Interesting People mailing list archives
more on looks like IP may suffer also
From: David Farber <dave () farber net>
Date: Tue, 5 Jul 2005 04:01:29 -0400
Begin forwarded message:

From: DV Henkel-Wallace <gumby () henkel-wallace org>
Date: July 5, 2005 1:21:32 AM EDT
To: Declan McCullagh <declan () well com>
Cc: David Farber <dave () farber net>
Subject: Re: [IP] looks like IP may suffer also

I tried to look into this Specter-Leahy bill and it was interesting. First of all, it was not easy to find anything but a summary of the bill (Personal Data Privacy and Security Act) online. There is nothing on Specter's site; Leahy's site contains only a summary. Nothing on the Judicial subcommittee site nor the upcoming legislation site. Is this proposed legislation for real? My comments reflect what I saw on Leahy's site.
Second, if passed it might have a salutary effect on the use of social security numbers, although the horse has probably long since bolted. In particular, it prohibits use of SSN as an account number, or even to require such a number (not clear how this interacts with, e.g., prescription drug sales in California). Several sections also carve out a disclosure exemption which permits publication of the last four digits of the SSN (or "social," which is how it is jocularly referred to by Verizon Wireless' phone personnel when I speak to them). I find this provision exciting because it may bring an end to the use of that ridiculous mechanism as an authenticator.
Third, it isn't quite clear what it tries to enforce. If you are a commercial entity (as already discussed elsewhere) and you use an "identifier" for an "access device" (as defined elsewhere in the US code) you are covered. However, it's not clear what's personally identifiable in this regard: mail addresses can (unknown to the operator) actually be exploders and IP addresses can be NAT boxes. Does this give you a deniability exemption or not?
If the law presumes that an IP address or RFC822 address is "personally identifiable" then it does appear that both most open mailing lists (like IP) and any blog that uses google ads or amazon affiliate program would be covered, since /var/log contains "sensitive personally identifiable information" as described in the bill. In fact not just the log files, but comments, trackbacks, mail archives, or even forwarded messages appear to be covered.
Well, we could all be up in arms by a proposal that doesn't even appear to be tenuously "real" yet. But the real question is: Europe has had sensible database protection for many years, and it doesn't appear to have hurt European commerce (nor blogs nor mailing lists) any. What should such protection look like in the USA? Is this a step in the right direction or not?
-g

On 04 Jul 2005, at 18:43, David Farber wrote:
-----Original Message-----
From: politech-bounces () politechbot com [mailto:politech-bounces () politechbot com] On Behalf Of Declan McCullagh
Sent: Thursday, June 30, 2005 12:14 AM
To: politech () politechbot com
Subject: [Politech] Preliminary analysis of new Specter-Leahy data security bill: opinions? [priv]

It's worth taking a close look at the new Specter-Leahy security breach bill -- introduced Wednesday -- because it's the most comprehensive so far and the leading candidate to be enacted into law this year. It's even, at least in theory, going to be voted on in the Senate Judiciary committee on Thursday: http://judiciary.senate.gov/meeting_notice.cfm?id=1555

The sections dealing with government use of databases seem generally useful (though some loopholes exist, like the requirement that a database is "primarily" of Americans before its use is covered -- look for the FBI to start inserting random Mexican names to get around the "primarily" requirement). So let's look at the private sector components. Bear with me as we get a little technical here...

Title III of the bill erects a complex regulatory scheme around any "data broker." That's defined as a "business entity" that is in the regular business of "collecting, transmitting, or otherwise providing personally identifiable information" of 5,000 or more people that are not "customers" or "employees." Business entity is defined as any organization, including a sole proprietorship, that's in the business of making money, or a non-profit group that isn't.

Well, Politech is a sole proprietorship -- I have some Google text ads on politechbot.com that make a princely $10-$15 or so a month. If they made more I wouldn't complain. And I'm pleased to say that the list includes over 5,000 subscribers.

Do I "collect[]" personal information? 18 USC 1028(d)(7) defines that as "any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual." Mailman gives subscribers the option of typing in their name, and obviously I have everyone's email addresses. 18 USC 1028(d)(7)(C) explicitly includes any "unique electronic identification number, address, or routing code" so that seems to cover e-mail.

