Is France’s Law the First to Penalize Open Wireless LANs?
November 18th, 2008
Ars Technica reported yesterday that a French court is allowing lawsuits to proceed against P2P software vendors under DADVSI copyright legislation. The article mentions as an aside that DADVSI requires people to “secure their own Internet connections, an apparent attempt to stop the ‘open WiFi defense’ from being trotted out in court.”
The “open WiFi defense” (more accurately, the open WLAN defense; “WiFi” is a trade name) takes advantage of the fact that MediaSentry (the RIAA’s investigators) can only trace file sharing to an IP address, not a particular user. Typically, the RIAA will file suit against the end user who had that address at the time. But if an open wireless network is behind that IP, the defendant can argue that someone else was sharing files. That strategy has worked in Denmark and Germany, where defendants won in court.
In the U.S., the open WLAN defense is more theory than fact. The RIAA has dropped cases against defendants who had open WLAN networks, but for multiple reasons. Teacher Tammie Marson, for example, had a wireless network, but also had in her house hundreds of student cheerleaders, any of whom could have accessed her computer. Francisco Zuleta had a wireless network too, but he also had a roommate, whose name matched the account name used in the file-sharing program. The defense didn’t work for Jammie Thomas, who claimed that if she had a wireless router, others could also have used it. That oddly hypothetical phrasing (“if” she used a wireless router? She doesn’t know?) and the RIAA’s expert testimony that the file-sharing traffic showed no evidence of a wireless router made the Thomas case a poor test case for the wireless defense.
The RIAA has argued that these defendants should still be vicariously liable. In the high-profile Capitol v. Foster case, the RIAA argued that the owner of an ISP connection should be responsible for any copyright infringement using that connection. If accepted, that would have made anyone with an open wireless network liable for any file sharing done on it. The court, however, rejected the RIAA’s theory of liability as “marginal and indisputably untested.”
Others have argued against open WLANs (or for liability for having an open wireless network). The FBI occasionally complains about open wireless networks, and the Department of Homeland Security has suggested that these networks should be regulated. India has considered making open WLANs illegal. The county of Westchester, N.Y. passed a law requiring businesses to secure their wireless networks, which effectively outlaws open business WLANs. And, of course, ISPs may forbid sharing a connection over open wireless, or even disconnect users who do.
France doesn’t look much like a trendsetter here—it still heavily regulates cryptography, for example, despite relaxing its laws in 1999—but as far as I’m aware this is the first case of a country passing a law that creates liability for running an open wireless network.
California’s Second Payment Card Bill Also Vetoed
October 1st, 2008
Governor Schwarzenegger vetoed California’s second attempt at a payment card law yesterday. Even though the bill passed by overwhelming margins, AB 1656 fell victim to one of Schwarzenegger’s record-setting 415 vetoes.
The bill did, however, escape the boilerplate veto message many bills got. Schwarzenegger again said that the marketplace did enough to protect consumers, and complained that the bill required notification even without evidence that the data had been misused:
As I stated in last year’s veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.
Clearly, the need to protect personal information is increasingly critical as routine commercial transactions are more and more exclusively accomplished through electronic means. However, by requiring notification even where no information was obtained improperly, this bill would likely result in significant costs to businesses and to the state. In addition, by locking in today’s best practices, AB 1656 would assure that the law remains static in the face of future, unseen concerns. Moreover, this bill would create a disincentive for businesses to adhere to new, more comprehensive, industry standards.
Existing law already contains a comprehensive penalty scheme for identity theft that details with great particularity the numerous ways in which it can occur, and imposes criminal sanctions. These provisions cover both identity thieves and retailers who are complicit in their crimes. If existing penalties are inadequate to properly deter would-be identity thieves, the proper response would be to enhance these penalties.
I’m not sure that the requirement for “notification even where no information was obtained improperly” is new in AB 1656. It adds requirements for what must be reported, but the criteria for notification are set in California Civil Code sections 1798.29(b) and 1798.82(b), which require notification if “personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” AB 1656 did not change this language. One might wonder what would have happened in 2002 to SB 1386 had Schwarzenegger, not Gray Davis, been governor.
