Information Security - Building Trust in Cyberspace iLaw Eurasia eGovernance Academy Tallinn 13-17 December 2004 James X. Dempsey Center for Democracy & Technology

Legal and Policy Framework Supporting Development of the Internet


Page 1: Legal and Policy Framework Supporting Development of the Internet

Information Security - Building Trust in Cyberspace

iLaw Eurasia

eGovernance Academy, Tallinn

13-17 December 2004

James X. Dempsey, Center for Democracy & Technology


The Elements of Trust Online

1. Protection of government secrets
  • Protection of national security information
  • Other sensitive government information
2. Protection of intellectual property - business secrets
3. Cybersecurity
  – Communications network reliability
  – Critical infrastructure protection - power, water
  – Cybercrime
4. Communications privacy
5. Data privacy (privacy of personally identifiable information)
6. E-signature and authentication
7. Consumer protection
8. Accuracy of information, defamation


Government secrets

• Protection of national security information
  – Definition: information generated by the government and its contractors, which, if publicly disclosed, will harm the national security.
  – Important question: Can the judiciary or some other independent official review and overturn the decision of the Executive Branch to keep information secret?
• Other sensitive government information
  • Criminal investigative information
  • Private information about individuals in the hands of the gov’t
• Gov’t secrets online and off are defined the same.
• Many countries deal with these issues in Freedom of Information law:
  http://www.rz.uni-frankfurt.de/~sobotta/FOI.htm
  http://www.cfoi.org.uk/overseas.html


Cybersecurity

• Many communications networks and other critical infrastructures are privately owned

• Cybersecurity is shared responsibility of gov't, service providers, software and hardware makers, and users (large and small).

• Cybersecurity strategy has many components:
  – industry standards and sound technology design
  – information sharing about threats/vulnerabilities (CERTs)
  – awareness, education of all users
  – R&D
  – criminal law
  – liability of computer/software makers under civil law?


Cybersecurity Guidelines

• OECD Guidelines for Security of Information Systems and Networks

• APEC Strategy and Statement on the Security of Info and Communications Infrastructure

• EU - Council Resolution 28

• OAS

• E-Japan Priority Policy Program (cybersecurity incorporated)

• Australia E-Security National Agenda

• US National Strategy to Secure Cyberspace & E-Government Act (cybersecurity included)


Common Themes in Int’l Guidelines

• Public-Private Partnerships
• Public Awareness
• Guidelines, International Standards
• Information Sharing
• Training and Education
• Respect for Privacy
• Vulnerability Assessment, Warning and Response
• International Cooperation


Gov’t Must Get Its Own House In Order

• Government should not dictate security technologies to industry until it has solved its own problems (that is, probably never)

• US E-Gov Act - Title III - limited to government systems - focuses on process, not technologies
  – Periodic assessment of risk
  – Adoption of policies and procedures
  – Chief Security Officer for every agency
  – Security awareness training
  – Detecting and responding to attacks
  – Annual reports to Congress on progress
  – Independent security evaluation
  – Office of Management and Budget (White House) authority

• Similar requirements may be appropriate for private sector, especially financial sector, medical data


Privacy is an Element of Cybersecurity

“Protection of privacy is a key policy objective in the European Union. It was recognized as a basic right under Article 8 of the European Convention on human rights. Articles 7 and 8 of the Charter of Fundamental Rights of the EU also provide the right to respect for family and private life, home and communications and personal data.” Communication from the Commission on Network and Information Security (2001)


OECD Cybersecurity Guidelines Emphasize Privacy

Principle 5:

“Security should be implemented in a manner consistent with the values recognised by democratic societies including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency.”


