The Community for Technology Leaders
Green Image
Issue No. 04 - July-August (2004 vol. 2)
ISSN: 1540-7993
pp: 12-15
The Delicate Balance Security and Privacy
Adam Stone
With new international protocols coming into effect and further domestic law-enforcement measures pending, rarely have the twin weights of national security and personal liberty hung in such a delicate balance. This became clear at the Computers, Freedom & Privacy (CFP) Conference held 21–23 April in Berkeley, Calif., where hot topics included unseen ramifications of the USA Patriot Act; a new push by law enforcement to wiretap voice-over-IP (VoIP) communications; and the need to prevent abuses of technology at the international level.
Although the Patriot Act might be good for overall security, it raises serious privacy concerns, according to Andrew Grosso, principle attorney for Andrew Grosso and Associates and former assistant United States attorney, who addressed the CFP crowd. On the positive side, "the Patriot Act brings a lot of surveillance and intelligence efforts out of the Dark Ages and into the 21st century, in that there are a lot of tools that now can legitimately be used," Grosso says. For example, the act makes possible a greater exchange of information among domestic and international law enforcement.
"But there is a bad side, and that is that it is very one-sided in favoring law enforcement's ability to get information about people, without giving them the opportunity to attempt to protect that information," Grosso adds. The act permits using wiretaps without requiring authorities to specify who is being tapped or where the tapping occurs.
The Patriot Act likewise opens the door to potential technology abuses, such as providing funding for government database improvements, while offering no protections in terms of how those databases will be used. If, for example, investigators use these enhanced repositories to cross-reference or share information, Grosso suggests, this could lead to law enforcement compiling incriminating information to which it otherwise might not have had access.
Even beyond the Patriot Act, several technology issues are headed for collision with the US Constitution, according to Mike Godwin, senior technology counsel at Public Knowledge, a Washington, D.C.-based organization that supports a balanced approach to copyright and technology policy.
Godwin points to email privacy. Although communications privacy has been much bandied about, a related development has received little attention: government efforts to extend wiretapping capabilities to include VoIP communications.
Early this year, the US Federal Bureau of Investigations and the US Department of Justice asked the US Federal Communications Commission (FCC) to insist that VoIP providers rewire their networks so that law enforcement will be able to listen to subscribers' conversations, thus expanding the Communications Assistance for Law Enforcement Act of 1994. CALEA currently requires telecommunications service providers to provide law enforcement with wiretapping access, but it does not apply to VoIP or Internet Service Providers (ISPs). Because that limitation has long been applied to Internet services in general, this latest effort by law enforcement to change the rules has raised concern among privacy advocates. Nor is this merely a theoretical concern: federal and local law enforcement intercepted some 2.2 million conversations with court approval in 2002, according to the Administrative Office of the US Courts.
Should the FCC give a thumbs-up to VoIP wiretapping, the technology community could find itself saddled with a complex requirement. With all the diverse information found on the Internet, combined with the various forms of VoIP now available, Godwin says that it is "unclear which 'wire' has to be tapped."
On the international scene, the CFP conference took a hard look at the UN's World Summit on the Information Society (WSIS), which in December 2003 drew 10,000 delegates from around the globe to Geneva. In their examination of surveillance technologies, WSIS delegates broke new ground, according to Stephanie Perrin, president of Digital Discretion, a Canadian consulting firm.
"Privacy advocates like myself are concerned about the dumping and testing of surveillance technologies in countries where civil rights and civil liberties are not an issue," Perrin says. "I think WSIS marked a turning point. Traditional human rights groups [that normally] focused on hard tacks issues, like torture, murder, and political prisoners, started paying more serious attention to surveillance technologies and the immense potential for harm they pose in countries that have inadequate law and respect for civil liberties."
This new focus has direct consequences for those in the technology development business. "Companies that are developing even relatively innocuous technology—hand geometry readers, RFIDs, and so on—and selling it in such countries are at risk if dictators start to use the technology in unacceptable ways," Perrin says.
The risk is that human-rights groups will target not just the dictator but the developer as well, which is never good for business. In fact, this might be the big lesson for the technology community: do what you want to do, but think about how it will be used.
"The role of the technology community is to devise technology. At the research phase, you don't want people to feel fettered," says Bruce Schneier, security technologist and author of Beyond Fear: Thinking Sensibly about Security in an Uncertain World. "In a sense, [researchers] should not make the decisions about whether it is worth it or not."
But research is only part of the equation, he added. When it comes to the engineering phase, future uses become a real consideration. "An engineer should build things with an eye toward the trade-off" between security and privacy," he says. "If you can build it in a way that better safeguards privacy, do it that way."
Adam Stone is a freelance technology writer based in Annapolis, Maryland.
Corporate Security Under Siege
Benjamin Alfonsi
In March 2004, Symantec released its semiannual Internet Security Threat report, which assesses global security trends. Symantec based its conclusions on data extracted from 500 surveyed companies, its six security operations centers, and nine response labs located around the world.
In the first half of 2003, one-sixth of the surveyed companies reported serious security breaches; in the second half of the year, half did, and these security breaches show no signs of stopping. 2004 has already "outperformed" last year in the level of corporate security threats, breaches, and newly exposed vulnerabilities.
Sharon Ruckman, senior director of Symantec's Security Response division, says that, "since the first of January, there have been 19 major events with a severity scale of three or higher [on a 1 to 5 scale]."
From bad to worse
Worms, viruses, backdoors, and Trojans continue to be problematic, but blended threats, such as the volatile Bugbear.B worm, are on the rise. These blended threats, which combine the worst aspects of worms, viruses, backdoors, and Trojans by using multiple methods and techniques, accounted for more than half of the top 10 malicious code submissions in the latter part of 2003. "We're seeing an evolutionary trend in terms of blended threats," Ruckman says. "They're more sophisticated and more dangerous."
Threats to privacy and confidentiality were the fastest growing threats. The increasingly malicious corporate security attacks are highlighted not only by their severity, but also by the motivations behind them. "There are more sophisticated adversaries out there trying to gain a financial or competitive advantage," says Brad Wood, senior network security engineer at BBN Technologies.
Although new vulnerabilities have increased only five percent in 2003, the vulnerabilities discovered were, and continue to be, far more severe. According to Jason Claycomb, chairman of the Security Council of the Technology Executives Club, today's vulnerabilities are by and large "shockingly easy" to exploit.
"After being attacked once, you're more vulnerable than you were before to future attacks," says Edmond Cooley, professor of electronic and computer engineering and director of IT at Dartmouth College. "As more and more systems become networked internationally, they become more vulnerable…at least at first. As we look at the convenience of networking, we have to be cognizant of the vulnerabilities. I think we're starting to realize that now. What we're finding is that vulnerabilities are being discovered as quickly as they are being remedied."
Corporate security
Symantec's report singles out viruses and worms as posing increasingly dangerous threats. "Last year, we saw a troubling increase in the threats posed by Win32-based viruses and worms [two and one-half times as many]," Ruckman says. "And that trend has continued in 2004."
"The new variations of viruses and worms that are on the horizon are much more malicious," Claycomb says. "One of these days, there will be something capable of permanently deleting hard drives or shutting down entire networks."
Benjamin Alfonsi is a freelance technology writer based in New York.
News Briefs

