July 4, 2005 6:00 AM PDT

Perspective: The coming Web security woes

Our esteemed leaders in the U.S. Congress are vowing to enact new laws targeting data thieves, backup-tape burglars and other information-age miscreants.

We should be worried.

Any reasonable person, of course, should agree that such thefts must be punished and data warehouses should let us know if our information falls into the hands of criminals.

But a bill announced last week by Sens. Arlen Specter, R-Penn., and Patrick Leahy, D-Vt., goes far beyond reasonable data security precautions. It amounts to a crackdown on individuals, bloggers and legitimate e-mail list moderators.

Anyone who runs a Web site with registered users and receives income from it (Blogads and Google Ads count) should be concerned. The Specter-Leahy bill says that if that site's list of user IDs or e-mail addresses is compromised, each registered user must be notified via U.S. mail or telephone. Refusal to do so can be punished with $55,000-a-day fines and prison time of up to five years.

That's remarkable but not as extreme as the second requirement: The Web master or mailing list operator might have to "cover the cost" of 12 monthly credit reports for each person whose e-mail address was lost or purloined.

For a popular site with 10,000 registered users, that would be a princely sum. If monthly credit reports cost $15 a person, that's $1.8 million over a year.

Sure, it's annoying if your e-mail address ends up in the hands of a spammer, but there's no connection to identity fraud. Independent Web site owners should not be bankrupted by making them cough up that kind of cash: The penalty is unrelated to any harm.

James Maule, who maintains the Maule family genealogy site, worries he might be at risk of hefty fines. Maule, a law professor at Villanova University, says he hasn't found an exception in the bill to let his genealogy database off the hook: "I have more than 10,000 names, of whom many are dead."

Other sections of the proposed law, called the Personal Data Privacy and Security Act, are highly rigid.

For example, anyone running an ad-supported Web site or mailing list with 10,000 or more registered users must "implement a comprehensive personal data privacy and security program," create a "risk assessment" to "identify reasonably foreseeable" vulnerabilities, "assess the likelihood" of security breaches, "assess the sufficiency" of policies to protect against them, publish the "terms of such program," do "regular testing of key controls" to test security, select only superior "service providers" after doing "due diligence," and regularly "monitor, evaluate and adjust" security policies.

Law of unintended consequences
Specter and Leahy probably intended to target large businesses that employ teams of corporate lawyers and would view this as just more government paperwork. Unfortunately, though, that's not what their proposed law actually says.

Tracy Schmaler, a Leahy spokeswoman, said that the bill could be changed before a final vote. "We don't want to place any undue limitations on mailing lists, Web sites, and so on," Schmaler said. "The intent of this is not to make listservs or bloggers pay for credit reports."

Perhaps the problems with this bill can be fixed. But I'm starting to think that any similar effort will suffer from similar problems--it'll be overly regulatory and not aimed at actual wrongdoing. Many state proposals fall into that trap.

Politicians don't like to admit this because it makes for fewer press conferences, but sometimes new laws aren't the answer. Take Bank of America's embarrassing loss of a backup tape--which happened even though the company was subject to the detailed security regulations of the Gramm-Leach-Bliley Act.

An alternative might be to rely on a general-purpose rule that punishes negligence. Courts are already moving in that direction--at least if appellate decisions in New Hampshire and Michigan are any indications.

That approach would make for fewer Senate press conferences, true, but the end result might make a lot more sense.

Biography
Declan McCullagh is CNET News.com's chief political correspondent. He spent more than a decade in Washington, D.C., chronicling the busy intersection between technology and politics. Previously, he was the Washington bureau chief for Wired News, and a reporter for Time.com, Time magazine and HotWired. McCullagh has taught journalism at American University and been an adjunct professor at Case Western University.


20 comments

A law that's well overdue.
There's really only one argument that needs to be made in favour of this law - don't lose my personal information and you'll be fine. It doesn't threaten online businesses, only ones who are careless or try to cut corners on security.

