IT Compliance Advisor


February 13, 2012  7:13 PM

EPIC pushes for more investigation surrounding Google privacy policy

Ben Cole Ben Cole Profile: Ben Cole

Since January, the Electronic Privacy Information Center (EPIC) has pushed for further Federal Trade Commission (FTC) investigation into Google’s online consumer privacy practices. The sometimes testy back and forth got testier last week, when EPIC sued the FTC in an unusual effort to prevent implementation of a new Google privacy policy.

EPIC requested a federal judge issue a temporary restraining order and injunction requiring the FTC to enforce a consent order that Google agreed to last year. The issue has a sense of urgency, considering the new Google privacy policy (which EPIC says violates the consent order) is scheduled to go into effect March 1.

To speed the process, a federal district court judge has ordered an accelerated briefing schedule in response to EPIC’s complaint. The court gave the FTC until Friday to respond to EPIC’s complaints, and EPIC is required to respond to that by Feb. 21.

But Google has already started defending its compliance with the FTC’s original consent order: In a lengthy January self-assessment submitted to the FTC, Google’s legal counsel reported the company “is acting in a manner consistent with its public representations regarding the privacy and confidentiality of its covered information.”

So the question remains: Are the efforts surrounding the new Google privacy policy on the up-and-up, or a case of bait and switch?

Google insists the new privacy policy increases transparency and user control surrounding information tracking. EPIC and other critics, however, contend the privacy policy changes will end up helping Google’s bottom line: They say the new policy allows Google to comb user data without consent, and will unethically assist Google’s advertising by violating online consumer privacy.

What do you think? Is the new Google privacy policy more of the same, making user information available to outside parties without proper user consent? Or is Google taking the necessary steps to comply with FTC mandates to protect online consumer privacy? Or is it somewhere in between, with Google taking steps in the right direction on its privacy policy, but steps that are not nearly big enough?

Until these questions are answered, the questions surrounding Google’s online privacy practices remain.

February 6, 2012  9:42 PM

Like SOPA, Anti-Counterfeiting Trade Agreement draws ire

Ben Cole Ben Cole Profile: Ben Cole

After shooting down the Stop Online Piracy Act (SOPA), protesters opposing broad online antipiracy legislation have a new target: the Anti-Counterfeiting Trade Agreement. And this time, the protests are on a global scale.

The Anti-Counterfeiting Trade Agreement is designed to establish international standards for intellectual property rights enforcement. It establishes legal frameworks for targeting counterfeit goods, generic medicines and Internet copyright infringement. The agreement was signed by Australia, Canada, Japan, Morocco, New Zealand, Singapore, South Korea and the United States in late 2011. Last month, the European Union and 22 of its member states joined them.

But protesters — perhaps bolstered by the shelving of SOPA of Project IP — are not allowing the Anti-Counterfeiting Trade Agreement to go through without a fight. The international citizens group Avaaz is seeking 2 million signatures for a petition to drop the agreement (it already has 1.75 million). Last weekend, thousands of people marched in the Slovenian capital of Ljubljana to protest it. The worldwide protests have led some countries, including Poland, to delay the agreements ratification process.

Supporters of the Anti-Counterfeiting Trade Agreement say it would decrease pirating of copyrighted works. Intellectual property-based organizations such as the Motion Picture Association of America helped with its development. Protesters, however, say it is an assault on freedom of expression and that opinions from all sides were not considered in the negotiation process.

Do these traits sound familiar?

Protesters showed what can be done after legislators backed off of SOPA and Project IP following public outcry. Now, with the whole world watching, they’re trying to get their voices heard again.


January 30, 2012  6:36 PM

Online privacy policies take over antipiracy as top Internet headline

Ben Cole Ben Cole Profile: Ben Cole

After weeks of nonstop talk (including a lot of criticism) of SOPA and other antipiracy legislation, protecting online privacy is back in the news. The switch in focus came as the European Union announced sweeping changes to its data protection rules and Google released details of its new privacy policy, which goes into effect March 1.

Both the EU and Google insist that they are making the changes to streamline online privacy policies. The European commission said its 27 member states have implemented its data protection rules differently, “resulting in divergences in enforcement.” The EU changes incorporate a single set of data protection rules that will be valid across all member countries. The changes to the online privacy policy will reduce unnecessary administrative requirements, saving businesses around €2.3 billion a year, according to the EU.