It’s also arguable whether the marketplace alone does enough to dissuade data loss or compensate harms. One of the financial costs of large-scale credit card thefts is the issuing banks’ expenses in reissuing all those lost credit cards. Agreements between the issuers and card brands allow the issuers to reallocate losses, but these do not cover all an issuer’s costs. Although a recent appellate decision reopened the possibility of recovering under the third-party beneficiary contract theory, efforts of issuers to recoup their expenses have so far failed. That was part of the motivation for this bill.
Governor Schwarzenegger is on somewhat firmer ground when he points out the problems in legislating specific technical requirements. It’s a challenge the Minnesota payment card law faced with only partial success. Still, California’s bill didn’t seem to pose too many of the problems listed in the veto statement. It doesn’t get tied down to particular physical formats, or too-specifically define a PIN or verification code the way the Minnesota bill does. It applies to “payment-related data” and data from a “payment card or other payment-related device.” This is not the kind of language likely to require a legislative revisit each year.
This bill was a weakened version of a bill sent to Governor Schwarzenegger’s desk last year. Will the California legislature try again next year? The large margins by which AB 1656 passed—only four people in the California legislature voted against it—suggest that the legislature is very interested in updating its data breach law. But this veto raises the question: would Governor Schwarzenegger sign any version of this bill, no matter how weakened?
Chances of an override look slim—last year’s bill also passed by similarly large margins, well above the two-thirds majority needed to override a veto in California, but no override vote ever happened. With a record-setting 415 vetoes this year, AB 1656 probably won’t get enough attention for an override.
Better luck next year.
California’s Payment Card Bill Gets Another Chance
September 12th, 2008
In a previous post, I asked why Minnesota was still the only state with a PCI DSS law. California may be about to become state number two.
Last year, California’s legislature passed AB 779, but Governor Schwarzenegger vetoed it. Explaining his veto, Schwarzenegger said that the bill tried to legislate areas that were better left to industry self-regulation. He also complained about some definitional problems in the bill (for example, that the bill didn’t adequately define the “owner or licenser” of data).
The bill is back. AB 1656, amended to address some of Governor Schwarzenegger’s concerns, passed the California Senate 34-3 and the Assembly 74-1.
As with Minnesota’s law and the previous version of the California bill, this version would forbid storing full-track payment card data. This year’s bill includes a new exception for “the sole purpose of processing ongoing or recurring payments.”
But the biggest change is in card handlers’ liability. The amended bill creates liability for the cost of notifying customers:
SEC. 3. Section 1724.6 is added to the Civil Code, to read:
1724.6. Any person, business, or agency subject to Section 1724.4 required to give the notice described in subdivision (a) of Section 1724.5 shall be liable to the owner or licensee of the information for the actual costs of any consumer notification provided by the owner or licensee pursuant to Section 1798.29 or 1798.82.
Compare this to the old version of the bill, which allowed damages for the costs of notifying customers and for issuing new cards:
Sec. 2, § 1724.5
(d) (1) In addition, a person, business, or agency subject to Section 1724.4 shall be liable to the owner or licensee of the information for the reimbursement of all reasonable and actual costs of providing notice to consumers pursuant to the breach as required by subdivision (a) of Section 1798.29 or subdivision (a) of Section 1798.82 and for the reasonable and actual cost of card replacement as a result of the breach of the security of the system.
(Emphasis mine.)
The removal of damages for card replacement is a big concession to merchants. Replacing cards can be vastly more expensive than giving notice to consumers. Notice probably* won’t cost more than $250,000, because California’s breach notification law allows substitute notice if the cost of written or electronic notice would be more than that. But the cost of reissuing cards after a large breach can be huge. For example, TJX recently agreed to pay $65 million to card issuers as settlement for the cost of reissuing cards after its breach.
*I say “probably” because California’s data breach notification law says that notice may be given by substitute notice, but it doesn’t have to be. Could an issuer notify its customers in writing even though it would be allowed to give substitute notice, and still get the cost back as damages? Probably not (the loss avoidance doctrine would seem to apply here), but an issuer might successfully argue that substitute notice was inadequate for some reason.
Although Minnesota’s law came first, California is the trend setter. Its data breach notification law spurred a host of similar laws in other states, and some people think a California payment card law could do the same. If so, it will be interesting to watch whether these states follow the model of California’s bill, Minnesota’s, or some combination of the two.
Another “Gotcha!” Security Study
August 27th, 2008
Every now and then, we get a story telling us how gullible people are when it comes to security practices. We’ve been told that people will give away their passwords (or pretend to) for chocolate or cheap pens, and that they’ll use thumb drives they find lying in the streets. But how much do we actually learn from these studies?
