The jailing last week of Facebook Regional Vice President Diego Dzodan in Brazil may have been the tip of an iceberg. Frustrated police made the arrest after Facebook failed to produce WhatsApp messages connected to a drug trafficking case. The incident is one of a growing heap of examples that highlight the difficulties law enforcement agencies face when trying to collect evidence in a digital world without borders.
In international cases involving digital data, it's not uncommon for national laws to be at loggerheads. That's especially true when the nations involved have laws that treat privacy differently. Those conflicts can produce frustration that leads to the kind of extreme behavior Brazilian authorities engaged in last week.
"These conflicts will continue, because the way foreign governments can obtain data stored with a U.S. provider is to go through the Mutual Legal Assistance Treaty process," explained Jadzia Butler, a fellow on privacy, surveillance, and security at the Center for Democracy & Technology.
"Unfortunately, this process is extremely cumbersome. It can take up to 10 months for a foreign law enforcement agency to get the data it needs," she told TechNewsWorld.
"So governments like Brazil and others have started to resort to extreme tactics in order to get the data," Butler said. Those measures include data localization mandates and intimidation of local officials.
Reform Needed
Reform of the existing MLATs system is on the U.S. congressional agenda.
The House Judiciary Committee last month held a hearing on the subject. The committee is considering what rules should apply when two countries claim jurisdiction over the same piece of data, noted Gregory T. Nojeim, director of the CDT's Project on Freedom, Security and Technology.
"Increasingly, one country's law will require disclosure and another country's law will prohibit it, or at least subject the disclosure to local rules that the requesting country may find difficult to meet," he observed.
"Because of the explosive growth of global communications and of communications service providers, and because of the increasingly central role that communications content and metadata play in law enforcement investigations worldwide, this problem is growing," Nojeim continued.
"Moreover, because the largest communications service providers are located in the U.S., the volume of data demands coming into the U.S. from foreign governments far exceeds the volume of demands made by the U.S.," he said.
The CDT is one of several groups that are trying to find a way to streamline the MLAT process. One possibility is to create an alternative framework for obtaining data for countries that meet specific human rights criteria, suggested CDT's Butler.
"Until that happens, I would say conflicts like the one in Brazil will continue to happen," she said. "It's frightening."
The Geography of E-Fraud
Electronic fraud claimed 13 million victims in 2015, according to a Javelin study released earlier this year, but where you live in the United States can determine your chances of being one of those victims.
The states with the highest rates of billing fraud were Florida, Delaware, Oregon, California and Washington, D.C., according to an Experian study released last week. The highest for shipping fraud were Delaware, Oregon, Florida, California and Nevada.
Why are some regions more prone to e-fraud than others?
"A lot of it has to do with proximity to port cities," said Adam Fingersh, senior vice president of fraud and identity solutions at Experian.
Counter to many expectations, big cities are not necessarily fraud magnets, he noted.
"While there are a number of big cities that are ranked high, we also see a number of small cities that are ranked as having high risk," Fingersh told TechNewsWorld.
Path of Least Resistance
Fraud appears to follow the path of least resistance.
"We've seen that as a result of pulling pin-and-chip technologies into the U.S., fraudsters are looking for other avenues to exploit," Fingersh said. "As a result, card-not-present fraud, as anticipated from what we've seen in other regions, becomes one of those channels that fraudsters can look to backfill opportunities prior to the introduction of chip-and-pin," he explained.
Although hard numbers aren't yet available for correlating card-not-present fraud rates with the introduction of chip-and-pin or EMV technology, there is evidence that CNP rates will be getting higher.
"During the most recent Black Friday holiday, there was a significant volume in card-not-present fraud, and some of the geographies referenced in our study saw a significant increase in that time frame," Fingersh said.
"We know there's a gradual climb in card-not-present fraud as EMV is rolled out," he added.
Drafting Hackers
The Pentagon last week announced that it was launching a bug bounty program to make Defense Department computers more secure.
The "Hack the Pentagon" initiative is the first bug bounty program in the history of the federal government, according to DoD.
Under the pilot program, the department will use commercial sector crowdsourcing to allow qualified participants to conduct vulnerability identification and analysis on its public Web pages.
The bug bounty program is modeled after similar competitions conducted by some of the nation's biggest companies in an effort to improve the security and delivery of networks, products and digital services.
The pilot marks the first in a series of programs designed to find vulnerabilities in the department's applications, websites, and networks.
Outside the 5-Sided Box
The bug bounty program shows a willingness on the part of Secretary of Defense Ashton Carter to push the Pentagon bureaucracy out of its comfort zone in meaningful ways, according to the Center for a New American Security.
"This initiative, with its potential to cause embarrassment or unintended breaches of critical systems, undoubtedly drew bureaucratic push back in its development," wrote CNAS Program Director Ben Fitzgerald and CNAS Senior Fellow Loren DeJonge in a statement. "But these are precisely the fears and cultural factors the secretary needs to incentivize the institutional Pentagon to overcome if his innovation agenda is to take hold."
Although the bug bounty program has received kudos from the security community, some have questioned whether the momentum Secretary Carter is trying to build will fizzle when a new administration takes office in 2017.
That's not likely, said Casey Ellis, CEO of Bugcrowd.
"The need for people to solve the vulnerability discovery problem will never go away, and ultimately a distributed resourcing approach like a bug bounty program is the only way for the DoD to access resourcing and economics that are on parity with their adversaries," he told TechNewsWorld.