Another Pop Quiz: Apple, Pimple Popper Lite and Reading Your Wife's E-Mail. What Do These Have In Common?

Pop quiz, hotshot! (Using the same Speed reference in two posts.  You would think it's the only DVD we have.)

What is the common element among Apple, an app called Pimple Popper and a guy in Michigan that read his wife's e-mail?  The answer is that they have all been accused of violating computer security laws. 

Of course, there's more to the story.

First, let's visit the Michigan defendant.  The guy in question was in the throes of a divorce.  He had suspicions regarding his wife's monogamous instincts.  She kept her passwords in a notebook (dead tree variety) next to a computer that was shared by the couple.  He "hacked" her account by opening the notebook, finding her password and using it to access her Gmail account.  Supposedly he found that she was, in fact, having an affair with her second ex-husband.  Our hero is hubbie number 3.  Hubbie number 2 (the one now getting the action) had been convicted of beating the wife in question in front of her child (the progeny of hubbie number 1).  Still with me?  Our hero (hubbie number 3) was concerned about the possibility of continued abuse and took the information he found to hubbie number 1.  The wife, of course, found out, contacted the prosecuting attorney, and hubbie number 3 (our hero) is now charged with violating the following statute:

"A person shall not intentionally and without authorization...Access a computer, computer system or computer network to acquire...or otherwise use the service of a computer program, computer, computer system or computer network."  Michigan Statute 752.795

The prosecutor's justification is that the defendant is a computer technician and he used his "skills" like a hacker to access the e-mail.  Violation of this statute in Michigan is a felony with a potential jail term of five years.

What of Apple and the Pimple Poppers?

This week, a number of defendants were sued in the Northern District of California.  The defendants include the makers of the iPhone apps Testplus4, Pandora, Paper Toss, Weather Channel, Dictionary.com, Talking Tom Cat, Pimple Popper Lite and Pumpkin Maker and, of course, Apple, because the plaintiffs claim that Apple approves all of these apps through the inspection process of the App Store.  The suit further claims that all of these apps take advantage of the UDID (Unique Device Identifier) and pass information like location, etc. along to advertisers without the user's knowledge.  Since the UDID is assigned to each device and can't be changed, it works much better for this purpose than cookies.

Along with a request for damages and other stuff, the plaintiffs claim that the defendants have violated a California statute (Penal Code 502[c]) that penalizes someone who "...knowingly accesses and without permission ... uses any data, computer, computer system or computer network in order to ... wrongfully control or obtain any money, property or data."

For those of you that are our Texas brethren, there is a Texas statute that makes it a Class B misdemeanor to: "...knowingly access a computer, computer network, or computer system without the effective consent of the owner" (Penal Code 33.02) if the amount of money involved is less than $1,500 or nothing at all.  The offense gets progressively worse if bigger amounts of money are involved and goes to a first degree felony if the amount exceeds $200,000.

So, we have iPhone apps, the big Apple mothership itself and a jilted husband ostensibly seeking to protect a child that could all be possibly implicated under any of these statutes. 

Too much?  None of this is final yet.  Stay tuned.

Not Content To Wait On COICA, HSA and ICE Seize Domain Names

This notice did not appear on our site (yet), thankfully, but about 70 sites were hit with this over the holiday weekend.

We recently posted on the pending legislation called COICA and noted that the forces that be were quickly drawing lines in the sand and standing rather firmly on their side of the line.  Interestingly, Homeland Security and Immigration and Customs Enforcement supposedly obtained warrants and seized the domain names of these sites, which they alleged are infringing, either by committing copyright infringement or by selling counterfeit items.  As noted by this article in Techdirt, the seizure was only of the domain names and not of the equipment or other assets, so some of the sites merely changed their top-level domains (e.g. .com to .info), put out the word on Twitter and continued business.

Some people are worried by the apparent lack of due process in this matter and the potential for abuse.  Others are worried by the level of infringement and counterfeiting and the loss of revenue as a result.  This would call into question the need for COICA if HSA and ICE already possess these powers.  There should be a serious discussion of this whole process as the COICA legislation progresses.

The Legal Defensibility Era: The Convergence of Security and Legal Risk

With each passing day we are providing more and more personal data to companies through online transactions, social networks, and cloud computing.  Concurrently, there is also a growing framework of laws, regulations and contractual obligations governing how companies should treat this information.  These colliding paths are creating what has been dubbed "The Legal Defensibility Era."  David Navetta of the Information Systems Security Association (ISSA) has written an excellent article outlining this trend and highlighting several important issues that companies must focus on to properly handle data in this new era.

The focus of legal defensibility is understanding how a plaintiff's attorney, judge, jury, or regulator will view an organization's security posture in light of applicable legal requirements.  Under a legal defensibility analysis, security choices become legal positions or arguments to be used to persuade legal decision-makers that an organization's security was legally sound, and to increase the likelihood that a judge, jury, or regulator will find a company legally compliant.  Ultimately, there may not be a clear "right" or "wrong" answer, but rather a more or less persuasive legal argument/position on security.

To create an effective legal defense, companies should create a security plan with the view that a security incident is a "when" and not an "if."  Companies must create an adequate security policy, abide by that policy, comply with the appropriate laws, regulations, and industry standards, and ensure that their vendors are also handling personal information with the appropriate level of care.  With the advent of cloud-based services, the last point is becoming extremely important.  Companies should effectively scrutinize their vendors' security policies and procedures before agreeing to transmit personal information to them.  Focusing on legal defensibility will require more communication and cooperation between a company's IT and legal departments to effectively implement security policies in this new era.  Additionally, for a viewpoint from the security professional side, check out this article.