Privacy, security and copyright
Legislation and other challenges
Kent Wada
UCLA IT Security and Policy Coordinator
ACM SIGUCCS CSMS
Monterey, March 31, 2003
Privacy, security and copyright SIGUCCS CSMS - Monterey 2
HIPAA – SB1386 – TEACH
GLBA – VISA
NASA
DMCA – USA PATRIOT Act

USA PATRIOT Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
• Amends more than fifteen statutes (including FERPA)
• Was intended in part to update wiretap and surveillance laws for the Internet era

Not just a theoretical issue
Since the Sept. 11, 2001, attacks, the Justice Department and FBI have dramatically increased the use of two little-known powers that allow authorities to tap telephones, seize bank and telephone records and obtain other information in counterterrorism investigations with no immediate court oversight, according to officials and newly disclosed documents.
Washington Post, March 24, 2003

Subpoenas and Search Warrants
• Do you have a policy?
• Are systems administrators and front-desk staff aware of it?
• What if a law enforcement officer is demanding data outside of business hours?
• Tracking requests is important for institutional memory and to prevent abuse

Records retention
• How long should email be kept?
• How long should email server logs be kept? Surveillance tapes? Web server logs? Etc. etc. etc.
• Keep data only as long as it is needed, and no longer, lest it become a liability (the library model)

At issue
• Security and law enforcement
• Operational costs
• Privacy
• Records retention (not just electronic)

HIPAA
Health Insurance Portability and Accountability Act of 1996
• Among other things, defines privacy and security standards for personally identifiable patient information
• Not just for university hospitals

California SB1386
Senate Bill 1386
New provision of the California Information Practices Act requiring disclosure of computer security breaches involving personal information of California residents

At issue
• What is “encryption?”
• Data everywhere
• What if a Palm Pilot was lost?

VISA USA
Cardholder Information Security Program
• Standard of due care and enforcement for protecting sensitive information associated with credit cards
• Applies to e-commerce merchants allowing online Visa transactions
• The “Digital Dozen:” 12 basic security requirements

At issue
• Annual on-site audits for “high volume transaction” customers (not likely for higher ed)
• Still a good checklist for security: does it align with your existing security policy?

National Strategy to Secure Cyberspace
“Should consideration be given to tying State or Federal funding to [institutions of higher education] to compliance with certain cybersecurity benchmarks?”

NASA IT Security Clause
Final Rule in the Federal Register (67 FR 48814-48815) on July 26, 2002
• For NASA contracts, the Clause mandates that an IT security plan be submitted to NASA, along with a project bid, detailing how IT security requirements are to be met
• Guidelines for grants to follow

At issue
• Will other granting agencies begin stipulating IT security requirements?
• What infrastructure implications are there for faculty who are applying for grants?

TEACH Act
Technology Education and Copyright Harmonization Act of 2001
• Relaxes certain copyright restrictions to make it easier to use materials in online learning
• Additional obligations that have security and privacy implications

GLBA
Gramm – Leach – Bliley Act
• Creates obligations to protect customer financial information
• Applies to financial institutions including colleges and universities
• Privacy = FERPA, but will need a comprehensive security program

DMCA
Digital Millennium Copyright Act of 1998
• Updates the copyright laws to reflect cyberspace
• Offers liability shelter for ISPs from claims of vicarious or contributory infringement – optional and many requirements to meet to qualify

Some numbers
• RIAA estimates 2.6 billion files illegally downloaded per month
• 16% of files available through file sharing services at any given time are located at US educational institutions
• RIAA sends ~2,500 claims to universities per month

Industry attention (Oct 2002)
“Specifically, we urge you to adopt and implement policies that:
• Inform students of their moral and legal responsibilities to respect the rights of copyright owners
• Specify what practices are, and are not, acceptable on your school’s network
• Monitor compliance
• Impose effective remedies against violators.”

Industry attention (Feb 2003)
In Australia, recording companies have asked Federal Court to allow them to scan computers at the University of Melbourne for gathering evidence of claimed widespread breach of copyright.

Industry attention (March 2003)
The British record industry is to prosecute universities that allow students to copy music over the internet through their computer networks. Heads of universities will face criminal sanctions if they collude in the illegal downloading of music files — “copyright theft” — that is costing the music industry £2 billion a year.

Congressional attention (Feb 2003)
• In a recent hearing on the topic of digital piracy, Rep. John Conyers, D-Mich., “warned that universities should take aggressive measures to police their own networks lest Congress do it for them in a much more invasive way.”
• Asks: Why do we not prosecute?

At issue
• Monitoring versus privacy, academic freedom
• Should we (or any ISP) be the RIAA’s (or anyone else’s) police?
• Illegal uses of P2P versus legitimate ones
• Legal exposure – what is it?
• Media exposure

Internal issues, too
• Bandwidth allocation – how much is “incidental personal use?”
• Operational cost for processing claims
• Academic uses of P2P
• Security of P2P

Experiments (1)
Cornell has changed their procedure to block access immediately in light of the Verizon court case. This is felt to increase protection to students.

Experiments (2)
The University of Wyoming has been testing software that examines each file being transferred across the network to see if it is copyrighted material.

Experiments (3)
Stanford has imposed a port reactivation fee.

Experiments (4)
The University of Chicago promotes non-file-sharing configuration of P2P programs.

Experiments (5)
Various universities are looking at weekly or monthly caps on bandwidth, or charging for high use.

Experiments (6)
Commercial music services such as Pressplay, AOL, Rhapsody and others offer music for a monthly fee.

Esquire Magazine, March 2003

Copyright (©) protects the original way an idea is expressed, not the idea itself. It includes artistic, literary, dramatic or musical works presented in a tangible medium such as a book, photograph or movie. This protection is given to works to prevent unauthorized copying. The general rule for a work created on or after 1-1-78, is that the copyright lasts for the author's lifetime plus 70 years after the author's death, or 95 years after publication for a work made for hire.
— International Trademark Association

The Congress shall have Power . . . To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.
– U.S. Constitution, Article I, Section 8

“Copyright Term Extension Act”
Congress has extended existing copyright terms 11 times in the past 40 years. In 1790, copyrights lasted 14 years. The CTEA extended copyright protection limits from 50 years to 70 years after an author’s death.

The future is upon us
Unlike his parents, Zack’s memories of summer vacation aren’t going to be organized around one album played to death. I tried one more time. “Surely,” I asked, “there must be some reason to still buy CDs?” …
Zack gave me a pained expression and rubbed his head some more. I sympathized with him; at the moment, looking at the 1,001 songs he downloaded for free, buying CDs made no sense to me either.
— “21st Century Music Fan” Los Angeles Magazine, November 2001

Some Final Comments

HIPAA – SB1386 – TEACH
GLBA – VISA
NASA
DMCA – USA PATRIOT Act

I. The balancing act
Core values
• Academic freedom
• Freedom of speech
• Privacy
VS
Needs
• Security
• Legal
• Fiscal
National controversy

II. Articulating decisions
• Overbroad arguments
• Emotional tension
Media relations

III. Collaboration
Maybe we need to invent the wheel a thousand times, but we also need a collective voice

[email protected]
www.bol.ucla.edu/~kent/
Discussion