Cybercrime

• Crimes against computers or communications
  – Interference with availability or integrity of data
    • destroying data, altering data
  – Interference with availability of service
    • Denial of service attacks
  – Interception of data in transit (unauthorized access to comms)
  – Unauthorized access to data (cyber trespass)

• CIA - Confidentiality, Integrity, Availability

• Crimes using computer
  – Fraud, dissemination of pornography, copyright infringement
  – Should not be treated as separate crimes

• Crimes where evidence is in computer
  – Any crime

COE Convention on Cybercrime - good model, approach with caution


Criminal Law Has Limited Effect

Under US law, such an email is absolutely illegal:
• Falsified header information - criminal and civil violation
• Hijacking another computer to send spam - criminal and aggravated civil violation
• Possible falsification of domain name registration information - criminal violation
• No valid physical address - civil violation
• No opt-out - civil violation
• Deceptive subject heading - civil violation
• Possible address harvesting - aggravated civil violation

The solution to the cybercrime problem requires:
• International cooperation
• Better technology design
• Education of users


Phishing E-mail message

Message purporting to be from eBay

Threatens account termination

Asks user to update information

Uses eBay and Trust-e logos for legitimacy

Links to non-eBay site


Web site

Looks like legitimate eBay site

Asks for account and credit card info

Sends info to phisher and not eBay


Intercepted Phishing Emails

Source: MessageLabs Intelligence Annual Security Report. December 6, 2004


Investigation of Cybercrime

• To investigate cybercrime and crimes facilitated by computer, law enforcement agencies need access to
  – content of communications;
  – transactional (or traffic) data;
  – stored data;
  – data identifying subscriber (e.g., name)


COE Cybercrime Treaty - Art. 15

• “Each party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this section are subject to conditions and safeguards provided for under its domestic law, which shall provide for adequate protection of human rights and liberties … .

• “Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.”


Surveillance Standards

– Standards specified in legislation
– Independent approval (preferably judicial)
– Limited to serious crimes
– Strong factual basis
– Exhaustion of other approaches
– Surveillance limited scope and duration
– Minimization - evidence of wrongdoing
– Use limitation - criminal justice and national security
– Notice to target after completion of investigation
– Redress for violations of standards

European Court of Human Rights http://www.internetpolicy.net/practices/#13


Elements of Surveillance Law - Real-Time Interception - ECHR

• Standards for interception must be spelled out clearly in legislation, with sufficient precision to protect against arbitrary application.

• Approval should be obtained from an independent official (preferably a judge).

• Only for the investigation of serious offenses.

• Only upon a strong factual showing of reason to believe that the target of the search is engaged in criminal conduct.

• Only when it is shown that other less intrusive techniques will not suffice.


Elements of Surveillance Law -2

• Each surveillance order should cover only specifically designated persons or accounts.

• The rules should be technology neutral – all one-to-one communications should in general be treated the same, whether they involve voice, fax, images or data, wireline or wireless, digital or analog.

• The scope and length of time of the interception should be limited.

• The surveillance should be conducted in such a way as to reduce the intrusion on privacy to the minimum necessary to obtain the needed evidence.


Elements of Surveillance Law -3

• Information seized or intercepted for criminal investigative purposes may not be used for other ends (except national security).

• Summary reports back to the approving judge.

• In criminal investigations, all those who have been the subject of interception should be notified after the investigation concludes, whether or not charges result.

• Personal redress should be provided for violations of the privacy standards.


Transactional Data

• Also known as traffic data - connection data, dialed numbers, IP addresses, time, date, duration … .

• Disclosure implicates privacy interests. Malone, ECHR.

• But real-time surveillance may be authorized under a standard lower than that applicable to content interception and for all crimes.

• Internet poses special challenge: drawing line between content and traffic data. COE, Explanatory Report, para. 227.


Stored Data

• May be content or traffic data.

• Data stored with user - treated like any other evidence in the home or office and subject to protections accorded written documents.

• Data stored with service provider or other third party - disclosure generally implicates privacy interests.

• Distinction may be drawn between immediate seizure and procedures for delivery to government:
  – Immediate seizure usually requires highest form of approval.
  – Voluntary disclosures by service providers permitted in some cases - exceptions should be narrowly drawn.


Data Retention

• Should service providers be required to keep traffic data beyond time needed operationally?

