Articles Posted in Cybersecurity

Part I: DMV Sale of Personal Information

A group has investigated and allegedly found that the California Department of Motor Vehicles has earned more than $50 million by selling personal information of drivers to third parties without consent. This data may include names, addresses, and registration information. The DMV claims on its website that it does not sell information to advertisers or marketers for advertising or direct marketing purposes. It also claims that:

Most information acquired by the DMV is subject to public inspection under Vehicle Code Section 1808. Other statutes, regulations or laws governing subpoenas, discovery for litigation, Public Records Act requests, and commercial requestor requester accounts also apply to information gathered at this website. However, various provisions of law do prohibit or restrict the disclosure of certain electronically transmitted information such as social security numbers, residence addresses, and credit card accounts numbers. DMV also uses the information gathered on this website to help improve this website. For example, by tracking the number of website visitors, the date of visit, and the pages visited, DMV can balance resources so that the maximum number of visitors can obtain needed information. Additionally, by tracking what visitor software is being used (e.g. browser) DMV can avoid using features that visitors can not view or use.

Quantum computing technology will be affecting most of us in a direct or indirect way. We have stated in a prior article that: “A quantum computer is a highly-advanced computer system that works exponentially faster than today’s conventional computers. Quantum computing is the practice of studying quantum computers and their potential. This practice is growing and has caused the rapid decrease in the size of computers at the same time as these systems are rapidly increasing in their capability.”

Now, quantum computing has become a reality and technology companies have launched projects in order to compete in this sector. The question is how quantum computers will affect us.

First, since quantum computers are faster than conventional computers, they can break passwords or decrypt encryptions in a shorter time. This has caused concern over privacy and security which has forced companies to invest in quantum resistant cryptography. This technology and its potential ramifications on encrypted networks will also affect EU’s General Data Protection Regulation (GDPR) which outlines the rules and regulations for protecting unauthorized access. The United States government has also reacted and Congress has passed H.R. 6227 in order to implement the National Quantum Initiative Act that states as follows:

There have been cases where spammers have transmitted spam via email and text messages. These messages can include improper content, propaganda, hidden messages, and malware (e.g., virus, trojan, ransomware, adware, spyware). The spammers use the Internet Service Provider’s and user’s bandwidth to disseminate spam which results in bandwidth saturation, lost productivity, and other complications.

What is spam?

Spam is unsolicited commercial email advertisement that is sent towards recipients by third parties. An “unsolicited commercial email advertisement” means a commercial email advertisement that: (1) The recipient has not provided direct consent to receive advertisements from the advertiser; and (2) The recipient does not have a preexisting or current business relationship with the advertiser.

Internet of Things is more extensive than the Internet itself. It constitutes the combination of all electronic devices that are connected on the web and are able to communicate with each other. It is different from the Internet because it is essentially governed by information that is stored by electronic devices without human intervention. Now, smart devices can be connected through complex network systems and embedded sensors. These smart devices include, phones, refrigerators, thermostats, automobiles, or pills that allow medical professionals monitor a patient’s health status. These technological advancements enable smart devices to communicate in real time and promote the process of developing a more intelligent environment.

Artificial Intelligence is the intelligence demonstrated by machines in contrast to the natural intelligence displayed by humans and other animals. It allows machines to learn from experience, adjust to new inputs, and perform human-like tasks.  It relies heavily on deep learning and natural language processing. It uses neural networks which are a combination of software and hardware devices that are designed to emulate the operation of neurons in the human brain.

Smart Dust is a system of tiny microelectromechanical systems (MEMS) such as sensors or robots that detect light, temperature, vibration, magnetism, or chemicals. They are usually operated on a computer network wirelessly and distributed over an area to perform tasks by sensing through radio-frequency identification. This technology is able to collect and transmit data which can be uploaded to the cloud or other remote location.

Smart Dust is a system of tiny microelectromechanical systems (MEMS) which include sensors or robots that are able to detect light, temperature, vibration, magnetism, or chemicals. They are usually operated on a computer network wirelessly and are distributed over an area to perform tasks by sensing through radio-frequency identification.

The concept for this technology came from the Research and Development Corporation (RAND) and a series of governmental studies for potential military applications. This technological advancement was influenced by science fiction authors who mentioned microrobots, artificial swarm intelligence, or necroevolution. Now, this new technology is capable of collecting and transmitting data to and from specific locations. These tiny electronic devices, which are also known as motes, can detect light, vibration, and temperature. Also, the data that is collected by these devices can be uploaded to the Cloud or other remote location for processing.

Smart Dust v. Internet of Things:

In the accelerating information frenzy of the modern world, the specter of hacking has become more threatening as technology progresses.  For example, information is more accessible and vulnerable especially when it is valuable. Public and private institutions rely heavily on electronic communications and storage, which raises the stakes of a transgression.  Currently, there are legal barricades and consequences for accessing or exploiting another individual’s digital information without permission, but most are defensive, and some are largely ineffective.  The need for hacking countermeasures has been introduced and debated, but not satisfied.  International cooperation has largely helped, but is ultimately undergirded by political motive rather than principle.  To a degree, the law remains irresolute as to how to best combat online hacking and similar misconduct.

