Privacy And Surveillance


A history of worldwide and US Privacy laws and concepts, review of cellphone surveillance technology


Transcript

  • 1. Privacy Laws and Surveillance Sarah Cortes, PMP, CISA www.inmantechnologyIT.com Sarah’s blog: SecurityWatch Sarah’s ITtechEx column twitter: SecuritySpy LinkedIn: Sarah Cortes
  • 2. Privacy and Surveillance Agenda
    • Who are we? InmanTechnologyIT
    • Current Legal Overview
      • Worldwide
      • US
    • US Legal Summary
    • Historical Overview
      • History of cellphone technology
      • Origin of cellphone surveillance-1990s
      • Cellphone surveillance categories
      • Surveillance requests
    • Privacy concepts
    • Classifications
      • Cellphone surveillance categories
    • CALEA
    • Timeline
    • California Laws
    • Massachusetts Law
  • 3. Privacy and Surveillance Table of Contents
    • Who are we? InmanTechnologyIT
    • Current Legal Overview
      • 6- Worldwide Overview
      • 7- Legal History
      • 8- US Legal overview
      • 9- Recent US Legal Activity
      • 10- US laws cited in Sen 773
      • 11- US Legal summary 1, 2
      • 13- Wiretapping vs. “Location technology”
      • 14- History of US Wiretap laws/rulings 1,2
      • 16-1998-2008 US Wiretaps Authorized
    • Cellphone surveillance
      • 13- History of cellphone technology
      • 14- Origin of cellphone surveillance-1990s
      • 15- Cellphone surveillance categories
      • 16- Surveillance requests
      • 17- Cellphone location methods, 1, 2
  • 4. Privacy and Surveillance Table of Contents
    • Specific Laws
      • 19- CALEA
      • 20- CALEA- ANSI / TIA J-STD-025
      • 22- CALEA 2005-6 revisions
      • 24- CALEA Extension to VoIP & ISPs
      • 25- California Laws
      • 26- Massachusetts Law
      • 27- Legal Jurisdiction
      • 28- High-profile data breaches
      • 29- Calling in the Experts
  • 5. Sarah Cortes, PMP, CISA
    • Clients:
      • Harvard University
      • Biogen
      • Fidelity
    • Professional Associations:
      • Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature
    • Practice expertise
      • Complex Application Development/Implementation
      • IT Security/Privacy/Risk Management/Audit Management
      • Data Center Operations Management
      • Disaster Recovery/High Availability
      • Program/Project Management
    • Background
      • SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
      • As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
      • Coordinated over 65 audits per year
      • Previously ran major applications development for Trading/Analytics Systems
  • 6. Privacy and Surveillance Worldwide Legal Overview
    • UK and 47 European States
      • Article 8 of the European Convention on Human Rights
    • Canada
      • Personal Information Protection and Electronic Documents Act 1995-2004
    • Australia: Privacy Act of 1988
    • US: Multiple Federal Laws in 14 categories; plus:
      • Over 80 State of California Laws
      • State of Massachusetts Law
      • State of New Jersey Proposed Law
      • California Law now followed by similar laws in more than 40 states
  • 7. Privacy and Surveillance Legal History
    • Worldwide
      • Universal Declaration of Human Rights
      • UK – English Law and Prince Albert
    • US
      • Brandeis-Warren
      • Not explicit in US constitution
      • Prosser – 4 areas
      • Katz
      • Griswold v. Connecticut
        • Penumbras
      • Roe v. Wade
  • 8. Privacy and Surveillance US Legal Overview
    • Federal classifications:
      • Health privacy laws
      • Online privacy laws
      • Financial privacy laws
      • Communication privacy laws
      • Information privacy laws
      • Laws regarding privacy in one’s home
    • California classifications:
      • Health Information Privacy
      • Online Privacy
      • Constitutional Right to Privacy
      • Office of Privacy Protection
      • General Privacy
      • Identity Theft
      • Unsolicited Commercial Communications
  • 9. Privacy and Surveillance Recent US Legal Activity
    • 5/5/09 – Sen. xxx – Information and Communications Enhancement (ICE) Act of 2009 – creates White House Cyber CISO
    • 4/1/09 – Sen. 773 – Cybersecurity Act of 2009 – “kill-switch bill”
    • 3/3/2009 – Latest Revision of US Criminal Code, Title 18, Pt. I, Chap. 119, § 2511 – it is a federal crime to tap a phone – “Interception and disclosure of wire, oral, or electronic communications prohibited”
    • 2/17/09- Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of American Recovery and Reinvestment Act of 2009
  • 10. Privacy and Surveillance US Legal Summary, cited in Sen. 773 (Cybersecurity Act of 2009)
    • (1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa);
    • (2) the Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510 note);
    • (3) the Computer Security Act of 1987 (15 U.S.C. 271 et seq.; 40 U.S.C. 759);
    • (4) the Federal Information Security Management Act of 2002 (44 U.S.C. 3531 et seq.);
    • (5) the E-Government Act of 2002 (44 U.S.C. 9501 et seq.);
    • (6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et seq.)
