Privacy And Surveillance

06/26/22 Copyright 2009 Sarah Cortes 1
Privacy Laws and Surveillance
Sarah Cortes, PMP, CISA
www.inmantechnologyIT.com
Sarah’s blog: SecurityWatch
Sarah’s ITtechEx column
twitter: SecuritySpy
LinkedIn: Sarah Cortes

description

A history of worldwide and US Privacy laws and concepts, review of cellphone surveillance technology

Transcript of Privacy And Surveillance

Page 1: Privacy And Surveillance


Privacy Laws and Surveillance

Sarah Cortes, PMP, CISA
www.inmantechnologyIT.com
Sarah’s blog: SecurityWatch
Sarah’s ITtechEx column
twitter: SecuritySpy
LinkedIn: Sarah Cortes

Page 2: Privacy And Surveillance


Agenda

Who are we? InmanTechnologyIT
Current Legal Overview
• Worldwide
• US
US Legal Summary
Historical Overview
• History of cellphone technology
• Origin of cellphone surveillance-1990s
• Cellphone surveillance categories
• Surveillance requests
Privacy concepts
Classifications
• Cellphone surveillance categories
CALEA
Timeline
California Laws
Massachusetts Law

Page 3: Privacy And Surveillance


Table of Contents

Who are we? InmanTechnologyIT
Current Legal Overview
• 6- Worldwide Overview
• 7- Legal History
• 8- US Legal overview
• 9- Recent US Legal Activity
• 10- US laws cited in Sen 773
• 11- US Legal summary 1, 2
• 13- Wiretapping vs. “Location technology”
• 14- History of US Wiretap laws/rulings 1, 2
• 16- 1998-2008 US Wiretaps Authorized
Cellphone surveillance
• 13- History of cellphone technology
• 14- Origin of cellphone surveillance-1990s
• 15- Cellphone surveillance categories
• 16- Surveillance requests
• 17- Cellphone location methods, 1, 2

Page 4: Privacy And Surveillance


Table of Contents

Specific Laws
• 19- CALEA
• 20- CALEA- ANSI / TIA J-STD-025
• 22- CALEA 2005-6 revisions
• 24- CALEA Extension to VoIP & ISPs
• 25- California Laws
• 26- Massachusetts Law
• 27- Legal Jurisdiction
• 28- High-profile data breaches
• 29- Calling in the Experts

Page 5: Privacy And Surveillance


Sarah Cortes, PMP, CISA

Clients:
• Harvard University
• Biogen
• Fidelity
Professional Associations:
• Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature
Practice expertise
• Complex Application Development/Implementation
• IT Security/Privacy/Risk Management/Audit Management
• Data Center Operations Management
• Disaster Recovery/High Availability
• Program/Project Management
Background
• SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
• As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
• Coordinated over 65 audits per year
• Previously ran major applications development for Trading/Analytics Systems

Page 6: Privacy And Surveillance


Worldwide Legal Overview

UK and 47 European States
• Article 8 of the European Convention on Human Rights
Canada
• Personal Information Protection and Electronic Documents Act 1995-2004
Australia: Privacy Act of 1988
US: Multiple Federal Laws in 14 categories; plus:
• Over 80 State of California Laws
• State of Massachusetts Law
• State of New Jersey Proposed Law
• California Law now followed by similar laws in more than 40 states

Page 7: Privacy And Surveillance


Legal History

Worldwide
• Universal Declaration of Human Rights
• UK – English Law and Prince Albert
US
• Brandeis-Warren
• Not explicit in US constitution
• Prosser – 4 areas
• Katz
• Griswold v. Connecticut
  Penumbras
• Roe v. Wade

Page 8: Privacy And Surveillance


US Legal Overview

Federal classifications:
• Health privacy laws
• Online privacy laws
• Financial privacy laws
• Communication privacy laws
• Information privacy laws
• Laws regarding privacy in one’s home
California classifications:
• Health Information Privacy
• Online Privacy
• Constitutional Right to Privacy
• Office of Privacy Protection
• General Privacy
• Identity Theft
• Unsolicited Commercial Communications

Page 9: Privacy And Surveillance


Recent US Legal Activity

5/5/09 – Sen. xxx- Information and Communications Enhancement (ICE) Act of 2009 – creates White House Cyber CISO
4/1/09 - Sen. 773 - Cybersecurity Act of 2009 – “kill-switch bill”
3/3/2009- Latest Revision of US Criminal Code, Title 18, Pt. I, Chap. 119, § 2511 – it is a federal crime to tap a phone – “Interception and disclosure of wire, oral, or electronic communications prohibited”
2/17/09- Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of American Recovery and Reinvestment Act of 2009

