Government Threats to Privacy

Government threats to individuals can be rather obscure. Approaches to privacy vary from country to country, but two basic models are followed. The first is a regulatory model adopted by the government to provide guidance, laws, and enforcement for privacy and security. The second model is one of self-regulation and sectoral laws. Sectoral laws are specific to certain industries, technologies, and states. Laws get developed as a last resort and follow technology development. In countries such as Hong Kong, Canada, Australia, and New Zealand and in Central and Eastern Europe, governments have taken a very active role in privacy rights. A public position also has been developed in several of these countries to enforce a comprehensive data protection law. This position monitors compliance with the law and conducts investigations.

Other countries, such as the United States, have avoided general nationwide laws until very recently in favor of specific sectoral laws and have relied on industry self-regulation. Enforcement is much more difficult in countries following this type of regulation. More mechanisms are needed to enforce privacy rights because taking advantage of the consumer is easier. The U.S. Privacy Act of 1974 regulates federal government agency record keeping and disclosure practices and gives individuals access to public records. It also requires that personal information in agency files be accurate, complete, relevant, and timely. Since 1974, the act has been amended several times, and new laws have been passed involving privacy. New legislation will be continuously needed with each new technology, so protections frequently lag behind, exposing the consumer to privacy invasion.

A major shift in the EU has forced other countries to upgrade their privacy policies. The 1995 Data Protection Directive is a benchmark for national laws for processing personal information in electronic and manual files. The 1997 Telecommunications Directive includes specific protections covering telephone, digital television, mobile networks, and other telecommunications systems. These Directives detail the rights of the consumer, such as the right to know where the data originated, the right to have inaccurate data rectified, the right of recourse in the event of unlawful processing, and the right to withhold permission to use data in some circumstances. The Data Protection Directive contains strengthened protections over the use of sensitive personal data. In industries such as finance and insurance, security of personal data is paramount, and the laws generally require “explicit and unambiguous” consent for use of the data.

One of the major differences in the European model is the enforcement capability of the laws. The EU stance is that the consumer should have the ability to go to a person or an authority who can act on her behalf and advocate her rights. Every EU country has a privacy commissioner or agency that enforces the rules, which is far ahead of steps the U.S. has taken to enforce the rights of consumers. Countries with which Europe does business must have a similar level of oversight in the future, and as mentioned in Chapter 3, “Privacy Organizations and Initiatives,” the Safe Harbor program is a step in this direction.

Even though this does sound great and we say that the EU has better enforcement procedures in place, practical implementation is still not ideal. EU businesses currently can do business with U.S. businesses that are not part of the Safe Harbor program. How these rules get enforced, by both EU and U.S. businesses and governments, is not well-defined. The rules on the books for the EU are stronger than U.S. rules and punishments, but all countries currently lack practical capabilities for enforcement.

Gramm-Leach-Bliley

Although the EU has taken steps to provide more security of data to the consumer, other countries such as the U.S. have not been as progressive. The U.S. has been passing more laws recently, but a number of the laws have actually decreased the security of data and protection. One of the most far-reaching laws that has been passed is the Gramm-Leach-Bliley Act (GLB). Even though this law provides for more security of consumer data in the financial industry, it also opens up new paths to the dissemination of consumer data. GLB enables financial institutions to share information with “affiliated” companies, and they can share information with “nonaffiliated” companies following notice of a company's information sharing practices to the affected customers. However, consumers must be given an opt-out opportunity before the information can be shared with a nonaffiliated company.

GLB addresses six key areas of security, each of which can also weaken consumer data protection mechanisms. These areas are discussed in the following sections.

Assessing IT Environments and Understanding Security Risks

Of the industry sectors, the financial industry has generally been the most secure. When it comes to access to money, companies take very active measures regarding security. GLB mandates a higher level of security awareness and understanding. Organizations have to define both internal and external threats to security. Although the law recognizes the threats from both an internal and external perspective, the government is relying on industry self-regulation and sectoral laws to provide actual guidance and detailed steps to enforce the law. Organizations have general guidelines, but the interpretation of those guidelines has varied and can be misinterpreted. For the consumer, this means that while the government says that financial institutions must protect consumer data, the actual steps are left open. In the case of hackers gaining access to personal data such as credit card or bank account information, the devil is in the details.

