Pages: pp. 12-15
With new international protocols coming into effect and further domestic law-enforcement measures pending, rarely have the twin weights of national security and personal liberty hung in such a delicate balance. This became clear at the Computers, Freedom & Privacy (CFP) Conference held 21–23 April in Berkeley, Calif., where hot topics included unseen ramifications of the USA Patriot Act; a new push by law enforcement to wiretap voice-over-IP (VoIP) communications; and the need to prevent abuses of technology at the international level.
Although the Patriot Act might be good for overall security, it raises serious privacy concerns, according to Andrew Grosso, principle attorney for Andrew Grosso and Associates and former assistant United States attorney, who addressed the CFP crowd. On the positive side, "the Patriot Act brings a lot of surveillance and intelligence efforts out of the Dark Ages and into the 21st century, in that there are a lot of tools that now can legitimately be used," Grosso says. For example, the act makes possible a greater exchange of information among domestic and international law enforcement.
"But there is a bad side, and that is that it is very one-sided in favoring law enforcement's ability to get information about people, without giving them the opportunity to attempt to protect that information," Grosso adds. The act permits using wiretaps without requiring authorities to specify who is being tapped or where the tapping occurs.
The Patriot Act likewise opens the door to potential technology abuses, such as providing funding for government database improvements, while offering no protections in terms of how those databases will be used. If, for example, investigators use these enhanced repositories to cross-reference or share information, Grosso suggests, this could lead to law enforcement compiling incriminating information to which it otherwise might not have had access.
Even beyond the Patriot Act, several technology issues are headed for collision with the US Constitution, according to Mike Godwin, senior technology counsel at Public Knowledge, a Washington, D.C.-based organization that supports a balanced approach to copyright and technology policy.
Godwin points to email privacy. Although communications privacy has been much bandied about, a related development has received little attention: government efforts to extend wiretapping capabilities to include VoIP communications.
Early this year, the US Federal Bureau of Investigations and the US Department of Justice asked the US Federal Communications Commission (FCC) to insist that VoIP providers rewire their networks so that law enforcement will be able to listen to subscribers' conversations, thus expanding the Communications Assistance for Law Enforcement Act of 1994. CALEA currently requires telecommunications service providers to provide law enforcement with wiretapping access, but it does not apply to VoIP or Internet Service Providers (ISPs). Because that limitation has long been applied to Internet services in general, this latest effort by law enforcement to change the rules has raised concern among privacy advocates. Nor is this merely a theoretical concern: federal and local law enforcement intercepted some 2.2 million conversations with court approval in 2002, according to the Administrative Office of the US Courts.
Should the FCC give a thumbs-up to VoIP wiretapping, the technology community could find itself saddled with a complex requirement. With all the diverse information found on the Internet, combined with the various forms of VoIP now available, Godwin says that it is "unclear which 'wire' has to be tapped."
On the international scene, the CFP conference took a hard look at the UN's World Summit on the Information Society (WSIS), which in December 2003 drew 10,000 delegates from around the globe to Geneva. In their examination of surveillance technologies, WSIS delegates broke new ground, according to Stephanie Perrin, president of Digital Discretion, a Canadian consulting firm.
"Privacy advocates like myself are concerned about the dumping and testing of surveillance technologies in countries where civil rights and civil liberties are not an issue," Perrin says. "I think WSIS marked a turning point. Traditional human rights groups [that normally] focused on hard tacks issues, like torture, murder, and political prisoners, started paying more serious attention to surveillance technologies and the immense potential for harm they pose in countries that have inadequate law and respect for civil liberties."
This new focus has direct consequences for those in the technology development business. "Companies that are developing even relatively innocuous technology—hand geometry readers, RFIDs, and so on—and selling it in such countries are at risk if dictators start to use the technology in unacceptable ways," Perrin says.
The risk is that human-rights groups will target not just the dictator but the developer as well, which is never good for business. In fact, this might be the big lesson for the technology community: do what you want to do, but think about how it will be used.
"The role of the technology community is to devise technology. At the research phase, you don't want people to feel fettered," says Bruce Schneier, security technologist and author of Beyond Fear: Thinking Sensibly about Security in an Uncertain World. "In a sense, [researchers] should not make the decisions about whether it is worth it or not."
But research is only part of the equation, he added. When it comes to the engineering phase, future uses become a real consideration. "An engineer should build things with an eye toward the trade-off" between security and privacy," he says. "If you can build it in a way that better safeguards privacy, do it that way."
Adam Stone is a freelance technology writer based in Annapolis, Maryland.
In March 2004, Symantec released its semiannual Internet Security Threat report, which assesses global security trends. Symantec based its conclusions on data extracted from 500 surveyed companies, its six security operations centers, and nine response labs located around the world.
In the first half of 2003, one-sixth of the surveyed companies reported serious security breaches; in the second half of the year, half did, and these security breaches show no signs of stopping. 2004 has already "outperformed" last year in the level of corporate security threats, breaches, and newly exposed vulnerabilities.
Sharon Ruckman, senior director of Symantec's Security Response division, says that, "since the first of January, there have been 19 major events with a severity scale of three or higher [on a 1 to 5 scale]."
Worms, viruses, backdoors, and Trojans continue to be problematic, but blended threats, such as the volatile Bugbear.B worm, are on the rise. These blended threats, which combine the worst aspects of worms, viruses, backdoors, and Trojans by using multiple methods and techniques, accounted for more than half of the top 10 malicious code submissions in the latter part of 2003. "We're seeing an evolutionary trend in terms of blended threats," Ruckman says. "They're more sophisticated and more dangerous."
Threats to privacy and confidentiality were the fastest growing threats. The increasingly malicious corporate security attacks are highlighted not only by their severity, but also by the motivations behind them. "There are more sophisticated adversaries out there trying to gain a financial or competitive advantage," says Brad Wood, senior network security engineer at BBN Technologies.
Although new vulnerabilities have increased only five percent in 2003, the vulnerabilities discovered were, and continue to be, far more severe. According to Jason Claycomb, chairman of the Security Council of the Technology Executives Club, today's vulnerabilities are by and large "shockingly easy" to exploit.
"After being attacked once, you're more vulnerable than you were before to future attacks," says Edmond Cooley, professor of electronic and computer engineering and director of IT at Dartmouth College. "As more and more systems become networked internationally, they become more vulnerable…at least at first. As we look at the convenience of networking, we have to be cognizant of the vulnerabilities. I think we're starting to realize that now. What we're finding is that vulnerabilities are being discovered as quickly as they are being remedied."
Symantec's report singles out viruses and worms as posing increasingly dangerous threats. "Last year, we saw a troubling increase in the threats posed by Win32-based viruses and worms [two and one-half times as many]," Ruckman says. "And that trend has continued in 2004."
"The new variations of viruses and worms that are on the horizon are much more malicious," Claycomb says. "One of these days, there will be something capable of permanently deleting hard drives or shutting down entire networks."
Benjamin Alfonsi is a freelance technology writer based in New York.