
Among all of the data protection bills circulating in Congress, the House Energy and Commerce Committee approved on July 26th a bill designed to restrict the sale of Social Security numbers. The Social Security Number Protection Act (H.R. 1078), introduced by Rep. Markey, makes it a crime to sell or purchase SSNs in violation of rules to be promulgated by the Federal Trade Commission. The FTC would be given authority to determine appropriate exemptions and to enforce civil compliance with the bill’s restrictions. Under the bill, violators would be subject to civil penalties of $11,000 per violation.

Rep. Ed Markey (D-Mass.) explained the rationale for the proposed bill:

If someone actually obtains a Social Security number on the Internet, they have a critically important piece of information that can be used to locate a person, get access to their finances, or engage in a variety of other illegal activities. By stopping unregulated commerce in Social Security numbers, this bill will help reduce the incidence of pretexting crimes, identity thefts and other frauds or crimes involving misuse of a person’s Social Security number.

The bill contains important exceptions, e.g. for law enforcement, national security, emergency situations, voluntary and affirmative written consent, and legitimate consumer credit verification. The bill would also preempt any state statute or regulation that expressly restricts or prohibits the sale of Social Security numbers.

The motivation behind this bill is clear to all of us: something needs to be done to stop the free flow of SSNs, whether stolen or legitimately obtained. The SSN has grown beyond what it was originally intended to do, which was to uniquely identify recipients of benefits. When the SSN was first introduced, it was specifically pointed out that it would not be used to identify a person for any and all purposes and that the number was not meant to be a multipurpose personal identification number. Yet, years later, we have witnessed the "functionality creep" of the Social Security number as it is used for almost all government and some private sector purposes. The real damage comes from the fact that it is used not only as an identifier but as an authenticator, a secret whose mere knowledge is taken as proof of identity, even though it is printed on forms and stored in countless databases.

One of the problems with this pending legislation is that it somewhat resembles what CAN-SPAM did to address the problem of email spam: it allowed the FTC to pursue spammers, it preempted "stronger" state laws, and in retrospect it did little to ease the problem of spam. Hopefully, by the time this proposed legislation becomes law, it will have grown into a stronger law that squarely addresses the increasing problem of identity theft.

July 28th, 2006 by dm | Identity Theft, Privacy

A 33-year-old Californian admitted illegally obtaining personal data on thousands of individuals and then using the information to obtain credit cards or otherwise commit identity theft. In a plea agreement filed on July 17, 2006 with the U.S. District Court for the Central District of California, Bryan Dill pleaded guilty to aggravated identity theft and other fraud-related crimes. Sentencing is scheduled for September 25th.

In the plea, Dill admitted that he accessed the Merlin database service by claiming to be a private investigator. Dill used the database to obtain personal information belonging to other people and used it to obtain credit cards in their names. Records suggest that Dill conducted at least 1,873 queries through the Merlin system to obtain information on approximately 5,875 people. [DoJ press release.]

Merlin Information Services is a database of public and credit report records which allows [mostly] anybody to open an account by filling in a form, paying a fee, and searching records which may contain SSNs and dates of birth, among other interesting pieces of information.

What is troublesome in this case is the apparent lack of control over who can access the database and the potentially unlimited reach of the information that can be obtained. A self-declared "private investigator" was accepted at face value, and nobody appears to have noticed a single new account pulling records on thousands of people, even though the 1,873 queries were later reconstructed from the service's own records. It becomes something like Russian roulette: we know that our records are in these databases, and we know that eventually they will be compromised, either technologically or socially, and then it is just a matter of luck whether our information is extracted or not.

July 24th, 2006 by dm | Forensics, Scams

A new and emerging cyber-threat has been reported by antivirus and computer security vendors: installation of ‘ransomware’ on victims’ computers or servers, which encrypts information on the affected machines, followed by a demand for payment from the attackers to release the information. The folks at Kaspersky Labs say that they have seen an increase in ransomware but deny that the problem has reached ‘epidemic’ levels. Among the main concerns is the increase in key length noted over the past months: previously attackers used relatively weak encryption (56-bit keys), but recent ransomware has started using 660-bit keys, which according to these reports makes information recovery practically impossible. Key length alone says little without the algorithm, though: 660 bits would be enormous for a symmetric cipher but is a modest size for an RSA modulus, and recovery is only "impossible" as long as the key is neither leaked, recovered from the malware, nor factored.

A recent ransomware incident in Great Britain illustrates the growing trend of ransomware attacks and the inability of law enforcement to deal properly with such incidents. Earlier this year, a Manchester woman unintentionally downloaded a trojan which encrypted her files with a 30-character password and left a note telling her not to go to the police but instead to buy pharmaceutical products in order to receive the password and restore her files.

When she decided to report the incident to the police, her complaint was met with a shrug and an inadequate explanation by law enforcement:

We aren’t investigating the incident as it’s an Internet crime, and not within the GMP area — technically it’s international. Trying to find who did this would be a monumental task. [statement by Greater Manchester Police spokeswoman]

Although the difficulties in tracking and prosecuting this case are enormous, it is very wrong for law enforcement to send the message that tracking the criminals is difficult or impossible. In groundbreaking and novel cases such as this one, law enforcement should put in extra time and effort to make sure the trend stops, rather than unintentionally encouraging it.

Federal agencies that discover a data breach involving personally identifiable information must report the breach to US-CERT (part of the Department of Homeland Security) within one hour. The directive comes from the July 12 memorandum issued by the Office of Management and Budget (OMB). According to Karen Evans, administrator of OMB’s Office of E-Government and Information Technology, agencies should report breach incidents regardless of whether the breach is confirmed or merely suspected, and regardless of whether the information was held in electronic or in "physical" form.

The memorandum defines "personally identifiable information" as:

any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

Although this requirement is an encouraging step toward government transparency, especially in light of some recent government data breaches, the one-hour deadline may be a little too rigid. If agencies are to conform to it, they will have little time to figure out what actually happened and make a meaningful report to US-CERT. Rushing the reporting risks swamping US-CERT with premature and inaccurate data, to the point where it may not be able to distinguish real threats and breaches from mere mistakes. The deadline is workable only if the one-hour report is treated as an initial notification, with the details following as the agency's investigation develops.

July 19th, 2006 by dm | Law & Policy, Privacy

According to Reps. Bachus (R-Ala.) and Pearce (R-N.M.), any proposal in Congress to limit consumers’ ability to unmask the identities of Web sites with which they transact business would amount to a "radical change" that would interfere with consumers’ ability to adequately protect themselves. In a hearing entitled "ICANN and the Whois Database: Providing Access to Protect Consumers from Phishing," the Representatives strongly opposed measures to limit consumers’ ability to query the WHOIS database, which holds registration and contact information for every registered domain name.

Many of our readers know that the WHOIS database was originally intended as a tool for efficient communication with domain owners over domain or hosting technical issues. However, as time went on, other parties started using the database for a variety of [illegal] purposes, e.g. as a source of email addresses to be spammed, or of physical addresses to be used as part of a scam. In addition, exposing private information in plain text and unprotected on the Internet makes many legitimate domain name owners nervous: having a name, a telephone number, a physical address, and a list of other domain names owned by an individual can prove very useful to cybercriminals.

In April, ICANN (Internet Corporation for Assigned Names and Numbers) decided that it should do more to protect the privacy rights of domain name owners, and an ICANN advisory task force recommended to ICANN’s board that it revamp its policy approach to WHOIS by limiting access to the data to technical administration purposes only. Intellectual property owners and government agencies have objected to this proposal, fearing that, if adopted, it could hinder IP or law enforcement efforts. Even though no one at the hearing argued that law enforcement should not have unfettered access to the database, the issue was framed as whether consumer access to WHOIS might be bargained away in an effort to strike a deal that would permit continued access to the data by private entities, such as IP owners and banks, who have come to depend on the data for their own enforcement efforts.

In addition, Rep. Bachus, with FTC and Department of Commerce support, indicated that he was worried that limiting consumer access to WHOIS could deprive consumers of their "first line of defense" in protecting themselves, forcing them to complain instead to the Federal Trade Commission, which would be swamped with consumer complaints. The problem with this claim, however, is that 1) WHOIS information, especially in cases where potential fraud is involved, is very often inaccurate, and 2) consumers may lack the technical savvy to sift out the true identity of the registrant. Marc Rotenberg, executive director of the Electronic Privacy Information Center, suggested that WHOIS data should be treated similarly to department of motor vehicles records: not widely available to the public, but accessible in appropriate and somewhat narrowly defined circumstances.

See more information on the hearing and witness testimony.
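To make concrete what a WHOIS record actually exposes, here is an added example (not code from the original post or from ICANN): a minimal RFC 3912 client that sends a query over TCP port 43 and reads until the server closes the connection, plus a parser that pulls the person-identifying fields out of the key/value reply that most registrars return. The reply text, the names, addresses and the phone number in it are constructed for this example, as is the short list of words used to guess whether a privacy proxy is in front of the registrant.

```python
import re
import socket

# Constructed WHOIS reply in the key/value style most registrars return.
# Every name, address, phone number and host in it is invented for this example.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-REGISTRANT.TEST
Registrar: Example Registrar, Inc.
Updated Date: 2006-03-01
Creation Date: 2004-11-15
Registrant Name: Jane Q. Public
Registrant Organization:
Registrant Street: 1234 Fictional Lane
Registrant City: Springfield
Registrant Phone: +1.5555550100
Registrant Email: jane@example-registrant.test
Admin Name: Jane Q. Public
Admin Email: jane@example-registrant.test
Tech Name: Hostmaster
Tech Email: hostmaster@example-hosting.test
Name Server: NS1.EXAMPLE-HOSTING.TEST
Name Server: NS2.EXAMPLE-HOSTING.TEST
>>> Last update of WHOIS database: 2006-07-18 <<<
"""

# Fields that identify a person rather than a machine: the ones a spammer or scammer
# harvests, and the ones a privacy/proxy service would replace with its own details.
PERSONAL_FIELDS = ("Registrant Name", "Registrant Street", "Registrant City",
                   "Registrant Phone", "Registrant Email",
                   "Admin Name", "Admin Email")

# "Key: value" lines; the key is a run of letters, spaces, slashes or hyphens.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.*?)\s*$")


def parse_whois(text):
    """Turn a key/value WHOIS reply into a dict; repeated keys (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # banners, ">>>" footers and blank lines are skipped
        key, value = m.group(1), m.group(2)
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def exposed_personal_data(record):
    """Return only the personal fields that are present and non-empty."""
    return {k: record[k] for k in PERSONAL_FIELDS if record.get(k)}


def looks_proxied(record):
    """Crude check for a privacy/proxy registration (assumed keyword list, not a standard)."""
    blob = " ".join(str(record.get(k, "")) for k in PERSONAL_FIELDS).lower()
    return any(word in blob for word in ("privacy", "proxy", "whoisguard", "protected"))


def whois_query(domain, server, port=43, timeout=10):
    """RFC 3912 exchange: connect to TCP/43, send the query plus CRLF, read until close."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline run against the constructed reply; use whois_query(domain, server) for a live one.
    rec = parse_whois(SAMPLE_WHOIS)
    for field, value in exposed_personal_data(rec).items():
        print(f"{field}: {value}")
    print("privacy proxy:", looks_proxied(rec))
```

Run against the constructed record, the parser reports seven person-identifying fields in the clear and no sign of a proxy, which is exactly the profile (name, street address, phone, email, plus the name servers that tie the domain to other holdings) that the post describes as useful to cybercriminals.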

July 18th, 2006 by dm | Hacking, Vulnerabilities

Recent research presented at the Workshop on the Economics of Information Security at the University of Cambridge suggested that 46 percent of almost 2,500 access points surveyed in Indianapolis were not running any form of encryption.

So far so good; let’s assume that Indianapolis is a fairly representative area for the rest of the country when it comes to securing Wi-Fi. Most of the researchers participating in the workshop criticized the default settings of Wi-Fi routers, which leave networks running without security and without encrypting traffic. "People just really don’t care about Wi-Fi security, and open Wi-Fi at home is a nice big target," said Matthew Hottell, lecturer in informatics at Indiana University. "Defaults (settings) are king."

What troubles this author are comments from some security experts that as long as people’s devices are secure, having a secured network is unnecessary. Here is what "security expert" Bruce Schneier said:

I have a completely open Wi-Fi network. Firstly, I don’t care if my neighbors are using my network. Secondly, I’ve protected my computers. Thirdly, it’s polite. When people come over they can use it.

Really? Many in the security field would claim that no networked machine is 100% secure. How would Mr. Schneier guarantee that his devices are 100% secure? What happened to the layered security model, which requires adequate protection at each layer? Nor does hardening the hosts do anything for the traffic itself, which an open network sends in the clear for anyone in range to read. Just because we want to be polite to our neighbors does not mean that we should encourage people to strip the security from their networks, hoping that they know how to secure the devices inside them and praying that vulnerabilities will not be discovered and exploited faster than they can be patched. Thank you, Mr. Schneier, but I’d rather secure my network AND my devices. As for my neighbors: you are not downloading illegal movies on my bandwidth!
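The Indianapolis figure quoted above is the kind of number a wardriving survey produces, so here is an added example (not from the paper or the original post) of the classification step: it parses the output of the Linux `iwlist <iface> scan` command and sorts each access point into open, WEP, WPA or WPA2, then computes the share that is running no encryption at all. The scan text below is constructed for this example, as are the BSSIDs and SSIDs in it; the list of factory SSIDs is an assumption, not an authoritative table.

```python
import re
from collections import Counter

# Constructed `iwlist wlan0 scan` output (Linux wireless-tools). The MACs, SSIDs and
# signal values are invented: two open APs, one WEP, one WPA, one WPA2.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:01
                    ESSID:"linksys"
                    Mode:Master
                    Frequency:2.437 GHz (Channel 6)
                    Encryption key:off
                    Quality=60/70  Signal level=-40 dBm
          Cell 02 - Address: 00:11:22:33:44:02
                    ESSID:"home-net"
                    Mode:Master
                    Encryption key:on
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : TKIP
                        Authentication Suites (1) : PSK
          Cell 03 - Address: 00:11:22:33:44:03
                    ESSID:"NETGEAR"
                    Mode:Master
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
          Cell 04 - Address: 00:11:22:33:44:04
                    ESSID:"default"
                    Mode:Master
                    Encryption key:off
          Cell 05 - Address: 00:11:22:33:44:05
                    ESSID:"cafe"
                    Mode:Master
                    Encryption key:on
                    Quality=50/70  Signal level=-55 dBm
"""

# Each AP in iwlist output starts with "Cell NN - Address: <BSSID>".
CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")

# Factory SSIDs (assumed list): an AP still broadcasting one usually still has the
# factory admin password and factory security settings too.
DEFAULT_SSIDS = ("linksys", "default", "NETGEAR", "dlink")


def classify(body):
    """Map one AP's scan text to OPEN / WEP / WPA / WPA2 from the Encryption and IE lines."""
    if "Encryption key:off" in body:
        return "OPEN"
    if "WPA2" in body:            # "IE: IEEE 802.11i/WPA2 ..." (RSN element)
        return "WPA2"
    if "IE: WPA" in body:         # "IE: WPA Version 1" (WPA1 element)
        return "WPA"
    return "WEP"                  # key on, but no WPA/RSN element: only WEP is left


def parse_scan(text):
    """Split iwlist output into one dict per access point."""
    parts = CELL_RE.split(text)   # [preamble, bssid1, body1, bssid2, body2, ...]
    aps = []
    for bssid, body in zip(parts[1::2], parts[2::2]):
        m = re.search(r'ESSID:"(.*)"', body)
        aps.append({"bssid": bssid,
                    "essid": m.group(1) if m else "",
                    "security": classify(body)})
    return aps


def summarize(aps):
    """Survey totals: share with no encryption, and share with none or WEP only."""
    counts = Counter(ap["security"] for ap in aps)
    total = len(aps)
    open_n = counts["OPEN"]
    # WEP is reported separately from OPEN but counted as "weak": its keys are recoverable
    # from captured traffic, so it is encryption in name only.
    return {"total": total,
            "counts": dict(counts),
            "open_fraction": open_n / total if total else 0.0,
            "open_or_wep_fraction": (open_n + counts["WEP"]) / total if total else 0.0}


def default_ssids(aps):
    """APs still using a factory SSID, WPA2 or not: the 'defaults are king' indicator."""
    return [ap for ap in aps if ap["essid"] in DEFAULT_SSIDS]


if __name__ == "__main__":
    aps = parse_scan(SAMPLE_SCAN)
    for ap in aps:
        print(f'{ap["bssid"]}  {ap["security"]:5}  {ap["essid"]}')
    print(summarize(aps))
    print("factory SSIDs:", [ap["essid"] for ap in default_ssids(aps)])
```

On the constructed scan, 40% of the access points are open and 60% are open or WEP; the survey in the post counted only the first category, which is why the "no encryption" figure understates how many networks an attacker in range can actually read. Note also that the WPA2 "NETGEAR" network still carries a factory SSID, which says nothing about its key but is a fair hint that its other defaults were never touched either.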

As usually happens with a hot and popular issue, there are many congressmen who want to be the ones to take credit for the legislation that protects the public from evil and thus gain political capital. In theory this is good, as long as Congress is able to sort through the pending bills, combine and resolve conflicting provisions, and get the law enacted quickly. That seems not to be the case with the data breach legislation pending in Congress.

A new bill was introduced on June 26 by Sens. Bennett (R-Utah) and Carper (D-Del.), designed to create a uniform national standard to safeguard sensitive information and provide consumer notification of data security breaches. The Data Security Act of 2006 (S. 3568) is expected to be taken up by the Senate Banking Committee, which shares jurisdiction over data security with two other Senate committees. Under the proposed bill, companies would be required to notify their customers about data breaches posing a risk of "substantial harm or inconvenience," including identity theft or account fraud situations where consumers might experience financial loss or be forced to expend time and effort to correct false information. The breadth of the definition of harm that would trigger notification is interesting: presumably any data breach would force a consumer either to expend time and effort correcting false information or to face a threat of financial loss.

Although financial institutions have similar requirements under the Gramm-Leach-Bliley Act of 1999, the new bill would apply to a broader range of entities that handle sensitive information.

"Though current law requires financial institutions to protect the security and confidentiality of customer information, we have to expand this reach," said Bennett, who chairs the Senate Banking Subcommittee on Financial Institutions. "Many of the recent breaches in data security have occurred outside financial institutions’ networks."

Under the Bennett-Carper bill, "substantial harm or inconvenience" would not include changing an account number or closing an account, sponsors said. The measure would also exempt from notification information that could not be used to commit identity theft or account fraud, including information that is encrypted or redacted. An encryption exemption is only as good as the key management behind it: data encrypted with a key that was stored alongside it, or taken in the same breach, is not protected in any meaningful sense. A safe harbor is also provided for financial institutions deemed in compliance with GLB requirements. To address the uniformity issue, a preemption provision is included that would preempt all state laws relating to data security and breach notification, including the California data breach disclosure law we discussed some time ago.

However, not everything is so neat and clear in Congress these days. The Senate Judiciary Committee passed two different data breach bills in 2005. Sens. Specter (R-Pa.) and Leahy (D-Vt.) introduced the Personal Data Privacy and Security Act of 2005 (S. 1789), which would require notification broadly to "any resident in the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been accessed or acquired" as a result of a data security breach. Exemption from this broad reporting requirement could be obtained only by filing with the U.S. Secret Service a finding that the breach poses "no significant risk of harm" to consumers.

A separate bill, introduced by Sen. Sessions (R-Ala.) and called the Notification of Risk to Personal Data Act (S. 1326), would require that consumers be notified when there is a "significant risk of identity theft."

In addition to the Senate bills, there are numerous data breach-related bills in the House as well. While it is nice to see that legislators are picking up on the urgent need for data breach legislation, it is not certain how quickly the politicians on the Hill will be able to reach agreement on the terms and enact a good data breach law.

July 7th, 2006 by dm | Law & Policy

A letter signed by 49 state attorneys general urges Congress to require Internet service providers to meet a national data retention standard to assist law enforcement investigations of online sexual predators. One of the main reasons cited in the letter is that some ISPs delete information critical to determining a suspect’s name and physical address.

As we wrote earlier in April, the debate as to what information should be retained by ISPs started with Attorney General Gonzales pushing for a requirement to retain subscriber logs for a period of 6 to 24 months. The state AGs agree with Gonzales that federal legislation is necessary to provide a uniform data retention framework instead of having to deal with potentially different

"While I am generally reluctant to relinquish state control over law enforcement issues, given the ubiquitous nature of the Internet, a national [data retention] standard is most appropriate," said John Suthers, attorney general of Colorado. Suthers spearheaded the letter in his capacity as chair of the Criminal Law Committee of the National Association of Attorneys General.

Currently, ISP data retention policies (or, as many people call them, ‘data destruction policies’) run the gamut from as short as a few days to a year or more. Obviously, some ISPs have created a niche for themselves by advertising their short retention periods and have attracted a number of customers with questionable activities. On the other hand, there is a fine line between violating users’ privacy and preserving all data. While one of the driving forces behind this proposed federal legislation is catching sexual predators, the information kept by ISPs would be subject to subpoena for any alleged offense. While many agree that there should be some minimum standard for retaining data, the balance between legitimate law enforcement needs and privacy concerns is a tricky one.

July 5th, 2006 by dm | Hacking, Law & Policy

What do you do when you work for a large (and secretive) government agency as an outside contractor and your work is constantly slowed down by bureaucracy and paperwork? One way to solve the problem, at least the one Mr. Colon chose, is to hack the FBI’s classified computer servers and obtain the passwords of thousands of employees and agents. This will certainly help you move through the bureaucratic machine faster, but it will also likely get you some time in jail.

The Washington Post reports on the case of Mr. Colon, a government consultant with BAE Systems, who used readily available software to obtain the password hashes of all FBI computer users and then ran a password cracker against them, thereby obtaining the passwords of 38,000 employees, including access to top secret programs such as the Witness Protection Program and details of counterespionage activity. Mr. Colon was caught, fired from his job, and has since pleaded guilty to four counts of intentionally accessing a computer in excess of authorized access and obtaining information from a department of the United States, under 18 U.S.C. § 1030.

Colon’s lawyers said FBI officials in the Springfield office approved of what he was doing, and that one agent even gave Colon his own password, enabling him to get to the encrypted database in March 2004. Because FBI employees are required to change their passwords every 90 days, Colon hacked into the system on three later occasions to update his password list. Note what the rotation policy actually bought: nothing. An attacker who can read the hash store once can read it again, and each 90-day cycle simply meant another dump.

While Mr. Colon has only himself to blame, the FBI (and other agencies) should not wait to fix their systems, so that users with simple hacking skills and seemingly benevolent (as in Mr. Colon’s case) or dangerously malicious intentions cannot reach critical information. Password hashes that a contractor can read with off-the-shelf tools, and that fall to an ordinary cracker, point to two fixes: restrict read access to the credential store to the authentication service itself, and store hashes with a per-user salt and a deliberately slow function, so that a dump is no longer the same thing as a list of passwords.
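The attack described in this post, obtaining a table of password hashes and running a cracker against it, is shown below as an added example (not code from the Post article or from any FBI system), alongside the storage scheme that blunts it. The account names, passwords and wordlist are constructed; the hash formats are assumptions for the demonstration, since the page does not say what the FBI system actually stored. The unsalted scheme lets one hash computation test a candidate word against every account at once; the salted, iterated scheme makes the attacker pay a full key-derivation run per (account, candidate) pair.

```python
import hashlib
import hmac
import os

# Constructed demonstration data: a tiny wordlist and four hypothetical accounts.
WORDLIST = ["password", "letmein", "springfield", "Summer06", "fbi2004", "qwerty", "welcome1"]


def sha1_unsalted(password):
    """The weak scheme (assumed for the example): one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


# The "dumped" table the attacker walks away with: username -> unsalted SHA-1 digest.
FAST_HASHES = {
    "agent_a": sha1_unsalted("Summer06"),
    "agent_b": sha1_unsalted("springfield"),
    "admin":   sha1_unsalted("welcome1"),
    "analyst": sha1_unsalted("Tr0ub4dor&3"),  # not in the wordlist, so it survives
}


def crack_fast(hashes, wordlist):
    """Offline dictionary attack against unsalted hashes.

    Each candidate is hashed once and looked up against every account: with no salt,
    one hash computation tests a word against all 38,000 users at the same time."""
    lookup = {sha1_unsalted(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in hashes.items() if digest in lookup}


# The hardened scheme: a per-user random salt and a deliberately slow KDF. The iteration
# count is kept small so the demonstration runs quickly; real deployments use far more.
PBKDF2_ITERATIONS = 50_000


def pbkdf2_record(password, salt=None):
    """Store (salt, derived key) instead of a bare hash."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, derived


SLOW_RECORDS = {
    "agent_a": pbkdf2_record("Summer06"),
    "analyst": pbkdf2_record("Tr0ub4dor&3"),
}


def crack_slow(records, wordlist):
    """The same dictionary attack against salted PBKDF2 records.

    The salt defeats the shared lookup table, so every (user, word) pair costs a full
    PBKDF2 run: the work becomes users x words x iterations instead of just words."""
    found = {}
    for user, (salt, derived) in records.items():
        for word in wordlist:
            candidate = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, PBKDF2_ITERATIONS)
            if hmac.compare_digest(candidate, derived):
                found[user] = word
                break
    return found


def attack_cost(users, words, iterations):
    """Hash evaluations for one full dictionary pass: (unsalted fast hash, salted slow KDF)."""
    return words, users * words * iterations


if __name__ == "__main__":
    print("unsalted SHA-1 cracked:", crack_fast(FAST_HASHES, WORDLIST))
    print("salted PBKDF2 cracked: ", crack_slow(SLOW_RECORDS, WORDLIST))
    print("cost, 38,000 users x 1M words:", attack_cost(38_000, 1_000_000, PBKDF2_ITERATIONS))
```

Both schemes give up the weak passwords in the wordlist and neither gives up the one that is not in it; the difference is the bill. Against the unsalted table, a million-word dictionary costs a million hashes no matter how many accounts were dumped; against salted PBKDF2 with the modest iteration count above, the same pass over 38,000 accounts costs on the order of 10^15 hash evaluations. A 90-day rotation changes neither number.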