  • 11. Privacy and Surveillance US Legal Summary
    • Health privacy laws
      • 1996-Health Insurance Portability and Accountability Act (HIPAA)
      • 1974-The National Research Act
    • Financial privacy laws
      • 1970-Bank Secrecy Act
      • 1998-Federal Trade Commission
      • 1999-Gramm-Leach-Bliley Act-GLB
      • 2002-Sarbanes-Oxley Act-SOX
      • 2003-Fair and Accurate Credit Transactions Act
    • Online privacy laws
      • 1986-Electronic Communications Privacy Act-ECPA-pen registers
      • 1986-Stored Communications Act-SCA
  • 12. Privacy and Surveillance US Legal Summary (cont’d)
    • Communication privacy laws
      • 1978-Foreign Intelligence Surveillance Act (FISA)
      • 1984-Cable Communications Policy Act
      • 1986-Electronic Communications Privacy Act (ECPA)
      • 1994-Digital Telephony Act - Communications Assistance for Law Enforcement Act-“CALEA” 18 USC 2510-2522
      • 2005-6 CALEA expansions
    • Education Privacy Laws
      • 1974-Family Educational Rights and Privacy Act-FERPA
    • Information privacy laws
      • 2001-US Patriot Act – expanded pen registers
    • Laws regarding privacy in the home
    • Other
      • 2005-Privacy Act - sale of online PII data for marketing
      • 1974-Privacy Act
  • 13. Privacy and Surveillance Wiretapping vs. “Location technology”
    • Wiretapping- allowing simultaneous or recorded eavesdropping of actual conversations.
    • “Location technology” - use of a “pen register” or “trap-and-trace device” to identify the physical location of a device (cellphone) at an exact moment in time.
    • You can learn much more than you think simply by identifying “location.”
    • May, 2009 – Boston’s “craigslist killer” was identified by “location” technology.
  • 14. Privacy and Surveillance History of US Wiretap laws/rulings
    • Wiretapping’s cool:
    • 1928-Olmstead v. United States, 277 U.S. 438;
    • Dissented by privacy rock star Louis Brandeis and overruled by:
    • Not really, wiretapping violates 4th Amendment:
    • 1967-Katz v. United States, 389 U.S. 347, and
    • 1967-Berger v. New York, 388 U.S. 41
    • It is also a Federal Crime:
    • 1968-Omnibus Crime Control and Safe Streets Act of 1968
    • 1994-Digital Telephony Act - Communications Assistance for Law Enforcement Act-“CALEA” 18 USC 2510-2522
    • 1/3/2007-Latest CALEA version: Title 18 USC, Pt. I, Chap. 119, § 2511
  • 15. Privacy and Surveillance History of US Wiretap laws/rulings
    • But if you’re the President it’s cool.
    • But if you’re the government and get a warrant, it’s Ok, too.
    • But even warrantless wiretapping is Ok too, if the target is a “foreign enemy.” Which means anybody, including us! Cool.
    • 1978-Foreign Intelligence Surveillance Act (FISA)
    • 1984-Cable Communications Policy Act
    • 1986-Electronic Communications Privacy Act (ECPA)
    • But actually, just kidding, now the government can wiretap anybody. But you can’t. Legally, that is.
    • 10/26/2001 – US Patriot Act – revised multiple laws
    • Technically, it’s easy and everybody knows how. Well lots of people do.
