[ISN] Rules aimed at digital misdeeds lack bite

InfoSec News isn at c4i.org
Tue Apr 12 07:05:35 EDT 2005


By Jon Swartz

SAN FRANCISCO - Federal and state lawmakers, compelled by headlines of 
a computer-crime wave, are scrambling to introduce bills that would 
tighten cybersecurity and make it easier for prosecutors to file 
charges and impose stiffer penalties.

Digital thieves have rarely been so audacious. Data breaches at 
ChoicePoint, LexisNexis, the University of California and elsewhere, 
in which the personal records of thousands of Americans were pinched, 
underscore the brazen tactics of criminals marauding like gunslingers 
on a lawless Internet, security experts say. 

At least a dozen federal and state bills covering privacy protection, 
phishing and spyware have been introduced on Capitol Hill and in state 
capitals this year. The bills are designed to stanch consumer losses. 
Identity theft cost consumers, banks and credit card companies 
$11.7 billion in the 12 months ended in April 2004, says 
researcher Gartner.

Phishing scams, fraudulent e-mails or Web sites that trick computer 
users into surrendering personal information, burned U.S. consumers 
for $500 million in the 12-month period ended September 2004, says 
researcher Ponemon Institute. Damages from spyware, software that 
quietly monitors the activities of Internet users, exceeded $200 
million for U.S. consumers last year, Ponemon says. 

"The large number of bills, unfortunately, reflects the dark side of 
the Internet," says Harris Miller, president of the Information 
Technology Association of America, a non-profit that represents 400 
tech companies.

But computer-security experts doubt the legislative outbreak will 
change matters. They contend prospective bills often are watered down 
to appease lobbyists and can't always be enforced by overtaxed law 
enforcement. On top of that, corporations are reluctant to share 
sensitive data in investigations, and offshore criminals are outside 
the reach of the law. Several fear a repeat of the federal Can-Spam 
law, which outlaws unsolicited commercial e-mail but has done little 
to curb spam.

"When it gets down to the nitty-gritty, Congress rarely passes strong 
consumer-protection measures, primarily because of industry 
influence," says Beth Givens, director of Privacy Rights 
Clearinghouse. "To quote Shakespeare, this is 'Full of sound and fury, 
signifying nothing.' "

Computer-security experts already blame fuzzy national laws that do 
not specifically ban spyware, phishing and other digital misdeeds. 

"Legislation is reactive. There are harsher penalties, yes, but 
nothing that would help prevent identity theft," says Judith Collins, 
a criminal justice professor at Michigan State University.

Limited tools 

Hacking laws exist, but as computer crimes become more sophisticated 
so, too, must the laws, lawmakers and prosecutors say. "New laws are 
about making it easier for prosecutors to bring harsh, specific 
charges," says Deborah Thoren-Peden, an Internet lawyer in Los 
Angeles. "It raises awareness for the public and risk for criminals."

For now, authorities are limited in the laws they cite in 
computer-crime cases, Internet lawyers say. The Computer Fraud and 
Abuse Act, a 1986 law most recently amended in 2001, makes it a crime 
to access a computer without authorization. Common trespass law can 
apply to phishing scams and computer viruses.

Federal law doesn't impose security measures on companies outside of 
financial services and health care to protect private information, 
says Internet lawyer Edward Naughton. 

Most companies prefer it that way. They don't want to be regulated out 
of concern it will be costly to shore up computer defenses and give 
investigators access to sensitive data. Instead, they advocate 
self-regulation and tighter security.

With high-profile computer crimes on the rise, and consumers clamoring 
for protection, the tech and financial industries may have no choice, 
Naughton and privacy experts say. The raft of legislation covers:

* Privacy protection. A bill from Sen. Dianne Feinstein, D-Calif., 
would require federal agencies and companies conducting interstate 
commerce to notify customers when their private data are compromised. 
The bill, based on a similar law in California, may include a 
requirement that all commercially stored data be encrypted. 

Even then, a federal-notification requirement may not be enough to 
appease lawmakers and privacy experts, who oppose the sale of Social 
Security numbers without an individual's consent. FTC Chairman Deborah 
Platt Majoras says there are legitimate purposes for obtaining a 
Social Security number without the individual's knowledge, including 
fraud investigations and law enforcement.

