funsec mailing list archives
Re: NSLs, Other Privacy Issues
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 13 Mar 2013 21:02:59 -0400
On Tue, Mar 12, 2013 at 6:05 PM, John Bambenek <bambenek.infosec () gmail com> wrote:
I'm working on a quick study on the use of NSLs and other aspects of federal law/policy that impact computer privacy. Since, among other things, this tends to be a pretty "libertarian" leaning group, I figured I'd get your input on the things the US Gov't does that negatively impact privacy and recommendations for alternatives (besides the obvious "stop it").
It depends who you are and who you seek privacy from. For the average citizen, privacy is a myth and privacy laws are a dog and pony show. Law enforcement cooperation, executive orders, NSLs, abuses and lack of oversight make privacy a myth for most people. Government will go to the data sources and simply ask for cooperation - and usually get it. If they can't get what they want by asking, they will use other measures including court orders and breaking the law (or the former law). Confer: Google or the Telecoms, http://epic.org/privacy/nsl/, http://www.networkworld.com/community/node/48975 and https://www.eff.org/nsa-spying.

I'm especially interested in data security failures, and how they affect privacy. The topics are usually closely related. For example, you often agree to share non-public and sensitive information with an organization with some expectation of 'due diligence'. Sometimes, the data is even governed by federal law, such as FERPA, HIPAA, SOX, etc.

46 states have data breach laws with varying levels of what constitutes 'sensitive' information (http://www.ncsl.org/issues-research/telecom/security-breach-legislation-2011.aspx). State data breach laws usually require notification, so a business's liability is usually about 40 cents (the cost of a letter). Most states don't enforce their laws (California seems to be an exception). I've personally written to the Attorney General in my state of residence to alert them to violations, but nothing has ever been done.

After a breach, the laws strongly favor the fuck-ups who lost your data. I've watched every class action thrown out. For example, you can't even recover damages for credit monitoring services - it was not recognized as a damage and it was thrown out too: http://blog.ericgoldman.org/archives/2012/11/court_kicks_dat_1.htm.

While legislation such as FERPA, HIPAA, SOX, etc. gives the illusion of privacy, it does not deliver. It's simply a shell game to make you feel like you have privacy.

Take time to read, for example, HIPAA or SOX. It's a license to give away your data so that businesses and firms have little to no legal liability. It's a license to steal. As far as I know, the citizen or the user is not considered a victim even when it's your data which is lost. Currently, the victims are the businesses who end up losing your data. As stewards of the data, they are not even held responsible or accountable after a loss. Recognizing the corporation as the victim occurred around 1987, if I recall correctly.

The FTC could help by enforcing rules on deceptive trade practices, such as a business claiming "industry standard data security and encryption" when the business does not practice it (https://www.idradar.com/news-stories/social-media/LinkedIn-Wins-Round-One-In-Data-Breach-Suit).

It would be nice if the law recognized data as belonging to an individual, and businesses were just stewards of the data who must protect it. Users and individuals need recourse so they can be made whole; and users and individuals need punitive damages so 'do nothing' is no longer cost effective for a corporation.

I expect we'll get legislative relief and punitive damages about the time we see software liability laws. It will probably be the latter of (a) the sun burning out, or (b) hell freezing over. It's just not going to happen while businesses can purchase and trade politicians like trading cards.

Jeff

By the way, I was stung by a data breach in the 1990s. It cost me over $10,000 to fix. I keep a close eye on data breaches through a number of Google alerts. As far as government and privacy, government is just another adversary in my threat model (seriously). I design my systems to keep them out, knowing full well they have judicial purview.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.