Another ISP Agreement with the NCMEC, and Some Details on How It Works

Two weeks ago, all the cable operators in the National Cable & Telecommunications Association agreed with the National Association of Attorneys General and the National Center for Missing and Exploited Children (NCMEC) to restrict access to child pornography using information provided by the NCMEC. This comes not long after Qwest announced plans to use the NCMEC list to block access to child pornography.

But are the cable operators really blocking access? The NCMEC press release suggests not:

Specifically, the cable companies have agreed to use NCMEC’s list of active websites identified as containing child pornography, to ensure that no such site is hosted on servers owned or controlled by those companies. The companies will also report these instances to NCMEC’s CyberTipline and where appropriate revise their policies around other potential sources of child pornography, such as, for example, newsgroups.

The agreement with NCMEC will provide cable broadband service providers with an invaluable source of information to help them enforce their terms of service, all of which forbid the hosting of such illegal materials on their servers.

So maybe this isn’t a new plan for an entire industry to block access to certain websites. It’s more of a takedown mechanism for sites controlled by cable ISPs (most of whom forbid users operating any servers on their cable connections, much less servers with child pornography): the NCMEC tells the cable operators if it sees a child pornography site on the cable network, and the cable operator takes it down.

That’s probably one reason why New York Attorney General Andrew Cuomo threatened Comcast with a lawsuit unless it agreed to block access to web sites and Usenet groups with child pornography.

Cuomo’s threat is troubling for a couple of reasons. First, the New York Attorney General may not have a good basis to threaten a lawsuit. It’s pretty clear that 42 U.S.C. § 230 (part of the Communications Decency Act) protects Comcast from any liability for content created by someone else but carried over its network. Second, this is the clearest example yet of a government entity going beyond merely suggesting that an ISP block Internet access based on content, to direct coercion under threat of lawsuit. The government “suggestions” raised state action questions; threat of legal action confirms them.

Comcast’s agreement is clearly the result of government action and should, I think, be subject to First Amendment requirements. We’ll see whether anyone steps up to challenge the agreement.

Published on July 29, 2008 at 11:35 am

The Six States Without Data Breach Notification Laws

Update, 7/23/09: Missouri passed a breach notification law on July 9, 2009.

Alaska has enacted a data breach notification law, making it the forty-fourth state (along with D.C. and Puerto Rico) to do so. Now that only six states remain, maybe instead of listing all the states with breach notification laws, we should just name the ones who for some reason haven’t done so:

  • Alabama
  • Kentucky
  • Mississippi
  • Missouri
  • New Mexico
  • South Dakota

States without data breach notification laws

Alabama and Missouri have at least considered breach notification bills. Alabama’s bill would also have incorporated PCI DSS requirements.

Published on July 23, 2008 at 5:40 pm

ISP Filtering: Where’s the Line?

Qwest has announced that it will block websites with child pornography, as determined by the National Center for Missing & Exploited Children. Qwest’s announcement comes on the heels of Time Warner and Verizon’s agreement with New York to remove the alt.* Usenet hierarchy from their servers.

Qwest’s plan is more troubling than the Time Warner and Verizon plan. Usenet is a shell of its former self, with more noise than content these days. Cutting off the alt.* hierarchy—even the overbroad step of removing all alt.* as opposed to alt.binaries.*—won’t really impact people who care about those groups. The impact is symbolic more than practical: another death knell for the old pre-commercial Internet some of us knew.

Removing Usenet groups is also an editorial decision. An ISP hosting newsgroups has to decide what newsgroups to carry, just as a library must choose which books to stock. An ISP could choose not to carry certain newsgroups because of disk space or bandwidth concerns. Given those concerns, the surprise is that Verizon and Time Warner were still carrying some of the alt.binaries.* groups until now.

Qwest, however, will be blocking traffic to third-party web sites. That’s a fundamentally different model than removing newsgroups. An ISP that controls what sites you may or may not visit is acting as a carrier, not a host, and in the U.S. we’ve grown accustomed to carriers forwarding all our communications regardless of content or destination. Sometimes that’s legally required because the letter carriers and phone companies are common carriers, who are required to carry traffic without preference. ISPs have successfully avoided that status.

One of the major questions in Qwest’s arrangement is the role of the National Center for Missing & Exploited Children. How accurate will its list of bad sites be? What are the criteria? Is any legal due process involved, or will it just be a list of sites the NCMEC decides have child pornography? Will there be an appeal process?

Derek Bambauer points out that the U.S. is gradually joining the list of countries that filter Internet access in some way. As Professor Bambauer says, we typically think of countries that filter the Internet as “bad” (e.g., China, Iran, etc.). If we want to avoid the U.S. also being a bad Internet filterer, we need to consider how much filtering is appropriate, if any. Some interesting edge cases come up in that analysis. Consider these two cases where some Internet blocking would be considered (by many) to be good:

Blocking offshore child porn servers. Law enforcement has limited ability to deal with servers hosted outside the U.S. Suppose the FBI finds a server with child pornography that’s hosted in a country not overly prone to cooperating with U.S. law enforcement. A court grants an injunction against the site. Should the FBI be able to tell the ISP to block all access to that site? What if a court hasn’t granted an injunction? What if it’s the NCMEC instead of the FBI? What if the site is text-only stories of underage sex? What if it’s text-only stories of consensual adult sex? At what point, procedurally, do we decide that blocking Internet traffic is okay?

