June 30, 2005

Specter, Leahy introduce Personal Data Privacy and Security Act

Reacting to the current troubling situation regarding data security and privacy in the U.S., two powerful senators introduced legislation yesterday designed to better protect sensitive personal information. Senator Arlen Specter (R-PA) and Senator Patrick Leahy (D-VT) – the two most powerful members of the Senate Judiciary Committee – put forward the “Data Privacy and Security Act of 2005” on Wednesday, stating that “[i]nsecure databases have become the low-hanging fruit for hackers looking to steal identities and commit fraud …” The bill has six main goals:

  • Increase criminal penalties for ID theft involving electronic data;
  • Allow individuals to access and correct the personal information data brokers maintain regarding them;
  • Require entities that maintain personal data to create internal policies for the protection of that data and “vet” third parties that they hire to process that data;
  • Provide notice to individuals when a breach of their personal information occurs;
  • Limit the buying, selling, or displaying of Social Security numbers without an individual’s consent; and
  • Require the federal government to establish privacy and security rules for when it uses information from data brokers.

A press release regarding the bill’s introduction is available here. Also, click here to see a PDF of the complete legislation.

We will have more information here about the bill soon, once we’ve had a little more time to digest it. However, given the status of the bill’s two co-sponsors, this could very well be the data privacy and security bill that moves in the Senate this year.

David posted this at 2:38 pm ET | Filed in Privacy, Security

 
June 28, 2005

Proposed Export Rules Could Stifle Innovation

Update: Many organizations filed comments with BIS (the rumor has it around 200). The only one that we have seen so far (besides the CRA link at the bottom) is by the Association of American Universities. Apparently many business groups filed as well, including several IT and trade associations. We’ll post links to the big ones as they come in.

Original Post 6/28/05: Yesterday USACM filed comments with the Department of Commerce expressing deep concern about its proposal to change rules that apply to foreign nationals working in the United States using sensitive equipment. The committee objected to the proposal, stating that it could place new and costly burdens on the information technology sector and universities, and exacerbate an already hostile environment for foreign-born researchers working in the U.S., while providing questionable security gains.

Cameron posted this at 3:35 pm ET | Filed in Research, ACM/USACM News

 
June 27, 2005

Grokster Ruling: Supremes Preserve Betamax Standard, Turn Toward “Active Inducement”

Update: Press Release from USACM is below.

Original Post 6/27/05: At 10:30 this morning things looked bleak for the technology industry as headlines raced across the wire “Grokster Loses in Unanimous Decision.” Now that the dust has settled a bit, the Supreme Court’s decision actually looks quite balanced. (Justice Souter wrote the opinion of the court, while Justices Breyer and Ginsburg each wrote a concurrence.)

The Justices did rule 9-0 against Grokster by overturning the 9th Circuit’s summary judgment that the Sony “safe-harbor” rule protects Grokster from any liability in this case. In doing so, however, the Court upheld the heart of Sony by not trying to quantify the tipping point of when a technology’s infringing uses outweigh its non-infringing ones, thereby creating liability for the developer. To many in the technology industry, such a vague test would have been devastating. The Justices stated:

“… because we find below that it was error to grant summary judgment to the companies on MGM’s inducement claim, we do not revisit Sony further, as MGM requests, to add a more quantified description of the point of balance between protection and commerce when liability rests solely on distribution with knowledge that unlawful use will occur. It is enough to note that the Ninth Circuit’s judgment rested on an erroneous understanding of Sony and to leave further consideration of the Sony rule for a day when that may be required.”

(The Sony rule was at the heart of this matter, as it states companies that develop technology that can be used both for infringing and non-infringing purposes cannot be held liable strictly for producing the technology. For more background on Sony see the EFF’s website.)

The court did blast both Streamcast and Grokster’s behavior. It made numerous findings that the defendants went out of their way to encourage downloaders to share copyrighted material or be in a position to facilitate this activity. (Streamcast is the other defendant in the case.) In short, the court said bad actors, even if they are not directly infringing on copyright, cannot hide behind Sony, stating:

“… holding that one who distributes a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement, is liable for the resulting acts of infringement by third parties.”