  • 16. Privacy and Surveillance 1998-2008 US Wiretaps Authorized
    • Table 7: Authorized Intercepts Granted Pursuant to 18 U.S.C. 2519 as Reported in Wiretap Reports for Calendar Years 1998 – 2008
    • Total authorized by Wiretap Report year (reported through Dec 2008):
      • 1998: 1,447
      • 1999: 1,546
      • 2000: 1,386
      • 2001: 1,695
      • 2002: 1,543
      • 2003: 1,788
      • 2004: 1,992
      • 2005: 2,100
      • 2006: 2,306
      • 2007: 2,208
      • 2008: 1,891
  • 17. Privacy and Surveillance History of cellphone technology
    • 1990s – cell companies started to transform communications
    • McCaw Cellular dominated carriers
    • McCaw cellular sold to AT&T in 1994 for $11.4 billion
    • Craig McCaw was highest-paid CEO in the US
    • Criminals accounted for 70% of traffic
  • 18. Privacy and Surveillance Origin of cellphone surveillance-1990s
    • Carriers originally tracked call initiation and termination to reimburse each other
    • Surveillance-capable technology was baked into telco equipment
    • Criminals accounted for 70% of cellular traffic, cloning analog cellphones
    • Earliest cellphone surveillance was carriers pinpointing the location of bandwidth thieves
    • Legendary hacker Kevin Mitnick was caught by law enforcement, using a cellular modem that was detected by “location-aware technologies” developed by the phone companies to fight fraud
    • Move from analog to digital left law enforcement without required equipment
  • 19. Privacy and Surveillance Cellphone surveillance categories
    • Pen register-ECPA- subpoena w/o judicial review
    • Subscriber information-CALEA- subpoena w/o judicial review
    • Network “location” information-CALEA-cell towers, specific calls- requires judicial review
      • Past- Historical data - Who was using a specific tower at a specific moment in time, or where was a particular customer during a specific timeframe. Covered by CALEA
      • Present - Ping data - Network operators and some third-party providers are able to send a one-time ping to a phone to locate it at a specific time. Not covered by CALEA
      • Future - Prospective data - By tracking phones over a long period of time, and mapping individuals' traffic, or larger traffic flows, it’s possible to predict where people are likely to be. Not covered by CALEA
  • 20. Privacy and Surveillance Cellphone surveillance requests
    • All subscribers near a particular cell tower in a ten-minute period, hoping to locate witnesses to a drug transaction
    • Provider might sell location information to a jealous spouse as a “family finder” service
    • Information on a missing child - company ordered to ping a phone every 15 minutes for 24 hours
    • All phone numbers contacted by a mobile phone found in a container ship that contained counterfeit condoms: carriers refused
    • Google only responds to search warrants about location info
    • Totalitarian Governments tracking employees of human rights organizations: staff disassembles phones prior to attending meeting or going to certain locations
    • Egyptian government requested from Vodafone names of all who attended a certain event; Vodafone refused
    • State of Wisconsin asked Amazon to list everyone who bought a particular book; court sided with Amazon’s refusal
    • Carriers get 100 requests a week for location info
    • No recording or oversight of requests
  • 21. Privacy and Surveillance Cellphone Location Methods, I
    • Localization-Based Systems (LBS)
      • Network based
      • Handset based (GPS)
      • Hybrid
    • Network Based- Utilizes service provider's network infrastructure to identify handset location
    • Advantages: can be implemented non-intrusively, without affecting handset.
    • Challenges
      • Accuracy varies
      • cell identification-least accurate, triangulation-most accurate
      • closely dependent on concentration of base station cells, urban environments achieve highest accuracy
      • Requires working closely with service provider:
      • entails the installation of hardware and software within the operator's infrastructure.
      • Legislative framework, such as E911, required to compel service provider and safeguard privacy
  • 22. Privacy and Surveillance Cellphone Location Methods, II
    • Handset Based - Requires installation of client software on handset
    • Determines location by:
      • computing:
        • Location by cell identification
        • Signal strengths of the home and neighboring cells; or
        • latitude and longitude, if the handset is equipped with a GPS module
      • calculation then sent from the handset to a location server
    • Disadvantages: necessity of installing software on the handset.
      • Requires the active cooperation of subscriber
      • Requires software that can handle the different handset operating systems
      • Typically, only smart phones, such as Symbian or Windows Mobile are capable
      • Proposed work-around: manufacturer installs embedded hw/sw on handset
    • Challenges
      • Convincing different manufacturers to cooperate on a common mechanism and to address cost issue, so no headway
      • Address issue of foreign handsets roaming in the network
  • 23. Privacy and Surveillance CALEA
    • Communications Assistance for Law Enforcement Act of 1994
    • established requirement that phone carriers must be able to perform some wiretapping functions
      • actual functions defined by industry:
        • Telecommunications Industry Association J-STD-025
      • with input from law enforcement
    • operated by carriers, not law enforcement
    • does not limit what law enforcement can ask for in a subpoena
      • CALEA is a floor not a ceiling
    • did not apply to “private networks” or “information services”
      • the Internet was an “information service” in the eyes of Congress in 1994
  • 24. Privacy and Surveillance CALEA- ANSI / TIA J-STD-025
    • Developed by Carrier Industry consortium of technical representatives over a 4-year period
    • Requires real-time delivery to law enforcement
      • call ID information
        • origin or dialed phone number, etc.
