Abstract
The issue of whether an Internet Service Provider should be required by law
to track and log the use of its services by its subscribers is a complicated
one. On one side is the view that favors personal privacy in spite of the risks,
and on the other is the belief that, given our country's vulnerabilities to informational
attacks, the costs are worth it. The idea has been considered and rejected by
the government of the United Kingdom. Implementing the tracking of its users
requires significant costs for the provider of internet services, which is already
an industry struggling with diminishing profits and increasing competition
from other companies and newer technologies. However, some would argue that the
long-term costs of not regulating how service providers track their users will
be far higher to society and the information industry itself.
Randy Stauber
Should an Internet Service Provider be Required by Law
To Monitor the Use of Its Services By Users?
The Pros and the Cons
The attack against the United States of America on September 11, 2001 has
brought the vulnerability of our country to terrorist attacks to everyone's
attention. Certainly the physical security of our airline industry and our borders
is on everyone's mind. But the threat of attacks on the information
infrastructure of this country is also a widespread concern. According to
Information Security Magazine's Ed Skoudis, in his November 2002 article
"InfoSecurity's Worst Nightmares", the two worst internet security
attacks, Code Red and Nimda, occurred in July 2001 and shortly after the September
2001 attack respectively. The recentness of these and other large attacks has
kept the threat of malicious computer security attacks looming large in the
public consciousness.
This awareness of the risks involved with doing business on the web has undoubtedly
lessened the growth of e-commerce. The textbook Security, Rights
and Liabilities in E-Commerce by Jeffrey H. Matsuura (2001) says on page 6: "Failure
to devote that level of attention to e-commerce security will thwart the growth
of the digital marketplace."
"E-commerce creates considerable concern in the minds of the public,"
commented Charles Colby, President of Rockbridge. "Consumers are worried
about the privacy and security of their online transactions; more than half
(58%) do not consider it safe to do any kind of financial transaction online." [1]
________________
[1] Beale, Matthew & Greenberg, Paul, E-Commerce Times, "Industry
Heavyweights Tackling Online Security Issues". Retrieved April 15, 2003
from: http://www.ecommercetimes.com/perl/story/1422.html
According to MSNBC:
“And a fairly large number of Web surfers, 68.6 percent,
bought something online in the third quarter, up from 67.4 percent in
the holiday quarter 2001. However, the majority of people don’t
trust that their personal information is secure when they make an online
purchase. High-profile publicity about online credit card fraud, identity
theft and concerns about Web merchants who don’t protect personal
information has made consumers wary of e-commerce, the survey found. Barely
one-fifth, or 21.2 percent, of wired Americans in the third quarter believed
that their personal information was secure when they shopped online…”
So if ISPs are on-ramps to the information highway, shouldn't we require
that they get the IDs of the drivers, rather than letting their users
cruise in anonymity? Like a highway, the internet has users with different motivations.
Some people are on the highway to go to work and others are on the way to commit
crimes. And the fact that every user of the highway system can be immediately
identified by law enforcement by calling in their prominently displayed license
plate is reassuring. In fact, I would say that it is more than reassuring; I
would consider it to be an absolute necessity. So doesn't the
same simple logic apply to the Information Highway?
Certainly, when you think of the infrastructure of the internet, it is
the ISPs that would logically identify the internet users, because they have
an account and the hardware address of the user's NIC card in their configuration
of the connection.
However, it is not that simple. In addition to the Fourth Amendment personal
privacy concerns about illegal search and seizure, there is the fact that, because
of the global nature of the internet, the United States government at any level
cannot mandate that all users of our public national information resources
be tracked. In fact, you could say that our internet resources are only
as secure as the least secure country's internet policies in the world.
If we implement a national requirement to track the users of providers' services,
there is no guarantee that the rest of the world will follow suit. And as long as
a noncompliant country has internet access, its citizens would potentially
represent non-identified users of the information resources of this country.
In fact, the two large worldwide computer attacks mentioned above, Code Red
and Nimda, are thought to have originated in China, or more specifically,
North Korea. Mr. Skoudis reassuringly tells us: "Rumors floated that China
released Nimda to measure the response of the U.S. to a cyberattack. Not likely,
given the nature of Nimda. While it was bad, it had the appearance of being
written by a determined amateur, not a nation-state reported to spend $1 billion
annually on cyberwarfare capabilities." I wonder if I am alone in finding
that information less than comforting.
At this point we have established that due to the global nature of the internet
we cannot force service providers to track and keep logs of their users. We
have established that the intent of some of the users will be outside of the
law. But just what motivates these “hackers”?
In his book Network Security Jumpstart, Matthew Strebe (2002) defines a hacker
as someone who attempts to gain access to a computer system without authorization.
He further explains that "hacker" originally meant simply an adept computer user,
and some highly advanced computer users still proudly use the term to describe
themselves today. However, as he does in his book, I am limiting my use of
the word in this paper to refer only to the newer negative meaning of the word.