Establishing Information Security Policies

GLB requires financial institutions to install risk controls for “foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems.” From an auditing perspective, such controls include authentication, access control, and encryption systems. The law doesn't specify what protections should be employed, leaving it up to individual organizations to determine how to best mitigate their risks, hire outside companies to perform audits, and implement the security fixes necessary to protect data. Intrusion-detection systems are encouraged, but no specific details are given on how these systems should operate or how they should be implemented. Even though it is not the function of laws to provide technical details, it is the function of the law to provide enforcement and guidelines on how these requirements should be met.

Regular Independent Assessments

The ever-changing IT environment requires constant updates for security weaknesses and updates of the knowledge base of the individuals doing the actual testing of security and privacy weaknesses. For this reason, GLB requires regular independent third-party assessment testing of financial institutions' IT environments for security weaknesses that can allow an intruder to gain access to consumer information. The frequency of assessment testing, the credentials of the organization doing the testing, and the skill set required are all left to the discretion of the individual company. Regulation boards provide some insight into the assurance and sufficient analysis provided by third parties, but the law does not provide any real guidance on this issue. The consumer can't gain any comfort that the third party doing the testing actually conducts a thorough analysis of the environment and finds all potential avenues of information compromise. Again, the consumer must rely on industry self-regulation and sectoral laws for the enforcement and competence of the testing measures. A whitepaper published by Datamonitor in November 2000, titled “eSecurity—removing the roadblock to eBusiness,” showed that more than 50% of businesses worldwide spend just 5% or less of their IT budgets on securing their networks.

As an example of where the IT budgets are being spent, we can look at the virus prevention industry. All the laws being passed focus mainly on hacker attacks and laws regarding computer use, but virus prevention is a good place to see where laws are lacking in the protection of computer systems. Laws such as GLB and HIPAA and the EU regulations for Safe Harbor status provide a lot of direction, but practical steps such as virus prevention are not built into laws, or can't be built into laws, because that would be too specific.

ICSA.Net released the “2000 Computer Virus Prevalence Survey” on virus attacks, which details the following statistics:

  • The number of corporations infected by viruses has risen by 20% this year alone.

  • 99.67% of companies surveyed experienced at least one virus encounter during the survey period.

  • 51% claimed they had at least one “virus disaster” during the 12-month period before they were surveyed.

  • The monthly rate of infection per 1,000 PCs has nearly doubled every year since 1996.

  • 80% said the “LoveLetter” virus was their most recent virus disaster.

  • The reported damage estimate from the “LoveLetter” virus is as much as $10 billion.

  • The reported damage estimate from the “Melissa” virus was $385 million.

  • Including hard and soft dollar figures, the true cost of virus disasters is between $100,000 and $1 million per company.

GLB does not specify the percentage of the IT budget or security budget required to secure environments or where money should be allocated, such as for virus protection. Hard numbers are difficult to apply to the need for security and the actual dollars spent on security. While the government would find determining and enforcing dollar figures for security very difficult, not providing any guidance on what statistics companies should strive to meet for security needs can be just as detrimental to the consumer.

User Training and Security Awareness Programs

For any company to keep up with the day-to-day changes in security of technology, constant knowledge transfer is required. IT employees must be made aware almost on a daily basis of advancements in technology as well as hacking techniques to provide a strong defense. GLB recognizes the need for training and security awareness and requires financial institutions to develop security awareness and education programs that ensure their employees are properly trained in security procedures and policies, but the extent of how detailed the programs must be or whether certification is required for employees is not covered. Each organization can define its own programs and determine how in-depth the knowledge of security issues needs to be. Enforcement of this part of GLB will be difficult because training can be a very subjective issue that can be addressed through various mechanisms, all of which have the potential of not helping one iota in securing consumer information.

If GLB specified some certification process that training would accomplish, business would have a benchmark to reach to be in compliance with this part of GLB. Leaving it up to each individual company to set its own training requirements is a sure way for poor training in security to be conducted—to the detriment of the consumer. Training costs money, and cutting the training budget is guaranteed to happen.

Scrutinizing Business Relationships

The financial sector (companies that handle money and securities) is the only one covered by GLB. Although other laws are being passed, such as HIPAA, that address other sectors, the key strengths of GLB will not be applied to them. Within the scope of GLB are many partner companies that work with financial institutions that are not covered by GLB but still have full access to consumer financial information. Using the same self-regulation that is central to other U.S. privacy laws, GLB puts the onus on the financial institutions to scrutinize their business partners to ensure they have adequate security and implementations of security measures. Each company must inspect its partners' security programs and determine the credibility and accuracy of their security measures and whether it should do business with them. The consumer has to have faith in his financial institution to say no to a business partner who does not have very strict security policies. How often do we think this will happen?

