Mixed Bag Data Security Legislation Inches Forward, USACM Comments on Proposal

Today Congress took another step forward in trying to deal with the numerous data breaches that continue to make news as the House Energy and Commerce Committee unanimously passed legislation (H.R. 4127) that would force companies to shore up their security practices.

We’ve covered this issue in other posts (1,2), but for background the legislation has four main components:

  • A requirement that all businesses have data security plans in place,
  • Special regulations for so-called “databrokers,”
  • A nationwide notification requirement, and
  • Preemption of state law.

As the bill was moving through the committee process USACM issued a new letter finding that the draft legislation embraced several of the Fair Information Practices (FIP) principles recommended in a previous letter to Congress. The bill requires information brokers to verify the accuracy of personal information, allows consumers access to personal information held by brokers, and introduces additional accountability through mandatory audit logs — all welcome steps forward. However, USACM expressed concern about the legislation’s notification provisions if there is a breach of a company’s security.

The bill would require companies to notify consumers of a data breach only if there is a reasonable risk that the acquired data can be used for unlawful practices. Further, it states that if a company encrypts the data or uses other technologies or practices that render data unreadable or indecipherable, then these technologies create an automatic exemption from notification (i.e., it assumes there is little risk when the data is encrypted).

This troubled USACM in two different respects. First, the creation of a risk-based standard for notification may not improve security practices. Clearly if there is a breach, regardless of the risk to consumers, a company’s security system should be hardened to deal with the vulnerabilities. If there are multiple breaches, then notification should be required. Second, just utilizing technology such as encryption doesn’t necessarily mean that the risk of identity theft is mitigated if there is a breach. From the USACM letter:

“We are concerned, however, that specifying technologies to mitigate risk without ensuring that these tools are part of a comprehensive system is problematic. If the goal is to prevent exposed data being used for identity theft, then the standard should address both the robustness of the technology used in the system and how it is implemented. Encryption or other techniques for obfuscating data are valuable security tools; however, without comprehensive security practices in place they are, by themselves, incomplete protection.

For example, reliance on encryption, particularly if it is not properly used, can create a false sense of security. Often this will lead to so-called “brittle” protections, where whole systems fail as a consequence of simple component failures. A company may use an Encrypting File System to store all its customers’ personal information. If an unauthorized user gained access to the system but not to the encryption keys, all of this information would be encoded and useless. However, if someone was able to compromise the account or accounts of authorized users on the system, the mere presence of encryption does not reduce the threat of identity theft. All the personal information on that server would now be available to the thief through his or her compromise of a password, which might equivalently compromise the decryption key.

We recommend that rather than relying on specific technologies, the test for a safe harbor should be whether personally identifiable information might be extracted or inferred from the data that is disclosed.”

While the bill is a mixed bag, it is still a step forward. The legislation will have to be reconciled against other bills moving through House Committees before it can come before the full House of Representatives for consideration. These bills include one by the House Banking Committee that we haven’t had the chance to analyze. The Senate bills are also still in play, so there is a long way to go before these are law.

Maryland’s Governor Endorses Paper-Ballot Voting Machines

The Washington Post reports that Maryland Governor Ehrlich (R-MD) wrote a letter to the Chairman of the State Board of Elections calling for the board to replace touch screen voting machines with optical scan machines. According to the Post, his letter states:

“Maryland’s lack of a paper trail means we are no longer a national leader in elections systems and that our equipment is susceptible to system failures,” the governor wrote in a letter to be delivered today to the chairman of the State Board of Elections. “It is inexcusable for us not to be prepared for a catastrophic system failure in the 2006 cycle.”

The Governor is endorsing legislation by Maryland House Member Sheila Hixon (D-Montgomery) that would require the state to lease optical scan systems for the next election. Her bill was approved by committee last week, but according to the Post its prospects in the Senate aren’t clear.

ACM issued a statement in 2004 calling for voting systems to have a physical (e.g., paper) record to verify that an individual’s vote has been accurately cast. That statement also called for all voting systems to “embody careful engineering, strong safeguards, and rigorous testing in both their design and operation.”

USACM Adds a Balanced Voice in the Copyright Wars

Let me apologize for not posting much lately. I can’t think of a busier time for ACM, USACM, and tech policy happenings generally, than over the past couple of weeks. So first let me catch up on some of the major happenings.

