[Infowarrior] - DHS Cyber-Security Too Blase About Citizen Info, Panel Says

Wed Dec 10 23:38:27 UTC 2008

DHS Cyber-Security Too Blase About Citizen Info, Panel Says
By Ryan Singel EmailDecember 10, 2008 | 4:54:35 PMCategories:  
Cybersecurity

http://blog.wired.com/27bstroke6/2008/12/dhs-cyber-secur.html

The government's latest cyber-security efforts are too wrapped in  
secrecy and its privacy assessments downplay citizens' interest in the  
privacy of their IP addresses, a government commission reported Monday.

At issue is a Homeland Security anti-hacking system known as EINSTEIN,  
software which monitors traffic into and out of government networks in  
order to detect abnormal use.

The intrusion detection system is considered a key part of the  
government's multi-billion dollar, highly secretive computer security  
program known as the Comprehensive National Cyber-Security Initiative.

EINSTEIN2, the newest iteration of the detection system, is intended  
to watch over the gateways to all of the government websites in real  
time, in order to spot intrusions or attacks quickly. But to do that,  
software controlled by DHS will need to peer into citizens online  
interactions with the government, including emails.

But sharing traffic data from government websites such as the IRS's  
with the Department of Homeland Security raises privacy concerns,  
according to the Information Security and Privacy Advisory Board,  
though DHS's own assessment dismisses them outright.

"Internet users have no expectation of privacy in the to/from address  
of their messages or the IP addresses of the sites they visit," the  
program's recent Privacy Impact Assessment (.pdf) concluded.

But the NIST group of advisors disagree and all but call that notion  
dangerous.

"Written this broadly, the statement is a change from previous  
government policy that has suggested that there is an expectation of  
privacy based on the use of Internet header information," the group  
told the Office of Management and Budget in a letter (.pdf) sent  
Monday but not yet posted to the NIST.gov website.

They note that the government has turned down government sunshine  
requests for web traffic logs on the grounds that citizens who visited  
a .gov website had a privacy interest in their IP address. Government  
regulators -- particularly in Europe -- are pushing search engines to  
forget IP addresses more quickly, since they can be used to  
reconstruct a person's search history.

The panel, comprised of private sector techies and employees from  
agencies ranging from the National Security Agency to Housing And  
Urban Development, want Homeland Security to make it clear that  
citizens do have privacy rights in the information their browsers have  
to tell government sites.

"We urge OMB to recommend that DHS clarify [...] that any privacy  
interest in IP address and other header information is being  
adequately addressed by DHS through fair information practices,  
considering the significant law enforcement and national security  
interest in use of this information by EINSTEIN2," the group wrote.

While TO: and FROM: lines in messages and IP addresses need to be semi- 
public in order to let information travel across the net, IP addresses  
can easily be used by law enforcement and intelligence agencies as a  
starting point to reconstruct a person's internet usage.

Google, for one, has had its own issues with whether users have a  
privacy interest in the IP addresses it services store. They argued to  
the government that they were in order to keep from having to turn  
over user logs, but then told European regulators that IP addresses  
weren't really personal, when those officials were seeking limits on  
how long search engines could store data.

That argument whipsawed on the company in a Viacom lawsuit over  
YouTube, when a judge ordered Google to turn over all its YouTube user  
logs, citing Google's own arguments about IP addresses.

The group also suggested that the Bush Administration's fledgling  
Comprehensive National Cyber-Security Initiative needed to be  
forthcoming, since many of the privacy assessments created for the  
program aren't public.

That's not unsurprising since the Executive Order laying out  
guidelines for the project -- issued in January by President Bush --  
remains a secret.

Cyber-security finally became a priority for the government last fall.

Homeland Secretary Michael Chertoff wants EINSTEIN to eventually have  
the capability to strike back at attackers, while NSA head Michael  
McConnell has said the NSA will need to sit on the public internet,  
monitoring searches and traffic, to keep the internet running.