privacy and surveillance
Post on 14-May-2015
2.140 Views
Preview:
DESCRIPTION
TRANSCRIPT
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 11
Privacy Laws and Privacy Laws and SurveillanceSurveillance
Sarah Cortes, PMP, CISASarah Cortes, PMP, CISA
www.inmantechnologyIT.comwww.inmantechnologyIT.comSarah’s blog: SecurityWatchSarah’s blog: SecurityWatch
Sarah’s ITtechEx columnSarah’s ITtechEx column
twitter: SecuritySpytwitter: SecuritySpy
LinkedIn: Sarah CortesLinkedIn: Sarah Cortes
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 22
Privacy and SurveillancePrivacy and Surveillance
AgendaAgenda
Who are we? InmanTechnologyITWho are we? InmanTechnologyIT Current Legal OverviewCurrent Legal Overview
• WorldwideWorldwide• USUS
US Legal SummaryUS Legal Summary Historical OverviewHistorical Overview
• History of cellphone technologyHistory of cellphone technology• Origin of cellphone surveillance-1990sOrigin of cellphone surveillance-1990s• Cellphone surveillance categoriesCellphone surveillance categories• Surveillance requestsSurveillance requests
Privacy conceptsPrivacy concepts ClassificationsClassifications
• Cellphone surveillance categoriesCellphone surveillance categories CALEACALEA TimelineTimeline California LawsCalifornia Laws Massachusetts LawMassachusetts Law
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 33
Privacy and SurveillancePrivacy and Surveillance Table of ContentsTable of Contents
Who are we? InmanTechnologyITWho are we? InmanTechnologyIT Current Legal OverviewCurrent Legal Overview
• 6- Worldwide Overview6- Worldwide Overview• 7- Legal History7- Legal History• 8- US Legal overview8- US Legal overview• 9- Recent US Legal Activity9- Recent US Legal Activity• 10- US laws cited in Sen 77310- US laws cited in Sen 773• 11- US Legal summary 1, 211- US Legal summary 1, 2• 13- Wiretapping vs. “Location technology”13- Wiretapping vs. “Location technology”• 14- History of US Wiretap laws/rulings 1,214- History of US Wiretap laws/rulings 1,2• 16-1998-2008 US Wiretaps Authorized16-1998-2008 US Wiretaps Authorized
Cellphone surveillanceCellphone surveillance• 13- History of cellphone technology13- History of cellphone technology• 14- Origin of cellphone surveillance-1990s14- Origin of cellphone surveillance-1990s• 15- Cellphone surveillance categories15- Cellphone surveillance categories• 16- Surveillance requests16- Surveillance requests• 17- Cellphone location methods, 1, 217- Cellphone location methods, 1, 2
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 44
Privacy and SurveillancePrivacy and Surveillance Table of ContentsTable of Contents
Specific LawsSpecific Laws• 19- CALEA19- CALEA• 20- CALEA- ANSI / TIA J-STD-02520- CALEA- ANSI / TIA J-STD-025• 22- CALEA 2005-6 revisions22- CALEA 2005-6 revisions• 24- CALEA Extension to VoIP & ISPs24- CALEA Extension to VoIP & ISPs• 25- California Laws25- California Laws• 26- Massachusetts Law26- Massachusetts Law• 27- Legal Jurisdiction27- Legal Jurisdiction• 28- High-profile data breaches28- High-profile data breaches• 29- Calling in the Experts29- Calling in the Experts
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 55
Sarah Cortes, PMP, CISASarah Cortes, PMP, CISA Clients: Clients:
• Harvard UniversityHarvard University• BiogenBiogen• FidelityFidelity
Professional Associations:Professional Associations:• Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the
Massachusetts Legislature Massachusetts Legislature
Practice expertisePractice expertise• Complex Application Development/ImplementationComplex Application Development/Implementation• IT Security/Privacy/Risk Management/Audit ManagementIT Security/Privacy/Risk Management/Audit Management• Data Center Operations ManagementData Center Operations Management• Disaster Recovery/High AvailabilityDisaster Recovery/High Availability• Program/Project ManagementProgram/Project Management
BackgroundBackground• SVP in charge of Security, DR, IT Audit, and some Data Center Operations at SVP in charge of Security, DR, IT Audit, and some Data Center Operations at
Putnam InvestmentsPutnam Investments• As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan
failed over to our facility from the World Trade Center 99th floor data centerfailed over to our facility from the World Trade Center 99th floor data center• Coordinated over 65 audits per yearCoordinated over 65 audits per year• Previously ran major applications development for Trading/Analytics SystemsPreviously ran major applications development for Trading/Analytics Systems
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 66