When announcing its changes, Google said it was replacing 60 different privacy policies with “one that’s a lot shorter and easier to read.” Under the new policy, for the first time Google Account users could have their information cross-referenced among several of Google’s sites. By treating users as a single entity across Google products, Google said it can provide better search results, ads and other content.

Of course, like everything else surrounding big online security and privacy changes, these two announcements were not without controversy. Critics of the EU’s new data protection rules say complying would hinder Internet innovation and create expensive, unnecessary new regulations for companies. (These criticisms were similar to those surrounding SOPA and antipiracy legislation, and we all know how well that turned out.)

Speaking of legislators, some were quick to point out detriments to Google’s new privacy rules. Reps. Edward J. Markey (D-Mass) and Joe Barton (R-Texas) have already sent a letter to the FTC saying Google’s new policy violates the agreement the company came to last year after privacy questions arose around Google Buzz.

So it sounds like these two big announcements are just the start of what will likely be a lengthy discussion of the best way to protect online privacy. In both the EU data protection revamp and Google’s new privacy policy, the two entities are trying to bolster business while at the same time protecting online privacy. It will be interesting to see if online privacy regulators and business can meet in the middle and best protect both commerce and the personal information of users. It definitely won’t be easy.


January 20, 2012  6:51 PM

Did protests of SOPA and other antipiracy legislation work?

Ben Cole Ben Cole Profile: Ben Cole

It was an eventful week for Internet-related antipiracy legislation, to say the least. After threatening for weeks, Internet giants such as Wikipedia and Google participated in a day-long “blackout” Wednesday in protest of the House of Representative’s Stop Online Piracy Act (SOPA) legislation and its Senate counterpart, PROTECT IP.

But did it work? After all, it’s not like the sites were completely shut down for 24 hours. Users could still access most of the sites participating in the protest; they just had to bypass literature outlining why the protesting sites equate SOPA and PIPA compliance with Internet censorship.

It definitely brought more attention to the controversial legislation, if nothing else. The blacked-out sites encouraged users to contact their legislators to protest the bills, and many did. Following the blackout, approximately 10 senators and nearly 20 House members announced their opposition to the antipiracy legislation as written, according to the New York Times. Among the flipped was Sen. Marco Rubio (R-Florida), one of the co-sponsors of PROTECT IP.

Today, Senate Majority Leader Harry Reid announced he was delaying a PROJECT IP vote scheduled for Jan. 24. House Judiciary Committee Chairman Lamar Smith (R-Texas) also announced a postponement of moving forward with SOPA antipiracy legislation “until there is wider agreement on a solution.” To help create this wider agreement, Christopher Dodd, chairman of the Motion Picture Association of America (MPAA), has called for a summit meeting between Internet companies and content distributors, in an effort to reach a compromise.

Until then, the protests keep coming: After the federal government shut down the website Megaupload and charged seven people with Internet piracy, the protest group Anonymous threw its weight around, briefly attacking and shutting down the websites of the Department of Justice, the MPAA and the Recording Industry Association of America.

So, it’s clear that the online antipiracy legislation fight is far from over. Legislators need to strike the right balance between the needs of critics who contend the legislation is unconstitutional, and the rights of those who want to protect their intellectual property.

Both sides (each with huge influence, by the way) have a valid argument designed to protect the way they do business. It will be interesting to see how legislators respond.


January 13, 2012  7:44 PM

EPIC letter questions Google’s online consumer privacy

Ben Cole Ben Cole Profile: Ben Cole

Just last April, Google Inc. settled Federal Trade Commission (FTC) charges that it used “deceptive tactics and violated its own privacy promises” to consumers when it launched Google Buzz in 2010. Now, some critics claim Google still hasn’t learned from its online consumer privacy mistakes.

In a letter to the FTC, the Electronic Privacy Information Center (EPIC) is pushing for an investigation because of more Google Search changes. EPIC said the inclusion in Google Search results of personal data, such as photos and contact details gathered from Google Plus, raises “concerns related to both competition and the implementation of the commission’s consent order.”