So that makes me a highly-regulated "data broker" unless I can skate on some other technicality. Again, I'm arguably in the business of regularly "collecting" information from people who aren't "customers" -- you don't buy anything from me. Let's assume I can't escape the rule and continue this walk-through.

If I am indeed a data broker, what must I do?

* "Clearly and accurately" disclose all relevant "personal electronic records" (maintained for disclosure to third parties) about an individual if he or she asks me.
* "Develop and publish" a set of "procedures for correcting inaccurate information."
* Offer to "investigate" "free of charge" any discrepancies.
* Provide an opportunity to insert a "100 word" notice of any dispute.

If I don't, I can be sued and fined $1,000-$2,000 per violation per day.

Title IV of the bill is far more exhausting. Any "business entity" (that term again) including a sole proprietorship that collects, accesses, transmits, stores, or disposes of personal info in digital form on over 10,000 U.S. persons must create a "data privacy and security program." Well, there are over 10,000 Politech subscribers, and that's an even broader definition (no requirement that it be limited to non-customers or that the involvement be regular). So I'm likely covered.

If that happens, I must:

* "Implement a comprehensive personal data privacy and security program"
* Create a "risk assessment" to "identify reasonably foreseeable" vulnerabilities
* "Assess the likelihood" of security breaches
* "Assess the sufficiency" of my policies to protect against them
* Protect information by encrypting it
* Publish the "terms of such program"
* Do "regular testing of key controls" to test security
* Select only superior "service providers" after doing "due diligence"
* Regularly "monitor, evaluate, and adjust" my security policies

If I don't, I can be fined up to $10,000 a day per violation.

Oh, and there's Title IV Subtitle B. It's pretty much the same definition, and requires me to:

* In the case of a security breach of the Politech subscriber list, I must notify the U.S. Secret Service and the state attorney general.
* And I must notify individual subscribers
* And I must notify consumer reporting agencies
* For individual subscribers, I must notify via physical mail to home address, or if I can't, via telephone call to your home. There's no provision for e-mail contact. But if I don't follow that procedure I violate the law.
* I also must post this notice publicly on the Web and notify "major media outlets"

If I don't follow those rules, I can be fined up to $10,000 a day per violation -- and if I "willfully" conceal the security breach, I can be fined something like $250,000 and be imprisoned for up to five years.

I recognize that senators Specter and Leahy are trying to target ChoicePoint and Acxiom and so on. But their bill, as written, does not appear to be written to include just those data warehouses. And given that they've had months and (presumably) very bright people drafting it, that makes me worried.

In fact, the definitions could cover, for instance, news organizations (many news sites arguably provide personal information on thousands of people, and People magazine's Web site certainly does). How about popular blogs that have thousands of registered users? Search engines? Google's phone number finding service? Libraries? Email service providers? Alumni organizations for schools? Charities, like Golden Gate National Parks Association? What about universities, especially in terms of all the applications they get? Sweepstakes companies?

I wonder if probable supporters of this bill -- like the ACLU and EPIC -- would enjoy having to follow all these complicated procedures (with the penalty of fines or prison terms if they don't).

I admit this is just my preliminary reading, but my sense is that these requirements will end up being another version of Sarbanes-Oxley, with the same destructive, wealth-eroding implications: http://www.politechbot.com/2005/06/16/richard-rahn-on/

Perhaps I'm wrong. I'd welcome responses (and "don't worry, trust prosecutors' discretion" is not a useful one). If I'm right, how much harm will be done in the name of "protecting privacy?"

-Declan

---

News article:
http://news.com.com/2100-7348_3-5769156.html

Text of legislation (Leahy's floor statement is below):
http://i.i.com.com/cnwk.1d/pdf/ne/2005/Specter-Leahy.pdf

Additional background material:
http://www.politechbot.com/docs/leahy.floor.statement.062905.txt
http://www.politechbot.com/docs/specter.leahy.sections.062905.doc
http://www.politechbot.com/docs/specter.leahy.summary.062905.doc

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/