An example is your credit card company teaming up with a telephone provider. The bank will tell you that if you sign up with its partner telephone company, it will give you reward points, free long-distance minutes, or some bonus for signing up. For the bank to send you this information, it might have already shared your information with its partner, and your information has been spread beyond the bank's control.

The restriction of GLB would apply only to the bank in this example. After your information is shared with its partner telephone company, it is not secured by GLB. The bank is responsible for determining whether its partner has adequate security in place. Many businesses don't have enough security to begin with. How will they determine if others are secure?

As with the benchmarks for training, the same problem exists with partners. No benchmarks, certifications, or criteria exist for business partners to meet security requirements. Each company can apply strong or weak security measures to its partners as it sees fit.

Reviewing and Updating Procedures

As mentioned already, security is a daily practice. A company is secure only at any given instance. New attacks are developed each day that can compromise consumer data, whether it's stored on a company's servers or on the home user's desktop. In the case in which financial institutions hold your information, GLB requires companies to have a program for reviewing, amending, and upgrading their security programs. How companies do this—whether on a daily, weekly, monthly, or quarterly basis—is not fully defined. Policies do not have to be updated daily, but the practices and steps that keep the technology secure are a daily effort. In the example of viruses floating around on the Internet, a daily practice is required to ensure that a company's servers and data are not attacked and infected. As we saw in August 2001, the Code Red Worm infected thousands of servers and had the capability of modifying systems and destroying data if a server was vulnerable. Instead of just modifying Web pages and infecting systems, the Code Red virus could just as easily have copied data or destroyed data, affecting the average consumer who has information on the infected system. According to Internet Security Systems, 71,402 virus attacks were reported in the fourth quarter of 2000 alone. IDC Asia/Pacific reported an estimated 25% of major companies in the Pacific Rim do not employ the use of virus protection on their systems. Without specific guidelines and enforcement provided by some governmental body, companies will be lax in their update procedures and always be behind the latest security breach, exposing consumer data to attack.

Most U.S. laws passed recently have been left intentionally ambiguous in how financial institutions, as well as other industry sectors, should protect consumer information. Although this does provide flexibility in how the law is interpreted, the flexibility can mean loss of security for consumers if companies feel that too much money must be spent on security issues. Without oversight bodies to enforce the ambiguous laws, consumer information will always be last on the priority list companies have for making money and staying in business. The compliance date has already passed for GLB to be enacted by companies, yet many are still not in compliance.

Enforcing compliance over the hundreds or thousands of U.S. companies affected by GLB is next to impossible for the government. Penalties for noncompliance with GLB by insurers and health plans will be established under the state implementing laws and regulations, thus dispersing the responsibility and weakening the security model of the law. This results in differing punishments between states. The government has yet to prosecute a company for violation of GLB. Noncompliance so far doesn't really mean much, because prosecution or punishments have not yet been enforced.

Several government agencies are responsible for monitoring GLB, including the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve System (FRS), the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

Health Insurance Portability and Accountability Act of 1996

The U.S. Department of Health and Human Services (HHS) published regulations establishing privacy standards that must be met to be in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Part of the challenge is the use of electronic communication of patient information (individually identifiable information transmitted or stored in any form, such as paper, oral, or electronic that concerns the individual's past, present, or future physical or mental health). Because all electronic communications are subject to attack, the HHS developed standards to protect patients' personal information. Several of the requirements of the law include

  • Insurers and hospitals must obtain written consent to use or disclose information for treatment, payment, or health care operations.

  • The use and disclosure of protected health information is permitted by any organization restricted by HIPAA without the individual's consent, authorization, or agreement for specified public policy purposes (for example, public health activities, law enforcement purposes, research, and serious threats to health or safety).

  • Organizations restricted by HIPAA must “reasonably ensure” that all uses and disclosures of information are limited to the minimum amount of information required.

  • Organizations restricted by HIPAA can disclose protected health information to “business associates,” if the associate has security measures in place.

  • Patients must have adequate notice of privacy practices by organizations restricted by HIPAA.

  • Patients have the right to access protected health information stored by organizations restricted by HIPAA.

  • Organizations restricted by HIPAA must implement administrative requirements (including designating a privacy official; training workforce members; and establishing administrative, technical, and physical safeguards for information).

