April 10, 2011 Salzburg, Austria - WOMBAT project

Legal Issues Associated With Data Collection & Sharing

Jody R. Westby, Esq.*
Global Cyber Risk LLC
5125 MacArthur Blvd, NW; Third Floor
Washington, DC 20016 USA
+1.202.255.2700
westby@globalcycberrisk.com

Jody R. Westby © 2011.

1. The Problem

Cyber security researchers require various types of communications data for problem definition and testing, but they often lack access to such data, especially data that reflects current traffic patterns and threats. When researchers do obtain useful communications data, their organizations often restrict its use because the legal issues are complex and present significant risks to the organization and to the researcher. As a result, cyber security research and development (R&D) initiatives are hampered, the development of effective security solutions is thwarted or impeded, and some threats may go untested.

The PREDICT1 project, sponsored by the U.S. Department of Homeland Security (DHS) Science & Technology Directorate's Cyber Security R&D division, has tried to address this problem by making approved data sources available to cyber security researchers. The purpose of PREDICT is to help accelerate the advancement of network-based cyber defense research, product development, and evaluation by providing needed test datasets to the research community. PREDICT's operations include a comprehensive analysis of the legal and policy issues associated with each dataset, which gives researchers and their organizations more certainty that the datasets used in an R&D effort are clear of legal issues.

As cyber security R&D increases and attacks become more complex, organizations are becoming more concerned about the legal and policy considerations associated with R&D projects. Laws governing the interception, disclosure, and use of communications data are strict, yet confusing, and carry criminal penalties. Privacy laws are inconsistent, may apply to both packet headers and content, and present reputational risks as well as civil and/or criminal penalties. Finally, the complexity of research projects that investigate botnet operations spanning the globe raises a host of legal issues, and guidance for structuring projects around these legal landmines is scarce.

Recognizing that further work in this area was needed, DHS's Cyber Security R&D Division funded a project entitled "New Frameworks for Detecting and Minimizing Information Leakage in Anonymized Network Data." One goal of the project was to develop a tool that researchers and their organizations could use to analyze these legal and policy considerations and to understand the legal protective measures that could be used to better manage the risks associated with using communications data in cyber security R&D. The author developed the Legal & Policy Tool Chest for Cyber Security R&D (Tool Chest) to meet this goal.

The Tool Chest is a set of three documents that may be used both to analyze the legal and policy implications of using traffic data in cyber security R&D and to mitigate the identified risks:

1. Legal Analysis Tool on Obtaining & Using Network Communications Data (Legal Analysis Tool) focuses on obtaining, using, and disclosing intercepted and stored communications data.
2. Privacy Tool on Using Network Communications Data (Privacy Tool) focuses on the privacy legal considerations relevant to this data.
3. Protection Measures Tool contains sample contract clauses and memoranda of agreement that researchers and their organizations can use to mitigate legal risk.

The Tool Chest is not, however, intended to serve as a complete legal reference guide for cyber security R&D. Research activities pertaining to the detection and mitigation of botnets and other malware are often proactive and require some of the most complex legal analysis, because these activities can involve numerous bodies of law, including foreign laws and treaties. To date, there are few resources to help cyber security researchers, institutional review boards (IRBs), attorneys, and funding organizations determine whether a particular research project could violate laws or organizational policies, or the degree of risk involved. The author developed the Legal Guide on Cyber Security Research on Botnets (Botnet Legal Guide) to extend the Tool Chest's analysis and examine the myriad legal issues associated with this particular type of research. The Botnet Legal Guide also was funded by DHS's Cyber Security R&D Division and was developed as a component of a technical research project led by the Georgia Institute of Technology on "Countering Botnets: Anomaly-Based Detection, Comprehensive Analysis, and Efficient Mitigation." The Botnet Legal Guide is intended to be used as a companion to the Tool Chest.

Botnet research can invoke a number of laws beyond interception, stored communications, and privacy laws. The purpose of the Guide is to serve as a central resource and tool for the range of legal and policy issues associated with cyber security research on botnets, but it will also be useful in many other cyber security R&D projects where similar activities are undertaken. In developing the Botnet Legal Guide, nineteen case studies of botnet research projects were analyzed and specific research activities were identified. Laws that may apply to these research activities included cybercrime, intellectual property, child pornography, spam, breach notification, identity theft, access device and wire fraud, contract, and tort laws. The Botnet Legal Guide maps each R&D activity to the laws that may be applicable. Although it focuses on U.S. law, international legal issues also are discussed.

* Jody R. Westby is CEO of Global Cyber Risk LLC, located in Washington, DC. Ms. Westby also serves as Adjunct Distinguished Fellow to Carnegie Mellon CyLab. She chairs the American Bar Association's Privacy & Computer Crime Committee (Section of Science & Technology Law) and co-chairs the World Federation of Scientists' Permanent Monitoring Panel on Information Security. She is the author of the Legal & Policy Tool Chest for Cyber Security R&D and the Legal Guide to Cyber Security Research on Botnets. She has published four books on international issues pertaining to privacy, cybercrime, cyber security and enterprise security programs, as well as numerous articles and papers. She speaks globally on these topics.
1 PREDICT is an acronym for the Protected Repository for the Defense of Infrastructure Against Cyber Threats.

2. Fact Finding

Some initial fact-finding is a necessary precursor to the legal analysis process. It is important to determine:

• Who is the provider of the data?
  ◦ A provider of communications services "to the public," such as Verizon, AT&T, AOL, Earthlink, etc.?
  ◦ A private provider of service, such as a university Internet service provider, a nonprofit organization, or a private sector business?
  ◦ A government entity, such as an agency, department, or research entity?
• Who owns the data? Does the provider own the data, or did they get it from someone else, either directly or indirectly? Many individuals or even organizations may use a particular dataset, but use does not necessarily mean the user owns the data or may allow others to use it.2
• How was it obtained? Was the data obtained from stored communications or by real-time interception? If it was intercepted, who intercepted it? A provider? Law enforcement? A third party? The researcher?
• What are the data provider's privacy policies and operating procedures regarding the collection, handling, storage, retention, and disclosure of the data? What agreement does it have with its users?
• Who is the researcher? A student, private individual, private sector employee, or government employee?
• Who is the organization sponsoring the research, and who is the organization the researcher works for? A private company, university, national laboratory, non-profit organization, or government entity?
• What is contained in the data? Internet Protocol (IP) addresses? Full packet headers? Packet headers with Uniform Resource Locators (URLs)? URLs and/or content? Personally identifiable information (PII)? Sensitive content, such as medical or financial information or data pertaining to students or minors? Any special characteristics of the data, such as the anonymization of certain fields, the jurisdiction in which it was collected, the age of the data, etc., should be noted.

The Tool Chest provides a Decisional Framework Worksheet on which to enter the answers to the fact-finding questions.

2 See Marianne Swanson, Joan Hash, and Pauline Bowen, "Guide for Developing Security Plans for Federal Information Systems," Feb. 2006, at 5, http://csrc.nist.gov/publications/nistpubs.

3. Dataset Legal Analysis

Any discussion of legal issues applicable to communications data requires a precise taxonomy. For purposes of this paper, network communications data is assumed to consist of:

• Packet headers, which may contain IP addresses, port information, and the protocol used; and/or
• Communications content, which for purposes of this paper is taken to comprise:
  ◦ the transmission control protocol (TCP) stream that carries the actual content of the communication to the receiver;
  ◦ the IP Authentication Header (AH), the IPsec extension header used for integrity and data origin authentication of IP packets; and
  ◦ the actual content of the communication, which may include URLs, commonly referred to as links.

Hypertext Transfer Protocol (HTTP) request headers may contain the requested URL, which carries an expectation of privacy and may be considered by some to be content. Therefore, for purposes of this paper, HTTP packet headers are distinguished from the headers of other protocols (e.g., TCP, IP, User Datagram Protocol (UDP)) and are treated as content. This paper will refer to packet
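The taxonomy above draws its line at the end of the transport header: IP and TCP/UDP fields are "packet headers", while everything the transport layer carries, including an HTTP request line with its URL, is "content". The Python below is an added example and is not part of the paper, of PREDICT or of the Tool Chest. It parses a raw IPv4 packet, reports where that boundary falls in bytes, flags an HTTP request whose first line exposes a URL, and produces the header-only truncation a researcher would keep when only packet headers may be shared. HTTP is recognised from the payload rather than from port 80, because the categorisation turns on what the bytes contain. The packet it parses is constructed inline with documentation-range addresses (192.0.2.1, 198.51.100.7) and zero checksums; the function names are the example's own.

```python
import struct

# Request methods whose first line names the URL the user asked for.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def build_sample_packet(payload: bytes, proto: int = 6) -> bytes:
    """Constructed IPv4 packet (TCP by default, UDP if proto == 17) for the
    example; addresses are from the documentation ranges and checksums are 0."""
    if proto == 6:
        # TCP: sport, dport, seq, ack, data offset (5 words) << 4, flags PSH|ACK,
        # window, checksum, urgent pointer
        l4 = struct.pack("!HHIIBBHHH", 40123, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        # UDP: sport, dport, length, checksum
        l4 = struct.pack("!HHHH", 40123, 53, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + l4 + payload


def split_packet(pkt: bytes) -> dict:
    """Split a raw IPv4 packet at the end of the transport header: bytes before
    it are "packet headers" in the paper's sense, bytes after it are content."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("expected an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    pkt = pkt[:total_len]                       # drop link-layer padding, if any
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    header_end, ports = ihl, None
    if proto == 6 and len(pkt) >= ihl + 20:     # TCP: length from data offset
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
        header_end = ihl + (pkt[ihl + 12] >> 4) * 4
    elif proto == 17 and len(pkt) >= ihl + 8:   # UDP: fixed 8-byte header
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
        header_end = ihl + 8
    payload = pkt[header_end:]

    # Recognise HTTP by what the payload says, not by port 80: the paper's
    # categorisation turns on whether the bytes carry a URL.
    url = None
    if payload.startswith(HTTP_METHODS):
        parts = payload.split(b"\r\n", 1)[0].split(b" ")
        if len(parts) >= 2:
            url = parts[1].decode("ascii", "replace")
    return {
        "src": src, "dst": dst, "proto": proto, "ports": ports,
        "header": pkt[:header_end],     # IP + transport headers: "packet headers"
        "content": payload,             # everything the transport layer carries
        "http_url": url,                # set when the content exposes a URL
    }


def headers_only(pkt: bytes) -> bytes:
    """The copy a researcher could keep when only packet headers may be shared.
    Like a snap-length-limited capture, it leaves the IP total length untouched."""
    return split_packet(pkt)["header"]


if __name__ == "__main__":
    # Constructed request; the path is meant to look like the sensitive medical
    # content the fact-finding questions ask about.
    req = b"GET /patients/record?id=1 HTTP/1.1\r\nHost: example.test\r\n\r\n"
    info = split_packet(build_sample_packet(req))
    print(f'{info["src"]}:{info["ports"][0]} -> {info["dst"]}:{info["ports"][1]}')
    print(f'header bytes: {len(info["header"])}, content bytes: {len(info["content"])}')
    print(f'URL exposed in content: {info["http_url"]}')
```

Two points the code makes concrete: a packet with an empty payload (a bare TCP handshake segment, for instance) is header-only under this taxonomy and carries no URL, and the header-only truncation keeps the original IP total length field, so anyone consuming such a dataset must not trust that field for the captured byte count.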