more on looks like IP may suffer also

[David Farber <dave () farber net>]

Begin forwarded message:

From: DV Henkel-Wallace <gumby () henkel-wallace org>
Date: July 5, 2005 1:21:32 AM EDT
To: Declan McCullagh <declan () well com>
Cc: David Farber <dave () farber net>
Subject: Re: [IP] looks like IP may suffer also


I tried to look into this Specter-Leahy bill and it was interesting.

First of all, it was not easy to find anything but a summary of the  
bill (Personal Data Privacy and Security Act) online.  There is  
nothing on Specter's site; Leahy's site contains only a summary.   
Nothing on the Judicial subcommittee site nor the upcoming  
legislation site.  Is this proposed legislation for real?  My  
comments reflect what I saw on Leahy's site.

Second, if passed it might have a salutory effect on the use of  
social security numbers, although the horse has probably long since  
bolted.  In particular, it prohibits use of SSN as an account number,  
or even to require such a number (not clear how this interacts with,  
e.g., prescription drug sales in California).  Several sections also  
carve out a disclosure exemption which permits publication of the  
last four digits of the SSN (or "social" which is how it is jocularly  
referred to by Verizon Wireless' phone personnel when I speak to  
them).  I find this provision exciting because it may bring an end to  
the use of that ridiculous mechanism as an authenticator.

Third, it isn't quite clear what it tries to enforce.  If you are a  
commercial entity (as already discussed elsewhere) and you use an  
"identifier" for an "access device" (as defined elsewhere in the US  
code) you are covered.  However it's not clear what's personally  
identifiable in this regards: mail addresses can (unknown to be  
operator) actually be exploders and IP addresses can be NAT boxes.   
Does this give you a deniability exemption or not?

If the law presumes that an IP address or RFC822 address is  
"personally identifiable" then it does appear that both most open  
mailing lists (like IP) and any blog that uses google ads or amazon  
affiliate program would be covered, since /var/log contains  
"sensitive personally identifiable information" as described in the  
bill.  In fact not just the log files, but comments, trackbacks, mail  
archives, or even forwarded messages appear to be covered.

Well, we could all be up in arms by a proposal that doesn't even  
appear to be tenuously "real" yet.  But the real question is: Europe  
has had sensible database protection for many years, and it doesn't  
appear to have hurt European commerce (nor blogs nor mailing lists)  
any.  What should such protection look like in the USA?  Is this a  
step in the right direction or not?

-g


On 04 Jul 2005, at 18:43, David Farber wrote:


