Interesting People mailing list archives
more on looks like IP may suffer also
From: David Farber <dave () farber net>
Date: Tue, 5 Jul 2005 04:34:18 -0400
Begin forwarded message: From: Marc <marcaniballi () hotmail com> Date: July 5, 2005 4:20:04 AM EDT To: dave () farber net Subject: RE: [IP] looks like IP may suffer also Dave, Declan; //----- Start of conspiracy theory rant -----// In the last 5 years, your lists (and, I'm sure, many others) have beenstrongly "lobbying" among their subscribers for awareness of the laws that
are being passed on Capitol Hill. DMCA, Patriot, etc. In all cases, the analysts and pundits of these lists have pointed out valid and shocking problems with these "works."Can anyone think of anyone who would like to see Politech, IP and their ilk
go away?How long could you keep a list running at $1000 / day in fines? And let's be
realistic - while they are secured to a reasonable degree, mailing list databases are not full of credit card numbers! A talented and motivatedattacker can get his hands on any listserve mailing list. Now, given that
the "motivated attacker" can't be motivated by cash profit, what would motivate them to steal the Politech/IP mailing list?! (Executive directive?!) And let's not forget the other "data" businesses out there! All manufacturing companies keep customer data, as do retail businesses and service businesses. Loyalty programs everywhere will be forced to change dramatically (or shut down) under this legislation! This new law couldeffectively allow a form of corporate extortion to be legally conducted by
the state!Isn't it amazing how many "other" headaches this administration attempts to
cure in the resolution of a major issue! It seems that every time thisadministration has dealt with a major issue (9/11, P2P, etc.) it has also "introduced" legislation to increase executive power, reduce constitutional rights and eliminate/silence their opposition. How much more of this before
words like fascism and totalitarianism start being used to describe the American system of government? By 2008, it may be too late to save the world's best democracy from itself. //----- End of conspiracy theory rant -----// Don't worry, be happy! (Fnord found in all US media) Marc -----Original Message-----From: owner-ip () v2 listbox com [mailto:owner-ip () v2 listbox com] On Behalf Of
David Farber Sent: Monday, July 04, 2005 9:44 PM To: Ip ip Subject: [IP] looks like IP may suffer also
-----Original Message----- From: politech-bounces () politechbot com [mailto:politech-bounces () politechbot com] On Behalf Of Declan McCullagh Sent: Thursday, June 30, 2005 12:14 AM To: politech () politechbot com Subject: [Politech] Preliminary analysis of new Specter-Leahy data security bill: opinions? [priv] It's worth taking a close look at the new Specter-Leahy security breach bill -- introduced Wednesday -- because it's the most comprehensive so far and the leading candidate to be enacted into law this year. It's even, at least in theory, going to be voted on in the Senate Judiciary committee on Thursday: http://judiciary.senate.gov/meeting_notice.cfm?id=1555 The sections dealing with government use of databases seem generally useful (though some loopholes exist, like the requirement that a database is "primarily" of Americans before its use is covered -- look for the FBI to start inserting random Mexican names to get around the "primarily" requirement). So let's look at the private sector components. Bear with me as we get a little technical here... Title III of the bill erects a complex regulatory scheme around any "data broker." That's defined as a "business entity" that it's in the regular business of "collecting, transmitting, or otherwise providing personally identifiable information" of 5,000 or more people that are not "customers" or "employees." Business entity is defined as any organization, including a sole proprietorship, that's in the business of making money, or a non-profit group that isn't. Well, Politech is a sole proprietorship -- I have some Google text ads on politechbot.com that make a princely $10-$15 or so a month. If they made more I wouldn't complain. And I'm pleased to say that the list includes over 5,000 subscribers. Do I "collect[]" personal information? 18 USC 1028(d)(7) defines that as "any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual." Mailman gives subscribers the option of typing in their name, and obviously I have everyone's email addresses. 