The Legal Framework for Creating Trust in Cyberspace: Security and Privacy Skopje March 2006 James X. Dempsey Center for Democracy & Technology Global Internet Policy Initiative
Overview: The Elements of Trust Online
1. Cybersecurity
–Communications network reliability
–Critical infrastructure protection (power, water)
–Cybercrime
2. Protection of government secrets
–Protection of national security information
–Other sensitive government information
3. Protection of intellectual property (business secrets; WIPO)
4. Communications privacy (illegal interception)
The Elements of Trust Online - 2
5. Personal data protection (privacy of personally identifiable information)
6. E-signature and authentication
7. Consumer protection (e-commerce framework)
8. Fraud, defamation: offline laws should be sufficient, but jurisdiction is unresolved
Don't forget the offline environment:
–Enforcement of contracts
–Credit card fraud
Cybersecurity
Many communications networks and other critical infrastructures are privately owned.
Cybersecurity is a shared responsibility of gov't, service providers, software and hardware makers, and users (large and small).
A cybersecurity strategy has many components:
–industry standards and sound technology design
–information sharing about threats and vulnerabilities (CERTs)
–awareness and education of all users
–R&D
–criminal law
–liability of computer/software makers under civil law?
Cybersecurity Guidelines
OECD Guidelines for the Security of Information Systems and Networks
APEC Strategy and Statement on the Security of Information and Communications Infrastructure
EU - Council Resolution 28
E-Japan Priority Policy Program (cybersecurity incorporated)
Australia E-Security National Agenda
US National Strategy to Secure Cyberspace & E-Government Act (cybersecurity included)
Common Themes in Int'l Guidelines
Public-Private Partnerships
Public Awareness
Guidelines, International Standards
Information Sharing
Training and Education
Respect for Privacy
Vulnerability Assessment, Warning and Response
International Cooperation
Gov't Must Get Its Own House In Order
Government should not dictate security technologies to industry until it has solved its own problems (that is, probably never).
Elements of a national cyber-security strategy:
–Assessment of national vulnerabilities
–Issuance of a public report that conceptualizes the issue and raises awareness among policymakers and the public
–Creation of a leadership structure within the executive branch to oversee the development and implementation of policy
–Drafting of a detailed national plan based on dialogue with the private sector
–Structuring and enforcement of responsibility
–Adoption of legislation and guidelines addressing such questions as information sharing and accountability
Gov't Must Get Its Own House In Order
US E-Gov Act (2002), Title III (FISMA): limited to government systems; focuses on process, not technologies
–Periodic assessment of risk
–Adoption of policies and procedures
–Chief Security Officer for every agency
–Security awareness training
–Detecting and responding to attacks
–Annual reports to Congress on progress
–Independent security evaluation
–Office of Management and Budget (White House) authority
Similar requirements may be appropriate for the private sector, especially the financial sector and holders of medical data.
Government Secrets
Protection of national security information
–Definition: information generated by the government and its contractors which, if publicly disclosed, would harm national security.
–Important question: can the judiciary or some other independent official review and overturn the Executive Branch's decision to keep information secret?
Other sensitive government information
–Criminal investigative information
–Private information about individuals in the hands of the gov't
Gov't secrets online and off are defined the same way.
Many countries deal with these issues in Freedom of Information law:
http://www.rz.uni-frankfurt.de/~sobotta/FOI.htm
http://www.cfoi.org.uk/overseas.html
Cybercrime
Crimes against computers or communications (CIA: confidentiality, integrity, availability)
–Interference with the availability or integrity of data: destroying data, altering data
–Interference with the availability of service: denial of service attacks
–Interception of data in transit (unauthorized access to communications)
–Unauthorized access to data (cyber trespass)
Crimes using a computer
–Fraud, dissemination of pornography, copyright infringement
–Should not be treated as separate crimes
Crimes where the evidence is in a computer
–Any crime
COE Convention on Cybercrime: a good model, but approach with caution
Investigation of Cybercrime
To investigate cybercrime and crimes facilitated by computer, law enforcement agencies need access to:
–content of communications
–transactional (or traffic) data
–stored data
–data identifying the subscriber (e.g., name)
Phishing E-mail Message
Message purporting to be from eBay
Threatens account termination
Asks the user to update information
Uses eBay and TRUSTe logos for legitimacy
Links to a non-eBay site
Criminal Law Has Limited Effect
Under US law (the CAN-SPAM Act of 2003), such an email is absolutely illegal:
–Falsified header information: criminal and civil violation
–Hijacking another computer to send spam: criminal and aggravated civil violation
–Possible falsification of domain name registration information: criminal violation
–No valid physical address: civil violation
–No opt-out: civil violation
–Deceptive subject heading: civil violation
–Possible address harvesting: aggravated civil violation
The solution to the cybercrime problem requires:
–International cooperation
–Better technology design
–Education of users
Privacy is an Element of Cybersecurity
"Protection of privacy is a key policy objective in the European Union. It was recognized as a basic right under Article 8 of the European Convention on Human Rights. Articles 7 and 8 of the Charter of Fundamental Rights of the EU also provide the right to respect for family and private life, home and communications, and personal data."
