http://www.usatoday.com/money/industries/technology/2005-04-11-net-law-cover_x.htm

By Jon Swartz
USA TODAY
4/11/2005

SAN FRANCISCO - Federal and state lawmakers, compelled by headlines of a computer-crime wave, are scrambling to introduce bills that would tighten cybersecurity and make it easier for prosecutors to file charges and impose stiffer penalties.

Digital thieves have rarely been so audacious. Data breaches at ChoicePoint, LexisNexis, the University of California and elsewhere, in which the personal records of thousands of Americans were pinched, underscore the brazen tactics of criminals marauding like gunslingers on a lawless Internet, security experts say.

At least a dozen federal and state bills covering privacy protection, phishing and spyware have been introduced on Capitol Hill and in state capitals this year.

The bills are designed to staunch consumer losses. Identification theft cost consumers, banks and credit card companies $11.7 billion through the 12 months ended in April 2004, says researcher Gartner. Phishing scams, fraudulent e-mails or Web sites that trick computer users into surrendering personal information, burned U.S. consumers for $500 million in the 12-month period ended September 2004, says researcher Ponemon Institute. Damages from spyware, software that quietly monitors the activities of Internet users: More than $200 million to U.S. consumers last year, Ponemon says.

"The large number of bills, unfortunately, reflects the dark side of the Internet," says Harris Miller, president of the Information Technology Association of America, a non-profit that represents 400 tech companies.

But computer-security experts doubt the legislative outbreak will change matters. They contend prospective bills often are watered down to appease lobbyists and can't always be enforced by overtaxed law enforcement.
On top of that, corporations are reluctant to share sensitive data in investigations, and offshore criminals are outside the reach of the law. Several fear a repeat of the federal Can-Spam law, which outlaws unsolicited commercial e-mail but has done little to curb spam.

"When it gets down to the nitty-gritty, Congress rarely passes strong consumer-protection measures, primarily because of industry influence," says Beth Givens, director of Privacy Rights Clearinghouse. "To quote Shakespeare, this is 'Full of sound and fury, signifying nothing.' "

Computer-security experts already blame fuzzy national laws that do not specifically ban spyware, phishing and other digital misdeeds.

"Legislation is reactive. There are harsher penalties, yes, but nothing that would help prevent identity theft," says Judith Collins, a criminal justice professor at Michigan State University.

Limited tools

Hacking laws exist, but as computer crimes become more sophisticated so, too, must the laws, lawmakers and prosecutors say.

"New laws are about making it easier for prosecutors to bring harsh, specific charges," says Deborah Thoren-Peden, an Internet lawyer in Los Angeles. "It raises awareness for the public and risk for criminals."

For now, authorities are limited in the laws they cite in computer-crime cases, Internet lawyers say. The Computer Fraud and Abuse Act, a 1986 law most recently amended in 2001, makes it a crime to access a computer without authorization. Common trespass law can apply to phishing scams and computer viruses.

Federal law doesn't impose security measures on companies outside of financial services and health care to protect private information, says Internet lawyer Edward Naughton.

Most companies prefer it that way. They don't want to be regulated out of concern it will be costly to shore up computer defenses and give investigators access to sensitive data. Instead, they advocate self-regulation and tighter security.
With high-profile computer crimes on the rise, and consumers clamoring for protection, the tech and financial industries may have no choice, Naughton and privacy experts say.

The raft of legislation covers:

* Privacy protection. A bill from Sen. Dianne Feinstein, D-Calif., would require federal agencies and companies conducting interstate commerce to notify customers when their private data are compromised. The bill, based on a similar law in California, may include a requirement that all commercially stored data be encrypted.

Even then, a federal-notification requirement may not be enough to appease lawmakers and privacy experts, who oppose the sale of Social Security numbers without an individual's consent.

FTC Chairman Deborah Platt Majoras says there are legitimate purposes for obtaining a Social Security number without the individual's knowledge, including fraud investigations and law enforcement.