And like him, I will attempt to address the motivation of these individuals.
Mr. Strebe classifies hackers into seven categories by their motivation: security
experts, script kiddies, underemployed adult hackers, ideological hackers, criminal
hackers, corporate hackers, and disgruntled employees. Due to the differences in their motivations, they
all represent different levels of threat to the information resources existing
on the Internet.
The first group, security experts, don't enter computers without authorization,
but they do understand how to and practice on their own test networks. Script
kiddies are usually students who joyride looking for opportunities. These represent
the vast majority of hackers, and they commonly look for ways to circumvent
copyright restrictions to share music and programs. Underemployed adult hackers
are often former script kiddies who have either dropped out of school or have
failed to find full-time employment. They write the majority of viruses and hacking
tools. Ideological hackers are more common overseas, but the people responsible
for the recent defacement of pro-terrorist news sites from the Middle East are
also in this group. Criminal hackers' main motivations are theft, revenge or
the sheer satisfaction of causing damage. These are the ones that are sometimes
in the newspapers who have stolen credit card numbers, performed wire transfers
from banks or hacked banks' internet web services to steal money. Corporate spies
are actually rather rare because large companies put more effort into protecting
corporate assets. The most frequent example of this is foreign governments stealing
from high-tech start-up companies. Disgruntled employees are often the most
dangerous of all, with revenge for a motive, due to their knowledge of the inner
workings of their former companies.
So now that we've established that hackers can cruise the web while unidentified
and that they have varied but strong motivation to take advantage, just how
big a problem is this? According to the 2002 CSI/FBI survey, ninety percent of
the respondents (primarily large corporations and government agencies) detected
computer security breaches within the last twelve months. Additionally, eighty
percent acknowledged financial losses due to computer breaches.
While these numbers are high, surprisingly, the majority of companies can't
quantify their financial losses. But forty-four percent were willing and/or
able to quantify their financial losses. These companies' respondents
reported $455,848,000 in financial losses. The majority of the losses were due
to the theft of proprietary information.
So with these eye-opening statistics, how much of this is due to people
who take advantage of the fact that they can't be identified on the internet?
While that question is a difficult one to answer with certainty, in the CSI/FBI
survey more respondents (74%) cited their Internet connections as a frequent
point of attack than cited their internal systems as a frequent point of attack
(33%).
As alarming as these figures are, it is likely that the majority of company
losses remain undiscovered and unreported. This is because it is
easy for a company not to be aware that it has been compromised, and also
because the people responsible don't feel that it is a good
idea, career-wise, to report the information. In fact, even if the loss is reported,
upper management often would rather leave the damage unreported because
of the negative publicity and the difficulty of identifying and prosecuting the
responsible individuals. Indeed, in many parts of the world this type of theft
remains legal or very low on the local law enforcement's agenda. This makes this
type of crime impossible to prosecute effectively.
In light of this problem, the Bush administration has recently made it more
likely that ISPs in this country will track their users' service usage. In recent news:
"The U.S. government sided with the recording industry in its dispute with
Verizon Communications Inc. on Friday, saying a digital-copyright law
invoked by record labels to track down Internet song-swappers did not
violate the U.S. Constitution. The move, while expected, came as a blow
to the Internet provider as it struggles to shield its customers.
"We would have expected they would have recognized there are important
privacy and safety issues beyond the narrow copyright claims here,"
Verizon Vice President Sarah Deutsch, who is also associate general counsel,
told Reuters.
Verizon and a recording-industry trade group have been in court since
September, arguing over whether Verizon should be forced to help crack
down on the online song-swapping that record labels blame for a decline
in CD sales. The Recording Industry Association of America says Verizon
is required under law to help its members protect their copyrights. Verizon
says it is willing to help, but that the law only applies to Web pages
stored on its computers, not the "peer to peer" networks like
Kazaa that merely travel across its wires. Verizon argues that the law
in question, the 1998 Digital Millennium Copyright Act, known as the DMCA,
violates free-speech and due-process rights protected by the U.S. Constitution." [2]
________________
[2] Sullivan, Andrew, Reuters News Service. Retrieved April 19, 2003 from http://www.washingtonpost.com/wp-dyn/articles/A53387-2003Apr18.html
On the same day (April 19, 2003) Security Focus, an online security company
involved in all aspects of computer security, published the article by the well-known
security writer Kevin Poulsen, "Use a Honeypot, Go to Prison?".
In it he details the laughable but true argument that tracking hackers and identifying
them violates their constitutional right of privacy:
"Using a honeypot to detect and survey computer intruders might
put you on the working end of a federal wiretapping beef, or even get you
sued by the next hacker that sticks his nose in the trap, a Justice Department
attorney warned Wednesday.
An increasingly popular technique for detecting would-be intruders, a
honeypot is a type of hacker flypaper: a system that sits on an organization's
network for no other purpose than to be hacked, in theory diverting attackers
away from genuinely valuable targets and putting them in a closely monitored
environment where every keystroke can be analyzed.