But the court did seek balance in this standard:

“The inducement rule, instead, premises liability on purposeful, culpable expression and conduct, and thus does nothing to compromise legitimate commerce or discourage innovation having a lawful promise.”

In doing so, the court creates an “inducement standard” that seems to be predicated on a company’s specific actions (e.g., sending out e-mails to its customers telling them how to download or use copyrighted material) or its business model. It seems likely that technology companies and innovators may find this standard too vague and still open to debate and interpretation. Further, given the current litigious nature of the copyright environment, the discovery process inherent in determining a company’s or developer’s intent may still be a burden on innovation. In fact, Ed Felten has some thoughtful things to say on freedom-to-tinker about the issues that this ruling raises for technology developers.

But the court’s decision could have been much worse, and its focus on behavior instead of technology is one that many in the community will likely find comforting, and it is a position that USACM has advocated for on many different technology issues.

This week we will try to post Congress’ take on the issue. Also, rumor has it that there will be a hearing on the subject in the House Judiciary Committee on Thursday. We’ll try to cover that hearing as well.

Cameron posted this at 3:11 pm ET | Filed in P2P, Analysis

 

The Supremes Rule Against Grokster

Update: We have a much more in-depth analysis and press release posted here.

This from the SCOTUS blog on the Grokster case (which we have covered in the past):

“Grokster, StreamCast Lose

The Supreme Court ruled unanimously that developers of software violate federal copyright law when they provide computer users with the means to share music and movie files downloaded from the internet.”

Here is the actual decision.

Here is the best story I’ve seen so far from the AP wire.

While this does not bode well for technologists, we have yet to read the actual decision to see the extent to which liability is extended to technology developers. You can be sure that there will be many more posts on the implication of the ruling (and we’ll put the ruling itself up when we get it). In the meantime, there are several good clearinghouses of information on the subject including:

Regular readers may recall that USACM, along with a number of law professors, filed an amicus brief in the case in support of Grokster.

Cameron posted this at 10:43 am ET | Filed in P2P

 
June 21, 2005

Latest data breach may fuel the push for federal regulation of data security

The NY Times has more information (and two follow-up articles) about the staggering loss of data at a credit card transaction processing company that came to light over the weekend:

The security breach was first reported Friday when MasterCard International said a lapse at CardSystems had allowed the installation of a rogue computer program that could extract data from the system, potentially compromising 40 million accounts of various credit cards.

MasterCard said Saturday that 68,000 of its own account numbers were especially at risk because they were in a file found to have actually been “exported from the system.” CardSystems said yesterday that the file also contained data from other cards in proportion to the volume of business it handles from each company. That would translate to about 100,000 Visa accounts and roughly 30,000 others […]

An official of the company in question, CardSystems Solutions, has admitted that the company should not have been in possession of the information that was stolen in the first place.

David posted this at 6:14 am ET | Filed in Privacy, Security

 
June 17, 2005

Senators considering ID theft solutions

Update - June 18: Details are emerging this weekend of a very large scale data breach of credit card data at a transaction processing center affecting some 40 million files. More details are available at the Washington Post and the NY Times.

Yesterday the Senate Commerce, Science & Transportation Committee held a hearing on identity theft. Senators heard testimony from, among others, Senators Schumer and Feinstein, the attorney general of Vermont, and each Federal Trade Commissioner (Deborah Platt Majoras, Orson Swindle, Thomas B. Leary, Pamela Jones Harbour, and Jon Leibowitz).

In his statement, Sen. Schumer described the numerous calls that his office and others are receiving currently from constituents on identity theft concerns, and he described how legislation that he has introduced with Sen. Nelson would empower consumers to cope with ID theft, better protect personal information, and provide for consumer notification in the event of data breaches. He also stated that, in light of the recent Citigroup data loss, language has been added to his bill to require that data in such transfers be encrypted.

EPIC has a good write-up of the hearing in their latest newsletter.

David posted this at 9:41 am ET | Filed in Privacy, Encryption, Security

 
June 15, 2005

More scrutiny of e-voting in Ireland

EDRi’s latest newsletter informs us about a recent article in the Irish Times [subscription required] describing the Irish government’s plans to subject their e-voting machines to additional security and risk-related scrutiny:

The Government has initiated a new round of assessment and testing of the controversial €60 million electronic voting system currently in storage.

