There have been a number of articles recently ["1":1, "2":2] about a new proposed law in Westchester County (just north of New York City, for those of you who aren’t from around the area) that will require providers of Public Internet services to install secured and firewalled networks. Much of the writing on this proposed law, called the “Public Internet Protection Act”, claim that it mandates that all Wi-Fi networks in Westchester County be encrypted, and that all such networks are also registered with the County.
In reading the proposed law, now available on the County Government’s website”:3, it seems that much of the criticism is a bit overzealous. I called up the County office and spoke with Andrew Newman of the Westchester County Executive’s Office in order to understand the motivations and specifics of the proposed legislation.
The intent of this proposed law is to specifically protect residents of Westchester County from incidents of Identity Theft, a growing concern amount local legislators who feel that (primarily) financial and commerical institutions aren’t doing enough to protect the privacy and financial records of their customers. They are right to be concerned, though it seems that they may not really be addressing the issue, and are certainly mis-identifying Wi-Fi networks as primary vehicles for such crimes.
The legislation requires that all “Commercial Businesses” that provide “Public Internet” access (whether wired or wireless) to protect via a firewall access to all private information that the business collects and stores, and that the business must file a Notice of Compliance with the County indicating it has secured its network. In instances where such Public Internet services are provided, the County is requiring a disclaimer be displayed that says:
bq. YOU ARE ACCESSING A NETWORK WHICH HAS BEEN SECURED WITH FIREWALL PROTECTION. SINCE SUCH PROTECTION DOES NOT GUARANTEE THE SECURITY OF YOUR PERSONAL INFORMATION, USE YOUR OWN DISCRETION
Further, the legislation requires any “Commercial Business” that stores or uses personal information must install a firewall to protect that information even if they don’t provide Public Internet service. If a business fails to comply with the legislation, there are warnings and then fines that will be levied.
The County will also be putting into place a public education effort to inform its residents and network providers about network and personal information security.
It seems that such Community Network efforts, as well as home and home business networks, are not covered by the legislation. In fact, Mr. Newman indicated that such networks wouldn’t be affected since there is no “goods or services for sale for profit” associated with those networks.
There are, however, a couple of things to be concerned about with this legislation:
* Wireless internet, while given a first class position in this legislation (I appreciate the attention), is of minor significance when considering _how_ identity theft currently happens in this country. The vast majority of identity theft happens through other means, including equipment theft and even over the phone.
* Most identity theft happens via centralized datacenters, outside of the local jurisdiction of the county government. This proposed law does _nothing_ to protect residents from any potential identity theft issues that are outside of the County lines. The vast majority of incidents will happen in other locations, but will affect local residents. While its important to ensure that _everyone_ who collects personal and financial information protects this data, merely securing wireless networks from hacking a single type of hacking isn’t going to do much, and will provide a false sense of security. If you process credit cards, then you have lots of credit card receipts with signatures on them.
* Wireless hacking is a lot more difficult than these legislators think. Yes, I too can drive around a downtown area and see dozens or hundreds of open access points. But sniffing a wireless network and extracting private data from computer systems is a lot harder than that. There is an example mentioned in the legislation justification about how the CIO of Westchester County found an open network and logged into a private server (they informed the owner of the network and server of what they found), we shouldn’t be creating legislation based on a single incident, or even a small number of incidents.
* While the goal of the proposed legislation is protecting local residents from Identity Theft, the legislation doesn’t really seem to address this issue. Firewalls are only a partial security feature of any well run and protected network, and there are plenty of other ways for such private information to fall into the wrong hands. In fact, the vast majority of large scale Identity Theft cases result from either an insider stealing the data, or the computer device containing the data being stolen. The legislation doesn’t help in either of these cases, and threatens to make matters worse since it will surely give businesses the excuse that they are “secure” when they follow the County’s legislation, even though they are leaving themselves open for attack on a number of other fronts
* Identity Theft cases cause thousands of dollars (or more) in damages to the people involved. Fining a business only a few hundred dollars to prevent such cases from happening is hardly a deterrent.
* There is a public registration requirement that essentially forces all businesses to register their network security compliance with the County. This amounts to asking all businesses to submit themselves to be monitored by the local government in a way that they have never have been monitored in the past. This seems to be quite an onerous requirement for the vast majority of small and medium businesses, especially since the proposed law casts an unreasonably wide net when determining what businesses are affected.
If such types of legislation are in our future it seems clear that we need far more thought about how to specify some base level of compliance. Requiring businesses to only keep personal information for a limited amount of time, requiring they securely destroy this information, and preventing them from blanket collection of any personal information is a far better way to start protecting personal information: *If you don’t collect it or don’t have it, then someone can’t seal it from you*.
Furthermore, network security is a complicated topic, and we certainly need far better security than just firewalls to protect personal information. I’m not sure of how to specify security requirements, but if necessary, perhaps organizations that keep personal and private data for more than a week or so should have to be audited by a network security professional.
And of course, if any organization is gathering or keeping personal information, public disclosure of this fact, including details about how such inforation is used and how long it will be stored.
Such policies as those I recommend would certainly be _more_ secure than merely firewalling your Wi-Fi networks.
Filed under: Community Wireless, News, Policy