Spam. It’s almost as hard to find someone in favor of spam as it is to find advocates for child pornography. Wouldn’t it be great if we could block spam at the source, or in the Internet backbone, before it ever reached a mailbox? But a lot of spam filtering is based on content (a lot of it isn’t—some techniques that would be useful at the ISP level involve checking that the claimed sender and source address are valid, which is more a matter of validating envelope information than content). If we take the position that all ISP content-filtering is bad, how can an ISP do anything about spam?

I don’t have any good answers to these. But I can suggest a few factors to include in the analysis:

How close to the edge is the filtering happening? In general, I think the closer the filtering is to the network edge, the more likely it is to be appropriate. If my local Internet provider blocks P2P traffic, I have other providers to choose from. If the handful of major backbone carriers all block P2P, I have no recourse. Consumers don’t have as much ISP choice as we did back when there were thousands of dial-up ISPs, but we do have some choice. We can avoid last-mile filtering, but backbone filtering catches everyone.

How much legal process is involved in the filtering decision? A court-ordered block has more legitimacy than one unilaterally declared by a private organization.

How transparent is the filtering decision process? This goes to some of the questions above. Can anyone see the list of blocked sites, or is it secret? Is there a process to remove oneself from the blocked list? If I can’t see the whole Internet, I’d like to know what it is I’m not allowed to see.

How much of the filtering decision is really government action in disguise? The First Amendment limits what the government can do directly to limit speech. But can the government suggest to ISPs that it would be very much in their interests to do things the government couldn’t force them to do? The recent FISA bill (now law) tells ISPs that even if what the government asks is illegal, Congress will bail them out anyway. The line between government action and private action is blurred when ISPs decide to limit information access by agreement with state Attorneys General.

We need to develop a policy that considers these factors. The alternative is ad-hoc filtering decisions based on least-common-denominator market forces and “suggestions” from government entities. If some form of ISP filtering is inevitable (and even desirable), we need to make sure that the filtering is as benign and transparent as possible.

Published on July 14, 2008 at 4:36 pm

Does Texas Really Require a PI License for Computer Repair?

According to some bloggers and news sources, a new Texas law requires all PC repair shops to get private investigator (PI) licenses. A group called the “Institute for Justice” has even filed a lawsuit based on that claim. These fears seem to rely on a drastically overbroad reading of the law.

The law, which amends the Private Security Act, expands the definition of an investigator to include anyone who does computer investigations. The key language is in Texas Occupations Code section 1702.104(b), which says that “[f]or purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.” Subsection (a)(1) lists investigation activities (e.g., criminal investigations, location/tracking investigations, finding lost or stolen property, etc.). In other words, if you do what we typically think of as an “investigation” (think Sam Spade), you have to get an investigator’s license, even if those investigations are of computers. The law is clearly aimed at computer forensics.

That’s not to say that the law is particularly well drafted to achieve that intent. The biggest problem is that “computer-based data not available to the public” is awfully vague. What does “not available to the public” mean, anyway? Is it just exempting anything that’s on a public web server?

The Texas Department of Public Safety’s opinions support the stricter interpretation. The DPS explains that if computer repair services “offer to perform investigative services, such as assisting a customer with solving a computer-related crime, they must be licensed as investigators.” Yes, some computer repair shops that offer forensic services will need PI licenses. But Texas doesn’t require a PI license to remove spyware or upgrade memory.

The DPS opinions also say that not all forensic work requires a PI license. First, it draws a distinction between forensics (which involves analysis) and mere data collection (for later analysis by others). Second, it notes that only certain information gathering makes one an “investigator.” If a forensic analyst gathers information not listed in section 1702.104(a)(1), then the analyst probably doesn’t need to be licensed as a PI. However, because the definition of “investigator” includes anyone gathering information about the “identity, . . . knowledge, . . . transactions, acts, reputation, or character of a person” and “the location, disposition, or recovery of lost or stolen property,” it seems that most computer forensic investigations would require licensing.

The DPS opinion also clarifies that network vulnerability testing firms don’t have to be licensed. There was some confusion on that point because the law uses the phrase “private security consultant.” The DPS opinion explains that as defined in the law, “security” means physical security. The law regulates security guards, locksmiths, alarm system companies, and private investigators, but not computer security consultants.

Post Process has informative and low-hype information about the Texas law.

Update:

Network Performance Daily has interviewed both State Rep. Joe Driver, who authored the bill, and Mike Miller of the Texas Institute for Justice. It’s worth reading for two different opinions of the same law.

Published on July 2, 2008 at 11:20 am