Meanwhile, Sen. Bill Nelson, D-Fla., and Rep. Ed Markey, D-Mass., last 
month introduced legislation that would expand the powers of the FTC 
to oversee data brokers as it does companies that handle medical and 
financial records. Sen. Jon Corzine, D-N.J., also plans to file a bill 
that would help create federal data-protection standards and require 
CEOs or chief compliance officers to show that their companies comply 
with the rules.

Still, broad privacy legislation faces a tough battle on Capitol Hill, 
where data brokers have strong lobbyists such as Akin Gump Strauss 
Hauer & Feld. The law firm was paid $160,000 by ChoicePoint in the 
first six months of 2004 and $280,000 in 2002 and 2003 to influence 
lawmakers, public documents show.

Information brokers have "an enormous number of (lobbyists) canvassing 
the Hill with inside connections and massive campaign contributions," 
says Ed Mierzwinski, consumer program director for the U.S. Public 
Interest Research Group. "Privacy advocates do not have nearly the 

* Spyware. Lobbying efforts may also undercut anti-spyware legislation 
from Rep. Mary Bono, R-Calif. Her bill, currently in the House, would 
raise fines against spyware purveyors to up to $3 million per 
infraction. Yet privacy advocates complain it exempts software 
cookies, a coded piece of information stored on a computer that 
identifies the computer during visits to a Web site, and embedded ads 
on Web pages from an earlier version, rendering it less effective.

Another bill, introduced in late March by Sens. Conrad Burns, R-Mont., 
and Ron Wyden, D-Ore., prohibits the surreptitious installation of 
spyware programs. The FTC would be charged with enforcing the law, 
though state attorneys general would also be authorized to bring 
actions. It, too, exempts cookies.

To strengthen federal law, states routinely craft bills that come down 
hard on violators who victimize residents. Bills in Michigan, Nebraska 
and Georgia would make it illegal to install spyware on the computers 
of state residents without their permission, and would delegate who is 
responsible for enforcement — a common shortcoming of federal law. 
Utah signed a bill into law in March.

* Phishing. The Anti-Phishing Act, sponsored by Sen. Patrick Leahy, 
D-Vt., would impose jail terms up to five years and fines up to 
$250,000 for phishing. The bill protects free speech related to parody 
and politics online. More important, it allows law-enforcement 
officials to stop phishing schemes before the bad guys use stolen 
data, says phishing expert Dave Jevans. The national bill comes on the 
heels of state bills in Texas, Virginia, Rhode Island and elsewhere. 

An overriding worry with phishing bills — as with any 
computer-security-related proposal — is that too many could lead to 
legislative inflation. "How many ways can you make phishing illegal? 
There are at least five laws already," says Ari Schwartz, associate 
director at the Center for Democracy & Technology. "And they're not 

Making it work 

No matter how well researched and written the wave of bills may be, 
they are only as effective as the police who enforce them. Foreign 
governments often ignore U.S. law or fail to help their American 
counterparts. 

"We could add a million new laws, but you need to follow through," 
says Internet lawyer Pete Wellborn, who wrote the anti-spyware 
legislation in Georgia. "Unfortunately, there are more bad guys than 
good guys."

Law enforcement is the "perennial question," adds Robert Holleyman, 
CEO of Business Software Alliance, a trade group that represents two 
dozen of the largest tech companies. "At the end of the day, we need 
adequate resources to track down and convict criminals. That means 
additional resources for the FTC and Justice Department."

The Department of Justice declined comment.

The federal Can-Spam law offers a cautionary tale on what some new 
bills might face.

Anti-spam activists contend the much-ballyhooed law actually increases 
spam because of the way it is worded. It requires recipients to opt 
out of unwanted commercial e-mail by contacting each sender instead of 
forcing senders to get opt-in permission. The law also pre-empts parts 
of tougher state laws, including a California opt-in requirement. 
Can-Spam bars citizens from suing spammers, allowing only state 
attorneys general or Internet service providers to file civil suits.

Backers of Can-Spam counter that ISPs such as Microsoft, America 
Online and EarthLink have taken advantage of the law to file dozens of 
successful lawsuits against spammers.

Ultimately, the fate of the computer-security bills depends on the 
conflicting interests of politicians, lobbyists, tech companies and 
law enforcement.

"It's all about striking a balance between punishing the bad elements 
and minimally intruding on the good actors," Holleyman says. "And that 
isn't easy."