Events, news, technologies and products about cyber security
Sunday, February 9, 2014
[fortinet] Behind the Firewall: Weighing Privacy & Security With International Regulation
All too often, cyberspace seems a vast and unregulated “Wild West,” where anarchy is the norm and criminal justice remains by and large a concept rarely enforced. What’s more, the Internet cloaks cybercriminals under a blanket of anonymity, where they have the ability to take down international governments and large-scale corporations at the touch of a button from anywhere in the world.
It’s no secret that the “lawless” nature of cyberspace has become an accepted status quo - so much so that high-profile cybercrime, international privacy breaches and cyber espionage have experienced exponential growth in recent years.
But the penalties might become more enforceable - albeit slowly. And the governments of countries that engage in large-scale cyber espionage as well as companies that create spying software could face stiffer, more enforceable penalties for violating international policies.
Part of a reinvigorated effort could be attributed to the Convention on Cybercrime – the first international treaty that addresses Internet and computer crimes, according to a report in Inter Press Service.
The Convention is not exactly a new treaty - it was adopted in Budapest, Hungary in 2001 and put into effect in 2004. But it contains a provision that attempts to protect private data communication from illegal and unauthorized interception. The Convention was initially adopted by the Council of Europe, but it has also been signed by non-European Union nations such as Canada, Japan and the United States, which ratified it in 2006. Thus far, 51 countries have signed the treaty and 40 have ratified it.
Among other things, it requires member nations to criminalize four kinds of nefarious activity relating to data privacy: illegal access, illegal interception, data and system interference and misusing devices with the intent to commit those crimes. In short, the Convention aims to ensure that everyone respects and adheres to fundamental privacy rights - including powerful governments. And with good reason – in recent years, various governments and corporations have come under fire for illegal surveillance of their citizens and unauthorized access to personalized data of consumers.
That said, the Convention’s mandates don’t bode well for nation states conducting cyber surveillance, wire-tapping and other types of activities that violate privacy legislation. In fact, the Convention doesn’t take into account cross-border espionage activities - a caveat that also throws a wrench into international political hacktivism, regardless of its source.
A conundrum, then, lies in the ability of international law enforcement officers to collect information on suspected criminals and enforce cyber laws across international borders. Under the Convention, cyber surveillance is a violation of international privacy rights, and perpetrators could subject themselves to severe penalties and litigation. Consequently, components of the Convention could potentially thwart time-sensitive investigations and tie the hands of law enforcement in pursuit of criminals.
However, that issue is addressed - at least in part - by an exception introduced in the Budapest Convention. Specifically, the Convention maintains that activities such as cyber surveillance and computer data collection could theoretically be deemed legal if an organization were able to obtain lawful consent from an authorized party - such as a law enforcement agency or government with a warrant or reasonable cause to apprehend a suspect, for example - that had a legal right to access and reveal that data.
“A Party may, without the authorization of another Party ... access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.”
Essentially, in the interest of maintaining justice and enforcing laws across borders, an exception was made to the doctrines that tempered unrestricted privacy rights. And similar compromises could be imminent as law enforcement gains a foothold on cyber crime.
The Budapest Convention and other similar international treaties will likely undergo various iterations as the threat landscape continues to evolve. And balancing individual privacy rights with international cyber policing will be no trivial matter.
Undeniably, disparate cross-border cyber laws and the anonymity of the Internet provide cyber criminals a consequence-free safe haven. As such, coordinated international cyber policing between governments will undoubtedly need to gain momentum, enabling law enforcement agencies to collaborate and pool resources on a broader global scale. Meanwhile, a myriad of high-profile information leaks have raised the ire of advocacy groups and propelled a critical mass of awareness around privacy rights and issues.
And weighing the age-old challenge of privacy versus security will likely take on a life of its own in the not-too-distant future.