by Jeffrey Barlow <barlowj@pacificu.edu>
When we think back to our use of the WWW and the Internet in the 1990s, it comes to seem the golden age of the web: almost no spam, a minimum of concerns for privacy, and theft of any sort was rare. All in all, our main problems seemed to be somehow acquiring the adequate bandwidth, storage, and memory with which to properly exploit the growing richness of the WWW. But recent back-to-back editorials on credit card theft [1], and a marked and continuing increase nationwide in related identity-theft crime, have made me very aware of a host of new problems.
Fraud on the Internet has become so widespread that Howard Beales, Director of the Federal Trade Commission's Board of Consumer Protection, recently discussed "Fighting Internet Fraud" live and online at the Washington Post. [2]
Mr. Beales began by discussing "phishing", a criminal practice much in the news recently as a 17-year-old California boy succeeded in luring AOL subscribers to a phony web site where many of them turned over personal data to the boy. Readers of a book we reviewed last issue (Mitnick, Kevin D., and William L. Simon, The Art of Deception: Controlling the Human Element of Security, Indianapolis, Indiana: Wiley Publishing, 2002) will recognize that phishing is not in fact a new crime at all, but is discussed in Mitnick's work. [3] In brief, it consists of luring consumers, usually by a notice seemingly from a firm with which they already have relations, such as their Internet Services Provider, that alleges problems with their account. The victim is then directed to a web page with a URL similar to the firm's real one, on which is mounted a page that graphically seems genuine. The victim is then asked to enter (within a secure environment, of course) personal data. This data is then used to construct false ID, credit cards, bank accounts, or any number of tools for further victimization.
In addition to discussing phishing, Mr. Beales gave a good summary of the current state of cybercrimes as they affect consumers. The primary source of complaints, according to Mr. Beales, is on-line auction house scams. As eBay is far and away the most successful online business, these sorts of scams are more than mere nuisances---they threaten a very vital element of e-commerce.
But the largest category of crime is ID theft---which, broadly defined, includes my own experience of having a credit card number stolen. Last year 161,000 victims reported similar crimes to the FTC.
The rapid increase in such crimes has spawned its opposite if you will, anti-ID theft businesses. One such firm, whose advertisements are cleverly placed at the bottom of the Washington Post's very useful pages on cybercrime [4], is www.equifax.com. Equifax offers two different levels of insurance for low monthly charges, intended to help you monitor your financial activities for suspicious signs, to insure you against loss, and apparently, assist you in contesting spurious charges.
Although Mr. Beales is obviously concerned about these crimes, and in his talk lists a number of sites where concerned consumers can take positive action, he shies away from suggesting a need for new legislation, and in general seems to emphasize the difficulty of legislative approaches, telling us that "cooperation is hard to mandate."
Others are more sanguine as to legislative approaches. California, for example, just enacted a law requiring a business
... that owns or licenses computerized data that includes personal information... to disclose in specified ways, any breach of the security of the data...to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. [5]
Senator Dianne Feinstein (D-Cal) then put into the federal legislative process a bill requiring similar legislation at the national level. [6] This then kicked off a flurry of lobbying activity in which e-transactions firms voiced some of the same arguments I had heard in attempting to run down the nature of my own credit card theft: that no one agency is really responsible, nor has full knowledge of a particular event, etc., etc.
From this discussion over the Feinstein bill I realized that I had been very lucky. My friendly local credit agency had no obligation under Oregon law (nor, apparently, that of any other state save California!) even to inform me that my credit card had been compromised. The need for something like the Feinstein bill seems to me to be obvious.
Until we get federal legislation protecting us against a variety of electronically distributed crimes we cannot have real confidence in the Internet. And by refusing to permit states or localities to tax electronic transactions the federal level has in effect claimed jurisdiction over the Internet. [7] An obvious place to begin is a law requiring that we be notified when databases containing our personal data are violated, and it is only sensible that the institution at which the violation occurred make this notification. In that manner, the consumer has a variety of recourses, if only to refuse to again do business with the firm whose security has failed.
Jeffrey Barlow
Editor, Interface
Footnotes:
[1] The first of these articles is at: http://bcis.pacificu.edu/journal/2003/04/edit.php; the second at: http://bcis.pacificu.edu/journal/2003/05/edit.php.
[2] See http://www.washingtonpost.com/ac2/wp-dyn/A29476-2003Jul22?language=printer
[3] For a discussion of the crime and how to avoid it, see the Privacy Rights Clearinghouse at: http://www.privacyrights.org/ar/phishing.htm. Readers of a book we reviewed last issue (Mitnick, Kevin D., and William L. Simon, The Art of Deception: Controlling the Human Element of Security, Indianapolis, Indiana: Wiley Publishing, 2002) would recognize that phishing is not in fact a new crime at all, but is discussed in Mitnick's work. See http://bcis.pacificu.edu/journal/2003/05/mitnick.php for the review.
[4] http://www.washingtonpost.com/wp-dyn/technology/techpolicy/cybercrime/
[5] See law at: http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
[6] See http://Feinstein.senate.gov/03Releases/datasecurityrelease.htm
[7] This ban ends on November 1, 2003. The Kiplinger Letter feels that it will be extended. The Kiplinger Letter, Vol 80, No 30. July 25, 2003. P. 3. "Taxes".