Under the settlement reached with the FTC in April, Google was required to implement a comprehensive privacy program and submit regular, independent privacy audits for the next 20 years.

“Google allows users to opt out of receiving search results that include personal data, but users cannot opt out of having their information found by their Google+ contacts by Google Search,” EPIC Executive Director Marc Rotenberg wrote in the letter to the FTC. “In contrast, Google allows content owners to remove pages from Google’s public search results.”

The EPIC letter also contends Google’s changes create potential antitrust violations because the company prioritizes its own content when returning search results.

In Google’s official blog earlier this week, Google fellow Amit Singhal wrote a lengthy post outlining and explaining the benefits of Google Search Plus Your World. Singhal touted what he called the new feature’s “unprecedented” security, transparency and control. The company has also posted accolades from analysts and consumers touting Google’s Search Plus Your World.

The FTC has yet to comment publicly on EPIC’s letter and call for another investigation into Google’s online consumer privacy practices. But it’s worth noting that the last couple of times EPIC made similar complaints against high-profile Internet companies, it resulted in privacy-related FTC settlements for both Google and Facebook with the FTC.


January 6, 2012  7:49 PM

Big online business ‘open’ to Stop Online Piracy Act alternative

Ben Cole Ben Cole Profile: Ben Cole

Internet giants — including eBay, Google, Facebook and Twitter — reportedly are considering a simultaneous “blackout” of their sites in protest of the Stop Online Piracy Act. Now they are throwing their weight behind an alternative bill.

The Stop Online Piracy Act has been slammed publicly by Internet companies since it was released a few months ago. Under the act, the U.S. Department of Justice and copyright holders could seek court orders against websites accused of copyright infringement. Those orders could include bans on networks and payment facilitators that would prevent them from doing business with the allegedly infringing websites, barring search engines from linking to them, and requiring that Internet service providers block access.

The (very vocal) opponents of the Stop Online Piracy Act say compliance amounts to Internet censorship and would increase compliance costs for organizations dramatically.

A compromise could be on the horizon, however: The Online Protection and Enforcement of Digital Trade (OPEN) Act has been introduced by Rep. Darrell Issa (R-Calif.) and Sen. Ron Wyden (D-Ore.) as an alternative to the Stop Online Piracy Act and its Senate counterpart PROTECT IP.

The OPEN Act would allow intellectual property holders to petition the International Trade Commission to investigate whether a foreign website’s only real purpose is to infringe on U.S. copyrights and trademarks. Proponents say OPEN takes a narrower and more targeted approach to combating online infringement than other proposed legislation does.

The OPEN Act ensures that only legitimate cases are pursued, and provides clear standards for companies to follow in enforcing intellectual property rules, supporters add. AOL, eBay, Facebook, Google, LinkedIn, Mozilla, Twitter, Yahoo and Zynga have written a joint letter announcing their support. The Internet companies say OPEN correctly targets “rogue sites” rather than law-abiding Internet companies.

And of course, OPEN has the support of — rather than vitriol from — such Internet giants as Google and Facebook. That’s likely to be a major factor as the infringement laws move through the ranks in the next several months. But OPEN has powerful critics as well: The entertainment industry, for one, says OPEN would not effectively prevent piracy, which was one of the major drivers of SOPA. Stay tuned.


December 8, 2011  8:26 PM

Push for Dodd-Frank Act regulations continues — at least for now

Ben Cole Ben Cole Profile: Ben Cole

With Chris Dodd already in Hollywood, Sen. Barney Frank’s retirement announcement last month led some to speculate the push for Dodd-Frank Act regulations would retire with him. The controversial financial regulation act has faced criticism and pushes for its repeal since it was proposed. With Frank’s retirement, its backers are losing their most outspoken supporter.

A Politico headline stated that Dodd-Frank (officially called the Dodd-Frank Wall Street Reform and Consumer Protection Act) now has “a murky future” due to Frank’s announcement. The article went on to say that despite Frank’s retirement having little impact on the act in the short term, “Republicans are salivating” at the chance to repeal it.

