
New EU Rules Require ISPs, Telcos To Come Clean Within 24 Hours of Data Breaches

Unknown Lamer posted about a year ago | from the be-quick-or-be-dead dept.

Security 70

hypnosec writes "Under new EU regulations ISPs and Telcos serving European customers will have to come clean within 24 hours in case of a security or data breach that leads to theft, loss, or compromise of data. Companies will have to disclose the nature and size of the breach within the first 24 hours. Whenever it's not possible to submit such data, they must provide 'initial information' within the stipulated time and full details within three days. Under the new terms the affected organizations will be required to reveal information such as information that has been compromised and the steps that have been taken or will be taken to resolve the situation. If the breach 'is likely to adversely affect' personal information or privacy, affected businesses and consumers will be notified of the breach."

70 comments

NSA too? (4, Interesting)

hawguy (1600213) | about a year ago | (#44098127)

Does this mean the alleged NSA taps on major internet links that monitor all traffic would have to be reported as breaches too if an EU ISP discovers (or knowingly installs) one?

Re:NSA too? (4, Funny)

Anonymous Coward | about a year ago | (#44098305)

Does this mean the alleged NSA taps on major internet links that monitor all traffic would have to be reported as breaches too if an EU ISP discovers (or knowingly installs) one?

Yes.

it's part of why nsa wanted soooo much to keep it secret. plenty of companies have to stop using american hosting if they technically know that the US servers are compromised.

Re:NSA too? (0)

Anonymous Coward | about a year ago | (#44098355)

Not a problem. The offshore (non-States) ISPs track their non-citizen data and turn that over to the NSA. That gives the NSA data about the American citizens without breaking the law about monitoring their own civilian population. Such agreements have already been exposed between the States and Australia and the States and the UK. Others will eventually come to light.

So the NSA is tracking your communications in any form whether you are a citizen or not. We have a new campaign to use your credit card for every transaction, no matter how small, so that gives them all your financial transactions. Soon they'll be gathering so much information that the fellow who was on a watch list and was facebooking everything he did, including the hamburger he had for lunch that day will be able to take a holiday from posting all of his activities. They'll already have them all.

Re:NSA too? (3, Informative)

gl4ss (559668) | about a year ago | (#44098449)

that's the point of making them come clean of compromise to the data or get burnt if they get outed by someone.

americans can't do anything about it - but if european operating companies are liable legally in europe about the breaches they will either have to disclose the data compromises to their customers (bad for business) or move the servers inside eu and not share all data (since you know, the european privacy laws are against that).

Re:NSA too? (1)

MrDoh! (71235) | about a year ago | (#44098309)

My first thoughts too. Surely with everything being snooped on, we never have a 'non data breached' moment?

Re:NSA too? (2)

Joce640k (829181) | about a year ago | (#44098723)

"Breach" implies access without permission.

The NSA has government-mandated permission so their access doesn't fall under this law.

Re:NSA too? (0)

Anonymous Coward | about a year ago | (#44098923)

The NSA has government-mandated permission so their access doesn't fall under this law.

This is EU law we are talking about. Please substantiate your claim that the EU government has given the NSA permission.

Re:NSA too? (1)

xophos (517934) | about a year ago | (#44099383)

The NSA has government-mandated permission so their access doesn't fall under this law.

This is EU law we are talking about. Please substantiate your claim that the EU government has given the NSA permission.

You are absolutely right.
Your parent misses the obvious.

But of course, NSA is the good guy (-1)

Anonymous Coward | about a year ago | (#44098365)

The EU wants to know what the bad guys are doing to their data-backbones

NSA is the GOOD GUY, NSA is their ALLIES, and EU welcomes NSA with both arms stretching wide

Re:NSA too? (1)

Anonymous Coward | about a year ago | (#44098431)

Traffic monitoring is not the same as a data breach. A data breach is data being accessed without authorization - usually in a database-style scenario - internet traffic is viewable for every intermediate router and therefore confidentiality cannot be ensured in the first place, without appropriate security protocols. Similarly (nearly?) every ISP monitors their network for unusual behavior and traffic patterns (when is there a lot of activity? where should additional hardware be deployed?), which would then also be classifiable as a 'data breach'.

Now don't get me wrong, the NSA taps are a bad thing. It is just not what this law is designed for, nor does it have very much to do with this law. Illegal wiretapping is not part of privacy legislation, nor is there any need for it to be.

Re:NSA too? (2)

six025 (714064) | about a year ago | (#44098691)

Does this mean the alleged NSA taps on major internet links that monitor all traffic would have to be reported as breaches too if an EU ISP discovers (or knowingly installs) one?

If you RTFA you would find out:

There are a few exceptions though – companies will not be required to pass on the data in cases where there are "justified national security reasons", companies like Facebook and Google who fall under Data Protection Directive, companies that take steps such as encryption of data.

Re:NSA too? (2)

Rockoon (1252108) | about a year ago | (#44098719)

There are a few exceptions though – companies will not be required to pass on the data in cases where there are "justified national security reasons", companies like Facebook and Google who fall under Data Protection Directive, companies that take steps such as encryption of data.

This reminds me of the Data Retention Directive, passed in what... 2006?

First they require you to keep all data... then they require you to protect the data they made you keep.

Here is a thought: The best way to let me protect my data is to let me delete it.

Re:NSA too? (1)

scarboni888 (1122993) | about a year ago | (#44099185)

What are you some kind of subversive?

Re:NSA too? (1)

Rockoon (1252108) | about a year ago | (#44100749)

Yes.

Any other questions?

Re:NSA too? (1)

Anonymous Coward | about a year ago | (#44099061)

companies will not be required to pass on the data in cases where there are "justified national security reasons"

What national security reasons are there for retaining the average person's internet traffic?

Re:NSA too? (3, Insightful)

scarboni888 (1122993) | about a year ago | (#44099205)

I got it this one's easy.

Today's 'average person' may be tomorrow's protestor. Heck that person might actually start turning into someone that other proletariat start listening to. And if their message is in any way threatening to those that gain from the power of the national security apparatus then said apparatus can dig in to so-called 'average person's' past communications to dig up the dirt on them, discredit them, jail them if necessary, and thereby retain their power without threat.

See how easy that is?

You're welcome.

No. (1)

Camael (1048726) | about a year ago | (#44098765)

For good measure, again No.

From the last paragraph of TFA [paritynews.com] :-

There are a few exceptions though – companies will not be required to pass on the data in cases where there are "justified national security reasons"

This provision is likely useless against the NSA.

Prism for Ubuntu (0)

Anonymous Coward | about a year ago | (#44098999)

Did you know about:

Available Prism Packages in Ubuntu 8.04
http://buck-nasty.blogspot.pt/2009/01/how-to-install-mozilla-prism-in-ubuntu.html

prism-facebook
prism-google-analytics
prism-google-calendar
prism-google-docs
prism-google-groups
prism-google-mail
prism-google-reader
prism-google-talk
prism-twitter

Install Prism packages for google using the following command

sudo aptitude install prism-google-talk prism-google-mail prism-google-docs prism-facebook prism-google-analytics

Entire (1)

For a Free Internet (1594621) | about a year ago | (#44098143)

Buttgoat NSA buttgoart NSA burrgort NSA assgoat NSA assgort NSA slashdort NSA buttfart NSA assfartgoat NSA slashfart NSA turdfartgoatbutt NSA assturdfart NSA NSA NSA burrtbartfartbuttass NSA world!

Hopefully coming soon to the US (1)

Anonymous Coward | about a year ago | (#44098155)

It's just too easy for US companies to "pretend nothing happened".

Re:Hopefully coming soon to the US (5, Interesting)

mlts (1038732) | about a year ago | (#44098173)

I wonder how this law is to be enforced. If nothing is ever told that the breach happened (and logs "expired" pertaining to the breach), then only the party that did the intrusion would really have proof it ever happened.

General system logs don't have all the eDiscovery rules that E-mail does, and I sort of dread to have to keep every syslog/event log from every single machine for x amount of time, because an intruder can easily just trash the log archive server unless the logs were written to something like WORM tape, or EMC's SAN that does WORM volumes.

In any case, this law is a start, and I wish similar laws would reach across the pond too. However, my fear is that even successful breaches will be classified as "attempts" and never reported... and if they are, it will be one person who gets the blame for failing to report it, they get sacked, and life goes on.

Re:Hopefully coming soon to the US (1)

labnet (457441) | about a year ago | (#44098265)

I was wondering the same thing.
Are the majority of breaches only discovered when some external party says, 'Lulz I gotz ur data'?

Re:Hopefully coming soon to the US (1)

pokoteng (2729771) | about a year ago | (#44098327)

It just means any whistleblower or hackers themselves can report the findings into public. Companies are pretty much forced to hand in any reports of breaches; they can't keep quiet about it because otherwise the penalties will be even more severe after the day's over.

This is a good move. It'll finally keep people/companies on their toes instead of trying to hide their flaws.

There are laws ... (0)

Anonymous Coward | about a year ago | (#44098389)

... and then, there are "SECRET PRESIDENTIAL DIRECTIVES"

In any case, this law is a start, and I wish similar laws would reach across the pond too

"You can have all the LAWS you want, but as long as the SECRET PRESIDENTIAL DIRECTIVES get to by-pass any existing law ( and in the PRISM case, even bypassing the UNITED STATES CONSTITUTION ), do not keep your expectation too high

Re:Hopefully coming soon to the US (2)

moronoxyd (1000371) | about a year ago | (#44098547)

I wonder how this law is to be enforced. If nothing is ever told that the breach happened (and logs "expired" pertaining to the breach), then only the party that did the intrusion would really have proof it ever happened.

That a company does its best to hide that their systems were breached doesn't mean that it will never come out.
If lists of passwords appear online, or if somebody abuses customer data that was only ever disclosed to that company, they will be in deep sh*t if it comes out that they knew about the breach and did not follow the law.

Re:Hopefully coming soon to the US (1)

AmiMoJo (196126) | about a year ago | (#44098641)

Most countries have laws requiring any company that handles personal data to take reasonable steps to protect it. That means intrusion prevention and detection. If they don't they are breaching the law anyway, so saying "we didn't know" isn't a valid excuse.

There are ways ... (2)

thrill12 (711899) | about a year ago | (#44098647)

...I sometimes encounter data breaches from companies I do business with, simply because I use a unique e-mail address for each business. (name_businessname@domain). As soon as I start receiving spam on the e-mail, I have pretty much irrefutable proof that a leak exists at that company; the only condition being that I must make sure that that e-mail address is never communicated to anyone else.
Of course, "proof" for a court of law could require a bit more, but I think that needs to be established as jurisprudence, and this could be an example of how it could be established.

Re:Hopefully coming soon to the US (0)

Anonymous Coward | about a year ago | (#44098675)

You could always send a message, sure to trigger a response from the government snooping, wait 24 hours and then when you're arrested, point out that nobody came clean to obviously collecting your data.

But given the way this government operates, I would suggest against such proof of concept.

Re:Hopefully coming soon to the US (1)

hairyfeet (841228) | about a year ago | (#44099111)

Nice to see I'm not the only one to be scratching their head and thinking about how that is supposed to work. But after watching the laws passed with regard to the Internet? Honestly I just think these bozos passing these laws have zero fricking clue as to how this shit actually WORKS. It would be like some government mandate to "back up the Internet"...okay, how?

They make these laws and mandates without asking a single grunt who actually does this for a living "Can we do this, and what would be the cost if we can"...kinda reminds me of some of the bosses I had when I worked corporate, they think you can wave your magic IT wand and all this shit will come to pass when it just. doesn't. work. that way. Let me say if you are an IT grunt in the EU? My condolences pal, sounds like you are gonna be in a world of shit just trying to keep from running afoul of this, when five will get you ten no matter how hard you try it'll end up biting you right on the ass.

Re:Hopefully coming soon to the US (1)

oranGoo (961287) | about a year ago | (#44099193)

The legislation is intended for Telcos and ISPs according to the excerpt. AFAIK they already have legislation on log retention.

So you have a couple of easily detectable cases:
* Missing logs or other log anomalies and no reported breach - bad and easy to check
* Logs with breach activity and no reported breach - bad and possible to check

So the worst case is actually if someone manages to reconstruct the logs, however I would say that would not be so easy these days with redundant and complex systems that log at various levels.

As for reporting the breach - as with anything that you need to report yourself it would require audits of some sorts.

Re: Hopefully coming soon to the US (-1)

Anonymous Coward | about a year ago | (#44098447)

China is more free than the US

US congress - Are you listening (1)

chromaexcursion (2047080) | about a year ago | (#44098187)

Hmm.
Europe is more about freedom than the US.
All the right wing congressmen prancing about, but they claim to disavow surveillance.

I'm just a trouble maker finding holes in the wall...

rats seem to like peanutbutter more than cheese, but there's lots of that...

Re:US congress - Are you listening (1)

Anonymous Coward | about a year ago | (#44098269)

Europe has its own freedom problems. Both sides do different things well. While it's great to ignore all the negatives to make statements like this, remember that one side isn't necessarily better than the other.

Re:US congress - Are you listening (-1)

myowntrueself (607117) | about a year ago | (#44098347)

Europe has its own freedom problems. Both sides do different things well. While it's great to ignore all the negatives to make statements like this, remember that one side isn't necessarily better than the other.

Are there any historical events in the USA that you aren't allowed to question the official account of?

In Europe you get in big trouble for questioning the official version of the holocaust. Which sets it up for conspiracy theorists very nicely. I mean, imagine if in the USA it was illegal to claim that the moon landings never happened.

Re:US congress - Are you listening (2)

blackraven14250 (902843) | about a year ago | (#44098495)

Isn't that only Germany, or did I miss something?

Re:US congress - Are you listening (0)

Anonymous Coward | about a year ago | (#44098541)

Isn't that only Germany, or did I miss something?

Germany, Europe, what's the difference, it's all over there somewhere, and most easily grouped together as one homogeneous thing.

Re:US congress - Are you listening (1)

myowntrueself (607117) | about a year ago | (#44098559)

yeah otherwise I'd have to ask "is it illegal to deny the moon landings in any state or county in the USA?" instead of just "... in the USA?"

Re:US congress - Are you listening (1)

zAPPzAPP (1207370) | about a year ago | (#44098727)

Given that there are several differences in state laws both in the U.S. and EU, you should better ask that.

Re:US congress - Are you listening (1)

toutankh (1544253) | about a year ago | (#44098757)

I don't know about every European country but in France and Austria you'd get in trouble as well.

Re:US congress - Are you listening (1)

Anonymous Coward | about a year ago | (#44098529)

Sentences that begin with "In Europe" are hardly ever true or factual. Holocaust-denial is not a crime in every one of the 50 countries of Europe. Please, stop generalizing.

Re:US congress - Are you listening (1)

Anonymous Coward | about a year ago | (#44098567)

In the US, you can be thrown in to some pit and be tortured by some sadistic guards, just because the government thinks so. And that's when you are lucky. If not, you can be killed alongside your whole family and half your neighbors. The US is more like North Korea than like a civilized country.

Re:US congress - Are you listening (0)

Anonymous Coward | about a year ago | (#44098579)

Are there any historical events in the USA that you aren't allowed to question the official account of?

In the US there are states (e.g. Kansas) where you are currently required by law to "present both sides of the story", even though one side is supported by the vast majority of all evidence and research and the other one is a fairy-tale someone wrote down 2000 years ago.
Different sides of the same coin.

Re:US congress - Are you listening (0)

Anonymous Coward | about a year ago | (#44098637)

There is no one "official version" you have to keep. Saying that is a huge misinterpretation and exaggeration. The only thing you can not question is whether the Holocaust happened. That is the only limitation.

These laws have been made so that nazis can not deny holocaust and rise back to power. We do not want to repeat the history. And you know what? I'm perfectly ok with being unable to deny this piece of history. It does not make me less free in any aspect of my life.

This "they have one or two limitations we do not have therefore they are less free" kind of argumentation is stupid anyway. So there is one aspect where one country allows more than the other one. So what? That is nothing but "we are better" trolling to keep someone's ego high.

Re:US congress - Are you listening (1)

myowntrueself (607117) | about a year ago | (#44098655)

Not just whether it happened but the official figure on the number of dead. Question that "oh maybe it was 100,000 less than the official version" and it's jail time.

The problem is that it encourages the neo-nazis because some people get the feeling that the government is trying to cover something up.

Re:US congress - Are you listening (1)

Anonymous Coward | about a year ago | (#44098689)

Not just whether it happened but the official figure on the number of dead. Question that "oh maybe it was 100,000 less than the official version" and its jail time.

The problem is that it encourages the neo-nazis because some people get the feeling that the government is trying to cover something up.

Can you please cite *any* specific examples where you get jail time for claiming that the number of dead is off by 100,000?

Re:US congress - Are you listening (0)

Anonymous Coward | about a year ago | (#44098693)

> some people get the feeling that the government is trying to cover something up.

Only to fictional pro-conspirationnists slashdot-readers US neo-nazis.

Re:US congress - Are you listening (0)

Anonymous Coward | about a year ago | (#44098679)

1) ISP will not have the freedom to deny breaches, and that's better for everybody else. 2) In Europe the taste of the public tolerates more regulation of freedom of expression than in the US (although many principles are the same). In the case you mention, you are free to research on the holocaust and find different numbers than the ones established in literature. What you're not allowed to do is to blatantly deny it happened at all. That's in several places in Europe, not only Germany.

Does a request count as a "breach"? (1)

Uberman23 (1735246) | about a year ago | (#44098197)

Does dropping trou for an intelligence agency (foreign or domestic) count as a "breach"? Or is that just "business as usual"?

Re:Does a request count as a "breach"? (0)

Anonymous Coward | about a year ago | (#44098535)

Foreign intelligence, as in the US, would be a breach. A domestic intelligence agency would be legal and legitimate with a warrant or similar measures (variations of).

Why just Telcos? (1)

Anonymous Coward | about a year ago | (#44098335)

This should be for all internet service providers of some scale.. I mean telcos have a lot of communications metadata, but breaching that is not actually something I need to know QUICKLY. What I need to know is stores and places where my credit cards and shared accounts are stored. "Do I need to reset passwords" is basically the main question.

Re:Why just Telcos? (0)

Anonymous Coward | about a year ago | (#44099043)

It will probably soon be generalised to other sectors. These rules were discussed as part of a package of directives that targeted ISP/Telcos. It would have been complicated to extend it to other sectors at this stage.

The EU commission is currently discussing Privacy Regulations to extend these data breach notification provisions to other sectors (among many other things), but this is being slowed down notably by intense US lobbying efforts to weaken the proposed text, as well as a few EU member states.

What can reasonably be accomplished in three days? (3, Interesting)

Fastolfe (1470) | about a year ago | (#44098339)

Do they really expect every massive, multi-part intrusion to be investigated to completion so that a full report can be made after only 72 hours? What am I missing?

Re:What can reasonably be accomplished in three da (0)

Anonymous Coward | about a year ago | (#44098497)

It does seem a bit absurd. I understand the 'let customers know' about a security breach ASAP (24 hours even) although the full info should be released as it is known and then a maximum time specified for the investigation. Maybe up to 6 months. There are obviously certain circumstances where it wouldn't be possible to fix the problems because of third parties, insane financial costs (like shutting down a factory), etc. It may only be feasible to do at certain times. If shutting down the factory to fix a security breach means six months until resumption that could mean the company goes bankrupt.

Re:What can reasonably be accomplished in three da (0)

Anonymous Coward | about a year ago | (#44098761)

If shutting down the factory to fix a security breach means six months until resumption that could mean the company goes bankrupt.

If shutting down the factory to fix a problem where people lost their lives means six months until resumption that could mean the company goes bankrupt.

When you are dealing with someone's personal information any kind of mismanagement can have very large consequences.
Just treat it as equally important and you will be fine. If you can't afford a security breach, don't risk it.

Re:What can reasonably be accomplished in three da (1)

Anonymous Coward | about a year ago | (#44098545)

There's no full report required, just the immediate discovery and notification thereof. "Breach detected, your password may be stolen, please change it now". It's about giving people the ability to take measures ASAP.

Re:What can reasonably be accomplished in three da (1)

Fastolfe (1470) | about a year ago | (#44109465)

That's not how I read it, but that would make more sense, I suppose. I'm thinking of situations where you have a multi-pronged attack, and one prong accesses one set of sensitive data, and the other prong accesses another. One access may be discovered, the clock starts, and 72 hours later they may not even be far enough into their forensics to find out about the other prong of the attack. But if you're defining each as its own "breach", even though it's part of the same larger complex attack, I suppose it's a little more reasonable than I interpret it.

But what if you're investigating something like this:

1. Breach of data A occurs
2. First breach of data B occurs (small set of data accessed)
3. Second breach of data B, by the same attacker from a different attack vector, occurs (accessing more data)

1 is discovered, clock starts, but you're able to get a full report out after 72h.
2 is discovered, separate clock starts, and you're able to get that report out after 72h.
3 is discovered. Should that have been part of (2)? What happens if you don't notice this during your investigation of (2)?

Re:What can reasonably be accomplished in three da (0)

Anonymous Coward | about a year ago | (#44098813)

Hopefully you are aware of what the compromised server is used for, as well as which other servers it normally interacts with. You also should know whether that server handles sensitive data, and how that data is protected (are the passwords hashed and salted on the http server, the db server or some other server?). This information should be available within an hour, and it should be enough for a preliminary report.

Using proper log handling and log analysis (which you have, right?), you can identify the timespan of the intrusion, figure out which connections were made from the server in question during that time period, figure out what data was accessed or modified during this time period by one of the (potentially) compromised accounts, and so on. This should take a couple of minutes if you know how to handle logs.

Finally, you need to combine all the data you have gathered into a technical report, which is then sent via bosses to the PR department for publication. This step most likely takes many hours, but it should still be possible to do everything within 24 hours (unless you want to sleep).

In short: If you can't do it in 24 hours, you are unprepared for handling intrusions, and then you should fix your system and educate your employees. The goal of the EU rules is to create an incentive to actually do so.
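The triage the comment above describes (intrusion window, outbound connections from the server in that window, data touched by the compromised accounts) run over constructed sample logs, as an added example that is not part of the thread. Host names, addresses, tables and the "sensitive tables" classification are all assumptions made up for the example:

```python
import re
from datetime import datetime

# Constructed sample logs (assumed syslog-style format; not from the thread)
# for a hypothetical web server "web01": sshd auth events, application data
# access events, and firewall records of outbound connections.
AUTH_LOG = """\
2013-06-26T01:12:03Z web01 sshd: Accepted password for alice from 10.0.0.5
2013-06-26T02:40:17Z web01 sshd: Failed password for root from 198.51.100.23
2013-06-26T02:40:21Z web01 sshd: Failed password for admin from 198.51.100.23
2013-06-26T02:41:02Z web01 sshd: Accepted password for deploy from 198.51.100.23
2013-06-26T03:15:44Z web01 sshd: Accepted password for bob from 10.0.0.9
"""
ACCESS_LOG = """\
2013-06-26T02:43:10Z web01 app: user=deploy action=read table=customers rows=12000
2013-06-26T02:44:30Z web01 app: user=deploy action=read table=password_hashes rows=12000
2013-06-26T03:20:00Z web01 app: user=bob action=read table=orders rows=3
2013-06-26T04:05:00Z web01 app: user=deploy action=write table=audit_trail rows=1
"""
CONN_LOG = """\
2013-06-26T02:42:05Z web01 fw: OUT src=web01 dst=db01:3306
2013-06-26T02:45:50Z web01 fw: OUT src=web01 dst=203.0.113.7:443
2013-06-26T03:30:00Z web01 fw: OUT src=web01 dst=db01:3306
2013-06-26T04:06:00Z web01 fw: OUT src=web01 dst=203.0.113.7:443
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
# Assumed data classification: tables whose exposure triggers customer notice.
SENSITIVE_TABLES = {"customers", "password_hashes"}


def parse(log):
    """Yield (timestamp, host, source, message) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3), m.group(4)


def triage(auth_log, access_log, conn_log, suspect_ip):
    """Build the facts for an initial breach notice from one suspicious source address.

    Returns None when the address never appears in the auth log."""
    # 1. Every auth event from the suspect address: the first one opens the window,
    #    successful logins name the (potentially) compromised accounts.
    from_ip = [(ts, msg) for ts, _, _, msg in parse(auth_log)
               if msg.endswith(f"from {suspect_ip}")]
    if not from_ip:
        return None
    failed = sum(1 for _, msg in from_ip if msg.startswith("Failed"))
    compromised = sorted({re.search(r"Accepted \w+ for (\S+)", msg).group(1)
                          for _, msg in from_ip if msg.startswith("Accepted")})
    start = from_ip[0][0]

    # 2. Application activity by those accounts after the window opened.
    #    Each message is "key=value ..." and is parsed into a dict.
    touched = [(ts, dict(kv.split("=", 1) for kv in msg.split()))
               for ts, _, _, msg in parse(access_log) if ts >= start]
    touched = [(ts, a) for ts, a in touched if a["user"] in compromised]

    # 3. The window closes at the last attacker-attributable event. Investigators
    #    will usually widen this; the strict bound keeps the first notice honest.
    end = max([ts for ts, _ in from_ip] + [ts for ts, _ in touched])

    # 4. Outbound connections from the server inside the window, as candidates
    #    for lateral movement (db01) or exfiltration (external address).
    outbound = [(ts.strftime(TS_FMT), msg.split("dst=", 1)[1])
                for ts, _, _, msg in parse(conn_log)
                if "OUT" in msg and start <= ts <= end]

    sensitive = sorted({a["table"] for _, a in touched} & SENSITIVE_TABLES)
    return {
        "window": (start.strftime(TS_FMT), end.strftime(TS_FMT)),
        "failed_logins_from_ip": failed,
        "compromised_accounts": compromised,
        "data_touched": [(ts.strftime(TS_FMT), a["action"], a["table"], int(a["rows"]))
                         for ts, a in touched],
        "sensitive_tables": sensitive,
        # The "do I need to reset passwords" answer the thread asks for.
        "credential_reset_advised": "password_hashes" in sensitive,
        "outbound": outbound,
    }


if __name__ == "__main__":
    report = triage(AUTH_LOG, ACCESS_LOG, CONN_LOG, "198.51.100.23")
    for key, value in report.items():
        print(f"{key}: {value}")
```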

Re:What can reasonably be accomplished in three da (1)

Fastolfe (1470) | about a year ago | (#44109449)

Your post suggests you've never done this before. Consider:

1. Spear phishing attack nets the credentials of employee A.
2. A's credentials are used to access sensitive data B. A normally has access to B so this doesn't set off any alarms.
3. A's credentials are used to plant malicious code on an internal web site.
4. Malicious code nets credentials of employee C and D and E (and a dozen others).
5. A separate attacker probes C's access, digs through source code repository.
6. Source code review yields an exploitable vulnerability in an internal system.
7. Staging from D's workstation, internal system F is cracked using discovered vulnerability. This gives them access to credentials that are trusted by system G.
8. Staging from E's workstation, sensitive system G is accessed using credentials stolen from F.
9. An administrator on G notices that something is amiss.

So now that you've discovered the breach, the clock starts.

10. G contacts E to ask what's going on, but E's at home asleep.
11. E's workstation is taken offline and forensics begins.
12. The credentials stolen from F are used on several systems because the developer re-used them, so it takes a while to figure out that F was where they were stolen from. The attackers covered their tracks, but a sharp-eyed engineer found access attempts in an unrelated daemon's logs from D.
13. D is contacted, and has no explanation. It's possible he would have accessed that system, but he can't remember. But your guys are smart, so you check his system for malware just in case.
14. Malware found on D. How did it get there? He exchanges software with a 3rd party all the time, so you spend some time scanning what he's downloaded, turning up nothing, so then you go through his e-mail, and find a short e-mail with a link from a colleague that seems out of place. The URL doesn't look suspicious (the vulnerability was removed by the attackers after it was used), so you set it aside.
15. You get stuck, so you go back to that e-mail again, one item of many presumed false leads, and realize that A didn't remember sending it.
16. Malware found on A, spear phishing e-mail found.
17. Logs of systems scoured for activity from A, sensitive access to B found.
18. A's outbound e-mail checked, e-mail to C (and dozens of others) found that looks similarly suspicious.
19. Logs of systems scoured for activity from C, accesses to source code repository found.
20. The dozens of others also affected are investigated to see what systems they accessed, just in case there's more.
21. What did you miss? Was there anything else? Keep looking. Are you sure that's it? Keep looking.

This is all "best-case" and you haven't even started trying to identify the attackers yet, much less assembling a report.

It's easy to play the armchair security consultant and talk about "proper log handling and log analysis" as though that's the magic bullet. Do you think that every company subject to this law has "proper log handling and log analysis" covering every component of every internal system on their network? Do you think even a majority of companies have this?

Do you think it's typical that every system in this chain of investigation will have all of the logs needed to proceed to the next step? Do you think those doing the investigations will always have easy access to these logs? That they will spot patterns that look like normal accesses but really came from an unauthorized attacker? Do you think they will even have access to the systems in question without having to track down an administrator?

There are companies that have the forethought (or experience) to make such a forensic exercise relatively fast and accurate, but these companies are the exception, not the rule, and even for those that have their shit together, investigations like this could take WEEKS to reach a meaningful conclusion about what data was compromised. You might know *something* after 72 hours, but in many cases this will be far from a "full report".

Nepotism (0)

Anonymous Coward | about a year ago | (#44098411)

I bet the kid of an EU official was tasked with implementing a heartbeat server, couldn't hack it, and the parental unit thought: let's make every ISP implement a "Still hacked by the NSA" website that refreshes every 24h.

If they didn't have data... (1)

Anonymous Coward | about a year ago | (#44098419)

Suppose ISPs (and that includes telcos) were required to only provide connections, and no other products: they simply provided a wire and a router for a monthly bill. They could have no data at all about you aside from how to bill you. Now suppose they perform competitive bidding to provide service to a separately maintained database of customers (or multiple such databases if you dislike centralization) which handled billing. Then the ISPs don't even have your billing information, and in the case of wireless providers might not even know where you live. If logging is necessary for some reason (perhaps billing per amount of bandwidth), this can be very short term (seconds), aggregated in volatile memory and streamed off to another company (perhaps the billing one in the case of bandwidth-based billing). So at most what they have on site is an in-memory note of how much bandwidth an unknown user consumed in the last few seconds. This is easy to audit.

The key to applying capitalism effectively here is to ban vertical integration, and set up specific and simple-to-regulate levels at which competition takes place. Then you can have good competition and regulate the state that companies at each level are allowed to maintain. A stateless router ISP is little threat to privacy or freedom (and it's cheaper!).

In the wireless case, you would split up providing cells from providing service to customers, meaning every customer can use every cell (for the existing cell installations that means more coverage for the average user, and smaller cells for less noise, lower power and higher bandwidth). Companies bid to construct cell towers (and/or are paid based on the amount of traffic they serve), and different companies make contracts with customers.

The privacy is better, the freedom is harder to infringe on, the market competition is better (and thus better prices) and the efficiency of the service is higher (no more needlessly overlapping cells).

Re:If they didn't have data... (1)

moronoxyd (1000371) | about a year ago | (#44098573)

Now suppose they perform competitive bidding to provide service to a separably maintained database of customers (or multiple such databases if you dislike centralization) which handled billing.

So... instead of having to hack the databases of all service providers, an attacker would only have to hack one (or a small number of) database(s) to get the data of all consumers?
Now that's progress.

Re:If they didn't have data... (0)

Anonymous Coward | about a year ago | (#44098617)

It's progress that there would be no information about your browsing activity stored anywhere related to the ISP. No logs associating you with your IP either. And it would be in a manner such that you could enforce that. Given the 5 strikes piracy thing we have going around now, bandwidth capping and all kinds of other junk, it's clear that they are keeping a lot of data that we would prefer them not to. I wanted to point out a way to force them to not keep this data, and to act as unbiased common carriers.

If there is a specific fear/worry about ISPs getting hacked and leaking data, I assumed the fear was not the customer list, but other things.

Yes, storing the state in a third party location does not make it invincible, but it makes it easy to limit what is stored, and easy to regulate and audit for security purposes.

Re:If they didn't have data... (1)

drinkypoo (153816) | about a year ago | (#44099169)

It's progress that there would be no information about your browsing activity stored anywhere related to the ISP.

It's progress from the view of the state, which would very much like that information centralized. But it's the opposite from the point of view of The People, who would prefer that governments have to jump through as many hoops as possible before viewing data that doesn't belong to them.

Yes, storing the state in a third party location does not make it invincible, but it makes it easy to limit what is stored,

No easier than storing it anywhere (everywhere) else

and easy to regulate and audit for security purposes.

Yes, where "security" is euphemistic.

Re:If they didn't have data... (0)

Anonymous Coward | about a year ago | (#44098581)

You are just moving the problem. It wouldn't be any harder to hack the service provider that now is providing the services ISPs are no longer allowed to offer, e.g. hacking the email provider.

Re:If they didn't have data... (0)

Anonymous Coward | about a year ago | (#44098651)

Yes, you are correct that moving things around does not protect them. However, if the places that are allowed to log things have very little access to information (like the deep packet inspection Comcast can do to see if you are stealing movies they also provide over their TV system), there will be less privacy-violating data to steal.

ISPs get to spy on (log, throttle, report to the NSA or even block) all your traffic. If they also have contracts with the MPAA for selling movies, targeting ads etc., there are issues where profits conflict with privacy (they have an incentive to log and inspect stuff) and freedom (they have an incentive to throttle and block stuff). If you ban operating in other product/service areas, problem solved: no logging/inspection is the cheapest thing to do (and you can regulate it to be required if you want, since they won't oppose such laws).

You have a choice about who is your email provider, and what you send them, but it's pretty hard to decide you don't like your ISP and choose another (there are not many in any given area, since that would be inefficient under the current system). The fact that most of the ISPs are crap does not help here either.

GCHQ spying was a data breach (4, Insightful)

Anonymous Coward | about a year ago | (#44098421)

EU Privacy directive is still law, EU Right to Privacy is still written directly into UK law. RIPA does not trump the fundamental rights, and it didn't give them permission:
http://www.legislation.gov.uk/ukpga/2000/23/section/1

"(4)Where the United Kingdom is a party to an international agreement which—
(a)relates to the provision of mutual assistance in connection with, or in the form of, the interception of communications,
(b)requires the issue of a warrant, order or equivalent instrument in cases in which assistance is given, and
(c)is designated for the purposes of this subsection by an order made by the Secretary of State,
it shall be the duty of the Secretary of State to secure that no request for assistance in accordance with the agreement is made on behalf of a person in the United Kingdom to the competent authorities of a country or territory outside the United Kingdom except with lawful authority."

You didn't have a UK court order, so you didn't have lawful authority to intercept UK comms. It was done illegally. You cannot transcribe a mass surveillance directive FISA warrant into UK law and pretend it gives you UK lawful authority. FISA law does not apply to UK, a FISA warrant does not count as lawful authority. If it did, then American law would count as lawful authority over any UK law.

Without even getting into whether a US law that violates the 4th Amendment is lawful authority or not. It is not lawful in the UK. It is not lawful under RIPA.

So the companies who assisted in this, need to come forward and report what they did as a data breach. Because that is what it is. Parliament rules UK, not GCHQ, not NSA.

In particular Vodafone is buying Deutschland Kabel, and Vodafone's network in Greece was spied on in 2004, so the Germans need to ensure their network is secure from extra-legal surveillance before allowing that to go ahead. Answers are needed.

It may be "legal" under UK law (1)

Camael (1048726) | about a year ago | (#44098855)

Full credit to this article at the London School of Economics and Political Science [lse.ac.uk].

It is clear that FISA allows the US to target ‘persons reasonably believed to be located outside the United States to acquire foreign intelligence information’. Arguably, when intelligence already in the hands of an agency such as the NSA is handed over to the GCHQ, there is little, if any, legal regulation or oversight in that situation as the RIPA applies only when the GCHQ gathers the data itself. If the data is simply provided to the GCHQ by the NSA pursuant to The Security Service Act 1989 and the Intelligence Services Act 1994 there is no legal requirement for a UK court warrant.

Also RIPA does not apply where the information on UK residents is harvested outside of the UK (e.g. harvested from Google servers based in the US).

Abuse may have already begun (1)

Camael (1048726) | about a year ago | (#44098883)

I forgot to add that while I'm sympathetic to your point of view, it appears that from a purely legal point of view, the authorities appear to have ensured that their actions are clothed with a fig-leaf of legality. Whether their actions have any moral justifications is an entirely different matter.

What is particularly repugnant is that these overly broad surveillance powers may have already been used to target civil liberty groups [guardian.co.uk] in the UK. I would think that it is a clear abuse of power to spy on parties perceived to be 'anti-government' instead of the terrorists they ostensibly were meant to root out when the laws were enacted.

Why so specific? (1)

Anonymous Coward | about a year ago | (#44099129)

Am I missing something here..? Why ISPs and telcos?

If it's important enough to set up new legislation/regulation then shouldn't this apply to _any_ corporation?
Shouldn't Amazon, eBay and your banks be similarly accountable? I know I'd be a lot more angry if my bank exposed my personal and financial details than my ISP.

Gap between when breach occurs and "detected" (1)

kye4u (2686257) | about a year ago | (#44099141)

Does this mean that companies have to report the breach after it actually occurs, or when they "notice/detect" that it occurred?
Keep in mind there can be a significant gap between when something happens, when it is noticed, and when it is "officially" reported by the company.