EU-US Safe Harbor

An interesting aspect of the EU Data Protection Directive is that the personal data of EU citizens may not be transmitted, even when permitted by the individual, to countries outside of the EU unless the receiving country is perceived by the EU to adequately protect that data. This presents a challenge for sharing data with the United States, which is perceived to have less stringent privacy protections. To help resolve this issue, the United States and the European Union created the safe harbor framework, which gives US-based organizations the benefit of authorized data sharing. In order to be part of the safe harbor, US organizations must voluntarily consent to data privacy principles that are consistent with the EU Data Protection Directive.

US Privacy Act of 1974

All governments have a wealth of personally identifiable information on their citizens. The Privacy Act of 1974 was created to codify protection of US citizens’ data that is used by the federal government. The Privacy Act defined guidelines regarding how US citizens’ personally identifiable information would be collected, used, and distributed. As an additional protection, the Privacy Act provides individuals with access to the data maintained about them, with some national security oriented exceptions.

International Cooperation

Beyond attribution, attacks bounced off multiple systems present an additional jurisdiction challenge: searching or seizing assets. Some involved systems might be in countries where the computer crime laws differ from the country prosecuting the crime. Or the country where evidence exists might not want to share the information with the country prosecuting the crime. These challenges can make successful prosecution of computer crimes very difficult.

To date, the most significant progress towards international cooperation in computer crime policy is the Council of Europe Convention on Cybercrime. In addition to the treaty being signed and subsequently ratified by a majority of the 47 European member countries, the United States has also signed and ratified the treaty. The primary focus of the Convention on Cybercrime is establishing standards in cybercrime policy to promote international cooperation during the investigation and prosecution of cybercrime. Additional information on the Council of Europe Convention on Cybercrime can be found here: https://www.coe.int/en/web/conventions/full-list?module=treaty-detail&treatynum=185.

Import/Export Restrictions

In the United States, law enforcement can, in some cases, be granted the legal right to perform wiretaps to monitor phone conversations. What if a would-be terrorist used an encrypted tunnel to carry Voice over IP calls rather than traditional telephony? Even though law enforcement might have been granted the legal right to monitor this conversation, their attempts would be stymied by the encryption. Because cryptography is so effective, many nations have limited the import and/or export of cryptosystems and associated cryptographic hardware. In some cases, countries would prefer that their citizens not have access to cryptosystems that their intelligence agencies cannot crack, and therefore attempt to impose import restrictions on cryptographic technologies.

In addition to import controls, some countries enact bans on the export of cryptographic technology to specific countries in an attempt to prevent unfriendly nations from having advanced encryption capabilities. Effectively, cryptography is treated as if it were a more traditional weapon, and nations desire to limit the spread of these arms. During the Cold War, CoCom, the Coordinating Committee for Multilateral Export Controls, was a multinational agreement not to export certain technologies, including encryption, to many communist countries. After the Cold War, the Wassenaar Arrangement became the standard for export controls. This multinational agreement was far less restrictive than the former CoCom, but it still suggested significant restrictions on the export of cryptographic algorithms and technologies to countries not included in the Wassenaar Arrangement.

During the 1990s the United States was one of the primary instigators of banning the export of cryptographic technologies. The previous United States export restrictions have been greatly relaxed, though there are still countries to which it would be illegal to distribute cryptographic technologies. The list of countries to which the United States bars export of encryption technology changes over time, but it typically includes countries considered to pose a significant threat to US interests. The United States is not alone in restricting export to specific countries it considers politically unfriendly to its interests. Further information on laws surrounding cryptography can be found in the “Cryptography Laws” section of Chapter 4, Domain 3: Security Architecture and Engineering.