
Clips July 29, 2002


ARTICLES

House Approves Homeland Security Bill
ID Theft Turns Students Into Privacy Activists
Military Works on High-Tech IDs
FBI Plans to Fight Terror With High-Tech Arsenal
Class-Action Lawsuits Gain Strength on the Web
Sony loses Australian mod chip case
Privacy still a priority, officials say
Data quality politics
Ashcroft offers TIPS assurances
Labor accepts digital signatures from union filers
Democrats spar with Ashcroft over agency information sharing
U.S. Rep. Mike Thompson on PC recycling
Brands Seek to Knock Off Counterfeiters
French groups demand shutdown of Web site
On the trail of an identity thief

***********************
Washington Post
House Approves Homeland Security Bill
Bush Gets Flexibility To Shape, Manage New Department
By Bill Miller and Juliet Eilperin

After a day-long partisan debate, the House yesterday approved the creation of a massive Department of Homeland Security that would transform the way the federal government responds to emerging terrorist threats.

The measure, which passed 295 to 132, gives momentum to the largest overhaul of the federal bureaucracy since the Defense Department was created more than 50 years ago. The House gave President Bush nearly everything he wanted in shaping a department charged with guarding the nation's borders, protecting potential targets such as the transportation system and overseeing the recovery from future attacks. But 120 Democrats, including Minority Leader Richard A. Gephardt (Mo.), opposed the bill over issues involving workers' rights and other matters.

Bush praised the House afterward for passing what he called "landmark legislation," and said the House had shown "a strong commitment to improving the security of the American people."

Roadblocks to the plan have emerged in the Senate, where Democrats have defied the president by turning down his request to limit the workplace and union rights of the 170,000 employees who would staff the department.

Sen. Joseph I. Lieberman (D-Conn.), head of the Senate Governmental Affairs Committee, which crafted the Senate's version of the bill, said yesterday that efforts to move the bill through the Senate next week, before the August recess, are "in jeopardy" because Sen. Robert C. Byrd (D-W.Va.) and others are considering procedures to delay it.

A spokesman for Byrd said the senator believed lawmakers were "going too fast" and "racing to meet artificial deadlines."

Senate Majority Leader Thomas A. Daschle (D-S.D.) set a schedule yesterday that would devote the beginning of next week to a contentious prescription drug bill, followed by work on Defense Department spending. That leaves little time for homeland security, and Daschle made no guarantees that the Senate would pass a bill next week, saying only that "we also have a need to begin work on the homeland security legislation."

Senate Minority Leader Trent Lott (R-Miss.) estimated that the Senate would require four days of discussions and said the recess should be delayed to wrap it up.

In his strongest language yet, Bush yesterday vowed not to sign any legislation that doesn't include the management flexibility that the Senate version would deny him. The language approved by the Governmental Affairs Committee would make it more difficult to remove workers from unions for national security reasons.

"A time of war is the wrong time to weaken the president's ability to protect the American people," Bush declared, saying he would not accept legislation "that limits or weakens the president's well-established authorities."

Lieberman called the dispute a "tempest in a teapot" and insisted Bush had all the flexibility he needs. Lieberman said his committee gave Bush "more than 90 percent" of what he sought in the reorganization, adding: "So let's all tone down the rhetoric and stop sounding alarms."

Acting after two days of debate, much of it about personnel issues, the House agreed to move all or part of 22 agencies into the new department. The bill has moved through Congress with breakneck speed since Bush first unveiled the plan last month, with many lawmakers hoping to enact it in time to commemorate the one-year anniversary of the Sept. 11 terrorist attacks on New York and Washington.

Lawmakers from both parties agreed that the department would be a critical tool in the government's ongoing war against terrorism. It would be anchored by agencies that include the Coast Guard, the Customs Service, the Federal Emergency Management Agency, the Transportation Security Administration and the law enforcement arm of the Immigration and Naturalization Service.

The department would receive intelligence information from the FBI, the CIA and other agencies and would analyze it to issue warnings about terrorist threats and to recommend beefing up security at potential targets.

In one of its few rebuffs to Bush, the House chose to keep the INS's social service functions within the Justice Department instead of moving them, too.

House Majority Leader Richard K. Armey (R-Tex.), the driving force behind the bill, said it will focus the government's resources "on the defeat of villainy."

