September 12th, 2008 by dm Email, Law & Policy, Spam 2 Comments

This just in, from the Washington Post.

"The Virginia Supreme Court today invalidated the state’s "anti-spam" law, designed to prevent the sending of masses of unwanted e-mail, by saying the law broadly violated the First Amendment right to freedom of speech, in particular anonymous speech."

The Virginia spam law makes it a misdemeanor to send unsolicited bulk e-mail using false transmission information, such as a phony domain name or Internet protocol (IP) address. The domain name is the e-mail address. The Internet protocol address is a series of numbers, separated by periods, assigned to every e-mail account. The crime becomes a felony if more than 10,000 recipients are mailed in a 24-hour period.

Justice Agee, writing the opinion, held that the only way to engage in anonymous protected speech would be to falsify IP address or domain name information, and because such an act is prohibited by the Virginia spam law, the law must be struck down.

We have written in the past about the freedom of border agents to search laptops at the border crossing points.

A new opinion (PDF) in United States v. Arnold by the Ninth Circuit Court of Appeals, dated April 21, 2008, confirms this trend by holding that customs officers may examine the electronic contents of a passenger’s laptop without reasonable suspicion.

The Facts. Arnold, a 43-year-old, arrived at Los Angeles International airport from the Philippines. At Customs, he was sent to secondary inspection, where the officer asked him to turn on his laptop to determine whether it was functioning. Once the computer booted up, the desktop showed folders named "Kodak Pictures" and "Kodak Memories." The agents opened the folders and noticed pictures of nude women. The agents then questioned Arnold about his computer and his trip, and upon review of the images, determined that several of them were, in the agents’ belief, child pornography.

The Opinion. After a district court granted Arnold’s motion to suppress the evidence, the Ninth Circuit reversed. The Ninth Circuit based its opinion on Supreme Court precedent holding that the right of the United States to protect its border is paramount; however, that authority is not unlimited. The two major exceptions for border searches conducted without reasonable suspicion are searches which cause "exceptional damage to property" or searches conducted in a "particularly offensive manner." The Ninth Circuit held that the record did not support a finding under either exception and therefore the search was proper.

December 16th, 2007 by James Paulick Law & Policy No Comments

Proposed rule FRE 502’s goal is to limit the possible waiver of privileged attorney-client and attorney work-product material, but the underlying drive behind the amendment is to reduce the cost of electronic discovery. More specifically, the bill aims to reduce the cost of poring over each document, file and email to determine whether that data contains otherwise privileged information. The cost of this process is enormous, and parties still end up inadvertently disclosing some privileged information. This proposed amendment will codify the common practice of limited waiver agreements between parties, but I don’t believe it will significantly reduce the overall cost burden of searching for privileged information located in discoverable material.

The proposed amendment 502 has three logical parts. However, I will only be focusing on subsection (b), which states that when a disclosure of privileged material is made in a federal proceeding or to a federal agency, the disclosure does not constitute a waiver if (1) the disclosure is inadvertent; (2) the holder of the privilege or protection took reasonable steps to prevent disclosure; and (3) the holder promptly took reasonable steps to rectify the error, including (if applicable) following Federal Rule of Civil Procedure 26(b)(5)(B).
 
Although rule 502 should be enacted to provide consistency among the federal jurisdictions, it is not going to save significant costs, for two reasons. First, most parties already enter into agreements that effectively accomplish what 502 states. A typical situation arises when both parties understand that they will be dealing with massive amounts of data, and both wish to reduce the risk of disclosing privileged information. In fact, courts already encourage such agreements in the wake of electronic discovery: “Judges often encourage counsel to stipulate at the outset of discovery to a “nonwaiver” agreement … to “take back” inadvertently produced privileged materials…”, Hopson v. Mayor, 232 F.R.D. 228 at 232 (2005). However, these agreements are only effective between the parties to the contract, and inadvertent disclosure to third parties in the lawsuit may still result in a waiver. Chubb v. National Bank of Washington, 103 F.R.D. 52 at 68 (1984). Proposed rule 502 would apply a uniform protection from waiver on inadvertent disclosure to all parties. Regardless of the inconsistency between the agreements of today and the uniform rule of tomorrow, the landscape of what constitutes a waiver will not change significantly. Therefore, the cost and burden of electronic discovery will persist.