Page 10: Privacy And Surveillance


US Legal Summary, cited in Sen. 773 (Cybersecurity Act of 2009)

(1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa);
(2) the Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510 note);
(3) the Computer Security Act of 1987 (15 U.S.C. 271 et seq.; 40 U.S.C. 759);
(4) the Federal Information Security Management Act of 2002 (44 U.S.C. 3531 et seq.);
(5) the E-Government Act of 2002 (44 U.S.C. 9501 et seq.);
(6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et seq.)

Page 11: Privacy And Surveillance


US Legal Summary

Health privacy laws
• 1996-Health Insurance Portability and Accountability Act (HIPAA)
• 1974-The National Research Act
Financial privacy laws
• 1970-Bank Secrecy Act
• 1998-Federal Trade Commission
• 1999-Gramm-Leach-Bliley Act-GLB
• 2002-Sarbanes-Oxley Act-SOX
• 2003-Fair and Accurate Credit Transactions Act
Online privacy laws
• 1986-Electronic Communications Privacy Act-ECPA-pen registers
• 1986-Stored Communications Act-SCA

Page 12: Privacy And Surveillance


US Legal Summary (cont’d)

Communication privacy laws
• 1978-Foreign Intelligence Surveillance Act (FISA)
• 1984-Cable Communications Policy Act
• 1986-Electronic Communications Privacy Act (ECPA)
• 1994-Digital Telephony Act - Communications Assistance for Law Enforcement Act-“CALEA” 18 USC 2510-2522
• 2005-6 CALEA expansions
Education Privacy Laws
• 1974-Family Educational Rights and Privacy Act-FERPA
Information privacy laws
• 2001-US Patriot Act – expanded pen registers
Laws regarding privacy in the home
Other
• 2005-Privacy Act - sale of online PII data for marketing
• 1974-Privacy Act

Page 13: Privacy And Surveillance


Wiretapping vs. “Location technology”

Wiretapping- allowing simultaneous or recorded eavesdropping of actual conversations.
“Location technology” - use of a “pen register” or “trap-and-trace device” to identify the physical location of a device (cellphone) at an exact moment in time.
You can learn much more than you think simply by identifying “location.”
May, 2009 – Boston’s “craigslist killer” was identified by “location” technology.

Page 14: Privacy And Surveillance


History of US Wiretap laws/rulings

Wiretapping’s cool:
  1928-Olmstead v. United States, 277 U.S. 438; Dissented by privacy rock star Louis Brandeis and overruled by:
Not really, wiretapping violates 4th Amendment:
  1967-Katz v. United States, 389 U.S. 347, and
  1967-Berger v. New York, 388 U.S. 41
It is also a Federal Crime:
  1968-Omnibus Crime Control and Safe Streets Act of 1968
  1994-Digital Telephony Act - Communications Assistance for Law Enforcement Act-“CALEA” 18 USC 2510-2522
  1/3/2007-Latest CALEA version: Title 18 USC, Pt. I, Chap. 119, § 2511

Page 15: Privacy And Surveillance


History of US Wiretap laws/rulings

But if you’re the President it’s cool.
But if you’re the government and get a warrant, it’s Ok, too.
But even warrantless wiretapping is Ok too, if the target is a “foreign enemy.” Which means anybody, including us! Cool.
  1978-Foreign Intelligence Surveillance Act (FISA)
  1984-Cable Communications Policy Act
  1986-Electronic Communications Privacy Act (ECPA)
But actually, just kidding, now the government can wiretap anybody. But you can’t. Legally, that is.
  10/26/2001 – US Patriot Act – revised multiple laws
Technically, it’s easy and everybody knows how. Well lots of people do.

