The FBI’s quest to expand its hacking authority moved forward last week: A judicial advisory panel approved a rule change regarding how much flexibility judges have in granting search warrants outside the bounds of their geographical jurisdiction. Also in the news recently: The Pentagon launched a research program to protect personal data while making it available to third parties to analyze; a report found that most companies fall short of PCI DSS compliance; and a House of Representatives security committee unveiled a major cyber bill.
U.S. Justice Department approves rule change that could broaden FBI’s hacking authority
A judicial advisory committee voted to approve a rule change last week that would grant federal judges more leeway in how they approve search warrants for electronic records, according to the Justice Department. The panel voted to modify Rule 41, which currently allows judges to approve search warrants but limits those warrants to material physically located within their judicial district. Under the proposed modification, judges would be allowed to grant search warrants for data on computers located either outside their district or in unknown locations. The committee’s vote is only the first of several steps toward adopting the proposal; the Supreme Court has until May 1, 2016, to review and accept the change, and then Congress would have another seven months to reject, modify or defer the amendment.
The U.S. government defended the rule change, saying that the provision needed to be updated to keep up with today’s digital realities. According to National Journal, expanding its powers would allow the FBI to more easily penetrate computer networks to install tracking software and monitor suspected criminals.
Various privacy advocacy and technology groups, however, have spoken out against the change. The American Civil Liberties Union, Google and others warn that the change amounts to a significant rewriting of the provision that could threaten constitutional protections as well as the sovereignty of foreign countries.
Pentagon rolls out new research program to protect personal data online
The Defense Advanced Research Projects Agency (DARPA), the Pentagon’s high-tech research agency, is launching a new program that aims to protect the personal data Americans knowingly provide to companies, health care providers and the government while also making that data accessible to those third parties for analysis. The program, called Brandeis, aims to “restructure our relationship with data by shifting the mechanisms for data protection to the data owner rather than the data user,” according to a document published by DARPA. The agency will spend four and a half years on the program.
Brandeis will look at four major research areas. The first, privacy-preserving computation, involves broadening the range of privacy-preserving data-mining techniques so that personal data can be both protected and shared on a larger scale, as USA Today outlined. The second area, human-data interaction, will focus on developing technologies to help data owners make choices about how their information is being used. The third research area, experimental systems, will provide platforms to test the success of the privacy-preserving computation and human-data interaction work. Lastly, Brandeis will focus on metrics and analysis to enable systems to determine exactly how private the data is; one way to determine this is by quantifying the privacy tax, which refers to “the increase in computational time, memory and storage requirements against the degradation of accuracy of results for any given level of privacy,” according to the DARPA document.
Report finds majority of companies fail PCI compliance tests
Eighty percent of companies fail interim assessments for compliance with the Payment Card Industry Data Security Standard (PCI DSS), according to a report released by Verizon Communications earlier this month. Verizon’s forensics team found that of all the data breaches it investigated over the last 10 years, not one company was compliant with all 12 requirements of PCI DSS at the time its breach occurred.
Still, compliance is up overall, rising in every PCI requirement area between 2013 and 2014 except Requirement 11 (testing security systems), which had the lowest compliance. Additionally, almost twice as many companies were found compliant at interim assessment in 2014 versus 2013 (20% vs. 11.1%); however, the report warns that this is not necessarily good news, given the large percentage of companies that still fail. Sustainability is also low: The study found that fewer than a third of companies were still fully compliant within a year of validation.
The Verizon report also offers guidance on how companies can sustain PCI compliance and improve data security, including fully integrating compliance into their larger governance, risk and compliance strategies, as well as implementing network segmentation and data masking, according to the Wall Street Journal.
House security panel releases cybersharing bill
The Homeland Security Committee in the House of Representatives last week released a bill that would provide legal liability protections to companies that share cyberthreat information with the Department of Homeland Security (DHS). The measure, called the National Cybersecurity Protection Advancement Act, designates the DHS as the “primary interface” for any intelligence sharing between private companies and public agencies, opening the possibility of exchanges with the likes of the National Security Agency (NSA) or the Treasury Department, while not explicitly authorizing them, reported The Hill. The bill also permits sharing among government agencies.
According to The Hill, the committee’s former staff director, Alex Manning, said the language of the bill has been changed from previous iterations to take a stronger stance on privacy in order to appease privacy advocates. These changes include specific guidelines on how the DHS privacy office will monitor the sharing program, as well as strengthened sections requiring companies to redact personal information from the data before sharing it with the government.
While the American Civil Liberties Union backed a version of the bill last year, some privacy advocates may still have objections regarding certain gaps in the current version, such as the possibility of sharing within the government or with the NSA, The Hill speculated.