Meanwhile, Sen. Bill Nelson, D-Fla., and Rep. Ed Markey, D-Mass., last month introduced legislation that would expand the powers of the FTC to oversee data brokers as it does companies that handle medical and financial records.

Sen. Jon Corzine, D-N.J., also plans to file a bill that would help create federal data-protection standards and require CEOs or chief compliance officers to show that their companies comply with the rules.

Still, broad privacy legislation faces a tough battle on Capitol Hill, where data brokers have strong lobbyists such as Akin Gump Strauss Hauer & Feld. The law firm was paid $160,000 by ChoicePoint in the first six months of 2004 and $280,000 in 2002 and 2003 to influence lawmakers, public documents show.

Information brokers have "an enormous number of (lobbyists) canvassing the Hill with inside connections and massive campaign contributions," says Ed Mierzwinski, consumer program director for the U.S. Public Interest Research Group. "Privacy advocates do not have nearly the resources."

* Spyware.
Lobbying efforts may also undercut anti-spyware legislation from Rep. Mary Bono, R-Calif. Her bill, currently in the House, would raise fines against spyware purveyors to up to $3 million per infraction. Yet privacy advocates complain it exempts software cookies, a coded piece of information stored on a computer that identifies the computer during visits to a Web site, and embedded ads on Web pages from an earlier version, rendering it less effective.

Another bill, introduced in late March by Sens. Conrad Burns, R-Mont., and Ron Wyden, D-Ore., prohibits the surreptitious installation of spyware programs. The FTC would be charged with enforcing the law, though state attorneys general would also be authorized to bring actions. It, too, exempts cookies.

To strengthen federal law, states routinely craft bills that come down hard on violators who victimize residents. Bills in Michigan, Nebraska and Georgia would make it illegal to install spyware on the computers of state residents without their permission, and would delegate who is responsible for enforcement — a common shortcoming of federal law. Utah signed a bill into law in March.

* Phishing. The Anti-Phishing Act, sponsored by Sen. Patrick Leahy, D-Vt., would impose jail terms up to five years and fines up to $250,000 for phishing. The bill protects free speech related to parody and politics online. More important, it allows law-enforcement officials to stop phishing schemes before the bad guys use stolen data, says phishing expert Dave Jevans.

The national bill comes on the heels of state bills in Texas, Virginia, Rhode Island and elsewhere.

An overriding worry with phishing bills — as with any computer-security-related proposal — is that too many could lead to legislative inflation.

"How many ways can you make phishing illegal? There are at least five laws already," says Ari Schwartz, associate director at the Center for Democracy & Technology. "And they're not enforced."
Making it work

Despite the wave of bills, no matter how well researched and written, they are only as effective as enforced by police. Foreign governments often ignore U.S. law or fail to help their American counterparts.

"We could add a million new laws, but you need to follow through," says Internet lawyer Pete Wellborn, who wrote the anti-spyware legislation in Georgia. "Unfortunately, there are more bad guys than good guys."

Law enforcement is the "perennial question," adds Robert Holleyman, CEO of Business Software Alliance, a trade group that represents two dozen of the largest tech companies. "At the end of the day, we need adequate resources to track down and convict criminals. That means additional resources for the FTC and Justice Department."

The Department of Justice declined comment.

The federal Can-Spam law offers a cautionary tale on what some new bills might face. Anti-spam activists contend the much-ballyhooed law actually increases spam because of the way it is worded. It requires recipients to opt out of unwanted commercial e-mail by contacting each sender instead of forcing senders to get opt-in permission. The law also pre-empts parts of tougher state laws, including a California opt-in requirement.

Can-Spam bars citizens from suing spammers, allowing only state attorneys general or Internet service providers to file civil suits.

Backers of Can-Spam counter that ISPs such as Microsoft, America Online and EarthLink have taken advantage of the law to file dozens of successful lawsuits against spammers.

Ultimately, the fate of the computer-security bills depends on the conflicting interests of politicians, lobbyists, tech companies and law enforcement.

"It's all about striking a balance between punishing the bad elements and minimally intruding on the good actors," Holleyman says. "And that isn't easy."