Page 16: Privacy And Surveillance


1998-2008 US Wiretaps Authorized

Table 7: Authorized Intercepts Granted Pursuant to 18 U.S.C. 2519 as Reported in Wiretap Reports for Calendar Years 1998 – 2008

Wiretap Report Date    Total authorized by year (reported through Dec 2008)
1998                   1,447
1999                   1,546
2000                   1,386
2001                   1,695
2002                   1,543
2003                   1,788
2004                   1,992
2005                   2,100
2006                   2,306
2007                   2,208
2008                   1,891

Page 17: Privacy And Surveillance


History of cellphone technology

1990s – cell companies started to transform communications
McCaw Cellular dominated carriers
McCaw Cellular sold to AT&T in 1994 for $11.4 billion
Craig McCaw was highest-paid CEO in the US
Criminals accounted for 70% of traffic

Page 18: Privacy And Surveillance


Origin of cellphone surveillance-1990s

Carriers originally tracked call initiation and termination to reimburse each other
Surveillance-capable technology was baked into telco equipment
Criminals accounted for 70% of cellular traffic, cloning analog cellphones
Earliest cellphone surveillance was carriers pinpointing the location of bandwidth thieves
Legendary hacker Kevin Mitnick was caught by law enforcement, using a cellular modem that was detected by “location-aware technologies” developed by the phone companies to fight fraud
Move from analog to digital left law enforcement without required equipment

Page 19: Privacy And Surveillance


Cellphone surveillance categories

Pen register-ECPA- subpoena w/o judicial review
Subscriber information-CALEA- subpoena w/o judicial review
Network “location” information-CALEA-cell towers, specific calls- requires judicial review
• Past - Historical data - Who was using a specific tower at a specific moment in time, or where was a particular customer during a specific timeframe. Covered by CALEA
• Present - Ping data - Network operators and some third-party providers are able to send a one-time ping to a phone to locate it at a specific time. Not covered by CALEA
• Future - Prospective data - By tracking phones over a long period of time, and mapping individuals' traffic, or larger traffic flows, it’s possible to predict where people are likely to be. Not covered by CALEA

Page 20: Privacy And Surveillance


Cellphone surveillance requests

All subscribers near a particular cell tower in a ten-minute period, hoping to locate witnesses to a drug transaction
Provider might sell location information to a jealous spouse as a “family finder” service
Information on a missing child - company ordered to ping a phone every 15 minutes for 24 hours
All phone numbers contacted by a mobile phone found in a container ship that contained counterfeit condoms: carriers refused
Google only responds to search warrants about location info
Totalitarian Governments tracking employees of human rights organizations: staff disassembles phones prior to attending meeting or going to certain locations
Egyptian government requested from Vodafone names of all who attended a certain event; Vodafone refused
State of Wisconsin asked Amazon to list everyone who bought a particular book; court sided with Amazon’s refusal
Carriers get 100 requests a week for location info
No recording or oversight of requests

Page 21: Privacy And Surveillance


Cellphone Location Methods, I

Localization-Based Systems (LBS)
• Network based
• Handset based (GPS)
• Hybrid
Network Based - Utilizes service provider's network infrastructure to identify handset location
Advantages: can be implemented non-intrusively, without affecting handset.
Challenges
• Accuracy varies
• cell identification-least accurate, triangulation-most accurate
• closely dependent on concentration of base station cells, urban environments achieve highest accuracy
• Requires working closely with service provider:
• entails the installation of hardware and software within the operator's infrastructure.
• Legislative framework, such as E911, required to compel service provider and safeguard privacy

Page 22: Privacy And Surveillance


Cellphone Location Methods, II

Handset Based - Requires installation of client software on handset
Determines location by:
• computing:
  Location by cell identification
  Signal strengths of the home and neighboring cells; or
  latitude and longitude, if the handset is equipped with a GPS module
• calculation then sent from the handset to a location server
Disadvantages: necessity of installing software on the handset.
• Requires the active cooperation of subscriber
• Requires software that can handle the different handset operating systems
• Typically, only smart phones, such as Symbian or Windows Mobile are capable
• Proposed work-around: manufacturer installs embedded hw/sw on handset
Challenges
• Convincing different manufacturers to cooperate on a common mechanism and to address cost issue, so no headway
• Address issue of foreign handsets roaming in the network

Page 23: Privacy And Surveillance


CALEA

Communications Assistance for Law Enforcement Act of 1994
established requirement that phone carriers must be able to perform some wiretapping functions
• actual functions defined by industry:
  Telecommunications Industry Association J-STD-025
• with input from law enforcement
operated by carriers, not law enforcement
does not limit what law enforcement can ask for in a subpoena
• CALEA is a floor not a ceiling
did not apply to “private networks” or “information services”
• the Internet was an “information service” in the eyes of Congress in 1994

Page 24: Privacy And Surveillance


CALEA- ANSI / TIA J-STD-025

Developed by Carrier Industry consortium of technical representatives over a 4-year period
Requires real-time delivery to law enforcement
• call ID information
  origin or dialed phone number, etc.
• actions
  dialing digits, call abandoned, call waiting toggling, etc.
• communication itself
Must not be detectable by subject
Over a dedicated circuit in a specific format

