Outlawing Ransomware?

Legislation has yet to catch up with technology. Perhaps, finally, legislators will begin to understand that they have some power to actually protect consumers where new technologies are concerned. There is hope coming out of California where tech law is concerned.

State legislation to outlaw ransomware is drawing broad support from tech leaders and lawmakers, spurred by an uptick in that type of cybercrime and a series of recent attacks on hospitals in Southern California.

The bill, authored by state Sen. Bob Hertzberg (D-Van Nuys), would update the state’s penal code, making it a felony to knowingly use ransomware, a type of malware or intrusive software that is injected into a computer or network and allows a hacker to hold data hostage until money is paid.

Ransomware has become a lucrative industry over the last three years, affecting schools, police departments and healthcare businesses. Trojans that work like viruses, such as CryptoLocker — which began appearing in 2013 — can be unleashed by users with few technical skills and reel in profits.

Proponents say the proposed ransomware law is the right step to counter attacks difficult to prosecute under existing statutes that are not tailored to combat computer crime. But some question just who will get caught in the dragnet, as such incidents are tough to trace and culprits are often overseas.

Victims nationwide lost more than $209 million in ransomware payments in the first three months of 2016 alone, compared with $25 million in all of 2015, according to the FBI.

But no arrests were made. Nor were arrests made in more than half a dozen ransomware incidents investigated by the Cyber Investigation Response Team of the Los Angeles County district attorney’s office, which is a co-sponsor of the bill.

Ransomware Defined

Ransomware attacks are instigated when a person clicks on a compromised website or opens an infected email. The programs encrypt files, such as photographs, videos or documents, and they cannot be accessed without an encryption key.

Security researchers first saw similar attacks in 1989, when the so-called AIDS Trojan virus locked people out of their files if they clicked through a quiz about their sexual and drug habits. Ransomware has evolved over the last decade with the creation of “police screen lockers,” pop-up screens that appear to be created by law enforcement agencies that fraudulently order people to pay fines after accusing them of downloading pirated movies or child pornography.

At the federal level, prosecutors can use the Computer Fraud and Abuse Act to target ransomware. But state prosecutors typically must pursue such cases under laws against extortion, or those that target threats to injure a person or property that have not been acted upon.


FCC Seeks To Stop RoboCalls

If you are like me you just cannot stand robocalls. If you are like me this might be the best news you’ve heard all week. The Federal Communications Commission (FCC) is now moving to protect us against these nuisance calls as well as spam texts to boot.

The FCC approved a slew of what it calls “declaratory rulings” that affirm your rights to control incoming calls from political campaigns, survey-takers, charities and the like. As part of the package, the FCC made it crystal clear that telephone companies can freely allow you to use robocall-blocking technology.

All this is in response to thousands of consumer complaints about robocalls the FCC fields every month. In fact, the FCC reported that complaints related to unwanted calls are the most typical type of grievance it receives. All told, there were over 250,000 unwanted call complaints in 2014 alone. Apparently, the FCC is tired of fielding calls about annoying calls.

Breaking down the package, the FCC gave a green light to so-called “do-not-disturb” technology. Telephone companies can offer robocall-blocking technologies to consumers and add on market-based solutions that consumers can use to stop unwanted robocalls. Consumers also have the right to revoke consent to receive robocalls and robotexts, even if they previously signed up for them. And if a phone number has been reassigned, companies have to stop calling the number after one call.

The new FCC package theoretically covers just about anything you could think of. The agency tackled third-party consent, affirmed the law’s definition of auto dialers, and reaffirmed that consumers are entitled to the same consent-based protections for texts as they are for voice calls to wireless numbers. The FCC even covered Internet-to-phone text messages and free calls or texts to alert you of possible fraud on your bank account, along with reminders of medication refills and related alerts.

How does all this impact the do-not-call list? This week’s actions make no changes to the Do-Not-Call Registry, which restricts unwanted telemarketing calls, but are intended to build on the registry’s effectiveness by closing loopholes and ensuring that consumers are fully protected from unwanted calls, including those not covered by the registry.

Will all of this help keep my home phone quiet in the evening and my inbox clear? Somehow I doubt it.


FCC Refuses to Delay Net Neutrality Ruling

The FCC appears to be serious about its new net neutrality rules, and the big broadband companies like Comcast are very, very unhappy, which in itself is probably a good thing. Laws may finally be catching up with internet and broadcasting changes.

