Privacy and Civil Liberties – Medill National Security Zone
http://nationalsecurityzone.medill.northwestern.edu
A resource for covering national security issues
Tue, 15 Mar 2016 22:20:28 +0000

Minimizing your digital trail
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/21/minimizing-your-digital-trail/
Sat, 21 Mar 2015 14:55:50 +0000

WASHINGTON — In popular culture, going “off the grid” is generally portrayed as either unsustainable or isolated: a protagonist angers some omniscient corporate or government agency and has to hole up in a remote cabin in the woods until he can clear his name or an anti-government extremist sets up camp, also in the middle of nowhere, living off the land, utterly cut off from society at large.

But is there a way to live normally while also living less visibly on the grid? What steps can you take to reduce your digital footprint that don’t overly restrict your movements?

What is a digital footprint?

Your digital footprint is the data you leave behind when you use a digital service—browse the web, swipe a rewards card, post on social media. Your digital footprint is usually one of two classifications: active or passive.

Your active digital footprint is any information you willingly give out about yourself, from the posts you put up on Facebook to the location information you give to your local mass transit system when you swipe your transit pass.

By contrast, your passive digital footprint is information that’s being collected about you without your express knowledge or authorization, for example, the “cookies” and “hits” saved when you visit a website. When you see personalized ads on Google, for example, those are tailored to your personal preferences as inferred from your passive digital footprint.

To assess my digital footprint, I looked through my wallet, my computer and my phone.

The footprint in your wallet

First, the wallet: I have several rewards cards, each representing a company that has a record of me in its database that shows how often I shop and what I buy, which is linked to my name, address, email and birthday—plus a security question in case I forget my password, usually my mother’s middle name.

While I would consider this information fairly benign—they don’t have my credit card information or my Social Security number—these companies can still make many inferences about me from my purchases. CVS, for example, could probably say fairly accurately if I’m sick based on my purchase of medications, whether I’m sexually active based on birth control purchases and any medical conditions I may have based on my prescription purchases.

If I wanted to minimize my digital footprint, I could terminate all my rewards accounts and refrain from opening any more. For me, though, it’s worth allowing these companies to collect my information in order to receive the deals, coupons and specials afforded me as a rewards member.

Next up is my transit pass, which is linked to my name, local address and debit card. The transit authority has a record of every time I swipe my way onto a city bus or train, a record of my movements linked to my name.

A minimal-footprint alternative to a transit pass is single-use fare cards. If purchased with cash, they would leave no record of my travels linked to my name. While this, like the rewards cards, is feasible, it’s far less convenient than the pass—so much less so that again I’m willing to compromise my privacy.

My debit card and insurance card are the two highest-value sources of personal information, but both are utterly necessary—living half a country away from my local credit union, I need my debit card to complete necessary transactions. My medical insurance card, relatively useless to identity thieves unless they have an ID with my name on it, does represent another large file in a database with my personal information—doctors’ visits, prescriptions and hospital stays for the past several years. People with just the physical card, not my license or information, can’t do much with that, but if a hacker gets to that information it could be very damaging.

No driver’s license? No credit card?

To minimize my digital footprint, then, I could pare down my wallet to just the absolute necessities—my insurance card, debit card and my license.

Computer footprint

If I’m guilty of leaving a large digital footprint, all my worst infractions probably happen across the Web.

Between Facebook, Twitter and Pinterest, I’ve broadcast my name, picture, email, hometown and general movements, if not my specific location, on each of those sites. Of the three, Facebook certainly has the most comprehensive picture of my life for the past seven years—where I’ve been, with whom, what I like and what I’m thinking.

If I wanted to take myself as far off the grid as feasible, simply deactivating the accounts wouldn’t work—Facebook keeps all your information there for you to pick up where you left off. You can permanently delete it with no option for recovery, but some information isn’t stored just on your account—messages exchanged with friends, for example, or any information shared with third-party apps.

If you keep using social networking sites, privacy policies change frequently, meaning that even if you choose the most restrictive privacy settings, you often have to go back and re-set them whenever the company changes its policy. Apps complicate things even further, farming out much of your information to third-party companies with different privacy policies.

Even if you’re vigilant about your privacy settings and eschew apps, your profile is only as private as your most public Facebook friend, said Paul Rosenzweig, a privacy and homeland security expert.

When shopping online, it’s important to check the privacy statements and security policies of the companies you’re using. If possible, purchase gift cards to the specific retailer or from credit card companies and use those to shop, so you don’t leave your credit card information vulnerable to breaches like that of Target.

I know that email is not my friend when it comes to online privacy, but I can’t operate without it. I use Gmail on Google Chrome for my email, so I installed Mymail-Crypt. It’s one of several “pretty good protection,” or PGP, encryption programs. Using it, my messages appear to be a jumbled bunch of letters until the recipient decrypts them using their private key. I can save my public key to a key server, like the aptly named Keyserver, where it’s searchable by my email or key ID. I can then link to it on my personal profiles such as Facebook or LinkedIn. People can then send an encrypted email to me using my public key that cannot be read without my private key to unlock it. I’ve also started encrypting my G-Chats using Off the Record chat.

Email can be used against you. Phishers have started to send more sophisticated emails imitating individuals or companies you trust in order to convince you to give up information like your Social Security number or credit card data. Drew Mitnick, a junior policy counselor at digital rights advocacy group Access Now, said you need to be vigilant no matter what you’re doing on the internet.

“Ensure that whoever you’re dealing with is asking for appropriate information within the scope of the service,” he said. In other words, Gap shouldn’t be asking for your Social Security number.

To limit cookies and other data collection during your Internet use, you can open incognito windows in Google Chrome. In incognito mode, the pages you view don’t stay in your browser or search histories or your cookie store—though your Internet service provider and the sites you visit still have a record of your browsing.

Finally, encrypt your hard drive. Privacy laws vary from state to state and country to country, so the best way to ensure that you’re protected no matter where you are is to encrypt your computer and be careful not to leave it where someone can mess with it, said Mitnick.

Phone footprint

Another source of vulnerability for many people is a smartphone. As long as you have a phone, you’re on the grid—phone companies can triangulate your position using cell phone towers and location services, and they log your calls. Beyond that, though, there are steps you can take to limit information people can access about you using your phone.

First, be judicious when installing apps. Carefully read the permissions an app requires for installation, and if you’re uncomfortable with them, don’t install it! Read privacy policies and terms of use so you know what data the app keeps on you.

Because I have a Windows phone, many of the basic apps (alarms, maps, Internet Explorer, music, and Microsoft Office) are Microsoft apps and use their terms of use and privacy policy, which is pretty good about not sharing my information with third parties. They also delete your account data after you delete their app, though it may take a few weeks.

I have several social apps, such as the aforementioned Facebook and Pinterest, for which the privacy settings are fairly similar to their desktop counterparts—not very private—with the added bonus of them now having access to my location and phone number. It’s entirely possible—and advisable, if you’re trying to leave a minimal footprint—to live without these apps, but I choose not to.

I’m selective about the apps I install on my phone. Aside from the apps that come with the phone and my social media apps, I only have Uber—and that has a lot of access to my phone. According to the app information, Uber can access my contacts, phone identity, location, maps, microphone, data services, phone dialer, speech and web browser. That’s a lot, and not all of it seems necessary—why does Uber need my contacts? Again, though, I chose to compromise my privacy on this one because the convenience, for me, outweighed the risk.

A precaution I’ve always taken is turning off my location service unless I need it. While my cell phone company can still track me, this prevents my apps from accessing my location. I don’t need Pinterest or Facebook to know where I am to get what I want out of the app, so I don’t provide that information to them.

One of the projects Access Now has been working on is “super cookies”—when you use your cell phone, the cell companies can attach unique identifiers to your browsing as you go across multiple sites. Many companies don’t even offer opt-outs. AT&T has now stopped using super cookies, but other companies still do so.

If you don’t already, use two-step verification whenever possible to ensure that no one but you is logging onto your accounts. This process, used by Gmail, has you enter your password and a one-time numerical code texted to a phone number you provide.

Set a passcode to your phone if you haven’t already, and make it something people couldn’t easily guess—don’t use your birthday, for example. I’ve started using random numbers and passwords generated for long-defunct accounts like my middle school computer login that I memorized years ago but that can’t be linked back to me.

Amie Stepanovich of Access Now suggested using four unrelated words strung together for online account passwords—they’re even harder to hack than the usual suggestions of capital and lowercase letters, symbols and numbers.

One final precaution you can take is to encrypt your device. Apple has already started encrypting its phones by default, and Google has promised to do so. Regardless, you can turn on encryption yourself. I have a Windows phone, which does not allow for easy encryption—in fact, I can’t encrypt my SD card at all. To encrypt my phone, I need to log in to Office 365 on my laptop and change my mobile device mailbox policies to require a password, encryption, and an automatic wipe after a number of passcode fails I choose. I then log into Office 365 on my phone to sync the new settings. It’s much more straightforward for an Android—just go to settings, security, and choose “Encrypt phone.”

Off the grid? Not even close

For me – and most people – it’s not feasible to live entirely off the grid. Between my debit card, various online accounts and smartphone, I pour my personal data into company and government databases every day. The trick is to live on the grid intelligently, only providing the information that is necessary and taking steps to protect your devices from unauthorized access.

Cleaning up after a cyber hack
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/20/infographic-cleaning-up-after-a-cyber-hack/
Fri, 20 Mar 2015 20:16:11 +0000

WASHINGTON — The attacker inevitably has the upper hand when trying to hack a company, cybersecurity experts say.

A company must install security that proactively protects itself from attempted breaches coming in from all sides. A hacker has to find a single weak spot to gain access to the information he or she wants, whether that’s Social Security numbers or data to start a cyberwar.

When companies are facing hundreds of thousands of attempted hacks a day, it’s common for a successful breach to occur, said Mark Rasch, a former federal prosecutor of cyber crimes. Big names such as Home Depot, Target and Anthem Health Insurance have all recently been subject to data breaches.

Cyber experts agreed that companies need to have a step-by-step process in place to use following a hack. A fixed system ensures the attack is fully understood and prevents it from happening again, they said.

An important part in a company’s immediate reaction to a breach is having a quick response team “in place and ready to go,” said Paul Tiao, a partner in law firm Hunton and Williams’ global privacy and cybersecurity practice. Fast mobilization allows the team to stabilize the security system and address legal issues. The company may also wish to contact law enforcement in connection with its internal investigation.

This phase, which Rasch identifies as a step to “stop the bleeding,” lets the company launch an investigation into the details of the hack: how it happened and what was compromised.

Attackers seek all kinds of information on varying levels of importance and secrecy. Some are looking for personal information, including Social Security numbers and bank account numbers. These details are often accessed through credit card numbers, as was the case with Target, or theft of identities, such as with Anthem, Rasch said.

Others attempt to take trade secrets, private corporate intelligence and copyright information — all of which can be used by a competing entity to infiltrate the company network. Attackers could use the data to damage the company or for personal gain.

Although attacks involving credit card and personal identity thefts attract media attention, breaches involving corporate information are actually more common, Rasch said.

“The reason we hear about those attacks has nothing to do with the size of the organization,” he said. “It has to do with the fact that there are laws that require those kinds of data breaches to be disclosed.”

Forty-seven states, with the exceptions of Alabama, New Mexico and South Dakota, have some sort of law that requires entities to tell affected individuals when their personal information has been compromised. However, the statutes do not extend to private company information, which allows these groups to hide such breaches from the public eye, Rasch said.

Tiao attributed some recent breaches to security lapses associated with outside vendors used by companies, as well as to company employees victimized by social engineering schemes.

Tiao’s latter point is supported by a recent paper titled “Hacking the Human Operating System” from Raj Samani, vice president and chief technology officer for the computer security software company McAfee. Samani identifies humans as the “weakest link in system security,” through which attackers infiltrate companies’ networks. Hackers can manipulate company employees and users through various persuasion techniques, Samani says, including using peer pressure on social media and sending catchy emails as clickbait.

With attackers’ strategies and technologies becoming more advanced and complex, it’s difficult for companies to be a step ahead of evolving hackers.

“In the 70s and 80s, hackers were typically lone experimenters,” Rasch, the former prosecutor, said. “In the 90s and 2000s, you started seeing organized groups of people hacking for profit. The next thing you started seeing is state-sponsored hacking, electronic espionage and now hacking as a tool of warfare.”

Even individual hackers are now part of bigger groups and organizations, Rasch said. Communities existing in the dark web allow hackers to exchange advice and tools that allow them to better their strategy.

Formal bands of hackers rally around an “ill-defined common scheme,” whether it’s political or social, Rasch said. He named Anonymous, a “hacktivist” group, and the Syrian Electronic Army, which uses pop-up messages to notify users they’ve been hacked, as some prominent organized sects that have emerged recently.

But more recently, hacking is being used for cyberwar and cyberterrorism — as in the case of North Korea infiltrating Sony Pictures Entertainment in late 2014. Rasch anticipates that cyber attacks will soon trickle into war and be used successfully hand-in-hand with physical combat.

“It could be as simple as using viruses or worms or malware to jam or shut down a nation’s air defenses, so that you can launch an attack and not get your plane shot out of the air,” Rasch said. “All the things you can do with a bomb, you can do with a logic bomb.”

Similar cyber attacks could be used to disrupt nations’ communications, transportation systems and power grids, Rasch said.

So what happens when a company realizes it’s been attacked?

The company must start to repair the existing damage and notify affected customers in compliance with federal and state data breach notification laws — a process that must be done carefully, yet quickly, Tiao said.

It’s common for companies to send mass letters to their users after a hack has occurred. Days after a major attack affected more than 40 million credit cards at Target, the company sent out a letter in December 2013, disclosing what information had been compromised and advising users to be “vigilant for incidents of fraud and identity theft.”

Target also included a list of Frequently Asked Questions for customers, one of the common communications measures that Tiao suggested in response to a breach of customer personal information. He also recommended consulting public relations experts to deal with the risks, as well as designing a plan for communicating with the media. Litigation and disputes with regulatory agencies and customers are possible, Tiao said, so companies must be prepared to address those.

Entities must also look internally to complete the process of recovering from a hack. Rasch said that companies will assess their vulnerabilities to ensure they won’t experience a similar hack again.

“Every company, no matter their size, has to go back and look at ‘what are our family jewels?’ in terms of information,” Rasch said. “What we’re seeing now is that information security is critical to the operations of businesses of all sizes. There has to be an appreciation for that and a commitment of resources to protect that theft and to recover from breaches.”

By conducting an extensive review of a company’s information assets, its staff can address the most important cybersecurity vulnerabilities, Tiao said. Companies can strengthen their network security policies and practices, and train employees to be more secure and aware in cyberspace, he said.

However, Tiao stressed that companies need to be prepared before the attack comes and not be entirely reactive in their approach to cybersecurity. If a company is ready before the hack, the damage will not be as bad after an attack, he said.

Rasch echoed Tiao, saying that it can only be more beneficial to entities to be more aware and knowledgeable in cybersecurity efforts.

“Every organization needs to be able to understand the benefits and the risks associated with electronic commerce,” Rasch said. “That goes to McDonald’s Corporation and all the way down to [Chicago-based] Edzo’s Burger Shop.”

FAA backed away from proposing privacy regulations for drones – but that might be a good thing, experts say
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/20/faa-backed-away-from-proposing-privacy-regulations-for-drones-but-that-might-be-a-good-thing-experts-say/
Fri, 20 Mar 2015 15:03:20 +0000

WASHINGTON—When the Federal Aviation Administration released its proposed “framework of regulations” for governing the commercial use of small unmanned aircraft systems last month, people were surprised. After years of failing to act on a 2012 congressional order to develop regulations, the FAA’s proposal seemingly fell from the sky – unexpected, and as it turns out, an unexpected gift to the drone community.

But noticeably missing from the proposed regulations? Privacy.

And the FAA owned up to it. In a privacy impact assessment issued along with the proposed framework, the agency stated that it “acknowledges that privacy concerns have been raised about unmanned aircraft operations. … These issues are beyond the scope of this rulemaking.”

That makes sense, according to Matt Waite. Privacy is not in its wheelhouse.

“The FAA has said all along that it is not a privacy organization – it is an aviation safety organization. They don’t have the experience or the skill[set] to be in the privacy business,” Waite added.

A professor of journalism and founder of the Drone Journalism Lab at the University of Nebraska-Lincoln, Waite said that the FAA more or less intentionally walked away from building privacy regulations into its proposal. “They had been talking about it and had been claiming that that was the reason it was all being delayed [as] they were considering privacy regulations … But ultimately, nothing.”

Waite said that the implications of that choice suggest that states are going to have to make up the difference.

“The FAA has wisely backed off all privacy issues [because] there’s no need for a new federal privacy bureaucracy [when] states already have protections in place,” said Charles Tobin, a privacy rights lawyer and partner at Holland & Knight.

“The laws that are on the books are all technology agnostic. They apply to computers, they apply to still cameras, they apply to wireless microphones, they apply to video cameras … and there’s no reason that they can’t be applied – as already written – to UAVs,” Tobin added.

He said he understands why people are concerned, but suggests we look to history for any insight we might need. “Since the turn of the century, people have expressed concerns about every single new phase of technology [that has been] developed to allow people to gather information in public places and private places, and so over the decades, states have developed a strong series of statutes and precedents in the courts that deal with electronic surveillance, eavesdropping, trespassing and just about any other concern for invasion of privacy.”

To add additional statutes would be more than redundant, Tobin said. It would be confusing for everyone involved. It also leaves the possibility that one law could potentially violate the other.

While recognizing that the FAA made the appropriate call when it chose to step aside, Tobin said the baton has simply been passed on down the line. A presidential memorandum issued the same day as the FAA’s proposed regulations relays the responsibility to “develop a framework regarding privacy, accountability, and transparency for commercial and private UAS use” to the Department of Commerce. The memo states that the department must initiate a “multi-stakeholder engagement process” within 90 days of the memo’s release – so it must begin work by mid-May. According to Tobin, “the development of private industry best practices” by the Department of Commerce is a positive step – but it should avoid stepping further.

Government trying to involve itself in the regulation of a specific piece of technology is just a terrible idea, Waite said. “As we are already seeing, the government lags way behind technology when it comes to laws that would deal with that technology. It’s taken the FAA a long time to come up with rules for these drones and they’re flying around right now. They’re being used for commercial purposes even though the FAA says, ‘No, you can’t do that.’” Law will forever lag behind technology, he said.

“So if that’s the case, then legislatures and policymakers need to acknowledge and accept that and begin to craft rules that are technology agnostic,” Waite added. Because therein lies the solution to any concerns that privacy might be invaded.

Waite said that the key is deciding what we don’t want people to do – what we need to prevent from happening. “We need to start thinking about what we consider a reasonable expectation of privacy in our modern times. And if that’s not allowing [me to] photograph [someone] streaking in their backyard, then that’s great. We can say I can’t do that. But it shouldn’t matter how I do that, [just that] you don’t want me to do it.”

It’s about understanding what we’re offended by. And then realizing that if privacy was violated, then how it was done is unimportant, he added.

The drone-related privacy concerns of the average American are actually pretty obvious, Waite said. They’re afraid of a drone operator peering into their windows like a 21st Century peeping tom, or using them to stalk and harass people. And they’re also afraid that someone might gather information about them and their behaviors.

Amie Stepanovich, senior policy counsel for privacy advocacy group Access Now, said these concerns are genuine because drone technology is in a league of its own. “Drones have [the] capacity to bring a bunch of different surveillance technologies onto a singular platform and to reach into areas that other vehicles have not been able to get to. For example, up into very high buildings or into inside spaces.”

But many of the acts people are fearful of are actually crimes, Waite said. They’re already illegal. “It is illegal for you to fly up and peer in[to] someone’s window, those peeping tom laws already handle that.” He admitted that some states aren’t as advanced as others because they require that an offender physically be on the property to be prosecuted as a peeping tom. “[But] that doesn’t take a great leap of mind to fix that real quick,” he added.

Gathering information through surveillance is a different issue, however, one steeped with potential for abuse. Stepanovich said that limitations should be put in place to restrict the ways in which government agencies can use drone technology. “It’s highly advanced and gives them a great deal [of] increased capability and can be used to collect a great deal of information,” she said.

“We need things that will, for example, protect users’ location information from being collected and tracked. … It comes back to tracking people over time without a warrant and being able to pinpoint their exact location. And this is true with drones but … there are several other different kinds of technologies that are coming out. And we need to make sure that that information is adequately protected.”

The presidential memo issued in conjunction with the FAA’s proposal states that agencies must “comply with the Privacy Act of 1974, which, among other things, restricts the collection and dissemination of individuals’ information that is maintained in systems of records, including personally identifiable information.”

The White House’s assurance that government agencies will be held accountable to legacy privacy standards is a good thing, Stepanovich said, but she recommends further attribution and transparency.

“The FAA has a publicly accessible database of who is able to fly airplanes in any specific geographic area in the United States. But they haven’t made a similar commitment to do that for drone operators,” Stepanovich said. She calls that a double standard.

People won’t know which agency, company or person is behind the remote of the drone flying over their homes. They’re already fearful, so that’s not the best way to go about this, Stepanovich added.

“And so the FAA definitely has a role to play in protecting privacy,” and she recommends the agency operate a full registry. “We’re talking about transparency, requiring that drone users register what technology they are deploying on their drones, and what capacity these drones will have. This just gets at making sure people are aware of what’s going on in their own area,” she added.

“But it should be up to Congress and other agencies to ensure that users don’t violate one another’s privacy rights.” That requires a separate law, but Stepanovich said it would be a mistake to make a new law for a singular piece of technology.

Like Waite and Tobin, she advises technology agnosticism when it comes to lawmaking. Because technology changes frequently. And for that same reason, Stepanovich said the drone privacy debate is an important one: “It will definitely be worth paying attention to because it’s really deciding the future of this technology in the U.S.”

All three agree that the next 24 months will be very exciting. “We’re sort of in the early years of the Wild West stage here, where the rules and the court cases [haven’t happened] yet,” Waite said. “But things are going to happen and they’re going to be tested in court and they’re going to be squared to our constitutional values and when they are, we’ll actually have a fairly stable system.”

“But until then you’re going to have some crazy stuff going on,” Waite added. “You’re going to see people doing things that were never envisioned and you’re going to see [drones] being used in ways that we hadn’t thought of yet. And some of that’s going to be cool and neat and some of it’s going to be kind of ugly.”

One thing is guaranteed: The waiting game has just begun.

White House pushes for student data regulations
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/white-house-pushes-for-student-data-regulations/
Thu, 19 Mar 2015 21:32:07 +0000

WASHINGTON — When the educational company ConnectEDU filed for bankruptcy about a year ago, it tried to do what any business would — sell off its most valuable asset: student data.

Millions of students submitted personal information such as email addresses, birth dates and test scores to the college and career planning company.

The Federal Trade Commission eventually stopped any transactions involving the data after noting that they violated ConnectEDU’s privacy policy.

Some student educational records are protected through the Family Educational and Privacy Rights Act, or FERPA. Originally signed into law in 1974, FERPA essentially protects the records schools collect on students and gives parents certain oversight and disclosure rights.

The growing influence of technology in classrooms and in administrative data collection, though, is making FERPA out-of-date.

Teachers, students and parents now routinely submit information to educational services companies, such as ConnectEDU. FERPA does not regulate how these companies use that data. And there is no other federal law that does. The companies’ own privacy policies are the only limit to what the companies can do with the information users provide.

The concern is that ConnectEDU may not be the only education technology company that is trying to sell its data to third parties.

ConnectEDU’s databases, for example, were filled with students’ personally identifiable information including names, birthdates, email addresses and telephone numbers. The sale of that information to other companies is not regulated.

In order to bring FERPA up to date, President Barack Obama, in conjunction with partners in the private sector, called in January for legislation to establish a national standard to protect students’ data.

“It’s pretty straightforward,” Obama said in a speech at the Federal Trade Commission. “We’re saying the data collected on students in the classroom can be used for educational purposes — to teach our children, not to market to our children. We want to prevent companies from selling student data to third parties for purposes other than education. We want to prevent any kind of profiling about certain students.”

Dubbed the Student Digital Privacy Act, the White House’s plan is loosely based on a 2014 California law that prohibits third-party education companies from selling student information. While other states have laws regulating and increasing the transparency, regulation and collection of student data, the California law seems to be the most far-reaching.

Because FERPA doesn’t cover third-party use, some private sector leaders have taken a vow to establish clear industry standards for protecting student data through the Student Privacy Pledge.

Obama mentioned the pledge, created by the Future of Privacy Forum and the Software and Information Industry Association in the fall of 2014, as an encouraging sign for the protection of student information.

“I want to encourage every company that provides these technologies to our schools to join this effort,” Obama said. “It’s the right thing to do. And if you don’t join this effort, then we intend to make sure that those schools and those parents know you haven’t joined this effort.”

So far, 123 companies have signed the pledge, including tech and education giants such as Apple, Microsoft, Google and Houghton Mifflin Harcourt.

“There was a lack of awareness, information and understanding about what school service providers did and didn’t do with data and what the laws required and allowed,” Mark Schneiderman, senior director of education policy at SIIA, said. “Rather than waiting for public policy and public debate to play itself out, we figured, let’s just step in and make clear that the industry is supporting schools, is using data only for school purposes, not selling the data, not doing other things that there was a perception out there that maybe [companies were doing].”

The National Parent-Teacher Association and other groups support the pledge, according to Schneiderman.

“It is imperative that students’ personal information is protected at all times,” the National PTA wrote in a statement.

The companies that signed the pledge are not subject to any policing body, but by signing the pledge they show consumers their commitment to student privacy, Schneiderman said.

But many notable educational technology companies, like Pearson Education, have not signed the pledge. Pearson was recently the subject of a POLITICO investigative report that revealed that the company’s use of student data was unmonitored.

According to the report, Pearson claims it does not sell the students’ data it collects.

The College Board, ACT and Common Application are often viewed as integral to the college admissions process, but are also not included in the pledge.

Instead, these education companies point consumers to their privacy policies, which can often be difficult to understand because of the legal jargon and ambiguous terms.

Some groups such as the Parent Coalition for Student Privacy think the pledge and the privacy policies aren’t enough.

“We also need strong enforcement and security mechanisms to prevent against breaches,” Leonie Haimson, one of the group’s co-chairs, said in a statement responding to Obama’s speech. “This has been a year of continuous scandalous breaches; we owe it to our children to require security provisions at least as strict as in the case of personal health information.”

Out of the 12 commitments listed in the pledge, only one deals with preventing leaks or breaches.

The signees must “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks,” the pledge states.

Haimson said the policies are a decent start, but do not go nearly far enough in protecting educational data.

Regardless, a bill for a comprehensive national standard has yet to be introduced despite the White House’s push.

In early February, though, the White House said that it had been working closely with Republican Rep. Luke Messer of Indiana and Colorado Democrat Rep. Jared Polis to introduce a bipartisan bill to Congress.

The bill’s release is expected by the end of the month, according to Messer’s office.

Have an iPhone? The apps you use may collect unnecessary data, experts say
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/have-an-iphone-the-apps-you-use-may-collect-unnecessary-data-experts-say/
Thu, 19 Mar 2015 19:55:39 +0000

WASHINGTON—Every time you use an app on your iPhone, the app is collecting data on you – that’s lots and lots of data. And experts say those bytes of information detailing your life may not be needed to operate the application.

Initially, developers likely didn’t consider what information was needed to run the app, said Alan Butler, senior counsel at the Electronic Privacy Information Center. Instead, they built their programs to collect all of the data they could possibly need.

But that is the wrong approach, Butler said.

Beyond the type of information collected, app developers need to determine how long the information will be stored and how it will be kept secure, he said. The more data that is collected and stored, the greater the threat of data breaches, Butler said.

So what data is being collected? Well, it depends on the company.

Some companies, like cell phone providers, automatically collect consumer information such as called numbers, times of calls, locations and cellular data usage.

Cell phone companies are limited in acting on automatically collected data. Companies can choose to archive and never use information or discard it after a certain amount of time, said Paul Rosenzweig, author of Cyber Warfare: How Conflicts in Cyberspace are Challenging America and Changing the World.

With all of the information collected in addition to how frequently users bring their phones with them, Rosenzweig said, “your cellphone is you.”

Rosenzweig likened the process to something called the mosaic theory. According to the theory, a collection of small data points can create a picture more representative than each piece of information individually.

Smartphones play into this mosaic by contributing to the information available about a user, especially one who chooses to use social media. Rosenzweig said a comprehensive image can be created of any individual, in part by just interacting with some of iPhone’s applications.

With data collection comes increased responsibility

The relationship that an iPhone user has with the company’s application is a business one. “Sharing is something we do in kindergarten,” Butler said. But when a user gives information access to apps such as Snapchat, they are doing so under the assumption that their data is going to be used properly.

But when it’s not, what then?

Ensuring companies are using data for the right reasons is not an easy task, Butler said. That’s why EPIC supports a strong consumer bill of rights, guaranteeing consumers online protections, he added.

President Barack Obama has supported such legislation since 2012, but none of his efforts have made it out of Congress.

The administration’s 2015 proposal is scaled back in comparison to its 2012 approach, EPIC said in a March statement. Not only does the proposal lack adequate consumer protections, but it may also burden businesses, EPIC said.

EPIC has a code of fair information practices, which is rooted in five principles: no personal record-keeping systems can be kept private; a person must be able to find out what information is recorded about them, prevent it from being used incorrectly and amend incorrect information; and organizations with collected data must protect against its misuse. EPIC suggests crafting better legislation that aligns with its code.

Tor and the darknet: shining a light on the web’s darkest corners
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/tor-and-the-darknet-shining-a-light-on-the-webs-darkest-corners/
Thu, 19 Mar 2015 19:27:22 +0000

WASHINGTON – The term darknet conjures up scary images of a place where the darkest, most dubious members of the World Wide Web go to practice illicit activities. But the darknet and programs like Tor that allow for hidden sites and anonymous browsing help those online evade an online presence looking over their shoulders.

Despite many attempts, Tor has not been cracked in a meaningful way and governments have not been able to successfully deanonymize Tor users. With the only alternative being to ban the program, which in itself is difficult, government agencies are attempting to index and track the growing activity on the darknet.

“Like everything else, Tor is a tool and tools are neutral,” said Paul Rosenzweig, a cybersecurity consultant and a former Homeland Security deputy assistant secretary in the Bush administration. “You can either throw the baby out with the bathwater and ban the tool or find some way to regulate it.”

What are the darknet and Tor?

To understand the darknet, one must first understand the surface web and the deep web.

The surface web is everything that can be accessed through a search engine such as Google. This consists of basic websites that have their pages indexed and accessible to the public.

The deep web is everything that cannot be accessed by a search engine. This includes private content blocked by a login requirement or unindexed pages on a forum. It is estimated that the deep web is far larger than the surface web.

The darknet consists of sites that are intentionally hidden and can only be accessed through the use of encrypted browsers like Tor. These sites can host drug and firearm marketplaces or child pornography. More benignly, you can find hidden message boards where journalists and political dissidents from oppressed countries can communicate.

“Tor helps people be activists by giving them the anonymity they might need,” said Cooper Quintin, a technologist at the Electronic Frontier Foundation, a digital civil rights advocacy group. “Speaking out against the power structures could be a very dangerous proposition.”

Tor is an acronym that stands for The Onion Router. Onion routing was developed in the 1990s by the Navy in order to secure military communication. The code for Tor was released free to the public in 2004 and thus the darknet was born.

Today Tor receives 80 percent of its funding from the Defense Advanced Research Projects Agency.

It works by maintaining a network of volunteer servers around the world. Normally when accessing a web page, you connect directly to the server you are trying to access. Tor instead bounces your request randomly through its scattered servers before it finally reaches the desired site.

On top of that, Tor encrypts your communications when they enter the Tor network and then decrypts them on the way out. It also strips away the part of what you send that includes identifiable information. Each stop on your request’s path through the network decrypts only enough information to see the location of the previous stop in order to know where to send it next. These layers of encryption resemble the layers of an onion, which is where Tor gets its name.
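The layering described above can be shown in a short simulation. This is an added example, not code from the article or from the Tor Project: a toy SHA-256 stream cipher stands in for Tor's real cryptography, and the relay names, fixed keys and destination name are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed three-relay path and per-relay keys (sample values). In the real
# network the client negotiates a fresh key with each relay; fixed keys are an
# assumption that keeps the example self-contained.
PATH = ["relay-a", "relay-b", "relay-c"]
KEYS = {name: hashlib.sha256(b"constructed key for " + name.encode()).digest()
        for name in PATH}


def subkey(key, label):
    """Derive separate encryption and authentication keys from one relay key."""
    return hashlib.sha256(label + key).digest()


def keystream(key, nonce, length):
    """Toy stream cipher: SHA-256 in counter mode (a stand-in, not Tor's cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_layer(key, plaintext):
    """Encrypt and authenticate one layer for the relay that holds `key`."""
    nonce = os.urandom(16)
    body = xor(plaintext, keystream(subkey(key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def open_layer(key, blob):
    """Peel one layer; fail if it was not sealed for this key or was altered."""
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer is not addressed to this relay or was modified")
    return xor(body, keystream(subkey(key, b"enc"), nonce, len(body)))


def build_onion(path, keys, destination, message):
    """Client side: wrap the message once per relay, innermost layer first."""
    next_hops = path[1:] + [destination]
    blob = message
    for relay, next_hop in reversed(list(zip(path, next_hops))):
        name = next_hop.encode()
        # Each layer holds only the next hop's name and the still-sealed rest.
        blob = seal_layer(keys[relay], bytes([len(name)]) + name + blob)
    return blob


def route(onion, path, keys):
    """Relay side: each relay peels its own layer and forwards what is left."""
    seen, blob, previous = [], onion, "client"
    for relay in path:
        layer = open_layer(keys[relay], blob)
        name_len = layer[0]
        next_hop = layer[1:1 + name_len].decode()
        blob = layer[1 + name_len:]
        seen.append({"relay": relay, "previous": previous,
                     "next": next_hop, "forwarded": blob})
        previous = relay
    return seen, blob


if __name__ == "__main__":
    onion = build_onion(PATH, KEYS, "hidden-site.example", b"GET /index.html")
    hops, delivered = route(onion, PATH, KEYS)
    for hop in hops:
        print(hop["relay"], "knows", hop["previous"], "->", hop["next"])
    print("delivered:", delivered)
```

Only the last relay forwards the request in readable form, which matches the article's point that the traffic is decrypted on the way out of the network.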

How to access the Darknet

Accessing the darknet is surprisingly easy. Downloading Tor is as easy as downloading other browsers such as Google Chrome and Mozilla Firefox. Darknet web addresses can be found through a simple Google search.

Hiddenwiki.org provides an extensive list of darknet .onion sites that provide services ranging from renting a hacker to hiring a hitman. It is hard to know how many of these sites are simply law enforcement sting operations without actually purchasing the services. The ease of access of some of these sites makes the legitimacy of the services dubious.

The Agora Marketplace has become the successor to the now defunct online drug marketplace Silk Road. Sites like Agora give users a sense of reassurance based on a user’s seller rating. If a seller has a high rating, one can assume that he or she has had many successful transactions and can be trusted. It also makes it harder for law enforcement to set up sting operations before building up their rating.

The currency used for these services is bitcoin, an encrypted currency bought and sold over the internet and unregulated by any banking authority. Transfers of bitcoins are completely anonymous, making them the perfect currency for the darknet.

The current price of one bitcoin is about $290 but fluctuates often.

Taking stock of traffic on Tor

Researchers have been able to study traffic on Tor by setting up their own Tor servers and analyzing the traffic sent through them. They cannot find specific information on Tor users, but by analyzing keywords in the data they can generally make assumptions about what kinds of sites the traffic is heading to.

A study done by Gareth Owen at the University of Portsmouth in the United Kingdom concluded that about 80 percent of traffic moving through their Tor servers was heading towards sites pertaining to child abuse.

This finding does not necessarily prove that Tor is primarily used for child pornography because there is no way to know why each user is visiting the site.

“They could be law enforcement, they could be researchers, they could be bots just scanning the Tor hidden services,” Quintin said. “There’s no way to tell.”

More positive research on the uses of Tor comes from Eric Jardine at the Centre for International Governance Innovation. He was able to find a correlation between the oppressiveness of a country’s government and the number of Tor users in the country.

“People are using Tor because they lack political rights, but they are also using Tor for evil purposes,” Jardine said.

Reining in the Darknet

Policing the Darknet is actually quite difficult because the technology behind Tor has not been cracked by any spy agency or government. There are a few methods for policing Tor users but they can only work on some of the users, some of the time.

“The cryptology behind Tor is pretty solid and it’s unlikely that the NSA would be able to crack it,” Quintin said.

There are a few methods to police darknet activity but none can effectively regulate the darknet on a grand scale.

The simplest way is for law enforcement to set up sting operations. They can either create their own hidden website or create an account on an existing one and conduct an illegal transaction. If a buyer is purchasing a physical item, an address must be given and law enforcement can simply arrive at the buyer’s doorstep once the package arrives.

It is much more difficult to arrest the people that host some of these illegal sites. The only reason why Ross Ulbricht, the founder of Silk Road, was arrested was because he was found discussing Silk Road on an Internet forum with an account linked to his actual email address.

Timing correlation attacks are a less effective method used by law enforcement to track Tor users. The process works by looking at the time a request moves through the initial server and matching it with the time a request moves out the final server and towards the hidden site. One could reasonably assume if the times match up that a specific user was accessing a specific site.

Although this method may be able to track the online movements of a few Tor users, it is a long way off from effectively breaking Tor.

“There are technological barriers to their ability to effectively police the darknet,” Jardine said. “The ability to directly track IP addresses doesn’t exist at this time.”

Conclusion

Tor and the darknet can be used in an increasing number of ways as concerns about the sanctity of online privacy grow.

“Whether the net benefits outweigh the costs depends on one’s perspective,” Jardine said. “In a liberal democracy it is hard to argue that a technology with a dual use can be banned just because one of those uses is criminal.”

 

Long-ignored government practice lets IRS skirt fourth and fifth amendments
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/long-ignored-government-practice-lets-irs-skirt-fourth-and-fifth-amendments/
Thu, 19 Mar 2015 14:58:20 +0000

WASHINGTON — When Jeffrey Hirsch went to deposit money at his bank one morning in May 2012, his whole life changed. The teller told him the entire contents of his account—nearly half a million dollars—had been seized by the Internal Revenue Service.

Hirsch, a small business owner from Long Island, was never accused of a crime. Yet he would not see his $446,651.11 again for nearly three years due to the IRS’s civil asset forfeiture program, which allows the agency to seize money without filing criminal charges and keep it, in many cases, indefinitely.

Under federal law, banks are required to report cash deposits exceeding $10,000 to the Treasury Department, and account holders are forbidden from “structuring” deposits smaller than the $10,000 threshold to avoid the reporting requirement. If the IRS suspects someone is “structuring” their deposits, it can take their money without filing a criminal complaint.

The program was designed to help the federal government intercept the drug trade during the 1980s “war on drugs.” But the IRS has increasingly gone after small business owners and others who make frequent, small deposits.

“These laws were intended to target drug dealers and other hardened criminals engaged in money laundering or other criminal activity,” said Robert Johnson, Hirsch’s attorney. “In practice, however, the IRS enforces the structuring laws against innocent Americans who have no idea that depositing less than $10,000 in the bank could possibly get them in trouble with the law.”

Hirsch owns and operates Bi-County Distributors, a small business that distributes products to convenience stores on Long Island. The company had multiple accounts closed due to its frequent cash deposits, which—when more than $10,000—require burdensome paperwork from the bank. Hirsch’s accountant recommended staying below the limit, so Hirsch often made cash deposits under $10,000.

On the basis of civil asset forfeiture, the IRS seized Hirsch’s money in May 2012 and held it for more than two years without issuing any charges against him. Twice, Hirsch said, the government offered settlements that would require him to surrender “a substantial portion” of the money.

“I rejected these offers as I felt that I had done nothing wrong and should not be forced to give up my hard-earned money for no reason,” Hirsch said. “I lived with that stress for over two-and-a-half years.”

Hirsch said the seizure drove his business “to the edge of insolvency,” forcing him to take extended lines of credit. In an attempt to demonstrate his innocence, he paid an accounting firm $25,000 to audit his own business.

“Government officials did not question the results of the audit and did not suggest that they were in possession of any evidence of wrongdoing by anyone associated with the business,” Hirsch said. “Nonetheless, the government still refused to return the money.”

To get seized funds back, property owners have to go to court against the Department of Justice—often a lengthy and expensive process.

In January, after a front-page story on civil asset forfeiture was published in The New York Times, the government agreed to return Hirsch’s money.

“In this country, people are supposed to be innocent until proven guilty. But, in the eyes of the IRS, I was guilty until proven innocent—forced to prove my own innocence to get my property back,” Hirsch said. “No other American should be put through the nightmare I experienced.”

But Hirsch’s case is not unique.

Documents obtained by the Institute for Justice, a national law firm that litigates property rights, show that the IRS conducted more than 2,500 of these seizures from 2005 to 2012.

In that seven-year period, the agency collected more than $242 million in suspected structuring violations. At least a third of those seizures “arose from nothing more than a series of cash transactions under $10,000, with no other criminal activity alleged,” according to the report.

And under federal law, the IRS gets to keep this money. Funds seized through civil forfeiture are deposited in the Treasury Forfeiture Fund, which is available for use by the IRS without any appropriation by Congress.

“Shockingly, the government uses the money that it takes through civil forfeiture to pad the budgets of the very agencies that seize the money,” said Johnson, who also works for the Institute for Justice. “The result is a legal system in which the deck is stacked against ordinary Americans.”

While the issue went largely unnoticed until late last year, lawmakers on Capitol Hill—both Republican and Democrat—are now looking for change from the long-embattled agency.

The House Oversight Subcommittee’s first hearing of the new Congress called on IRS Commissioner John Koskinen to testify. He was met with harsh criticism.

Rep. Mike Kelly, R-Pa., went so far as to compare civil asset forfeiture to torture. “You talk about waterboarding, this is waterboarding at its worst,” he said.

The IRS has promised to change. Koskinen apologized to the small business owners at the hearing and said the agency would no longer pursue civil seizure on structuring grounds “unless there are exceptional circumstances.”

“We’ve changed the policy from our standpoint,” Koskinen said.

But Johnson isn’t satisfied with the IRS’ promise.

“The only surefire reform of civil forfeiture is to eliminate the practice entirely, and to require all forfeiture to proceed under the criminal laws,” Johnson said. “Short of that, the IRS policy change—limiting application of the structuring laws to funds derived from illegal sources—should be codified in statute, and without any open-ended loophole for ‘exceptional’ cases.”

Many lawmakers also aren’t satisfied with the IRS’s “exceptional circumstances” standard.

In January, Sen. Rand Paul, R-Ky., and Rep. Tim Walberg, R-Mich., introduced a bill that would curb IRS forfeiture abuses by stopping the IRS from seizing funds without criminal charges and make it simpler and faster for innocent property owners to get their money back.

The bill is only in the primary stages of the legislative process, but some sort of remedial legislation is likely to receive support.

“It is wrong without any criminal evidence to seize anyone’s property,” Kelly said. “This flies in the face of everything we are as a country.”

In ‘Parks and Recreation,’ a vision for the future of consumer data privacy issues
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/in-parks-and-recreation-a-vision-for-the-future-of-consumer-data-privacy-issues/
Thu, 19 Mar 2015 14:54:21 +0000

On a sunny morning in Pawnee, Indiana, a notification pops up on Leslie Knope’s phone: “Open Your Door.” Looking outside, she finds a drone at her doorstep, floating effortlessly, cradling a box addressed to her.

“Hey, Leslie Knope!” it chimes as it drops its cargo.

People have only been able to use drones for recreational, research or government purposes in the U.S., but the Federal Aviation Administration has proposed rules that would expand drones for any use, especially for commercial purposes. Yet the final season of NBC’s “Parks and Recreation,” set in a not-too-distant 2017, envisions a world in which your internet provider can listen to your every conversation, read every email and text, and use that information to predict your mood and deliver packages to your door. The offending company is Grizzyl, a bubbly, gleefully 21st century Internet and cell phone provider that shamelessly violates its customers’ privacy.

For ardent libertarian Ron Swanson, who destroys a drone and brings it to Leslie, (“This is a flying robot that I just shot out of the sky when it tried to deliver me a package”), the threat of such technology is philosophically horrifying, bringing him together with the liberal Knope to try to stop the behavior. While he originally blames others for making themselves vulnerable to that kind of invasion, he later changes his tune when his own privacy is threatened outside of his control.

For liberal Knope, the concern is more universal: from a populist perspective, it is the actions of a corporation infringing upon its customers’ rights that are concerning. As in many episodes, she sees the government serving as an activist voice, protecting its citizens from harm from an ill-intentioned private company.

By placing characters only two years from now, the show’s creators envisioned a future that’s within our reach. In the show’s view, the future has troubling implications for consumers, with sophisticated technology making it easier than ever for companies to pry into their users’ lives.

Below, we’ve compiled a list of technologies and actions made by Grizzyl. With their predictions of a soon-to-be future in mind, we examine the likelihood of each event coming true, and the current legal structures that govern them.

Use of commercial drones

In the show: After listening to its users’ phone calls, Grizzyl gathers its customers’ personal desires and sends them gifts they think they’ll appreciate via drone. While Donna receives two honey bears and boxes of sugarplums, coincidentally the pet names she and her fiancé use for each other, the characters on the show catch on to Grizzyl’s unethical business practices.

Today’s laws: Americans have very few options allowing them to use drones for commercial purposes. Companies may apply to the Federal Aviation Administration to authorize use of drones on a case-by-case basis. However, no existing legal framework allows for the widespread adoption of drones on a commercial basis, and the FAA describes its approach to the emerging technology as “incremental,” suggesting that you won’t see pizza-delivering drones anytime soon. The FAA Modernization and Reform Act of 2012 aimed to integrate unmanned aircraft by this year, but a recent government audit found that the FAA wouldn’t meet its September deadline. “There should be an eye toward integrating drones into our national airspace,” Peter Sachs, a lawyer specializing in drone law, said about these proposed regulations.

Tomorrow’s technology: When online retailer behemoth Amazon announced “Amazon Prime Air” last year, it seemed like an elaborate April Fool’s prank. Yet the company is dead serious about using the technology to deliver packages in as little as 30 minutes, sending the FAA a letter pushing for greater reforms. While Amazon predicts that drone deliveries will eventually be “as normal as seeing mail trucks on the road,” time will tell when their vision becomes a reality. However, with the FAA’s proposed regulations, drone operators would be required to stay within “eyesight” of their craft, according to Sachs. With this stipulation, it would be near impossible for vendors to use drones for deliveries.

Consumer data mining

In the show: After the characters receive individualized gift packages delivered by drone from Grizzyl, they quickly realize the only way they would have learned this information about them is through monitoring their calls and texts. Later, when Leslie visits the Grizzyl headquarters in disguise, the Grizzyl vice president of “Cool New Shiz” reveals he knew who she was all along by tracking her location from her phone. He says his company may know Leslie better than she knows herself. He tells her, “There’s nothing scary about Grizzyl. We just want to learn everything about everyone, track wherever they go and even what they’re about to do.”

Today’s laws: Despite the growing fascination with consumer privacy and cybersecurity in recent years, especially in the wake of Edward Snowden’s revelations about the National Security Agency’s program to gather millions of Americans’ phone and email records, no laws yet intensely regulate the act of consumer data mining. In Sorrell v. IMS Health Inc., the Supreme Court found that a Vermont statute that restricted the sale, disclosure and use of records that revealed the prescribing practices of individual doctors violated the First Amendment rights of data mining companies hired by pharmaceutical manufacturers. In a powerful feature story for Time Magazine in 2011, author Joel Stein sums up the current state of data mining for consumers: He contacts a range of private companies that gather information about him “in stealth,” creating a detailed picture of his life that’s been culled without his knowing.

Tomorrow’s technology: Though the debate about the gathering and use of data has typically been about government surveillance of private exchanges, companies such as Google, which could be seen as the real-life Grizzyl, already monitor emails sent over their Gmail network in order to tailor advertisements shown to particular Internet users. As Stein’s 2011 feature shows, companies already have an incredible ability to gather people’s information, something that will likely continue to grow unless Congress passes legislation limiting it.

Consumer agreements

In the show: When Leslie Knope discovers the data mining, she brings a lawsuit against Grizzyl. Leslie’s husband Ben argues that the agreement giving Pawnee free WiFi explicitly banned data mining. However, the company was able to sneak a clause “into the 27th update of a 500 page user agreement,” allowing them to monitor all communications sent over the network through Grizzyl products. As Ben said, “a person should not have to have an advanced law degree to avoid being taken advantage of by a multi-billion dollar company,” a sentiment oft repeated in today’s on-the-grid society. Ben compelled Grizzyl to be “upfront about what you’re doing and allow people the ability to opt out.”

Today’s laws: According to Ira Rheingold, executive director of the National Association of Consumer Advocates, the U.S. has little protection for consumers against how a private company constructs its consumer agreements. A report released by the Consumer Financial Protection Bureau, an independent government agency formed by the 2011 Dodd-Frank Wall Street reforms, showed that consumers often hand over their rights in consumer agreements without realizing it. They found that in 92 percent of credit card disputes that went to arbitration, consumers had signed contracts precluding their ability to sue without realizing it. In effect, even the savviest consumer, like Ben Wyatt, can be thwarted by a legal document that buries its most damaging clauses under pages of legal jargon, something that’s become commonplace in our society.

Tomorrow’s technology: When consumers sign these consumer agreements, they may unknowingly give up their right to sue, effectively stripping themselves of their right to take these corporations to trial in the event of an injustice. Sen. Al Franken, D-Minn., has championed the Arbitration Fairness Act, which works to “restore the rights of workers and consumers” in assuring them of transparency in civil litigation and prohibiting the usage of forced arbitration clauses in consumer agreements. While the bill has been introduced unsuccessfully in Congress since 2011, Franken plans on reintroducing it during this session.

 

Private sector remains wary of government efforts to increase cybersecurity collaboration
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/private-sector-remains-wary-of-government-efforts-to-increase-cybersecurity-collaboration/ Thu, 19 Mar 2015 14:49:28 +0000

WASHINGTON – President Barack Obama and lawmakers have announced plans to increase information sharing between the government and the private sector following data breaches at major companies. But companies are hesitant to join these initiatives because of liability and privacy concerns – and sharing information could put them at a competitive disadvantage.

Experts agree information sharing is essential in preventing and responding to cyber attacks, but the government and private sector bring different perspectives and strategies to mitigating the threats.

Companies need to take the approach that there is “strength in numbers,” said Greg Garcia, executive director of the Financial Services Sector Coordinating Council.

“To the extent that we can have what amounts to a neighborhood watch at a national scale, then we’re going to be better aware of the adversaries and what they’re up to and what they’re trying to do,” Garcia said.

One area where progress has been made is in the sharing of cybersecurity threat indicators, which identify the source of cyber attacks, said Mary Ellen Callahan, former chief privacy officer at the Department of Homeland Security. These indicators can include bad IP addresses, malware that’s embedded in emails or specific coding in software, she said.

DHS and the Mitre Corporation have developed programming languages to improve communication about cyber threat information between the government and the private sector. Structured Threat Information Expression and Trusted Automated Exchange of Indicator Information, known as STIX and TAXII respectively, are used in tandem to quickly share the information.

“It’s one thing to have these executive orders and things, but it’s another to have the technical enablers to make it easy for these companies to do it,” said John Wunder, lead cybersecurity engineer at Mitre. “You want to make it easy to share threat information in a way that you share exactly what you want.”

Yet, these programs haven’t fully developed and more participation is needed to make them effective, said Judith Germano, a senior fellow at New York University School of Law’s Center on Law and Security.

“I hear from companies that they are often less concerned about where the threat is coming from, but what is the threat and what can they do to stop it,” she said. “That’s the valuable information. Some of that is being shared and is very helpful, but it needs to be expanded.”

Last month, Obama announced an executive order promoting cybersecurity information sharing. The order encouraged the development of information sharing and analysis organizations (ISAOs) to spearhead collaboration between the private sector and government. He tasked DHS with creating a nonprofit organization to develop a set of standards for ISAOs.

Despite these efforts, robust information sharing is still lacking.

“Everyone wants information. Nobody wants to give information,” said Mark Seward, vice president of marketing at Exabeam, a big data security analytics company.

Companies fear that sharing information with the government could reveal corporate secrets or consumers’ private information, said Martin Libicki, a senior management scientist at the RAND Corporation. He added that sharing information with the government could also pose legal risks if the information shows companies did not follow federal regulations.

Germano, who also runs a law firm focused on cybersecurity issues, says cybersecurity collaboration comes down to a matter of trust. The private sector, she said, is wary of the government.

“On one hand [the government is] reaching out as a friend and collaborator to work with companies,” she said. “On the other hand, the same government has an enforcement arm outstretched with the FTC, the SEC that if you do not comply, there can be repercussions, possible lawsuits and other regulatory action taken against you.”

Therefore, only information that is directly related to a threat should be shared and stored, said Callahan, now a partner at Jenner & Block. Further, she said when companies share a large amount of information at once it slows down the process of assessing the threat and they often share more information than is necessary.

The U.S. also lacks “an intelligent and forceful deterrence strategy” for cyber attacks, said Matthew Eggers, senior director of the U.S. Chamber of Commerce’s national security and emergency preparedness department, at a Congressional hearing earlier this month. He also said the government needs to provide more assistance to companies who have suffered from hacks.

“U.S. policymakers need to focus on pushing back against illicit actors and not on blaming the victims of cybersecurity incidents,” Eggers said. 

To address some of these concerns, Sen. Tom Carper, D-Del., introduced in February the Cyber Threat Sharing Act of 2015, which looks to provide liability protections for companies when they share cyber information with the government.

The bill would prohibit the government from using shared cyber threat data as evidence in a regulatory action against the company that shared the information. It also strengthens privacy protections and limits how shared data could be used. The bill has been referred to the Committee on Homeland Security and Governmental Affairs.

In February, Obama also called on the Director of National Intelligence to create the Cyber Threat Intelligence Integration Center, a national intelligence center aimed at “connecting the dots” on cyber threats. The center will “collect intelligence, manage incident response efforts, direct investigations” among other responsibilities.

However, experts remain skeptical about the center.

“What concerns me about that is if you read the president’s memoranda on [the Cyber Threat Intelligence Integration Center], it says that it’s consistent with privacy and civil liberties protections as relevant to that agency,” said Callahan, the Jenner & Block lawyer. “Well, the intelligence community, as you know, has reduced private protections.”

The center’s framework will be similar to that of the National Counterterrorism Center, which is a concern for Libicki, of the RAND Corporation.

“The last cyber attack had elements of terrorism in it. Does that mean we should look at this entire problem purely through the lens of counterterrorism?” Libicki said. “Why are you duplicating a methodological framework that culminates in a set of actions, like predator drones, which are totally inappropriate for cyber?”

Kathleen Butler, a spokesperson for the Office of the Director of National Intelligence, did not have any additional comment beyond the president’s announcement of the center as she said initial planning is still underway.

While experts say it will take time for the private sector to fully engage in the information sharing initiatives, the government’s efforts have been mostly positive.

“This is about enabling people to share what they know and get access to what others know such that protection can be more pervasive,” said Bobbie Stempfley, Mitre’s director of cybersecurity implementation. “That’s really a powerful concept.”

Internet currency Bitcoin lacks privacy protections
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/internet-currency-bitcoin-lacks-privacy-protections/ Thu, 19 Mar 2015 14:46:41 +0000

WASHINGTON — Bitcoin lacks the anonymity that many users have come to expect and desire, especially for a currency advertised as “cash for the Internet.”

All transactions made using the online currency are logged in a public ledger to ensure their validity.

“It’s inherent in the system to have it be transparent,” said Jim Harper, a senior fellow at the libertarian Cato Institute and a member of the board of directors at the Bitcoin Foundation. “You could have greater privacy if it was a system that one party controlled, but that would have costs relying on that party to get it right.”

Bitcoin is a digital currency that has no central authority and can be used, in many ways, like cash. Many businesses, from restaurants to WordPress, have begun to accept bitcoin as payment. To get started, it only takes a few minutes to go online to set up a Bitcoin wallet.

“It is fast and free,” said David Barrett, the CEO of Expensify, a company that supports Bitcoin use for international transactions. “It’s secure. And I would say it works everywhere in the world. And it is a very powerful technology for moving money around the world.”

Bitcoin offers an “acceptable level of privacy,” according to Bitcoin.org, which is managed by its developers. And for many Bitcoin users, any potential loss of privacy is an acceptable trade-off to circumvent traditional financial institutions.

“The idea of having this flexible payment system where you can pay someone on the other side of the world without having to turn to Western Union or something, that is quite an appealing concept,” said Sarah Meiklejohn, a lecturer at University College London who has done research on the currency.

Because this cybercurrency is not tied to any country or bank, it can be a relatively stable option for those in developing countries, where the local currency is often unreliable.

But, because of Bitcoin’s transparency, it is relatively easy to track a user’s entire transaction history. The public ledger shows the location of the Bitcoin user who is making a transaction as well as the history of the Bitcoin they are spending.

The public ledger shows a Bitcoin's transaction history and the user's location.

“It is kind of anonymous, but the second that you do any transaction with Bitcoin, every transaction is there,” said Barrett. “Once you pay me a bitcoin, basically I can look at the log and see every transaction you’ve made.”

Bitcoin.org claims no responsibility for any “losses, damages or claims,” for invasions of privacy or thefts, according to its terms and conditions. It suggests encrypting Bitcoin wallets and using secure connections to avoid thefts.

There are ways to improve the anonymity of the currency, but they require a concerted and technology-intensive effort that many do not even know is an option.

“There’s a thing called mixing, which is a process where you commingle your bitcoins with the bitcoins of others and the output of those transactions is harder to trace back to individuals,” said Harper, the Cato fellow. “It might make it a probabilistic calculation rather than drawing a direct line.”

This process is equivalent to moving funds through banks in countries like the Cayman Islands and Panama, which have strict bank-secrecy laws.

Today, some experts are cautious in accepting Bitcoin as a widespread currency. However, many see the Bitcoin concept as one that will remain.

“It’s actually a good alternative to a currency if there is inflation,” Barrett said. “In Venezuela and Africa, it is getting larger adoption. Russia also has a big growth in bitcoin. It’s a safer and less volatile way to keep your currency. Over time, Bitcoin will, in certain parts of the world, become a daily occurrence.”

Bitcoin and its supposed anonymity gained prominence in its role with the Silk Road, an online black marketplace known for selling illicit drugs and weapons. Buyers and sellers were able to connect virtually and use the cybercurrency to conduct anonymous transactions.

“This perception of anonymity might be driving groups towards Bitcoin, but then the transparency is giving law enforcement or anyone interested in these illicit transactions this beautiful view of all of these types of illicit transactions,” said Meiklejohn, the Bitcoin researcher. “Instead of going to somewhere like Western Union and wiring cash over to the Islamic State or whatever, if you’re doing it with Bitcoin then you are creating this paper trail that is never going to go away, literally ever.”

What may scare off more potential Bitcoin users, however, is not its lack of anonymity but the volatility of the currency. In the last 12 months, the value of the currency has fallen by nearly half.

“Maybe I’m just cynical, but it’s hard to see why Bitcoin, as it is now, would achieve widespread adoption, which ultimately is what you would need to have any kind of stable currency,” Meiklejohn said. “So, as long as Bitcoin is this niche market, it is going to remain pretty volatile.”