• EU law permits but does not require states to adopt data retention laws.

• COE Cybercrime Treaty does not require companies to retain data or modify their systems to facilitate interception.

• US law does not require data retention.

• US law and the COE treaty provide for data preservation upon government request, with disclosure based on appropriate authorization.


Encryption

• On balance, strong encryption contributes to security and prevention of crime more than it facilitates crime.

• 1997 OECD Guidelines and 1998 EC report supported availability of encryption.

• Canada, Germany, Ireland, France, Belgium, US, among others have eliminated or loosened restrictions on encryption.

• “The use of encryption technologies … [is] becoming indispensable, particularly with the growth in wireless access.” EC Communication, Creating a Safer Info Society, 2001.


Anonymity

• “In order to … enhance the free expression of information and ideas, member states should respect the will of users not to disclose their identity.” COE Declaration, 2003.

• “An increasing variety of authentication mechanisms is required to meet our different needs in the environments in which we interact. In some environments, we may need or wish to remain anonymous.” EC Communication, 2001.

• “People who have been stealing our movies believe they are anonymous on the Internet. They are wrong. We know who they are, and we will go after them.” MPAA Pres. Dan Glickman, Washington Internet Daily, Nov 5, 2004


Summary

• Privacy and security are two sides of the same coin.
• Cybercrime legislation is one component of cybersecurity.
• Government will need access to communications and data, subject to procedural safeguards.
• Network security is the shared responsibility of the gov’t and the private sector.
  – Gov't protects its own networks, contributes to awareness, info sharing, R&D.
• Government should not impose technical mandates.
• Laws will not make computer networks more secure. The problem of cybersecurity will be solved only when makers of computer technology build more secure systems and when owners, operators and users of computer systems operate their systems in a more secure manner.


Consumer Privacy

• Consumer privacy protection in the US and Europe, as well as under the guidelines of the OECD, is based on the following principles:
  – Notice and Consent
  – Collection Limitation
  – Use/Disclosure Limitation
  – Retention Limitation
  – Accuracy
  – Access
  – Security
  – Enforcement

EU data protection directive, 95/46/EC, http://www.cdt.org/privacy/eudirective/EU_Directive_.html (unofficial)


EU Electronic Communications Privacy Directive

• Article 4 - a provider of a publicly available electronic communications service must take appropriate technical and organizational measures to safeguard the security of its services.

• Article 5 - Member States are required to adopt national legislation to ensure the confidentiality of communications.
  – Expressly extends this confidentiality obligation to traffic data.
  – Such laws should prohibit listening, tapping, storage or other kinds of interception or surveillance of communications without the consent of the users concerned or pursuant to strictly limited legal authority, as permitted under Article 15

• Article 9 - location data can be collected and used only in anonymous form or with the consent of users to the extent and for the duration necessary for the provision of value added services


EU Electronic Communications Privacy Directive

• Article 6 - As a general rule, traffic data must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication.
  – Limited data storage for billing permitted.

• Article 7 - Subscribers have the right to receive non-itemized bills if they do not want records kept of their calling behavior.

• Article 8 - Where Caller ID is offered, the service provider must offer calling parties, free of charge, the possibility to easily block presentation of the calling line number on a per-call and per-line basis. Must offer the called party the possibility to reject incoming calls where presentation of Caller ID has been blocked by the calling party.


EU Electronic Communications Privacy Directive

• Article 15 (1) provides that Member States may adopt legislative measures to restrict the scope of rights and obligations provided in Articles
  • 5 (confidentiality of communications),
  • 6 (automatic erasure of transactional data),
  • 8 (regarding caller ID) and
  • 9 (regarding location information)

when the restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defense, or public security or for the prevention, investigation, detection and prosecution of criminal offenses or to prevent unauthorized use of the electronic communications system.