      • actions
        • dialing digits, call abandoned, call waiting toggling, etc.
      • communication itself
    • Must not be detectable by subject
    • Over a dedicated circuit in a specific format
  • 25. Privacy and Surveillance CALEA- ANSI / TIA J-STD-025
    • Technical requirements added after 1st version of J-STD-025
      • provide content of subject-initiated conference calls
      • identify active parties of a multiparty call
      • provide all dialing and signaling information including use of features
      • provide notification that a line is ringing or busy
      • provide timing information to correlate call-identifying information with the call content
      • provide digits dialed by a subject after the initial call
  • 26. Privacy and Surveillance CALEA 2005-6 revisions
    • Aug 2005 & May 2006 FCC orders extended CALEA to “interconnected VoIP providers” and ISPs
      • an “interconnected VoIP provider” provides VoIP service along with dial-out to PSTN and dial-in from PSTN
    • also covers connection between private network and Internet
    • implementation date 2007
    • justified under “substantial replacement” clause in original CALEA
      • in court, 1st decision supported FCC - being appealed
      • Most subsequent decisions, 40 out of 42, did not support government requests
  • 27. CALEA Extension to VoIP & ISPs
    • Aug 2005 & May 2006 FCC orders extended CALEA to “interconnected VoIP providers” and ISPs
      • an “interconnected VoIP provider” provides VoIP service along with dial-out to PSTN and dial-in from PSTN
    • also covers connection between private network and Internet
    • implementation date Mar 2007
      • but no standards yet
    • justified under “substantial replacement” clause in original CALEA
      • in court, 1st decision supported FCC - being appealed
  • 28. Privacy and Surveillance California Law
    • Over 80 separate laws in 7 categories, 3 additional laws currently pending
    • California's groundbreaking 2002 security breach notification law was followed by similar laws in more than 40 states
    • Enforcement path unclear for less clear categories of California resident
    • Definition of “organizations doing business in the State of California” and “California resident” unclear
      • Anyone who stores data on a California resident?
      • Anyone who stores data on non-California residents on media located in California?
      • How can companies be sure if their records of non-California residents are correct? i.e. not covered
      • Covers temporary residents?
      • Can potentially cover any company doing business anywhere in the world
  • 29. Privacy and Surveillance Massachusetts Law
    • 8/2/2007-Identity Theft Law, Massachusetts General Law Chapter 93H
    • 9/19/2008-201 CMR 17.00 Standards for the Protection of Personal Information of Residents of the Commonwealth
    • Consortium of industry technical representatives currently providing continuing commentary
    • Original implementation date twice suspended
    • Current implementation date January, 2010
    • Enforcement path unclear for less clear categories of Massachusetts employees/consumers
    • First law to require encryption for employee data (Nevada law required encryption for consumer data)
    • Requires a training module in terms of the law
    • Vendor management issues
  • 30. Privacy and Surveillance Massachusetts Law Requirements
    • Written information security program
    • Passwords, encryption for laptops
    • Risk assessments
    • Security policies around records retention
    • Policies and procedures to prevent terminated employees from gaining access
    • Physical access control policies and procedures
    • Security incident response policies
    • Monitoring for unauthorized access
    • Encryption of PII on laptops and other portable devices
    • Encryption of PII data in transmission
  • 31. Privacy and Surveillance Legal Jurisdiction
    • “This regulation applies to all businesses and other legal entities that own, license, collect, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”
    • Do these laws apply if you:
      • Have employees in the state/country?
      • Have customers in the state/country?
      • Have neither, but traffic in data of Massachusetts residents?
      • Store data physically in the state/ country?
      • How do you know if any of the above are true?
      • Are a private individual, a non-profit or a government agency?
      • Pay taxes in the state/country?
  • 32. Privacy and Surveillance Legal Jurisdiction
    • Do these laws apply only:
      • To data stored physically in the state/ country? Probably not
  • 33. Privacy and Surveillance High-profile data breaches
    • 1/29/09 Department of Veterans Affairs agreed to pay $20 million to military personnel to settle a 2006 case involving the theft of a laptop from an employee's home that contained the unencrypted personal records of 26.5 million military veterans and their spouses.
    • Massachusetts: TJX and BJ's Wholesale
    • ChoicePoint Inc., the Atlanta-based provider of identification services for the insurance and real estate industries, revealed in March that criminals had gained unauthorized access to aggregated personal data of 145,000 people.
  • 34. Privacy and Surveillance Calling in the Experts
  • 35. Privacy and Surveillance Did you know….?
    • Seven out of ten attacks are from…