Date post: 19-Dec-2015
Privacy, security and copyright Legislation and other challenges Kent Wada UCLA IT Security and Policy Coordinator ACM SIGUCCS CSMS Monterey, March 31, 2003

HIPAA – SB1386 – TEACH – GLBA – VISA – NASA – DMCA – USA PATRIOT Act

USA PATRIOT Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001

• Amends more than fifteen statutes (including FERPA)
• Was intended in part to update wiretap and surveillance laws for the Internet era

Since the Sept. 11, 2001, attacks, the Justice Department and FBI have dramatically increased the use of two little-known powers that allow authorities to tap telephones, seize bank and telephone records and obtain other information in counterterrorism investigations with no immediate court oversight, according to officials and newly disclosed documents.
Washington Post, March 24, 2003

Not just a theoretical issue

Subpoenas and Search Warrants

• Do you have a policy?
• Are systems administrators and front-desk staff aware of it?
• What if a law enforcement officer is demanding data outside of business hours?
• Tracking requests is important for institutional memory and to prevent abuse

Records retention

• How long should email be kept?
• How long should email server logs be kept? Surveillance tapes? Web server logs? Etc. etc. etc.

Keep data only as long as it is needed, and no longer, lest it become a liability (the library model)

At issue

• Security and law enforcement
• Operational costs
• Privacy
• Records retention (not just electronic)

HIPAA
Health Insurance Portability and Accountability Act of 1996

• Among other things, defines privacy and security standards for personally identifiable patient information
• Not just for university hospitals

California SB1386

Senate Bill 1386

New provision of the California Information Practices Act requiring disclosure of computer security breaches involving personal information of California residents

At issue

• What is “encryption?”
• Data everywhere
• What if a Palm Pilot was lost?

VISA USA
Cardholder Information Security Program

• Standard of due care and enforcement for protecting sensitive information associated with credit cards
• Applies to e-commerce merchants allowing online Visa transactions
• The “Digital Dozen:” 12 basic security requirements

At issue

• Annual on-site audits for “high volume transaction” customers (not likely for higher ed)
• Still a good checklist for security: does it align with your existing security policy?

National Strategy to Secure Cyberspace

“Should consideration be given to tying State or Federal funding to [institutions of higher education] to compliance with certain cybersecurity benchmarks?”

NASA IT Security Clause
Final Rule in the Federal Register (67 FR 48814-48815) on July 26, 2002

• For NASA contracts, the Clause mandates that an IT security plan be submitted to NASA, along with a project bid, detailing how IT security requirements are to be met
• Guidelines for grants to follow

At issue

• Will other granting agencies begin stipulating IT security requirements?
• What infrastructure implications are there for faculty who are applying for grants?

TEACH Act
Technology Education and Copyright Harmonization Act of 2001

• Relaxes certain copyright restrictions to make it easier to use materials in online learning
• Additional obligations that have security and privacy implications

GLBA

Gramm – Leach – Bliley Act

• Creates obligations to protect customer financial information
• Applies to financial institutions including colleges and universities
• Privacy = FERPA, but will need a comprehensive security program

DMCA
Digital Millennium Copyright Act of 1998

• Updates the copyright laws to reflect cyberspace
• Offers liability shelter for ISPs from claims of vicarious or contributory infringement – optional and many requirements to meet to qualify

Some numbers

• RIAA estimates 2.6 billion files illegally downloaded per month
• 16% of files available through file sharing services at any given time are located at US educational institutions
• RIAA sends ~2,500 claims to universities per month

Industry attention (Oct 2002)

“Specifically, we urge you to adopt and implement policies that:
• Inform students of their moral and legal responsibilities to respect the rights of copyright owners
• Specify what practices are, and are not, acceptable on your school’s network
• Monitor compliance
• Impose effective remedies against violators.”

Industry attention (Feb 2003)

In Australia, recording companies have asked Federal Court to allow them to scan computers at the University of Melbourne for gathering evidence of claimed widespread breach of copyright.

Industry attention (March 2003)

The British record industry is to prosecute universities that allow students to copy music over the internet through their computer networks. Heads of universities will face criminal sanctions if they collude in the illegal downloading of music files — “copyright theft” — that is costing the music industry £2 billion a year.

Congressional attention (Feb 2003)

In a recent hearing on the topic of digital piracy, Rep. John Conyers, D-Mich., “warned that universities should take aggressive measures to police their own networks lest Congress do it for them in a much more invasive way.”

Asks: Why do we not prosecute?

At issue

• Monitoring versus privacy, academic freedom
• Should we (or any ISP) be the RIAA’s (or anyone else’s) police?
• Illegal uses of P2P versus legitimate ones
• Legal exposure – what is it?
• Media exposure

Internal issues, too

• Bandwidth allocation – how much is “incidental personal use?”
• Operational cost for processing claims
• Academic uses of P2P
• Security of P2P

Experiments (1)

Cornell has changed their procedure to block access immediately in light of the Verizon court case. This is felt to increase protection to students.

Experiments (2)

The University of Wyoming has been testing software that examines each file being transferred across the network to see if it is copyrighted material.

Experiments (3)

Stanford has imposed a port reactivation fee.

Experiments (4)

The University of Chicago promotes non-file-sharing configuration of P2P programs.

Experiments (5)

Various universities are looking at weekly or monthly caps on bandwidth, or charging for high use.

Experiments (6)

Commercial music services such as Pressplay, AOL, Rhapsody and others offer music for a monthly fee.

Esquire Magazine, March 2003

Copyright (©) protects the original way an idea is expressed, not the idea itself. It includes artistic, literary, dramatic or musical works presented in a tangible medium such as a book, photograph or movie. This protection is given to works to prevent unauthorized copying. The general rule for a work created on or after 1-1-78, is that the copyright lasts for the author's lifetime plus 70 years after the author's death, or 95 years after publication for a work made for hire.

— International Trademark Association

The Congress shall have Power . . . To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.

– U.S. Constitution, Article I, Section 8

“Copyright Term Extension Act”

Congress has extended existing copyright terms 11 times in the past 40 years. In 1790, copyrights lasted 14 years. The CTEA extended copyright protection limits from 50 years to 70 years after an author’s death.

Unlike his parents, Zack’s memories of summer vacation aren’t going to be organized around one album played to death. I tried one more time. “Surely,” I asked, “there must be some reason to still buy CDs?” …

Zack gave me a pained expression and rubbed his head some more. I sympathized with him; at the moment, looking at the 1,001 songs he downloaded for free, buying CDs made no sense to me either.

— “21st Century Music Fan” Los Angeles Magazine, November 2001

The future is upon us

Some Final Comments

HIPAA – SB1386 – TEACH – GLBA – VISA – NASA – DMCA – USA PATRIOT Act

I. The balancing act

Core values
• Academic freedom
• Freedom of speech
• Privacy

VS

Needs
• Security
• Legal
• Fiscal

National controversy

II. Articulating decisions

• Overbroad arguments
• Emotional tension
• Media relations

III. Collaboration

Maybe we need to invent the wheel a thousand times, but we also need a collective voice

[email protected]
www.bol.ucla.edu/~kent/

Discussion

