Category: Legal

That didn't take long

Verizon is facing a $5 billion lawsuit over its alleged law-breaking. The NYT reports today that this suit may actually involve as much as $50 billion in damages. Previously, a $20 billion suit had been filed regarding the aspects of the NSA program that had become publicly known in December.
Interestingly enough, when you don’t take into account the downside of engaging in a criminal conspiracy enterprise of questionable legality, it may have ramifications for your shareholders and executives. I wrote about this elsewhere, but it looks like this angle may have increased relevance here at EC.

Tip of the iceberg

A former intelligence officer for the National Security Agency said Thursday he plans to tell Senate staffers next week that unlawful activity occurred at the agency under the supervision of Gen. Michael Hayden beyond what has been publicly reported, while hinting that it might have involved the illegal use of space-based satellites and systems to spy on U.S. citizens.
[Tice] said he plans to tell the committee staffers the NSA conducted illegal and unconstitutional surveillance of U.S. citizens while he was there with the knowledge of Hayden. … “I think the people I talk to next week are going to be shocked when I tell them what I have to tell them. It’s pretty hard to believe,” Tice said. “I hope that they’ll clean up the abuses and have some oversight into these programs, which doesn’t exist right now.”, quoting from National Journal
Italics (but not bold) supplied by me.
Note to AM: Apropos of your comment many posts back, this story exists due to those in the trenches.

NSA Call Tracking Legality

There are times you just have to defer to the lawyers. So I shall.

In deferring to lawyers, I can get away with a link to Kip Esquire, who has great analysis in “Are We At ‘Worse than Nixon’ Yet?”

Tomato-bait by Hokiefacs, on Flickr.

Half empty

I think Adam is too kind to Arizona’s new breach law.
My issues have to do with how various elements of the law might be interpreted:
“materially compromises”: Maybe I am reading too much Sarbanes-Oxley stuff and my sense of what constitutes materiality has been warped, but I would need to be reassured that this term means something “smaller” than it does in the SOX context. I realize this language is present in practically all breach laws, as well as HIPAA, etc.
“acquisition and access” — so if I simply hack in (gain “access”), but the audit trail doesn’t show that I did “acquire” PII, you get to keep quiet? How would acquisition be established?
“substantial economic loss” — So credit card numbers are no biggie, since liability is limited to an insubstantial amount?
“reasonably likely” — So, losing the PII of a bunch of people with no credit history, or those who have been demonstrated (by ID Analytics, or even the FTC) to be unlikely victims (like children on public assistance, say) gets you out of notifying?
I am leery of all these weasel words, and can envision a situation in which it would be in a firm’s interest to figure out just how big a truck could be driven through any of these possible loopholes.
Also, based solely on Adam’s excerpt, I do not see much difference between the CO and the AZ laws. Each has a ‘reasonably likely’ standard. In fact, I think AZ may have a higher notification threshold overall — reasonable likelihood of substantial economic loss. CO requires reasonable likelihood of misuse. Not all misuses cause substantial economic loss. I would like to know more about case law on these matters. Is there a lawyer in the house?
Ultimately, I guess I am not sure that these so-called new norms are actually norms. The fact that proposed national legislation is weaker than the best from the states shows me that the pendulum is swinging back, or is at least being nudged that way by folks who believe they have a lot riding on this.

Here’s to you, New York

I’ve mentioned before that other than New York, only New Jersey requires that security breaches involving personal identifying information be reported centrally.
I hazarded a guess at the time that, unlike NY, NJ would not respond favorably to a freedom of information request for such records, because the mandated reporting is to the state police, whereas in NY it is to (among others) the Consumer Protection Bureau.
Well, New Jersey has indeed responded to my request for such records under their Open Public Records Act — Denied. The records I sought “are considered criminal investigatory records and are exempt from disclosure”, according to Sgt. Jeanne Hengemuhle, Government Records Custodian for the NJ State Police. Just as I suspected.
I had previously received hundreds of pages of material from NY after making an identical request. This was done promptly, and at no cost to me. I think they even answered the phone on the first ring when I called to ask to whom my request should be addressed :^).

The Costs of Torture

I usually try to cut down quotes. This essay by Siva Vaidhyanathan in Slate’s Altercation is worth quoting at length:

I was wondering something. Maybe somebody could help me out here. Yesterday a federal jury decided appropriately that this country shall not execute Zacarias Moussaoui, a wanna-be-mass murderer who also happens to be a mentally disturbed megalomaniac who dearly wished to become a martyr for his twisted cause.

No one disputes that Moussaoui should be held accountable for his actions in support of what became the air attacks of September 11, 2001. But it’s clearly unjust to execute a person for deaths he did not cause (even if he had wished to) simply because he refused to incriminate himself to the FBI….

