The Noel Humphreys IP Buzz : Dedicated to commentary on copyrights, trademarks, trade secrets and patents and legal issues centered on software, knowledge management, outsourcing, virtual organizations, ASP's and contracts. This is NOT legal advice.
Updated: 6/7/03; 7:47:37 PM.

 

Internet-related Case


 
 

Sunday, May 11, 2003

Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes

ORIN S. KERR George Washington University - Law School http://papers.ssrn.com/sol3/papers.cfm?abstract_id=399740
10:08:23 PM


Check these out

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, 2. Edupage, 3. SANS Newsbites, 4. NewsScan and Innovation, 5. Internet Law & Policy Forum, 6. BNA Internet Law News, 7. The Ifra Trend Report.
10:00:27 PM


Legal standards and technical standards handle different risks. When addressing the risks of disclosure of confidential information, lawyers need to be involved in evaluating the tradeoffs of costs and benefits. The code-writers are not well equipped to analyze the legal risks of any particular set of technological and coding tradeoffs.

DATA SECURITY MEASURES FAILING TO MATCH LEGAL EXPECTATIONS (Computerworld, 28 April 2003) -- Emerging legal expectations for data security and privacy are making it increasingly important for companies to demonstrate reasonable care in protecting their IT assets, say security and legal experts.

Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, as well as several proposed state and federal identity-theft prevention laws, impose significant security and administrative requirements on companies. The problem is that there are no regulation-specific technology standards or guidelines that companies can adopt to demonstrate compliance with these requirements. The regulations have considerably increased the legal exposure of companies in the event of security breaches, said Erin Kenneally, a forensic analyst and attorney at the San Diego Supercomputer Center in La Jolla, Calif. "From a legal-risk standpoint, it is a very unstable field," Kenneally said.

Because most of the laws are technology-agnostic, there is a "considerable level of interpretation" regarding how they should be implemented technologywise, said Lew Wagner, chief information security officer at the M.D. Anderson Cancer Center at the University of Texas in Houston. "At one level, they all boil down to access-control systems, audit-control systems, some sort of encryption capability for confidentiality and other administrative stuff, such as policy and training."

But because the legal view of due-care standards may differ from a technologist's view, in many cases, the courts will have to decide what acceptable standards are, said Jon Stanley, an attorney on the American Bar Association information security committee. "Something will become a standard because a court says it is a standard. And ultimately, litigation specialists will go into IT rooms and say, 'Here is what you are going to have to do' " to comply, Stanley said.
9:52:38 PM


Thanks to Vincent Polley:

MAKING IT HARDER FOR PRYING EYES (Wired, 5 May 2003) -- A bill in the California state legislature would protect the anonymity of Internet users by requiring Internet service providers to send customers copies of subpoenas seeking to learn their identities. If passed, California's Internet Communications Protection Act would become the second state law requiring that consumers be alerted when an ISP is issued a subpoena to find out an anonymous Internet user's true identity. Virginia passed a similar statute last year. The debate over anonymous online speech has heated to a boil in recent years, with companies and individuals increasingly seeking to have ISPs and Web publishers subpoenaed to learn the names of online critics and people suspected of copyright violations. Yahoo alone expects to receive 600 civil subpoenas this year -- a 50 percent jump from 2002. Such requests seek a variety of personal information about Internet users, including full names, Social Security numbers, home addresses and pseudonyms they've used online. The California legislation would require ISPs to send copies of civil subpoenas to their customers by registered mail within 14 days of receiving them. If the customer decides to fight the request, he or she would have 30 days to serve both the ISP and the issuing party with written copies of the objection. ISPs that fail to comply with the act could be sued by their customers. "This bill would mean more privacy for regular Internet users," said Cindy Cohn, legal director of the Electronic Frontier Foundation, a digital rights advocacy group.
9:42:54 PM


Does the DMCA mean a software vendor cannot make and sell software to allow a person to make backup copies of his own DVDs? That's an important question.

http://www.wired.com/news/technology/0,1282,58583,00.html
9:38:36 PM


Thanks to Vincent I. Polley for reminding us to be careful about what we say in our postings. A blogger can be liable anywhere.

