  We can't afford to let this moment pass...the future is now.

Panel notes and more after the jump...