The latest is a survey out of the UK, in which most respondents disclosed their income brackets even though they said they protect their income details. Aha! People say they care about privacy, but they really don’t! Gotcha!
But wait a moment. The survey asked if people protect income details, then asked for an income bracket. The former is specific, the latter is general. We could as easily make another “Gotcha!” survey that claimed people don’t really want their unlisted numbers protected because they give out their area codes.
Even ignoring the bracket/details distinction, we shouldn’t read too much into this survey. It’s easy to lie on an income bracket question. Internet users have become accustomed to web forms that require all fields to be filled out. Because not filling out a required field means seeing the page again—and sometimes having to re-enter all the fields on the page—it’s easier just to pretend to answer everything on the page. After a while, that sort of behavior can train us to fill out all fields by default. A proper study would need to check whether the reported salary bracket information is within a certain error margin of an expected salary distribution; that could help discover whether people are really divulging their salary brackets, or just making them up.
It would be a fundamental misunderstanding of privacy to draw a conclusion from this study that people don’t care as much about privacy as they claim. Daniel Solove’s privacy taxonomy shows that defining what privacy is is a slippery task, but it’s easier to say what privacy is not. Privacy is not keeping the world from knowing anything about me. It’s about my ability to decide for myself what to disclose and to whom.
It’s time to move past “Gotcha!” studies. If people trade their passwords for candy, or use strange thumb drives, or click through multiple warnings that they’re about to do something really bad, it’s not because the users are stupid. It’s because they’re people, and people have this odd habit of acting like people. The fault lies with those of us in the security and privacy world who haven’t figured out a way to make computer security adapt to people instead of the other way around.
Should Credit Card Issuers Reissue Cards Immediately After a Breach?
August 12th, 2008
What do you do when you lose a credit card? Hopefully, you call the issuing bank right after the card is lost. The bank cancels the old card and issues you a new one. In return for calling the bank right away, you’re not responsible for fraudulent credit card charges over $50 (at most). But what if someone loses 45 million credit cards? Should an issuing bank use the same process when millions of cards are lost as it does when only one is lost?
There are reasons to think they shouldn’t. Consider the TJX breach. TJX paid $65 million to card issuers as settlement for the issuers’ costs canceling and reissuing credit cards. The first TJX credit card ring, caught last year, is believed to have run up at least $8 million in fraudulent charges. Last week’s new indictments seek $20 million in forfeiture from Maksym Yastremskiy. The $20 million figure is not directly related to fraudulent charges (Yastremskiy made most of his money selling card numbers to others), and is not all directly traceable to TJX. But even if it were, compare the numbers: at least $65 million spent reissuing credit cards that were only used for about $28 million or so in fraudulent charges.
Would the issuers have been better off absorbing the fraud instead of reissuing cards?
When a single credit card is stolen, chances are high that the thief will try to use the card. But when millions of cards are stolen, the odds of any particular card being used fraudulently are lower. The TJX numbers suggest that instead of reissuing all the stolen cards, banks would have been better off by paying closer fraud monitoring attention to those cards, then canceling them when the banks see actual attempted misuse.
But I think it’s still a good idea for banks to cancel and reissue cards, at least in cases like TJX where obvious mischief was involved.
First, more money may have been lost than these numbers account for. If Yastremskiy made $20 million selling credit card numbers, the purchasers probably made more than that by using them (why spend money on a card number if you don’t think you can make more than that much back?).
Second, the losses may be “only” $28 million because the banks spent $65 million to cancel the cards. How many newly-invalid cards did the thieves try to use? Knowing that $28 million was lost doesn’t tell us how much would have been lost had the issuers not canceled cards.
But even if these numbers do show the whole picture, banks should still reissue credit cards stolen en masse. As Adam Shostack points out, data breaches aren’t all about identity theft. Nor are credit card breaches all about unauthorized charges. A credit card relies on trust. I trust that by using a piece of plastic with a number on it, the merchant and issuer will protect me from fraudulent charges that aren’t my fault. We as credit card users should be able to trust the system, and know with reasonable certainty that someone isn’t running around Estonia with our credit card numbers.
Reissuing credit cards lost in massive breaches may end up costing more than the resulting fraud, but that’s not entirely the point. The point is that when companies mishandle data, they should make things right.