The federal government has exacted large punishments for hacking computer systems without authorization.  It defines “hacking” as accessing a computer without authorization or exceeding one’s authorization access, obtaining information that the United States government determines to be classified for reasons relating to national defense or foreign relations, or willfully communicating or attempting to communicate the information to any foreign nation, or willfully retaining the information and failing to deliver it to the officer or employee of the United States entitled to receive it.  It can be punished as a misdemeanor or a felony depending on the circumstances, resulting in a up to one year in prison and a $100,000 fine or up to ten years and $250,000, respectively.

So, hacking private companies or individuals can yield similar consequences.  Private companies are no strangers to cyberattacks.  In recent years, though, the scope of offense has broadened from companies contracted with the government or armed forces, to victims as diverse as movie studios and financial institutions.  As it stands, businesses have limited avenues to justice.  They may monitor, take defensive action, and fix whatever damage they incur on their own.  A Congressional bill recently drafted aims to allow businesses to “hack back” legally.  This can mean anything from simply tracing an attack, to identifying the attacker, to actually damaging the attacker’s devices.  However, the bill in its current form is discouragingly vague, and a company’s misstep could risk violating the same laws that were meant to protect it.  So, companies may be unwilling to take that risk.  Another criticism of the bill is that it does little to protect innocent third parties from retaliation where their systems might simply have been hijacked in a hacker’s scheme.  This concern is exacerbated by vagueness in the bill’s language allowing retaliation against “persistent unauthorized intrusion.”

In this article, we plan to discuss the Fifth Amendment implications of requirements to digitally identify oneself, for example by facial or thumbprint recognition.

The spread of data-encryption services has made the retrieval of information more difficult for law enforcement officials.  Over half the attempts the FBI made to unlock devices in 2017, for example, were thwarted by encryption.  As such investigatory bodies would have it, the government could simply compel a suspect to hand over the password.  Their biggest obstacle, however, remains to be the Fifth Amendment.

Fifth Amendment jurisprudence has come to bear on this issue in the past decade, yet remains somewhat unsettled.  Back in 1975, Fisher v. United States set a foundation for the issue.  The case involved the IRS attempting to compel the defendants to give up certain documents, which they refused on the grounds that they would be incriminating themselves, and were protected by the Fifth Amendment.  The Supreme Court ruled that the Fifth Amendment’s words: “[n]o person … shall be compelled in any criminal case to be a witness against himself” only protect a suspect from having to communicate incriminating testimonialevidence, and that the production of that case’s physical evidence wouldn’t compel the person to “restate, repeat or affirm the truth of it.”  The Court later fleshed out the term testimonial in a case regarding the subpoena of bank records and said that it’s “[t]he contents of an individual’s mind [that] fall squarely within the protection of the Fifth Amendment.”  Generally, the courts don’t protect people from having to produce physical evidence, which is not considered “testimony” or the “contents of an individual’s mind.”

As the Equifax breach continues to become a complicated issue, certain lessons can be learned for other businesses handling personal information. Namely, what not to do in their business operations?  In the wake of the cybersecurity breach, it had been reported that Equifax was aware of the security gaps, and did nothing to remedy them. So, where exactly did Equifax go wrong in its data security plans? How was it informed about the open holes in its security infrastructure?  What can a business owner do to avoid becoming an encore of Equifax’s folly? Is there any way to determine gaps in security policies and procedures?

Where did Equifax go wrong?

Effectively, Equifax appears to have failed at multiple levels, resulting in this breach. This is best summarized into one large mistake. There were no updates implemented to the computer systems Equifax used on its networks.  This was due to a delayed response to a known vulnerability in the Apache Struts web application. This framework is well known, it is used in the business community, and is an open-source framework for developing Java applications. In short, the delay was exasperated by the company’s failure to detect the vulnerability during a security scan.

As the Equifax breach has developed recently, another issue has come up, namely the arbitration provision within its website, which has caused consumer outrage and confusion. So, why does this provision matter? If consumers want to get their credit frozen, or check to see if they were affected, surely Equifax wouldn’t add insult to injury to the consumers who are suffering from its mistakes. Certainly, it would appear to be bad business to do so, or at least, unwanted attention. However, Equifax cannot be said to avoid adding insult to injury. Instead, Equifax has implemented that arbitration provision, and later removed it. So again, why would Equifax implement this provision? What impact might it have on the consumer? Why might this be important for businesses everywhere to observe?

What is the arbitration provision?

The arbitration provision that had insulted many consumers was attached to Equifax’s offer of free credit monitoring. In exchange for the service being performed (after the security breach) Equifax demanded that consumers settle any dispute with them through arbitration. In general, arbitration is a private and less costly way to settle disputes outside of the courtroom. While the results of the arbitration may be binding, it gives broader latitude to discovery, time, and may be faster and less formal than a formal trial.  While Equifax later clarified this provision would not apply to the current breach, however, nevertheless consumers were upset at the revelation.

Let us move on to the ways to protect ourselves in the future by using a credit freeze or fraud alert.  These options can protect your personal, private, and confidential information after a security breach and effectively add extra protection against identity theft. We have discussed them briefly in the past, although now, it seems appropriate to dive into further analysis. What are credit freezes and fraud alerts? How do they add more protection against identity thieves? What other actions might someone take to create additional safeguards?

Credit Freeze

The first and most basic way to prevent harm from identity theft is through a credit freeze, also known as a security freeze. A credit freeze is more or less what it sounds like–i.e., it “freezes” your credit where no lender can get access to your credit unless the consumer decides to lift it. Even then, the freeze cannot be undone without a pin number issued at the time of the freeze.