April 10, 2011 Salzburg, Austria - WOMBAT project

physiological, mental, economic, cultural, or social identity.[14] The Working Party reaffirmed its position that IP addresses are PII in a 2009 opinion:

    In this respect, it re-emphasises its earlier Opinion [Opinion 4/2007] that unless the service provider "is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side."[15]

The position was also noted in a June 2010 Working Party opinion concerning online behavioral advertising.[16]

The Article 29 Working Party has gone a step farther than contemplating IP addresses as PII. In the same 2007 opinion, the WP also discussed pseudonymised data, determining that:

    Retraceably pseudonymised data may be considered as information on individuals which are indirectly identifiable. Indeed, using a pseudonym means that it is possible to backtrack to the individual, so that the individual's identity can be discovered, but then only under predefined circumstances. In that case, although data protection rules apply, the risks at stake for the individuals with regard to the processing of such indirectly identifiable information will most often be low, so that the application of these rules will justifiably be more flexible than if information on directly identifiable individuals were processed.[17]

The EU's expansive definition of PII, coupled with the position that IP addresses are PII, presents a tough compliance issue for cyber security R&D and creates high barriers for international collaboration on cyber security R&D projects. The compliance risks on collaborative R&D projects need to be carefully evaluated, lest the researcher and his/her organization become ensnarled in a dispute with a national data protection authority, or worse, create a diplomatic issue between countries.

[14] EU Directive.
[15] Article 29 Working Party, Opinion 1/2009 on the proposals amending Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive), 00350/09/EN WP 159, Feb. 10, 2009, http://ec.europa.eu/justice/policies/privacy/workinggroup/wpdocs/2009_en.htm (emphasis in original).
[16] Article 29 Working Party, Opinion 2/2010 on online behavioural advertising, 00909/10/EN WP 171, June 22, 2010, http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf.
[17] WP 29 2007 Opinion at 18.

4. Botnet Research Legal Analysis

Botnet research brings several additional bodies of law into play, such as those pertaining to the protection of communications equipment, cybercrime, child pornography, privacy, breach notification, identity theft, spam, intellectual property, access device and wire fraud, torts, and contracts. For example, botnet research may involve various data elements, including the content of communications, PII, and sensitive information obtained through the compromised computer or victim. Researchers who allow botnets to run over live networks, especially if they have infiltrated them and are involved in command and control functions, may be deemed to be aiding and abetting activities that violate cybercrime laws or wilfully causing these acts to be done. Researchers who infiltrate a botnet and passively observe spam-related commands could be viewed by some enforcement authorities as aiding and abetting a crime. If the researchers change a link in a botnet's spam message to one under the researchers' control in the belief they are reducing harm, they are actually bringing more risk upon themselves and their organizations because they are actively involved in perpetrating an online fraud, directing a spam operation, and sending commercial email messages directed toward a site they control.

Researchers who establish websites that mimic those used by botnets may be infringing legitimate copyrights or removing or altering copyright management material, which could lead to suits by the legitimate owners of the work. These are but a few of the examples that the Botnet Legal Guide analyzes based upon research activities undertaken in the case studies. Since botnet legal analysis cannot be neatly broken into a set of questions and guided by decisional flowcharts, the Botnet Legal Guide sets forth a number of tables and charts to facilitate the process. One table lists the various research activities undertaken in the case studies, indicates the laws that may be triggered, and notes actions that the researcher may take to mitigate risks. Another table lists penalties associated with each of the laws. A Botnet Legal Research Template sets forth the key provisions of the laws and notes how the Tool Chest or Botnet Legal Guide may assist.

International Considerations

To complicate matters further, the laws of more than one jurisdiction may need to be considered, depending upon where the research is being performed and/or the jurisdictions that may be impacted. For example, botnet and malware research projects may involve communications sent by compromised computers around the globe, with drop zones located in multiple jurisdictions, domain names registered in several countries, and botmasters controlling the operations from more than one location. Given the global nature of botnet research, it is important to note that researchers based outside the United States may be subject to criminal penalties for violating domestic U.S. laws. Likewise, researchers in the U.S. might be subject to the extraterritorial reach of foreign laws. In the U.S., laws are generally applicable only within the United States; however, Congress has the authority to enforce its laws beyond the territorial boundaries of the United States.