As I reported, ACM released its report on globalization of the IT software industry. The media attention has been tremendous, including stories in Newsweek, CNN, and a really great editorial in the New York Times. USACM also held its annual Executive Committee retreat last weekend; the newsletter (story #5) has a good summary. Two interesting bills were introduced last week. Senator Ron Wyden (D-OR) released his proposal (.pdf) on “Net Neutrality.” We previously covered the background on this issue here. Congressman Mike Ferguson (R-NJ) introduced an “audio flag” bill (more on this below). Finally, the whole competitiveness/innovation debate is really heating up, with the House Republicans throwing their hat into the ring, but with little emphasis on research. Peter at CRA has a good post about this interesting development.

So back to the subject of this post. The battles over copyright policy in Washington D.C. are nothing new, but the digitizing of copyrighted works and the ability to quickly and widely distribute protected works have raised the stakes in this debate. A large part of this debate, and ultimately the most interesting to USACM, is that those holding copyrighted works are increasingly turning toward technology to protect their works in the digital age. Often called “Digital Rights Management,” these technologies present two interesting questions to policy makers. One, how does technology help or undermine existing copyright policies? Two, if technologies employed in the marketplace cannot adequately protect works, or undermine existing fair uses of works, what role should policymakers have in stepping into this area and mandating how technology should perform?

To help guide policymakers’ thinking on this subject, below (here is the .pdf) are the policy recommendations that USACM has adopted on Digital Rights Management (DRM). The statement reflects USACM’s belief that DRM systems have a role in protecting against widespread infringement; however, it also reflects the community’s belief that long-standing legal uses of copyrighted works and consumer rights should be respected by policymakers wrestling with this issue.

Clearly the six principles below can be brought to bear on at least four bills Congress is currently reviewing. First, the so-called “analog hole” bill, which creates a federal mandate to prevent transferring digital content to analog and back to digital without whatever DRM is attached to the original work. Second, the “broadcast flag” bill (all we have is a draft proposal on this), which would mandate that digital receivers recognize a flag embedded in video signals with DRM. Third, the “audio flag” bill, which is similar to the broadcast flag bill but deals with digital audio broadcasts. Fourth, Representative Boucher’s (D-VA) Digital Media Consumers’ Rights Act of 2005, which among other things amends the Digital Millennium Copyright Act (DMCA) to allow for research into technological protection measures and circumvention of technology copy protection for “fair use” purposes, both of which are illegal today. USACM will now look to educate policymakers on how the principles below apply to their efforts.


ACM Washington Update, Vol. 10.2 (February 28, 2006)

CONTENTS

[1] Newsletter Highlights
[2] ACM Releases Major Report on the Globalization of Software
[3] USACM Releases Study on Voter Registration Databases
[4] Software Pioneer Peter Naur Wins ACM’s Turing Award
[5] USACM Executive Committee Gathers to Set Goals for the Year Ahead
[6] Cerf Cautions Congress on Internet Fast Lanes
[7] Upcoming Events
[8] About USACM

Software Pioneer Peter Naur Wins ACM’s Turing Award

ACM has named Peter Naur the winner of the 2005 A.M. Turing Award. The award is for Naur’s pioneering work on defining the Algol 60 programming language. Algol 60 is the model for many later programming languages, including those that are indispensable software engineering tools today. The Turing Award, considered the “Nobel Prize of Computing,” was first awarded in 1966 and is named for British mathematician Alan M. Turing.

Dr. Naur was editor in 1960 of the hugely influential “Report on the Algorithmic Language Algol 60.” He is recognized for the report’s elegance, uniformity and coherence, and credited as an important contributor to the language’s power and simplicity. The report made pioneering use of what later became known as Backus-Naur Form (BNF) to define the syntax of programs. BNF is now the standard way to define a computer language. Naur is also cited for his contribution to compiler design and to the art and practice of computer programming.

ACM will present the Turing Award at the annual ACM Awards Banquet on May 20, 2006, at the Westin St. Francis Hotel in San Francisco, CA. For more information on Dr. Naur and the Turing Award, see ACM’s official press release here.