Reliance on an inherently insecure infrastructure exposes organizations to a variety of new threats
...greater emphasis is being placed on detection of and response to anomalous events...a key strategy is the use of intrusion detection systems. Are the above 2 statements true? Can the infrastructure be made secure? Are there other strategies besides IDS?
Ability to copy, save, log, etc., info exists in numerous network technologies...what are the legal implications of using an IDS to protect computers and networks? So is this a reasonable thing to do? If so, who should do it?
The money is on-line, the crooks are moving on-line. Technological advances and the Internet provide expanded opportunities for criminal activity. Thus, part of what is on-line is: intelligence, evidence, and indications and warnings.
Intelligence is defined as information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding
Normally intelligence is gathered by "Agencies". Specific legislation exists to govern interception activities of Agencies. So can we gather intelligence?
While existing legal regimes adequately address interception by S&I and law enforcement agencies, they generally do not adequately address interception of network traffic by other organizations.
Is this true?
any oral communication or any telecommunication...that is made under circumstances in which it is reasonable for the originator to expect that it will not be intercepted by any person other than the person intended by the originator to receive it.
Telecommunications is...the emission, transmission or reception of signs, signals, writing, images, sounds or intelligence of any nature by any wire, cable, radio, optical or other electromagnetic system, or by any similar technical system.
Note that it is the expectation of the originator of the message that no one other than the intended recipient will intercept the message that matters to the determination of whether the communication is a 'private communication'. The recipient's expectation, and the interceptor's intent, do not enter into the definition.
Personal information is defined as information about an identifiable individual that is recorded in any form, including any identifying number, symbol, or other particular assigned to the individual, or the address of the individual...
Does an IP Address fit this?
Encryption is mentioned in the law as a way to protect messages... so the question arises, if a message is encrypted, what can we say about the header info?
In US mail, the addressing information on the outside of the envelope is public, but the contents of the envelope are private.
So by analogy most packet header info could be considered public?
So what about just knowing a communication has occurred?
In a network content, there is a difference of opinion as to what
constitutes the equivalent of the dialed number list.
The range of possibilities extends from the header (or addressing)
portion of the network traffic to the address and subject lines of an
e-mail and Web URL.
So for an IDS, which intercepts the whole packet in order to scan it for indications of malicious traffic...we have crossed from public to private data: the payload it inspects is the content, not just the addressing.
That certain legislation distinguishes between traffic data and content implies that traffic data is NOT considered to be a private communication.
Expectations of a bad guy:
Patriot Act: a computer trespasser is a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through or from the protected computer.
But an IDS cannot distinguish malicious activity from benign activity until it has already inspected the traffic, so it intercepts the communications of legitimate users (who do have an expectation of privacy) along with those of the trespasser.
In summary: headers are probably NOT considered private, while payload content probably is...this distinction is important in interpreting the legislation, and in configuring a lawful IDS (what it retains, not just what it inspects).
Criminal Code states: every one who, by means of any electromagnetic, acoustic, mechanical or other device, willfully intercepts a private communication is guilty of an indictable offence
An IDS is in fact copying all of the network traffic...Author's view: "an IDS will almost certainly be considered to fall within the definition of device, and to be considered an intercept within the meaning of criminal law."
Exceptions: Consent and Authorization.
Need consent from both parties: the Supreme Court of Canada has held that one-party consent to the monitoring of private communications violates the protection against unreasonable search and seizure...
Authorization
There must be reasonable grounds to believe that an offence against criminal law has been or will be committed.
Given the unpredictable nature of network intrusions, it would be difficult to provide particulars of the offence that will be committed in advance, which an authorization requires.
Catch All
Criminal law provides exemptions relating to interception of private communications by the provider of a telephone, telegraph or other communication service to the public.
So do we want to fall under this umbrella? Why does it exist? Would we then become susceptible to the willy-nilly whims of the Agencies?
The nature of information that can be captured has been broadened to include dialing, routing and addressing information, effectively enabling law enforcement agencies to monitor and intercept electronic mail, web surfing and other forms of electronic communications.
...the amendments still do not provide a general authorization for interception of network communications by public and private sector organizations - they must still operate under the prior, more restrictive regime.
An exception for 'protected computer'
But...the definition of protected computer appears to be fairly narrow, being a computer that is exclusively for the use of a financial institution or the US Government, or which is used in interstate or foreign commerce or communication.
So what about my machine?
Legislation exists to force the disclosure of encryption keys, so encrypting the content does not by itself settle the question.
IDS log data probably falls within the definition of traffic data, and is therefore probably subject to the provisions of the legislation that require long-term retention of traffic data by service providers.
It is reasonable to suggest that the key to addressing these deficiencies is the creation of a new exemption under criminal law. ...it would provide the necessary legal basis for the interception of private communications for the purpose of protecting public and private sector computer systems or networks from mischief, unauthorized use or interference.
Last Modified Tuesday, 28-Mar-2006 11:11:19 PST