Privacy and SurveillancePrivacy and Surveillance Worldwide Legal OverviewWorldwide Legal Overview
UK and 47 European States UK and 47 European States • Article 8 of the European Convention on Human Rights Article 8 of the European Convention on Human Rights
CanadaCanada• Personal Information Protection and Electronic Documents Act Personal Information Protection and Electronic Documents Act
1995-20041995-2004
Australia: Australia: Privacy Act of 1988Privacy Act of 1988
US: US: Multiple Federal Laws in 14 categories; plus:Multiple Federal Laws in 14 categories; plus:• Over 80 State of California LawsOver 80 State of California Laws• State of Massachusetts LawState of Massachusetts Law• State of New Jersey Proposed LawState of New Jersey Proposed Law• California Law now followed by similar laws in more than 40 California Law now followed by similar laws in more than 40
statesstates
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 77
Privacy and SurveillancePrivacy and Surveillance
Legal History Legal History
WorldwideWorldwide• Universal Declaration of Human RightsUniversal Declaration of Human Rights• UK – English Law and Prince AlbertUK – English Law and Prince Albert
USUS• Brandeis-WarrenBrandeis-Warren• Not explicit in US constitutionNot explicit in US constitution• Prosser – 4 areasProsser – 4 areas• KatzKatz• Griswold v. ConnecticutGriswold v. Connecticut
PenumbrasPenumbras• Roe v. Wade Roe v. Wade
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 88
Privacy and SurveillancePrivacy and Surveillance
US Legal Overview US Legal Overview Federal classifications:Federal classifications:
• Health privacy laws Health privacy laws • Online privacy laws Online privacy laws • Financial privacy laws Financial privacy laws • Communication privacy laws Communication privacy laws • Information privacy lawsInformation privacy laws• Laws regarding privacy in one’s homeLaws regarding privacy in one’s home
California classifications:California classifications:• Health Information PrivacyHealth Information Privacy • Online PrivacyOnline Privacy • Constitutional Right to PrivacyConstitutional Right to Privacy • Office of Privacy ProtectionOffice of Privacy Protection • General PrivacyGeneral Privacy • Identity TheftIdentity Theft • Unsolicited Commercial CommunicationsUnsolicited Commercial Communications
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 99
Privacy and SurveillancePrivacy and Surveillance
Recent US Legal ActivityRecent US Legal Activity
5/5/09 – Sen. xxx- Information and Communications 5/5/09 – Sen. xxx- Information and Communications Enhancement (ICE) Act of 2009 –creates White House Cyber Enhancement (ICE) Act of 2009 –creates White House Cyber CISOCISO
4/1/09 - Sen. 773 - Cybersecurity Act of 2009 – “kill-switch bill”4/1/09 - Sen. 773 - Cybersecurity Act of 2009 – “kill-switch bill” 3/3/2009- Latest Revision of US Criminal Code, 3/3/2009- Latest Revision of US Criminal Code, Title 18Title 18, Pt. I, , Pt. I,
Chap. 119Chap. 119, § 2511 – it is a federal crime to tap a phone – , § 2511 – it is a federal crime to tap a phone – “Interception and disclosure of wire, oral, or electronic “Interception and disclosure of wire, oral, or electronic communications prohibited” communications prohibited”
2/17/09- Health Information Technology for Economic and 2/17/09- Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of American Recovery Clinical Health Act (HITECH Act), part of American Recovery and Reinvestment Act of 2009and Reinvestment Act of 2009
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 1010
Privacy and SurveillancePrivacy and Surveillance
US Legal Summary, cited in Sen. 773 US Legal Summary, cited in Sen. 773 (Cybersecurity Act of 2009) (Cybersecurity Act of 2009)
(1) the Privacy Protection Act of 1980 ((1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa42 U.S.C. 2000aa);); (2) the Electronic Communications Privacy Act of 1986 ((2) the Electronic Communications Privacy Act of 1986 (
18 U.S.C. 251018 U.S.C. 2510 note); note); (3) the Computer Security Act of 1987 ((3) the Computer Security Act of 1987 (15 U.S.C. 27115 U.S.C. 271 et seq.; et seq.;
40 U.S.C. 75940 U.S.C. 759);); (4) the Federal Information Security Management Act of 2002 ((4) the Federal Information Security Management Act of 2002 (
44 U.S.C. 353144 U.S.C. 3531 et seq.); et seq.); (5) the E-Government Act of 2002 ((5) the E-Government Act of 2002 (44 U.S.C. 950144 U.S.C. 9501 et seq.); et seq.); (6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et (6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et
seq.)seq.)
