A history of worldwide and US Privacy laws and concepts, review of cellphone surveillance technology

Published in: Technology, News & Politics
Privacy And Surveillance

  1. Privacy Laws and Surveillance
     Sarah Cortes, PMP, CISA
     www.inmantechnologyIT.com
     Sarah’s blog: SecurityWatch; Sarah’s ITtechEx column; twitter: SecuritySpy; LinkedIn: Sarah Cortes
  2. Privacy and Surveillance: Agenda
     - Who are we? InmanTechnologyIT
     - Current Legal Overview
       - Worldwide
       - US
     - US Legal Summary
     - Historical Overview
       - History of cellphone technology
       - Origin of cellphone surveillance - 1990s
       - Cellphone surveillance categories
       - Surveillance requests
     - Privacy concepts
     - Classifications
       - Cellphone surveillance categories
     - CALEA
     - Timeline
     - California Laws
     - Massachusetts Law
  3. Table of Contents
     - Who are we? InmanTechnologyIT
     - Current Legal Overview
       - 6 - Worldwide Overview
       - 7 - Legal History
       - 8 - US Legal overview
       - 9 - Recent US Legal Activity
       - 10 - US laws cited in Sen 773
       - 11 - US Legal summary 1, 2
       - 13 - Wiretapping vs. “Location technology”
       - 14 - History of US Wiretap laws/rulings 1, 2
       - 16 - 1998-2008 US Wiretaps Authorized
     - Cellphone surveillance
       - 13 - History of cellphone technology
       - 14 - Origin of cellphone surveillance - 1990s
       - 15 - Cellphone surveillance categories
       - 16 - Surveillance requests
       - 17 - Cellphone location methods 1, 2
  4. Table of Contents (cont’d)
     - Specific Laws
       - 19 - CALEA
       - 20 - CALEA - ANSI / TIA J-STD-025
       - 22 - CALEA 2005-6 revisions
       - 24 - CALEA Extension to VoIP & ISPs
       - 25 - California Laws
       - 26 - Massachusetts Law
       - 27 - Legal Jurisdiction
       - 28 - High-profile data breaches
       - 29 - Calling in the Experts
  5. Sarah Cortes, PMP, CISA
     - Clients:
       - Harvard University
       - Biogen
       - Fidelity
     - Professional Associations:
       - Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature
     - Practice expertise
       - Complex Application Development/Implementation
       - IT Security/Privacy/Risk Management/Audit Management
       - Data Center Operations Management
       - Disaster Recovery/High Availability
       - Program/Project Management
     - Background
       - SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
       - As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
       - Coordinated over 65 audits per year
       - Previously ran major applications development for Trading/Analytics Systems
  6. Worldwide Legal Overview
     - UK and 47 European States
       - Article 8 of the European Convention on Human Rights
     - Canada
       - Personal Information Protection and Electronic Documents Act 1995-2004
     - Australia: Privacy Act of 1988
     - US: Multiple Federal Laws in 14 categories; plus:
       - Over 80 State of California Laws
       - State of Massachusetts Law
       - State of New Jersey Proposed Law
       - California Law now followed by similar laws in more than 40 states
  7. Legal History
     - Worldwide
       - Universal Declaration of Human Rights
       - UK – English Law and Prince Albert
     - US
       - Brandeis-Warren
       - Not explicit in US constitution
       - Prosser – 4 areas
       - Katz
       - Griswold v. Connecticut
         - Penumbras
       - Roe v. Wade
  8. US Legal Overview
     - Federal classifications:
       - Health privacy laws
       - Online privacy laws
       - Financial privacy laws
       - Communication privacy laws
       - Information privacy laws
       - Laws regarding privacy in one’s home
     - California classifications:
       - Health Information Privacy
       - Online Privacy
       - Constitutional Right to Privacy
       - Office of Privacy Protection
       - General Privacy
       - Identity Theft
       - Unsolicited Commercial Communications
  9. Recent US Legal Activity
     - 5/5/09 – Sen. xxx - Information and Communications Enhancement (ICE) Act of 2009 – creates White House Cyber CISO
     - 4/1/09 – Sen. 773 - Cybersecurity Act of 2009 – “kill-switch bill”
     - 3/3/2009 – Latest Revision of US Criminal Code, Title 18, Pt. I, Chap. 119, § 2511 – it is a federal crime to tap a phone – “Interception and disclosure of wire, oral, or electronic communications prohibited”
     - 2/17/09 – Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the American Recovery and Reinvestment Act of 2009
  10. US Legal Summary, cited in Sen. 773 (Cybersecurity Act of 2009)
      (1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa);
      (2) the Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510 note);
      (3) the Computer Security Act of 1987 (15 U.S.C. 271 et seq.; 40 U.S.C. 759);
      (4) the Federal Information Security Management Act of 2002 (44 U.S.C. 3531 et seq.);
      (5) the E-Government Act of 2002 (44 U.S.C. 9501 et seq.);
      (6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et seq.)
  11. US Legal Summary
      - Health privacy laws
        - 1996 - Health Insurance Portability and Accountability Act (HIPAA)
        - 1974 - The National Research Act
      - Financial privacy laws
        - 1970 - Bank Secrecy Act
        - 1998 - Federal Trade Commission
        - 1999 - Gramm-Leach-Bliley Act (GLB)
        - 2002 - Sarbanes-Oxley Act (SOX)
        - 2003 - Fair and Accurate Credit Transactions Act
      - Online privacy laws
        - 1986 - Electronic Communications Privacy Act (ECPA) - pen registers
        - 1986 - Stored Communications Act (SCA)
  12. US Legal Summary (cont’d)
      - Communication privacy laws
        - 1978 - Foreign Intelligence Surveillance Act (FISA)
        - 1984 - Cable Communications Policy Act
        - 1986 - Electronic Communications Privacy Act (ECPA)
        - 1994 - Digital Telephony Act - Communications Assistance for Law Enforcement Act (“CALEA”), 18 USC 2510-2522
        - 2005-6 - CALEA expansions
      - Education privacy laws
        - 1974 - Family Educational Rights and Privacy Act (FERPA)
      - Information privacy laws
        - 2001 - US Patriot Act – expanded pen registers
      - Laws regarding privacy in the home
      - Other
        - 2005 - Privacy Act - sale of online PII data for marketing
        - 1974 - Privacy Act
  13. Wiretapping vs. “Location technology”
      - Wiretapping - allowing simultaneous or recorded eavesdropping on actual conversations.
      - “Location technology” - use of a “pen register” or “trap-and-trace device” to identify the physical location of a device (cellphone) at an exact moment in time.
      - You can learn much more than you think simply by identifying “location.”
      - May, 2009 – Boston’s “craigslist killer” was identified by “location” technology.
  14. History of US Wiretap laws/rulings
      - Wiretapping’s cool:
        - 1928 - Olmstead v. United States, 277 U.S. 438;
        - Dissented by privacy rock star Louis Brandeis and overruled by:
      - Not really, wiretapping violates the 4th Amendment:
        - 1967 - Katz v. United States, 389 U.S. 347, and
        - 1967 - Berger v. New York, 388 U.S. 41
      - It is also a Federal Crime:
        - 1968 - Omnibus Crime Control and Safe Streets Act of 1968
        - 1994 - Digital Telephony Act - Communications Assistance for Law Enforcement Act (“CALEA”), 18 USC 2510-2522
        - 1/3/2007 - Latest CALEA version: Title 18 USC, Pt. I, Chap. 119, § 2511
  15. History of US Wiretap laws/rulings (cont’d)
      - But if you’re the President it’s cool.
      - But if you’re the government and get a warrant, it’s OK, too.
      - But even warrantless wiretapping is OK too, if the target is a “foreign enemy.” Which means anybody, including us! Cool.
        - 1978 - Foreign Intelligence Surveillance Act (FISA)
        - 1984 - Cable Communications Policy Act
        - 1986 - Electronic Communications Privacy Act (ECPA)
      - But actually, just kidding, now the government can wiretap anybody. But you can’t. Legally, that is.
        - 10/26/2001 – US Patriot Act – revised multiple laws
      - Technically, it’s easy and everybody knows how. Well, lots of people do.
  16. 1998-2008 US Wiretaps Authorized
      Table 7: Authorized Intercepts Granted Pursuant to 18 U.S.C. 2519, as Reported in Wiretap Reports for Calendar Years 1998 – 2008 (total authorized by year, reported through Dec 2008)

      Wiretap Report Year   1998   1999   2000   2001   2002   2003   2004   2005   2006   2007   2008
      Total authorized      1,447  1,546  1,386  1,695  1,543  1,788  1,992  2,100  2,306  2,208  1,891
  17. History of cellphone technology
      - 1990s – cell companies started to transform communications
      - McCaw Cellular dominated carriers
      - McCaw Cellular sold to AT&T in 1994 for $11.4 billion
      - Craig McCaw was the highest-paid CEO in the US
      - Criminals accounted for 70% of traffic
  18. Origin of cellphone surveillance - 1990s
      - Carriers originally tracked call initiation and termination to reimburse each other
      - Surveillance-capable technology was baked into telco equipment
      - Criminals accounted for 70% of cellular traffic, cloning analog cellphones
      - Earliest cellphone surveillance was carriers pinpointing the location of bandwidth thieves
      - Legendary hacker Kevin Mitnick was caught by law enforcement, using a cellular modem that was detected by “location-aware technologies” developed by the phone companies to fight fraud
      - Move from analog to digital left law enforcement without the required equipment
  19. Cellphone surveillance categories
      - Pen register - ECPA - subpoena w/o judicial review
      - Subscriber information - CALEA - subpoena w/o judicial review
      - Network “location” information - CALEA - cell towers, specific calls - requires judicial review
        - Past - Historical data - who was using a specific tower at a specific moment in time, or where a particular customer was during a specific timeframe. Covered by CALEA
        - Present - Ping data - network operators and some third-party providers are able to send a one-time ping to a phone to locate it at a specific time. Not covered by CALEA
        - Future - Prospective data - by tracking phones over a long period of time and mapping individuals’ traffic, or larger traffic flows, it’s possible to predict where people are likely to be. Not covered by CALEA
  20. Cellphone surveillance requests
      - All subscribers near a particular cell tower in a ten-minute period, hoping to locate witnesses to a drug transaction
      - Provider might sell location information to a jealous spouse as a “family finder” service
      - Information on a missing child - company ordered to ping a phone every 15 minutes for 24 hours
      - All phone numbers contacted by a mobile phone found in a container ship that contained counterfeit condoms: carriers refused
      - Google only responds to search warrants about location info
      - Totalitarian governments tracking employees of human rights organizations: staff disassemble phones prior to attending a meeting or going to certain locations
      - Egyptian government requested from Vodafone the names of all who attended a certain event; Vodafone refused
      - State of Wisconsin asked Amazon to list everyone who bought a particular book; court sided with Amazon’s refusal
      - Carriers get 100 requests a week for location info
      - No recording or oversight of requests
  21. Cellphone Location Methods, I
      - Localization-Based Systems (LBS)
        - Network based
        - Handset based (GPS)
        - Hybrid
      - Network Based - utilizes the service provider's network infrastructure to identify handset location
      - Advantages: can be implemented non-intrusively, without affecting the handset.
      - Challenges
        - Accuracy varies: cell identification is least accurate, triangulation most accurate
        - Closely dependent on the concentration of base station cells; urban environments achieve the highest accuracy
        - Requires working closely with the service provider: entails the installation of hardware and software within the operator's infrastructure.
        - Legislative framework, such as E911, required to compel the service provider and safeguard privacy
  22. Cellphone Location Methods, II
      - Handset Based - requires installation of client software on the handset
      - Determines location by computing:
        - Location by cell identification
        - Signal strengths of the home and neighboring cells; or
        - Latitude and longitude, if the handset is equipped with a GPS module
      - The calculation is then sent from the handset to a location server
      - Disadvantages: necessity of installing software on the handset.
        - Requires the active cooperation of the subscriber
        - Requires software that can handle the different handset operating systems
        - Typically, only smart phones, such as Symbian or Windows Mobile, are capable
        - Proposed work-around: manufacturer installs embedded hw/sw on the handset
      - Challenges
        - Convincing different manufacturers to cooperate on a common mechanism and to address the cost issue, so no headway
        - Addressing the issue of foreign handsets roaming in the network
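As an added illustration of slides 21 and 22 (not part of the original deck), the following Python estimates a handset's position two ways from the same tower measurements: cell identification (the handset is placed at its serving tower) and triangulation by least-squares trilateration over every tower that reports a range. The tower coordinates, handset position and per-tower range errors are constructed sample values, chosen only to show the accuracy gap the slides describe.

```python
import math

# Constructed sample: base stations at (x, y) in metres on a flat plane,
# and the handset's true position that the two methods try to recover.
TRUE_POS = (620.0, 410.0)
TOWERS = {
    "A": (0.0, 0.0),
    "B": (1500.0, 0.0),
    "C": (700.0, 1300.0),
    "D": (1600.0, 1200.0),
}
# Constructed per-tower range error in metres (multipath, timing quantisation).
RANGE_ERROR = {"A": 40.0, "B": -35.0, "C": 25.0, "D": -20.0}


def distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def measured_ranges(true_pos, towers, errors=None):
    """Range each tower measures to the handset; errors models operator-side noise."""
    errors = errors or {}
    return {name: distance(true_pos, pos) + errors.get(name, 0.0)
            for name, pos in towers.items()}


def cell_id_estimate(ranges, towers):
    """Cell identification: report the serving (nearest) tower's own location."""
    serving = min(ranges, key=ranges.get)
    return towers[serving]


def trilateration_estimate(ranges, towers):
    """Linearised least-squares trilateration over all towers that report a range.

    Subtracting the reference tower's circle equation from each other tower's gives
    2(xi-x0) x + 2(yi-y0) y = r0^2 - ri^2 + xi^2 - x0^2 + yi^2 - y0^2, a linear
    system solved by its 2x2 normal equations (needs >= 3 non-collinear towers)."""
    names = list(ranges)
    if len(names) < 3:
        raise ValueError("trilateration needs at least three towers")
    x0, y0 = towers[names[0]]
    r0 = ranges[names[0]]
    rows = []
    for name in names[1:]:
        xi, yi = towers[name]
        ri = ranges[name]
        rows.append((2 * (xi - x0), 2 * (yi - y0),
                     r0 ** 2 - ri ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2))
    s_aa = sum(a * a for a, _, _ in rows)
    s_ab = sum(a * b for a, b, _ in rows)
    s_bb = sum(b * b for _, b, _ in rows)
    s_ac = sum(a * c for a, _, c in rows)
    s_bc = sum(b * c for _, b, c in rows)
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear; position is ambiguous")
    x = (s_ac * s_bb - s_ab * s_bc) / det
    y = (s_aa * s_bc - s_ab * s_ac) / det
    return (x, y)


def position_errors(true_pos, towers, errors=None):
    """Error in metres of each method against the true position."""
    ranges = measured_ranges(true_pos, towers, errors)
    return {
        "cell_id": distance(true_pos, cell_id_estimate(ranges, towers)),
        "trilateration": distance(true_pos, trilateration_estimate(ranges, towers)),
    }


if __name__ == "__main__":
    print("4 towers, noisy ranges:", position_errors(TRUE_POS, TOWERS, RANGE_ERROR))
    print("3 towers, noisy ranges:",
          position_errors(TRUE_POS, {k: TOWERS[k] for k in "ABC"}, RANGE_ERROR))
```

With the constructed values, cell identification is off by roughly the cell radius (over 700 m) while noisy trilateration lands within a few tens of metres; a sparse, collinear tower layout makes the linear system singular, which the code reports instead of returning a meaningless point.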
  23. CALEA
      - Communications Assistance for Law Enforcement Act of 1994
      - Established the requirement that phone carriers must be able to perform some wiretapping functions
        - actual functions defined by industry: Telecommunications Industry Association J-STD-025
        - with input from law enforcement
      - Operated by carriers, not law enforcement
      - Does not limit what law enforcement can ask for in a subpoena
        - CALEA is a floor, not a ceiling
      - Did not apply to “private networks” or “information services”
        - the Internet was an “information service” in the eyes of Congress in 1994
  24. CALEA - ANSI / TIA J-STD-025
      - Developed by a carrier industry consortium of technical representatives over a 4-year period
      - Requires real-time delivery to law enforcement of:
        - call ID information (origin or dialed phone number, etc.)
        - actions (dialing digits, call abandoned, call waiting toggling, etc.)
        - the communication itself
      - Must not be detectable by the subject
      - Over a dedicated circuit in a specific format
  25. CALEA - ANSI / TIA J-STD-025 (cont’d)
      - Technical requirements added after the 1st version of J-STD-025:
        - provide content of subject-initiated conference calls
        - identify active parties of a multiparty call
        - provide all dialing and signaling information, including use of features
        - provide notification that a line is ringing or busy
        - provide timing information to correlate call-identifying information with the call content
        - provide digits dialed by a subject after the initial call
  26. CALEA 2005-6 revisions
      - Aug 2005 & May 2006 FCC orders extended CALEA to “interconnected VoIP providers” and ISPs
        - an “interconnected VoIP provider” provides VoIP service along with dial-out to the PSTN and dial-in from the PSTN
      - Also covers the connection between a private network and the Internet
      - Implementation date 2007
      - Justified under the “substantial replacement” clause in the original CALEA
        - in court, the 1st decision supported the FCC - being appealed
        - most subsequent decisions, 40 out of 42, did not support government requests
  27. CALEA Extension to VoIP & ISPs
      - Aug 2005 & May 2006 FCC orders extended CALEA to “interconnected VoIP providers” and ISPs
        - an “interconnected VoIP provider” provides VoIP service along with dial-out to the PSTN and dial-in from the PSTN
      - Also covers the connection between a private network and the Internet
      - Implementation date Mar 2007
        - but no standards yet
      - Justified under the “substantial replacement” clause in the original CALEA
        - in court, the 1st decision supported the FCC - being appealed
  28. California Law
      - Over 80 separate laws in 7 categories, 3 additional laws currently pending
      - California's groundbreaking 2002 security breach notification law was followed by similar laws in more than 40 states
      - Enforcement path unclear for less clear categories of California resident
      - Definition of “organizations doing business in the State of California” and “California resident” unclear
        - Anyone who stores data on a California resident?
        - Anyone who stores data on non-California residents on media located in California?
        - How can companies be sure their records of non-California residents are correct, i.e. not covered?
        - Covers temporary residents?
        - Can potentially cover any company doing business anywhere in the world
  29. Massachusetts Law
      - 8/2/2007 - Identity Theft Law, Massachusetts General Law Chapter 93H
      - 9/19/2008 - 201 CMR 17.00 Standards for the Protection of Personal Information of Residents of the Commonwealth
      - Consortium of industry technical representatives currently providing continuing commentary
      - Original implementation date twice suspended
      - Current implementation date January, 2010
      - Enforcement path unclear for less clear categories of Massachusetts employees/consumers
      - First law to require encryption for employee data (Nevada law required encryption for consumer data)
      - Requires a training module in terms of the law
      - Vendor management issues
  30. Massachusetts Law Requirements
      - Written information security program
      - Passwords, encryption for laptops
      - Risk assessments
      - Security policies around records retention
      - Policies and procedures to prevent terminated employees from gaining access
      - Physical access control policies and procedures
      - Security incident response policies
      - Monitoring for unauthorized access
      - Encryption of PII on laptops and other portable devices
      - Encryption of PII data in transmission
  31. Legal Jurisdiction
      - “This regulation applies to all businesses and other legal entities that own, license, collect, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”
      - Do these laws apply if you:
        - Have employees in the state/country?
        - Have customers in the state/country?
        - Have neither, but traffic in data of Massachusetts residents?
        - Store data physically in the state/country?
        - How do you know if any of the above are true?
        - Are a private individual, a non-profit or a government agency?
        - Pay taxes in the state/country?
  32. Legal Jurisdiction (cont’d)
      - Do these laws apply only:
        - To data stored physically in the state/country? Probably not
  33. High-profile data breaches
      - 1/29/09 - Department of Veterans Affairs agreed to pay $20 million to military personnel to settle a 2006 case involving the theft of a laptop from an employee's home that contained the unencrypted personal records of 26.5 million military veterans and their spouses.
      - Massachusetts: TJX and BJ's Wholesale
      - ChoicePoint Inc., the Atlanta-based provider of identification services for the insurance and real estate industries, revealed in March that criminals had gained unauthorized access to aggregated personal data of 145,000 people.
  34. Calling in the Experts
  35. Did you know….?
      - Seven out of ten attacks are from…