Page 25: Privacy And Surveillance


CALEA- ANSI / TIA J-STD-025

Technical requirements added after 1st version of J-STD-025
  provide content of subject-initiated conference calls
  identify active parties of a multiparty call
  provide all dialing and signaling information including use of features
  provide notification that a line is ringing or busy
  provide timing information to correlate call-identifying information with the call content
  provide digits dialed by a subject after the initial call

Page 26: Privacy And Surveillance


CALEA 2005-6 revisions

Aug 2005 & May 2006 FCC orders extended CALEA to “interconnected VoIP providers” and ISPs
• an “interconnected VoIP provider” provides VoIP service along with dial-out to PSTN and dial-in from PSTN
also covers connection between private network and Internet
implementation date 2007
justified under “substantial replacement” clause in original CALEA
• in court, 1st decision supported FCC - being appealed
• Most subsequent decisions, 40 out of 42, did not support government requests

Page 27: Privacy And Surveillance


CALEA Extension to VoIP & ISPs

Aug 2005 & May 2006 FCC orders extended CALEA to “interconnected VoIP providers” and ISPs
• an “interconnected VoIP provider” provides VoIP service along with dial-out to PSTN and dial-in from PSTN
also covers connection between private network and Internet
implementation date Mar 2007
• but no standards yet
justified under “substantial replacement” clause in original CALEA
• in court, 1st decision supported FCC - being appealed

Page 28: Privacy And Surveillance


California Law

• Over 80 separate laws in 7 categories, 3 additional laws currently pending
• California's groundbreaking 2002 security breach notification law was followed by similar laws in more than 40 states
• Enforcement path unclear for less clear categories of California resident
• Definition of “organizations doing business in the State of California” and “California resident” unclear
  • Anyone who stores data on a California resident?
  • Anyone who stores data on non-California residents on media located in California?
  • How can companies be sure if their records of non-California residents are correct? i.e. not covered
  • Covers temporary residents?
  • Can potentially cover any company doing business anywhere in the world

Page 29: Privacy And Surveillance


Massachusetts Law

• 8/2/2007 - Identity Theft Law, Massachusetts General Law Chapter 93H
• 9/19/2008 - 201 CMR 17.00 Standards for the Protection of Personal Information of Residents of the Commonwealth
• Consortium of industry technical representatives currently providing continuing commentary
• Original implementation date twice suspended
• Current implementation date January, 2010
• Enforcement path unclear for less clear categories of Massachusetts employees/consumers
• First law to require encryption for employee data (Nevada law required encryption for consumer data)
• Requires a training module in terms of the law
• Vendor management issues

Page 30: Privacy And Surveillance


Massachusetts Law Requirements

• Written information security program
• Passwords, encryption for laptops
• Risk assessments
• Security policies around records retention
• Policies and procedures to prevent terminated employees from gaining access
• Physical access control policies and procedures
• Security incident response policies
• Monitoring for unauthorized access
• Encryption of PII on laptops and other portable devices
• Encryption of PII data in transmission

Page 31: Privacy And Surveillance


Legal Jurisdiction

“This regulation applies to all businesses and other legal entities that own, license, collect, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”

Do these laws apply if you:
• Have employees in the state/country?
• Have customers in the state/country?
• Have neither, but traffic in data of Massachusetts residents?
• Store data physically in the state/country?
• How do you know if any of the above are true?
• Are a private individual, a non-profit or a government agency?
• Pay taxes in the state/country?

Page 32: Privacy And Surveillance


Legal Jurisdiction

Do these laws apply only:
• To data stored physically in the state/country? Probably not

Page 33: Privacy And Surveillance


High-profile data breaches

• 1/29/09 Department of Veterans Affairs agreed to pay $20 million to military personnel to settle a 2006 case involving the theft of a laptop from an employee's home that contained the unencrypted personal records of 26.5 million military veterans and their spouses.
• Massachusetts: TJX and BJ's Wholesale
• ChoicePoint Inc., the Atlanta-based provider of identification services for the insurance and real estate industries, revealed in March that criminals had gained unauthorized access to aggregated personal data of 145,000 people.

Page 34: Privacy And Surveillance


Calling in the Experts

Page 35: Privacy And Surveillance


Did you know….?

Seven out of ten attacks are from…