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 1111
Privacy and SurveillancePrivacy and Surveillance
US Legal SummaryUS Legal Summary
Health privacy laws Health privacy laws • 1996-Health Insurance Portability and Accountability Act 1996-Health Insurance Portability and Accountability Act
(HIPAA)(HIPAA)• 1974-The National Research Act1974-The National Research Act
Financial privacy laws Financial privacy laws • 1970-Bank Secrecy Act1970-Bank Secrecy Act• 1998-Federal Trade Commission1998-Federal Trade Commission• 1999-Gramm-Leach-Bliley Act-GLB1999-Gramm-Leach-Bliley Act-GLB• 2002-Sarbanes-Oxley Act-SOX2002-Sarbanes-Oxley Act-SOX• 2003-Fair and Accurate Credit Transactions Act2003-Fair and Accurate Credit Transactions Act
Online privacy laws Online privacy laws • 1986-Electronic Communications Privacy Act-ECPA-pen 1986-Electronic Communications Privacy Act-ECPA-pen
registersregisters• 1986-Stored Communications Act-SCA1986-Stored Communications Act-SCA
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 1212
Privacy and SurveillancePrivacy and Surveillance
US Legal Summary (cont’d)US Legal Summary (cont’d)
Communication privacy laws Communication privacy laws • 1978-Foreign Intelligence Surveillance Act (FISA)1978-Foreign Intelligence Surveillance Act (FISA)• 1984-Cable Communications Policy Act1984-Cable Communications Policy Act• 1986-Electronic Communications Privacy Act (ECPA)1986-Electronic Communications Privacy Act (ECPA)• 1994-Digital Telephony Act - Communications Assistance for Law 1994-Digital Telephony Act - Communications Assistance for Law
Enforcement Act-”CALEA” 18 USC 2510-2522 Enforcement Act-”CALEA” 18 USC 2510-2522 • 2005-6 CALEA expansions2005-6 CALEA expansions
Education Privacy LawsEducation Privacy Laws• 1974-Family Educational Rights and Privacy Act-FERPA1974-Family Educational Rights and Privacy Act-FERPA
Information privacy lawsInformation privacy laws• 2001-US Patriot Act – expanded pen registers2001-US Patriot Act – expanded pen registers
Laws regarding privacy in the homeLaws regarding privacy in the home OtherOther
• 2005-Privacy Act 2005-Privacy Act - sale of online PII data for marketing - sale of online PII data for marketing • 1974-Privacy Act1974-Privacy Act
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 1313
Privacy and SurveillancePrivacy and Surveillance
Wiretapping vs. “Location technology”Wiretapping vs. “Location technology”
Wiretapping- allowing simultaneous or recorded Wiretapping- allowing simultaneous or recorded eavesdropping of actual conversations.eavesdropping of actual conversations.
““Location technology” - use of a “pen register” or “trap-and-Location technology” - use of a “pen register” or “trap-and-trace device” to identify the physical location of a device trace device” to identify the physical location of a device (cellphone) at an exact moment in time.(cellphone) at an exact moment in time.
