[ISN] Rules aimed at digital misdeeds lack bite
isn at c4i.org
Tue Apr 12 07:05:35 EDT 2005
By Jon Swartz
SAN FRANCISCO - Federal and state lawmakers, compelled by headlines of
a computer-crime wave, are scrambling to introduce bills that would
tighten cybersecurity and make it easier for prosecutors to file
charges and impose stiffer penalties.
Digital thieves have rarely been so audacious. Data breaches at
ChoicePoint, LexisNexis, the University of California and elsewhere,
in which the personal records of thousands of Americans were pinched,
underscore the brazen tactics of criminals marauding like gunslingers
on a lawless Internet, security experts say.
At least a dozen federal and state bills covering privacy protection,
phishing and spyware have been introduced on Capitol Hill and in state
capitals this year. The bills are designed to staunch consumer losses.
Identification theft cost consumers, banks and credit card companies
$11.7 billion through the 12 months ended in April 2004, says
Phishing scams, fraudulent e-mails or Web sites that trick computer
users into surrendering personal information, burned U.S. consumers
for $500 million in the 12-month period ended September 2004, says
researcher Ponemon Institute.Damages from spyware, software that
quietly monitors the activities of Internet users: More than $200
million to U.S. consumers last year, Ponemon says.
"The large number of bills, unfortunately, reflects the dark side of
the Internet," says Harris Miller, president of the Information
Technology Association of America, a non-profit that represents 400
But computer-security experts doubt the legislative outbreak will
change matters. They contend prospective bills often are watered down
to appease lobbyists and can't always be enforced by overtaxed law
enforcement. On top of that, corporations are reluctant to share
sensitive data in investigations, and offshore criminals are outside
the reach of the law. Several fear a repeat of the federal Can-Spam
law, which outlaws unsolicited commercial e-mail but has done little
to curb spam.
"When it gets down to the nitty-gritty, Congress rarely passes strong
consumer-protection measures, primarily because of industry
influence," says Beth Givens, director of Privacy Rights
Clearinghouse. "To quote Shakespeare, this is 'Full of sound and fury,
signifying nothing.' "
Computer-security experts already blame fuzzy national laws that do
not specifically ban spyware, phishing and other digital misdeeds.
"Legislation is reactive. There are harsher penalties, yes, but
nothing that would help prevent identity theft," says Judith Collins,
a criminal justice professor at Michigan State University.
Hacking laws exist, but as computer crimes become more sophisticated
so, too, must the laws, lawmakers and prosecutors say. "New laws are
about making it easier for prosecutors to bring harsh, specific
charges," says Deborah Thoren-Peden, an Internet lawyer in Los
Angeles. "It raises awareness for the public and risk for criminals."
For now, authorities are limited in the laws they cite in
computer-crime cases, Internet lawyers say. The Computer Fraud and
Abuse Act, a 1986 law most recently amended in 2001, makes it a crime
to access a computer without authorization. Common trespass law can
apply to phishing scams and computer viruses.
Federal law doesn't impose security measures on companies outside of
financial services and health care to protect private information,
says Internet lawyer Edward Naughton.
Most companies prefer it that way. They don't want to be regulated out
of concern it will be costly to shore up computer defenses and give
investigators access to sensitive data. Instead, they advocate
self-regulation and tighter security.
With high-profile computer crimes on the rise, and consumers clamoring
for protection, the tech and financial industries may have no choice,
Naughton and privacy experts say. The raft of legislation covers:
* Privacy protection. A bill from Sen. Dianne Feinstein, D-Calif.,
would require federal agencies and companies conducting interstate
commerce to notify customers when their private data are compromised.
The bill, based on a similar law in California, may include a
requirement that all commercially stored data be encrypted.
Even then, a federal-notification requirement may not be enough to
appease lawmakers and privacy experts, who oppose the sale of Social
Security numbers without an individual's consent. FTC Chairman Deborah
Platt Majoras says there are legitimate purposes for obtaining a
Social Security number without the individual's knowledge, including
fraud investigations and law enforcement.
