The Legal Framework for Creating Trust in Cyberspace: Security and Privacy Skopje March 2006 James X. Dempsey Center for Democracy & Technology Global Internet Policy Initiative

The Legal Framework for Creating Trust in Cyberspace:

Security and Privacy

Skopje

March 2006

James X. Dempsey

Center for Democracy & Technology

Global Internet Policy Initiative

Overview: The Elements of Trust Online

1. Cybersecurity
• Communications network reliability
• Critical infrastructure protection - power, water
• Cybercrime

2. Protection of government secrets
• Protection of national security information
• Other sensitive government information

3. Protection of intellectual property - business secrets - WIPO

4. Communications privacy - illegal interception

The Elements of Trust Online - 2

5. Personal data protection (privacy of personally identifiable information)

6. E-signature and authentication

7. Consumer protection - e-commerce framework

8. Fraud, defamation - offline laws should be sufficient, but jurisdiction unresolved

Don’t forget the offline environment:
• Enforcement of contracts
• Credit card fraud

Part I: Information Security

Spam

Spam Percentage in Email

Source: MessageLabs Intelligence Annual Security Report. December 6, 2004

Spyware, Adware

Loss of Data

Phishing

Message purporting to be from eBay

Threatens account termination

Asks user to update information

Uses eBay and Trust-e logos for legitimacy

Links to non-eBay site

Looks like legitimate eBay site

Asks for account and credit card info

Sends info to phisher and not eBay

Intercepted Phishing Emails

Source: MessageLabs Intelligence Annual Security Report. December 6, 2004

Cybersecurity

• Many communications networks and other critical infrastructures are privately owned

• Cybersecurity is shared responsibility of gov't, service providers, software and hardware makers, and users (large and small).

• Cybersecurity strategy has many components:
  – industry standards and sound technology design
  – information sharing about threats/vulnerabilities (CERTs)
  – awareness, education of all users
  – R&D
  – criminal law
  – liability of computer/software makers under civil law?

Cybersecurity Guidelines

• OECD Guidelines for Security of Information Systems and Networks

• APEC Strategy and Statement on the Security of Info and Communications Infrastructure

• EU - Council Resolution 28

• E-Japan Priority Policy Program (cybersecurity incorporated)

• Australia E-Security National Agenda

• US National Strategy to Secure Cyberspace & E-Government Act (cybersecurity included)

Common Themes in Int’l Guidelines

• Public-Private Partnerships
• Public Awareness
• Guidelines, International Standards
• Information Sharing
• Training and Education
• Respect for Privacy
• Vulnerability Assessment, Warning and Response
• International Cooperation

Gov’t Must Get Its Own House In Order

• Government should not dictate security technologies to industry until it has solved its own problems (that is, probably never)

• Elements of a National Cyber-Security Strategy.
  – Assessment of national vulnerabilities
  – Issuance of a public report that conceptualizes the issue and raises awareness of policymakers and the public
  – Creation of a leadership structure within the executive branch to oversee the development and implementation of policy
  – Drafting of a detailed national plan based on dialogue with the private sector
  – Structure and enforce responsibility
  – Adoption of legislation and guidelines addressing such questions as information sharing and accountability.

Gov’t Must Get Its Own House In Order

• US E-Gov Act (2002) - Title III - limited to government systems - focuses on process, not technologies
  – Periodic assessment of risk
  – Adoption of policies and procedures
  – Chief Security Officer for every agency
  – Security awareness training
  – Detecting and responding to attacks
  – Annual reports to Congress on progress
  – Independent security evaluation
  – Office of Management and Budget (White House) authority

• Similar requirements may be appropriate for private sector, especially financial sector, medical data

Government secrets

• Protection of national security information
  – Definition: information generated by the government and its contractors, which, if publicly disclosed, will harm the national security.
  – Important question: Can the judiciary or some other independent official review and overturn the decision of the Executive Branch to keep information secret?

• Other sensitive government information
• Criminal investigative information
• Private information about individuals in the hands of the gov’t

• Gov’t secrets online and off are defined the same.
• Many countries deal with these issues in Freedom of Information law:
  http://www.rz.uni-frankfurt.de/~sobotta/FOI.htm
  http://www.cfoi.org.uk/overseas.html

Cybercrime

• Crimes against computers or communications
  – Interference with availability or integrity of data
    • destroying data, altering data
  – Interference with availability of service
    • Denial of service attacks
  – Interception of data in transit (unauthorized access to comms)
  – Unauthorized access to data (cyber trespass)

• CIA - Confidentiality, Integrity, Availability

• Crimes using computer
  – Fraud, dissemination of pornography, copyright infringement
  – Should not be treated as separate crimes