You can learn much more than you think simply by identifying You can learn much more than you think simply by identifying “location.”“location.”
May, 2009 – Boston’s “craigslist killer” was identified by May, 2009 – Boston’s “craigslist killer” was identified by “location” technology.“location” technology.
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 1414
Privacy and SurveillancePrivacy and Surveillance
History ofHistory of US Wiretap laws/rulingsUS Wiretap laws/rulings
Wiretapping’s cool:Wiretapping’s cool: 1928-Olmstead v. United States, 277 U.S. 438; 1928-Olmstead v. United States, 277 U.S. 438; Dissented by privacy rock star Louis Brandeis and overruled Dissented by privacy rock star Louis Brandeis and overruled
by:by:
Not really, wiretapping violates 4th Amendment:Not really, wiretapping violates 4th Amendment: 1967-Katz v. United States, 389 U.S. 347, and 1967-Katz v. United States, 389 U.S. 347, and 1967-Berger v. New York, 388 U.S. 411967-Berger v. New York, 388 U.S. 41
It is also a Federal Crime:It is also a Federal Crime: 1968-Omnibus Crime Control and Safe Streets Act of 1968 1968-Omnibus Crime Control and Safe Streets Act of 1968 1994-Digital Telephony Act - Communications Assistance for 1994-Digital Telephony Act - Communications Assistance for
Law Enforcement Act-”CALEA” 18 USC 2510-2522 Law Enforcement Act-”CALEA” 18 USC 2510-2522 1/3/2007-Latest CALEA version: Title 18 USC, Pt. I, Chap. 119, 1/3/2007-Latest CALEA version: Title 18 USC, Pt. I, Chap. 119,
§ 2511§ 2511
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 1515
Privacy and SurveillancePrivacy and Surveillance
History ofHistory of US Wiretap laws/rulingsUS Wiretap laws/rulings
ButBut if you’re the President it’s cool. if you’re the President it’s cool.
But But if you’re the government and get a warrant, it’s Ok, too. if you’re the government and get a warrant, it’s Ok, too.
ButBut even warrantless wiretapping is Ok too, if the target is a “foreign even warrantless wiretapping is Ok too, if the target is a “foreign enemy.” Which means anybody, including us! Cool.enemy.” Which means anybody, including us! Cool.
1978-Foreign Intelligence Surveillance Act (FISA) 1978-Foreign Intelligence Surveillance Act (FISA) 1984-Cable Communications Policy Act1984-Cable Communications Policy Act 1986-Electronic Communications Privacy Act (ECPA)1986-Electronic Communications Privacy Act (ECPA)
ButBut actually, just kidding, now the government can wiretap anybody. actually, just kidding, now the government can wiretap anybody. But But youyou can’t. Legally, that is. can’t. Legally, that is.
10/26/2001 – US Patriot Act – revised multiple laws10/26/2001 – US Patriot Act – revised multiple laws
Technically, it’s easy and everybody knows how. Well lots of people do.Technically, it’s easy and everybody knows how. Well lots of people do.