    In June, the US House Oversight committee received a US Department of Homeland Security progress report on the National Cybersecurity Strategy's implementation. The report shows both progress and remaining work in implementing the strategy, which was issued early last year. It also shows that an assessment of vulnerabilities to critical infrastructures is targeted for 2005, with a process for assessing Internet weaknesses due later this year. Perhaps the most publicized achievement in the report is the establishment of a public–private structure for responding to national-level cyber incidents by designating the US Computer Emergency Readiness Team (US-CERT) as the department's cybersecurity operational body. Carnegie Mellon University-based US-CERT, which launched a national cyberalert system in January 2004, now includes the former Federal Computer Incident Response Center.

    Europe's emerging digital media market is crippled under red tape and mounting copyright levies, according to a group of technology firms. Groups representing software and consumer electronics manufacturers told European Commission members that obstacles must be overcome if new online music and video download services are to survive. The group recommends that the commission develop a single, EU-wide license and cap charges that increase digital media player prices. The technology industry also wants the commission to look at streamlining royalty collection and developing an industry-recognized standard for digital rights management—necessary for protecting media from digital piracy.

    The US House of Representatives' Energy and Commerce subcommittee voted unanimously for a bill that requires Internet spyware suppliers to notify users before loading new software on their machines. The bill, introduced by Representatives Mary Bono (R-California) and Ed Towns (D-New York), would allow the US Federal Trade Commission to seek millions of dollars in fines for logging users' keystrokes or stealing their identities. It also would require that spyware be easily removable.

    The Induce Act, a bill introduced in mid-June in the US Senate, would reshape copyright law by prohibiting file-trading networks and some consumer electronics devices because they could be used for unlawful purposes. If passed, it would make whoever "aids, abets, induces (or) counsels" copyright violations liable for those violations. The act represents copyright holders' latest legislative attempt to address the growing threat of peer-to-peer networks common with pirated music, movies, and software. Induce stands for "Inducement Devolves into Unlawful Child Exploitation," a reference to Capitol Hill's oft-stated concern that file-trading networks are a source of unlawful pornography.

    A US House of Representatives bill, HR107, would overturn a major provision of the Digital Millennium Copyright Act of 1998 (DMCA), which bars consumers from circumventing encryption on digital media products even if they only intend to make copies for personal use. It aims to "amend the Federal Trade Commission Act to provide that the advertising or sale of a mislabeled copy-protected music disc is an unfair method of competition and an unfair and deceptive act or practice, and for other purposes." DMCA was intended as a way to stop piracy, but critics say it gave copyright holders far more control than intended while eroding Americans' fair use rights. They also worry that the law has criminalized otherwise innocent activities, such as making a personal copy of a purchased CD, or trying to get a DVD to play on a computer running Linux.

