Friday, September 7, 2012

Proposed amendments to FAR - Attention GSA'ers

DoD, GSA and NASA are proposing to amend the FAR with a new subpart and contract clause for anyone contracting with Uncle Sam or handling government data.  The changes would require contractors or organizations handling government data to take certain information security measures and these would be contractually required.

Written comments are due on or before October 23rd, and the FAR case is 2011-020.

"Basic safeguarding" of data includes such items as:
  • Use of public computers
  • Intrusion protection
  • Transmitting of electronic information
  • Physical and electronic barriers
According to the proposed rule, basic protection measures are "first-level information technology security measures used to deter unauthorized disclosure, loss, or compromise."
It is interesting to note that although these should already be included under FISMA it also pertains to the use of COTS products.  Anyone contracting with Uncle Sam should keep abreast of the changes and provide comments.

http://www.gpo.gov/fdsys/pkg/FR-2012-08-24/pdf/2012-20881.pdf



Friday, July 27, 2012

Thought for the day

Optimists look at a glass of water filled 50% and say it is half full
Pessimists look at the same glass as half empty

A security person looks at the glass and says "how do I know this is water and not some deadly chemical"

Chris Cunningham (just now)

Friday, June 1, 2012

Cookie Guidance from the UK ICO

In 2002 the European Directive 2002/58/EC laid the ground work for the protection of privacy for electronic communications. This was amended in 2009 by directive 2009/136/EC commonly referred to as the “cookie rule”. This directive required governments in the EU to implement these changes in their own laws by May 25, 2011. The UK ICO allowed for a “lead in period” of one year, and that year is now up. On May 25th, The UK ICO published their recommendations on the directive and how the UK ICO views the issues and requirements in the directive, as well as some insight into how enforcement actions may take place within the UK. This is a valuable resource for organizations operating websites in the UK.



As should be anticipated, any cookies that are not strictly necessary or any cookies that handle sensitive data should get extra attention, since you can be assured the DPAs will be paying special attention to them. This is an area where explicit consent should be obtained.

A couple of items from the guidance should be noted by any organizations using cookies on their websites, especially cookies that track users actions across multiple sessions.


• Explicit consent is not a requirement in all cases


• Users on the site should be conspicuously advised of the use of cookies on the site, and their choices on allowing the cookies.


• Exceptions for a cookie being “strictly necessary” should be sued very narrowly


• Make the use of third party cookies very clear to the end-user



Friday, February 24, 2012

How a carrot and a stick relate to US privacy legislation

Yesterday, the Obama Administration released their latest efforts to effect real privacy standards and legislation in what they are calling the Consumer Privacy Bill of Rights. The paper, entitled Consumer Data Privacy in a Networked World outlines several measures that will drag the US, kicking and screaming, into the development of a real privacy standard that will rival the European and OECD standards and directives.
The plan is broken down into several areas. First, there is a Consumer Privacy Bill of Rights that is similar to the OECD Privacy Principles, albeit unnecessarily complicated and duplicative. Secondly, the Bill of Rights would be implemented in Codes of Conduct that industry would need to develop in concert with the government’s “assistance”. Thirdly, the FTC would be the enforcer of these codes of conduct similar to their current role. Lastly, the plan calls for a Federal breach notification standard and calls for enforceable federal legislation that would enable mutual recognition by other countries. To date, Congress has failed miserably in every attempt to enact Federal data privacy legislation, so I applaud the Administration for trying the carrot approach, since the stick has not been effective.

Consumer Privacy Bill of Rights

The Obama Administration is hoping that even if Congress does not implement Federal legislation, that this will be the starting point for industry discussion and a beginning of privacy standards that can be used by businesses and industries. The Bill of rights is similar to the OECD standards and includes:

•Individual Control
•Transparency
•Respect for Context
•Security
•Access and Accuracy
•Focused Collection
•Accountability

Codes of Conduct

The plan calls for companies and groups to develop these codes of conduct in cooperation with the FTC and the National Telecommunications and Information Administration (NTIA). The enforcement powers would most likely be given to the FTC under Section 5 off the FTC Act, similar to how the FTC now brings actions against organizations for unfair and deceptive trade practices. Any Federal legislation resulting from this should preempt any state laws to the extent they are inconsistent with the Federal law.

Time will tell if the plan will advance privacy legislation and improve consumer protection, but it is already an improvement of anything we have seen come down from Capitol Hill – which is nothing. If this indeed moves forward, the next step will be gaining recognition by the EU, but forgive me if I don’t hold my breath on this just yet.

More to come on this topic as it develops.

Tuesday, July 19, 2011

Working Party Opinion on Consent 15/2011

On July 13 the Article 29 Working Party issued Opinion 15/2011 on the definition of consent.

In their words:
“The Opinion provides a thorough analysis of the concept of consent as currently used in the Data Protection Directive and in the e-Privacy Directive. Drawing on the experience of the members of the Article 29 Working Party, the Opinion provides numerous examples of valid and invalid consent, focusing on its key elements such as the meaning of "indication", "freely given", "specific", "unambiguous", "explicit", "informed" etc. The Opinion further clarifies some aspects related to the notion of consent. For example, the timing as to when consent must be obtained, how the right to object differs from consent, etc.”