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 1616
Privacy and SurveillancePrivacy and Surveillance
11998-2008 US Wiretaps Authorized998-2008 US Wiretaps Authorized
Table 7Authorized Intercepts Granted Pursuant to 18 U.S.C. 2519 as Reported in Wiretap
Reports for Calendar Years 1998 – 2008
Wiretap Report Date 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008
Total authorized by year (reported through Dec 2008)
1,447 1,546 1,386 1,695 1,543 1,788 1,992 2,100 2,306 2,208 1,891
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 1717
Privacy and SurveillancePrivacy and Surveillance
History of cellphone technologyHistory of cellphone technology
1990s – cell companies started to 1990s – cell companies started to transform communicationstransform communications
McCaw Cellular dominated carriersMcCaw Cellular dominated carriers McCaw cellular sold to AT&T in 1994 McCaw cellular sold to AT&T in 1994
for $11.4 billionfor $11.4 billion Craig McCaw was highest-paid CEO in Craig McCaw was highest-paid CEO in
the USthe US Criminals accounted for 70% of trafficCriminals accounted for 70% of traffic
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 1818
Privacy and SurveillancePrivacy and Surveillance
Origin of cellphone surveillance-1990sOrigin of cellphone surveillance-1990s Carriers originally tracked call initiation and Carriers originally tracked call initiation and
termination to reimburse each othertermination to reimburse each other Surveillance-capable technology was baked into Surveillance-capable technology was baked into
telco equipmenttelco equipment Criminals accounted for 70% of cellular traffic, Criminals accounted for 70% of cellular traffic,
cloning analog cellphonescloning analog cellphones Earliest cellphone surveillance was carriers Earliest cellphone surveillance was carriers
pinpointing the location of bandwidth thievespinpointing the location of bandwidth thieves Legendary hacker Kevin Mitnick was caught by law Legendary hacker Kevin Mitnick was caught by law
enforcement, using a cellular modem that was enforcement, using a cellular modem that was detected by “location-aware technologies” detected by “location-aware technologies” developed by the phone companies to fight fraud developed by the phone companies to fight fraud
Move from analog to digital left law enforcement Move from analog to digital left law enforcement without required equipmentwithout required equipment
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 1919
Privacy and SurveillancePrivacy and Surveillance
CCellphone surveillance categoriesellphone surveillance categories Pen register-ECPA- subpoena w/o judicial review Pen register-ECPA- subpoena w/o judicial review Subscriber information-CALEA- subpoena w/o Subscriber information-CALEA- subpoena w/o
judicial reviewjudicial review Network “location” information-CALEA-cell towers, Network “location” information-CALEA-cell towers,
specific calls- requires judicial reviewspecific calls- requires judicial review• Past- Historical data - Who was using a specific tower at a Past- Historical data - Who was using a specific tower at a
specific moment in time, or where was a particular specific moment in time, or where was a particular customer during a specific timeframe. Covered by CALEAcustomer during a specific timeframe. Covered by CALEA
• Present - Ping data - Network operators and some third-Present - Ping data - Network operators and some third-party providers are able to send a one-time ping to a party providers are able to send a one-time ping to a phone to locate it at a specific time. Not covered by CALEAphone to locate it at a specific time. Not covered by CALEA
• Future - Prospective data - By tracking phones over a long Future - Prospective data - By tracking phones over a long period of time, and mapping individuals traffic, or larger period of time, and mapping individuals traffic, or larger traffic flows, it’s possible to predict where people are likely traffic flows, it’s possible to predict where people are likely to be. Not covered by CALEAto be. Not covered by CALEA
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 2020
Privacy and SurveillancePrivacy and Surveillance
CCellphone surveillance requestsellphone surveillance requests All subscribers near a particular cell tower in a ten-minute period, All subscribers near a particular cell tower in a ten-minute period,
hoping to locate witnesses to a drug transaction hoping to locate witnesses to a drug transaction Provider might sell location information to a jealous spouse as a Provider might sell location information to a jealous spouse as a
“family finder” service“family finder” service Information on a missing child - company ordered to ping a phone Information on a missing child - company ordered to ping a phone
every 15 minutes for 24 hoursevery 15 minutes for 24 hours All phone numbers contacted by a mobile phone found in a All phone numbers contacted by a mobile phone found in a
container ship that contained counterfeit condoms: carriers refusedcontainer ship that contained counterfeit condoms: carriers refused Google only responds to search warrants about location infoGoogle only responds to search warrants about location info Totalitarian Governments tracking employees of human rights Totalitarian Governments tracking employees of human rights
organizations: staff disassembles phones prior to attending meeting organizations: staff disassembles phones prior to attending meeting or going to certain locationsor going to certain locations
Egyptian government requested from Vodaphone names of all who Egyptian government requested from Vodaphone names of all who attended a certain event; Vodaphone refusedattended a certain event; Vodaphone refused
State of Wisconsin asked Amazon to list everyone who bought a State of Wisconsin asked Amazon to list everyone who bought a particular book; court sided with Amazon’s refusal particular book; court sided with Amazon’s refusal
Carriers get 100 requests a week for location infoCarriers get 100 requests a week for location info No recording or oversight of requests No recording or oversight of requests
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 2121
Privacy and SurveillancePrivacy and Surveillance
CCellphone Location Methods, Iellphone Location Methods, I Localization-Based Systems (LBS)Localization-Based Systems (LBS)
• Network based Network based • Handset based (GPS)Handset based (GPS)• Hybrid Hybrid
Network Based-Network Based-Utilizes service provider's network Utilizes service provider's network infrastructure to identify handset locationinfrastructure to identify handset location
Advantages: can be implemented non-intrusively, without Advantages: can be implemented non-intrusively, without affecting handset.affecting handset.