Compliance with the privacy standards set forth in HIPAA is the responsibility of the HHS's Office of Civil Rights. It relies on a voluntary basis first, and then if that fails, it establishes civil and criminal penalties. As we see from just a brief look at the HIPAA implementation, it looks somewhat similar to the GLB rules on consumer information. Plenty of sharing of patient information occurs; the use of new technologies opens a vast area of attack simply because security has not been a mainstay of the health care environment in the past; patients do not have the right to restrict their information in certain scenarios; and specific guidelines have not been defined for terms such as “reasonably ensure.” HIPAA is stricter in detailing administrative requirements and in requiring that security technologies be used to secure data.

For health plans and insurers, HIPAA and GLB address similar regulatory issues and can affect companies in the same way with regard to updating systems, implementing security, and sharing consumer data across companies and affiliates. HIPAA is not as weak and easy to abuse as GLB is. Because some companies will fall under both statutes, regulations must be coordinated so that there are not dual hurdles that a company must go through. In the FTC's final rule on GLB, it is noted that “it appears likely there will be overlap between HIPAA and the financial privacy rules.” The Department of Health and Human Services will be consulted by regulatory agencies to ensure no duplication of effort exists. HHS noted that “GLB has caused concern and confusion among health plans that are subject to our privacy regulation.” Federal HIPAA regulations preempt all “contrary” state laws unless a state law is more stringent; this is one of the main problems faced by consumers in countries such as the U.S. The varying laws across states can cause confusion and allow the opportunity for government to take advantage of consumer privacy. Having multiple government agencies involved in anything is a sure way to cause confusion.

The Patriot Act of 2001

In the wake of the terrorist attacks in the U.S. on September 11, 2001, several U.S. laws have been considered to provide more power to law enforcement to track terrorists and other types of criminals. One law that was signed was the Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act of 2001. This law gives federal investigators broader authority to track phone and Internet activities. While aimed at terrorist activities, the language covers other types of activity as well.

Civil liberties activists protested the law, which would allow wiretap orders under foreign intelligence rules. The law also allows law enforcers to obtain Internet records under so-called “trap-and-trace” orders. The attacks on the U.S. helped push this law past the privacy concerns of many groups, but a provision in the law states that Congress will review it in two years. Part of the law expands the capabilities of the FBI's DCS1000 program. ISPs must make their systems more available to the DCS1000 program, although the law does provide for a judge to review the FBI's Internet wiretaps.

The Tax Man Giveth Away

When consumers fill out tax returns, very personal data is submitted to the government; in exchange for giving up this personal information, consumers usually have some right to the protection of their information. They expect that this information will be used for the purpose for which it was given and do not expect to be annoyed, pressured, harassed, or harmed by its use.

A benefit (or detriment) of technology advancement is the easy methods now available for paying taxes and checking tax information. Many consumers now pay taxes online, exposing themselves to entirely new hacking techniques. From the client side of the tax transaction, a hacker can gain access to your home computer and pull up your Quicken information and capture your data. From the server side of the tax transaction, government servers can be hacked, and information can be stolen directly from the server. You have the ability to secure your own information on your home computer, but you have no ability to affect the government server's security. Unlike the weak guidelines provided by GLB for companies, strict guidelines for government resources are followed for security. However, this doesn't mean they can't be hacked; it's just harder for an attacker to gain information. Although securing technology is defined by government standards, access through legal means to tax information without the consent of the consumer is a very real possibility.

One such example of legal information dissemination was featured in an MSNBC news story. Via a Web site, as shown in Figure 4.1, anyone can enter a name and state where the person filed taxes and see whether the IRS owes that person money. Do you really want the general public knowing you are owed money?

Figure 4.1. The IRS owes you money.


The FBI and You

The FBI, one of the U.S.'s protective agencies, has gotten into the privacy game. The government's evolving infrastructure protection program has placed the National Infrastructure Protection Center (NIPC) at the FBI. The FBI's new developing role of protection might conflict with the traditional criminal investigative and foreign counterintelligence responsibilities. In the past, when hackers attacked and compromised a company, the FBI was rarely notified. But more recently publicized cases have made it more acceptable and even necessary for a large company to call on the help of the FBI. With many attacks coming from abroad, companies have no other legal recourse but to notify the FBI. In the case where two Russian hackers broke into U.S. banks, the FBI was needed to lure the hackers to the U.S. and arrest them. The companies were unable to do anything without assistance from the FBI. But the FBI must still rely on voluntary cooperation from business to become involved in an attack.

