IP Address, Privacy, Forensics and Self Defense

Internet Protocol Address Tracking, Subpoena and Investigation

Terms of Access for Hackers in Security Incident

A top privacy official in the EU avers that an IP (Internet Protocol) address should be considered personally identifiable information (like a telephone number or postal address) that is normally subject to protection under privacy laws. Such protection might shield the address from recording or processing in many instances under European and other privacy laws.

If that official is right, then IT security professionals have reason to pause before collecting or processing an IP address in the course of their work. However, I argue a security professional could have good, legal justification for collecting or processing the IP address of a criminal or abusive party. The law widely recognizes notions like self defense, citizen’s arrest and defense of property. These ideas generally provide a defense to a citizen who violates a law in a limited, measured way for the purpose of achieving a higher social goal.

Further, a network administrator might post terms of service stating that if a hacker enters the administrator's domain, then the hacker consents to the administator processing and recording the hacker's IP address and to the use of that information in an investigation. Such terms of access are similar to an end user license agreement (EULA) that advances the interests of a software owner. The general principle is this: good communication can help responsible professionals avoid the appearance that their assertive actions are illegal.

Suppose you have an electronic record of an IP address (or other information) you'd like to preserve as legal/forensic evidence or as a response to a subpoena. You could consider preserving a copy of it using the authentication steps described in another article.

I've published another article on IP address and privacy agreements.

[Reminder: Nothing I say on the web is legal advice for any particular situation. If you need legal advice, you should consult a lawyer.]

Robot Surveillance Contracts

We are emerging into a world where all manner of automated systems engage in surveillance. Internet spiders (bots) collect intelligence from our web sites and servers. Search engines record our Internet queries. Security cameras surveil our bodies and our vehicles as they move about in physical space. Smart phones keep detailed records about incoming transmissions from third parties. Mobile apps track our GPS location.  Motorists mount cameras on their dashboards to memorialize what happens in the event of a traffic collision. The day is dawning when robots record their encounters with people, businesses and property.

The trend toward increasing robotic reconnaissance is unmistakable. The trend will continue to grow on account of digital technology and our legal system's veneration of records. Technology makes the collection and analysis of text, image, audio, video and other forensic records ever more easy. At the same time, people want to possess those records for legal purposes. Our legal traditions hold records in high esteem, as they are powerful agents in the resolution of disputes and the assignment of accountability.

But just as our legal system honors records, it also has a tradition for honoring agreements – that is, contracts. When two parties communicate, the legal system respects the agreements they make between themselves. Contracts can even be formed through the communication of machines, such as computers. And, contracts can cover topics like the creation, use, protection and disposal of records.

Implication: contracts can establish terms to limit and regulate automated surveillance.

Thus, a web administrator can post "terms of service" on its site, and the legal system will (generally) uphold those terms as binding on automated spiders that probe the administrator's site. (For example, Internet Archive and Suzanne Shell settled a lawsuit where Shell claimed that IA copied material from her web site in violation of her published terms of service. Instead of pressing forward for victory in the lawsuit, the Internet Archive settled. It publicly expressed regret for encroaching on Shell’s rights. See also Mark Rasch's discussion of web terms-of-services cases.)

The general principle is this: People (and businesses) can post or broadcast legal terms that impact automated snoops. The terms are like an end user license agreement (EULA) associated with software.

For this general principle, I foresee a large application. People can communicate all kinds of terms to and form contracts with robots.

Here is an example of legal terms a person could publish: "Notice to any system that may be surveilling my activities or entering the domain of my systems or probing or querying my systems: You do not have permission to make or store records about me, my activities, my systems, the contents of my systems or communications from my systems. By making and storing such records, you agree as follows: You will treat me with dignity. You will destroy the records immediately. If you violate your agreement and do not destroy the records, then you agree to keep the records confidential, you agree not to use them in a way that is contrary to my security or my interests and you agree not use them without my written permission. If you do not destroy the records, you also agree to e-mail within one day of creation a copy of all such records to me at jane@janedoe.com. You agree that these terms may be enforced by judicial injunction, together with any other appropriate legal remedy, including monetary damages."

Terms like this could be published on a web page. Or they might be transmitted to a spy's e-mail address. Or they might be posted for visual reading on a vehicle or a building. Or they might be transmitted via an open Bluetooth channel (or multiple radio frequencies) so that a local robot, surveillance camera or store owner could detect them.  Or they might be transmitted by way of an augmented reality channel detectable by a local robot or camera.

The publication of such terms is like posting an end user license agreement around yourself or your property.

Is there any reason why terms like this should not be legally binding on nosey systems or robots that can access the terms?

[Nothing I publish publicly is legal advice, but the foregoing is something to think about and debate in public.]

Software Legal Liability

Should Technology Vendors be Liable for What Hackers Do?

or

Should Law Enforce End User License Agreements (EULA)?

My colleague at the SANS Institute, David Rice, has published an important and learned book, Geekonomics: The Real Cost of Insecure Software. This book could be for the software industry what Ralph Nader’s Unsafe At Any Speed was for the automobile industry in the 1960s. Nader’s book contributed to the legal movement requiring auto manufacturers to make safer products.

Geekonomics argues that computers would be more secure if software publishers are held legally liable for distributing faulty software. The book is destined to influence software law. David backs his argument with outstanding research and cogent explanations. He says software publishers should not be able to use end user license agreements (EULA) to immunize themselves from liability for their mistakes.

I learned a lot from the book, and I highly recommend it.

How to Judge Software Security?

As I studied the book, I developed a question: Legally speaking, how do we judge whether a software product is good or bad? In other words, What should be the standard for evaluating when a software publisher has failed so miserably that the publisher should be penalized through the mechanics of our judicial system?

On page 69 Geekonomics says the industry has known since the 1960s how to write “secure” software. But the book does not tell me what secure software development entails, and it does not tell me what secure software looks like when it is released.

Do We Want Software That Secure?

Will “secure” software look, function and cost like an M1 Abrams tank, produced by a military contractor? Do I want that kind of software?

Secure Software?

The book goes into quite some detail saying present software is bad. But as a consumer and small business proprietor who bought his first PC (and installed his first software) in 1987, I confess that I am absolutely dazzled with the software made available to me over the past 20 years! I love, for example, all the latest Web 2.0 stuff. I am thrilled to have all the new functionality offered to me in rapid succession. My assessment of the vast array of software I have used seriously is that it is really good. It has enabled me to be productive (and have fun) beyond any dreams I could have had in the 1970s.

I realize hackers can break into the software installed on my PCs, damage my PCs, deface my blog, and steal my credit card data. But the worst case scenario is that I have to backup my data, I must buy a new PC every once in a while (the cost of which has progressively decreased over the years) and I have to monitor things like my credit card statements and my status at the credit bureaus. I accept that no product can be perfect. And I accept that I must order my life to account for the security imperfections in software.

Little of the software I deal with personally impacts my physical safety.

On balance, I am very, very pleased with a great deal of the software available to me today and across the years. But Geekonomics says present software is really bad.

By What Standard Should Law Judge Software?

Hence, my esteemed colleague, David, and I come to this topic with two different value standards. For purposes of law, how do we know who is right?

More particularly, in a court of law, how do we know whether a software product is good enough (albeit not perfect) so that the publisher can avoid having to pay money as a consequence of the publisher’s distribution of the software to the public? If we can't answer this question with some precision, then our prolific software industry will be stunted.