German court overturns anti-terrorism data retention law

Today the Federal Constitutional Court of Germany struck down a law requiring telecommunications companies to retain individual user data on phone and Internet usage in case it is needed by law enforcement authorities in criminal investigations. The law was created in response to a European Union data retention directive (2006/24/EC), which obligated member states to store telecommunications data on citizens for at least six months, and to make the retained data available to law enforcement or other authorized officials. In its ruling, the German court decided that the interest in combating terrorism and protecting national security was outweighed by personal privacy and data protection rights, and concluded that the law as implemented is unconstitutional. The court’s ruling was lauded not just by privacy advocates and the thousands of German citizens who had petitioned to have the law overturned, but also by some German government officials, despite the fact that the ruling is a rebuke to a high-profile initiative implemented by the current administration. Peter Schaar, Germany’s Federal Commissioner for Data Protection and Freedom of Information and a member of the European Commission’s data protection working party, noted that despite the intention of the Data Retention Directive, as implemented the German law resulted in keeping “massive amounts of data about German citizens who pose no threat and are not suspects.”

This ruling provides a stark contrast to the efforts by lawmakers and senior justice officials in the previous and current administrations to enact laws that would require Internet service providers and other telecommunications companies to retain customer data. Both the House and Senate have drafted versions of the so-called Internet SAFETY Act, which is focused on curbing child exploitation but which requires, among other provisions, that electronic communication service providers retain user information for at least two years, with the aim of facilitating criminal investigations by law enforcement. When first introduced, the SAFETY Act raised an outcry among both privacy advocates and computer users because of a possible interpretation of the law’s definition of “electronic communication service provider” under which any home user whose network configuration allowed more than one computer to connect to the Internet might be subject to the data retention requirement. That debate notwithstanding, customer data retention is now an issue on which companies like Google, Yahoo!, and Microsoft — all of whom vigorously defend their practices of retaining Internet search data, IP addresses, and other user information — are simultaneously urged by the FTC and other regulators to store less personal information about users and for less time, while Congress and the Justice Department would seem to prefer that they collect and hold even more data for longer periods of time, just in case it could help in a future investigation. Addressing the RSA conference this week, FBI Director Robert Mueller echoed the theme of private sector organizations doing more to cooperate with the government.

On a somewhat less publicized front, major service providers in the U.S. already have processes and procedures in place designed to assist law enforcement investigations. In the wake of the disclosure of the Google attacks in China in January, security guru Bruce Schneier suggested that the attacks were facilitated by backdoor access to Google’s systems that is in place to allow eavesdropping by government officials. Less than two weeks ago, a minor stir erupted when an allegedly leaked “Global Criminal Compliance Handbook” was published online, detailing procedures by which law enforcement could obtain access to data Microsoft retains on the users of its online services, such as Hotmail, MSN, and Windows Live. The document also includes information about the specific data elements that are stored and the retention period for those data. The document was posted online, then withdrawn ostensibly at Microsoft’s insistence, then surfaced again, and is now readily accessible to Internet searchers seeking it. Microsoft has noted in its public comments following the disclosure of the document that it has the same obligation as all service providers to support authorized requests for information from law enforcement and to facilitate criminal investigations, so while Microsoft’s guidelines may be garnering the most attention at the moment, it seems likely that comparable policies and procedures are in place at most if not all online service providers.

It’s hard to determine system security requirements in the absence of solution architecture

In the health IT arena, a lot of energy is currently focused on measures, criteria, and standards with which health care providers and other entities can demonstrate “meaningful use” of electronic health record (EHR) systems and thereby qualify for reimbursement and other financial incentives for adopting EHR technology, under a Recovery Act-funded program administered by CMS. In an interim final rule (IFR) released on December 30 that took effect on February 12, the Office of the National Coordinator (ONC), working through the Health IT Standards Committee (an advisory body also created by a provision of the Recovery Act), published a set of functional criteria and associated standards to be used to certify that EHR modules and systems can support meaningful use. As expected, much of the commentary submitted to the Standards Committee on the security-specific criteria and standards in the IFR focuses on establishing the appropriate level of specificity for functional criteria, and on when it makes sense to require the use of specific technical standards. In many ways the consideration of EHR systems in isolation mirrors the information system-centric approach to security favored by the federal government, and to the extent that the criteria in the rule will be used as a product certification checklist, this may be appropriate. However, when considering functional and technical requirements related to the way organizations using EHR technology will exchange information, it is essential to include the environmental context in which the systems operate, in order to assign requirements to the appropriate components in the overall solution.

As a case in point, at a meeting on February 24 the Privacy and Security Workgroup of the Health IT Standards Committee identified in its comments and recommendations on the IFR what the workgroup calls a “critical gap” in the criteria and standards, because they do not address the need to authenticate the end points of the secure communication channels that an organization using an EHR system must use to exchange information with other entities. At first glance it might make sense to require the EHR system to offer this capability, but when considering a typical point-to-point integration architecture between two entities, it is not that likely that the EHR system itself will serve as one of the end points in the transmission. What is far more typical is that any information to be exchanged will be transmitted through an integration gateway, adapter, application server, or even web server, depending on the type of information exchange being implemented. For instance, the service specifications for the Nationwide Health Information Network (NHIN), which include the required use of a mutually authenticated secure communication channel, presume the use of intermediary communication components such as the government-produced Connect open-source gateway software, to which internal entity systems would be integrated and which handle functions like establishing TLS sessions with information exchange partners, generating identification and authentication assertions, and applying digital signatures using entity-specific X.509 certificates issued to NHIN participating entities. An internal medical record keeping system in the sort of NHIN-connected scenario envisioned by ONC would not directly connect with any external systems at all, so there would be no need for the EHR system to be able to establish a secure communication channel on its own.
Of course, there are many potential ways to implement health information exchange that don’t involve the NHIN, but the point is that any required certification criteria that will be used in part to determine eligibility for EHR incentives should match the functional capabilities that EHR systems will need in typical implementation scenarios, not in the abstract.
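To make the end-point authentication requirement concrete, here is an added example (not code from the original post, the NHIN specifications, or the Connect project) showing the kind of mutually authenticated TLS session a gateway would establish on behalf of an internal system. A throwaway private CA issues certificates to a “gateway” and a “partner” (the names exchange-ca.example, gateway.example and partner.example are constructed for the example); the gateway side requires and verifies a client certificate, the partner side verifies the gateway’s name, and a connection that presents no client certificate is rejected. Both sides are built on the Go standard library only, so the program runs offline.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var serial int64 // constructed: simple monotonic serial numbers for the toy CA

// issue returns a 24-hour ECDSA certificate for cn. With ca == nil the result is a
// self-signed CA; otherwise it is an end-entity certificate signed by ca that is
// valid for both server and client authentication.
func issue(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // name the peer will be checked against
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	parent, signer := ca, caKey
	if ca == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, signer = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Exchange runs one mutually authenticated TLS connection between a "partner"
// client and a "gateway" server that trust the same private CA. The gateway
// demands a client certificate and greets the client by the authenticated name;
// the client verifies the gateway's certificate against the expected host name.
// With presentClientCert == false the gateway rejects the connection.
func Exchange(presentClientCert bool) (string, error) {
	ca, caKey, err := issue("exchange-ca.example", nil, nil)
	if err != nil {
		return "", err
	}
	gw, gwKey, err := issue("gateway.example", ca, caKey)
	if err != nil {
		return "", err
	}
	partner, partnerKey, err := issue("partner.example", ca, caKey)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	srvCfg := &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{gw.Raw}, PrivateKey: gwKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mutual TLS
		ClientCAs:    pool,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()

	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			return // unauthenticated peer: nothing is ever sent to it
		}
		peer := tc.ConnectionState().PeerCertificates[0]
		fmt.Fprintf(tc, "hello %s\n", peer.Subject.CommonName)
	}()

	cliCfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    pool,
		ServerName: "gateway.example", // must match a SAN in the gateway certificate
	}
	if presentClientCert {
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{partner.Raw}, PrivateKey: partnerKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	// Under TLS 1.3 the gateway's rejection of a missing client certificate
	// surfaces on the first read rather than in Dial, so both paths are checked.
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(line), nil
}

func main() {
	greeting, err := Exchange(true)
	fmt.Println(greeting, err)
	_, err = Exchange(false)
	fmt.Println("without client certificate:", err)
}
```

The point of the example for the certification debate is where the key material lives: the gateway holds the entity certificate and performs the handshake, while whatever sits behind it (the EHR system in the NHIN scenario) never touches the external channel. In a real deployment the private CA would be replaced by the certificates issued to participating entities, and the gateway would additionally check the peer’s identity against the list of exchange partners it is authorized to talk to.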

French court rules IP addresses are not personal data

In something of a departure from a trend in some European countries towards treating IP addresses as personally identifiable information, a French appeals court last week determined that an IP address could not be used to positively identify an individual computer user. The case reached the appellate level over the question of whether prior authorization to collect IP addresses was needed from the National Commission for Information Technologies and Civil Liberties (CNIL), as the French Data Protection Act requires before personal data is processed. One interesting aspect of the ruling is that the French appellate court in this case and German, British, and other European data protection officials are considering exactly the same issue but arriving at opposite conclusions. The opinions hinge on the question of whether an IP address can be used to uniquely identify an individual computer user. The French court said that it cannot, while in cases in other EU countries authorities have cited circumstances such as the use of static IP addresses assigned by some ISPs to conclude that at least some of the time an IP address can be unequivocally linked to a single person. Even in the case of static IP addresses, there is a big leap between conclusively identifying a computer (the machine) and identifying the users operating the computer. If the intention is to hold the computer owner responsible for all possible actions performed using his or her property, there would seem to be little support for such an approach under current law. With a technically knowledgeable lawyer, you would also expect to see arguments questioning even conclusive identification of the computer, given how easily media access control (MAC) addresses can be spoofed, not to mention IP addresses.

Italian ruling against Google highlights US – EU divide on privacy

The recent ruling by an Italian court against three Google executives, finding them criminally liable for violating Italian privacy law by allowing a video to be posted on the YouTube predecessor Google Video, has been widely criticized in the U.S. and abroad not only for the precedent the court is apparently trying to set (holding hosting companies liable for the actions of the service’s users), but also for the way the ruling appears to run contrary to existing European law. Regardless of the specific legal wrangling over the case or its pending appeal, the fact that the ruling came down the way it did at all is yet another illustration of the fundamental differences in the way privacy is viewed in European countries as compared to the U.S. As simply and accurately stated by Google’s own legal personnel, the crux of the difference is that in Europe privacy is considered a human-dignity right, while in the U.S. it is treated as a consumer-protection right, particularly in the way privacy is legally protected. Privacy is explicitly enumerated in the European Convention on Human Rights, Article 8 of which states “Everyone has the right to respect for his private and family life, his home and his correspondence.” There is no such right in the U.S. Constitution, so in American jurisprudence the idea that privacy is a fundamental right rests on precedents established through a long series of rulings on other matters that collectively serve to establish a right to privacy.

Boeing’s Airborne Laser Testbed realizing a vision seen on screen 25 years ago

On February 11, aerospace giant Boeing, leading a team including Northrop Grumman and Lockheed Martin working for the U.S. Missile Defense Agency, successfully completed the first air-to-air demonstration of the Airborne Laser Testbed (ALTB) by destroying a missile in flight. As seen in live video, the ALTB combined a high-powered chemical laser with sophisticated optics and advanced targeting and tracking systems, all carried in a specially modified 747, resulting in the ability to lock on to a target liquid-propelled missile in its boost phase and hit it with a laser powerful enough to incinerate it. As remarkable as this technical achievement may be on its own, it is also a validation of a concept envisioned more than 30 years ago, when the first chemical oxygen iodine laser was demonstrated in 1977. Those of us of a certain generation may quickly recall similarities between this real-world demonstration and the plot of the 1985 movie Real Genius, a comedy starring Val Kilmer that told the story of a group of college students at a fictional high-tech institution who, despite various distractions, manage to build a multi-megawatt chemical laser of exactly the same type used in the ALTB. In the movie, the students are unwittingly furnishing all the components of an airborne laser ostensibly desired by the military to allow the vaporization of virtually any target from the air. Such a chemical laser has also been envisioned for possible use in space-based missile defense systems. In the film the aircraft carrying the laser is a B-1 bomber instead of a 747, but the rest of the details are remarkably similar to the actual ALTB system. We note with some irony that in a previous test of the system a ground-based target was successfully destroyed from the ALTB in flight — a scenario virtually identical to the demonstration planned in the movie for the laser the students have built.
In retrospect, it appears the producers of the film should get some extra credit for the thoroughness of their research into the science it portrays.