Information Security - Building Trust in Cyberspace iLaw Eurasia eGovernance Academy Tallinn 13-17 December 2004 James X. Dempsey Center for Democracy.

Presentation transcript:

Information Security - Building Trust in Cyberspace iLaw Eurasia eGovernance Academy Tallinn December 2004 James X. Dempsey Center for Democracy & Technology

The Elements of Trust Online
1. Protection of government secrets
   – Protection of national security information
   – Other sensitive government information
2. Protection of intellectual property - business secrets
3. Cybersecurity
   – Communications network reliability
   – Critical infrastructure protection - power, water
   – Cybercrime
4. Communications privacy
5. Data privacy (privacy of personally identifiable information)
6. E-signature and authentication
7. Consumer protection
8. Accuracy of information, defamation

Government secrets
Protection of national security information
– Definition: information generated by the government and its contractors, which, if publicly disclosed, will harm the national security.
– Important question: Can the judiciary or some other independent official review and overturn the decision of the Executive Branch to keep information secret?
Other sensitive government information
– Criminal investigative information
– Private information about individuals in the hands of the gov’t
Gov’t secrets online and off are defined the same.
Many countries deal with these issues in Freedom of Information law:

Cybersecurity
Many communications networks and other critical infrastructures are privately owned.
Cybersecurity is the shared responsibility of gov't, service providers, software and hardware makers, and users (large and small).
Cybersecurity strategy has many components:
– industry standards and sound technology design
– information sharing about threats/vulnerabilities (CERTs)
– awareness, education of all users
– R&D
– criminal law
– liability of computer/software makers under civil law?

Cybersecurity Guidelines
– OECD Guidelines for Security of Information Systems and Networks
– APEC Strategy and Statement on the Security of Info and Communications Infrastructure
– EU - Council Resolution 28
– OAS
– E-Japan Priority Policy Program (cybersecurity incorporated)
– Australia E-Security National Agenda
– US National Strategy to Secure Cyberspace & E-Government Act (cybersecurity included)

Common Themes in Int’l Guidelines
– Public-Private Partnerships
– Public Awareness
– Guidelines, International Standards
– Information Sharing
– Training and Education
– Respect for Privacy
– Vulnerability Assessment, Warning and Response
– International Cooperation

Gov’t Must Get Its Own House In Order
Government should not dictate security technologies to industry until it has solved its own problems (that is, probably never).
US E-Gov Act - Title III - limited to government systems - focuses on process, not technologies:
– Periodic assessment of risk
– Adoption of policies and procedures
– Chief Security Officer for every agency
– Security awareness training
– Detecting and responding to attacks
– Annual reports to Congress on progress
– Independent security evaluation
– Office of Management and Budget (White House) authority
Similar requirements may be appropriate for the private sector, especially the financial sector and medical data.

Privacy is an Element of Cybersecurity
“Protection of privacy is a key policy objective in the European Union. It was recognized as a basic right under Article 8 of the European Convention on Human Rights. Articles 7 and 8 of the Charter of Fundamental Rights of the EU also provide the right to respect for family and private life, home and communications and personal data.”
Communication from the Commission on Network and Information Security (2001)

OECD Cybersecurity Guidelines Emphasize Privacy
Principle 5: “Security should be implemented in a manner consistent with the values recognised by democratic societies including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency.”

Cybercrime
Crimes against computers or communications:
– Interference with availability or integrity of data: destroying data, altering data
– Interference with availability of service: denial of service attacks
– Interception of data in transit (unauthorized access to comms)
– Unauthorized access to data (cyber trespass)
– CIA - Confidentiality, Integrity, Availability
Crimes using computers:
– Fraud, dissemination of pornography, copyright infringement
– Should not be treated as separate crimes
Crimes where evidence is in a computer:
– Any crime
COE Convention on Cybercrime - good model, approach with caution

Criminal Law Has Limited Effect
Under US law, such an e-mail is absolutely illegal:
– Falsified header information - criminal and civil violation
– Hijacking another computer to send spam - criminal and aggravated civil violation
– Possible falsification of domain name registration information - criminal violation
– No valid physical address - civil violation
– No opt-out - civil violation
– Deceptive subject heading - civil violation
– Possible address harvesting - aggravated civil violation
The solution to the cybercrime problem requires:
– International cooperation
– Better technology design
– Education of users

Phishing message
– Message purporting to be from eBay
– Threatens account termination
– Asks user to update information
– Uses eBay and Trust-e logos for legitimacy
– Links to non-eBay site

Web site
– Looks like legitimate eBay site
– Asks for account and credit card info
– Sends info to phisher and not eBay
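As an added example (not part of the talk), the indicators on the two phishing slides turned into a defender-side check: it parses a message, compares the domain of every link with the domain the sender claims to write from, and looks for the threatening and data-request wording. The two sample messages, the function names and the phrase lists are constructed for this illustration.

```python
"""Heuristic phishing-indicator check (constructed example, not the talk's code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Wording that mirrors the slide's indicators: a threat against the account
# and a request to "update" account or card details (assumed phrase lists).
THREAT_PHRASES = ("terminat", "suspend", "within 24 hours", "immediately")
DATA_REQUEST_PHRASES = ("update your", "credit card", "account information", "password")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample: claims to be eBay, threatens the account, links elsewhere.
CONSTRUCTED_PHISH = """\
From: eBay Billing <billing@ebay.com>
To: member@example.org
Subject: Your eBay account will be suspended
Content-Type: text/plain; charset="us-ascii"

Dear member,
We could not verify your billing details. Update your account information
within 24 hours or your account will be terminated.
Click here: http://ebay-secure-login.example.net/update.php
"""

# Constructed sample of a message whose links stay on the sender's domain.
CONSTRUCTED_LEGIT = """\
From: eBay <noreply@ebay.com>
To: member@example.org
Subject: Your item sold
Content-Type: text/plain; charset="us-ascii"

Congratulations, your item sold. View details at https://www.ebay.com/mys/home
"""


def registrable_domain(host: str) -> str:
    """Crude organisation-level domain: the last two labels. Adequate for
    ebay.com-style names; a production tool would consult the public suffix
    list so that e.g. co.uk is not treated as an organisation."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the sorted indicator names present in an RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_addr = parseaddr(msg.get("From", ""))[1]
    sender_domain = registrable_domain(sender_addr.split("@")[-1])
    text = (msg.get("Subject", "") + "\n" + msg.get_content()).lower()
    found = set()

    # 1. Links that leave the domain the message claims to come from.
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and registrable_domain(host) != sender_domain:
            found.add("link_outside_sender_domain")

    # 2. Pressure: the account is threatened with termination or suspension.
    if any(p in text for p in THREAT_PHRASES):
        found.add("threat_to_account")

    # 3. The reader is asked to hand over account or payment data.
    if any(p in text for p in DATA_REQUEST_PHRASES):
        found.add("requests_account_or_payment_data")

    return sorted(found)


if __name__ == "__main__":
    print("phish :", phishing_indicators(CONSTRUCTED_PHISH))
    print("legit :", phishing_indicators(CONSTRUCTED_LEGIT))
```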

Intercepted Phishing E-mails (chart) Source: MessageLabs Intelligence Annual Security Report. December 6, 2004

Investigation of Cybercrime
To investigate cybercrime and crimes facilitated by computer, law enforcement agencies need access to:
– content of communications;
– transactional (or traffic) data;
– stored data;
– data identifying subscriber (e.g., name)

COE Cybercrime Treaty - Art. 15
“Each party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this section are subject to conditions and safeguards provided for under its domestic law, which shall provide for adequate protection of human rights and liberties ….
“Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.”

Surveillance Standards
– Standards specified in legislation
– Independent approval (preferably judicial)
– Limited to serious crimes
– Strong factual basis
– Exhaustion of other approaches
– Surveillance limited in scope and duration
– Minimization - evidence of wrongdoing
– Use limitation - criminal justice and national security
– Notice to target after completion of investigation
– Redress for violations of standards
European Court of Human Rights

Elements of Surveillance Law - Real-Time Interception - ECHR
– Standards for interception must be spelled out clearly in legislation, with sufficient precision to protect against arbitrary application.
– Approval should be obtained from an independent official (preferably a judge).
– Only for the investigation of serious offenses.
– Only upon a strong factual showing of reason to believe that the target of the search is engaged in criminal conduct.
– Only when it is shown that other less intrusive techniques will not suffice.

Elements of Surveillance Law - 2
– Each surveillance order should cover only specifically designated persons or accounts.
– The rules should be technology neutral – all one-to-one communications should in general be treated the same, whether they involve voice, fax, images or data, wireline or wireless, digital or analog.
– The scope and length of time of the interception should be limited.
– The surveillance should be conducted in such a way as to reduce the intrusion on privacy to the minimum necessary to obtain the needed evidence.

Elements of Surveillance Law - 3
– Information seized or intercepted for criminal investigative purposes may not be used for other ends (except national security).
– Summary reports back to the approving judge.
– In criminal investigations, all those who have been the subject of interception should be notified after the investigation concludes, whether or not charges result.
– Personal redress should be provided for violations of the privacy standards.

Transactional Data
Also known as traffic data - connection data, dialed numbers, IP addresses, time, date, duration ….
Disclosure implicates privacy interests. Malone, ECHR.
But real-time surveillance may be authorized under a standard lower than that applicable to content interception and for all crimes.
Internet poses a special challenge: drawing the line between content and traffic data. COE, Explanatory Report, para. 227.

Stored Data
May be content or traffic data.
Data stored with user - treated like any other evidence in the home or office and subject to protections accorded written documents.
Data stored with service provider or other third party - disclosure generally implicates privacy interests.
Distinction may be drawn between immediate seizure and procedures for delivery to government:
– Immediate seizure usually requires highest form of approval.
– Voluntary disclosures by service providers permitted in some cases - exceptions should be narrowly drawn.

Data Retention
Should service providers be required to keep traffic data beyond the time needed operationally?
– EU law permits but does not require states to adopt data retention laws.
– COE Cybercrime Treaty does not require companies to retain data or modify their systems to facilitate interception.
– US law does not require data retention.
– US law and the COE treaty provide for data preservation upon government request, with disclosure based on appropriate authorization.

Encryption
On balance, strong encryption contributes to security and prevention of crime more than it facilitates crime.
– OECD Guidelines and 1998 EC report supported availability of encryption.
– Canada, Germany, Ireland, France, Belgium, US, among others, have eliminated or loosened restrictions on encryption.
“The use of encryption technologies … [is] becoming indispensable, particularly with the growth in wireless access.” EC Communication, Creating a Safer Info Society, 2001.

Anonymity
“In order to … enhance the free expression of information and ideas, member states should respect the will of users not to disclose their identity.” COE Declaration
“An increasing variety of authentication mechanisms is required to meet our different needs in the environments in which we interact. In some environments, we may need or wish to remain anonymous.” EC Communication
“People who have been stealing our movies believe they are anonymous on the Internet. They are wrong. We know who they are, and we will go after them.” MPAA Pres. Dan Glickman, Washington Internet Daily, Nov 5, 2004

Summary
– Privacy and security are two sides of the same coin.
– Cybercrime legislation is one component of cybersecurity.
– Government will need access to communications and data, subject to procedural safeguards.
– Network security is the shared responsibility of the gov’t and the private sector.
  – Gov't protects its own networks, contributes to awareness, info sharing, R&D.
– Government should not impose technical mandates.
– Laws will not make computer networks more secure. The problem of cybersecurity will be solved only when makers of computer technology build more secure systems and when owners, operators and users of computer systems operate their systems in a more secure manner.

Consumer Privacy
Consumer privacy protection in the US and Europe, as well as under the guidelines of the OECD, is based on the following principles:
– Notice and Consent
– Collection Limitation
– Use/Disclosure Limitation
– Retention Limitation
– Accuracy
– Access
– Security
– Enforcement
EU data protection directive, 95/46/EC

EU Electronic Communications Privacy Directive
Article 4 - a provider of a publicly available electronic communications service must take appropriate technical and organizational measures to safeguard the security of its services.
Article 5 - Member States are required to adopt national legislation to ensure the confidentiality of communications.
– Expressly extends this confidentiality obligation to traffic data.
– Such laws should prohibit listening, tapping, storage or other kinds of interception or surveillance of communications without the consent of the users concerned or pursuant to strictly limited legal authority, as permitted under Article 15.
Article 9 - location data can be collected and used only in anonymous form or with the consent of users, to the extent and for the duration necessary for the provision of value added services.

EU Electronic Communications Privacy Directive
Article 6 - As a general rule, traffic data must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication.
– Limited data storage for billing permitted.
Article 7 - Subscribers have the right to receive non-itemized bills if they do not want records kept of their calling behavior.
Article 8 - Where Caller ID is offered, the service provider must offer calling parties, free of charge, the possibility to easily block presentation of the calling line number on a per-call and per-line basis. Must offer the called party the possibility to reject incoming calls where presentation of Caller ID has been blocked by the calling party.

EU Electronic Communications Privacy Directive
Article 15 (1) provides that Member States may adopt legislative measures to restrict the scope of rights and obligations provided in Articles 5 (confidentiality of communications), 6 (automatic erasure of transactional data), 8 (regarding caller ID) and 9 (regarding location information) when the restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defense, or public security or for the prevention, investigation, detection and prosecution of criminal offenses or to prevent unauthorized use of the electronic communications system.

Privacy by Design
Building privacy into the technology.
Collection limitation
– Don’t transmit, collect, retain, or share data unless essential
– Example: Log retention
Authentication ≠ Identification
– Limit personally identifiable data
– Allow for anonymity, pseudonymity, proxies, trust agents
Enhance user control

Privacy by Design
P3P - the Platform for Privacy Preferences
User control
– E.g., wireless location: handset versus network
Privacy Enhancing Technology
– Encryption
– Anonymizers
– Free or pre-paid services
– Cash - the best privacy technology in the world
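An added example, not the talk's own code, that applies the Article 6 rule from the directive slide (erase or anonymise traffic data once it is no longer needed, with limited storage for billing) together with the privacy-by-design points above (collection limitation, log retention, pseudonymity) to a service's access log. The record layout, the retention windows, the key and the sample entries are assumptions constructed for this illustration.

```python
"""Privacy-by-design handling of access/traffic logs (constructed example)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Retention windows are assumptions for this example, not figures from the talk.
OPERATIONAL_RETENTION = timedelta(days=7)   # troubleshooting / abuse handling
BILLING_RETENTION = timedelta(days=90)      # billing disputes only


@dataclass
class LogRecord:
    when: datetime
    client: str     # network prefix only, never the full address
    subject: str    # keyed pseudonym, never the raw user id
    resource: str   # path only, never the query string
    billable: bool


def minimise(when, client_ip, user_id, url, billable, key: bytes) -> LogRecord:
    """Collection limitation applied at write time: store only what is essential."""
    addr = ipaddress.ip_address(client_ip)
    prefix = 24 if addr.version == 4 else 48
    network = str(ipaddress.ip_interface(f"{client_ip}/{prefix}").network)
    # HMAC under a provider-held key: stable per user, so abuse can still be
    # correlated and bills produced, but not reversible without the key
    # (pseudonymity rather than identification).
    pseudonym = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]
    return LogRecord(when, network, pseudonym, urlsplit(url).path, billable)


def apply_retention(records, now):
    """Erase traffic data once no longer needed; keep only billing essentials longer."""
    kept = []
    for r in records:
        age = now - r.when
        if age <= OPERATIONAL_RETENTION:
            kept.append(r)
        elif r.billable and age <= BILLING_RETENTION:
            # Billing needs the account and the time, not the client network
            # or the resource fetched: strip those fields.
            kept.append(LogRecord(r.when, "", r.subject, "", True))
        # Anything older is dropped outright: retention limitation.
    return kept


def demo():
    """Constructed entries around a fixed 'now'; returns (minimised, retained)."""
    key = b"constructed-secret-key"   # in practice: stored separately, rotated
    now = datetime(2004, 12, 15, tzinfo=timezone.utc)
    records = [
        minimise(now - timedelta(days=1), "203.0.113.42", "alice",
                 "https://shop.example/cart?item=42&card=4111", False, key),
        minimise(now - timedelta(days=30), "198.51.100.7", "alice",
                 "https://shop.example/checkout?order=17", True, key),
        minimise(now - timedelta(days=30), "2001:db8:1234:5678::9", "bob",
                 "https://shop.example/browse", False, key),
        minimise(now - timedelta(days=120), "203.0.113.9", "bob",
                 "https://shop.example/checkout?order=3", True, key),
    ]
    return records, apply_retention(records, now)


if __name__ == "__main__":
    for r in demo()[1]:
        print(r)
```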

Spam Percentage in E-mail (chart) Source: MessageLabs Intelligence Annual Security Report. December 6, 2004

EU Electronic Communications Privacy Directive
– Spam - opt-in (prior relationship - opt-out)
– Traffic data marketing - opt-in
– Cookies - opt-out
  – clear and precise information on their purposes and the opportunity to refuse them.
– Directories - opt-out
– Data retention - permitted but not required for law enforcement or national security - disclosure requires independent approval
Directive 2002/58/EC

Consumer Protection
Success of e-commerce depends on the legal system recognizing and promptly enforcing electronic contracts (business to business and business to consumer).
Consumer protection includes:
– Prohibition on misleading advertising
– Regulation of consumer financial services and credit
– Rules against fraudulent billing
– Complaint resolution
– Right to refund if goods are not delivered or defective

Consumer Protection
Before closing a contract, the consumer should be provided:
– Identity and address of supplier
– Description of goods and their price
– Procedure for payment, delivery and performance (if buying a service)
– Notice of “right of withdrawal”
European Parliament & Council Directive 97/7/EC (17 February 1997) on the protection of consumers in respect of distance contracts – http://europa.eu.int/information_society/topics/ebusiness/ecommerce/3information/law&ecommerce/legal/documents/31997L0007/31997L0007_en.html
European Parliament & Council Directive 2000/31/EC (8 June 2000) on electronic commerce – http://europa.eu.int/ISPO/ecommerce/legal/documents/2000_31ec/2000_31ec_en.pdf

Electronic Signatures
Four sets of issues:
– “Writing”
– “Signature”
– Identity
– Confidentiality, integrity, non-repudiation
Definitions
– Electronic signature - any authentication by electronic means.
– Digital signature - specific kind of e-signature using encryption.
First step - assess the legal barriers to online commerce

E-Signatures - Int’l Models
– Model Law for Electronic Commerce developed by the United Nations Commission on International Trade Law (UNCITRAL)
– UNCITRAL Model Law on Electronic Signatures
– EU E-Signature Directive
These models recommend a very complicated structure - they try to solve all problems at once, including the very difficult question of stranger-to-stranger transactions.

Electronic Signatures
– The focus on e-signature laws is often misplaced. E-signature legislation is not the most important policy reform needed to support e-commerce and ICT development.
– For e-commerce to flourish, other legal reforms are needed:
  – Banking Reforms
  – Credit cards
  – Electronic Funds Transfer
  – Redress
  – Consumer Protection Rules
  – Enforcement of Contracts - Judicial System
– A simple e-signature law based on “business choice” can resolve most of the basic questions facing e-commerce.

Electronic Signatures
– Most B2B commerce is not between strangers.
– Most B2C commerce does not draw trust from the signature.
– It is very hard, and probably not necessary, to solve the pure stranger-to-stranger

Simple Approach to Electronic Signatures
– “Business choice:” Parties to a transaction should be allowed to adopt any technology they mutually agree upon in conducting their e-commerce activities.
– Limit government involvement: avoid government involvement in e-commerce systems that would limit the development of competition or market choice, e.g. licensing requirements.
– Technology neutrality - National e-signature laws should not exclusively require any particular technology for creating electronic signatures.
  – OK: presumption of legal validity for electronic signatures that use PKI technology.
  – Not acceptable to make PKI the only legally recognized technology for e-signatures.
  – Except: government may require particular standards or technologies (e.g., PKI) in interactions with government.

More Information
– Global Internet Policy Initiative (GIPI)
– Center for Democracy and Technology (CDT)
– Information Technology Security Handbook, infoDev project, World Bank (Dec. 2003)
– International Guide to Combatting Cybercrime, American Bar Association (2003)