The jury had a difficult decision to make, in the face of wrenching emotional pleas by federal prosecutors and witnesses and the clear hunger we have to bring someone — anyone — to justice for these offenses.

What gets me — what I don’t understand — is why millions of my fellow American citizens, led by the families of those who lost loved ones in the attacks, are not banging down the doors of the Justice Department to bring to justice those who really did mastermind the killings of 3,000 of my neighbors. Their memory still hangs heavy in the air of my city. And we wonder why our government seems all too willing to put on a show trial of a sad peripheral character instead of pursuing real justice and — I admit it — satisfying vengeance.

Somewhere in a secret prison sits Khalid Sheik Mohammad, the mastermind of the attacks. Our government could bring him to trial either here in the United States or in the Hague. It could use the trial to demonstrate not only the terrible hatred that drives Al Qaeda to murder so many innocents around the world. It could use a trial to reveal the depth and breadth of the ideological threat that we face in coming years. It could show how we can avoid such vulnerability in the future. A Khalid Sheik Mohammad conviction would be deeply meaningful and satisfying.

Best of all, it could demonstrate to the world that despite so much recent evidence to the contrary, the United States is a nation of laws and its governmental agents are not above either our laws or international laws. The whole world thinks we have given up on the concept of justice. We could use a decent trial to show otherwise.

The reason we have not done this may be very disturbing: in our haste to be brutal and stupid, we almost certainly tortured Mohammad, rendering him unconvictable in any decent court in any decent country. We have also held him and hundreds more for more than three years without counsel, without facing charges, without a chance to respond to accusations, and without even allowing their families to know that they are in custody.

[I clicked the no comments button by accident, and have opened this post for comments.]

Live Free or Die: New Hampshire Rejects National ID

Be it Enacted by the Senate and House of Representatives in General Court convened:

Prohibition Against Participation in National Identification System. The general court finds that the public policy established by Congress in the Real ID Act of 2005, Public Law 109-13, is contrary and repugnant to Articles 1 through 10 of the New Hampshire constitution as well as Amendments 4 through 10 of the Constitution for the United States of America. Therefore, the state of New Hampshire shall not participate in a national identification card system; nor shall the department of safety amend the procedures for applying for a driver’s license under RSA 263 or an identification card under RSA 260:21

From Devvy Kidd, who has some good commentary, and also Privacy Law.


In the latest in the ongoing saga of debit cards being reissued after a breach at an unnamed merchant, 3rd-party, or card processor, we learn that unless a crook stands a chance of getting caught, he’ll keep on stealing:

These crooks get away with it, and that’s why they keep doing it. They’ve got about a one in a thousand chance of getting arrested

The quotation is from Gartner analyst Avivah Litan. I’d love to know where that 1 in 1,000 number comes from. I found a decent report [pdf] from the folks that run the Star ATM network, but couldn’t derive anything about arrest rates from it. Other than that, all my intrepid research assistant Google could find was that arrest rates are “under 5%, according to law enforcement” in about 25 different places — which is probably a factoid run amok, rather than a real number. Besides, there’s a big difference between 1 in 20 and 1 in 1000.
Anybody have any idea how such a number could be determined? Seems to me it’s rather challenging to compile for a crime likely not to be reported, and where one criminal’s arrest could clear hundreds of crimes.

The law is an ass

Nevada is one of a small number of states that actually defines the term ‘encryption’ as used in its breach disclosure law.
To wit:

NRS 205.4742 “Encryption” defined. “Encryption” means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.
(Added to NRS by 1999, 2704)

Initially, I read this as basically saying that any control used to prevent or hinder unauthorized access to data counts as encryption. After all, why would a data owner want to hinder or obstruct legitimate access? But what the heck is a “computer contaminant”? I thought maybe it meant some kind of electronic taggant — after all, this is financial stuff. I figured it might be the digital equivalent of an exploding dye packet in a cash drawer.
Nope. Basically, it means “evilware” — viruses, worms, spyware, etc. So, what we have here is a law designed to protect data from being accessed by malefactors that defines one of its key controls (encryption) as (in part) the use of malware to deprive the legitimate data owner of access to his own data!
Basically, Nevada seems to have passed their law defining encryption back when encryption was thought (by the ignorant) to be something pornographers, drug dealers, Communists, and mafiosi used. Accordingly, it is defined by statute in negative terms. Now, when it is rightly seen as a critical means of protecting “good” information and keeping it from some of the very bad guys listed above, Nevada remains saddled with their earlier definition, and IMO they look all the more foolish for it.