Integrity Blog

Originally published in The Des Moines Register, December 2015

Electronic Communications Privacy Act

The digital life of everyday Iowans is under continuous attack. As a fellow with the Information Systems Security Association and the president/CEO of Integrity, a national information security consulting firm headquartered in Ankeny, I’m concerned about the lack of action Congress has taken to protect the privacy of the online communications of every American citizen.

In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to establish standards for government access to private information transmitted and stored over public networks. These public networks have become what we now know as the Internet. Nearly three decades ago, Americans had no idea that the Internet would transform the way we live and work. We use cloud providers on the Internet to store our email, phone contacts, pictures, computer backups and more. Our entire digital identity and that of our children is often stored in a large data center somewhere on the Internet. The legislation simply hasn’t kept up with the times.

Under ECPA, government agencies can gain access to anything we store in the cloud without a warrant from a judge. This loophole, written in a time when Americans hardly ever stored anything online, clearly bypasses the Fourth Amendment — a key safeguard against warrantless search and seizure for our personal property. The Fourth Amendment protects our snail mail and the files we physically store in our homes and offices. While it should protect our digital files as well, ECPA as written undermines the Fourth Amendment. ECPA reform would rectify this issue and protect our online lives the same way as our offline lives.

Bipartisan Support for ECPA Reform

Fortunately, bipartisan efforts in the House and Senate seek to bring ECPA into the digital age and close this loophole in Iowans’ online privacy rights. The Email Privacy Act has more than 300 sponsors — a supermajority in the House — making it the most cosponsored bill in the House that has not yet passed. Meanwhile, the ECPA Amendments Act is supported by almost a quarter of the Senate. Reform is also supported by a diverse group of privacy advocates, civil libertarians, former prosecutors, businesses, start-ups, and more than 100,000 individuals across the full political spectrum, yet ECPA reform still hasn’t moved forward in Congress.

Reasons for Resistance

Some law enforcement and civil agencies, such as the Securities and Exchange Commission and the Federal Trade Commission, are attempting to block reform to preserve their special exemptions from the Fourth Amendment, and unfortunately some congressional leaders are listening to these concerns. However, the original ECPA legislation never intended to grant these extraordinary powers in the first place; it set out to protect our digital privacy.

Furthermore, the reform legislation already provides for emergency authority, such as in cases where serious injury or death might occur. Some law enforcement officials claim we would be unable to stop crimes without warrantless searches. Nothing could be further from the truth. When law enforcement is required to work within the bounds of the Constitution rather than take shortcuts, we ensure due process for the innocent and are more assured of conviction for the guilty.

Moving Congress Forward

The support for reform is clear. California and other states have already passed their own versions of ECPA reform in recent weeks. Republicans, Democrats and everyone in between have come together to advocate for our online privacy rights. Now it’s time for Congress to move forward and make real progress to extend full protection of our Fourth Amendment rights to all Americans nationwide.

We use the Internet for just about everything today: emailing family and friends, saving important documents in the cloud, and sharing photos and messages on social media. In the digital age, Americans have a reasonable expectation that our private online messages are indeed private, and we deserve to have our email protected from warrantless search and seizure. With hundreds of thousands of supporters across the country advocating for reform, Congress is running out of reasons to delay.

Most businesses understand the need for 24/7 security monitoring, but deciding how SIEM should be managed is an entirely different conversation. Security and technology teams constantly debate whether SIEM should be handled in-house or by a managed security services provider (MSSP). The following infographic is designed to give insight into the current security monitoring landscape, and poses a few very important questions that every organization should be prepared to answer. Some organizations are built to handle in-house SIEM, but many must rely on expert MSSPs. Which one is right for your business?

[Infographic: Managed SIEM vs In-house SIEM Solution]

Acceptable Use Policies and Rules of Behavior for Wearable Technology

Intellectual capital. Trade secrets. Personal Health Information. These are examples of information that organizations invest significant resources to protect through administrative, technical, and physical controls. A breach of this information, or of a host of other types of information, could result in significant losses for a company: reputation, clients, and finances among them.

Acceptable Use Policies and Rules of Behavior generally tell employees what is acceptable and unacceptable in their use of company IT, email, and social media. However, they don’t usually provide policy or guidance on the use of an employee’s wearable technologies. Though many companies have Bring Your Own Device (BYOD) policies and are implementing mobile device management, wearable technologies are not normally considered. “May we install an encrypted container on your smart watch?” may draw some inquisitive looks from employees.

Today, large manufacturers are “all-in” with the Internet of Things (IoT), investing millions of dollars in the next great wearable technology, as well as other IoT technologies. Smaller sensors, improved miniature batteries, and various forms of communication – Bluetooth and ZigBee among them – are making wearable technologies possible. But if your organization is not assessing the risks that wearable technologies pose to its security and privacy, it should.

Already, “connected” watches, eyewear, jackets, gloves, and even shoes are on the market. These technologies are proliferating quickly, adding to the potential risks that organizations need to consider. While Google Glass was in development and getting a lot of attention, “smart eyewear” such as PivotHead was already on the market. Up to 1080p video capture. Check. 8 megapixel photos. Check. Audio capture. Check. Wi-Fi and 4G LTE compliant. Check. All from what looks like a (fairly) normal pair of sunglasses. Oh, and don’t forget the live broadcasting. Check.

Life-logging devices, such as Narrative (formerly Memoto), have already been introduced into work areas, silently snapping photos and sending those photos to the user’s cell phone. Compare this device’s form factor with the seemingly innocuous Tile, which helps a user find their keys (or other Tile-equipped belongings).

The Kapture wrist-worn audio recording device could easily be mistaken for an activity tracker by others in the meeting, all while it sends audio clips to the user’s cell phone, the very phone the company asked to be left outside the meeting room.

With a flood of IoT devices – especially wearable technologies – entering the marketplace and company offices, and with limited resources to track all these devices and their capabilities, protecting critical and sensitive data is becoming a real challenge for companies. Organizations should therefore start to include wearable technologies in their risk and security discussions if they are not already doing so. Many of these devices have capabilities that could be used to quietly and surreptitiously capture information, causing a breach or other security incident.

----------
Disclaimer: this blog is not intended to endorse any manufacturer or product.