But in the floor debate, Minority Whip Nancy Pelosi (D-Calif.) said the bill would create a "bloated bureaucracy" that undermines workers' rights.

Even if the pieces fall into place, numerous questions remain about how the department will work. Many Democrats predicted years of upheaval and spiraling costs, despite assertions from Homeland Security Director Tom Ridge and other White House officials that the new department will save money by eliminating duplication.

Lawmakers from both parties have expressed fears that non-terrorism functions performed by agencies such as the Coast Guard, FEMA, the Secret Service and the Customs Service will be abandoned in a department so riveted on homeland security. Some parts of the new department, such as the INS, have a long history of management problems that lawmakers warned won't be corrected by reorganization.

The key battle yesterday centered on whether to limit the workplace rights of the department's employees. The White House has demanded broad discretion over how to pay and hire, fire and discipline workers, and for the first time on Thursday threatened to veto any legislation that curtails its ability to do so.

"The president has got to have some flexibility," said Rep. Rob Portman (R-Ohio), a key White House ally. "The administration has to mesh 22 agencies together. You cannot do it keeping the agencies intact."

Republican Rep. Constance A. Morella (Md.) joined with Democrats to offer a provision that would have allowed employees transferred into the department to belong to a union as long as their duties did not change. Many unions backed the measure.

"I simply refuse to buy the argument that I have to matter-of-factly give the administration as much flexibility as possible," Morella said. "I am a friend of the president and I think he has done a wonderful job guiding this country through this crisis, but on federal employees' issues, his record is less laudable. In fact, in many areas, I find it unacceptable."

But Republicans beat back that proposal. Instead, the House voted 229 to 201 to allow the president to exempt employees from traditional labor laws if he determined that those protections would have "a substantial adverse impact on the department's ability to protect homeland security." Rep. Christopher Shays (R-Conn.), who sponsored the latter amendment, called it "a reasonable compromise."

There also was much disagreement over a provision in the bill that gives airports an additional year to install devices to detect explosives in baggage, extending the deadline to Dec. 31, 2003. The White House hadn't sought the extension, advocated by Armey and others. It survived in the package.

Virginia Republicans Eric I. Cantor, Jo Ann S. Davis, Thomas M. Davis III, J. Randy Forbes, Robert W. Goodlatte, Edward L. Schrock and Frank R. Wolf and Democrat Rick Boucher voted for the department. Independent Virgil H. Goode Jr. and Democrats James P. Moran Jr. and Robert C. "Bobby" Scott were opposed.

Maryland Democrat Benjamin L. Cardin joined Republicans Morella, Roscoe G. Bartlett and Wayne T. Gilchrist in voting for the new department. Democrats Albert R. Wynn, Elijah E. Cummings and Steny H. Hoyer were opposed. Rep. Robert L. Ehrlich Jr. (R) did not vote.
********************
Chronicle of Higher Education
ID Theft Turns Students Into Privacy Activists
Colleges respond by reducing reliance on Social Security numbers in databases


By ANDREA L. FOSTER

Benjamin M. Brummett, an incoming senior at the University of Texas at Austin, closely guards his privacy.

He doesn't fill in the space on exams that is reserved for a Social Security number. When he gets credit-card receipts, he tears them in half so the credit-card number is divided. Then he throws each half in separate trash bins.

"I don't want the wrong person stumbling across my credit-card number and making Internet purchases," he says.

Mr. Brummett's concern about his privacy burgeoned a year and a half ago, when an impostor requested a credit card in his name, using his Social Security number. Capital One, with which Mr. Brummett already had an account, sent the card out before realizing that the impostor had cited the wrong maiden name for Mr. Brummett's mother. The company then prevented the impostor from activating the card.

Since that scare, Mr. Brummett has become an activist, appearing in the local news media to decry the university's use of Social Security numbers. Like many institutions, Austin uses the number as a key identifier for individuals in computer databases throughout the campus. During the last academic year, he headed the Student Bill of Rights Committee, a group that in large part promotes privacy rights for students at Austin.

Ferment Beyond Austin

Political ferment surrounding the use of Social Security numbers is not limited to Austin. Students at several other colleges are demanding that administrators and faculty members wean themselves from attaching Social Security numbers to vast amounts of personal student information. Students say the shift would reduce the risk of "identity theft" -- the use of personal information such as a Social Security, credit-card, or bank-account number to gain access to someone's money or credit. As many as 700,000 people are victims of the crime each year, and it was the top consumer complaint last year, according to the Federal Trade Commission. Identity thieves see students as enticing prey because they often have a clean credit history and are cavalier about guarding their privacy.

