Friday, April 3, 2009

Balancing Security and Privacy in Cyberspace

In the race to legislate solutions to our nation's vulnerabilities in cyberspace, are we giving up more privacy protections? A recent piece in Mother Jones offers a good examination of the trade-offs between privacy and security in cyberspace in legislation currently being proposed on Capitol Hill.

From Mother Jones,
a bill to establish the Office of the National Cybersecurity Advisor - an arm of the executive branch that would have vast power to monitor and control Internet traffic to protect against threats to critical cyber infrastructure.  That broad power is rattling some civil libertarians.

The Cybersecurity Act of 2009 gives the president the ability to "declare a cybersecurity emergency" and shut down or limit Internet traffic in any "critical" information network "in the interest of national security." The bill does not define a critical information network or a cybersecurity emergency. That definition would be left to the president.

The bill does not only add to the power of the president. It also grants the Secretary of Commerce "access to all relevant data concerning [critical] networks without regard to any provision of law, regulation, rule, or policy restricting such access." This means he or she can monitor or access any data on private or public networks without regard to privacy laws.

Do you think the Executive Branch needs these kinds of authorities to protect cyberspace?

4 comments:

Stephan said...

I do believe that the Executive branch needs to either create a post in order to ensure cyber-security. While the internet is essentially 'everywhere and it is no where,' maintaining a secure internet is essential to the livelihood of all US citizens.

On the other end of the spectrum from the executive branch establishing a post to ensure security, a recent article (http://www.nytimes.com/2009/04/16/us/16nsa.html?pagewanted=2&_r=2&hp) may depict the contrary. Some intelligence agencies may be trumping the current Justice system and may be placing citizens in a bad category wrongfully. However, if this was based on good evidence or would be important to national security then my views would change. Do you think current wiretapping laws are adequate for both with warrants and without warrants investigations?

jamie said...

The Internet Security Act of 2009, if passed, would give the President an unprecedented amount of legal control over the Internet. The bill would allow the President to basically stop Internet traffic in the event of an “emergency”. But, the bill manages to avoid defining what level of emergency would give the President all this power. In essence, the President could call any trivial matter an “emergency”, and proceed to shut down whatever parts of the Internet he or she chooses.
While this new power that could be given to the President is worrisome, the new powers given to the Secretary of Commerce are even more radical. If the bill is passed, the Secretary will be given “access to all relevant data concerning [critical] networks without regard to any provision of law, regulation, rule, or policy restricting such access”. This means that the Secretary would be able to look at whatever Internet activity he or she chooses to on a non-emergency basis.
There are many laws that have been enacted by Congress with the express goal of protecting Internet privacy. For instance, the Electronic Communications Privacy Act protects electronic communication in transit, sets requirements for search warrants, and protects messages stored on the computer. But, after 9/11, the Patriot Act greatly reduced the privacy of the Internet that is protected by law. The Patriot Act made it much easier for law enforcement agencies to use wiretaps and other methods of surveillance on citizens with warrants from the easily manipulated FISA courts. It also made it easier for the government to intercept electronic communications. Most Americans do not realize that what they say on the Internet is much less private than before 9/11.
While the Internet Security Act would diminish privacy, it is not as radical as some think. Even before 9/11, America has been giving up privacy in exchange for security. The passage of the Internet Security Act would just be the next step in favor of this exchange. But, that is not to say that we should allow the passage of this Act. Allowing the Secretary access to any network is not only unnecessary, but it could potentially make it easier for hackers to access that same information. While the Internet is a definite weak spot in national security that needs protection, the Act needs to define what qualifies as an “emergency” such that the President is permitted to shut down the Internet. This Act is too expansive and not specific enough to allow for the protection of the Internet without unnecessarily taking away the privacy of citizens. To quote Benjamin Franklin, "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety".

jamie said...

The class reading on the Athens Affair brought many important concerns about telecommunication privacy to light. In the Affair, rogue software was installed in Vodafone-Panafon, the largest cell service provider in Greece. Many influential politicians and military leaders had their phones secretly wire-tapped sometime during the period from August 2004 to January 2005. The hackers listened in on, and presumably recorded, many serious diplomatic and military decisions. The hackers used sophisticated technology and methods to subvert the wire-tapping capabilities built into the phone network for their own use.
The hackers used to their own advantage the Ericsson AXE that Vodafone had installed to facilitate lawful wiretaps. When facilitating a wiretap, the RES sends a copy of the dialogue to another data stream that lets law enforcers listen in. The Ericsson IMS allows for better monitoring of the wiretaps. At the time of the hacking, Vodafone had not installed the IMS, making it harder for them to spot an illegal wiretap. Another aspect that made the Affair easier for the hackers is that Vodafone, like many other carriers, does not encrypt phone calls while they transit the provider’s core network. Encrypting phone calls all the way through makes it more difficult to initiate lawful wiretaps; so, for ease, most companies do not protect calls all the way through.
The software was only discovered when the hackers attempted to update their program. This attempt temporarily stopped text messages from being forwarded. This triggered an alarm. Vodafone looked at what the AXE had logged, and discovered the code that the hackers had put in.
This affair deeply jeopardized the state secrets in Greece and the privacy of Grecian officials and citizens. While the hackers did use very advanced technology, it would have been possible for Vodafone to prevent the attack, or at least detect it earlier. Looking at this event, companies can learn a lot about the importance of stricter protection. Most countries have laws that require companies to provide some privacy protection for their customers; but many times these laws are either not strict enough or out of date.
Governments either need to update their privacy requirements to be more in tune with the needs of the time, or companies need to take it into their own hands to provide their customers with protection. People expect that what they say over the phone will be kept private; companies need to make sure that these expectations will be met. Companies need to get better virus protection, better data retention capabilities, and better coordination with law enforcement. As the use of telecommunications continues to expand, laws need to become stricter to assure that the Athens Affair will not be repeated.