[IP] more on looks like IP may suffer also
Begin forwarded message:
From: Marc <marcaniballi@xxxxxxxxxxx>
Date: July 5, 2005 4:20:04 AM EDT
To: dave@xxxxxxxxxx
Subject: RE: [IP] looks like IP may suffer also
Dave, Declan;
//----- Start of conspiracy theory rant -----//
In the last 5 years, your lists (and, I'm sure, many others) have been strongly "lobbying" among their subscribers for awareness of the laws that are being passed on Capitol Hill. DMCA, Patriot, etc. In all cases, the analysts and pundits of these lists have pointed out valid and shocking problems with these "works."
Can anyone think of anyone who would like to see Politech, IP and their ilk go away?
How long could you keep a list running at $1000 / day in fines? And let's be realistic - while they are secured to a reasonable degree, mailing list databases are not full of credit card numbers! A talented and motivated attacker can get his hands on any listserve mailing list. Now, given that the "motivated attacker" can't be motivated by cash profit, what would motivate them to steal the Politech/IP mailing list?! (Executive directive?!)
And let's not forget the other "data" businesses out there! All manufacturing companies keep customer data, as do retail businesses and service businesses. Loyalty programs everywhere will be forced to change dramatically (or shut down) under this legislation! This new law could effectively allow a form of corporate extortion to be legally conducted by the state!
Isn't it amazing how many "other" headaches this administration attempts to cure in the resolution of a major issue! It seems that every time this administration has dealt with a major issue (9/11, P2P, etc.) it has also "introduced" legislation to increase executive power, reduce constitutional rights and eliminate/silence their opposition. How much more of this before words like fascism and totalitarianism start being used to describe the American system of government? By 2008, it may be too late to save the world's best democracy from itself.
//----- End of conspiracy theory rant -----//
Don't worry, be happy! (Fnord found in all US media)
Marc
-----Original Message-----
From: owner-ip@xxxxxxxxxxxxxx [mailto:owner-ip@xxxxxxxxxxxxxx] On Behalf Of David Farber
Sent: Monday, July 04, 2005 9:44 PM
To: Ip ip
Subject: [IP] looks like IP may suffer also
-----Original Message-----
From: politech-bounces@xxxxxxxxxxxxxxx [mailto:politech-bounces@xxxxxxxxxxxxxxx] On Behalf Of Declan McCullagh
Sent: Thursday, June 30, 2005 12:14 AM
To: politech@xxxxxxxxxxxxxxx
Subject: [Politech] Preliminary analysis of new Specter-Leahy data security bill: opinions? [priv]
It's worth taking a close look at the new Specter-Leahy security breach bill -- introduced Wednesday -- because it's the most comprehensive so far and the leading candidate to be enacted into law this year. It's even, at least in theory, going to be voted on in the Senate Judiciary committee on Thursday:
http://judiciary.senate.gov/meeting_notice.cfm?id=1555
The sections dealing with government use of databases seem generally useful (though some loopholes exist, like the requirement that a database is "primarily" of Americans before its use is covered -- look for the FBI to start inserting random Mexican names to get around the "primarily" requirement). So let's look at the private sector components.
Bear with me as we get a little technical here...
Title III of the bill erects a complex regulatory scheme around any "data broker." That's defined as a "business entity" that it's in the regular business of "collecting, transmitting, or otherwise providing personally identifiable information" of 5,000 or more people that are not "customers" or "employees." Business entity is defined as any organization, including a sole proprietorship, that's in the business of making money, or a non-profit group that isn't.
Well, Politech is a sole proprietorship -- I have some Google text ads on politechbot.com that make a princely $10-$15 or so a month. If they made more I wouldn't complain. And I'm pleased to say that the list includes over 5,000 subscribers.
Do I "collect[]" personal information? 18 USC 1028(d)(7) defines that as "any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual." Mailman gives subscribers the option of typing in their name, and obviously I have everyone's email addresses. 18 USC 1028(d)(7)(C) explicitly includes any "unique electronic identification number, address, or routing code" so that seems to cover e-mail.