The student pressure is prompting some institutions to act. The University of Florida and Northern Illinois University are restricting the visibility of the Social Security number as a result of student concerns, and student needling is prompting Austin to more quickly reexamine the use of the number. Revisions to state laws that limit colleges' display of the numbers to government documents like payroll and financial-aid records are forcing other colleges to make changes.

But progress is slow. Hobbled by tight budgets, many colleges are reluctant to buck tradition and make costly changes to computer systems used in many departments, including housing, academic-records, and admissions offices. To revamp such systems could cost at least half a million dollars, estimates Jay E. Foley, director of consumer and victims services at the Identity Theft Resource Center, a nonprofit group in San Diego that educates the public about identity theft. Nearly half of colleges nationwide still use Social Security numbers as the primary means to track students in academic databases, according to a March survey by the American Association of Collegiate Registrars and Admissions Officers. The survey also shows that 79 percent of colleges display students' Social Security number on official transcripts.

Privacy gaps abound at colleges. Since May, Austin and at least three other colleges have discovered that some of their publicly accessible computers were infected with software that secretly records computer users' keystrokes. At Texas, the finding prompted administrators to advise 180 students to change their university passwords. The Secret Service is investigating whether a Russian crime ring is responsible for installing the software, and is advising colleges to check their computers for the program, which could allow criminals to find out computer users' credit-card numbers.

In July, Resicom, a Doylestown, Pa., company that provides telephone services to colleges, confirmed that a glitch in its programming had enabled Web surfers to view the names, addresses, and Social Security numbers of as many as 2,000 students. Leidy Smith, the president of Resicom, says his company serves between 50 and 100 colleges, but he doesn't know how many different colleges the students were from.

Such mishaps show how easy it is for impostors to steal students' identities. "As more and more of our administrative systems are on computers attached to the Internet, any database that is left insecure could lead to the exposure of Social Security numbers," says Daniel J. Updegrove, vice president for information technology at Texas' Austin campus and co-chairman of an Educause committee on network security.

Mounting Concern

Concerns over identity theft are mounting at the Austin campus. In addition to the discovery of the keystroke software and Mr. Brummett's scare, Naufil M. Mulla, then a university senior and honors student, was arrested in March for credit-card fraud after he allegedly purchased food with other students' debit cards without their knowledge. The charge was dismissed in May after he received counseling.

Austin students were so concerned about the issue that The Daily Texan, the student newspaper, did a four-part series on identity theft in March 2001 that touched on the plight of Mr. Brummett. It also mentioned how Social Security numbers are widely used on the campus and how easy it is to receive a credit card in someone's name using their Social Security number.

The president of the Student Government Association at Texas, Katie A. King, made the privacy of Social Security numbers a major part of her election platform. She and another incoming senior, Elliott W. Kruppa, head of the Cabinet of College Councils, a group representing the student councils of the University of Texas System, met with administrators in July about plans to curtail the use of the number on the campus.

A Never-Ending Struggle

Unlike Mr. Brummett, victims usually don't discover that someone has tried to assume their identity until years after the crime occurs, experts say. An impostor can run up a whopping credit-card debt, and arrange for the bill to be sent to an address other than the victim's. In this way, the victim could remain in the dark while charges are accumulating. Only when the victim's credit history is reviewed, for instance when the victim seeks to purchase a home, does the scam come to light.

For many victims, trying to erase the debt and reclaim a good credit history is a never-ending struggle. They are shuffled from one government agency to another as they try to report and resolve the crime. And just when they think the nightmare is over, another charge pops up in their name to indicate that the impostor is on the prowl again.

"Once you're a victim, you need to be in for a long, long journey," says Stanton S. Gatewood, chief privacy officer and chief information assurance officer at the University of Southern California. He says some victims of identity theft at the university have battled for six years to resolve their cases.

Los Angeles, where the university is located, has one of the highest reported incidences of identity theft among American cities, according to the Federal Trade Commission. Mr. Gatewood declines to say how often this type of theft occurs at USC, but says he receives at least one call every two days from someone inquiring about the issue.