• Crimes where evidence is in computer
  – Any crime

COE Convention on Cybercrime - good model, approach with caution

Investigation of Cybercrime

• To investigate cybercrime and crimes facilitated by computer, law enforcement agencies need access to
  – content of communications;
  – transactional (or traffic) data;
  – stored data;
  – data identifying subscriber (e.g., name)

Phishing E-mail message

Message purporting to be from eBay

Threatens account termination

Asks user to update information

Uses eBay and Trust-e logos for legitimacy

Links to non-eBay site

Criminal Law Has Limited Effect

Under US law, such an email is absolutely illegal:
• Falsified header information - criminal and civil violation
• Hijacking another computer to send spam - criminal and aggravated civil violation
• Possible falsification of domain name registration information - criminal violation
• No valid physical address - civil violation
• No opt-out - civil violation
• Deceptive subject heading - civil violation
• Possible address harvesting - aggravated civil violation

The solution to the cybercrime problem requires:
• International cooperation.
• Better technology design
• Education of users.

Privacy is an Element of Cybersecurity

“Protection of privacy is a key policy objective in the European Union. It was recognized as a basic right under Article 8 of the European Convention on human rights. Articles 7 and 8 of the Charter of Fundamental Rights of the EU also provide the right to respect for family and private life, home and communications and personal data.” Communication from the Commission on Network and Information Security (2001)

OECD Cybersecurity Guidelines

Principle 5:

“Security should be implemented in a manner consistent with the values recognised by democratic societies including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency.”

Summary

• Network security is the shared responsibility of the gov’t and the private sector.
• Gov't protects its own networks, contributes to awareness, info sharing, and R&D.
• A lot of work has been done and more needs to be done by the private sector.
• International consensus on strategy elements.
• Cybercrime legislation is one key component of cybersecurity.
• Privacy and security are two sides of the same coin.
• Don’t forget the basics of law reform and the enabling environment.

Part II: Data Protection (Privacy)

Privacy in the Digital Age

• Online Privacy Risks
  – Collection of information to an extent never before possible: click-stream data, location information.
  – Aggregation of data across time, space, applications, vendors - creating a detailed dossier of activity and thought.
  – Retention is cheap and easy.
  – Distribution is cheap and easy too.

• Public opinion surveys and business experiences show that privacy is a major consumer concern and impediment to e-commerce and e-government.

• What is privacy?
• Information privacy - principles for use of data.

Why Privacy Matters

Three Examples of How Privacy Concerns Arise in E-Government Projects

• Japan - Juki Net - national ID and information system - concerns about identity theft

• Australia - PKI and Health Records

• US - Social Security Records Online

Personal Data Protection

• Data Subject - the individual to whom the data pertains

• Data Controller - a governmental or private sector entity who is responsible for controlling the purposes and ways of personal data processing

• Processing - any use, recording, storing or publishing of data

• Data Handler or Processor - anyone who processes (uses) data on behalf of the controller

• User - anyone to whom data is disclosed for a permitted purpose

Personal Data Principles - 1

Consumer privacy protection in the US and Europe, under the guidelines of the OECD and APEC, and in the law of the Republic of Macedonia, is based on ten principles:

• Purpose Specification. Personal data shall be collected only for purposes that are concrete, clear and legally determined. The subsequent use of data should be limited to those purposes. Article 5, para. 1, item 2.

• Notice. The data subject shall be informed of the identity of the data controller and the purpose for which data are collected, as well as the rights of access and correction. Articles 10 and 11.

Personal Data Principles - 2

• Collection Limitation. Personal data should be collected only if it is appropriate, relevant and not excessive in relation to the purpose for which it is collected (no more data should be collected than is necessary to accomplish the stated purpose). Article 5, paragraph 1, item 3.

• Data Quality. Data should be accurate, complete, and up to date, taking into account the purposes for which they were collected. Article 5, paragraph 1, item 4. Upon request of the data subject, and upon its own initiative, the data controller is obliged to supplement, amend, or delete incorrect, incomplete or out-of-date information. Article 14.

• Retention Limit. Data should be stored in a form that allows identification of the data subject for no longer than is necessary to fulfill the purposes for which the data were collected. Article 5, paragraph 1, item 5.

Personal Data Principles - 3

• Use Limitation. Data should not be disclosed or processed except for purposes specified when it was collected unless the data subject consents, subject to specified exceptions. Article 6.

• Access. The data subject has the right to access data about himself. Article 12. This right is crucial to exercise of the right to data quality.

• Security. Any person having access to a personal data collection on behalf of a controller or handler of the collection is obliged to maintain the secrecy and protection of the data. Article 23. In order to ensure secrecy and protection of personal data, the controller must apply adequate technical and organizational measures. Article 24.