Two Senate Banking Committee hearings showed pushing through Dodd-Frank Act regulations is still a goal in some circles. On Dec. 6, the committee held an oversight hearing on the implementation of Dodd-Frank, with representatives from the Treasury, Federal Reserve and the SEC testifying. The hearing was designed to examine progress in implementing the act, and to explore how it could ultimately improve the stability of the U.S. financial system.

Senate Banking Committee Chairman Tim Johnson noted that some of the most complex Dodd-Frank Act regulations remain under consideration, and that he would like a timely resolution of these rules.

“I recognize that these rulemakings are difficult, but this is the time when tough decisions have to be made by our regulators,” Johnson said during opening statements at Tuesday’s hearing. “While our economy is starting to show signs of recovery from the financial crisis, the ongoing turmoil in Europe is a stark reminder that we must continue to monitor threats to financial stability.”

The financial regulation theme continued the following day, when the committee hosted another hearing titled “Enhanced Supervision: A New Regime for Regulating Large, Complex Financial Institutions.” Just the sound of it invoked thoughts of the overarching goals established by Dodd-Frank Act regulations. Also this week, Johnson released a scathing statement lambasting Senate Republicans after they voted to block Richard Cordray’s nomination to be the first director of the Consumer Financial Protection Bureau.

Frank is not likely to spend his last year in office quietly preparing for private life. He will no doubt spend a good portion of it loudly pushing for his namesake bill’s implementation. But implementing the sweeping Dodd-Frank Act regulations has already faced several delays, mostly due to its complexity. What if the financial crisis continues and Dodd-Frank detractors convince more people its rules would hinder job creation? What if President Obama is not re-elected and cannot veto a repeal of the act? If these delays continue, will it be held up long enough for its detractors to water it down in order to pacify the financial institutions the rules are designed to reign in?

With the attention paid to it this week, it at least shows that the Dodd-Frank Act is not going to fall by the wayside. But for it to have any teeth, Democrats and supporters will have to get moving … or find another (loud) voice to replace Barney Frank’s push for financial reform. Tim Johnson, are you listening?


December 6, 2011  7:27 PM

The top 10 compliance risk management questions you should be asking

Kevin Beaver Kevin Beaver Profile: Kevin Beaver

When it comes to IT governance, it’s one thing to have staff completing compliance risk management processes; it’s quite another to be confident that everything is indeed in line and secure. Understanding your level of compliance and how it relates to business risk is more than simply asking IT staff: “How are things?” or “Are we secure?”

The best way to ensure that you’re getting good information surrounding compliance risk management is to trust but verify. Asking the right questions and getting involved with the security management process are sure ways to bring light to some issues that have been shrugged off or even undetected — sometimes for years. Here are some pointed questions you can ask of those responsible for day-to-day network and system administration to ensure that you’re not creating a monster by making high-risk assumptions:

1.       What high-priority items were found during our most recent Web application penetration test? What’s the plan for fixing these issues?

2.       What patches were missing during our last vulnerability scan?

3.       Why are patches continually showing up as missing on our Windows servers and database systems?

4.       How are we managing event logs and correlating potential security incidents? How long are these logs being kept?

5.       Our passwords seem pretty secure for our main network logons, but what about for our Web applications, firewalls and all the random database servers scattered around the network?

6.       Given our current configurations, what’s the business risk of someone losing a laptop or having their smartphone or iPad stolen?

7.       What security incidents have been prevented over the past “X” number of months?

8.       How do we know our traditional desktop antivirus software is actually keeping our endpoints secure?

9.       What are we doing to proactively prevent data from leaking out of the network unnoticed?

10.   Have you seen any protocol anomalies on the network recently when compared with your known baseline? Are any odd systems like workstations, smartphones and rarely-used servers showing up as top talkers on the network?

This is hardly an exhaustive list, but these are some of the major security oversights and risks I see on a consistent basis. If everything appears to be hunky-dory in IT, odds are you need to probe further. Complacency, poor time management and the desire for job security often get in the way of what’s really going on.

One of your main goals for compliance risk management should be to ensure you’re getting the right information at the right time so you, your peers and your executives can make the right decisions. Anything short of this will merely set your compliance program up for failure in the long term.