Meanwhile, Sen. Bill Nelson, D-Fla., and Rep. Ed Markey, D-Mass., last
month introduced legislation that would expand the powers of the FTC
to oversee data brokers as it does companies that handle medical and
financial records. Sen. Jon Corzine, D-N.J., also plans to file a bill
that would help create federal data-protection standards and require
CEOs or chief compliance officers to show that their companies comply
with the rules.
Still, broad privacy legislation faces a tough battle on Capitol Hill,
where data brokers have strong lobbyists such as Akin Gump Strauss
Hauer & Feld. The law firm was paid $160,000 by ChoicePoint in the
first six months of 2004 and $280,000 in 2002 and 2003 to influence
lawmakers, public documents show.
Information brokers have "an enormous number of (lobbyists) canvassing
the Hill with inside connections and massive campaign contributions,"
says Ed Mierzwinski, consumer program director for the U.S. Public
Interest Research Group. "Privacy advocates do not have nearly the
* Spyware. Lobbying efforts may also undercut anti-spyware legislation
from Rep. Mary Bono, R-Calif. Her bill, currently in the House, would
raise fines against spyware purveyors to up to $3 million per
infraction. Yet privacy advocates complain it exempts software
cookies, a coded piece of information stored on a computer that
identifies the computer during visits to a Web site, and embedded ads
on Web pages from an earlier version, rendering it less effective.
Another bill, introduced in late March by Sens. Conrad Burns, R-Mont.,
and Ron Wyden, D-Ore., prohibits the surreptitious installation of
spyware programs. The FTC would be charged with enforcing the law,
though state attorneys general would also be authorized to bring
actions. It, too, exempts cookies.
To strengthen federal law, states routinely craft bills that come down
hard on violators who victimize residents. Bills in Michigan, Nebraska
and Georgia would make it illegal to install spyware on the computers
of state residents without their permission, and would delegate who is
responsible for enforcement a common shortcoming of federal law.
Utah signed a bill into law in March.
* Phishing. The Anti-Phishing Act, sponsored by Sen. Patrick Leahy,
D-Vt., would impose jail terms up to five years and fines up to
$250,000 for phishing. The bill protects free speech related to parody
and politics online. More important, it allows law-enforcement
officials to stop phishing schemes before the bad guys use stolen
data, says phishing expert Dave Jevans. The national bill comes on the
heels of state bills in Texas, Virginia, Rhode Island and elsewhere.
An overriding worry with phishing bills as with any
computer-security-related proposal is that too many could lead to
legislative inflation. "How many ways can you make phishing illegal?
There are at least five laws already," says Ari Schwartz, associate
director at the Center for Democracy & Technology. "And they're not
Making it work
Despite the wave of bills, no matter how well researched and written,
they are only as effective as enforced by police. Foreign governments
often ignore U.S. law or fail to help their American counterparts.
"We could add a million new laws, but you need to follow through,"
says Internet lawyer Pete Wellborn, who wrote the anti-spyware
legislation in Georgia. "Unfortunately, there are more bad guys than
Law enforcement is the "perennial question," adds Robert Holleyman,
CEO of Business Software Alliance, a trade group that represents two
dozen of the largest tech companies. "At the end of the day, we need
adequate resources to track down and convict criminals. That means
additional resources for the FTC and Justice Department."
The Department of Justice declined comment.
The federal Can-Spam law offers a cautionary tale on what some new
bills might face.
Anti-spam activists contend the much-ballyhooed law actually increases
spam because of the way it is worded. It requires recipients to opt
out of unwanted commercial e-mail by contacting each sender instead of
forcing senders to get opt-in permission. The law also pre-empts parts
of tougher state laws, including a California opt-in requirement.
Can-Spam bars citizens from suing spammers, allowing only state
attorneys general or Internet service providers to file civil suits.
Backers of Can-Spam counter that ISPs such as Microsoft, America
Online and EarthLink have taken advantage of the law to file dozens of
successful lawsuits against spammers.
Ultimately, the fate of the computer-security bills depends on the
conflicting interests of politicians, lobbyists, tech companies and
"It's all about striking a balance between punishing the bad elements
and minimally intruding on the good actors," Holleyman says. "And that
More information about the ISN