ChallengesChallenges• Accuracy variesAccuracy varies• cell identification-least accurate, triangulation-most accuratecell identification-least accurate, triangulation-most accurate• closely dependent on concentration of base station cells, urban closely dependent on concentration of base station cells, urban
environments achieve highest accuracyenvironments achieve highest accuracy• Requires working closely with service provider:Requires working closely with service provider:• entails the installation of hardware and software within the entails the installation of hardware and software within the
operator's infrastructure. operator's infrastructure. • Legislative framework, such as Legislative framework, such as E911E911, required to compel service , required to compel service
provider and safeguard privacyprovider and safeguard privacy
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 2222
Privacy and SurveillancePrivacy and Surveillance
CCellphone Location Methods, IIellphone Location Methods, II Handset Based -Handset Based -Requires installation of client software on handsetRequires installation of client software on handset Determines location by:Determines location by:
• computing:computing: Location by cell identificationLocation by cell identification Signal strengths of the home and neighboring cells; or Signal strengths of the home and neighboring cells; or latitude and longitude, if the handset is equipped with a GPS modulelatitude and longitude, if the handset is equipped with a GPS module
• calculation then sent from the handset to a location servercalculation then sent from the handset to a location server Disadvantages: necessity of installing software on the handset. Disadvantages: necessity of installing software on the handset.
• Requires the active cooperation of subscriber Requires the active cooperation of subscriber • Requires software that can handle the different handset operating Requires software that can handle the different handset operating
systemssystems• Typically, only smart phones, such as Symbian or Windows Mobile are Typically, only smart phones, such as Symbian or Windows Mobile are
capablecapable• Proposed work-around: manufacturer installs embedded hw/sw on Proposed work-around: manufacturer installs embedded hw/sw on
handsethandset ChallengesChallenges
• Convincing different manufacturers to cooperate on a common mechanism and to Convincing different manufacturers to cooperate on a common mechanism and to address cost issue, so no headwayaddress cost issue, so no headway
• Address issue of foreign handsets roaming in the networkAddress issue of foreign handsets roaming in the network
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 2323
Privacy and SurveillancePrivacy and Surveillance
CALEACALEA
Communications Assistance for Law Enforcement Communications Assistance for Law Enforcement Act of 1994Act of 1994
established requirement that phone carriers must established requirement that phone carriers must be able to perform some wiretapping functionsbe able to perform some wiretapping functions• actual functions defined by industry:actual functions defined by industry:
Telecommunications Industry Association J-STD-025Telecommunications Industry Association J-STD-025• with input from law enforcementwith input from law enforcement
operated by carriers, not law enforcementoperated by carriers, not law enforcement does not limit what law enforcement can ask for in does not limit what law enforcement can ask for in
a subpoenaa subpoena• CALEA is a floor not a ceilingCALEA is a floor not a ceiling
did not apply to “private networks” or “information did not apply to “private networks” or “information services”services”• the Internet was an “information service” in the eyes of the Internet was an “information service” in the eyes of
Congress in 1994Congress in 1994
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 2424
Privacy and SurveillancePrivacy and Surveillance
CALEA- ANSI / TIA J-STD-025CALEA- ANSI / TIA J-STD-025
Developed by Carrier Industry consortium of Developed by Carrier Industry consortium of technical representatives over a 4-year technical representatives over a 4-year periodperiod
Requires real-time delivery to law Requires real-time delivery to law enforcementenforcement• call ID information call ID information
origin or dialed phone number, etc.origin or dialed phone number, etc.
• actionsactions dialing digits, call abandoned, call waiting toggling, etc.dialing digits, call abandoned, call waiting toggling, etc.