> > -----Original Message-----
> > From: politech-bounces () politechbot com
> > [mailto:politech-bounces () politechbot com] On Behalf Of Declan  
> > McCullagh
> > Sent: Thursday, June 30, 2005 12:14 AM
> > To: politech () politechbot com
> > Subject: [Politech] Preliminary analysis of new Specter-Leahy data  
> > security
> > bill: opinions? [priv]
> >
> > It's worth taking a close look at the new Specter-Leahy security  
> > breach
> > bill -- introduced Wednesday -- because it's the most  
> > comprehensive so
> > far and the leading candidate to be enacted into law this year. It's
> > even, at least in theory, going to be voted on in the Senate  
> > Judiciary
> > committee on Thursday:
> > http://judiciary.senate.gov/meeting_notice.cfm?id=1555
> >
> > The sections dealing with government use of databases seem generally
> > useful (though some loopholes exist, like the requirement that a
> > database is "primarily" of Americans before its use is covered --  
> > look
> > for the FBI to start inserting random Mexican names to get around the
> > "primarily" requirement). So let's look at the private sector  
> > components.
> >
> > Bear with me as we get a little technical here...
> >
> > Title III of the bill erects a complex regulatory scheme around any
> > "data broker." That's defined as a "business entity" that it's in the
> > regular business of "collecting, transmitting, or otherwise providing
> > personally identifiable information" of 5,000 or more people that are
> > not "customers" or "employees." Business entity is defined as any
> > organization, including a sole proprietorship, that's in the  
> > business of
> > making money, or a non-profit group that isn't.
> >
> > Well, Politech is a sole proprietorship -- I have some Google text  
> > ads
> > on politechbot.com that make a princely $10-$15 or so a month. If  
> > they
> > made more I wouldn't complain. And I'm pleased to say that the list
> > includes over 5,000 subscribers.
> >
> > Do I "collect[]" personal information? 18 USC 1028(d)(7) defines  
> > that as
> > "any name or number that may be used, alone or in conjunction with  
> > any
> > other information, to identify a specific individual." Mailman gives
> > subscribers the option of typing in their name, and obviously I have
> > everyone's email addresses. 18 USC 1028(d)(7)(C) explicitly  
> > includes any
> > "unique electronic identification number, address, or routing  
> > code" so
> > that seems to cover e-mail.
> >
> > So that makes me a highly-regulated "data broker" unless I can  
> > skate on
> > some other technicality. Again, I'm arguably in the business of
> > regularly "collecting" information from people are aren't  
> > "customers" --
> > you don't buy anything frome me. Let's assume I can't escape the rule
> > and continue this walk-through.
> >
> > If I am indeed a data broker, what must I do?
> >
> > * "Clearly and accurately" disclose all relevant "personal electronic
> > records" (maintained for disclosure to third parties) about an
> > individual if he or she asks me.
> > * "Develop and publish" a set of "procedures for correcting  
> > inaccurate
> > information."
> > * Offer to "investigate" "free of charge" any discrepancies.
> > * Provide an opportunity to insert a "100 word" notice of any  
> > dispute.
> >
> > If I don't, I can be sued and fined $1,000-$2,000 per violation  
> > per day.
> >
> > Title IV of the bill is far more exhausting. Any "business  
> > entity" (that
> > term again) including a sole proprietorship that collects, accesses,
> > transmits, stores, or disposes of personal info in digital form on  
> > over
> > 10,000 U.S. persons must create a "data privacy and security  
> > program."
> >
> > Well, there are over 10,000 Politech subscribers, and that's an even
> > broader definition (no requirement that it be limited to non- 
> > customers
> > or that the involvement be regular). So I'm likely covered. If that
> > happens, I must:
> >
> > * "Implement a comprehensive personal data privacy and security  
> > program"
> > * Create a "risk assessment" to "identify reasonably foreseeable"
> > vulnerabilities
> > * "Assess the likelihood" of security breaches
> > * "Assess the sufficiency" of my policies to protect against them
> > * Protect information by encrypting it
> > * Publish the "terms of such program"
> > * Do "regular testing of key controls" to test security
> > * Select only superior "service providers" after doing "due  
> > diligence"
> > * Regularly "monitor, evaluate, and adjust" my security policies
> >
> > If I don't, I can be fined up to $10,000 a day per violation.
> >
> > Oh, and there's Title IV Subtitle B. It's pretty much the same
> > definition, and requires me to:
> >
> > * In the case of a security breach of the Politech subscriber list, I
> > must notify the U.S. Secret Service and the state attorney general.
> > * And I must notify individual subscribers
> > * And I must notify consumer reporting agencies
> > * For individual subscribers, I must notify via physical mail to home
> > address, or if I can't, via telephone call to your home. There's no
> > provision for e-mail contact. But if I don't follow that procedures I
> > violate the law.
> > * I also must post this notice publicly on the Web and notify "major
> > media outlets"
> >
> > If I don't follow those rules, I can be fined up to $10,000 a day per
> > violation -- and if I "willfully" conceal the security breach, I  
> > can be
> > fined something like $250,000 and be imprisoned for up to five years.
> >
> > I recognize that senators Specter and Leahy are trying to target
> > ChoicePoint and Acxiom and so on. But their bill, as written, does  
> > not
> > appear to be written to include just those data warehouses. And given
> > that they've had months and (presumbly) very bright people  
> > drafting it,
> > that makes me worried.
> >
> > In fact, the definitions could cover, for instance, news  
> > organizations
> > (many news sites arguably provide personal information on  
> > thousands of
> > people, and People magazine's Web site certainly does). How about
> > popular blogs that have thousands of registered users? Search  
> > engines?
> > Google's phone number finding service? Libraries? Email service
> > providers? Alumni organizations for schools? Charities, like  
> > Golden Gate
> > National Parks Association? What about universities, especially in  
> > terms
> > of all the applications they get? Sweepstakes companies? I wonder if
> > probable supporters of this bill -- like the ACLU and EPIC -- would
> > enjoy having to follow all these complicated procedures (with the
> > penalty of fines or prison terms if they don't).
> >
> > I admit this is just my preliminary reading, but my sense is that  
> > these
> > requirements will end up being another version of Sarbanes-Oxley,  
> > with
> > the same destructive, wealth-eroding implications:
> > http://www.politechbot.com/2005/06/16/richard-rahn-on/
> >
> > Perhaps I'm wrong. I'd welcome responses (and "don't worry, trust
> > prosecutors' discretion" is not a useful one). If I'm right, how much
> > harm will be done in the name of "protecting privacy?"
> >
> > -Declan
> >
> > ---
> >
> > News article:
> > http://news.com.com/2100-7348_3-5769156.html
> >
> > Text of legislation (Leahy's floor statement is below):
> > http://i.i.com.com/cnwk.1d/pdf/ne/2005/Specter-Leahy.pdf
> >
> > Additional background material:
> > http://www.politechbot.com/docs/leahy.floor.statement.062905.txt
> > http://www.politechbot.com/docs/specter.leahy.sections.062905.doc
> > http://www.politechbot.com/docs/specter.leahy.summary.062905.doc
> > _______________________________________________
> > Politech mailing list
> > Archived at http://www.politechbot.com/
> > Moderated by Declan McCullagh (http://www.mccullagh.org/)
>
>
> -------------------------------------
> You are subscribed as gumby3 () henkel-wallace org
> To manage your subscription, go to
>  http://v2.listbox.com/member/?listname=ip
>
> Archives at: http://www.interesting-people.org/archives/interesting- 
> people/



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/