Repeal of planned FCC privacy rules leaves ISPs largely unregulated


Last week Congressional Republicans successfully passed legislation to repeal privacy regulations that would have imposed several constraints on the ability of broadband Internet service providers (ISPs) to collect, analyze, sell, and otherwise manage personal information about their customers and their use of the Internet. The repealed rules, which were developed by the Obama administration and passed by the Federal Communications Commission (FCC) in October 2016, were set to go into effect this year. The new, now abandoned, FCC rules applied key privacy principles like transparency, choice, and consent to different categories of personally identifiable information, notably requiring customers to give affirmative consent (that is, to “opt in”) to use or sharing of sensitive personal information. The rules consider sensitive information to include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history, and the content of communications. ISPs would have had more freedom to use or share non-sensitive personal information, but customers could still opt out of any use of their information if they choose to do so.

Beyond consent and use of personal information, the FCC would have added requirements that ISPs provide customers with “clear, conspicuous, and persistent notice” regarding what information the ISPs collect, how that information may be used, and with whom and under what circumstances it will be shared. This element is consistent with notice of privacy practices requirements that the Federal Trade Commission (FTC) imposes on many types of companies, including e-commerce vendors, social media sites, and website operators. ISPs also would have been obligated to implement industry best practices for data security, authentication, monitoring, and oversight, again consistent with FTC best practices and the Consumer Privacy Bill of Rights, and to notify customers and law enforcement agencies of data breaches or other failures to protect customer information.

Instead, now that President Trump signed the measure into law, ISPs like Comcast, Verizon, and AT&T have few practical restrictions on how they handle their customers’ information and are subject to substantially fewer regulations than web content providers, e-commerce companies, and technology firms like Google and Facebook that depend on the ISPs so that end users can reach their products, content, and services. Since the new FCC rules never went into effect, it might seem that privacy protections for customers of Internet service providers are no worse than they were before, but unfortunately that is not the case, due to a separate decision the FCC made in early 2015. That decision, when the FCC voted in its Open Internet Order to adopt “net neutrality” principles, reclassified Internet service providers as common carriers, placing them under the jurisdiction of the Telecommunications Act of 1934 and, by treating them in a manner analogous to conventional telephone companies, shifted the regulatory authority for ISPs from the FTC to the FCC. The exemption from FTC oversight was made explicit in a landmark ruling last year by the 9th Circuit Court of Appeals, which found AT&T was not subject to action by the FTC, even for behavior that occurred prior to the Open Internet Order. One clear intent of the Obama-era FCC privacy rules was to bring regulations for ISPs in line with FTC rules and enforcement actions applicable to other technology companies. Now, unless further regulatory changes are introduced that somehow alter the common-carrier designation, Internet service providers are uniquely positioned to capitalize on the personal information and online behavior patterns of their customers.

Tax season means it’s time to watch out for W-2 scams


As American individuals and companies head into tax season, the Internal Revenue Service (IRS) is warning organizations of all types to be on the lookout for attempted W-2 phishing attacks as part of a broader pattern of business email compromise attempts. The urgent alert issued by the IRS on February 2 was the second such notice in a span of just eight days and emphasized that the phishing scam centered on employers’ Form W-2 information appears to be affecting many types of organizations beyond the commercial corporate entities typically targeted by this sort of attack. The IRS has for several years included phishing on its “dirty dozen” list of tax scams, although historically the most prevalent scams seem to have been attempts by attackers to send fake emails purportedly from the IRS. Beginning just last year, this class of attacks evolved to include phishing emails directed to company employees working in payroll or human resources that claim to be from the company CEO, asking the recipient to send copies of employee W-2 forms. According to data compiled by industry media sources such as CSO Online, data from more than 40 companies was compromised by these attacks in 2016. This “success” rate, coupled with what the IRS says are new notifications it has received already this year for the tax year 2016 filing season, prompted a renewed alert to corporate payroll and HR departments.

It should come as no surprise to anyone that paperwork or data related to tax returns are attractive targets for attackers, or that phishing scammers have gotten more creative about who the originating party is supposed to be in the emails they send. What is perhaps harder to understand is why so many of these emails make it through to their recipients, whether or not the recipients actually fall for the scam. A phishing email of this type is almost always sent from a source outside the targeted organization, so while it is a trivial matter for a scammer to change the “reply to” value in the email to be a corporate CEO or other official, it is technically much less trivial to hide the true origin (server, IP address, and domain) of the email. It should be simple to apply a rule to incoming email that essentially says, “reject any email received from an external domain that claims to originate from an address in the internal domain.” Essentially every network firewall implements an analogous rule by default (dropping packets from external sources that have an internal source IP address), but few managed email service providers allow such rules to be defined and enforced. This deficiency leads to a market opportunity for email security gateway vendors like Barracuda, Cisco, Proofpoint, Sophos, and Websense. While many organizations have treated phishing avoidance as a security awareness issue, the increasing frequency of specialized attacks like the W-2 scams might push more companies to augment their phishing prevention capabilities so they don’t have to rely so heavily on their employees.
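The inbound rule quoted above, expressed as gateway logic. The following Python is an added example, not code from the original post or from any vendor named in it; the domain `example.com`, the relay address ranges, and the function names are assumptions, and the sample messages are constructed.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration (constructed values): the organization's mail
# domain and the address ranges of its own mail relays.
INTERNAL_DOMAIN = "example.com"
INTERNAL_RELAYS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/28")]

# Constructed sample messages, not taken from any real incident.
SPOOFED = "From: Pat Lee <ceo@example.com>\nSubject: W-2 request\n\n(sample)\n"
SUBDOMAIN = "From: hr@payroll.example.com\nSubject: forms\n\n(sample)\n"
DISPLAY_TRICK = 'From: "Pat Lee ceo@example.com" <pat@mail.test>\nSubject: hi\n\n(sample)\n'
LOOKALIKE = "From: billing@notexample.com\nSubject: invoice\n\n(sample)\n"
TWO_FROM = "From: a@mail.test\nFrom: ceo@example.com\nSubject: x\n\n(sample)\n"


def is_internal_domain(domain):
    """True for the internal domain and its subdomains, not for look-alikes."""
    domain = domain.lower().rstrip(".")
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def is_internal_peer(peer_ip):
    """True when the connecting SMTP peer is one of our own relays."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in INTERNAL_RELAYS)


def inbound_verdict(peer_ip, raw_message):
    """Return 'accept', 'flag' or 'reject' for a message received from peer_ip."""
    if is_internal_peer(peer_ip):
        return "accept"  # the rule only constrains mail arriving from outside
    from_headers = message_from_string(raw_message).get_all("From", [])
    if len(from_headers) != 1:
        return "reject"  # missing or duplicated From: what the user sees is ambiguous
    display, address = parseaddr(from_headers[0])
    if "@" not in address:
        return "reject"  # unparseable sender
    if is_internal_domain(address.rpartition("@")[2]):
        return "reject"  # external source claiming an internal address
    # An internal address placed in the display name passes the rule above,
    # so surface it for review instead of silently accepting it.
    for token in display.split():
        token = token.strip("<>()\"',;")
        if "@" in token and is_internal_domain(token.rpartition("@")[2]):
            return "flag"
    return "accept"


if __name__ == "__main__":
    for name in ("SPOOFED", "SUBDOMAIN", "DISPLAY_TRICK", "LOOKALIKE", "TWO_FROM"):
        print(name, inbound_verdict("203.0.113.7", globals()[name]))
```

Any outside service that legitimately sends mail as the internal domain has to be added to the relay list, or its messages will be rejected by this rule. SPF and DMARC records let a domain publish the same policy so that other receivers can enforce it as well.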

European Court of Justice rules against UK on data retention


The Court of Justice of the European Union (familiarly known as the European Court of Justice or ECJ) issued a judgment this week explicitly against laws in the United Kingdom and in Sweden that require telecommunications service providers to collect and retain data about telephone calls and other electronic communications (for 12 months in the UK law and for six months in the Swedish law). In its ruling, the ECJ found that the British and Swedish data retention regulation “prescribes general and indiscriminate retention of data” in a manner inconsistent with norms of democratic society and, in particular, with privacy protections for electronic communications included in European Council Directive 2002/58/EC. The Court’s ruling makes clear that it is possible for European Union member nations to establish targeted data retention rules for specific purposes, such as supporting criminal or anti-terrorism investigations, but the December 21 judgment further clarifies interpretations of EU policy since the Court ruled invalid the EC-wide Data Retention Directive in 2014.

EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Member States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary.

To put this recent ruling in context, a little history may be in order. Even those with only a casual interest in personal privacy protections are often aware that, in general, regulations governing the collection, use, and disclosure of personal data are stronger in the European Union than privacy regulations in the United States. Despite those overarching privacy protections, enumerated in multiple EC Directives dating at least to 1995, the European Parliament and the European Council established Directive 2006/24/EC in March 2006 to harmonize member countries’ retention of data related to electronic communications services. The 2006 Directive concerned location and telecommunications metadata that could be used by law enforcement authorities or other authorized entities to identify the source and destination of electronic communications (including telephony services and Internet transmissions such as email) and the identity of the subscriber or registered user initiating such transmissions. Individual countries were free to establish their own specific retention periods, but Directive 2006/24/EC set the minimum at six months and the maximum at two years. Laws such as the Swedish regulation addressed in this week’s ECJ ruling were crafted specifically to conform to the guidelines in 2006/24/EC.

Directive 2006/24/EC was in effect for approximately eight years; in April 2014 the ECJ declared the data retention directive invalid, largely because it did not require any “differentiation, limitation, or exception” in the collection of electronic communications data nor did it ensure that government authorities could only use the collected data for preventing, detecting, or prosecuting serious crime. The Swedish case brought to the ECJ challenged a law that was enacted prior to the 2014 ruling invalidating 2006/24/EC, while the UK case concerned the Data Retention and Investigatory Powers Act of 2014, which was enacted specifically in response to the invalidation of the EC data retention directive. Dubbed the “snoopers’ charter” by opponents, the UK law requires telecommunications carriers and Internet service providers to hold data about all electronic communications by subscribers or users for a period of 12 months. While many national data retention laws (and Directive 2006/24/EC) exclude the content of electronic communications, news reports about the UK law suggest that service providers would be required to retain, and to make available to law enforcement, details such as the Internet websites individuals visit and the applications and messaging services individuals use. The UK efforts to increase this type of data retention stand in stark contrast to actions by other EU nations in the years while 2006/24/EC was still in effect, such as the rejection by the German Federal Constitutional Court of a data retention law that had been designed to comply with the EC Directive. As for the U.S., while there is no mandatory data retention law currently in place, Congress has tried several times to enact these rules, including failed efforts in 2009 and 2011, and U.S. law enforcement authorities have well-established legal procedures under the Stored Communications Act to access any data or records that electronic communications providers choose to maintain for their own business purposes.

After Yahoo! breach, can users do anything to protect their online data?

After news broke last week that online services giant Yahoo! had suffered a data breach resulting in the compromise of account information on 500 million users, customers were left wondering how the breach would affect them while news organizations and industry observers heaped criticism on the company. Yahoo!’s public disclosure of the attack against its user database, which reportedly occurred at least two years ago, comes in the midst of the company’s efforts to sell itself to Verizon, which said it learned of the breach at about the same time the public did. Subsequent news reports have charged that Yahoo! business executives, including CEO Marissa Mayer and Senior VP Jeff Bonforte (who has responsibility for Yahoo! email services), made public pronouncements and took actions that seemed to indicate that cybersecurity was a high priority, but in reality chose to de-emphasize security in favor of strategies to retain current users. This approach stands in strong contrast to other major online services providers such as Google that have suffered attacks (and compromises) in years past and responded by aggressively investing in rolling out stronger security controls, including protection for email messages and user account data.

The group that seems most overlooked in the aftermath of the breach is Yahoo! customers. As the New York Times and other media sources have reported, executives including Mayer chose not to implement even widely-accepted practices such as automatically resetting user account passwords when a breach occurs. This is of course problematic when account credentials for email services are compromised, because end users may not be able to receive communications from the breached company if their password is changed and such changes would normally be communicated to them via email. Yahoo! apparently also chose not to pursue end-to-end encryption for its messaging services, because doing so would eliminate the company’s ability to scan message content for use in pitching services to customers. This leaves users more or less on their own to take corrective action, where the guidance remains pretty much the same whether we’re talking about Yahoo! or any of the many other online companies that have suffered data breaches that compromised usernames, passwords, security questions, or other personal or credentialing information. Users sticking with Yahoo! should at the very least change their account password and the passwords of any other online accounts that are set up with the same username and password. Many articles recommend keeping an eye on your accounts to try to identify any unexpected activity, but for Yahoo! customers it seems more likely that the data disclosed about Yahoo! users would potentially be put to use in account penetration attempts against other online providers (particularly those where the account username is a Yahoo! email address). Lastly, while it is not always an easy or consistent option, one of the best ways to limit the value of breached account credentials is to add two-factor authentication, although even with this additional level of protection accounts that use the same login credentials may continue to be at risk.

Delta and other air carriers show how not to do disaster recovery

The August 8 systemwide outage suffered by Delta Airlines – attributed to a power failure at the company’s primary data center – is merely the most recent of a string of technology-related problems significantly affecting operations of major air carriers. In just the past 13 months, United (July 2015) and Southwest (July 2016) lost the use of their computer systems due to problems blamed on faulty network routers and Delta last week joined JetBlue (January 2016) in experiencing data center power failures. The predominant response from the IT industry is both surprise and disappointment that mission-critical airline operations systems do not seem to have reliable or effective continuity of operations or failover capabilities in place, whether in the form of backup power generation in data centers or redundant hardware or software systems. All of the recent outages highlight single points of failure for the airlines, which not only show poor design but also seem completely unnecessary given modern computing resources.

Conventional disaster recovery and business continuity planning begins by assessing the criticality of the business processes that information technology systems, networks, and infrastructure support. Alternate processing facilities (like secondary data centers) are categorized as “cold”, “warm”, or “hot” sites according to how rapidly the alternate facility can take over for or establish at least some level of business operations when the primary facility has an outage; hot failover is the most immediate, often entailing fully redundant or mirrored systems in two or more data centers that can work together or individually to keep systems available. In addition to alternate processing capabilities, most modern data centers – whether owned and operated by companies themselves (like Delta) or by outsourcing providers like Dell, HP, or Verizon (the last of which is used by JetBlue) – have redundant network and power connections as well as battery and generator-based backup power to try to avoid precisely the type of failure it seems affected Delta. Various news reports of the Delta outage have noted that many of Delta’s key operational systems, including the ones that failed on August 8, run out of a single Atlanta data center, dubbed the Technology Command Center, and have speculated that Delta chose not to implement an alternate processing site. Based on what happened on August 8, it seems fair to say that either Delta does not in fact have a secondary facility or, if it does, any automated failover procedures that are designed to shift operations to a secondary facility did not work as intended. Whether due to poor planning, misplaced financial priorities, or lack of disaster recovery testing, the events of the day provide clear evidence that Delta’s systems are neither reliable nor resilient in the face of unanticipated problems in the Atlanta facility. 
There seems to be some disagreement as to whether a power outage or an equipment malfunction was actually the cause of the outage, but neither of those issues should have brought Delta’s systems down if the company had implemented the sort of IT redundancy that is common among major commercial enterprises. Even when redundancy has been built in, the importance of testing cannot be overstated; without regular disaster recovery testing companies may operate under a false sense of security, until they actually encounter a problem and find that their failover mechanisms don’t work. This is apparently the case for the Southwest Airlines outage, which was blamed on a network router that began functioning improperly but did not actually go offline, with the result that existing backup systems were not activated to take over for the malfunctioning router.

The apparent fragility of air carrier IT systems has raised concerns within the federal government, as seen this week in a letter from Senators Edward Markey and Richard Blumenthal, both members of the Senate Commerce, Science and Transportation Committee, to Delta CEO Ed Bastian (the letter was also sent to executives at a dozen other airlines) asking for information about the state and general resilience of the airlines’ IT systems, their potential susceptibility to failure due to power or technology issues or to cyber-attack, and the effect on traveling members of the public when outages occur. Commercial air carriers’ IT systems are not explicitly considered part of the nation’s critical infrastructure (although aviation is part of the Transportation Systems Sector defined as critical infrastructure by the Department of Homeland Security) but Sens. Markey and Blumenthal emphasize the responsibility that Delta and other carriers have to ensure the reliability and resilience of their IT systems, especially in light of the large-scale consolidation of U.S. airlines. Many industry observers point to airline mergers, and in particular the need for merged carriers to integrate disparate IT systems, many of which rely on “legacy” technologies that may not have been designed for or easily adapted to high-availability deployments. It seems quite likely that the diversity of systems and technology characterizing many carriers post-merger makes their systems more vulnerable and makes business continuity planning more complicated than it would be with a more homogeneous IT environment, but there is nothing in the recent airline outages to suggest that merger-related IT integration had anything to do with the problems that brought flights to a standstill.