The U.S. Federal Communications Commission has denied the requests of several broadband providers and trade groups asking the agency to delay its net neutrality rules.

The FCC, late Friday, denied petitions for a stay of its net neutrality rules from Daniel Berninger, founder of the nonprofit Voice Communication Exchange Committee, the American Cable Association, the National Cable and Telecommunications Association, USTelecom, the Wireless Internet Service Providers Association, AT&T and CenturyLink.

Berninger asked the FCC to delay its entire net neutrality order, which had earlier been approved in February, while the trade groups and broadband providers sought a delay in the portion of the order reclassifying broadband from a lightly regulated information service to a regulated common carrier.

The groups had asked the FCC to delay the rules from going into effect while courts deal with seven lawsuits challenging the regulations.

Public Knowledge, a digital rights group, praised the FCC for denying the request. Reclassifying broadband under Title II of the Telecommunications Act would enable the FCC to enforce several consumer protections, the group said.

The group further suggested that the net neutrality rules will hinder deployment of broadband.

The Telecommunications Industry Association, a trade group for the manufacturers and suppliers of broadband networks, said it was disappointed with the decision. The FCC refused “a fair and reasonable request to delay the imposition of sweeping new regulations of the Internet,” the group said in a statement.

The FCC is obviously having none of the broadband groups’ combined argument. That’s what decades of negative press and horrendous customer support will get you.


Net Neutrality Faces More Challenges

The FCC’s net neutrality ruling is going to need to endure some challenges in order to survive. To be specific, since the FCC ruling was filed, 7 lawsuits have been launched.

The new net neutrality rules, which I believe for the most part are appropriate and necessary, were approved by the FCC on February 26 and would prohibit broadband and mobile carriers from selectively blocking or slowing Web traffic. The rule reclassifies broadband as a regulated telecom service, instead of treating it as a lightly regulated information service, as the FCC has done for the past decade.

These lawsuits are to be expected because “old ways” always die a hard death.

CenturyLink, a broadband provider, has now joined the list of 6 other ISPs and trade groups suing the U.S. Federal Communications Commission over its net neutrality rules.

The company objected to the FCC’s reclassification of broadband from a lightly regulated information service to a more heavily regulated common-carrier service. CenturyLink spends hundreds of millions of dollars a year to “build, maintain and update an open Internet network and does not block or degrade lawful content,” it said in a statement.

The common-carrier regulations, dating back to the 1930s, “not only have no place in the 21st century economy, but will chill innovation and investment,” the company added.

The FCC is confident it will prevail in the lawsuits, Chairman Tom Wheeler said Friday.

CenturyLink, based in Monroe, Louisiana, is the third-largest telecom carrier in the U.S. It acquired Qwest in 2011, and it has about 5 million broadband customers, with its presence the strongest in the U.S. South, Mountain West and parts of the Midwest.

The six other lawsuits come from two ISPs, AT&T and Alamo Broadband, and trade groups CTIA, the United States Telecom Association (USTelecom), the National Cable and Telecommunications Association and the American Cable Association. Alamo and USTelecom filed lawsuits in late March, with the trade group refiling its suit on Monday. AT&T and the three other trade groups filed lawsuits on Tuesday.


Congress Continues to Act on Cyber Threat


The federal government is obviously, finally, trying to at least address the growing cyber threat we all face. The U.S. Congress is working on several forms of legislation, the latest of which attempts to address the sharing of potential threat information.

The U.S. Congress is moving forward with legislation that would encourage private companies to share cyberthreat information with government agencies, despite concerns that two leading bills weaken consumer privacy protections.

The House of Representatives Intelligence Committee voted Thursday to approve the Protecting Cyber Networks Act (PCNA), just two days after the bill was introduced.

The House bill “is a cybersurveillance bill at least as much as it is a cybersecurity bill, and it is written so broadly that it could wind up making the Internet less safe,” Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute [OTI], said by email.

The PCNA requires government agencies to “automatically and indiscriminately” share information they receive with military and intelligence agencies, OTI said in a critique of the bill. The bill would allow other agencies to pass cyberthreat information to the FBI and the National Security Agency, where “it could be used in investigations that have absolutely nothing to do with cybersecurity,” Greene said.