18 USC 1028(d)(7)(C) explicitly includes any "unique electronic identification number, address, or routing code" so that seems to cover e-mail. So that makes me a highly-regulated "data broker" unless I can skate on some other technicality. Again, I'm arguably in the business of regularly "collecting" information from people are aren't "customers" -- you don't buy anything frome me. Let's assume I can't escape the rule and continue this walk-through. If I am indeed a data broker, what must I do? * "Clearly and accurately" disclose all relevant "personal electronic records" (maintained for disclosure to third parties) about an individual if he or she asks me. * "Develop and publish" a set of "procedures for correcting inaccurate information." * Offer to "investigate" "free of charge" any discrepancies. * Provide an opportunity to insert a "100 word" notice of any dispute. If I don't, I can be sued and fined $1,000-$2,000 per violation per day. Title IV of the bill is far more exhausting. Any "business entity" (that term again) including a sole proprietorship that collects, accesses, transmits, stores, or disposes of personal info in digital form on over 10,000 U.S. persons must create a "data privacy and security program." Well, there are over 10,000 Politech subscribers, and that's an even broader definition (no requirement that it be limited to non-customers or that the involvement be regular). So I'm likely covered. If that happens, I must: * "Implement a comprehensive personal data privacy and security program" * Create a "risk assessment" to "identify reasonably foreseeable" vulnerabilities * "Assess the likelihood" of security breaches * "Assess the sufficiency" of my policies to protect against them * Protect information by encrypting it * Publish the "terms of such program" * Do "regular testing of key controls" to test security * Select only superior "service providers" after doing "due diligence" * Regularly "monitor, evaluate, and adjust" my security policies If I don't, I can be fined up to $10,000 a day per violation. Oh, and there's Title IV Subtitle B. It's pretty much the same definition, and requires me to: * In the case of a security breach of the Politech subscriber list, I must notify the U.S. Secret Service and the state attorney general. * And I must notify individual subscribers * And I must notify consumer reporting agencies * For individual subscribers, I must notify via physical mail to home address, or if I can't, via telephone call to your home. There's no provision for e-mail contact. But if I don't follow that procedures I violate the law. * I also must post this notice publicly on the Web and notify "major media outlets" If I don't follow those rules, I can be fined up to $10,000 a day per violation -- and if I "willfully" conceal the security breach, I can be fined something like $250,000 and be imprisoned for up to five years. I recognize that senators Specter and Leahy are trying to target ChoicePoint and Acxiom and so on. But their bill, as written, does not appear to be written to include just those data warehouses. And given that they've had months and (presumbly) very bright people drafting it, that makes me worried. In fact, the definitions could cover, for instance, news organizations (many news sites arguably provide personal information on thousands of people, and People magazine's Web site certainly does). How about popular blogs that have thousands of registered users? Search engines? Google's phone number finding service? Libraries? Email service providers? Alumni organizations for schools? Charities, like Golden Gate National Parks Association? What about universities, especially in terms of all the applications they get? Sweepstakes companies? I wonder if probable supporters of this bill -- like the ACLU and EPIC -- would enjoy having to follow all these complicated procedures (with the penalty of fines or prison terms if they don't). I admit this is just my preliminary reading, but my sense is that these requirements will end up being another version of Sarbanes-Oxley, with the same destructive, wealth-eroding implications: http://www.politechbot.com/2005/06/16/richard-rahn-on/ Perhaps I'm wrong. I'd welcome responses (and "don't worry, trust prosecutors' discretion" is not a useful one). If I'm right, how much harm will be done in the name of "protecting privacy?" -Declan --- News article: http://news.com.com/2100-7348_3-5769156.html Text of legislation (Leahy's floor statement is below): http://i.i.com.com/cnwk.1d/pdf/ne/2005/Specter-Leahy.pdf Additional background material: http://www.politechbot.com/docs/leahy.floor.statement.062905.txt http://www.politechbot.com/docs/specter.leahy.sections.062905.doc http://www.politechbot.com/docs/specter.leahy.summary.062905.doc _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/)
------------------------------------- You are subscribed as marcaniballi () hotmail com To manage your subscription, go to http://v2.listbox.com/member/?listname=ipArchives at: http://www.interesting-people.org/archives/interesting- people/
------------------------------------- You are subscribed as lists-ip () insecure org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- more on looks like IP may suffer also David Farber (Jul 05)