European Court of Justice rules against UK on data retention

ECJ

The Court of Justice of the European Union (familiarly known as the European Court of Justice or ECJ) issued a judgment this week explicitly against laws in the United Kingdom and in Sweden that require telecommunications service providers to collect and retain data about telephone calls and other electronic communications (for 12 months in the UK law and for six months in the Swedish law). In its ruling, the ECJ found that the British and Swedish data retention regulation “prescribes general and indiscriminate retention of data” in a manner inconsistent with norms of democratic society and, in particular, with privacy protections for electronic communications included European Council Directive 2002/58/EC. The Court’s ruling makes clear that it is possible for European Union member nations to establish targeted data retention rules for specific purposes, such as supporting criminal or anti-terrorism investigations, but the December 21 judgment further clarifies interpretations of EU policy since the Court ruled invalid the EC-wide Data Retention Directive in 2014.

EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Members States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary.

To put this recent ruling in context, a little history may be in order. Even those with only a casual interest in personal privacy protections are often aware that, in general, regulations governing the collection, use, and disclosure of personal data are stronger in the European Union than privacy regulations in the United States. Despite those overarching privacy protections, enumerated in multiple EC Directives dating at least to 1995, the European Parliament and the European Council established Directive 2006/24/EC in March 2006 to harmonize member countries’ retention of data related to electronic communications services. The 2006 Directive concerned location and telecommunications metadata that could be used by law enforcement authorities or other authorized entities to identify the source and destination of electronic communications (including telephony services and Internet transmissions such as email) and the identity of the subscriber or registered user initiating such transmissions. Individual countries were free to establish their own specific retention periods, but Directive 2006/24/EC set the minimum at six months and the maximum at two years. Laws such as the Swedish regulation addressed in this week’s ECJ ruling were crafted specifically to conform to the guidelines in 2006/24/EC.

Directive 2006/24/EC was in effect for approximately eight years; in April 2014 the ECJ declared the data retention directive invalid, largely because it did not require any “differentiation, limitation, or exception” in the collection of electronic communications data nor did it ensure that government authorities could only use the collected data for preventing, detecting, or prosecuting serious crime. The Swedish case brought to the ECJ challenged a law that was enacted prior to the 2014 ruling invalidating 2006/24/EC, while the UK case concerned the Data Retention and Investigatory Powers Act of 2014, which was enacted specifically in response to the invalidation of the EC data retention directive. Dubbed the “snoopers’ charter” by opponents, the UK law requires telecommunications carriers and Internet service providers to hold data about all electronic communications by subscribers or users for a period of 12 months. While many national data retention laws (and Directive 2006/24/EC) exclude the content of electronic communications, news reports about the UK law suggest that service providers would be required to retain, and to make available to law enforcement, details such as the Internet websites individuals visit and the applications and messaging services individuals use. The UK efforts to increase this type of data retention stand in stark contrast to actions by other EU nations in the years while 2006/24/EC was still in effect, such as the rejection by the German Federal Constitutional Court of a data retention law that had been designed to comply with the EC Directive. As for the U.S., while there is no mandatory data retention law currently in place, Congress has tried several times to enact these rules, including failed efforts in 2009 and 2011, and U.S. law enforcement authorities have well-established legal procedures under the Stored Communications Act to access any data or records that electronic communications providers choose to maintain for their own business purposes.

After Yahoo! breach, can users do anything to protect their online data?

After news broke last week that online services giant Yahoo! had suffered a data breach resulting in the compromise of account information on 500 million users, customers were left wondering how the breach would affect them while news organizations and industry observers heaped criticism on the company. Yahoo! public disclosure of the attack against its user database, which reportedly occurred at least two years ago, comes in the midst of the company’s efforts to see itself to Verizon, which said it learned of the breach at about the same time the public did. Subsequent news reports have charged that Yahoo! business executives, including CEO Marissa Mayer and Senior VP Jeff Bonforte (who has responsibility for Yahoo! email services), made public pronouncements and took actions that seemed to indicate that cybersecurity was a high priority, but in reality chose to de-emphasize security in favor of strategies to retain current users. This approach stands in strong contrast to other major online services providers such as Google that have suffered attacks (and compromises) in years past and responded by aggressively invested in rolling out stronger security controls, including protection for email messages and user account data.