He says the university, in some cases, still uses Social Security numbers to identify students but hopes to end its reliance on the numbers in about a year. "It's a long, slow process," he says. Within the last six months the institution started issuing new campus identification cards to replace the old ones that had Social Security numbers on them, Mr. Gatewood says. The new card has another nine-digit number on it.

Northern Illinois decided to curtail publishing students' Social Security numbers after the Student Senate asked the university last December to stop using the number to identify students.

"I had noticed through taking part in my classes that many times attendance was taken by Social Security number," says Kevin J. Miller, who led the petition drive and is now president of the university's Student Association. "Many times, grades were publicly posted by Social Security number, which was sometimes accompanied by a person's name."

Administrators partly heeded the petition but told Mr. Miller that the university had budget constraints. Beginning in September, the university will use a new identification number on forms and documents that are widely visible, such as on class lists and grade rolls, says Anne C. Kaplan, the vice president for administration. She acknowledges that the change is a "stopgap" solution, and that overhauling the campus network would cost millions of dollars and take years to complete.

Administrators at other colleges who are in the midst of converting their systems away from identifying individuals by their Social Security numbers can understand the university's predicament. The University of Michigan system began replacing the Social Security number with another identifier in 1995 and still hasn't completed the process, says Virginia E. Rezmierski, an expert on privacy issues who is an adjunct associate professor at Michigan's School of Information and the Gerald R. Ford School of Public Policy. Once colleges plug the number into one database, it tends to crop up everywhere as the key identifier for an individual, she says.

Colleges that decide to make the investment sometimes find it cost-efficient to do other network upgrades at the same time. The University of Florida, for example, is moving to substantially reduce its use of Social Security numbers, while at the same time working to provide a complete and up-to-date directory of every member of the university community, says Michael Conlon, director of data infrastructure there. The university will move to a new eight-digit identifier for students and faculty and staff members in January. That number, he says, not Social Security numbers, will appear on university identification cards. He says he doesn't know how much the project will cost.

Mr. Conlon credits Cory B. Kravit, who graduated from Florida last year, with goading the administration into action. Mr. Kravit was chairman of a Student Senate committee on Social Security privacy, and persuaded the Senate to pass a resolution that asked the administration to stop using Social Security numbers. He joined other student organizations to lobby the Florida Legislature to support a bill that would limit the ability of state agencies, including public colleges, to display the number. The legislation is pending. Also, Mr. Kravit testified before the Ways and Means Committee of the U.S. House of Representatives in May 2001 on the widespread use of Social Security numbers at Florida.

Students are outspoken about the issue at the University of Texas at Arlington, too. A measure was introduced into the Student Congress in March that would give prospective students the option of omitting their Social Security numbers from application forms. The measure was not adopted during the last academic year but it will still be considered during the upcoming year, says Christopher H. Featherstone, a junior who is president of the Congress.

Students at some colleges are pushing their institutions to stop providing information about them to outside vendors, partly because of fears over identity theft. At Louisiana State University at Baton Rouge, the Student Senate adopted a resolution in March that asks the administration to prohibit the marketing of credit cards on the campus, and to stop the alumni association from providing data about graduates to credit-card companies.

Disturbed by Marketing

Donald Hodge Jr., a member of the Student Senate and a second-year law student, says he decided to help write the resolution because he was disturbed by what he viewed as aggressive marketing practices by credit-card companies on the campus. The alumni association also was providing graduates' personal information to credit-card companies and other marketing firms, he says.

Clifford A. Vannoy, senior vice president of the LSU alumni association, acknowledges that his group has given graduates' names and addresses to a credit-card company. Of the student petition, he says, "I don't have a copy of it, so it's difficult for me to comment on it."

Mr. Hodge notes that the university had been displaying students' Social Security numbers on their university identification card, known as the Tiger Card. That practice will stop this fall, says Toni C. Frey, manager of the Tiger Card office.

At Brigham Young University, some student journalists went undercover to show how easy it is for someone to assume a student's identity. The journalists went into the campus bookstore and reported purchasing items using other students' credit cards and campus debit cards.

The bookstore cashiers didn't check to see whether the photograph on the debit card, known as a Signature Card, matched the student who made the purchases, says Jesse M. Coleman, a senior who co-wrote the article that resulted from the investigation.