But as with any government action or organization, the potential for it to overstep its boundaries is very real. In the case of the use of the FBI's information gathering tool, DCS1000 (Carnivore), consumer information can be easily captured by the FBI even if the consumer is not under surveillance. What happens to this information after it is captured is anybody's guess at this point in time. A bill has recently passed the House of Representatives in the U.S. to require the FBI and the attorney general to provide detailed reports on the use of DCS1000. Among requirements of the bill are how many times DCS1000 has been used, how the approval process to use it works, and any unauthorized information that has been gathered by the system. Justice Department officials have avoided complete details of the use of DCS1000, but what is known is that consumer e-mails and other information can be easily captured at the ISP level of communications on the Internet, subjecting thousands of consumers to privacy invasion during usage. This bill has not yet passed through the Senate, and consumers may be out of luck if it fails to pass into law.

When individuals and businesses ask for help from the FBI, there is no guarantee of how in-depth the FBI will take an investigation and what data will be captured and stored by the FBI. The data collected in cases is not guaranteed in any manner to be private and secure after it is obtained. How invasive the FBI will become when investigating a case might not be warranted or agreed on by the company needing help, but after the FBI is involved, control of the case usually falls to them and no recourse is available to the company or individual as to how their data is treated. There are no clear guidelines in the new role the FBI has taken on with regard to investigating a privacy compromise. Vague descriptions and assertions about technologies such as DCS1000 do not provide any assurance to consumers or businesses about how information will be collected, used, and stored.

Loss of Anonymity

Governments have been more assertive in cracking down on the right to anonymity in regard to distributing illegal pornographic materials, issuing libelous statements, and using technology in criminal activities. Courts in the U.S. have issued rulings requiring chat rooms or e-mail forums to reveal the names of people who post anonymous messages to support lawsuits. Making false claims on the Internet has resulted in prosecution. In one recent case, Mark S. Jakob, 23, accepted responsibility for one count of wire fraud and two counts of securities fraud for sending out a fake press release that affected the shares of Emulex. Shares of the Costa Mesa, California-based company fell by as much as 62% on August 25, the day Bloomberg News and other news organizations distributed the inaccurate information. Jakob was sentenced to jail time in August 2001. In early September 2000, a Canadian judge required an Internet service provider (ISP) to reveal a subscriber's identity after claims of defamation were made; the ISP complied. One anonymous remailer, anon.penet.fi, closed down after the Church of Scientology claimed copyright violations.

Chat rooms, which have always been a bastion of anonymity, have been forced to reveal users' personal information. In cases involving Yahoo! and AOL Time Warner, user information about people criticizing companies or revealing internal secrets has been revealed for lawsuits. AnswerThink took legal action against 12 John Does in February 2000 for their negative comments posted in a Yahoo! chat room. The complaint claimed defamation and breach of contract, and the user information was revealed. As you can see from these examples, anonymity on the Internet is no longer guaranteed.

Government Monitoring

Government monitoring of individuals and businesses has always been a mainstay of criminal investigations and prosecution. The changes we have seen in technology in the past several years and the laws that have been passed to increase the government's capability to monitor communications and activity of individuals have become more invasive. In addition to technologies such as DCS1000, the government is pressuring technology companies and ISPs to install monitoring devices. Laws being passed will force ISPs to reveal user information and show traffic generated by consumers under investigation.

The Federal Intrusion Detection Network (FIDNet), part of the National Security Plan, is another monitoring technology available to the government. The FIDNet described in the National Plan would be a government-wide system using artificial intelligence “intrusion detection” software to monitor contacts with sensitive government computers. Intrusion detection systems would be connected, and the data they generated could be collated and analyzed; patterns and intruders could then be identified across systems. FIDNet is available for civilian government computers, but it does not define which systems will be covered. Designated systems have been defined as the departments of Health and Human Services, Commerce, Transportation, and Treasury and the EPA. Although privacy groups have raised opposition to FIDNet, the government has said, “A preliminary legal review by the Justice Department has concluded that, subject to certain limitations, the FIDNet concept complies with the Electronic Communications Privacy Act (ECPA).” The owner of a system, including the government, is allowed to monitor use of its own system to protect itself, and FIDNet would not be breaking any laws against monitoring its own systems.