Communication from the Commission on Network and Information Security (2001)
OECD Cybersecurity Guidelines
Principle 5: Security should be implemented in a manner consistent with the values recognised by democratic societies, including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency.
Summary
Network security is the shared responsibility of the gov't and the private sector.
Gov't protects its own networks and contributes to awareness, info sharing, and R&D.
A lot of work has been done, and more needs to be done, by the private sector.
There is international consensus on the elements of a strategy.
Cybercrime legislation is one key component of cybersecurity.
Privacy and security are two sides of the same coin.
Don't forget the basics of law reform and the enabling environment.
Privacy in the Digital Age
Online privacy risks:
–Collection of information to an extent never before possible: click-stream data, location information.
–Aggregation of data across time, space, applications and vendors, creating a detailed dossier of activity and thought.
–Retention is cheap and easy.
–Distribution is cheap and easy too.
Public opinion surveys and business experience show that privacy is a major consumer concern and an impediment to e-commerce and e-government.
What is privacy? Information privacy: principles for the use of data.
Why Privacy Matters
Three examples of how privacy concerns arise in e-government projects:
–Japan: Juki Net, national ID and information system; concerns about identity theft
–Australia: PKI and health records
–US: Social Security records online
Personal Data Protection
Data subject: the individual to whom the data pertain
Data controller: a governmental or private-sector entity responsible for determining the purposes and means of personal data processing
Processing: any use, recording, storing or publishing of data
Data handler or processor: anyone who processes (uses) data on behalf of the controller
User: anyone to whom data are disclosed for a permitted purpose
Personal Data Principles - 1
Consumer privacy protection in the US and Europe, under the OECD and APEC guidelines, and in the law of the Republic of Macedonia, is based on ten principles (article references below are to the Macedonian law):
Purpose Specification. Personal data shall be collected only for purposes that are concrete, clear and legally determined. Subsequent use of the data should be limited to those purposes. Article 5, para. 1, item 2.
Notice. The data subject shall be informed of the identity of the data controller and the purpose for which data are collected, as well as of the rights of access and correction. Articles 10 and 11.
Personal Data Principles - 2
Collection Limitation. Personal data should be collected only if they are appropriate, relevant and not excessive in relation to the purpose for which they are collected (no more data should be collected than is necessary to accomplish the stated purpose). Article 5, para. 1, item 3.
Data Quality. Data should be accurate, complete and up to date, taking into account the purposes for which they were collected. Article 5, para. 1, item 4. Upon request of the data subject, and on its own initiative, the data controller is obliged to supplement, amend or delete incorrect, incomplete or out-of-date information. Article 14.
Retention Limit. Data should be stored in a form that allows identification of the data subject for no longer than is necessary to fulfill the purposes for which the data were collected. Article 5, para. 1, item 5.
Personal Data Principles - 3
Use Limitation. Data should not be disclosed or processed except for the purposes specified when they were collected, unless the data subject consents, subject to specified exceptions. Article 6.
Access. The data subject has the right to access data about himself. Article 12. This right is crucial to the exercise of the right to data quality.
Security. Any person having access to a personal data collection on behalf of a controller or handler of the collection is obliged to maintain the secrecy and protection of the data. Article 23. In order to ensure the secrecy and protection of personal data, the controller must apply adequate technical and organizational measures. Article 24.
Data Protection Principles - 4
Openness. A data controller shall keep records of each personal data collection indicating its practices regarding that collection, and shall submit those records to the Data Protection Directorate, which shall compile and publish them. Articles 27-30.