• communication itselfcommunication itself Must not be detectable by subjectMust not be detectable by subject Over a dedicated circuit in a specific formatOver a dedicated circuit in a specific format
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 2525
Privacy and SurveillancePrivacy and Surveillance
CALEA- ANSI / TIA J-STD-025CALEA- ANSI / TIA J-STD-025 Technical requirements added after 1st Technical requirements added after 1st
version of J-STD-025version of J-STD-025 provide content of subject-initiated conference provide content of subject-initiated conference
callscalls identify active parties of a multiparty callidentify active parties of a multiparty call provide all dialing and signaling information provide all dialing and signaling information
including use of featuresincluding use of features provide notification that a line is ringing or busyprovide notification that a line is ringing or busy provide timing information to correlate call-provide timing information to correlate call-
identifying information with the call content identifying information with the call content provide digits dialed by a subject after the initial provide digits dialed by a subject after the initial
callcall
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 2626
Privacy and SurveillancePrivacy and Surveillance
CALEA 2005-6 revisionsCALEA 2005-6 revisions
Aug 2005 & May 2006 FCC orders extended CALEA Aug 2005 & May 2006 FCC orders extended CALEA to “interconnected VoIP providers” and ISPsto “interconnected VoIP providers” and ISPs• an “interconnected VoIP provider” provides VoIP service an “interconnected VoIP provider” provides VoIP service
along with dial-out to PSTN along with dial-out to PSTN andand dial-in from PSTN dial-in from PSTN also covers connection between private network also covers connection between private network
and Internetand Internet implementation date 2007 implementation date 2007 justified under “substantial replacement” clause in justified under “substantial replacement” clause in
original CALEAoriginal CALEA• in court, 1st decision supported FCC - being appealedin court, 1st decision supported FCC - being appealed• Most subsequent decisions, 40 out of 42, did not support Most subsequent decisions, 40 out of 42, did not support
government requestsgovernment requests
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 2727
CALEA Extension to VoIP & ISPsCALEA Extension to VoIP & ISPs
Aug 2005 & May 2006 FCC orders extended CALEA to Aug 2005 & May 2006 FCC orders extended CALEA to “interconnected VoIP providers” and ISPs“interconnected VoIP providers” and ISPs• an “interconnected VoIP provider” provides VoIP service an “interconnected VoIP provider” provides VoIP service
along with dial-out to PSTN along with dial-out to PSTN andand dial-in from PSTN dial-in from PSTN also covers connection between private network and also covers connection between private network and
InternetInternet implementation date Mar 2007 implementation date Mar 2007
• but no standards yetbut no standards yet justified under “substantial replacement” clause in original justified under “substantial replacement” clause in original
CALEACALEA• in court, 1st decision supported FCC - being appealedin court, 1st decision supported FCC - being appealed
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 2828
Privacy and SurveillancePrivacy and Surveillance
CCalifornia Lawalifornia Law Over 80 separate laws in 7 categories, 3 additional laws Over 80 separate laws in 7 categories, 3 additional laws
currently pendingcurrently pending California's groundbreaking 2002 security breach notification California's groundbreaking 2002 security breach notification
law was followed by similar laws in more than 40 stateslaw was followed by similar laws in more than 40 states Enforcement path unclear for less clear categories of California Enforcement path unclear for less clear categories of California
residentresident Definition of “organizations doing business in the State of Definition of “organizations doing business in the State of
California” and “California resident” unclearCalifornia” and “California resident” unclear• Anyone who stores data on a California resident?Anyone who stores data on a California resident?• Anyone who stores data on on-California residents on media Anyone who stores data on on-California residents on media
located in California?located in California?• How can companies be sure if their records of non-California How can companies be sure if their records of non-California
residents are correct? i.e. not coveredresidents are correct? i.e. not covered• Covers temporary residents? Covers temporary residents? • Can potentially cover any company doing business anywhere in Can potentially cover any company doing business anywhere in
the worldthe world
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 2929
Privacy and SurveillancePrivacy and Surveillance
MassachusettsMassachusetts Law Law 8/2/2007-Identity Theft Law, Massachusetts General Law