After the article ran in February in the student newspaper, The Daily Universe, Mr. Coleman says the bookstore started cracking down and checking the photographs on Signature Cards. But they still were not regularly asking for photographic identification when students made credit-card purchases, he says.

Students are not the only ones pressing colleges on the Social Security issue. Arizona, California, Maryland, New York, and Wisconsin all have passed laws that restrict colleges' ability to use or display the number.

New York's law, which took effect last July, prohibits colleges from displaying an individual's name next to his or her Social Security number.

At New York University, the law prompted the university to stop printing Social Security numbers on receipts from on-campus purchases, says John H. Beckman, a university spokesman.

Erasing Hard Disks

Even more sweeping changes are possible. Austin's Mr. Updegrove says that public colleges may want to reconsider whether they continue to make Internet access freely available to the public in libraries and other computer centers. One way to reduce the risk of identity theft, Mr. Updegrove says, would be to require any user of publicly available computers to show some identification before receiving a password to the network.

Colleges could even program their public computers to erase their hard disks and reinstall their software after each user logs off, which Austin has done on some of its computers. "Even if someone put rogue software on [the computer], it would be gone by the time the next person logs in," says Mr. Updegrove. Such a task is not particularly time-consuming or expensive, but it takes skill, he adds.

It is easy to pick up a student's Social Security number at Austin, says Mr. Brummett. He recalls walking inside the economics building there last year and finding boxes of exams that included students' names and Social Security numbers.

Sheldon Ekland-Olson, the provost, says that administrators are in the middle of figuring out precisely what changes to make in the use of Social Security numbers, and when.

"The students are expressing some serious interest in making sure that it gets done, and that has helped motivate us to get it done quicker," he says.
****************************
Associated Press
Military Works on High-Tech IDs
By MATT KELLEY, Associated Press Writer


WASHINGTON (AP) - Future versions of military identification cards will encode information about fingerprints or other physical characteristics, the Pentagon's latest move to tighten security.

The newest cards already have information such as name, rank and serial number on a computer chip embedded in the card under the user's picture. The Defense Department passed out the one-millionth computerized ID card earlier this week to an Army soldier who works at the Pentagon.

Officials hope to distribute the high-tech ID cards to more than 3 million military and civilian Defense Department workers in the next several years.

The ID cards help the Defense Department guard its computer files, not just its bases and offices, said John Stenbit, the Pentagon's chief information officer.

Workers with the ID cards can insert them into a device at a computer terminal to log on and get access to the files they need and not to files they don't.

"The point of all of this is to allow people to have broader access to information, freely, over a network," Stenbit said.

With the card, the computer recognizes who is on the network and can track what files he uses, which websites he visits and what e-mails he sends. Users can send and receive encrypted e-mail and be sure no unauthorized users have access to the information.

Army Spc. Trenton Dugan, who got the one-millionth ID card, demonstrated the technology for reporters by sending an encrypted e-mail to the Defense Department press office.

The Pentagon is testing a program to add "biometrics" data to the ID card -- information about unique physical characteristics such as a fingerprint, hand shape, iris pattern, voice print or face. That would add another level of security by requiring computer users to log in with their ID card and password and then have their fingerprint or other biometric data scanned to verify who they were.
************************
Los Angeles Times
FBI Plans to Fight Terror With High-Tech Arsenal
By CHARLES PILLER and ERIC LICHTBLAU


Since Sept. 11, the FBI has budgeted tens of millions of dollars to turn its massive collection of computerized case files, memos, tips and phone intercepts from an investigative black hole into a mother lode of predictive intelligence.

If the effort succeeds, by Sept. 11, 2004, it will have replaced today's system -- so antiquated and cumbersome that many top FBI executives have never learned to use it -- with a high-tech brain that instantly culls years of records and eventually will simultaneously check databanks in other government agencies, public records and the Internet.

And that's just the beginning.

By Sept. 11, 2011, the FBI hopes to use artificial-intelligence software to predict acts of terrorism the way the telepathic "precogs" in the movie "Minority Report" foresee murders before they take place.

The goal is to "skate where the puck's going to be, not where the puck was," said Robert J. Chiaradio, who until recently oversaw data system improvements as a top aide to FBI Director Robert S. Mueller III. "We have to get ourselves positioned for Sept. 10, not Sept. 12."

The technology plan reflects a belief that the chief weapon against terrorism will not be bullets or bombs. It will be information.