Updated Laws

A recent study by McConnell International (http://www.mcconnellinternational.com) titled “Cyber Crime and Punishment? Archaic Laws Threaten Global Information,” published in December 2000, shows the updates to the security and privacy laws for a number of countries (see Table 4.1).

From this study the following points can be made:

  • No standard exists for laws on privacy and security between countries. Each country is approaching the issue in its own manner, and even individual states in the U.S. have many different laws applying to privacy.

  • No guidelines have been developed that all countries could follow for a uniform code on security and privacy. The EU comes closest to codifying privacy law across countries.

  • Most laws have not advanced enough to prosecute cybercrimes. Countries still rely on antiquated laws that do not apply to the technology being used. Cybercrime prosecution fails in most cases because no standards have been developed for how a cybercrime is prosecuted, what evidence is necessary, and how that evidence must be collected to be admissible.

  • The punishment does not fit the crime in most privacy cases. The harm is hard to quantify because the value of data and personal information is not easily measured.

  • Protection is being left in the hands of private industry. Governments are not taking enough action to protect individuals and corporations. This is slowly changing, with several recent laws and bills before many legislatures.

  • It is nearly impossible to prosecute across borders. The Council of Europe has come closest, drafting standards for illegal access, illegal interception, data interference, system interference, computer-related forgery, computer-related fraud, and the aiding and abetting of these crimes.

Table 4.1. Countries with Updated Privacy and Security Laws, by Offense Covered (from the McConnell International study; an X means the country's updated law covers that offense)

Column key
  Data crimes:    DI = Data Interception, DM = Data Modification, DT = Data Theft
  Network crimes: NI = Network Interference, NS = Network Sabotage
  Access crimes:  UA = Unauthorized Access, VD = Virus Dissemination
  Related crimes: AA = Aiding and Abetting Cyber Crimes, CF = Computer-Related Forgery, CR = Computer-Related Fraud

Country          DI  DM  DT  NI  NS  UA  VD  AA  CF  CR
Australia        X   X   X   X   -   X   -   -   X   X
Brazil           -   X   -   -   X   X   -   X   -   -
Canada           X   X   X   X   X   X   X   -   -   X
Chile            X   X   X   X   X   -   -   -   -   -
China            -   X   -   X   -   -   X   -   -   -
Czech Republic   -   X   X   -   X   X   -   -   -   X
Denmark          -   X   -   X   -   -   -   -   -   X
Estonia          -   X   X   X   X   X   X   X   -   X
India            -   X   X   X   X   X   X   X   -   X
Japan            X   X   X   X   X   X   -   X   X   X
Malaysia         -   X   -   -   -   X   -   X   -   X
Mauritius        X   X   -   X   X   X   X   X   X   -
Peru             X   X   X   X   X   X   -   -   -   X
Philippines      X   X   X   X   X   X   X   X   X   X
Poland           -   X   X   X   -   -   -   X   -   -
Spain            X   X   X   -   -   -   -   X   -   X
Turkey           -   X   X   X   X   -   X   X   X   X
United Kingdom   -   X   -   X   X   X   -   X   -   -
United States    X   X   X   X   X   X   X   X   -   X

Spain's row in the source is spaced ambiguously: its fourth mark falls in either the Virus Dissemination or the Aiding and Abetting column, and it is shown under Aiding and Abetting here.

The following list describes several countries' monitoring agencies:

  • Russia— The Federal Security Service (FSB) possesses investigatory powers. It conducts intelligence operations inside and outside Russia to enhance “the economic, scientific-technical and defense potential” of Russia. It can monitor Internet transmissions coming into and out of Russia. The Federal Agency for Government Communications and Information (FAPSI) has technical capabilities for monitoring communications and gathering intelligence.

  • People's Republic of China— The People's Republic of China (PRC) created a Ministry of State Security to stop “enemy agents, spies, and counterrevolutionary activities designed to…overthrow China's socialist system.” The Internet police agency was started in 1998.

  • Germany— Germany's Bundesnachrichtendienst (BND) has been engaged in intelligence gathering for nearly 50 years.

  • Israel— Israel has at least three official intelligence-gathering organizations: Mossad, Shin Bet, and Aman. Mossad handles surveillance outside of Israel, whereas Shin Bet conducts surveillance inside the country. Aman handles military intelligence.

  • France— The Secretariat General de la Defense Nationale (SGDN), the Direction du Renseignement Militaire (DRM), and the Direction Generale de la Securite Exterieure (DGSE) conduct surveillance and information gathering.