Secondly, subsection (b)(2) of proposed rule 502 still requires the holder of the privilege to take reasonable steps to prevent disclosure. I fail to see the realistic difference in the burden of “sifting for privileged information” before and after this rule is enacted, regardless of the intentions of the authors of the amendment. The Judicial Conference Committee on Rules of Practice and Procedure states that:
“The proposed new rule facilitates discovery and reduces privilege-review costs by limiting the circumstances under which the privilege or protection is forfeited, which may happen if the privileged or protected information or material is produced in discovery. The burden and cost of steps to preserve the privileged status of attorney-client information and trial preparation materials can be enormous. Under present practices, lawyers and firms must thoroughly review everything in a client’s possession before responding to discovery requests. Otherwise they risk waiving the privileged status not only of the individual item disclosed but of all other items dealing with the same subject matter. This burden is particularly onerous when the discovery consists of massive amounts of electronically stored information.”
Again, I agree with proposing a uniform policy, but I fail to see how this rule will save the costs of electronic discovery. After this rule, parties are still going to have to pay the price, in money and time, of going through the data to meet the burden of taking “reasonable steps to prevent disclosure.” Perhaps we will just have to see exactly how that burden is applied. Most likely, firms will relax the scrutiny with which they inspect for privileged information, and rely on their overall prudent and reasonable undertakings after the fact to prove to the judge that they took “reasonable steps to prevent disclosure”. It remains to be seen. However, I see no windfall reduction in electronic discovery costs.

Although the proposed rule, in all fairness to the authors, will provide consistency among jurisdictions from a legal policy point of view, it still doesn’t address the enormous costs of sifting through gigabytes of electronic information in search of privileged information.

November 9th, 2007 by dm 1030, Law & Policy, Phishing 2 Comments

Many of our readers know that the principal cybercrime statute in the United States is the Computer Fraud and Abuse Act, 18 U.S.C. 1030. It has served well over the years since its enactment, but some prosecutors (and civil plaintiffs, to whom it also applies) have complained that it does not keep up with newer types of cybercrime. Possibly in response to these critics, Senators Hatch (UT), Biden (DE), and Cochran (MS) have introduced an amendment to Section 1030.

The new bill, "Cyber-Crime Act of 2007" (S. 2213) (Thomas tracker) would make three substantial amendments:

First, it would prohibit "conspiracy to commit an offense" as well as the offenses actually committed. Currently Section 1030 does not explicitly cover "conspiracy" to commit any of its prohibited offenses, although prosecution was possible under other "conspiracy" provisions of Title 18. The bill makes this explicit.

Second, the bill seeks to expand the required damage-to-protected-computers threshold from $5,000 in a one-year period to "damage affecting 10 or more protected computers during any one-year period." Currently, in order to prosecute a cybercriminal under some provisions of 1030, there must have been a minimum of $5,000 in damages caused by the alleged cybercrime. In many cases this was not an issue, for example where the cybercrime caused a direct financial loss of $5,000. However, other cases may not be so clear-cut. For example, if a small company’s computer is breached and the company expends some time and effort to investigate and fix the problem, the question becomes whether the expenses the company incurred meet the $5,000 threshold. Should full-time employees’ time be calculated on a per-hour basis to determine damages? How should loss of goodwill be calculated if the breach becomes public? In some cases these have proven difficult questions.

Other reasons to introduce the 10-computer damage requirement are two relatively new types of crime: Distributed Denial of Service (DDoS) and botnets. The two are very closely interrelated in that the cybercriminal obtains control of a large number of computers (sometimes called ‘zombies’, and almost always substantially more than 10) which they use to disable Internet resources, send spam or phishing e-mails, or use the substantial aggregate computing and network power of the botnet for other evil purposes. Because by definition the owners of the zombie computers would not know that they are part of the botnet, they would not be able to assert damages and meet the $5,000 threshold. Creating a 10-or-more-damaged-computers provision would allow prosecution of botnet operators under Section 1030 without having to show monetary damages to a particular zombie machine.

The reality is that botnet operators can possibly be targeted under Section 1030 for the damage they do as a result of using the botnet to commit a specific act (e.g. spam, phishing, DDoS); however, the newly proposed provision would allow prosecution before the cybercriminals strike, not after. Kudos for providing tools for proactive legal measures against such acts.

The third of the proposed substantial amendments adds cyber-extortion and threats to reveal confidential information illegally obtained from a computer to the definition of computer damage, making them eligible for prosecution under 1030. This provision also aims to deal with a frequent type of cybercrime where there is no verifiable damage. Cyber-extortion can take many forms, but most often the cybercriminals seek to obtain money or something of value in exchange for either i) not attacking or disabling a certain computer or network resource or ii) not releasing confidential information obtained in an illegal way. The new provision covers these and similar situations.

The proposed amendments to Section 1030 are a good step towards catching up with cybercriminals. Senator Biden’s statement in connection with the proposed bill says that the "[c]urrent law hasn’t kept up with the fast pace of new criminal technologies–right now there are holes in the law that cyber-criminals can readily exploit. The Cyber-Crime Act will fix this, update the law and put us one step ahead of the cyber-criminals, instead of one step behind."