November 29, 2011  3:04 PM

Private sector inherent to U.K. cybersecurity strategy

Ben Cole Ben Cole Profile: Ben Cole

Federal governments all over the world have become increasingly hands-on with cybersecurity strategy and online privacy, but businesses have sometimes been critical of new rules that they say will hurt their bottom line.

Look at the controversy surrounding the U.S. House of Representatives’ Stop Online Piracy Act. The act would allow the Attorney General to seek injunctions against foreign websites that steal and sell American innovations and products, and would increase criminal penalties for individuals who traffic in counterfeit medicine and military goods. While these traits may sound like music to online businesses’ ears, a letter protesting the act (signed by representatives from names you may have heard of like AOL, eBay, Facebook, Google and Twitter) expresses concern that it poses a “serious risk to our industry’s continued track record of innovation and job creation, as well as to our nation’s cybersecurity.”

But in announcing new details that are part of its new £650m cybersecurity strategy, the U.K. government is trying to strike a balance between protecting consumers, online information and good business sense. Just look at the government’s tagline when heralding the initiative, which it calls “a new era of unprecedented cooperation between the government and the private sector on cybersecurity.”

The cybersecurity strategy is unique in that it sets up a joint public/private-sector cybersecurity “hub” designed to allow the U.K. government and the private sector to exchange actionable information on cyberthreats and manage cyberattack response. A pilot program surrounding this initiative will begin in December with five business sectors: Defense, telecommunications, finance, pharmaceuticals and energy.

The strategy is also encouraging industry-led cybersecurity standards for private-sector companies. Instead of just selling this as new mandatory regulations, the U.K. cabinet says the standards would give businesses a competitive edge by promoting themselves as certifiably cybersecure. The U.K. will also develop a program to certify cybersecurity specialists by March, with the ultimate goal to increase the skill levels of information assurance and cybersecurity professionals.

Minister for Cyber Security Francis Maude said a closer partnership between the public and private sectors is crucial to the success of the cybersecurity strategy, and this is what some of the U.S. efforts are missing. When working to strike this proper balance between the interests of cybersecurity and business, it’s obviously important to take into consideration the best interests of both parties. The U.S. and other countries could learn from the U.K.’s cybersecurity initiative. Working closely with the private sector will likely create a more congenial environment by demonstrating that the government is trying to help, rather than impose heavy-handed restrictions to secure online information.


November 21, 2011  5:14 PM

Address information risk management now — before the going gets tough

Kevin Beaver Kevin Beaver Profile: Kevin Beaver

Information risk management impacts each and every one of us both professionally and personally. Yet we still can’t seem to properly grasp managing information risk and put it into action. The problem is the bad guys — external hackers, organized cybercrime rings, malicious employees and the like — know what’s really going on.

They know that compliance is a joke in many enterprises. They know that security audits often gloss over the real issues. They know they have free reign and that the odds are in their favor. The reality is that many people don’t know which side of the risk equation they’re on. They assume they have the clarity, context and visibility they need for managing information risk. But in reality, they’re way behind the eight ball — and don’t realize it until it’s too late.

As IT professionals, we all have a choice of how information risk management is handled in our business. It really boils down to when we address the critical issues. We can do it before an incident occurs, which is not done often enough. We can do it during an incident, which is unrealistic because odds are we aren’t even going to know when it’s taking place. We can do it after an incident, which is still the most common effort I see. Finally, we can just ignore the problem and hope we don’t get bitten.

Savvy IT professionals who see the big picture and think long term choose the first option. They put the proper information risk management systems and processes in place to handle the issues immediately, before the going gets tough.

The essence of effective information risk management involves perspective and good old-fashioned common sense. It’s easy to get caught up in the minutiae and overlook the fact that information risk can be tied directly to business risk. The formula for making information risk management work is to highlight that this control satisfies this requirement or risk, and meets this business need. You have to use this in every IT and security-related decision you make — periodically and consistently over time.

The inability to stop doing things that are no longer working is the primary failure of information security. In IT security, you cannot change that which you tolerate. In most cases, there is no “right” or “wrong” way of managing information risk.

Every business and every situation is different. The key is to do whatever it takes to get the job done in your own environment based on your own circumstances. Taking a proactive information risk management approach is the only viable way to keep things in check over the long haul.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: