Privacy And Surveillance

A history of worldwide and US Privacy laws and concepts, review of cellphone surveillance technology

Privacy And Surveillance Presentation Transcript

  • 1. Privacy Laws and Surveillance Sarah Cortes, PMP, CISA www.inmantechnologyIT.com Sarah’s blog: SecurityWatch Sarah’s ITtechEx column twitter: SecuritySpy LinkedIn: Sarah Cortes
  • 2. Privacy and Surveillance Agenda
    • Who are we? InmanTechnologyIT
    • Current Legal Overview
      • Worldwide
      • US
    • US Legal Summary
    • Historical Overview
      • History of cellphone technology
      • Origin of cellphone surveillance-1990s
      • Cellphone surveillance categories
      • Surveillance requests
    • Privacy concepts
    • Classifications
      • Cellphone surveillance categories
    • CALEA
    • Timeline
    • California Laws
    • Massachusetts Law
  • 3. Privacy and Surveillance Table of Contents
    • Who are we? InmanTechnologyIT
    • Current Legal Overview
      • 6- Worldwide Overview
      • 7- Legal History
      • 8- US Legal overview
      • 9- Recent US Legal Activity
      • 10- US laws cited in Sen 773
      • 11- US Legal summary 1, 2
      • 13- Wiretapping vs. “Location technology”
      • 14- History of US Wiretap laws/rulings 1,2
      • 16-1998-2008 US Wiretaps Authorized
    • Cellphone surveillance
      • 13- History of cellphone technology
      • 14- Origin of cellphone surveillance-1990s
      • 15- Cellphone surveillance categories
      • 16- Surveillance requests
      • 17- Cellphone location methods, 1, 2
  • 4. Privacy and Surveillance Table of Contents
    • Specific Laws
      • 19- CALEA
      • 20- CALEA- ANSI / TIA J-STD-025
      • 22- CALEA 2005-6 revisions
      • 24- CALEA Extension to VoIP & ISPs
      • 25- California Laws
      • 26- Massachusetts Law
      • 27- Legal Jurisdiction
      • 28- High-profile data breaches
      • 29- Calling in the Experts
  • 5. Sarah Cortes, PMP, CISA
    • Clients:
      • Harvard University
      • Biogen
      • Fidelity
    • Professional Associations:
      • Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature
    • Practice expertise
      • Complex Application Development/Implementation
      • IT Security/Privacy/Risk Management/Audit Management
      • Data Center Operations Management
      • Disaster Recovery/High Availability
      • Program/Project Management
    • Background
      • SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
      • As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
      • Coordinated over 65 audits per year
      • Previously ran major applications development for Trading/Analytics Systems
  • 6. Privacy and Surveillance Worldwide Legal Overview
    • UK and 47 European States
      • Article 8 of the European Convention on Human Rights
    • Canada
      • Personal Information Protection and Electronic Documents Act 1995-2004
    • Australia: Privacy Act of 1988
    • US: Multiple Federal Laws in 14 categories; plus:
      • Over 80 State of California Laws
      • State of Massachusetts Law
      • State of New Jersey Proposed Law
      • California Law now followed by similar laws in more than 40 states
  • 7. Privacy and Surveillance Legal History
    • Worldwide
      • Universal Declaration of Human Rights
      • UK – English Law and Prince Albert
    • US
      • Brandeis-Warren
      • Not explicit in US constitution
      • Prosser – 4 areas
      • Katz
      • Griswold v. Connecticut
        • Penumbras
      • Roe v. Wade
  • 8. Privacy and Surveillance US Legal Overview
    • Federal classifications:
      • Health privacy laws
      • Online privacy laws
      • Financial privacy laws
      • Communication privacy laws
      • Information privacy laws
      • Laws regarding privacy in one’s home
    • California classifications:
      • Health Information Privacy
      • Online Privacy
      • Constitutional Right to Privacy
      • Office of Privacy Protection
      • General Privacy
      • Identity Theft
      • Unsolicited Commercial Communications
  • 9. Privacy and Surveillance Recent US Legal Activity
    • 5/5/09 – Sen. xxx- Information and Communications Enhancement (ICE) Act of 2009 – creates White House Cyber CISO
    • 4/1/09 - Sen. 773 - Cybersecurity Act of 2009 – “kill-switch bill”
    • 3/3/2009- Latest Revision of US Criminal Code, Title 18, Pt. I, Chap. 119, § 2511 – it is a federal crime to tap a phone – “Interception and disclosure of wire, oral, or electronic communications prohibited”
    • 2/17/09- Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of American Recovery and Reinvestment Act of 2009
  • 10. Privacy and Surveillance US Legal Summary, cited in Sen. 773 (Cybersecurity Act of 2009)
    • (1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa);
    • (2) the Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510 note);
    • (3) the Computer Security Act of 1987 (15 U.S.C. 271 et seq.; 40 U.S.C. 759);
    • (4) the Federal Information Security Management Act of 2002 (44 U.S.C. 3531 et seq.);
    • (5) the E-Government Act of 2002 (44 U.S.C. 9501 et seq.);
    • (6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et seq.)
  • 11. Privacy and Surveillance US Legal Summary
    • Health privacy laws
      • 1996-Health Insurance Portability and Accountability Act (HIPAA)
      • 1974-The National Research Act
    • Financial privacy laws
      • 1970-Bank Secrecy Act
      • 1998-Federal Trade Commission
      • 1999-Gramm-Leach-Bliley Act-GLB
      • 2002-Sarbanes-Oxley Act-SOX
      • 2003-Fair and Accurate Credit Transactions Act
    • Online privacy laws
      • 1986-Electronic Communications Privacy Act-ECPA-pen registers
      • 1986-Stored Communications Act-SCA
  • 12. Privacy and Surveillance US Legal Summary (cont’d)
    • Communication privacy laws
      • 1978-Foreign Intelligence Surveillance Act (FISA)
      • 1984-Cable Communications Policy Act
      • 1986-Electronic Communications Privacy Act (ECPA)
      • 1994-Digital Telephony Act - Communications Assistance for Law Enforcement Act-“CALEA” 18 USC 2510-2522
      • 2005-6 CALEA expansions
    • Education Privacy Laws
      • 1974-Family Educational Rights and Privacy Act-FERPA
    • Information privacy laws
      • 2001-US Patriot Act – expanded pen registers
    • Laws regarding privacy in the home
    • Other
      • 2005-Privacy Act - sale of online PII data for marketing
      • 1974-Privacy Act
  • 13. Privacy and Surveillance Wiretapping vs. “Location technology”
    • Wiretapping- allowing simultaneous or recorded eavesdropping of actual conversations.
    • “Location technology” - use of a “pen register” or “trap-and-trace device” to identify the physical location of a device (cellphone) at an exact moment in time.
    • You can learn much more than you think simply by identifying “location.”
    • May, 2009 – Boston’s “craigslist killer” was identified by “location” technology.
  • 14. Privacy and Surveillance History of US Wiretap laws/rulings
    • Wiretapping’s cool:
    • 1928-Olmstead v. United States, 277 U.S. 438;
    • Dissented by privacy rock star Louis Brandeis and overruled by:
    • Not really, wiretapping violates 4th Amendment:
    • 1967-Katz v. United States, 389 U.S. 347, and
    • 1967-Berger v. New York, 388 U.S. 41
    • It is also a Federal Crime:
    • 1968- Omnibus Crime Control and Safe Streets Act of 1968
    • 1994-Digital Telephony Act - Communications Assistance for Law Enforcement Act-“CALEA” 18 USC 2510-2522
    • 1/3/2007-Latest CALEA version: Title 18 USC, Pt. I, Chap. 119, § 2511
  • 15. Privacy and Surveillance History of US Wiretap laws/rulings
    • But if you’re the President it’s cool.
    • But if you’re the government and get a warrant, it’s Ok, too.
    • But even warrantless wiretapping is Ok too, if the target is a “foreign enemy.” Which means anybody, including us! Cool.
    • 1978-Foreign Intelligence Surveillance Act (FISA)
    • 1984-Cable Communications Policy Act
    • 1986-Electronic Communications Privacy Act (ECPA)
    • But actually, just kidding, now the government can wiretap anybody. But you can’t. Legally, that is.
    • 10/26/2001 – US Patriot Act – revised multiple laws
    • Technically, it’s easy and everybody knows how. Well lots of people do.
  • 16. Privacy and Surveillance 1998-2008 US Wiretaps Authorized
    • Table 7: Authorized Intercepts Granted Pursuant to 18 U.S.C. 2519 as Reported in Wiretap Reports for Calendar Years 1998 – 2008
    • Total authorized by Wiretap Report year (reported through Dec 2008):
      • 1998: 1,447
      • 1999: 1,546
      • 2000: 1,386
      • 2001: 1,695
      • 2002: 1,543
      • 2003: 1,788
      • 2004: 1,992
      • 2005: 2,100
      • 2006: 2,306
      • 2007: 2,208
      • 2008: 1,891
  • 17. Privacy and Surveillance History of cellphone technology
    • 1990s – cell companies started to transform communications
    • McCaw Cellular dominated carriers
    • McCaw cellular sold to AT&T in 1994 for $11.4 billion
    • Craig McCaw was highest-paid CEO in the US
    • Criminals accounted for 70% of traffic
  • 18. Privacy and Surveillance Origin of cellphone surveillance-1990s
    • Carriers originally tracked call initiation and termination to reimburse each other
    • Surveillance-capable technology was baked into telco equipment
    • Criminals accounted for 70% of cellular traffic, cloning analog cellphones
    • Earliest cellphone surveillance was carriers pinpointing the location of bandwidth thieves
    • Legendary hacker Kevin Mitnick was caught by law enforcement, using a cellular modem that was detected by “location-aware technologies” developed by the phone companies to fight fraud
    • Move from analog to digital left law enforcement without required equipment
  • 19. Privacy and Surveillance Cellphone surveillance categories
    • Pen register-ECPA- subpoena w/o judicial review
    • Subscriber information-CALEA- subpoena w/o judicial review
    • Network “location” information-CALEA-cell towers, specific calls- requires judicial review
      • Past- Historical data - Who was using a specific tower at a specific moment in time, or where was a particular customer during a specific timeframe. Covered by CALEA
      • Present - Ping data - Network operators and some third-party providers are able to send a one-time ping to a phone to locate it at a specific time. Not covered by CALEA
      • Future - Prospective data - By tracking phones over a long period of time, and mapping individuals' traffic, or larger traffic flows, it’s possible to predict where people are likely to be. Not covered by CALEA
  • 20. Privacy and Surveillance Cellphone surveillance requests
    • All subscribers near a particular cell tower in a ten-minute period, hoping to locate witnesses to a drug transaction
    • Provider might sell location information to a jealous spouse as a “family finder” service
    • Information on a missing child - company ordered to ping a phone every 15 minutes for 24 hours
    • All phone numbers contacted by a mobile phone found in a container ship that contained counterfeit condoms: carriers refused
    • Google only responds to search warrants about location info
    • Totalitarian Governments tracking employees of human rights organizations: staff disassembles phones prior to attending meeting or going to certain locations
    • Egyptian government requested from Vodafone names of all who attended a certain event; Vodafone refused
    • State of Wisconsin asked Amazon to list everyone who bought a particular book; court sided with Amazon’s refusal
    • Carriers get 100 requests a week for location info
    • No recording or oversight of requests
  • 21. Privacy and Surveillance Cellphone Location Methods, I
    • Localization-Based Systems (LBS)
      • Network based
      • Handset based (GPS)
      • Hybrid
    • Network Based- Utilizes service provider's network infrastructure to identify handset location
    • Advantages: can be implemented non-intrusively, without affecting handset.
    • Challenges
      • Accuracy varies
      • cell identification-least accurate, triangulation-most accurate
      • closely dependent on concentration of base station cells, urban environments achieve highest accuracy
      • Requires working closely with service provider:
      • entails the installation of hardware and software within the operator's infrastructure.
      • Legislative framework, such as E911, required to compel service provider and safeguard privacy
  • 22. Privacy and Surveillance Cellphone Location Methods, II
    • Handset Based - Requires installation of client software on handset
    • Determines location by:
      • computing:
        • Location by cell identification
        • Signal strengths of the home and neighboring cells; or
        • latitude and longitude, if the handset is equipped with a GPS module
      • calculation then sent from the handset to a location server
    • Disadvantages: necessity of installing software on the handset.
      • Requires the active cooperation of subscriber
      • Requires software that can handle the different handset operating systems
      • Typically, only smart phones, such as Symbian or Windows Mobile are capable
      • Proposed work-around: manufacturer installs embedded hw/sw on handset
    • Challenges
      • Convincing different manufacturers to cooperate on a common mechanism and to address cost issue, so no headway
      • Address issue of foreign handsets roaming in the network
  • 23. Privacy and Surveillance CALEA
    • Communications Assistance for Law Enforcement Act of 1994
    • established requirement that phone carriers must be able to perform some wiretapping functions
      • actual functions defined by industry:
        • Telecommunications Industry Association J-STD-025
      • with input from law enforcement
    • operated by carriers, not law enforcement
    • does not limit what law enforcement can ask for in a subpoena
      • CALEA is a floor not a ceiling
    • did not apply to “private networks” or “information services”
      • the Internet was an “information service” in the eyes of Congress in 1994
  • 24. Privacy and Surveillance CALEA- ANSI / TIA J-STD-025
    • Developed by Carrier Industry consortium of technical representatives over a 4-year period
    • Requires real-time delivery to law enforcement
      • call ID information
        • origin or dialed phone number, etc.
      • actions
        • dialing digits, call abandoned, call waiting toggling, etc.
      • communication itself
    • Must not be detectable by subject
    • Over a dedicated circuit in a specific format
  • 25. Privacy and Surveillance CALEA- ANSI / TIA J-STD-025
    • Technical requirements added after 1st version of J-STD-025
      • provide content of subject-initiated conference calls
      • identify active parties of a multiparty call
      • provide all dialing and signaling information including use of features
      • provide notification that a line is ringing or busy
      • provide timing information to correlate call-identifying information with the call content
      • provide digits dialed by a subject after the initial call
  • 26. Privacy and Surveillance CALEA 2005-6 revisions
    • Aug 2005 & May 2006 FCC orders extended CALEA to “interconnected VoIP providers” and ISPs
      • an “interconnected VoIP provider” provides VoIP service along with dial-out to PSTN and dial-in from PSTN
    • also covers connection between private network and Internet
    • implementation date 2007
    • justified under “substantial replacement” clause in original CALEA
      • in court, 1st decision supported FCC - being appealed
      • Most subsequent decisions, 40 out of 42, did not support government requests
  • 27. CALEA Extension to VoIP & ISPs
    • Aug 2005 & May 2006 FCC orders extended CALEA to “interconnected VoIP providers” and ISPs
      • an “interconnected VoIP provider” provides VoIP service along with dial-out to PSTN and dial-in from PSTN
    • also covers connection between private network and Internet
    • implementation date Mar 2007
      • but no standards yet
    • justified under “substantial replacement” clause in original CALEA
      • in court, 1st decision supported FCC - being appealed
  • 28. Privacy and Surveillance California Law
    • Over 80 separate laws in 7 categories, 3 additional laws currently pending
    • California's groundbreaking 2002 security breach notification law was followed by similar laws in more than 40 states
    • Enforcement path unclear for less clear categories of California resident
    • Definition of “organizations doing business in the State of California” and “California resident” unclear
      • Anyone who stores data on a California resident?
      • Anyone who stores data on non-California residents on media located in California?
      • How can companies be sure if their records of non-California residents are correct? i.e. not covered
      • Covers temporary residents?
      • Can potentially cover any company doing business anywhere in the world
  • 29. Privacy and Surveillance Massachusetts Law
    • 8/2/2007-Identity Theft Law, Massachusetts General Law Chapter 93H
    • 9/19/2008-201 CMR 17.00 Standards for the Protection of Personal Information of Residents of the Commonwealth
    • Consortium of industry technical representatives currently providing continuing commentary
    • Original implementation date twice suspended
    • Current implementation date January, 2010
    • Enforcement path unclear for less clear categories of Massachusetts employees/consumers
    • First law to require encryption for employee data (Nevada law required encryption for consumer data)
    • Requires a training module in terms of the law
    • Vendor management issues
  • 30. Privacy and Surveillance Massachusetts Law Requirements
    • Written information security program
    • Passwords, encryption for laptops
    • Risk assessments
    • Security policies around records retention
    • Policies and procedures to prevent terminated employees from gaining access
    • Physical access control policies and procedures
    • Security incident response policies
    • Monitoring for unauthorized access
    • Encryption of PII on laptops and other portable devices
    • Encryption of PII data in transmission
  • 31. Privacy and Surveillance Legal Jurisdiction
    • “This regulation applies to all businesses and other legal entities that own, license, collect, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”
    • Do these laws apply if you:
      • Have employees in the state/country?
      • Have customers in the state/country?
      • Have neither, but traffic in data of Massachusetts residents?
      • Store data physically in the state/ country?
      • How do you know if any of the above are true?
      • Are a private individual, a non-profit or a government agency?
      • Pay taxes in the state/country?
  • 32. Privacy and Surveillance Legal Jurisdiction
    • Do these laws apply only:
      • To data stored physically in the state/ country? Probably not
  • 33. Privacy and Surveillance High-profile data breaches
    • 1/29/09 Department of Veterans Affairs agreed to pay $20 million to military personnel to settle a 2006 case involving the theft of a laptop from an employee's home that contained the unencrypted personal records of 26.5 million military veterans and their spouses.
    • Massachusetts: TJX and BJ's Wholesale
    • ChoicePoint Inc., the Atlanta-based provider of identification services for the insurance and real estate industries, revealed in March that criminals had gained unauthorized access to aggregated personal data of 145,000 people.
  • 34. Privacy and Surveillance Calling in the Experts
  • 35. Privacy and Surveillance Did you know….?
    • Seven out of ten attacks are from…