Chapter 93H 9/19/2008-201 CMR 17.00 Standards for the Protection of 9/19/2008-201 CMR 17.00 Standards for the Protection of
Personal Information of Residents of the CommonwealthPersonal Information of Residents of the Commonwealth Consortium of industry technical representatives currently Consortium of industry technical representatives currently
providing continuing commentaryproviding continuing commentary Original implementation date twice suspendedOriginal implementation date twice suspended Current implementation date January, 2010Current implementation date January, 2010 Enforcement path unclear for less clear categories of Enforcement path unclear for less clear categories of
Massachusetts employees/consumersMassachusetts employees/consumers First law to require encryption for employee data (Nevada law First law to require encryption for employee data (Nevada law
required encryption for consumer data)required encryption for consumer data) Requires a training module in terms of the lawRequires a training module in terms of the law Vendor management issuesVendor management issues
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 3030
Privacy and SurveillancePrivacy and Surveillance
Massachusetts Law RequirementsMassachusetts Law Requirements• Written information security programWritten information security program• Passwords, encryption for laptopsPasswords, encryption for laptops• Risk assessmentsRisk assessments• Security policies around records retentionSecurity policies around records retention• Policies and procedures to prevent terminated Policies and procedures to prevent terminated
employees from gaining accessemployees from gaining access• Physical access control policies and proceduresPhysical access control policies and procedures• Security incident response policiesSecurity incident response policies• Monitoring for unauthorized accessMonitoring for unauthorized access• Encryption of PII on laptops and other portable Encryption of PII on laptops and other portable
devicesdevices• Encryption of PII data in transmission Encryption of PII data in transmission
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 3131
Privacy and SurveillancePrivacy and Surveillance
Legal Legal JurisdictionJurisdiction “This regulation applies to all businesses and other
legal entities that own, license, collect, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”
Do these laws apply if you:Do these laws apply if you:• Have employees in the state/country?Have employees in the state/country?• Have customers in the state/country?Have customers in the state/country?• Have neither, but traffic in data of Massachusetts Have neither, but traffic in data of Massachusetts
residents?residents?• Store data physically in the state/ country?Store data physically in the state/ country?• How do you know if any of the above are true?How do you know if any of the above are true?• Are a private individual, a non-profit or a government Are a private individual, a non-profit or a government
agency?agency?• Pay taxes in the state/country?Pay taxes in the state/country?
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 3232
Privacy and SurveillancePrivacy and Surveillance
Legal Legal JurisdictionJurisdiction
Do these laws apply only:Do these laws apply only:• To data stored physically in the state/ To data stored physically in the state/
country? Probably notcountry? Probably not
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 3333
Privacy and SurveillancePrivacy and Surveillance High-profile data breachesHigh-profile data breaches
1/29/09 Department of Veterans Affairs agreed to 1/29/09 Department of Veterans Affairs agreed to pay $20 million to military personnel to settle a pay $20 million to military personnel to settle a 2006 case involving the theft of a laptop from an 2006 case involving the theft of a laptop from an employee's home that contained the unencrypted employee's home that contained the unencrypted personal records of 26.5 million military veterans personal records of 26.5 million military veterans and their spouses.and their spouses.
Massachusetts: TJX and BJ's WholesaleMassachusetts: TJX and BJ's Wholesale ChoicePoint Inc., the Atlanta-based provider of ChoicePoint Inc., the Atlanta-based provider of
identification services for the insurance and real identification services for the insurance and real estate industries, revealed in March that criminals estate industries, revealed in March that criminals had gained unauthorized access to aggregated had gained unauthorized access to aggregated personal data of 145,000 people. personal data of 145,000 people.
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 3434
Privacy and SurveillancePrivacy and Surveillance
Calling in the ExpertsCalling in the Experts
04/12/2304/12/23 Copyright 2009 Sarah CortesCopyright 2009 Sarah Cortes 3535
Privacy and SurveillancePrivacy and Surveillance
Did you know….?Did you know….?
Seven out of ten attacks are from…Seven out of ten attacks are from…
top related