Data Protection Tips for Proposed US Cybersecurity Laws

Uploaded on 2016-08-05 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

Proposed cybersecurity legislation is making business owners nervous – with good reason. These tips will help you be prepared no matter what US Congress does.

Is Washington waging a war on security technology? In April, U.S. Senators Richard Burr  and Dianne Feinstein introduced what became a highly controversial bill that -- if it were to be promulgated into law -- would effectively outlaw strong encryption.

By the end of it was thought the bill as good as dead in the water because of strong public opposition. This is potentially an overstatement. Despite a lack of support from their Senate colleagues, Burr and Feinstein have urged "patience" to Senate-watchers where the bill is concerned.

Proposed Cybersecurity Legislation

Meanwhile, Beltway insiders have reportedly indicated that there is substantial reluctance to go to battle against the technology industry in a presidential election year. Indeed, a separate legislative measure drafted by Senators Burr and John McCain (R-Ariz.) that would have made it easier for federal law enforcement to obtain the electronic communications data of private persons without worrying about pesky court orders or other due process measures was defeated late last month -- albeit narrowly.

With the Burr-Feinstein legislation on life support for now, an alternative bill -- introduced in both houses of the legislature, by Senator Mark Warner (D-Va.) and Representative Mike McCaul (R-Tex.) respectively -- has emerged as a possible compromise: The Digital Security Commission Act of 2016 is hailed by proponents as a measure that is far less "hasty" than the heavy-handed Burr-Feinstein bill.

The McCaul-Warner legislation would merely establish a commission -- made up of 16 people from across the public and private sectors -- who would study the issue of further encryption-related legislation and issue reports. Critics are skeptical, however, of the bill's ability to establish meaningful compromise.

Meanwhile, the FBI has been pushing for more electronic search-and-seizure leeway for quite some time. FBI Director James Comey has said that his top priority is to obtain the legal power necessary to be able to collect personal electronic communications data without obtaining a court order.

With all of this political posturing, cybersecurity- and privacy-minded companies should bear these three tips in mind to proactively keep their data safe -- regardless of which way the winds blow in Washington.

Look to California's Actions on Data Privacy

Are you considering founding a new company or relocating your current operations? Recent California legislation could potentially protect your company from law enforcers who may demand you break your own encryption or reverse-engineer your own products -- if your company is located within the state, that is.

On January 1, a California state law took effect banning the sale or use of voice data collected in that state via smart televisions or smart devices that connect to televisions (such as set-top boxes, DVRs, video-game consoles) for advertising purposes. The bill further bans any voice recognition operation by smart TVs "without prominently informing ... the user" (or, during installation, the user's designee). These measures resulted from lawsuits related to the alleged collection and improper use of consumer data by Vizio smart TVs.

More pertinently, however, a separate clause in the law protects California businesses from being compelled to modify their devices to assist law enforcement or other investigators. Undoubtedly this is a move to protect Silicon Valley and other California tech companies in the wake of the recent Apple-FBI encryption scuffle after December's terror attack in San Bernardino. 

Whether that part of the law will stand up against federal preemption is another story, but the California tech sector -- and those considering a move to California -- can at least take heart in knowing that their state government legally stands behind them when it comes to law enforcement-compelled reverse engineering and encryption breaking.

Business owners may want to encourage their own state legislatures to adopt similar measures. At the very least, you will want to keep informed about your own state's legislative efforts involving cybersecurity and data protection.

Consider a Warrant Canary

Certain types of federal law enforcement subpoenas and information requests -- such as National Security Letters, FISA court orders and the like -- are usually accompanied by a gag order, preventing the recipient from confirming or denying the existence of receipt of the subpoena or request (or, for that matter, the gag order). If the FBI gets its way, the federal government will enjoy even broader powers to issue broad information requests and bar speech about them.

The theory behind a warrant canary remains legally untested as of yet, but it goes like this: Regularly discuss and update your users, your customers and the public on the fact that you have not received any such demands or requests for information that are normally accompanied by a gag order. Thus when and if you do become subject to a gag order, your silence on the issue (and takedown or edit of the corresponding notice -- the "canary" -- on your website or in other communication) will at once be compliant and inform the world-at-large with a wink and a nod that Uncle Sam has his hand over your mouth.