STAKES HIGHER FOR CANADIAN WEB LIBEL (Globe and Mail, 22 April 2003) -- Anybody who posts defamatory information on the Internet is a broadcaster and can be sued as if they were a regular newspaper or broadcast outlet, an Ontario judge has ruled. The decision exposes defendants to far higher damages than had been the case, since a defamatory statement on the Internet can potentially be read by so many people around the world. Madam Justice Helen Pierce of the Ontario Superior Court ruled that while the Internet uses the same "infrastructure" as radio and television, it can reach a wider audience than either. "The court must recognize and give effect to the purpose of the act - including the mischief it seeks to ameliorate," she said. "In this act, that harm is the widespread damage to reputation when a mass audience receives defamatory material." Judge Pierce's ruling brings into play strict limits on the length of time broadcast plaintiffs have to initiate a libel action. In future, notice of such a suit must be served within six weeks of the plaintiff becoming aware of the posting, and then the plaintiff has three months in which to file a statement of claim. See Bahlieda v. Santa --
9:29:19 PM


Thanks to Vincent I. Polley:

USE A HONEYPOT, GO TO PRISON? (SecurityFocus, 16 April 2003) -- Using a honeypot to detect and surveil computer intruders might put you on the working end of a federal wiretapping beef, or even get you sued by the next hacker that sticks his nose in the trap, a Justice Department attorney warned Wednesday. "There are some legal issues here, and they are not necessarily trivial, and they're not necessarily easy," said Richard Salgado, senior counsel for the Department of Justice's computer crime unit, speaking at the RSA Conference here Wednesday. An increasingly popular technique for detecting would-be intruders, a honeypot is a type of hacker flypaper: a system that sits on an organization's network for no other purpose than to be hacked, in theory diverting attackers away from genuinely valuable targets and putting them in a closely monitored environment where every keystroke can be analyzed. But that monitoring is what federal criminal law calls "interception of communications," said Salgado, a felony that carries up to five years in prison. Fortunately for honeypot operators, there are exemptions to the Federal Wiretap Act that could be applied to some honeypot configurations, but they still leave many hacker traps in a legal danger zone. One exemption permits interception of a communication if one of the parties consents to the monitoring. To that end, Salgado suggested that honeypots display a banner message warning that use of the computer is monitored. "You can banner your honeypot... and you've got the argument that they saw the banner, continued using the system, and consented to monitoring," he said. But most hackers don't penetrate a system through the front door -- telneting in or surfing to a web page -- and if they never see the banner, they haven't consented to monitoring. "It's not the silver bullet."
9:22:21 PM


It wasn't public key infrastructure or encryption or asymmetric algorithms or all that stuff that the Clipper chip was about. The bad guys were doing something more sophisticated already. Just don't export any pictures with hidden messages.

Western intelligence officials say they have learned that instructors at Osama bin Laden's camps in remote Afghanistan train his followers in the high-tech secret-messaging technique.

And French investigators believe that suspects arrested in an alleged plot to blow up the U.S. Embassy in Paris were to get the go-ahead for the attack via a message hidden in a picture posted on the Internet, former French defense official Alexis Debat told ABCNEWS.

One of the men in custody, described by French officials as a computer nerd well-versed in the messaging technique, was captured with a notebook full of secret codes. "This code book is major breakthrough in the investigation," said Debat.

Covered Writing

To transmit a hidden message, the sender uses specialized software to hide a text message, or a graphical file such as a building plan, inside another file, such as an image file or an MP3 music file.

http://more.abcnews.go.com/sections/primetime/dailynews/primetime_011004_steganography.html

http://www.nypost.com/news/worldnews/57502.htm
9:18:24 PM


It's interesting how much this DARPA statement on data mining emphasizes the need for privacy. I hope all government officials take individual liberty and privacy interests as this statement does.

http://www.interesting-people.org/archives/interesting-people/200305/msg00096.html

http://www.eweek.com/print_article/0,3668,a=41355,00.asp
8:23:12 PM


All this controversy over preventing spam simply points up one aspect of our current political atmosphere where we, collectively as a nation, are intent on prevention as the right idea for security. At one time we focussed more on providing remedies when there is harm. We used to think of that as freedom. Now, we don't emphasize the freedom of people to speak---as in sending spam---we emphasize the freedom of people to keep from being spoken to---as in forestalling spam. It's a part of the same mindset that puts soldiers in fatigues at airports and train stations. On a bigger scale, it is the idea of preemption in foreign policy. My advice is, be careful what you wish for, you may get it.

From Declan McCullagh

[Brad makes some very good points. Previous Politech message: http://www.politechbot.com/p-04741.html --Declan]

---

Date: Sat, 10 May 2003 23:05:39 -0700
From: Brad Templeton
To: Declan McCullagh
Cc: politech@politechbot.com
Subject: Re: FC: Rich Kulawiec's Draconian idea to rid the Net of spam, forever
In-Reply-To: <5.2.1.1.0.20030510194520.02730000@mail.well.com>
Organization: http://www.templetons.com/brad
10:13:11 AM


Thanks to RRE for bringing this to my attention:

Sapphire/Slammer Worm Impact on Internet Performance http://www.ripe.net/ttm/worm/
10:02:46 AM


The Red Rock Eater News Service is fun and interesting. I'm glad he's started putting it out again.

RRE home page: http://dlis.gseis.ucla.edu/people/pagre/rre.html
10:00:40 AM


© Copyright 2003 Noel D. Humphreys.