For example, in 2001, as part of the USA PATRIOT Act, Congress amended the U.S. cybercrime law, the Computer Fraud and Abuse Act, to apply to a computer "which is used in interstate or foreign commerce, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States."[18] Thus, researchers who are conducting activities that may impact computers in another country may find themselves (a) the target of legal action or extradition by a foreign government for their actions that impacted the country's population, or (b) the target of a U.S. legal action for affecting a foreign computer involved in U.S. commerce. Without a specific statutory reach, the general rule for applying laws extraterritorially revolves around whether someone had the requisite minimum connection with persons in the other jurisdiction. For example, a website operator may be based outside the United States, but his activities may be said to fall within the U.S. if the website is accessed or intended to be accessed by a single person within the United States. The U.S. Supreme Court set forth this long-standing principle in International Shoe Co. v. Washington with its declaration that there must be "certain minimum contacts" with the jurisdiction so it does not offend "traditional notions of fair play and substantial justice."[19] Intention may also be a factor.[20]

[18] See 18 U.S.C. § 1030(e)(2)(B). Even prior to the 2001 amendment, however, at least one court held that the plain language of 18 U.S.C. § 1030 was a clear manifestation of congressional intent to apply that section extraterritorially. See United States v. Ivanov, 175 F.Supp.2d 367, 374-75 (D. Conn. 2001).
[19] International Shoe Co. v. State of Washington, 326 U.S. 310 (1945).
[20] "The intent to cause effects within the United States ... makes it reasonable to apply to persons outside United States territory a statute which is not extraterritorial in scope." United States v. Muench, 694 F.2d 28, 33 (2d Cir. 1982).

5. Relationship of Legal Analysis to Ethical Considerations

With little to guide them regarding the legal issues pertaining to botnet R&D, researchers have increasingly looked to whether their research was "ethical" or within accepted "principles" to determine whether specific activities would be acceptable conduct. Ethical determinations are frequently based upon whether (1) the benefits of the research outweigh any potential harms that may occur, or (2) the research activity is "doing no harm" (e.g., the activity would have occurred anyway by the bot). The problem with this analysis is that activities viewed as "beneficial" or "not harmful" are also assumed to be legal. Unfortunately, the laws are not administered and enforced through such a simple prism. Many activities that are considered by researchers to be ethical are, in fact, illegal.

For example, a researcher may justify infiltrating a botnet and allowing it to send spam because the spam would have been sent anyway, so no harm was done. Or, the researcher may justify changing links in the botnet's spam message to an innocuous site that he/she controls because it reduces harm to the person who otherwise would have received a malicious spam message. This reasoning seems logical, but it ignores the fact that sending the spam, especially with the researcher's involvement from its own system, violates anti-spamming laws and raises a number of other legal issues. The intent here is not to point fingers or blame researchers for conducting illegal research; until now, guidance has been limited. That said, the lack of legal consideration given most botnet research projects is deeply concerning and indicates a reluctance on the part of researchers to seek out competent legal assistance. This concern is compounded when researchers include questionable activities in their research simply because another research team has undertaken similar activities and concluded they were all right. In addition, these decisions seem to be made with complete disregard for jurisdictional differences in legal frameworks, such as between the U.S. and EU, even though researchers are analyzing botnets that span the globe and have hosts, drop zones, and victims scattered across various countries.

It is important to understand the connection between "ethical" and legal research. Generally, conduct that is illegal is not viewed as ethical. Numerous corporate codes of conduct prohibit conduct that is unlawful or inconsistent with their compliance requirements. Therefore, it is important that researchers first undertake a legal analysis of their project and, after ensuring that the research activities are within the bounds of the law, then proceed to examine ethical considerations.

6. Conclusion

The Tool Chest and Botnet Legal Guide are companion publications that provide the cyber security research community with a central repository of definitions, descriptions of the laws, worksheets, decisional frameworks, tables simplifying privacy provisions and penalties, and conclusions regarding how U.S. laws apply to datasets to be used in research projects and impact research activities. International considerations, especially with respect to privacy and cybercrime laws, present challenges for researchers that require careful analysis. The Tool Chest and Botnet Legal Guide offer a positive step toward helping researchers, IRBs, legal counsel and management better understand the legal issues associated with research projects and the data used in them. The need for collaboration between the legal and technical communities is great, particularly with respect to exploring the extraterritorial reach of laws and inconsistencies in legal frameworks. Researchers particularly need to better understand critical jurisdictional differences in the global legal framework for interception, privacy, and cybercrime.
Programs such as PREDICT that include the legal analysis of datasets that are offered to researchers help build confidence that data used in research efforts will not run afoul of the law, but they do not address the legality of the activities undertaken by researchers when using the data. The development of best practices with respect to certain research activities would make a significant difference toward encouraging legal conduct in R&D projects.
