Good passwords are critical to good security. Which usually keeps regulators, journalists, and plaintiff lawyers away. Do you know how long your password will stand up using a brute force? You can check here.

The University of Texas at Austin’s McCombs School of Business has confirmed that almost 200,000 electronic records have been accessed illegally.  The university confirmed that it learned late last week that Social Security Numbers and biographical information of students, alumni, faculty and staff might have been compromised. This is University of Texas‘ second major breach in three years.

In light of the almost daily announcements of thousands of records being stolen from various institutions do we really need a federal data breach notification law, similar to what Congress has been working over the past months? Let’s assume that Congress passes such law and that all data breaches must be reported. What would happen then? Big breaches will be widely publicized but over time people will become immune to the news of hundreds of thousands of personal records being stolen.

So what is the solution? It seems that over the past few years the free-market advocates who argued that the bad publicity (or the potential of bad publicity should a breach occur) would make institutions secure their systems. Obviously this hasn’t happened. Should Congress try to mandate some sort of minimum data protection requirements, instead of data breach reporting requirements? Congress has created similar legislation (HIPAA for example) where the main goal is protecting privacy, but this legislation has made medical institutions that are subject to it increase their system security. Why not impose similar requirements to all major data processors?

Recent reports of the Bush Administration’s subpoenas against major search engines are not without a strategy. BBC reports on increased efforts of the Attorney General Gonzales to push for measures that would allow law enforcement to combat what the AG has called epidemic" of child pornography.

Gonzales has proposed changes in the law under the Child Pornography and Obscenity Prevention Amendments of 2006 (COPA’s earlier version was declared unconstitutional by the Supreme Court) where ISPs would be required to report child pornography and bolster penalties for those parties who fail to do so. In addition, Gonzales also wants to find ways to require ISPs to retain records (logs) of user’s activities for longer period of time so that law enforcement can have a longer trail when tracking an alleged offender.

The European Union’s Directive on Data Retention mandates ISPs in Europe to preserve call and Internet records for a period of 6 to 24 months (as specified by each EU country’s government). It seems that AG Gonzales seeks to impose similar obligations to US ISPs which, under current law, are not required to maintain any records of ordinary activity (unless of course they are served with a timely subpoena.) Attorney General’s statement on these new proposed requirements included,

The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of internet service providers.
…
Unfortunately, the failure of some internet service providers to keep records has hampered our ability to conduct investigations in this area.

The debate in the US as to ISP data retention requirements has already started, and Gonzales’ statements will definitely help fuel the conversation. At stake are vital interests to subscriber privacy and law enforcement’s ability to prevent and catch among some of the most heinous crimes.

The answer, according to Representative Ed Whitfield (R-Ky), is "No." Mr. Whitfield is the chair of the House Oversight and Investigations Subcommittee hearing testimony on the increase of child pornography and exploitation as a result of the proliferation of webcams and online video streaming.

According to the testimony of a victim, Atlanta-based Earthlink Inc., one of the largest Internet service providers in the United States, sent a webcam to a 13-year old boy as a free promotion. Now 19 years old, he testified that he was contacted within minutes of setting up the video camera, which sits on top of the computer and broadcasts the images of the person at the keyboard. Adult men promised him favors–money, gifts and more computer equipment. The victim was "befriended" and exploited by the men, he testified, despite filtering technology and an attentive mother, for six years. His father was one of the 1,500 "customers" profiting from the business.

This testimony prompted Rep. Whitfield’s comment that a 13-year old shouldn’t need a webcam. Is he right?