While the PCNA limits what personal information businesses can share with government agencies, it does not actually require companies to remove all personal information, OTI added. In addition, the bill authorizes companies to monitor all activities and communications of users as a way to identify threats, OTI said.

The House bill would “explicitly undermine every rule that is currently in place to protect Americans’ Internet privacy, and replaces them with dangerously weak protections,” Greene added. “It would massively increase companies’ monitoring of our online communications and activities, and give them a nearly blank check to share that information with the government.”

The bill came after several months of negotiations that included privacy groups, Schiff said through a spokesman. The committee addressed the main concerns raised by privacy groups, he added. The bill requires companies to remove personal information before sharing information with the government and limits the way government can use the data, he said.

The bill also does not authorize offensive countermeasures against attackers, he noted, even though that would be permitted in other information-sharing proposals.

“Protecting privacy was at the forefront during the process of crafting this bill, and I’m pleased by the progress we’ve made,” Schiff said.


New FCC Regulations for Net Neutrality Arrive

This week the U.S. Federal Communications Commission released its 400-page net neutrality order. It includes a long legal defense of the commission’s vote last month to reclassify broadband as a regulated telecommunications service.


While the order is long, the actual changes to the Code of Federal Regulations that the FCC approved amount to only eight pages, running from pages 283 to 290.  An executive summary describing the changes runs from page 7 to page 18.

Here are the highlights of the new FCC regulations.

  • Broadband providers are prohibited from blocking or throttling legal Web traffic and from accepting payment to prioritize traffic.
  • The order justifies a “catch-all” standard against these potential broadband provider actions by actually quoting statesman Benjamin Franklin: “A little neglect may breed great mischief.” 
  • The FCC will also police future broadband practices. The commission will prohibit, on a case-by-case basis, “practices that unreasonably interfere with or unreasonably disadvantage the ability of consumers to reach the Internet content, services, and applications of their choosing or of edge providers to access consumers using the Internet.”
  • The commission will allow broadband subscribers and Web companies to file complaints about net neutrality violations.
  • Broadband access is now a regulated telecommunications service, subject to some rules governing the traditional telephone network.
  • The commission, however, will forbear from applying large parts of Title II of the Telecommunications Act, the portion of the law that covers regulated telecom services, to broadband providers. “This is Title II tailored for the 21st Century.”
  • The order does not apply the new rules to back-end interconnection agreements among ISPs, backbone providers and Web services like Netflix. It does, however, allow the commission to regulate those deals in the future. [Pages 10 and 11.] While the FCC has more than a decade of experience looking at last-mile broadband practices, it lacks a “similar depth of background in the Internet traffic exchange context.”
  • Reasonable network management by broadband providers is allowed, but defined as a practice with a “primarily technical network management justification.”
  • Mobile broadband is subject to the same net neutrality rules as fixed broadband.
  • Mobile data plans that allow for sponsored data, for example, music downloads not counted against a data cap, are not prohibited by the order. The commission will address mobile data caps on a case-by-case basis.
  • So-called specialized services that do not provide Internet access, including some VoIP services, online heart monitors and energy consumption sensors, are not covered by the rules.


FCC Steps In To Tighten Hacking Laws

One of the problems surrounding hacks to companies such as Target and Staples is the serious delay in announcing the security breach to their customers. In almost each and every case the public announcement is delayed by weeks and sometimes even months. It is this delay in publicly announcing the security breach that makes the problem worse. Because of these delays customers’ data very often remains at risk for longer than it should. This is where the federal government needs to take a role, and it looks like this may actually happen.

President Obama is also likely to propose rules that prohibit technology companies from profiting from information collected in schools, according to a report yesterday in the New York Times, which quoted White House officials.

The proposed federal law on data hacks, which the president is expected to discuss in a speech to the Federal Trade Commission, is expected to require companies to report within 30 days of finding that their data has been hacked. The new law will more than likely specify when breaches must be disclosed and make it a crime to sell a person’s online information abroad. The FTC would have the authority to penalize companies which fail to comply with the new law.


Mobile Phone Privacy Gets Protected

The Supreme Court of the United States said last Wednesday that police officers must have a warrant before searching the cell phone contents of an individual under arrest.

The Supreme Court was unanimous in its decision to give cell phones of all kinds special privacy protections. [Image Source: Art Lien]

In a unanimous ruling announced Wednesday, June 25, 2014, the high court settled two cases surrounding instances in which law enforcement officials scoured the mobile phones of suspects in custody and then used information contained therein to pursue further charges.