An advertisement for consultants to carry out an “additional security and risk assessment of all aspects of the electronic voting and counting system” was placed on the Government’s e-tendering website yesterday.

After use on a trial basis in the last general election, the electronic voting system was put on hold when questions arose over the ownership of the electronic code underpinning the system […]

EDRi’s newsletter explains how last year the government “decided at the last minute to cancel the usage [of e-voting machines], after the Independent Commission on Electronic Voting concluded in an interim report” that it could not “satisfy itself as to the accuracy and secrecy of the system.” The commission’s full report is available here.

Meanwhile, as regular readers will know, ACM has a study underway currently looking into implementing the statewide voter-registration databases mandated by the Help America Vote Act. Study members are making good progress and expect to release a report this Fall.

David posted this at 2:25 pm ET | Filed in E-voting

 
June 14, 2005

Private investigators getting nervous

The Washington Post has an article today about the ongoing work of private investigators to prevent policymakers (and some data brokers) from limiting their access to Social Security numbers, a key tool of their trade for tracking individuals:

Private investigators are working to blunt legislation that cracks down on the active marketplace for Social Security numbers, telling Congress that restricting access to the numbers will hurt their business and hamper their investigations.

Several bills are moving through the Capitol to prevent identity thieves from getting Social Security numbers to gain access to consumers’ financial accounts. In the past year, the Social Security numbers of tens of millions of Americans have been exposed through personal data being lost, stolen or hacked.

But private investigators contend that the rush to protect privacy goes too far and would damage their ability to deliver valuable services, such as locating people who skip out on debts, commit fraud or want to avoid testifying in court […]

However, considering the scope of recent data breaches, the surge in identity thefts, and the growing public awareness and concern over the relatively easy availability of their personal information, this author doubts that private investigators are finding many sympathetic policymakers.

Later this week, the Senate Commerce, Science & Transportation Committee is scheduled to hold a hearing on identity theft, featuring witnesses from the Federal Trade Commission and the National Association of Attorneys General.

David posted this at 1:37 pm ET | Filed in Privacy, Security

 
June 13, 2005

Vint Cerf and Bob Kahn Receive Computing’s Highest Honor

On Saturday the storied team of Vint Cerf and Bob Kahn received ACM’s latest Turing Award for their work developing TCP/IP – the networking language of the Internet. The award is ACM’s highest and is considered by many to be the Nobel Prize of Computing. The Mercury News has a good story about the award.

I was able to go to the ceremony, and it was inspiring to see so many people responsible for truly critical innovations in the IT industry. What struck me was seeing different generations of greats at the same event, from Donald E. Knuth (who won the Turing Award in 1974 and wrote Art of Computer Programming) to visionary Larry Page (one of Google’s cofounders). Many spoke about both DARPA’s vision in funding Cerf and Kahn’s work and the importance of federal funding for high-risk/high-reward fundamental research.

These statements were particularly striking in light of all the attention this issue has received of late (see story #2 of our May ‘05 newsletter). Of course, the Computing Research Association has extensively covered these funding issues.

Cameron posted this at 10:21 am ET | Filed in Miscellaneous, People

 
June 10, 2005

NYT, EFF, and others push for more support for Holt e-voting bill

The NY Times is running an editorial today urging House members to support Rep. Rush Holt’s electronic voting bill (H.R. 550):

There are many problems with American elections, but none more serious than the rise of paperless electronic voting, whose results cannot be trusted. Grass-roots reformers are in the middle of a two-day lobbying blitz on Capitol Hill in support of a House bill that would require that electronic voting machines in federal elections produce voter-verifiable paper records. It is an important measure that should be passed without delay.

[…] The House resolution, sponsored by Rush Holt, a New Jersey Democrat, would require not only paper trails, but also random audits of the machines’ vote counts, and it would ban the use of undisclosed software. The bill, H.R. 550, has 135 co-sponsors, but it needs more support, especially from Republicans.

The lobbying effort that wraps up today - which is supported by groups like Common Cause and the Electronic Frontier Foundation - is aimed at winning that backing. Every member of Congress who cares about American democracy should get behind Mr. Holt’s bill.