Hire a security expert, do your due diligence, and you won't have to worry about this law - because you won't lose my personal info.
Posted by Slap_Shot_12 (3 comments )
That
That is like saying, hire a security system provider and put two dead-bolts on your door and you are guaranteed to never have a theft from your office. No matter how hard you try, there will always be the possibility of data theft.
Posted by (2 comments )
wakeup!
You better wake up! This is just one more way to erode your freedoms! More laws that they will never be able to enforce. They will just end up moving these businesses to third world countries where these laws will not affect them. They will only affect people in this country. WAKE UP!
Posted by leeman (6 comments )
Data security isn't the answer
Data banks will never be totally secure. Data security must be
supplemented by some other approaches.

1. The data kept should be minimized. There is no reason why,
because I paid a merchant once with my credit card, he should
forever keep that credit card number. There is really no reason
to keep it once the transaction is completed. Similarly, there is
little reason for him to keep my name, address, email or
anything else about me unless I specifically say I want to receive
ads from him.

2. The value of stolen data must be minimized. I should be able
to "turn off" my credit reports so that they are flagged as not
being good for authorizing credit until I turn them back on.
Then, my personal information such as name and social security
number become almost worthless to identity thieves.

3. My credit cards should be protected by some sort of bio-data
such as a fingerprint. This does not require a central registry of
fingerprints -- just encode it on the back of the card and check
it against the presenter's fingerprint when it is used.

These things aren't rocket science. The fact is, nobody -- least
of all Congress -- is interested in effective action. They just
want their publicity. Frankly, I don't think any of them are really
very bright.
Posted by (7 comments )
fingerprint analysis is not simple
My comment to #3 is: Are you going to train the checkout
operator to become an expert fingerprint analyst? The thought that
the local checkout casual is given the power to accept or reject my
card on the basis of a fingerprint absolutely frightens me. It is bad
enough for him/her to act as an expert handwriting analyst.
Posted by Bogsanyi (3 comments )
Another Not So Well Planned Out Law
Have you ever wondered where our elected officials come up with these brilliant laws?

I have worked with government agencies in the past, and our nation's lawmakers are the most inferior intellectuals when it comes to information technology, but yet they are the ones making the laws. Before making laws that can cripple technology, maybe we should also elect 2 information technology professionals from every state. These professionals would be responsible for performing an impact analysis of a proposed law.

Something to think about: how come our nation's lawmakers never developed a law that impacts the selling of insecure code? As individuals we spend thousands on insecure software every year, and corporations spend billions for the same insecure code.
Posted by SecurityNympho (3 comments )
The spectre of Specter...
It seems that Penn. Sen. Specter is determined to sign on with every screwball piece of legislation that comes down the pike. He recently offered up a bill that would shut down the NOAA's national weather service broadcast (essential for aviation and navigation) and only allow it to be disseminated by private radio stations that buy it (information produced by publicly-owned satellites, buoys, and personnel). This last bill has generated a storm of opposition among members of the venerable organization BoatUS (the AAA of recreational boating) and is making Specter's name a household epithet far outside his district. We'll see if Specter will be haunting us with his silly, empty, ill-considered offerings after the mid-term election next year (he's up for re-election)...
Posted by Razzl (1317 comments )
It isn't that they aren't bright....
The comments about how clever the pols are about computer technology are beside the point. As the original writer pointed out, the whole object of these exercises in "law"making is to issue press releases, get on the news, and claim "credit" for "doing something" about the "problem" (even if they've identified the wrong problem, are making it worse, and won't accept the blame when that becomes clear--or try to fix things either). It's the nearsighted political process, not the intelligence -- they are perfectly intelligent when it comes to knowing how to game this system.

Every time a politician wades into an issue like this, clarify things by asking yourself if the situation will be improved by *politicizing* the issue. Because that's all they're doing--politicizing it--not solving it, not addressing it, not making things better, not expressing the nation's concern.... This article has it exactly right--the Spectre(sic) law will only harm the little guy and not fix a thing.
--Mac McCarthy
Posted by mcwong2000 (7 comments )