The group that seems most overlooked in the aftermath of the breach is Yahoo! customers. As the New York Times and other media sources has reported, executives including Mayer chose not to implement even widely-accepted practices such as automatically resetting user account passwords when a breach occurs. This is of course problematic when account credentials for email services are compromised, because end users may not be able to receive communications from the breached company if their password is changed and such changes would normally be communicated to them via email. Yahoo! apparently also chose not to pursue end-to-end encryption for its messaging services, because doing so would eliminate the company’s ability to scan message content for use in pitching services to customers. This leaves users more or less on their own to take corrective action, where the guidance remains pretty much the same whether we’re talking about Yahoo! or any of the many other online companies that have suffered data breaches that compromised usernames, passwords, security questions, or other personal or credentialing information. Users sticking with Yahoo! should at the very least change their account password and the passwords of any other online accounts that are setup with the same username and password. Many articles recommend keeping an eye on your accounts to try to identify any unexpected activity, but for Yahoo! customers it seems more likely that the data disclosed about Yahoo! users would potentially be put to use in account penetration attempts against other online providers (particularly those where the account username is a Yahoo! email address). Lastly, while it is not always an easy or consistent option, one of the best ways to limit the value of breached account credentials is to add two-factor authentication, although even with this addition level of protection accounts that use the same login credentials may continue to be at risk.

Delta and other air carriers show how not to do disaster recovery

The August 8 systemwide outage suffered by Delta Airlines – attributed to a power failure at the company’s primary data center – is merely the most recent of a string of technology-related problems significantly affecting operations of major air carriers. In just the past 13 months, United (July 2015) and Southwest (July 2016) lost the use of their computer systems due to problems blamed on faulty network routers and Delta last week joined JetBlue (January 2016) in experiencing data center power failures. The predominant response from the IT industry is both surprise and disappointment that mission-critical airline operations systems do not seem to have reliable or effective continuity of operations or failover capabilities in place, whether in the form of backup power generation in data centers or redundant hardware or software systems. All of the recent outages highlight single points of failure for the airlines, which not only show poor design but also seem completely unnecessary given modern computing resources.

Conventional disaster recovery and business continuity planning begins by assessing the criticality of the business processes that information technology systems, networks, and infrastructure support. Alternate processing facilities (like secondary data centers) are categorized as “cold”, “warm”, or “hot” sites according to how rapidly the alternate facility can take over for or establish at least some level of business operations when the primary facility has an outage; hot failover is the most immediate, often entailing fully redundant or mirrored systems in two or more data centers that can work together or individually to keep systems available. In addition to alternate processing capabilities, most modern data centers – whether owned and operated by companies themselves (like Delta) or by outsourcing providers like Dell, HP, or Verizon (the last of which is used by JetBlue) – have redundant network and power connections as well as battery and generator-based backup power to try to avoid precisely the type of failure it seems affected Delta. Various news reports of the Delta outage have noted that many of Delta’s key operational systems, including the ones that failed on August 8, run out of a single Atlanta data center, dubbed the Technology Command Center, and have speculated that Delta chose not to implement an alternate processing site. Based on what happened on August 8, it seems fair to say that either Delta does not in fact have a secondary facility or, if it does, any automated failover procedures that are designed to shift operations to a secondary facility did not work as intended. Whether due to poor planning, misplaced financial priorities, or lack of disaster recovery testing, the events of the day provide clear evidence that Delta’s systems are neither reliable nor resilient in the face of unanticipated problems in the Atlanta facility. There seems to be some disagreement as to whether a power outage or an equipment malfunction was actually the cause of the outage, but neither of those issues should have brought Delta’s systems down if the company had implemented the sort of IT redundancy that is common among major commercial enterprises. Even when redundancy has been built in, the importance of testing cannot be overstated; without regular disaster recovery testing companies may operate under a false sense of security, until they actually encounter a problem and find that their failover mechanisms don’t work. This is apparently the case for the Southwest Airlines outage, which was blamed on a network router that began functioning improperly but did not actually go offline, with the result that existing backup systems were not activated to take over for the malfunctioning router.

cancel-screenThe apparent fragility of air carrier IT systems has raised concerns within the federal government, as seen this week in a letter from Senators Edward Markey and Richard Blumethal, both members of the Senate Commerce, Science and Transportation Committee, to Delta CEO Ed Bastian (the letter was also sent to executives at a dozen other airlines) asking for information about the state and general resilience of the airlines’ IT systems, their potential susceptibility to failure due to power or technology issues or to cyber-attack, and the affect on traveling members of the public when outages occur. Commercial air carriers’ IT systems are not explicitly considered part of the nation’s critical infrastructure (although aviation is part of the Transportation Systems Sector defined as critical infrastructure by the Department of Homeland Security) but Sens. Markey and Blumenthal emphasize the responsibility that Delta and other carriers have to ensure the reliability and resilience of their IT systems, especially in light of the large-scale consolidation of U.S. airlines. Many industry observers point to airline mergers, and in particular the need for merged carriers to integrate disparate IT systems, many of which rely on “legacy” technologies that may not have been designed for or easily adapted to high-availability deployments. It seems quite likely that the diversity of systems and technology characterizing many carriers post-merger makes their systems more vulnerable and makes business continuity planning more complicated than it would be with a more homogeneous IT environment, but there is nothing in the recent airline outages to suggest that merger-related IT integration had anything to do with the problems that brought flights to a standstill.

