
First Europe, now the US?

Wednesday 07 February 2007 at 2:40 pm
Another bill has been put into circulation that I think everyone should know about. Representative Lamar Smith of Texas has put forth legislation that would require every ISP to keep records of what their users do on the Net, to assist law enforcement. For every customer an ISP has, every IP address they are assigned, every DNS request they make, every outgoing connection, and every incoming connection attempt would be recorded and archived on the off chance that a subpoena came in. Failure to comply would mean fines and jail time.

On top of that, people who run sexually explicit websites would have to label their sites as such (as if you couldn't tell within the first thirty seconds of following a link). This act (called the SAFETY Act, for "Internet Stopping Adults Facilitating the Exploitation of Today's Youth") is a rerun of a bill submitted in 2006 that died before being voted on.

The bill is supposed to help law enforcement get the information they need to hunt down and prosecute net.criminals these days. Speaking as someone that's done incident response a couple of times in the past, this bill is a waste of time and mental compute cycles. Given how criminal law is adapting to the Net, companies and other organisations already have considerable pressure put upon them to at least make an attempt at implementing information security measures and intrusion countermeasures. There are two problems with this, though.

First, you have to convince the admins of a given company that they've got a breach that is making life interesting for other people on the Net. Finding an e-mail address for their security officer, if indeed there is one on staff there, can be like getting the formula for Coca-Cola out of a loading dock worker, i.e., good bloody luck.

Second, assuming that you have done your homework, contacted the security officers of the org whose network has been infiltrated (or maybe you are the director of information security and your network has been compromised), and assuming that you've done the information forensics song and dance, confirmed the breach, and started backtracking... law enforcement often isn't interested in your case.

Yes, that's right. If one of your boxes has been cracked and you try to call the FBI or the Secret Service, chances are they're not going to want to pursue the case, for a number of reasons. First of all, unless more than $100k US of damage has been done, it's really not a big enough crime for them to pursue. Second, unless a major federal law like HIPAA has been violated, or it's part of something greater going on, you'll probably have a hard time getting their help. And if your org is the one that broke said laws, you're doubly screwed.

There is also the fact that there is no evidence anywhere that any ISP has dragged its feet when presented with a subpoena.

The specific requirements of data retention have yet to be set by Attorney General Gonzales.

four comments recorded.

I don’t even begin to fathom how they’ll address web spiders like wget. Or if they will – they’re likely to just pretend there’s no such thing. That there couldn’t be an automated process which breaks the law through no intervention of the user.

Yeah, try charging Enlil with a crime. I do believe you’ll get a beep code.

Hasufin - 07 02 07 - 21:03

Or Google. Or any of the fly-by-night search engines that malware developers like to use so much (that ignore the robots.txt file).

Chances are, they’d try to spin it as a zero-day super-elite ICEbreaker of some kind. Or a worm; everyone remembers Code Red.

That’s an amusing mental image, though.

The Doctor - 07 02 07 - 21:56

Actually, I’m kind of ashamed to say I didn’t recall Code Red – I had to look it up.

It’s an amusing mental image, but alas the reality is somewhat uglier: as the owner of the machine, I’d be charged for what it did. Before long there will be charges of “negligent computer distribution” or the like.

Hasufin - 07 02 07 - 23:18

That’ll never happen for one reason only: Microsoft.

Their track record of security vulnerabilities is such that they’d be wiped out of existence simply because of the damage so many worms have done on such a large scale. Also, there is a body of case law that says that the owner of a machine may not be liable for what is done with it after it’s been compromised; otherwise, a lot of web hosting companies whose farms have been cracked (which happens more often than anyone is willing to admit – look at all the phishing sites out there) would be in serious trouble.

It’s far easier, legally speaking, to try to disprove criminal intent and handwave the lack of a patch.

The Doctor - 08 02 07 - 06:33