Accountability and Enforcement. The data controller should be accountable for complying with the protections, and a process is created for data subjects to enforce their rights under the law. Articles 18-22; Articles 37-47 (creation and competencies of the Directorate); Articles 49-50 (penal provisions).
EU Electronic Communications Privacy Directive
Spam: opt-in (existing customer relationship: opt-out)
Traffic data used for marketing: opt-in
Cookies: opt-out
–clear and precise information on their purposes and the opportunity to refuse them
Directories: opt-out
Data retention: permitted but not required for law enforcement or national security; disclosure requires independent approval
Directive 2002/58/EC
http://europa.eu.int/information_society/topics/telecoms/regulatory/new_rf/index_en.htm
Enforcing Data Protection
Privacy Commissioners
Chief Privacy Officers (ministry level)
Privacy Impact Assessments
Central Register of Data Collections
Privacy Audits
Privacy Commissioners
Article 28 of the EU Data Protection Directive (95/46/EC); Articles 37-48 of the Macedonian law
Eight inter-related roles (Article 41):
–educator
–consultant
–policy advisor
–auditor
–negotiator
–ombudsman
–enforcer
–international ambassador
Chief Privacy Officers
Ministries and other governmental bodies
Commercial enterprises
Privacy Impact Assessments
An assessment of any actual or potential effects that an activity or proposal may have on individual privacy, and of the ways in which any adverse effects may be mitigated.
Used in Hong Kong, Canada, New Zealand, Australia and the US
Privacy Impact Assessments
–A description of the proposed project, the types of personal data that will be collected or used, and how they will be disseminated or retained
–An explanation of who will have access to the data
–A privacy analysis that identifies how the new project or practice will impact individual privacy
–A risk assessment that lists the privacy risks that have been identified and analyzes how those risks may affect individuals and the success of the project
–A discussion of appropriate technical, procedural or other safeguards that can be adopted to protect privacy
–Recommendations for how the project's privacy risks should be managed
Privacy Impact Assessments
Examples of when a PIA is appropriate:
–creation of public health databases
–proposals to add new biometrics to national ID cards
–proposals to create new law enforcement computer systems
–any proposed law that would require private businesses to collect information on their customers
–creation of new databases, or modifying the scope or use of databases, that contain personal information
–establishment of electronic toll systems on highways
–installation of closed circuit cameras in public places
A PIA usually does not result in a recommendation against the system; it shows how to implement the system in a manner consistent with fair information practices.
Example: Court Records Online
Retain the traditional policy that court records are presumptively open to public access.
As a general rule, access should not change depending on whether the court record is in paper or electronic form: whether there should be access should be the same regardless of the form of the record, although the manner of access may vary.
Example: Court Records Online
The nature of certain information in some court records, however, is such that remote public access to the information in electronic form may be inappropriate, even though public access at the courthouse is maintained.
The nature of the information in some records is such that all public access to the information should be precluded, unless authorized by a judge.
Access policies should be clear, consistently applied, and not subject to interpretation by individual court or clerk personnel.
Enforcing Data Protection
Central Register of Data Collections
Privacy Audits
Consumer Protection
The success of e-commerce depends on the legal system recognizing and promptly enforcing electronic contracts (business to business and business to consumer).
Consumer protection includes:
–Prohibition on misleading advertising
–Regulation of consumer financial services and credit
–Rules against fraudulent billing
–Complaint resolution
–Right to a refund if goods are not delivered or are defective
Consumer Protection
Before closing the contract, the consumer should be provided with:
–Identity and address of the supplier
–Description of the goods and their price
–Procedure for payment, delivery and performance (if buying a service)
–Notice of the right of withdrawal
European Parliament & Council Directive 97/7/EC (17 February 1997) on the protection of consumers in respect of distance contracts
–http://europa.eu.int/information_society/topics/ebusiness/ecommerce/3information/law&ecommerce/legal/documents/31997L0007/31997L0007_en.html
European Parliament & Council Directive 2000/31/EC (8 June 2000) on electronic commerce
–http://europa.eu.int/ISPO/ecommerce/legal/documents/2000_31ec/2000_31ec_en.pdf
More Information
Global Internet Policy Initiative (GIPI): http://www.internetpolicy.net
Center for Democracy and Technology (CDT): http://www.cdt.org
Information Technology Security Handbook, infoDev project, World Bank (Dec. 2003): http://www.infodev-security.net/handbook/