But that monitoring is what federal criminal law calls "interception
of communications," said Salgado, a felony that carries up to five
years in prison. Fortunately for honeypot operators, there are exemptions
to the Federal Wiretap Act that could be applied to some honeypot configurations,
but they still leave many hacker traps in a legal danger zone.
[...an] exemption passed in the USA-PATRIOT Act in October
2001, but only applies to cases where the government steps in to do the
spying. The so-called "computer trespasser exemption" allows
the government to intercept the communications of a computer intruder
at the invitation of the victim.
"Everyone coming into that honeypot is a trespasser... So this
exception may work very nicely with honeypots when the government is coming
in to do the monitoring," said Salgado.
"But it has to be relevant to an ongoing investigation." And
because the Federal Wiretap Act has civil provisions, as well as criminal,
there's even a chance that a hacker could file a lawsuit against a honeypot
operator that doesn't have their legal ducks in a row. That's not as incredible
as it sounds, the lawyer said, in an interview after the presentation." [3]
________________
[3] Poulsen, Kevin, SecurityFocus, Apr 16 2003 4:44PM. Retrieved April 17, 2002
from: http://www.securityfocus.com/news/4004
In light of Title 18, United States Code, Section 1030, enacted by Congress
in 1984, which made unauthorized computer access a crime, this is an excellent
example of the prodigious amount of ambiguity in the current statutes regarding
computer security infractions.
Clearly this paper suggests that some laws regarding internet privacy need
to be changed. I believe, in terms of national security and crime reduction, that
it would be helpful for all ISPs to track the use of their services. The resulting
records should be used only for official crime investigations. Certainly, if the United States
requires internet providers to track the IDs of their users and log internet
activity, it would be costly for those providers and all of us would end up
paying higher fees. And it wouldn't force compliance on offshore providers.
As is often the case, this is a situation in which all the new laws in the
world would not necessarily eliminate or significantly reduce the problem of
internet piracy and crime. I believe congress should mandate a voluntary 5 year
period to comply with a suggested set of security measures. If at the end of
that voluntary compliance period the industry has made significant steps to
ensure that people can't anonymously commit crimes on the web using their
services, then a voluntary industry committee to enforce compliance on the remaining
recalcitrant providers should be set up. Certainly, I for one have more faith
in the industry to know how to go about this than I do in Congress. Passing
additional laws willy-nilly as Congress has been prone to do in the past has
not resulted in increased security for the nation or its inhabitants. And the
invisible hand of the market referred to by Adam Smith in his seminal work in
Economics “The Wealth of Nations” has been proven to be the best
arbitrator of good for the nation as a whole or for industries individually.
Therefore I favor a period of voluntary compliance first, without the passage
of additional legislation for now. Indeed, existing legislation needs to be
altered and reduced to be less draconian to the rights of the individual. National
defense is clearly a role suggested by Smith as a proper one for the federal
government to be involved in, and I fully concur. So this topic, unlike much
of what the mushrooming federal government has become involved with during the
last 50 years, is clearly within its purview. But in my limited experience,
new laws have never been really effective and this appears to me to be a typical
case where they won’t be.
Perhaps, after a period of non-mandatory compliance, individuals could collect
some of the losses from the network provider through arbitration. Certainly we
have enough underemployed lawyers in our society who could sit through informal
hearings at a reasonable cost. Better they do that than sit in their offices hatching
schemes to legally steal from the public as many of them do now, as has been
my experience.
References
- Beale, Matthew & Greenberg, Paul, E-Commerce Times, "Industry
Heavyweights Tackling Online Security Issues". Retrieved April 15, 2003
from: http://www.ecommercetimes.com/perl/story/1422.html
- CSI/FBI Crime Survey: "Cyber crime bleeds U.S. corporations, survey
shows; financial losses from attacks climb for third year in a row". Retrieved
April 17, 2003 from: http://www.gocsi.com/press/20020407.html
- Matsuura, Jeffrey, Security, Rights and Liabilities in E-Commerce, Artech House
Publishing, Boston, London, 2001, pp. 6-7
- Poulsen, Kevin, SecurityFocus, Apr 16 2003 4:44PM. Retrieved April 17, 2002
from: http://www.securityfocus.com/news/4004
- Skoudis, Ed, Information Security Magazine Website. Retrieved April 15, 2002
from: http://www.infosecuritymag.com/2002/nov/nightmares.shtml
- Strebe, Matthew, Network Security Jumpstart, Sybex Publishing, San Francisco,
London, 2002, pp. 25-28
- Sullivan, Andrew, Reuters News Service. Retrieved April 19, 2003 from http://www.washingtonpost.com/wp-dyn/articles/A53387-2003Apr18.html
- Weaver, Jane, MSNBC News Website. Retrieved April 18, 2003 from http://www.msnbc.com/news/821649.asp?0dm=C237T&cp1=1