It’s hardly treason, but Trump’s call for Russian hacking still encourages illegal actions

Despite speaking for more than an hour at a rally in Florida on July 27, media attention following the speech centered on just two sentences uttered by Republican presidential nominee Donald Trump. Leveraging widespread speculation that Russian hackers were responsible for the recently publicized attack of Democratic National Committee computer systems, Trump made an appeal directly to that nation: “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” an apparent reference to the email messages that Hillary Clinton determined to be personal and deleted from her private server before handing the server over to the State Department and the FBI. Trump continued, “I think you will probably be rewarded mightily by our press.” Reaction to Trump statements was swift and predominantly critical, from both Democrats and Republicans, with a general consensus that Trump was actively encouraging espionage by a foreign power against American information technology assets. Michael Inboden, a member of the National Security Council under former president George W. Bush, called Trump’s comments “tantamount to treason,” although most politicians and analysts chose not to go that far, instead emphasizing how inappropriate it would be for a foreign government to try to intervene in or influence a U.S. presidential election.

A brief examination of relevant laws codified in the United States Code suggests that Trump, assuming for the sake of argument that his statements were serious and not a joke, is at the very least encouraging action that violates U.S. law, because computer hacking generally (whether perpetrated by domestic or foreign actors) is illegal under 18 USC §1030, which says in relevant part that anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any department or agency of the United States or information from any protected computer” may be subject to a fine or imprisonment of up to 10 years. It’s somewhat unfortunate that so many incensed observers chose to use the word espionage to characterize what Trump purportedly asked Russia to do, since under U.S. law (18 USC Chapter 37) that term only applies to defense information or to classified information, and at least according to Clinton, the deleted emails were personal in nature and did not contain any classified information (or, presumably, any information about matters of national defense). Michael Inboden also seems to have been overzealous in painting Trump’s words as treasonous, because acts of treason involve levying war against the United States (18 USC §2381), and it would be hard to characterize hacking emails as waging war. Still, it seems irresponsible to imply that any type of computer hacking or intrusion by Russia would be welcome, especially given the long history of alleged cyberattacks carried out by Russian nationals, whether or not they were working on behalf of the Russian government.

FedRAMP not delivering on promise of standard authorization

Nearly five years after the federal government launched the Federal Risk and Authorization Management Program (FedRAMP) and more than three years after the first FedRAMP authorization, many federal sector observers are questioning the effectiveness and even the relevance of the program. Although the number of FedRAMP-authorized service providers continues to grow – including as of June 21 the first set of providers authorized at a high FIPS 199 security categorization level – the more rapid adoption of cloud computing services FedRAMP was intended to facilitate has been hampered by many federal agencies’ unwillingness to accept FedRAMP authorization as sufficient for granting their own authorization to operate (ATO) or to accept ATOs granted by other agencies. This lack of reciprocity was highlighted by former Navy CIO and Department of Defense Deputy CIO Dave Wennergren in a commentary written for Federal Computer Week, in which he suggests that the Office of Management and Budget (OMB) needs to require agencies to accept ATOs previously granted by other agencies or by the FedRAMP Joint Authorization Board (JAB) to avoid the delays and unnecessary spending associated with the current prevalent practice of each agency repeating the authorization process even when selecting the same cloud service provider. As an example, the Department of Defense in January issued Defense Acquisition Services instructions to all DoD components that requires cloud service providers to obtain both a DoD provisional authorization from the Defense Information Systems Agency (DISA) and an ATO from the component’s authorizing official. This means that even DoD programs that choose to use one of the services DISA has already authorized under FedRAMP (such as Amazon Web Services Government Community Cloud, Microsoft’s Office365 Multi-Tenant & Supporting Services, or Verizon’s Enterprise Cloud Federal Edition) still need to complete an agency-specific ATO, and they cannot choose FedRAMP-authorized providers whose authorization came from another agency or JAB. This behavior is common among civilian agencies as well, who appear no more likely than the DoD to accept the judgment of the JAB or of agencies with ostensibly stricter security requirements than their own.