The opinion, all 38 pages of it, answer some of the questions that face many organizations when it comes to tactical privacy decisions involving consent. It has many real world examples, and gives great insight into the WP thinking for possible future changes. It is easy to fall into the trap of only looking at 95/46 and not taking the various member state implementations into account, and consent is no exception to this rule.

Following are some items to consider when making decisions based on consent.

- Currently, the Council’s definition of consent is
"any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed"
- Consent should not be used as an exemption form other data protection principles, you still need to process for purpose, use limitation, openness, etc.
- Consent is a weak basis for justifying the processing of personal data, and loses even more value when stretched to include items not in the original scope of the processing or for other purposes is not sufficient to prove consent
- Subjects should be able to exercise a real choice when consenting, and negative consequences of non-consent is not a good idea (duh!)
- Consent must be specific, and for the exact purpose of the processing
- Controllers should review data subject’s choices periodically
- Consent should be verifiable, and you should maintain proof of the consent
- Consent in the case of sensitive personal data must be explicit
- Explicit consent in the on-line world may be a clickable button, but not the lack of clicking or un-checking a default. In other words inaction typically will not be viewed as valid consent
- Be careful when using consent in the employment context. The WP’s stance on employee consent remains as it was in WP48 and WP 114

"where consent is required from a worker, and there is a real or potential relevant prejudice that arises from not consenting, the consent is not valid in terms of satisfying either Article 7 or Article 8 as it is not freely given. If it is not possible for the worker to refuse it is not consent.… An area of difficulty is where the giving of consent is a condition of employment. The worker is in theory able to refuse consent but the consequence may be the loss of a job opportunity. In such circumstances consent is not freely given and is therefore not valid. The situation is even clearer cut where, as is often the case, all employers impose the same or a similar condition of employment.”

Wednesday, November 24, 2010

help - I got groped at the airport, but the mall is still vulnerable

First – all of us are not terrorists, especially the 80 year old grandmother and 10 year olds you are groping. However, if the United States government continues with their current trend of invasion of privacy and near molestation of American citizens they may be well on their way to becoming a terrorist state. Additionally, it appears as if we are already being terrorized due to the number of ridiculous steps one has to take when flying, and we have done nothing to increase our security.

OK, that was my rant and I will attempt to deliver the rest in a logical matter taking security and risk into account.

There is a great quote regarding security that paraphrased states the protector has to be right 100% of the time but the attacker only has to be right once. There are a lot of targets for attackers, and note that I am not using the word terrorist, but I include them in this categorization. Shopping malls, restaurants, crowded bus and train terminals, trains, busses, subways, concerts, schools, etc. It is impossible to protect all of these locations 100% of the time from 100% of attackers. Furthermore, you have to classify the risks and distribute your finite amount of protections against them in a manner that reduces, but never eliminates the risk. This has to be balanced by protecting the rights and freedoms of the very people you are trying to protect in the first place, or you have accomplished nothing and the people intending to harm you (the attackers) have actually terrorized you and accomplished their main goal. I could go on discussing the need for intelligence and actual police work, which is the only item that has ever stopped attacks or terrorist activity, but instead I am focusing this blog on just aviation security.

The government has once again based their security posture on a reaction to a specific threat and not on the overall risks to commercial passenger aviation. The shoe bomber tried to detonate a device in his shoe, so we all remove our shoes, the underwear bomber tried to detonate a device in his pants, and now we are all getting groped and having naked images of ourselves taken when we fly. There was a device disguised as a toner cartridge, so now we can no longer bring those on board. In the old days, I had to make my pager beep so that the security people knew it was not a bomb, and every time I did this the same thought ran through my head “If someone could make a pager into a bomb, they could damn sure make it beep when they wanted”.

The new procedures will still not be able to find explosives hidden in or on the body, and anyone who has worked in a prison will tell you that for certain, and let you know how you would have to search someone to find them - let’s just say it ain’t pretty. People with medical devices or prosthetics will be especially embarrassed by the latest tactics, and in the end the TSA agent will still not know if the insulin pump contains anything we should not let on a plane. It is still far easier and less risky to get a job as a baggage handler or ramp employee and smuggle explosives on a plane, than it is to bring it through the front door or to simply mail the explosives in a cargo container. There are hundreds of other means as well, but again we are discussing a specific threat and need to be discussing risks and countermeasures at a broader level. In disaster planning, you don’t plan for a plane crashing through your building, you plan for any occurrence that could harm an employee or the facility and plan accordingly. Again, I am only speaking of aviation security here, and there are many more targets that are far easier than an aircraft to attack.

Ask yourself this, would the current tactics have stopped the 9/11 terrorists – no. That event was a black swan, and was not anticipated by the countermeasures in place at the time, and the next event may not be either. If we continue down the road of reacting to every event with draconian measures that undermine our privacy and freedoms, we will have accomplished nothing, not made our country any safer, and spent a lot of money in the process. We need to ensure that Police are on the job, the intelligence community gets the resources and recognition is desperately deserves and look at all of our risks and not just the one that the last terrorist used.