  • India— India's Central Bureau of Investigation (CBI) is tasked with the “preservation of values in public life” as well as “ensuring the health of the national economy.”

One of the main problems faced by consumers in most countries is the patchwork of laws that apply to privacy. The EU Directives are one of the few sets of statutes that provide a reasonably comprehensive approach. Rather than many different laws applying to different aspects of the privacy issue, consumers would be better served by a uniform set of laws that are national in scope and apply to all sectors of business. In the U.S., the House Subcommittee on Commerce, Trade, and Consumer Protection has been examining the coverage of privacy laws in the U.S., looking at the 30 federal statutes and numerous state laws that address privacy. “I will be one of the first to admit that the U.S. approach toward privacy has been piecemeal,” said Commerce Committee Chairman Billy Tauzin (R-LA) in a statement. Because the rules can differ from state to state, companies operating in the U.S. can incur large costs to comply with them. Often the costs are passed on to the consumer, or companies fail to follow the laws correctly, and consumer privacy is compromised either way.

Council of Europe

One global initiative for protection against cybercrime is the treaty being developed by more than 40 countries, including the U.S., the EU member states, and Russia. The treaty will cover such aspects of computer crime as data crimes, network crimes, access crimes, computer-related forgery, and computer-related fraud. It is designed to aid police investigations by requiring Web sites and ISPs to collect and retain information about their users, which has brought privacy groups up in arms: the personal information that ISPs and Web sites can collect can be very damaging to consumers if it is disseminated. A user under investigation can also be required to hand over the “measures applied to protect the computer data,” in other words the cryptographic keys used to secure personal data.

Another key aspect of the treaty is the move to make it illegal to distribute some security software that system administrators use to protect their own networks. Only users chosen by the Council of Europe, such as law enforcement agencies, would be allowed to have such tools. Making it illegal for administrators to own security testing tools would in practice ensure that only the attackers have them.

Even though the treaty is aimed at defining standards and a uniform treatment of cybercrimes, the onus of enforcing it will fall on each individual country. One key element missing from the treaty is privacy protection. The council found reconciling the diverse privacy laws of different countries too difficult and left privacy regulation out. “We cannot find an acceptable international standard in terms of privacy as it applies to this treaty,” said Henrik Kaspersen of the Council of Europe. The Global Internet Liberty Campaign says it believes “the draft treaty is contrary to well-established norms for the protection of the individual, that it improperly extends the police authority of national governments, that it will undermine the development of network security techniques, and that it will reduce government accountability in future law enforcement conduct.” The U.S. Justice Department has been involved in the drafting process, and when the treaty is complete, Congress will have to review it and decide whether it should be ratified by the U.S.

Lack of Enforcement

Government approaches to privacy and security continue to emphasize indirect, market-based incentives, self-regulation, and sectoral laws rather than nationwide legislative mandates to keep data secure. These mechanisms include insurers measuring industry adherence to new information security standards when writing liability coverage, the incorporation of such standards into accounting evaluations, and the influence such standards exert on business relations with customers. Many privacy groups find this tactic beneficial to consumer rights, but it has led to weak privacy protection overall. The key element in all such schemes is information security standards and the enforcement of those standards, an area where the private sector may well be ahead of most government agencies and regulations. However, the differences between industry sectors, and even between companies, are vast and leave many holes through which consumer privacy is compromised.

A clear example of the lack of enforcement capability in government legislation is the spam bill before Congress. Legislation introduced in February 2001 would prevent or greatly reduce unsolicited commercial e-mail (spam). But once lobbying began by associations that promote spam and similar marketing schemes, the bill was amended in a congressional committee and stripped of some of its enforcement provisions. The government continues to let the industry regulate itself and seems to step in only when a crisis point arises, and then with half measures. Privacy advocates have blasted the new bill, which is before the House Judiciary Committee. “This bill is far too weak,” said Jason Catlett, president of Junkbusters Corp., a privacy advocacy organization in Green Brook, New Jersey. Junkbusters and the Coalition Against Unsolicited Commercial Email (CAUCE) are two of the privacy advocates that have vowed to fight the amended version of the bill, known as H.R. 718. Insurers, accountants, lenders, and investors already understand the importance of information security and of enforcing security measures. However, without penalties that bite when a company fails to meet those measures, consumers will continue to bear the brunt of attacks, loss of data, and loss of peace of mind.