More information about EFF’s efforts on behalf of H.R. 550 can be found on Deep Links, their weblog.

Readers may recall that ACM issued a statement in 2004 calling for voter-verifiable physical records in electronic voting systems and improved reliability, security, and verifiability of public elections.

David posted this at 8:45 am ET | Filed in E-voting

 
June 7, 2005

Citigroup reveals data loss

Update: The NY Times published a thoughtful follow-up article on data security today.

Citigroup has become the latest member of a group of large companies that have suffered major data losses or breaches in the last several months. As reported in today’s Washington Post:

A unit of financial services giant Citigroup Inc. said yesterday that a box of computer tapes with account information for 3.9 million customers had been lost in shipment, exposing a vast new swath of Americans to the increased possibility of identity theft.

The announcement from CitiFinancial, a subsidiary that provides personal and home equity loans, pushes to more than 6 million the number of U.S. consumers whose personal data have been lost or stolen in just the past six months. The spate of breaches has included federal agencies, universities, banks and other financial institutions, data brokers and data-storage companies […]

Like other companies that have suffered similar data losses lately, Citigroup is offering extended credit monitoring to its customers. However, one has to wonder just what extended credit monitoring for 90 days will accomplish – especially in light of the persistence of digital data (it tends to stick around) and the fact that most people keep their original Social Security numbers their whole lives.

David posted this at 9:12 am ET | Filed in Privacy, Encryption, Security

 
June 6, 2005

USACM Urges Reconsideration of Real ID Provisions

The Electronic Privacy Information Center (EPIC) convened a meeting today to look into the range of policy, technical, and social issues surrounding national identification systems in light of the recently passed Real ID Act, something we’ve been quite active on recently. In April, USACM sent the Senate a letter outlining its concerns about the security aspects of the database provisions and its national ID implications. However, Congress ultimately left many of the concerns of USACM and the privacy community unaddressed.

In light of today’s EPIC event, USACM issued a press release calling for a reconsideration of Real ID’s provisions (click here for the full release):

ACM’s US Public Policy Committee (USACM) added its voice to other organizations meeting in Washington today to express deep concerns over the recently passed Real ID Act, which USACM believes will create a de facto national identification system that erodes individuals’ privacy protections.

Addressing the impact on individuals’ privacy protections, USACM Chair Eugene Spafford, a renowned cybersecurity expert, said, “The act’s stated goal is to reduce terrorists’ ability to travel, but it does little to actually inhibit a dedicated terrorist from securing a valid ID. At the same time, it vastly increases the risk that an average citizen’s personal data will be stolen. This is ill-conceived security strategy and one that should be reconsidered […]”

Marc Rotenberg, EPIC’s executive director, began the meeting by pointing out how the Real ID Act had worked its way through the legislative process without any meaningful debate.

David posted this at 6:23 pm ET | Filed in Privacy, National IDs, Security, ACM/USACM News

 
June 2, 2005

NYT: Virtually Unprotected

The NY Times ran an editorial today sounding the cybersecurity alarm (again):

[…] Experts have long warned that the nation’s power, transportation and communications systems are vulnerable to “cyberattacks” that could devastate the economy and cause huge damage to life and property. Now a new government report has concluded that far too little is being done to close these gaps.

The Government Accountability Office did a rigorous review of the Department of Homeland Security’s progress on every aspect of computer security, and its findings are not reassuring. It found that the department has not yet developed assessments of the threat of a cyberattack or of how vulnerable major computer systems are to such an attack, nor has it created plans for recovering key Internet functions in case of an attack. The report also expressed concern that many of the department’s senior cybersecurity officials have left in the past year. Representative Zoe Lofgren, the California Democrat who was among those who requested the G.A.O. report, said last week that it proved that “a national plan to secure our cybernetworks is virtually nonexistent […]”

Last March, USACM – keenly aware of the vulnerabilities associated with the systems that comprise the nation’s critical infrastructure – sent a letter to the U.S. Nuclear Regulatory Commission calling for stronger cybersecurity in power plants across the nation.

Note: the GAO report, Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities (GAO-05-434), is available (PDF) here.

David posted this at 2:25 pm ET | Filed in Security, Opinion