We have written about the prevalence of botnets and the fact that they are one of the major causes of modern-day cyberattacks. This is hardly in any dispute today. The debate is what should be done to fight the increasingly powerful botnets and there does not seem to be an easy answer.

Some have suggested that ISPs should be responsible for botnets, because the ISP is the party in the chain of Internet traffic closest to the infected at-home zombie PC, and therefore the party most capable of stopping the proliferation of malicious Internet traffic, whether it originates from an already infected zombie PC or is aimed at infecting a PC within the ISP’s network.

A recent report by the Internet Security Operations Task Force (ISOTF) suggests that many ISPs not only fail to address a substantial number of botnet complaints, but that some ISPs named in the report did not address any of the complaints directed at them.

The ISOTF report suggests that many ISPs are slow to react to botnet complaints. This is troubling because the ISP has been put on notice of a problem customer or computer and fails to do anything to stop an already identified threat. This is not proactive scanning, detection, or prevention, which may require sophisticated network traffic shaping or detection. This is simple customer relationship management: approaching the complaint and resolving it in a timely fashion. In fairness to ISPs, many of which are small operations, they may not have the manpower and resources to deal with a large-scale botnet attack on their network and respond to all complaints in a timely fashion.

On the other side of the equation is proactive botnet prevention. There are commercial services which provide real-time monitoring for ISPs. For example (and without any endorsement or personal interest), Arbor Networks offers a service called PeakFlow that continually monitors networks to look for threats such as DoS attacks. Of course such services cost money, but the ISP is in the best position to spread the cost across its subscribers. The customers would get at least some assurance that their at-home PCs would work better and be less likely to become botnet zombies. The ISP would free some resources from having to deal reactively with botnet complaints and be able to shift those resources to more productive tasks.

There are other aspects of this debate. For example, some would argue that it is not the ISP’s business to filter traffic and to determine on its own what kind of traffic should be filtered or not, a modified version of the net neutrality argument. Others argue that it is the end user’s responsibility to ensure that his or her PC is properly protected and, if infected, to properly clean it up. However, such arguments seem to miss the point. ISPs should be able to protect their own infrastructure by having the sole authority to determine what is malicious traffic and to act in an appropriate way to stop such traffic. And although individual users should be responsible for their own PCs, the cumulative effect of zombie PCs within an ISP’s network is to potentially threaten the ISP’s operations, and, again, the ISP should be able to act to protect itself.

There is no silver bullet for this problem. But if good technological solutions are available for ISPs to use, and if such solutions are economically feasible, an ISP should deploy them for their own networks’ sake and for the sake of the security of the Internet as a whole.

April 12th, 2007 by dm Law & Policy 1 Comment

Many information security officers face a difficult task in educating their user base on proper security practices and procedures. Education is a key element of good security practice, and Microsoft has given us all a hand in this process.

The Security Awareness Program developed by Microsoft includes a white paper, Key Considerations for Developing Effective Information and Training Programs, and an End User Security Awareness presentation template and video. Together they provide material to help you articulate to management and peers within your company what is involved in building an information security awareness and training program. One cool thing is a set of templates for various types of communications (emails, PowerPoint decks, factsheets, etc.) which allow easy customization to your audience while helping convey important security awareness topics.

The entire package is a 120MB download but it is well worth it.

April 9th, 2007 by dm Law & Policy 2 Comments

Spreadsheets, often spread across servers, network drives, USB keys, or email messages, are what make a modern business function properly. The information stored in Excel sheets is often critically important not only to the organization but also to the data subjects, ranging from business plans to competitive proposals or salary or HR data.

Considering the prevalence of data stored in Excel and the importance of such data, it is surprising that there are few good technical information security solutions to protect Excel data. Microsoft doesn’t provide much security with Excel. In fact, as Microsoft has stated, the security features in Excel are not actually there to provide security but to make life easier for users. For example, you can hide worksheets from users so as not to confuse them and you can apply what locking is available for the same reason: so that users just focus on what they need to do and not on other stuff.

Phil Howard has an article in the Register in which he criticizes all major enterprise spreadsheet management vendors for not focusing on the right place. Currently, such vendors put the emphasis on Sarbanes-Oxley (and similar) compliance regulations, for example the ability to track changes to spreadsheets so that there is an accountability trail if a spreadsheet turns out to “misstate” corporate earnings by a major amount. This is an important task in corporate governance, and after SarbOx regulations created a need and a (pretty lucrative) market for this kind of software, many vendors have not looked at the building blocks of spreadsheet security.