Understand your risks with this legal theory, and be prepared to shell out for a lawyer if the day ever comes that you have to potentially kill your canary and face a government challenge in court. Still, the notion of the warrant canary bears consideration.(It has even picked up traction with the ACLU and the EFF.)

Use Dark Web for Good, Not Evil

While the vast majority of content on the Dark Web reportedly involves illegal, quasi-legal and/or otherwise unsavory activity, it also has legitimate purposes such as protecting whistleblowers.

In a recent "Ask Me Anything" session on Reddit, warrant-canary activist Nicholas Merrill noted that any organization can easily set up their own Dark Web version of a website, accessible via an onion browser like Tor. 

Mainstream services and websites, including Facebook and ProPublica, already have their own "hidden" Dark Web presences.(ProPublica even offers instructions on how to browse its site using Tor.)

"It would be a great thing if Reddit would set up a hidden-service version of their website," Merrill observed. Merrill also urged individual users to use hidden-service browsers for all of their web surfing activities so as to maintain their anonymity, whether or not they browse the Dark Web.

"There is nothing stopping you from accessing [a regular website like] Reddit using The Tor Project's Tor Browser and maintaining the anonymity of your IP address and geolocation," Merrill told Redditors. "In fact, it would relieve Reddit of some of the burden of protecting you if you would do so."

SecurityPlanet

 

 

« Key Trends In Machine Learning & Artificial Intelligence
The End Of Your Undivided Attention »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Flashpoint

Flashpoint

Flashpoint is a globally trusted leader in risk intelligence for organizations that demand the fastest, most comprehensive coverage of threatening activity on the internet.

Assured Information Security (AIS)

Assured Information Security (AIS)

AIS is committed to providing our customers with critical information security products, services, and training. We support diverse needs throughout business and industry.

Caulis

Caulis

Caulis FraudAlert is a cyber security solution. It can detect fraud and identity theft based on users’ online behaviour.

Oceania Cyber Security Centre (OCSC)

Oceania Cyber Security Centre (OCSC)

OCSC engages with government and industry to conduct research, develop training opportunities and build capacity for responding to current and emerging cyber security issues.

Lumu Technologies

Lumu Technologies

Lumu is a cybersecurity company that illuminates threats and attacks affecting enterprises worldwide.

Synamic Technologies

Synamic Technologies

Synamic Technologies was founded in 2018 as a start-up to automate cyber security processes. Our CISOSCOPE product automates vulnerability management, risk management and compliance.

AMSYS Innovative Solutions

AMSYS Innovative Solutions

AMSYS is a full-service, 24/7/365 IT solutions, Cybersecurity & Managed Service Provider.

Recon InfoSec

Recon InfoSec

The Recon InfoSec team includes analysts, architects, engineers, intrusion specialists, penetration testers, and operations experts.

Cyber Legion

Cyber Legion

Cyber Legion Ltd is a UK-based Cyber Security as a Service (CSaaS) start-up that provides IT security testing services to various organizations around the globe.

Prophaze Technologies

Prophaze Technologies

Prophaze enable organizations and SaaS providers to improve their web application cybersecurity and reduce costs through AI automation.

Association for Uncrewed Vehicle Systems International (AUVSI)

Association for Uncrewed Vehicle Systems International (AUVSI)

AUVSI is the world's largest nonprofit organization dedicated to the advancement of uncrewed systems and robotics. Focus areas include cyber security for uncrewed systems and robotics.

ZX Security

ZX Security

ZX Security is a New Zealand owned and operated cyber security consultancy.

Theos Cyber Solutions

Theos Cyber Solutions

Theos Cyber provides service-first cybersecurity solutions to digital businesses in Asia.

eMudhra

eMudhra

eMudhra is a leader in Identity and Transaction Management Solutions.

Knowit

Knowit

Knowit support customers in the digital transformation, simplify people’s everyday lives and create secure and innovative solutions enabling a sustainable future.

Synergy Quantum

Synergy Quantum

Synergy Quantum has pioneered a proprietary suite of military-grade, quantum-secure communication technologies.