Leading Internet Engineers Agree to Upgrade Standards to Improve Internet Privacy and Security

IETF Chair Blog
http://www.ietf.org/blog/2013/11/strengthening-the-internet/
IETF Technical Plenary Video archive
http://www.ietf.org/live/
IETF Technical Plenary Consensus report
http://www.ietf.org/mail-archive/web/ietf/current/msg83857.html

LEADING INTERNET ENGINEERS AGREE TO UPGRADE STANDARDS TO IMPROVE INTERNET PRIVACY AND SECURITY

IETF reaches broad consensus to improve the security of Internet protocols to respond to pervasive surveillance

VANCOUVER, British Columbia–(BUSINESS WIRE)– Internet security has been a focus this week for the more than 1100 engineers and technologists from around the world gathered at the 88th meeting of the Internet Engineering Task Force (IETF). As the Internet’s premier standards organization responsible for developing the foundation of services and technologies used billions of times every day, IETF participants are rethinking approaches to security across a wide range of technical areas.
“Ensuring the global Internet is a trusted platform for billions of users is a core and ongoing concern for the IETF community. Discussions over the past few months, including many in the more than 100 working group sessions this week, are carefully and systematically reviewing Internet security and exploring ways to improve privacy and other aspects of security for different applications,” said Jari Arkko, Chair of the IETF. “Internet security has many facets, and the IETF is focused on ensuring that the technical Internet protocols that it develops provide a strong foundation for privacy and security.”
“The Internet has been turned into a giant surveillance machine,” said Bruce Schneier, who spoke at the meeting’s technical plenary. “This is not just about any particular country or individual action. We need to work broadly to fix the problems of today and tomorrow.”
“At the IETF technical plenary, participants agreed that the current situation of pervasive surveillance represents an attack on the Internet,” said Stephen Farrell, one of the IETF’s two Security Area Directors. “While there are challenges isolating the specific areas of attack that IETF protocols can mitigate, all of the working groups that considered the topic have started planning to address the threat using IETF tools that can mitigate aspects of the problem.”
The Internet depends upon standards developed in an open and transparent manner. Openness allows any interested party to participate, review, critique, or question the work of others. Transparency provides visibility into all steps of the process and an appropriate audit trail for inspection. Broad consensus, after review from a wide range of interests and perspectives, fosters agreement on the resulting standards.
“The IETF is taking steps to develop the technical specifications to improve the privacy and security of the Internet,” said Russ Housley, Chair of the Internet Architecture Board. “However, others need to take on the non-technical aspects that are part of a comprehensive response to mass surveillance on the Internet.”
In nearly 30 years, the IETF has published more than 4500 documents that describe standards for the fundamental technologies and widely used services on today’s global Internet. IETF participation is open to any interested individual and includes experts from industry, academia, and government from across the globe. While the work of the IETF mainly takes place online to reduce barriers to participation, its in-person meetings bring together participants three times each year at locations around the world.
For archives of video and other materials from the meeting, see:
http://www.ietf.org/live/
For more information about the IETF 88 meeting, see:
http://www.ietf.org/meeting/88/index.html
About the Internet Engineering Task Force
The Internet Engineering Task Force (IETF) is the Internet’s premier technical standards body. It gathers a large open international community of network designers, engineers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. The IETF seeks broad participation. The work of the IETF takes place online, largely through email lists, reducing barriers to participation and maximizing contributions from around the world. IETF Working Groups (WGs) are organized by topic into several areas (e.g., routing, transport, security, etc.). For more information, see: http://www.ietf.org/

Security hole found in Obamacare website

By Jose Pagliery, CNN Money, October 29, 2013

The Obamacare website has more than annoying bugs. A cybersecurity expert found a way to hack into users’ accounts.

Until the Department of Health fixed the security hole last week, anyone could easily reset your Healthcare.gov password without your knowledge and potentially hijack your account.

The glitch was discovered last week by Ben Simo, a software tester in Arizona. Simo found that gaining access to people’s accounts was frighteningly simple.

You could have:
* guessed an existing user name, and the website would have confirmed it exists.
* claimed you forgot your password, and the site would have reset it.
* viewed the site’s unencrypted source code in any browser to find the password reset code.
* plugged in the user name and reset code, and the website would have displayed a person’s three security questions (your oldest niece’s first name, name of favorite pet, date of wedding anniversary, etc.).
* answered the security questions wrong, and the website would have spit out the account owner’s email address — again, unencrypted.
[…]
http://money.cnn.com/2013/10/29/technology/obamacare-security/index.html
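Each of the five failures in the CNN list corresponds to a missing control in the reset flow: a response that confirms whether a user name exists, a reset that fires before anyone proves ownership, a reset code visible in client-side source, security questions shown to whoever holds that code, and an error message that leaks the account email. The following Python example is added here to show what a reset flow with those controls looks like; it is not code from the article, from Healthcare.gov or from the researcher. The service, the user records and the "outbox" that stands in for email delivery are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # reset tokens expire after 15 minutes (assumed policy)
MAX_ATTEMPTS = 3              # wrong answers allowed per token before it is discarded
GENERIC_REQUEST_REPLY = ("If an account matches, reset instructions have been "
                         "sent to the email address on file.")
GENERIC_FAILURE = "The reset could not be completed."


def _hash(value: str, salt: str) -> str:
    """Salted SHA-256; a real deployment would use a slow KDF such as scrypt or Argon2."""
    return hashlib.sha256((salt + value).encode()).hexdigest()


def _normalize_answer(answer: str) -> str:
    """Security-question answers are compared case- and whitespace-insensitively."""
    return answer.strip().lower()


class PasswordResetService:
    """In-memory stand-in for an account service (constructed for this example)."""

    def __init__(self):
        self.users = {}     # username -> record with hashed password and answers
        self.pending = {}   # username -> {"token_hash", "expires", "attempts"}
        self.outbox = []    # simulated out-of-band delivery: (email, token)

    def add_user(self, username, email, password, answers):
        salt = secrets.token_hex(8)
        self.users[username] = {
            "email": email,
            "salt": salt,
            "password_hash": _hash(password, salt),
            "answer_hashes": [_hash(_normalize_answer(a), salt) for a in answers],
        }

    def request_reset(self, username):
        """Control 1 and 2: the reply is identical whether or not the account exists,
        and nothing is reset yet. Control 3: the token is generated server-side and
        only ever leaves via the email outbox, never in the HTTP response."""
        user = self.users.get(username)
        if user is not None:
            token = secrets.token_urlsafe(32)
            self.pending[username] = {
                "token_hash": hashlib.sha256(token.encode()).hexdigest(),
                "expires": time.time() + TOKEN_TTL_SECONDS,
                "attempts": 0,
            }
            self.outbox.append((user["email"], token))
        return GENERIC_REQUEST_REPLY

    def complete_reset(self, username, token, answers, new_password):
        """Control 4 and 5: the token and all answers are checked together with
        constant-time comparisons, attempts are capped, and every failure returns
        the same message, so no email address or question text is disclosed."""
        user = self.users.get(username)
        pend = self.pending.get(username)
        if user is None or pend is None:
            return False, GENERIC_FAILURE
        if time.time() > pend["expires"] or pend["attempts"] >= MAX_ATTEMPTS:
            self.pending.pop(username, None)
            return False, GENERIC_FAILURE
        pend["attempts"] += 1
        token_ok = hmac.compare_digest(
            pend["token_hash"], hashlib.sha256(token.encode()).hexdigest())
        supplied = [_hash(_normalize_answer(a), user["salt"]) for a in answers]
        answers_ok = len(supplied) == len(user["answer_hashes"]) and all(
            hmac.compare_digest(s, e) for s, e in zip(supplied, user["answer_hashes"]))
        if not (token_ok and answers_ok):
            return False, GENERIC_FAILURE
        user["password_hash"] = _hash(new_password, user["salt"])
        self.pending.pop(username, None)   # token is single-use
        return True, "Password updated."

    def check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["password_hash"], _hash(password, user["salt"]))
```

The point of the uniform `GENERIC_REQUEST_REPLY` and `GENERIC_FAILURE` strings is that a caller learns nothing from the response that it did not already know: not whether the user name exists, not the question text, and not the email on file. The token itself is stored only as a hash, so a read of the server's data store does not yield a usable reset code either.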

SAFE Act

The Securing Adolescents from Exploitation-Online Act of 2007

ISPs already have a duty to notify authorities if they stumble across anything that appears to be child pornography or molestation evidence. The new bill ups the penalties for not reporting this information; ISPs now face up to $150,000 for a first violation and up to $300,000 for subsequent violations. The bill also requires ISPs to retain copies of all information filed in these reports, and to do so for 180 days in case they are needed for use as evidence in court.

Now, what does the bill not do? It explicitly tells ISPs that they do not need to “monitor any user, subscriber, or customer,” they do not need to “monitor the content of any communication,” or even “affirmatively seek facts or circumstances.” In other words, if you see it, you are legally obligated to report it, but ISPs do not need to become child porn detectives.
110th CONGRESS
1st Session
H. R. 3791
AN ACT

To modernize and expand the reporting requirements relating to child pornography, to expand cooperation in combating child pornography, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “Securing Adolescents From Exploitation-Online Act of 2007” or the “SAFE Act of 2007”.

SEC. 2. REPORTING REQUIREMENTS OF ELECTRONIC COMMUNICATION SERVICE PROVIDERS AND REMOTE COMPUTING SERVICE PROVIDERS.

(a) In General.—Chapter 110 of title 18, United States Code, is amended by inserting after section 2258 the following:

“SEC. 2258A. REPORTING REQUIREMENTS OF ELECTRONIC COMMUNICATION SERVICE PROVIDERS AND REMOTE COMPUTING SERVICE PROVIDERS.

“(a) Duty To Report.—

“(1) IN GENERAL.—Whoever, while engaged in providing an electronic communication service or a remote computing service to the public through a facility or means of interstate or foreign commerce, obtains actual knowledge of any facts or circumstances described in paragraph (2) shall, as soon as reasonably possible—

“(A) complete and maintain with current information a registration with the CyberTipline of the National Center for Missing and Exploited Children, or any successor to the CyberTipline operated by such center, by providing the mailing address, telephone number, facsimile number, electronic mail address of, and individual point of contact for, such electronic communication service provider or remote computing service provider; and

“(B) make a report of such facts or circumstances to the CyberTipline, or any successor to the CyberTipline operated by such center.

“(2) FACTS OR CIRCUMSTANCES.—The facts or circumstances described in this paragraph are any facts or circumstances that appear to indicate a violation of—

“(A) section 2251, 2251A, 2252, 2252A, 2252B, or 2260 that involves child pornography; or

“(B) section 1466A.

“(b) Contents Of Report.—To the extent available to an electronic communication service provider or a remote computing service provider, each report under subsection (a)(1) shall include the following information:

“(1) INFORMATION ABOUT THE INVOLVED INDIVIDUAL.—Information relating to the Internet identity of any individual who appears to have violated a Federal law in the manner described in subsection (a)(2), which shall, to the extent reasonably practicable, include the electronic mail address, website address, uniform resource locator, or any other identifying information, including self-reported identifying information.

“(2) HISTORICAL REFERENCE.—Information relating to when any apparent child pornography was uploaded, transmitted, reported to, or discovered by the electronic communication service provider or remote computing service provider, as the case may be, including a date and time stamp and time zone.

“(3) GEOGRAPHIC LOCATION INFORMATION.—Information relating to the geographic location of the involved individual, hosting website, or uniform resource locator, which shall include the Internet Protocol Address or verified billing address, or, if not reasonably available, at least one form of geographic identifying information, including area code or zip code. The information shall also include any self-reported geographic information.

“(4) IMAGES OF APPARENT CHILD PORNOGRAPHY.—Any image of any apparent child pornography relating to the incident such report is regarding.

“(5) COMMINGLED IMAGES.—Any images, data, or other digital files (collectively referred to as ‘digital files’) which are commingled or interspersed among the images of apparent child pornography. If it would impose an undue hardship to provide these commingled digital files as part of the report, because of the volume of the digital files or for other reasons, the reporting company shall, in lieu of providing those digital files, inform the CyberTipline of the existence of such digital files, and retain those digital files as if they were part of the report as required pursuant to subsection (h).

“(c) Forwarding Of Report To Law Enforcement.—

“(1) IN GENERAL.—The National Center for Missing and Exploited Children shall forward each report made under subsection (a)(1) to any appropriate law enforcement agency designated by the Attorney General under subsection (d)(2).

“(2) STATE AND LOCAL LAW ENFORCEMENT.—The National Center for Missing and Exploited Children may forward any report made under subsection (a)(1) to an appropriate official of a State or political subdivision of a State for the purpose of enforcing State criminal law.

“(3) FOREIGN LAW ENFORCEMENT.—The National Center for Missing and Exploited Children may forward any report made under subsection (a)(1) to any appropriate foreign law enforcement agency designated by the Attorney General under subsection (d)(3), subject to the conditions established by the Attorney General under subsection (d)(3).

“(d) Attorney General Responsibilities.—

“(1) IN GENERAL.—The Attorney General shall enforce this section.

“(2) DESIGNATION OF FEDERAL AGENCIES.—The Attorney General shall designate promptly the Federal law enforcement agency or agencies to which a report shall be forwarded under subsection (c)(1).

“(3) DESIGNATION OF FOREIGN AGENCIES.—The Attorney General shall promptly—

“(A) designate the foreign law enforcement agencies to which a report may be forwarded under subsection (c)(3);

“(B) establish the conditions under which such a report may be forwarded to such agencies; and

“(C) develop a process for foreign law enforcement agencies to request assistance from Federal law enforcement agencies in obtaining evidence related to a report referred under subsection (c)(3).

“(e) Failure To Report.—An electronic communication service provider or remote computing service provider that knowingly and willfully fails to make a report required under subsection (a)(1) shall be fined—

“(1) in the case of an initial knowing and willful failure to make a report, not more than $150,000; and

“(2) in the case of any second or subsequent knowing and willful failure to make a report, not more than $300,000.

“(f) Protection Of Privacy.—Nothing in this section shall be construed to require an electronic communication service provider or a remote computing service provider to—

“(1) monitor any user, subscriber, or customer of that provider;

“(2) monitor the content of any communication of any person described in paragraph (1); or

“(3) affirmatively seek facts or circumstances described in subsection (a)(2).

“(g) Conditions Of Disclosure Information Contained Within Report.—

“(1) IN GENERAL.—Except as provided in paragraph (2), a law enforcement agency that receives a report under subsection (c) shall not disclose any information contained in that report.

“(2) PERMITTED DISCLOSURES.—A law enforcement agency may disclose information in a report received under subsection (c)—

“(A) to an attorney for the government for use in the performance of the official duties of that attorney;

“(B) to such officers and employees of that law enforcement agency, as may be necessary in the performance of their investigative and recordkeeping functions;

“(C) to such other government personnel (including personnel of a State or subdivision of a State) as are determined to be necessary by an attorney for the government to assist the attorney in the performance of the official duties of the attorney in enforcing Federal criminal law;

“(D) if the report discloses a violation of State criminal law, to an appropriate official of a State or subdivision of a State for the purpose of enforcing such State law;

“(E) to a defendant in a criminal case or the attorney for that defendant, to the extent the information relates to a criminal charge pending against that defendant;

“(F) to an electronic communication service provider or remote computing provider if necessary to facilitate response to legal process issued in connection to that report. The electronic communication service provider or remote computing service provider shall be prohibited from disclosing the contents of that report to any person, except as necessary to respond to the legal process; and

“(G) as ordered by a court upon a showing of good cause and pursuant to any protective orders or other conditions that the court may impose.

“(h) Evidence Preservation.—

“(1) IN GENERAL.—For the purposes of this section, the notification to an electronic communication service provider or a remote computing service provider by the CyberTipline of receipt of a report under subsection (a)(1) shall be treated as notice to preserve, as if such notice was made pursuant to section 2703(f).

“(2) PRESERVATION OF REPORT.—Pursuant to subsection (h)(1), an electronic communication service provider or a remote computing service shall preserve the contents of the report provided pursuant to subsection (b) as well as the information in subsection (c)(2) of section 2703 pertaining to the involved individual for not less than 180 days after such notification by the CyberTipline.

“(3) AUTHORITIES AND DUTIES NOT AFFECTED.—Nothing in this section shall be construed as replacing, amending, or otherwise interfering with the authorities and duties under section 2703.

“SEC. 2258B. LIMITED LIABILITY FOR ELECTRONIC COMMUNICATION SERVICE PROVIDERS, REMOTE COMPUTING SERVICE PROVIDERS, OR DOMAIN NAME REGISTRAR.

“(a) In General.—Except as provided in subsections (b) and (c), a civil claim or criminal charge against an electronic communication service provider, a remote computing service provider, or domain name registrar, including any director, officer, employee, or agent of such electronic communication service provider, remote computing service provider, or domain name registrar arising from the performance of the reporting responsibilities of such electronic communication service provider, remote computing service provider, or domain name registrar under this section, section 2258A, or section 2258C may not be brought in any Federal or State court.

“(b) Intentional, Reckless, Or Other Misconduct.—Subsection (a) shall not apply to a claim if the electronic communication service provider, remote computing service provider, or domain name registrar, or a director, officer, employee, or agent of that electronic communication service provider, remote computing service provider, or domain name registrar—

“(1) engaged in intentional misconduct; or

“(2) acted, or failed to act—

“(A) with actual malice;

“(B) with reckless disregard to a substantial risk of causing injury without legal justification; or

“(C) for a purpose unrelated to the performance of any responsibility or function under this section, section 2258A, or section 2258C.

“(c) Ordinary Business Activities.—Subsection (a) shall not apply to an act or omission relating to an ordinary business activity of an electronic communication service provider, a remote computing service provider, or domain name registrar, including general administration or operations, the use of motor vehicles, or personnel management.

“(d) Minimizing Access.—An electronic communication service provider, a remote computing service provider, and domain name registrar shall—

“(1) minimize the number of employees that are provided access to any image provided under section 2258A or 2258C; and

“(2) ensure that any such image is permanently destroyed, upon notification from a law enforcement agency.

“SEC. 2258C. USE OF IMAGES FROM THE CYBERTIPLINE TO COMBAT CHILD PORNOGRAPHY.

“(a) In General.—The National Center for Missing and Exploited Children is authorized to provide elements relating to any image reported to its CyberTipline to an electronic communication service provider or a remote computing service provider for the sole and exclusive purpose of permitting that electronic communication service provider or remote computing service provider to stop the further transmission of images. Such elements may include unique identifiers associated with a specific image, Internet location of images, and other technological elements that can be used to identify and stop the transmission of child pornography.

“(b) Use By Electronic Communication Service Providers And Remote Computing Service Providers.—Any electronic communication service provider or remote computing service provider that receives elements relating to an image from the National Center for Missing and Exploited Children under this section may use such information only for the purposes described in this section, provided that such use shall not relieve that electronic communication service provider or remote computing service provider from its reporting obligations under section 2258A.

“SEC. 2258D. LIMITED LIABILITY FOR THE NATIONAL CENTER FOR MISSING AND EXPLOITED CHILDREN.

“(a) In General.—Except as provided in subsections (b) and (c), a civil claim or criminal charge against the National Center for Missing and Exploited Children, including any director, officer, employee, or agent of such center, arising from the performance of the CyberTipline responsibilities or functions of such center, as described in this section, section 2258A or 2258C of this title, or section 404 of the Missing Children’s Assistance Act (42 U.S.C. 5773), or from the effort of such center to identify child victims may not be brought in any Federal or State court.

“(b) Intentional, Reckless, Or Other Misconduct.—Subsection (a) shall not apply to a claim or charge if the National Center for Missing and Exploited Children, or a director, officer, employee, or agent of such center—

“(1) engaged in intentional misconduct; or

“(2) acted, or failed to act—

“(A) with actual malice;

“(B) with reckless disregard to a substantial risk of causing injury without legal justification; or

“(C) for a purpose unrelated to the performance of any responsibility or function under this section, section 2258A or 2258C of this title, or section 404 of the Missing Children’s Assistance Act (42 U.S.C. 5773).

“(c) Ordinary Business Activities.—Subsection (a) shall not apply to an act or omission relating to an ordinary business activity, including general administration or operations, the use of motor vehicles, or personnel management.

“(d) Minimizing Access.—The National Center for Missing and Exploited Children shall—

“(1) minimize the number of employees that are provided access to any image provided under section 2258A; and

“(2) ensure that any such image is permanently destroyed upon notification from a law enforcement agency.

“SEC. 2258E. DEFINITIONS.

“In sections 2258A through 2258D—

“(1) the terms ‘attorney for the government’ and ‘State’ have the meanings given those terms in rule 1 of the Federal Rules of Criminal Procedure;

“(2) the term ‘electronic communication service’ has the meaning given that term in section 2510;

“(3) the term ‘electronic mail address’ has the meaning given that term in section 3 of the CAN–SPAM Act of 2003 (15 U.S.C. 7702);

“(4) the term ‘Internet’ has the meaning given that term in section 1101 of the Internet Tax Freedom Act (47 U.S.C. 151 note);

“(5) the term ‘remote computing service’ has the meaning given that term in section 2711; and

“(6) the term ‘website’ means any collection of material placed in a computer server-based file archive so that it is publicly accessible, over the Internet, using hypertext transfer protocol or any successor protocol.”.

(b) Conforming Amendments.—

(1) REPEAL OF SUPERCEDED PROVISION.—Section 227 of the Crime Control Act of 1990 (42 U.S.C. 13032) is repealed.

(2) TABLE OF SECTIONS.—The table of sections for chapter 110 of title 18, United States Code, is amended by inserting after the item relating to section 2258 the following:

“2258A. Reporting requirements of electronic communication service providers and remote computing service providers.
“2258B. Limited liability for electronic communication service providers and remote computing service providers.
“2258C. Use of images from the CyberTipline to combat child pornography.
“2258D. Limited liability for the National Center for Missing and Exploited Children.
“2258E. Definitions.”.

Passed the House of Representatives December 5, 2007.
Attest:

SafeSlinger claims Phone Privacy

CMU Researchers Claim To Have Created Messaging App Even NSA Can’t Crack

The app is called SafeSlinger, and is free on the iTunes store and on the Google Play store for Android phones. SafeSlinger’s easy-to-use interface brings cryptography and secure communication to non-expert users while also claiming military-grade security against hackers.
Video: http://www.youtube.com/watch?v=IFXL8fUqNKY