Data Protection Principles - 4

• Openness. A data controller shall keep records of each personal data collection indicating its practices regarding that data collection and shall submit those records to the Data Protection Directorate, which shall compile and publish them. Articles 27-30.

• Accountability and Enforcement. The data “controller” should be accountable for complying with the protections and a process is created for data subjects to enforce their rights under the law. Articles 18-22; Articles 37-47 (creation and competencies of the Directorate); Articles 49-50 (penal provisions).

EU Electronic Communications Privacy Directive

• Spam - opt-in (prior relationship - opt-out)
• Traffic data marketing - opt-in
• Cookies - opt-out
  – clear and precise information on their purposes and the opportunity to refuse them.
• Directories - opt-out
• Data retention - permitted but not required for law enforcement or national security - disclosure requires independent approval

Directive 2002/58/EC http://europa.eu.int/information_society/topics/telecoms/regulatory/new_rf/index_en.htm

Enforcing Data Protection

• Privacy Commissioners

• Chief Privacy Officers - Ministry level

• Privacy Impact Assessments

• Central Register of Data Collections

• Privacy Audits

Privacy Commissioners

• Article 28 of the EU Directive, Articles 37-48 of Macedonian law

• Eight inter-related roles (Article 41):
  – educator
  – consultant
  – policy advisor
  – auditor
  – negotiator
  – ombudsman
  – enforcer
  – international ambassador

Chief Privacy Officers

• Ministries and other governmental bodies

• Commercial enterprises

Privacy Impact Assessments

• “An assessment of any actual or potential effects that an activity or proposal may have on individual privacy and the ways in which any adverse effects may be mitigated.”

• Hong Kong, Canada, New Zealand, Australia, and US

Privacy Impact Assessments

• A description of the proposed project, the types of personal data that will be collected or used and how they will be disseminated or retained;

• An explanation of who will have access to the data.

• A Privacy Analysis that identifies how the new project or practice will impact individual privacy.

• A Risk Assessment that lists the privacy risks that have been identified and an analysis of how those risks may affect individuals and the success of the project.

• A discussion of appropriate technical, procedural or other safeguards that can be adopted to protect privacy.

• Recommendations for how the project’s privacy risks should be managed.

Privacy Impact Assessments

Examples of when a PIA is appropriate:
• creation of public health databases;
• proposals to add new biometrics to national ID cards;
• proposals to create new law enforcement computer systems;
• any proposed law that would require private businesses to collect information on their customers;
• creation of new databases or modifying the scope or use of databases that contain personal information;
• establishment of electronic toll systems on highways;
• the installation of closed circuit cameras in public places.

PIA usually does not result in recommendation against system - it shows how to implement the system in a manner consistent with fair information practices.

Example: Court Records Online

• Retain the traditional policy that court records are presumptively open to public access.

• As a general rule, access should not change depending upon whether the court record is in paper or electronic form. Whether there should be access should be the same regardless of the form of the record, although the manner of access may vary.

Example: Court Records Online

• The nature of certain information in some court records, however, is such that remote public access to the information in electronic form may be inappropriate, even though public access at the courthouse is maintained;

• The nature of the information in some records is such that all public access to the information should be precluded, unless authorized by a judge;

• Access policies should be clear, consistently applied, and not subject to interpretation by individual court or clerk personnel.

Enforcing Data Protection

• Central Register of Data Collections

• Privacy Audits

Consumer Protection

• Success of e-commerce depends on legal system recognizing and promptly enforcing electronic contracts (business to business and business to consumer)

• Consumer protection includes
  – Prohibition on misleading advertising
  – Regulation of consumer financial services and credit
  – Rules against fraudulent billing
  – Complaint resolution
  – Right to refund if goods are not delivered or defective

Consumer Protection

• Before closing contract, consumer should be provided
  – Identity and address of supplier
  – Description of goods and their price
  – Procedure for payment, delivery and performance (if buying a service)
  – Notice of “right of withdrawal”

• European Parliament & Council Directive 97/7/EC (17 February 1997) on the protection of consumers in respect of distance contracts
  – http://europa.eu.int/information_society/topics/ebusiness/ecommerce/3information/law&ecommerce/legal/documents/31997L0007/31997L0007_en.html

• European Parliament & Council Directive 2000/31/EC (8 June 2000) on electronic commerce
  – http://europa.eu.int/ISPO/ecommerce/legal/documents/2000_31ec/2000_31ec_en.pdf

More Information

Global Internet Policy Initiative (GIPI)

http://www.internetpolicy.net

Center for Democracy and Technology (CDT)

http://www.cdt.org

Information Technology Security Handbook

infoDev project, World Bank (Dec. 2003)

http://www.infodev-security.net/handbook/