    US Senator John Kerry (D-Massachusetts) unveiled his plan for a US$30 billion package of technology investments during a policy speech in San Jose, California in late June. Kerry, the Democratic Party nominee for US president, said if elected he would create tax incentives to invest in startups, research and development, and broadband networks for rural areas and cities. Kerry also said he would spend the money to create high-tech jobs—and would finance that by selling unused TV transmission spectrum after the country moves from analog to digital television. Kerry also proposed equipping all first responders to emergencies—such as police and firefighters—with broadband connections by the end of 2006. Although high-speed Internet service in homes and small businesses grew by 42 percent last year to 28.2 million lines, Kerry said the US ranks 10th in the world in adopting broadband.


    The US Computer Emergency Readiness Team (US-CERT) warned Web surfers in late June to stop using Microsoft's Internet Explorer browser. US-CERT updated their earlier advisory that recommended the use of alternative browsers because there were significant vulnerabilities in technologies embedded in IE. US-CERT researchers said that the IE browser does not adequately validate the security context of a frame that has been redirected by a Web server, thus opening the door for an attacker to exploit the flaw by executing script in different security domains.

    The Anti-Phishing Working Group reported that the number of unique phishing attacks (in which unsolicited commercial email is used to direct Internet users to illegitimate e-commerce Web sites) increased six percent in May 2004 to 1,197, with an average of 38.6 reports each day, slightly higher than in April. Financial services companies continued to be the primary target of the scams, and Citibank customers were the most frequent target. The group, which is sponsored by Microsoft, VeriSign and antispam company Tumbleweed Communications, also said that scams using eBay and PayPal (an eBay company), were rampant in May.

    The UK-based Home Office says it will install iris-scanning technology in major UK airports in hopes of accelerating immigration times for those who travel in and out of the UK on a frequent basis (these travelers must register—only those that have previously complied with the UK's immigration laws will qualify), as well as increasing security. Sagem, based in France, will provide the Iris Recognition Immigration System. The first installation will be at Heathrow, with four other airports joining in 2005. The Home Office expects more than one million people will be registered to use the system within five years.

    The US Department of Homeland Security's Chief Security Officer Jack Johnson said that the DHS is facing a daunting task in deploying the Homeland Security Data Network. HSDN was envisioned to be at a level of security matching the Defense Department's Secure IP Router Network by the end of the year, and will be used for disseminating classified intelligence throughout the department and to other agencies. Much of the work must be outsourced, which is difficult because of the small pool of qualified personnel with the necessary security clearances in the private sector. The problems facing data sharing are not just technical—intelligence agencies whose product is supposed to be distributed to other federal agencies and state and local governments are requiring assurances that the data will be handled securely. These assurances are complicated; many agencies now under the umbrella of the DHS did not have intelligence roles before the department was created last year. Organizations such as the Federal Emergency Management Agency will now require access to classified data that did not cross their desks before.

    India is trying to improve its data protection for its booming software and outsourcing sectors. Officials of the National Association of Software and Service Companies said they will work with customers, regulators, and police to strengthen outsourcing in India. India exported US$12.5 billion of software and services in 2004 to March, up more than 30 percent from the previous year.


    The state-funded Korea Information Security Agency (KISA) signed a contract with Microsoft in late June, creating a joint effort against virus and hacking attacks (a memorandum of understanding was signed last November for the alliance). Microsoft will send computer security professionals to train KISA officials and other Internet service providers. KISA will make efforts to jointly develop applications with Microsoft to curb the spread of spam.

    America Online, BT, Comcast, EarthLink, Microsoft, and Yahoo have joined to form the Anti-Spam Technical Alliance (ASTA), which aims to fight spam by using existing technology and best practice rather than just looking for future technical solutions. Their statement of intent outlines best practices; they plan to update this document as necessary. Its first suggestion is that all providers remove open relays from their systems. It also calls on email providers to do a better job of informing users how they can combat spam. The group is examining ways to provide secure email identity.

    MessageLabs, an email filtering firm, reported that May 2004 was the worst month for spam on record. Of the 909 million inbound emails that MessageLabs Anti-Spam service scanned, 691.5 million were intercepted as spam—76 percent.

    The Electronic Privacy Information Center (EPIC), a public-interest organization, has filed a lawsuit in US federal court against the US Transportation Security Administration and the US Justice Department seeking the immediate release of information about government efforts to collect airline passenger data following the 9/11 attacks. The organization charges that TSA and the FBI have failed to adequately respond to Freedom of Information Act (FOIA) requests and have wrongfully withheld records. The complaint: the US alleges that TSA violated statutory time limits in responding to three separate FOIA requests. Several agencies and airlines have disclosed that they have collected and shared personal information about airline passengers since 9/11: JetBlue Airways shared more than five million passenger records with a Pentagon contractor in 2002, Northwest Airlines gave three months' worth of 2001 passenger data to NASA's Ames Research Center for use in a passenger profiling project, and an American Airlines contractor, Airline Automation, gave 1.2 million passenger records in June 2002 to four companies competing for TSA contracts. Most recently, the FBI has said that it ordered the nation's largest airlines to turn over millions of passenger records from the days after the terrorist attacks as part of a criminal investigation.

Scott L. Andresen
94 ms
(Ver 3.3 (11022016))