Government agencies working to train their investigators to leverage data in social media

The Electronic Frontier Foundation (EFF) has published a set of documents detailing some of the ways that U.S. federal agencies collect information from social networking and other online sites in the course of law enforcement investigations. The documents posted include Justice Department training materials specifically on gathering evidence from social networking sites, preceded by a short memo that gives some context for the types of social networking behavior that might prompt such an investigation. The documents, which EFF obtained through a Freedom of Information Act request, are noteworthy in part for stipulations that government employees, including those doing the investigating, should not use government computers to access the sites in question. There may be a number of reasonable investigative justifications for using alternate-channel access, but the stipulation also calls to mind other areas in which the use of government equipment or facilities is prohibited for certain activities (such as the political activities covered under the Hatch Act), even though government employees are more or less free to conduct those same activities on their own time using their own non-government resources.

Online investigation methods used by law enforcement have received a lot of attention lately, especially in the wake of the publication of the Global Criminal Compliance Handbook leaked from Microsoft, which provides guidance and instructions to law enforcement authorities about the types of personal information Microsoft stores about users of its online services, how long it keeps that information, and how investigators can go about getting it. This was a particularly well-publicized example of the ways that major companies facilitate criminal investigations; laws in many countries require service providers in various industries to retain user information and make it available to authorized investigators on request, and the U.S. government has also expressed an interest in establishing such requirements where they do not already exist.

Efforts to combat illegal music downloads again raise privacy issues over IP addresses

For quite some time we’ve been following the development of the legal debate in both the European Community and the United States over whether IP addresses can be considered personally identifiable information, and therefore must be handled under personal information privacy laws. In general, the American and European judicial systems seem to be heading in opposite directions on this issue, with government officials and judges in some European countries stating publicly that IP addresses should be considered personal information because, at least some of the time, they can be used to identify individual computer users. Leaving aside the legal rules of evidence (on either side of the Atlantic), we need not resolve the question of whether an individual who owns a computer can be held accountable for actions traced to an IP address linked to that computer. The point is that some authorities have held that you can track an individual through an IP address, and in the European regulatory structure that puts the IP address within the scope of the Data Protection Directive (95/46/EC) and therefore severely restricts organizations’ collection and use of this information.

This topic is back in the European spotlight this week due to a legal case in Ireland, which involves a settlement that a group of record companies worked out with Irish telecommunications leader Eircom in an effort to combat illegal music downloads by Eircom customers. Eircom agreed to identify customers using their IP addresses and disclose those identities to the record companies. The practice has yet to be implemented due to concerns that such a disclosure would violate national and European Community data protection laws, so now the record companies are seeking a ruling from the High Court (which has jurisdiction over all civil and criminal matters in Ireland, subordinate in authority only to the Irish Supreme Court) on the data protection issues involved. The issue at hand is not so much whether IP addresses do or do not constitute individually identifiable information (the IP addresses are being used specifically for the purpose of identifying Eircom users by name) but whether the evidence of wrongdoing by users who download music illegally outweighs the privacy protection. To the extent this argument implicitly accepts the personally identifiable nature of IP addresses, it represents another salvo in the European debate over this issue. Less than a month ago a French court ruled that an IP address cannot be used to positively identify an individual, a legal opinion that, if applied to the Irish case, would make the current request moot, since it would cast doubt on the “evidence” against individuals accused of illegal uploads or downloads.

Concerns over privacy, data anonymity, lead Netflix to abandon contest on improving movie recommendations

In a move reported by the Wall Street Journal online, responding to concerns raised by the Federal Trade Commission and in the wake of a settled lawsuit, online movie rental powerhouse Netflix announced that it is canceling a second planned contest intended to help the company improve its movie recommendations to members. For the first contest, launched in 2006, which Netflix credits with improving its recommendation system by 10 percent, Netflix made available a database of member movie ratings, rating dates, and unique subscriber ID numbers, and had promised to add customer demographics such as age, gender, and zip code for the second iteration of the contest. The data were supposed to be sufficiently anonymized to protect Netflix member privacy, but University of Texas researchers Arvind Narayanan and Vitaly Shmatikov demonstrated that Netflix customers could be identified by comparing the member ratings in the Netflix-provided dataset with publicly posted ratings such as those on the Internet Movie Database website. Narayanan and Shmatikov published a paper describing the process they used to “re-identify” the anonymized Netflix customers in the dataset. One member, alleging that Netflix had caused her sexual orientation to become known, claimed in a class action lawsuit that Netflix had violated its own privacy policy with respect to guarding customers’ personal information. Such a claim (when it has merit) is usually sufficient to get the FTC involved, inasmuch as violations of stated privacy policies can be treated as unfair or deceptive practices, which are prohibited under Section 5 of the FTC Act. This case has broader implications beyond Netflix, of course, contributing as it does evidence in support of the argument that the anonymization of personal records can be reversed through correlation with third-party data.
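To make the correlation attack concrete, here is an added example (not code from the original post or from Narayanan and Shmatikov’s paper) that implements a simplified version of their scoreboard-and-eccentricity idea: each public profile is scored against every subscriber in an “anonymized” release by counting titles whose rating and date fall within a tolerance, rare titles are weighted more heavily than popular ones, and a match is declared only when the best candidate stands out from the rest. The two datasets, the ±1 star and ±14 day tolerances, the inverse-log weighting, and the minimum-score floor (added so that a single popular title cannot “identify” anyone in a dataset this small) are all assumptions chosen for illustration.

```python
"""Simplified linkage (re-identification) attack on an "anonymized" ratings release.

Added example, not code from the original post or from the Narayanan/Shmatikov
paper; all datasets, tolerances and thresholds below are assumptions for illustration.
"""
import math
from collections import Counter
from datetime import date
from statistics import pstdev

RATING_TOL = 1        # stars: ratings within this distance count as agreeing
DATE_TOL = 14         # days:  dates within this distance count as agreeing
ECC_THRESHOLD = 1.5   # how far the best candidate must stand out (assumption)
MIN_SCORE = 1.0       # floor so one popular title alone cannot identify anyone (assumption)

# Constructed "anonymized" release: subscriber id -> {title: (rating, rating date)}
ANON = {
    "sub-1001": {"A": (4, date(2005, 3, 1)),  "B": (5, date(2005, 3, 10)), "C": (3, date(2005, 4, 2))},
    "sub-1002": {"A": (5, date(2005, 1, 15)), "C": (3, date(2005, 4, 5)),  "D": (2, date(2005, 5, 20))},
    "sub-1003": {"A": (3, date(2005, 6, 30)), "D": (4, date(2005, 7, 1)),  "E": (1, date(2005, 8, 12))},
}

# Constructed public profiles (e.g. scraped from a review site), keyed by public name
PUBLIC = {
    "alice": {"A": (4, date(2005, 3, 3)),  "B": (4, date(2005, 3, 12)), "C": (3, date(2005, 4, 20))},
    "bob":   {"A": (5, date(2005, 1, 20)), "D": (2, date(2005, 5, 18))},
    "carol": {"A": (4, date(2005, 3, 5))},
    "dave":  {"A": (2, date(2005, 12, 1))},
}


def title_weights(release):
    """Inverse-log popularity: a title rated by few subscribers is more identifying."""
    support = Counter(title for ratings in release.values() for title in ratings)
    return {title: 1.0 / math.log(1 + n) for title, n in support.items()}


def similarity(anon_ratings, public_ratings, weights):
    """Weighted count of shared titles whose rating and date both agree within tolerance."""
    score = 0.0
    for title, (pub_rating, pub_date) in public_ratings.items():
        if title not in anon_ratings:
            continue
        rating, when = anon_ratings[title]
        if abs(rating - pub_rating) <= RATING_TOL and abs((when - pub_date).days) <= DATE_TOL:
            score += weights[title]
    return score


def scoreboard(public_ratings, release, weights):
    """Score every candidate subscriber in the release against one public profile."""
    return {sid: similarity(ratings, public_ratings, weights) for sid, ratings in release.items()}


def reidentify(public_ratings, release, weights):
    """Return (subscriber id, eccentricity) if exactly one candidate stands out, else None.

    Eccentricity = (best - second best) / standard deviation of all candidate scores.
    """
    scores = scoreboard(public_ratings, release, weights)
    ranked = sorted(scores.values(), reverse=True)
    if len(ranked) < 2 or ranked[0] < MIN_SCORE:
        return None
    spread = pstdev(ranked)
    if spread == 0:                      # every candidate scored the same: nothing to pick
        return None
    ecc = (ranked[0] - ranked[1]) / spread
    if ecc < ECC_THRESHOLD:
        return None
    return max(scores, key=scores.get), ecc


def link_all(public=PUBLIC, release=ANON):
    """Map each public name to its re-identified subscriber (or None)."""
    weights = title_weights(release)
    return {name: reidentify(ratings, release, weights) for name, ratings in public.items()}


if __name__ == "__main__":
    for name, result in link_all().items():
        print(f"{name:6s} -> {result}")
```

On this toy data alice links to sub-1001 (a popular title plus a rare one, both within tolerance even though her public rating of B differs by one star) and bob links to sub-1002; carol’s single popular title falls below the score floor and dave agrees with nobody, so both correctly return None. The real attack scales the same way: the more titles in a public profile and the rarer they are, the fewer candidates survive, which is why the paper found that a handful of ratings with approximate dates was enough to single out a subscriber.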

Health care entities need clear guidance on analyzing risk for meaningful use

There is but a single measure related to security and privacy in the “meaningful use” rules that will be used to determine the eligibility of health care providers to qualify for incentive payments for the adoption of electronic health record (EHR) technology. As currently stated in the Notice of Proposed Rulemaking published in the Federal Register in January, to demonstrate eligibility providers must “Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary.” The regulatory reference is to a requirement originally stated as one of the required administrative safeguards in the HIPAA Security Rule.

The fact that the privacy and security measure is already an obligation under HIPAA should in theory make this particular measure easy to satisfy for HIPAA-covered entities; the HIPAA Security Rule has been in force since April 2003, and the deadline for full compliance passed in April 2005 for most covered entities and in April 2006 for small health plans. Despite this requirement, however, not all healthcare organizations comply: the results of a 2009 security survey of 196 senior-level healthcare professionals conducted by the Healthcare Information and Management Systems Society (HIMSS) found that only 74 percent of these organizations actually perform risk analyses, and of those just over half (55 percent) do so at least annually.

If an organization does not conduct risk analyses, or does but is concerned that its process may not be sufficient to comply with meaningful use, what it most needs is guidance on just what is required, or what should be covered, in a risk analysis. The government tends to direct entities to guidance from NIST (specifically Special Publication 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule) and to CMS’ Security Rule Education Paper Series, especially number 6 in the series, Basics of Risk Analysis and Risk Management. Both of these rely heavily on another NIST document, Special Publication 800-30, Risk Management Guide for Information Technology Systems, for the overall process to be followed.

For those preferring to seek guidance outside the U.S. federal standards, the ISO/IEC 27000 series of international standards covers risk assessment and risk management for information systems, particularly in ISO/IEC 27005, Information Security Risk Management, and the risk assessment section of ISO/IEC 27002, Code of Practice for Information Security Management. Anyone looking to follow any of this guidance on risk management or performing risk analyses should be aware that substantially all of it is written with a focus on risk assessments of individual information systems, not on organizations overall. This limitation matters because the risk analysis requirement under the HIPAA Security Rule is not scoped to particular systems used by covered entities, but instead to the confidentiality, integrity, and availability of the protected health information itself, wherever it is stored, processed, or transmitted. Organizations looking for a more enterprise-level perspective on assessing and managing risk can find relevant guidance in ISO 31000, Risk Management—Principles and Guidelines, within major IT governance frameworks such as ISACA’s Risk IT Framework based on COBIT®, or in the Risk Management section of the Information Technology Infrastructure Library (ITIL®).

Recommended reading: clear analytical insights in a cluttered sea

With all the attention focused on privacy and security these days, any significant development or incident gets tremendous online coverage. This is at once a good thing and a terrible problem. We’ve noted before the difficulties in sorting through the sources of information available online, in particular the problems of determining the true state of events among conflicting published accounts, and also what can happen when misinformation propagates rapidly across the Internet. A notable recent example of this last issue was the widely circulated rumor of Supreme Court Chief Justice John Roberts’ imminent resignation, a bit of misinformation apparently originating in a Georgetown University law professor’s lecture, ironically on the subject of the reliability of anonymous sources.

In this environment it is therefore remarkable to find cogent, thoughtful, well-reasoned analysis of a high-profile event, incident, or trend. Today we have two to share, and we have Twitter to thank for bringing them to our attention. First, on the topic of the recent legal ruling in Italy finding three Google executives guilty of violating privacy laws: the public response to this case has been dominated by sentiments that the ruling represents a grave threat to freedom of expression on the Internet. In stark contrast comes an article from EPIC Executive Director Marc Rotenberg published through the Huffington Post (and brought to our attention by Bruce Schneier) that provides a clear and straightforward legal analysis of the law on which the decision was based, and highlights the logic of the legal arguments by comparing the Italian personal data protection law to the arguments that formed the basis for the earliest legal protections of the right to privacy in the U.S. In so doing, Rotenberg not only explains the entirely rational legal basis for the ruling, but also shows all the virtual hand-wringing about implications for ISP liability to be largely beside the point.

On another front, ever since Google’s public disclosure of the attacks against it in China and the ensuing speculation and allegations as to whether the attacks were state-sponsored, there has been a marked increase in attention on the concept of the advanced persistent threat (APT). Unfortunately, many of the people and organizations now talking about APT either do not seem to understand the concept, diminish its significance by incorrectly likening it to everyday security breaches, or simply use the fear, uncertainty, and doubt surrounding this class of threat to market their products and services, whether or not those have any bearing on the problem or its mitigation. Blogger and incident response expert Richard Bejtlich has been particularly vocal on this topic and especially incensed at its frequent mischaracterization, taking to Twitter to criticize or ridicule vendors and purported security experts who perpetuate these misconceptions. Against this backdrop comes a wonderfully accurate assessment of the whole APT issue from Sourcefire’s Matt Olney (who tweets as @kpyke), which came across our feed courtesy of Joel Esler, also of Sourcefire (creators of Snort and other intrusion detection and prevention tools). Olney’s post on the Sourcefire VRT blog is well worth a read.