So that makes me a highly-regulated "data broker" unless I can skate on some other technicality. Again, I'm arguably in the business of regularly "collecting" information from people who aren't "customers" -- you don't buy anything from me. Let's assume I can't escape the rule and continue this walk-through.
If I am indeed a data broker, what must I do?
* "Clearly and accurately" disclose all relevant "personal electronic records" (maintained for disclosure to third parties) about an individual if he or she asks me.
* "Develop and publish" a set of "procedures for correcting inaccurate information."
* Offer to "investigate" "free of charge" any discrepancies.
* Provide an opportunity to insert a "100 word" notice of any dispute.
If I don't, I can be sued and fined $1,000-$2,000 per violation per day.
Title IV of the bill is far more exhausting. Any "business entity" (that term again) including a sole proprietorship that collects, accesses, transmits, stores, or disposes of personal info in digital form on over 10,000 U.S. persons must create a "data privacy and security program." Well, there are over 10,000 Politech subscribers, and that's an even broader definition (no requirement that it be limited to non-customers or that the involvement be regular). So I'm likely covered. If that happens, I must:
* "Implement a comprehensive personal data privacy and security program"
* Create a "risk assessment" to "identify reasonably foreseeable" vulnerabilities
* "Assess the likelihood" of security breaches
* "Assess the sufficiency" of my policies to protect against them
* Protect information by encrypting it
* Publish the "terms of such program"
* Do "regular testing of key controls" to test security
* Select only superior "service providers" after doing "due diligence"
* Regularly "monitor, evaluate, and adjust" my security policies
If I don't, I can be fined up to $10,000 a day per violation.
Oh, and there's Title IV Subtitle B. It's pretty much the same
definition, and requires me to:
* In the case of a security breach of the Politech subscriber list, I must notify the U.S. Secret Service and the state attorney general.
* And I must notify individual subscribers
* And I must notify consumer reporting agencies
* For individual subscribers, I must notify via physical mail to home address, or if I can't, via telephone call to your home. There's no provision for e-mail contact. But if I don't follow those procedures I violate the law.
* I also must post this notice publicly on the Web and notify "major media outlets"
If I don't follow those rules, I can be fined up to $10,000 a day per violation -- and if I "willfully" conceal the security breach, I can be fined something like $250,000 and be imprisoned for up to five years.
I recognize that senators Specter and Leahy are trying to target ChoicePoint and Acxiom and so on. But their bill, as written, does not appear to be written to include just those data warehouses. And given that they've had months and (presumably) very bright people drafting it, that makes me worried.
In fact, the definitions could cover, for instance, news organizations (many news sites arguably provide personal information on thousands of people, and People magazine's Web site certainly does). How about popular blogs that have thousands of registered users? Search engines? Google's phone number finding service? Libraries? Email service providers? Alumni organizations for schools? Charities, like Golden Gate National Parks Association? What about universities, especially in terms of all the applications they get? Sweepstakes companies? I wonder if probable supporters of this bill -- like the ACLU and EPIC -- would enjoy having to follow all these complicated procedures (with the penalty of fines or prison terms if they don't).
I admit this is just my preliminary reading, but my sense is that these requirements will end up being another version of Sarbanes-Oxley, with the same destructive, wealth-eroding implications:
http://www.politechbot.com/2005/06/16/richard-rahn-on/
Perhaps I'm wrong. I'd welcome responses (and "don't worry, trust prosecutors' discretion" is not a useful one). If I'm right, how much harm will be done in the name of "protecting privacy?"
-Declan
---
News article:
http://news.com.com/2100-7348_3-5769156.html
Text of legislation (Leahy's floor statement is below):
http://i.i.com.com/cnwk.1d/pdf/ne/2005/Specter-Leahy.pdf
Additional background material:
http://www.politechbot.com/docs/leahy.floor.statement.062905.txt
http://www.politechbot.com/docs/specter.leahy.sections.062905.doc
http://www.politechbot.com/docs/specter.leahy.summary.062905.doc
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
-------------------------------------
You are subscribed as marcaniballi@xxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/