Privacy by Design

• Building privacy into the technology.
• Collection limitation
  – Don’t transmit, collect, retain, or share data unless essential
  – Example: Log retention
• Authentication ≠ Identification
  – Limit personally identifiable data
  – Allow for anonymity, pseudonymity, proxies, trust agents
• Enhance user control


Privacy by Design

• P3P - the Platform for Privacy Preferences
  • www.w3.org/p3p
  • www.p3ptoolbox.org
• User control
  • E.g., Wireless location: Handset versus network
• Privacy Enhancing Technology
  • Encryption
  • Anonymizers
  • Free or pre-paid services
  • Cash - the best privacy technology in the world


Spam Percentage in Email

Source: MessageLabs Intelligence Annual Security Report. December 6, 2004


Consumer Protection

• Success of e-commerce depends on legal system recognizing and promptly enforcing electronic contracts (business to business and business to consumer)

• Consumer protection includes
  – Prohibition on misleading advertising
  – Regulation of consumer financial services and credit
  – Rules against fraudulent billing
  – Complaint resolution
  – Right to refund if goods are not delivered or defective


Consumer Protection

• Before closing contract, consumer should be provided
  – Identity and address of supplier
  – Description of goods and their price
  – Procedure for payment, delivery and performance (if buying a service)
  – Notice of “right of withdrawal”

• European Parliament & Council Directive 97/7/EC (17 February 1997) on the protection of consumers in respect of distance contracts
  – http://europa.eu.int/information_society/topics/ebusiness/ecommerce/3information/law&ecommerce/legal/documents/31997L0007/31997L0007_en.html

• European Parliament & Council Directive 2000/31/EC (8 June 2000) on electronic commerce
  – http://europa.eu.int/ISPO/ecommerce/legal/documents/2000_31ec/2000_31ec_en.pdf


Electronic Signatures

Four sets of issues
  – “Writing”
  – “Signature”
  – Identity
  – Confidentiality, integrity, non-repudiation

Definitions
• Electronic signature - any authentication by electronic means.
• Digital signature - specific kind of e-signature using encryption.

First step - assess the legal barriers to online commerce


E-Signatures - Int’l Models

• Model Law for Electronic Commerce developed by the United Nations Commission on International Trade Law (UNCITRAL) - 1996

• UNCITRAL Model Law on Electronic Signatures - 2001

• EU E-Signature Directive - 1999

These models recommend a very complicated structure - they try to solve all problems at once, including the very difficult question of stranger-to-stranger transactions


Electronic Signatures

The focus on e-signature laws is often misplaced. E-signature legislation is not the most important policy reform needed to support e-commerce and ICT development.

For e-commerce to flourish, other legal reforms are needed.

• Banking Reforms: Credit cards, Electronic Funds Transfer

• Redress: Consumer Protection Rules

• Enforcement of Contracts - Judicial System

A simple e-signature law based on “business choice” can resolve most of the basic questions facing e-commerce.


Electronic Signatures

• Most B2B commerce is not between strangers.

• Most B2C commerce does not draw trust from the signature.

• It is very hard, and probably not necessary, to solve the pure stranger-to-stranger


Simple Approach to Electronic Signatures

• “Business choice:” Parties to a transaction should be allowed to adopt any technology they mutually agree upon in conducting their e-commerce activities.

• Limit government involvement: Avoid government involvement in e-commerce systems that would limit the development of competition or market choice, e.g. licensing requirements.

• Technology neutrality - National e-signature laws should not exclusively require any particular technology for creating electronic signatures.
  • OK: presumption of legal validity to electronic signatures that use PKI technology.
  • Not acceptable to make PKI the only legally recognized technology for e-signatures.
  • Except: government may require particular standards or technologies (e.g., PKI) in interactions with government.


More Information

Global Internet Policy Initiative (GIPI)

http://www.internetpolicy.net

Center for Democracy and Technology (CDT)

http://www.cdt.org

Information Technology Security Handbook

infoDev project, World Bank (Dec. 2003)

http://www.infodev-security.net/handbook/

International Guide to Combatting Cybercrime

American Bar Association (2003)

http://www.abanet.org/abapubs/books/5450030I/