Here is a sample of some important language from the ruling:

“The police generally may not, without a warrant, search digital information on a cell phone seized from an individual who has been arrested,” the Supreme Court ruled.

“Modern cell phones are not just another technological convenience,” the court continued. “The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought. Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple — get a warrant.”

This is a big win, and a long time coming, for protecting our digital privacy, moving our laws into the 21st century and working to get them on pace with technology trends.

The high court’s decision last week stems from two cases in which individuals received extended prison sentences due to convictions that may not have been possible had police not accessed their cell phones to gather evidence. In both instances, a warrant was neither requested nor issued to search the contents of the arrestees’ phones.

This is yet another example of the laws governing our land being outdated where technology is involved. Cell phones and now smart phones have been around for a couple of decades, and only now are some of the same protections that have been applied and demanded in other areas (like land line phones) being adopted to address the actual technology we all use today.

You can read the Riley v. California ruling here.


Regulation Coming to Map Apps?

Can’t we just use gadgets without new laws being imposed on us? I do admit I have been “distracted” while driving from time to time with the GPS on my phone. Just ask my wife. However, I am not sure the federal government getting involved is really the best thing. I have also been unfortunately distracted with my satellite radio at one time or another. Should the government regulate that as well?

All of this being understood, more regulation on the highway is where we may be heading, as this recent report suggests.

The distracted driving debate is about to get very interesting. The New York Times is reporting that the U.S. Department of Transportation (DOT) is looking to step in and start regulating all in-car navigation devices, including those on our smartphones.

A new bill proposal would give the National Highway Traffic Safety Administration (NHTSA) the authority to set guidelines for how smartphone apps actually provide in-car navigation services to drivers. The NHTSA is concerned that users can become distracted when using the current generation of apps, and that such apps should be regulated if further study determines them to be an actual “dangerous” distraction.

Not surprisingly, automobile manufacturers are fully behind the government on this proposal, as many already voluntarily adhere to strict guidelines regarding distracted driving (this is why navigation-equipped vehicles pop up a warning screen when you start the vehicle, or lock you out from entering a new destination or changing a destination while the vehicle is in motion).

I assume that it is these types of restrictions that the NHTSA would want imposed on the “maps” apps on smartphones. This could be a good idea, but it does make me nervous.

Meanwhile I see motorcyclists every day on the roadways without helmets.  


Email Privacy Act Has Life

Cloud providers may have some relief soon from the federal government when it comes to protecting the privacy of their customers’ information. The problem today is that law enforcement can, and often does, request or demand email communications without a warrant, and of course service providers are placed in a very difficult position every time this happens.

However, a far-reaching bill that would require the government to actually obtain a warrant to search through people’s emails (imagine that) and other online communications has found support in the U.S. House of Representatives.


The Email Privacy Act, introduced by Reps. Jared Polis (D-Colo.) and Kevin Yoder (R-Kans.), now has 218 co-sponsors — the number needed for the bill to pass if it is brought up for a vote in the House.

The bill (H.R. 1852) strives to update the privacy protections for electronic communications stored by Internet Service Providers (ISPs) and other third parties.

An Outdated Law

Many have suggested that the law governing data, as defined in the Electronic Communications Privacy Act (ECPA) of 1986, is inadequate and outdated. This 28-year-old act allows law enforcement authorities and government officials to access emails and other online communications stored by third parties without a warrant.

Cloud providers and other technology vendors have been pushing for changes to how the government can ask for customer data.

Catching the Law Up With Technology

The proposed Email Privacy Act would amend the outdated ECPA and prohibit a third-party service provider from divulging a customer’s communication records to law enforcement officials without a warrant obtained under the Federal Rules of Criminal Procedure or state warrant procedures.

The problem here is that technology has greatly outpaced the written law since 1986. Email and other electronic communication was in its infancy in the mid-1980s, and the law governing its use and protection has not been accurately adjusted since then.

To make matters worse, many of our lawmakers do not have a good understanding of technology standards and trends, and therefore laws which are intended to protect citizens often lag when technology services are involved.

With the support for H.R. 1852 by the U.S. House of Representatives, perhaps we are on the road to our laws catching up with technology, at least for the time being.
