funsec mailing list archives

Re: NSLs, Other Privacy Issues


From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 13 Mar 2013 21:02:59 -0400

On Tue, Mar 12, 2013 at 6:05 PM, John Bambenek
<bambenek.infosec () gmail com> wrote:
> I'm working on a quick study on the use of NSLs and other aspects of
> federal law/policy that impact computer privacy.  Since, among other
> things, this tends to be a pretty "libertarian" leaning group, I figured
> I'd get your input on the things the US Gov't does that negatively
> impacts privacy and recommendations for alternatives (besides the
> obvious "stop it").

It depends who you are and who you seek privacy from. For the average
citizen, privacy is a myth and privacy laws are a dog and pony show.
Law enforcement cooperation, executive orders, NSLs, abuses and lack
of oversight make privacy a myth for most people.

Government will go to the data sources and simply ask for cooperation
- and usually get it. If they can't get what they want by asking, they
will use other measures including court orders and breaking the law
(or the former law). Confer: Google or the Telecoms,
http://epic.org/privacy/nsl/,
http://www.networkworld.com/community/node/48975 and
https://www.eff.org/nsa-spying.

I'm especially interested in data security failures, and how they
affect privacy. The topics are usually closely related. For example,
you often agree to share non-public and sensitive information with an
organization with some expectation of 'due diligence'. Sometimes, the
data is even governed by federal law, such as FERPA, HIPAA, SOX, etc.

46 states have data breach laws with varying levels of what
constitutes 'sensitive' information
(http://www.ncsl.org/issues-research/telecom/security-breach-legislation-2011.aspx).
State data breach laws usually require notification, so a business's
liability is usually about 40 cents (the cost of a letter). Most
states don't enforce their laws (California seems to be an exception).
I've personally written to the Attorney General in my state of
residence to alert of violations, but nothing has ever been done.

After a breach, the laws strongly favor the fuck-ups who lost your
data. I've watched every class action thrown out. For example, you
can't even recover damages for credit monitoring services - it was not
recognized as a damage and it was thrown out too:
http://blog.ericgoldman.org/archives/2012/11/court_kicks_dat_1.htm.

While legislation such as FERPA, HIPAA, SOX, etc. give the illusion of
privacy, they do not deliver. It's simply a shell game to make you feel
like you have privacy. Take time to read, for example, HIPAA or SOX.
It's a license to give away your data so that businesses and firms have
little to no legal liability. It's a license to steal.

As far as I know, the citizen or the user is not considered a victim
even when it's your data which is lost. Currently, the victims are the
businesses who end up losing your data. As stewards of the data, they
are not even held responsible or accountable after a loss. Recognizing
the corporation as the victim occurred around 1987, if I recall
correctly.

The FTC could help by enforcing rules on deceptive trade practices, such
as a business claiming "industry standard data security and
encryption" when the business does not practice it
(https://www.idradar.com/news-stories/social-media/LinkedIn-Wins-Round-One-In-Data-Breach-Suit).

It would be nice if the law recognized data as belonging to an
individual, and businesses were just stewards of the data who must
protect it. Users and individuals need recourse so they can be made
whole; and users and individuals need punitive damages so 'do nothing'
is no longer cost effective for a corporation.

I expect we'll get legislative relief and punitive damages about the
time we see software liability laws. It will probably be the later of
(a) the sun burning out, or (b) hell freezing over. It's just not going
to happen while businesses can purchase and trade politicians like
trading cards.

Jeff

By the way, I was stung by a data breach in the 1990s. It cost me over
$10,000 to fix. I keep a close eye on data breaches through a number
of Google alerts. As far as government and privacy, government is just
another adversary in my threat model (seriously). I design my systems
to keep them out, knowing full well they have judicial purview.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.