Legal and Policy Framework Supporting Development of the


Information Security Building Trust in Cyberspace
iLaw Eurasia
eGovernance Academy
Tallinn
13-17 December 2004
James X. Dempsey
Center for Democracy & Technology
The Elements of Trust Online
1. Protection of government secrets
   • Protection of national security information
   • Other sensitive government information
2. Protection of intellectual property - business secrets
3. Cybersecurity
   – Communications network reliability
   – Critical infrastructure protection - power, water
   – Cybercrime
4. Communications privacy
5. Data privacy (privacy of personally identifiable information)
6. E-signature and authentication
7. Consumer protection
8. Accuracy of information, defamation
Government secrets
• Protection of national security information
  – Definition: information generated by the government and its contractors, which, if publicly disclosed, will harm the national security.
  – Important question: Can the judiciary or some other independent official review and overturn the decision of the Executive Branch to keep information secret?
• Other sensitive government information
  • Criminal investigative information
  • Private information about individuals in the hands of the gov’t
• Gov’t secrets online and off are defined the same.
• Many countries deal with these issues in Freedom of Information law:
  http://www.rz.uni-frankfurt.de/~sobotta/FOI.htm
  http://www.cfoi.org.uk/overseas.html
Cybersecurity
• Many communications networks and other
critical infrastructures are privately owned
• Cybersecurity is shared responsibility of gov't,
service providers, software and hardware
makers, and users (large and small).
• Cybersecurity strategy has many components:
  – industry standards and sound technology design
  – information sharing about threats/vulnerabilities (CERTs)
  – awareness, education of all users
  – R&D
  – criminal law
  – liability of computer/software makers under civil law?
Cybersecurity Guidelines
• OECD Guidelines for Security of Information
Systems and Networks
• APEC Strategy and Statement on the Security
of Info and Communications Infrastructure
• EU - Council Resolution 28
• OAS
• E-Japan Priority Policy Program (cybersecurity
incorporated)
• Australia E-Security National Agenda
• US National Strategy to Secure Cyberspace &
E-Government Act (cybersecurity included)
Common Themes in Int’l Guidelines
• Public-Private Partnerships
• Public Awareness
• Guidelines, International Standards
• Information Sharing
• Training and Education
• Respect for Privacy
• Vulnerability Assessment, Warning and Response
• International Cooperation
Gov’t Must Get Its Own House In Order
• Government should not dictate security technologies to
industry until it has solved its own problems (that is,
probably never)
• US E-Gov Act - Title III - limited to government systems
- focuses on process, not technologies
  – Periodic assessment of risk
  – Adoption of policies and procedures
  – Chief Security Officer for every agency
  – Security awareness training
  – Detecting and responding to attacks
  – Annual reports to Congress on progress
  – Independent security evaluation
  – Office of Management and Budget (White House) authority
• Similar requirements may be appropriate for private
sector, especially financial sector, medical data
Privacy is an Element of Cybersecurity
“Protection of privacy is a key policy objective
in the European Union. It was recognized
as a basic right under Article 8 of the
European Convention on human rights.
Articles 7 and 8 of the Charter of
Fundamental Rights of the EU also provide
the right to respect for family and private life,
home and communications and personal
data.” Communication from the Commission
on Network and Information Security (2001)
OECD Cybersecurity Guidelines
Emphasize Privacy
Principle 5:
“Security should be implemented in a manner
consistent with the values recognised by
democratic societies including the freedom to
exchange thoughts and ideas, the free flow of
information, the confidentiality of information
and communication, the appropriate
protection of personal information, openness
and transparency.”
Cybercrime
• Crimes against computers or communications
– Interference with availability or integrity of data
• destroying data, altering data
– Interference with availability of service
• Denial of service attacks
– Interception of data in transit (unauthorized access to comms)
– Unauthorized access to data (cyber trespass)
• CIA - Confidentiality, Integrity, Availability
• Crimes using computer
– Fraud, dissemination of pornography, copyright infringement
– Should not be treated as separate crimes
• Crimes where evidence is in computer
– Any crime
COE Convention on Cybercrime - good model, approach
with caution
Criminal Law Has Limited Effect
Under US law, such an email is absolutely illegal
• Falsified header information - criminal and civil violation
• Hijacking another computer to send spam - criminal and
aggravated civil violation
• Possible falsification of domain name registration information - criminal violation
• No valid physical address - civil violation
• No opt-out - civil violation
• Deceptive subject heading - civil violation
• Possible address harvesting - aggravated civil violation
The solution to the cybercrime problem requires:
• International cooperation.
• Better technology design
• Education of users.
Phishing
E-mail message:
• Message purporting to be from eBay
• Threatens account termination
• Asks user to update information
• Uses eBay and Trust-e logos for legitimacy
• Links to non-eBay site
Web site:
• Looks like legitimate eBay site
• Asks for account and credit card info
• Sends info to phisher and not eBay
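The tell-tale on this slide, a link whose visible text names ebay.com while its href goes to another host, can be checked mechanically before a user ever clicks. The Go program below is an added example written for this transcript, not material from the original talk or from eBay: the mail body it scans is constructed for the example, the phishing hostname in it is invented, and the "last two labels" approximation of a registrable domain is a simplification (a real filter would use the Public Suffix List).

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample mail body in the style described on the slide: it claims to be
// from eBay, threatens the account, and shows an ebay.com URL whose real destination
// is a different host. The phishing domain is made up for this example.
const sampleMail = `<p>Your eBay account will be suspended unless you update your information.</p>
<p>Click <a href="http://signin-ebay.example-phish.test/update">https://www.ebay.com/signin</a> to continue.</p>
<p>Need help? Visit <a href="https://pages.ebay.com/help">https://pages.ebay.com/help</a>.</p>
<p><a href="http://signin-ebay.example-phish.test/update">click here</a></p>`

var (
	anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>`)
	tagRe    = regexp.MustCompile(`(?s)<[^>]+>`)
)

// Mismatch records one link whose visible text names a different site than its href.
type Mismatch struct {
	Shown string // host the user sees in the link text
	Real  string // host the browser would actually contact
}

// hostOf returns the lowercase hostname of an absolute URL, or "" if s is not one.
func hostOf(s string) string {
	u, err := url.Parse(strings.TrimSpace(s))
	if err != nil || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// registrable approximates the registrable domain by keeping the last two labels.
// This shortcut is an assumption of the example; production code should consult
// the Public Suffix List.
func registrable(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// MismatchedLinks scans an HTML body and reports every anchor whose link text is
// itself a URL on one registrable domain while the href points to another. Links
// whose text is not a URL ("click here") are not comparable and are skipped.
func MismatchedLinks(html string) []Mismatch {
	var found []Mismatch
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		href := m[1]
		text := tagRe.ReplaceAllString(m[2], "") // strip nested tags from the anchor text
		shown, real := hostOf(text), hostOf(href)
		if shown == "" || real == "" {
			continue
		}
		if registrable(shown) != registrable(real) {
			found = append(found, Mismatch{Shown: shown, Real: real})
		}
	}
	return found
}

func main() {
	for _, m := range MismatchedLinks(sampleMail) {
		fmt.Printf("link text shows %s but points to %s\n", m.Shown, m.Real)
	}
}
```

Run against the sample body, the check flags exactly one link (text www.ebay.com, destination signin-ebay.example-phish.test) and passes the genuine pages.ebay.com help link. The same comparison is what a mail client or gateway can apply to every HTML message it handles; it catches the display/destination trick, not a phishing site reached through a plain "click here".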
Intercepted Phishing Emails
Source: MessageLabs Intelligence Annual Security Report. December 6, 2004
Investigation of Cybercrime
• To investigate cybercrime and crimes
facilitated by computer, law enforcement
agencies need access to
– content of communications;
– transactional (or traffic) data;
– stored data;
– data identifying subscriber (e.g., name)
COE Cybercrime Treaty - Art. 15
• “Each party shall ensure that the establishment,
implementation and application of the powers and
procedures provided for in this section are subject
to conditions and safeguards provided for under
its domestic law, which shall provide for adequate
protection of human rights and liberties … .
• “Such conditions and safeguards shall, as
appropriate in view of the nature of the procedure
or power concerned, inter alia, include judicial or
other independent supervision, grounds justifying
application, and limitation of the scope and the
duration of such power or procedure.”
Surveillance Standards
  – Standards specified in legislation
  – Independent approval (preferably judicial)
  – Limited to serious crimes
  – Strong factual basis
  – Exhaustion of other approaches
  – Surveillance limited in scope and duration
  – Minimization - evidence of wrongdoing
  – Use limitation - criminal justice and national security
  – Notice to target after completion of investigation
  – Redress for violations of standards
European Court of Human Rights
http://www.internetpolicy.net/practices/#13
Elements of Surveillance Law: Real-Time Interception - ECHR
• Standards for interception must be spelled out
clearly in legislation, with sufficient precision to
protect against arbitrary application.
• Approval should be obtained from an independent
official (preferably a judge).
• Only for the investigation of serious offenses.
• Only upon a strong factual showing of reason to
believe that the target of the search is engaged in
criminal conduct.
• Only when it is shown that other less intrusive
techniques will not suffice.
Elements of Surveillance Law -2
• Each surveillance order should cover only specifically designated
persons or accounts.
• The rules should be technology neutral – all one-to-one
communications should in general be treated the same, whether they
involve voice, fax, images or data, wireline or wireless, digital or
analog.
• The scope and length of time of the interception should be limited.
• The surveillance should be conducted in such a way as to reduce the
intrusion on privacy to the minimum necessary to obtain the needed
evidence.
Elements of Surveillance Law -3
• Information seized or intercepted for criminal investigative
purposes may not be used for other ends (except national
security).
• Summary reports back to the approving judge.
• In criminal investigations, all those who have been the
subject of interception should be notified after the
investigation concludes, whether or not charges result.
• Personal redress should be provided for violations of the
privacy standards.
Transactional Data
• Also known as traffic data - connection data, dialed
numbers, IP addresses, time, date, duration … .
• Disclosure implicates privacy interests. Malone,
ECHR.
• But real-time surveillance may be authorized under a
standard lower than that applicable to content
interception and for all crimes.
• Internet poses special challenge: drawing line
between content and traffic data. COE, Explanatory
Report, para. 227.
Stored Data
• May be content or traffic data.
• Data stored with user - treated like any other evidence
in the home or office and subject to protections
accorded written documents.
• Data stored with service provider or other third party - disclosure generally implicates privacy interests.
• Distinction may be drawn between immediate seizure
and procedures for delivery to government:
– Immediate seizure usually requires highest form of
approval.
– Voluntary disclosures by service providers
permitted in some cases - exceptions should be
narrowly drawn.
Data Retention
• Should service providers be required to keep
traffic data beyond time needed operationally?
• EU law permits but does not require states to
adopt data retention laws.
• COE Cybercrime Treaty does not require
companies to retain data or modify their
systems to facilitate interception.
• US law does not require data retention.
• US law and the COE treaty provide for data
preservation upon government request, with
disclosure based on appropriate authorization.
Encryption
• On balance, strong encryption contributes to
security and prevention of crime more than it
facilitates crime.
• 1997 OECD Guidelines and 1998 EC report
supported availability of encryption.
• Canada, Germany, Ireland, France, Belgium,
US, among others have eliminated or
loosened restrictions on encryption.
• “The use of encryption technologies … [is]
becoming indispensable, particularly with the
growth in wireless access.” EC Communication, Creating a Safer Info Society, 2001.
Anonymity
• “In order to … enhance the free expression of
information and ideas, member states should respect
the will of users not to disclose their identity.” COE
Declaration, 2003.
• “An increasing variety of authentication mechanisms
is required to meet our different needs in the
environments in which we interact. In some
environments, we may need or wish to remain
anonymous.” EC Communication, 2001.
• "People who have been stealing our movies believe
they are anonymous on the Internet. They are wrong.
We know who they are, and we will go after them.”
MPAA Pres. Dan Glickman, Washington Internet
Daily, Nov 5, 2004
Summary
• Privacy and security are two sides of the same coin.
• Cybercrime legislation is one component of cybersecurity.
• Government will need access to communications and data,
subject to procedural safeguards.
• Network security is the shared responsibility of the gov’t and the
private sector.
– Gov't protects its own networks, contributes to awareness,
info sharing R&D.
• Government should not impose technical mandates.
• Laws will not make computer networks more secure. The
problem of cybersecurity will be solved only when makers of
computer technology build more secure systems and when
owners, operators and users of computer systems operate their
systems in more secure manner.
Consumer Privacy
• Consumer privacy protection in the US and Europe,
as well as under the guidelines of the OECD, is
based on the following principles:
  – Notice and Consent
  – Collection Limitation
  – Use/Disclosure Limitation
  – Retention Limitation
  – Accuracy
  – Access
  – Security
  – Enforcement
EU data protection directive, 95/46/EC,
http://www.cdt.org/privacy/eudirective/EU_Directive_.html (unofficial)
EU Electronic Communications Privacy Directive
• Article 4 - a provider of a publicly available electronic
communications service must take appropriate technical
and organizational measures to safeguard the security of
its services.
• Article 5 - Member States are required to adopt national
legislation to ensure the confidentiality of
communications.
– Expressly extends this confidentiality obligation to traffic data.
– Such laws should prohibit listening, tapping, storage or other kinds
of interception or surveillance of communications without the
consent of the users concerned or pursuant to strictly limited legal
authority, as permitted under Article 15
• Article 9 - location data can be collected and used only in
anonymous form or with the consent of users to the
extent and for the duration necessary for the provision of
value added services
EU Electronic Communications Privacy Directive
• Article 6 - As a general rule, traffic data must be erased
or made anonymous when it is no longer needed for the
purpose of the transmission of a communication.
– Limited data storage for billing permitted.
• Article 7 - Subscribers have the right to receive non-itemized bills if they do not want records kept of their
calling behavior.
• Article 8 - Where Caller ID is offered, the service provider
must offer calling parties, free of charge, the possibility to
easily block presentation of the calling line number on a
per-call and per-line basis. Must offer the called party the
possibility to reject incoming calls where presentation of
Caller ID has been blocked by the calling party.
EU Electronic Communications Privacy Directive
• Article 15(1) provides that Member States may adopt
legislative measures to restrict the scope of rights
and obligations provided in Articles
  • 5 (confidentiality of communications),
  • 6 (automatic erasure of transactional data),
  • 8 (regarding caller ID) and
  • 9 (regarding location information)
when the restriction constitutes a necessary,
appropriate and proportionate measure within a
democratic society to safeguard national security,
defense, or public security or for the prevention,
investigation, detection and prosecution of criminal
offenses or to prevent unauthorized use of the
electronic communications system.
Privacy by Design
• Building privacy into the technology.
• Collection limitation
– Don’t transmit, collect, retain, or share data unless
essential
– Example: Log retention
• Authentication ≠ Identification
– Limit personally identifiable data
– Allow for anonymity, pseudonymity, proxies, trust agents
• Enhance user control
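As an added illustration of collection limitation applied to the slide's own example, log retention (example code written for this transcript, not part of the original talk): the Go program below rewrites web-server access-log lines before they are kept, truncating the client address to a network prefix, dropping the query string where search terms and tokens live, blanking the user fields, and discarding any line it cannot parse rather than retaining unvetted data. The sample lines, hosts and paths are constructed; the /24 and /48 truncation widths are a design choice for the example, not a legal requirement.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
)

// Constructed sample access-log lines in combined-log style. Addresses come from
// the documentation ranges and the paths are invented for the example.
var sampleLog = []string{
	`203.0.113.45 - - [13/Dec/2004:10:15:02 +0200] "GET /search?q=diabetes&user=alice HTTP/1.1" 200 5123`,
	`2001:db8:85a3::8a2e:370:7334 - - [13/Dec/2004:10:15:07 +0200] "GET /account?token=abc123 HTTP/1.1" 200 812`,
	`not a log line at all`,
}

// logRe matches: client ident user [timestamp] "method target proto" status size
var logRe = regexp.MustCompile(`^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)$`)

// anonymizeIP truncates a client address so the retained log identifies a network
// rather than a subscriber: IPv4 is cut to /24, IPv6 to /48. Anything that does not
// parse is replaced with "-" instead of being kept verbatim.
func anonymizeIP(s string) string {
	ip := net.ParseIP(s)
	if ip == nil {
		return "-"
	}
	if v4 := ip.To4(); v4 != nil {
		return v4.Mask(net.CIDRMask(24, 32)).String()
	}
	return ip.Mask(net.CIDRMask(48, 128)).String()
}

// stripQuery keeps only the path of the request target. Query strings are where
// search terms, session tokens and user identifiers usually end up.
func stripQuery(target string) string {
	u, err := url.Parse(target)
	if err != nil {
		return "-"
	}
	return u.EscapedPath()
}

// Minimize rewrites one line into the form that is safe to retain. It returns false
// for lines that do not match the expected format: a line that cannot be parsed
// cannot be vetted, so it is dropped rather than kept.
func Minimize(line string) (string, bool) {
	m := logRe.FindStringSubmatch(line)
	if m == nil {
		return "", false
	}
	// Ident and authenticated user (fields 2 and 3) are always replaced with "-".
	out := fmt.Sprintf(`%s - - [%s] "%s %s %s" %s %s`,
		anonymizeIP(m[1]), m[4], m[5], stripQuery(m[6]), m[7], m[8], m[9])
	return out, true
}

func main() {
	for _, line := range sampleLog {
		if out, ok := Minimize(line); ok {
			fmt.Println(out)
		} else {
			fmt.Println("dropped unparseable line")
		}
	}
}
```

What survives is still enough for capacity planning, error-rate monitoring and coarse abuse detection by network, while the retained file no longer ties a search for "diabetes" or a session token to an individual subscriber. The minimization has to happen at write time or at rotation; retaining the raw file "just in case" and promising to scrub it later is exactly the pattern the slide warns against.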
Privacy by Design
• P3P - the Platform for Privacy Preferences
  – www.w3.org/p3p
  – www.p3ptoolbox.org
• User control
  – E.g., wireless location: handset versus network
• Privacy Enhancing Technology
  – Encryption
  – Anonymizers
  – Free or pre-paid services
  – Cash - the best privacy technology in the world
Spam Percentage in Email
Source: MessageLabs Intelligence Annual Security Report. December 6, 2004
EU Electronic Communications Privacy Directive
• Spam - opt-in (prior relationship - opt-out)
• Traffic data marketing - opt-in
• Cookies - opt-out
– clear and precise information on their purposes
and the opportunity to refuse them.
• Directories - opt-out
• Data retention - permitted but not required for law enforcement or national security; disclosure requires independent approval
Directive 2002/58/EC
http://europa.eu.int/information_society/topics/telecoms/regulatory/new_rf/index_en.htm
Consumer Protection
• Success of e-commerce depends on legal system
recognizing and promptly enforcing electronic
contracts (business to business and business to
consumer)
• Consumer protection includes
  – Prohibition on misleading advertising
  – Regulation of consumer financial services and credit
  – Rules against fraudulent billing
  – Complaint resolution
  – Right to refund if goods are not delivered or defective
Consumer Protection
• Before closing contract, consumer should be provided
– Identity and address of supplier
– Description of goods and their price
– Procedure for payment, delivery and performance (if buying a
service)
– Notice of “right of withdrawal”
• European Parliament & Council Directive 97/7/EC (17 February
1997) on the protection of consumers in respect of distance
contracts
  – http://europa.eu.int/information_society/topics/ebusiness/ecommerce/3information/law&ecommerce/legal/documents/31997L0007/31997L0007_en.html
• European Parliament & Council Directive 2000/31/EC (8 June
2000) on electronic commerce
  – http://europa.eu.int/ISPO/ecommerce/legal/documents/2000_31ec/2000_31ec_en.pdf
Electronic Signatures
Four sets of issues
– “Writing”
– “Signature”
– Identity
– Confidentiality, integrity, non-repudiation
Definitions
• Electronic signature - any authentication by electronic means.
• Digital signature - specific kind of e-signature using public-key cryptography: the
signer's private key produces the signature, and anyone holding the matching public
key can verify it. That is what gives integrity and non-repudiation, not confidentiality.
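To make the two definitions concrete (added example for this transcript, not from the original slides): the Go program below generates an Ed25519 key pair, signs a short contract, and shows that the signature verifies only for the unmodified document and only under the signer's own public key. The contract text and the party names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is one party's key pair. The private key never leaves its owner; the
// public key is what a counterparty or a court uses to check a signature.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// Sign produces a signature bound to the exact bytes of doc.
func (s *Signer) Sign(doc []byte) []byte { return ed25519.Sign(s.priv, doc) }

// Public returns the verification key to hand to the other party.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Verify reports whether sig is a valid signature on doc under pub. It fails if doc
// differs by a single byte from what was signed (integrity) or if the signature was
// made with another key (origin). Because only the private-key holder could have
// produced a valid signature, that holder cannot later deny signing (non-repudiation).
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Demo walks through a two-party contract: Alice signs, Bob verifies with Alice's
// public key, then an altered copy and a signature from a third key are both rejected.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	alice, err := NewSigner()
	if err != nil {
		return false, false, false, err
	}
	mallory, err := NewSigner()
	if err != nil {
		return false, false, false, err
	}
	contract := []byte("Buyer agrees to pay 1000 EUR for lot 42.") // constructed sample
	sig := alice.Sign(contract)

	genuine = Verify(alice.Public(), contract, sig)                                            // true
	tampered = Verify(alice.Public(), []byte("Buyer agrees to pay 9000 EUR for lot 42."), sig) // false
	wrongKey = Verify(alice.Public(), contract, mallory.Sign(contract))                        // false
	return genuine, tampered, wrongKey, nil
}

func main() {
	g, t, w, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", g, t, w)
}
```

Note what the example does not settle: verifying the signature tells Bob that whoever holds that private key signed that exact text. It does not tell him that the key belongs to a person called Alice. Binding a key to an identity is the separate "identity" issue on the previous slide, and it is why PKI and certification authorities enter the picture at all.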
First step - assess the legal barriers to online commerce
E-Signatures - Int’l Models
• Model Law for Electronic Commerce developed by the
United Nations Commission on International Trade Law
(UNCITRAL) - 1996
• UNCITRAL Model Law on Electronic Signatures - 2001
• EU E-Signature Directive - 1999
These models recommend a very complicated structure - they try to solve all problems at once, including the very
difficult question of stranger-to-stranger transactions
Electronic Signatures
• The focus on e-signature laws is often misplaced. E-signature legislation is not the most important policy
reform needed to support e-commerce and ICT
development.
• For e-commerce to flourish, other legal reforms are
needed.
  – Banking Reforms
  – Credit cards
  – Electronic Funds Transfer
  – Redress
  – Consumer Protection Rules
  – Enforcement of Contracts - Judicial System
• A simple e-signature law based on “business choice”
can resolve most of the basic questions facing e-commerce.
Electronic Signatures
• Most B2B commerce is not between
strangers.
• Most B2C commerce does not draw trust
from the signature.
• It is very hard, and probably not
necessary, to solve the pure stranger-to-stranger
Simple Approach to Electronic Signatures
• “Business choice:” Parties to a transaction should
be allowed to adopt any technology they mutually
agree upon in conducting their e-commerce activities.
• Limit government involvement - avoid government
involvement in e-commerce systems that would limit
the development of competition or market choice, e.g.
licensing requirements.
• Technology neutrality - National e-signature laws
should not exclusively require any particular
technology for creating electronic signatures.
• OK: presumption of legal validity to electronic signatures
that use PKI technology.
• Not acceptable to make PKI the only legally recognized
technology for e-signatures.
• Except: government may require particular standards or
technologies (e.g., PKI) in interactions with government.
More Information
Global Internet Policy Initiative (GIPI)
http://www.internetpolicy.net
Center for Democracy and Technology(CDT)
http://www.cdt.org
Information Technology Security Handbook
infoDev project, World Bank (Dec. 2003)
http://www.infodev-security.net/handbook/
International Guide to Combatting Cybercrime
American Bar Association (2003)
http://www.abanet.org/abapubs/books/5450030I/