What good does a tracking mechanism do if a spreadsheet is so insecure that it can be manipulated easily? We should not be putting the cart before the horse. Instead, spreadsheet vendors (including Microsoft) should focus on providing adequate tools for spreadsheet security (cell locking, role-based access, etc.) before they focus on money- and headline-making features. Without baseline security, the enterprise is likely to lose money and make the wrong headlines when it suffers a breach because of its lack of spreadsheet security.

I received this book a couple of weeks ago, but my schedule was very busy so I have only just had a chance to review and comment on it. The book is a very interesting collection of essays from leading scholars and practitioners in the area, focusing on the “newness” of cybercrime prosecution and law enforcement. This site aims to highlight the new ways of committing crime and the new ways that are required to prevent it, combat it, and prosecute it, so the book is a good paper source for those readers who like this site.

The book is divided into five major parts: the new crime scene, the new types of crimes, the new cops, the new tools available for prosecution, and the new procedural aspects of cybercrime. Among the topics covered are crimes in virtual worlds, policy issues of cybercrime, Internet surveillance, cybercrime conventions and legal issues surrounding digital evidence. The selection of authors is excellent; the presence of authors such as Orin Kerr and Susan Brenner, to name a few, lends a great deal of credibility to the entire collection.

My thought: an excellent selection of relevant materials. The timing of this book’s release could not be better; legal issues of crime in virtual worlds, surveillance of electronic communications, and the procedural and substantive legal issues of cybercrime are things courts and practitioners should be well familiar with.

You can purchase it here.

Disclosure - I am not affiliated with any of the authors, editors, or the publisher of this book. I do not stand to gain monetarily or in any other way from this book.

February 23rd, 2007 by dm Law & Policy No Comments

Eric Goldman alerts us to a new bill pending in New York which would make it a crime to sell domain names to terrorist organizations. The relevant portion of the proposed bill is:

A person is guilty of criminal sale of an internet domain name to a terrorist group when he or she knowingly sells or provides without charge an internet domain name to any organization included on the list of organizations engaged in terrorist activities or who pose a terrorist threat compiled, maintained and updated by the state office of homeland security pursuant to paragraph (t) of subdivision two of section seven hundred nine of the executive law. Criminal sale of an internet domain name to a terrorist group is a class A misdemeanor.

Read the full text at the New York State Legislature site; search for bill A5026/S63 (direct linking is not possible).

I do not doubt that the bill honestly aims to prevent terrorism by making it difficult for terrorist organizations to obtain web domain registrations, at least in the State of New York. But is this a practical solution? Let’s say that a domain name registrar located in New York has to comply with this law. What would they do? They would have to constantly update the list of terrorist organizations maintained by the local DHS office, then compare each new domain registration against the list. Arguably, this can be automated to some degree.

The problem comes from the fact that the domain name registration system does not require a shred of verification of the identity of the domain name registrant. In fact, many registrants, among them spammers, phishers, and terrorists, would not even bother putting the name and address information in proper format. The falsity and unreliability of whois domain records are notorious. So why does the New York legislature think that registrants would start using their real information, especially when they try to obtain a domain name for hostile purposes?

The law, if passed, would do no more than create some additional requirements for domain registrants who are subject to the law, and not much else. Rather than raising the cost of doing business for domain registrars with little effect, the legislature might think about how it can improve the reliability of the information provided by registrants in the first place.

February 22nd, 2007 by dm Law & Policy No Comments

Korea appears at the top of many statistics tracking spam, phishing, zombies, and other kinds of cybercrime. Why is this?

There are a few apparent reasons: the dominance of the Windows OS in Korea, an anecdotal lack of interest in cybersecurity, and state-of-the-art Internet infrastructure make Korea a top choice for cybercriminals. The numbers showing Korea as one of the top producers of Internet threats are not due to Koreans’ bad manners or nature. In fact, most of the attacks originating from Korea are not even caused by Koreans; instead, criminals from all over the world target Korean computers and try to build zombie networks out of them precisely because they are guaranteed high throughput and efficiency for their attacks.

Because roughly 14 million of the nation’s 15.5 million households are connected to always-on high-speed Internet, Korea makes a prime target for viruses and worms. The Korean government even plans to increase the speed of the Internet to 100 megabits per second by 2010, about 50 times faster than the current speed.

The February 6 DDoS attack on critical DNS servers was attributed partially to a large number of Korean computers. Attackers tried to bring down the Internet infrastructure by using zombie computers with high-speed Internet connections to send a flood of packets. The February 6 attacks were largely unsuccessful, but they show that in the future, with a larger number of PCs connected to faster Internet service, such attacks may succeed.

Korea has done a great job in creating an exemplary Internet infrastructure and has achieved the highest broadband penetration in the world. But with success comes responsibility, and the Korean government should take steps to educate its users and to technologically protect the network it has created.