But intelligence experts, computer scientists and civil libertarians remain skeptical about whether the FBI can -- or should -- reverse 94 years of entrenched bias in favor of shoe-leather detective work, and turn itself into a high-tech domestic CIA. And they caution that using databases to foretell acts of terrorism is still a science fiction fantasy.

"These techniques assume that the past predicts the future," said Rakesh Agrawal, an IBM Corp. scientist and a leading "data mining" expert. "But what if the future is completely different?"

Before Sept. 11, no one had crashed a hijacked plane into a skyscraper. Before Jan. 27, when a blast ripped through Jerusalem's commercial district, there had never been a female suicide bomber.

FBI leaders insist that effective data mining -- sifting investigative knowledge from voluminous electronic files -- will overcome such obstacles.

They point out that rudimentary data mining already has become commonplace. Any Internet user can instantly search more than a billion Web pages for, say, "Middle Eastern flight-training students." The popular search service Google ranks results by popularity -- pages that receive the most visits and are most often referenced by other pages are listed first -- one formula for making sense of more information than a person can digest.

Retail stores analyze data on millions of purchases, then draw conclusions on buying habits to pitch discounts or new products.

"Just as Wal-Mart's trying to figure out what people's buying patterns are, some of that logic can translate into law enforcement," said Mark Tanner, the FBI's deputy chief information officer.

Broad Changes Needed

But to get there will require sweeping changes. Today at the FBI, a comprehensive electronic search requires separate checks of 42 databanks of case files, memos, video footage, mug shots and fingerprints. It's as different from Google as the Web is from government-issue file cabinets, where 1 billion FBI documents still reside.

That will soon change, FBI leaders promise. In the next fiscal year alone, the FBI has requested $76 million to combine and enhance its databases, on top of $730 million more previously budgeted for "Trilogy" -- code name for a general technology upgrade, the third try after two failed efforts. The bureau says it will replace paper files and inefficient text-only electronic databases with a "virtual case file" system that will allow rapid, Web browser-like views of video, photos and sounds.

Though technologically feasible, that goal remains distant, given the bureau's primitive technology.

"When I came in I said I wanted it done in a year," Mueller told a Senate committee in June. Now he estimates two to three years. "We do not have the data warehousing, we do not have the software applications [for this] kind of searching."

Still, within the FBI, Mueller is widely viewed as having a better grasp of technology than his predecessor, Louis J. Freeh, and greater drive to make changes -- especially after Sept. 11.

"They're on the right track," said Nancy Savage, head of the FBI Agents' Assn. Unlike earlier failed technology efforts, she said, Mueller has involved field agents in the planning and testing.

As a model, experts point to the Defense Department's Global Command and Control System, an immensely complex and far-flung system that analyzes intelligence data, satellite imagery, troop movements, weapon status and a multitude of other inputs from all over the world, yet operates efficiently and effectively. Unlike typical government data systems, built from scratch, the Command and Control system is built largely from off-the-shelf commercial hardware and software and took less than two years to build in the mid-1990s.

After the FBI gets its data systems operating, it will try to tie them to information held in the databanks of other agencies or private entities that may prove crucial in rooting out terrorists.

For example, by combing different agencies' records, the FBI could find a person who was denied a visa, took a flying lesson and may be moving next door to a suspected terrorist. An automated process would connect the information "for an analyst to say, 'Hey look, here's three clues,' " Chiaradio said.

That process is technically challenging because it involves many systems that use incompatible software and divergent methods to label and organize information.

But similarly connected databases are becoming commonplace in the corporate world and gradually are being adopted in the intelligence community, according to private data-mining contractors such as Presearch Inc. and Veridian Corp.

The National Security Agency has linked about 20 disparate databases containing human intelligence, electronic eavesdropping files, pictures and sounds using software from Webmethods Inc., said Len Pomata, a company executive. Pilot projects within NSA and the Transportation Security Administration are now linking such data to public records, such as real estate ownership and marriage and death certificates, he said.

Systems can even be designed to track missing data, said James H. Vaules, a former FBI executive who heads the National Fraud Center, a data-mining subsidiary of Lexis-Nexis.

"A lack of information is probably the [biggest] red flag," he said. "If you are 40 years old and there are no public records on you in this country, then there's something up; it just doesn't happen."

Effort Was 'Pipe Dream'

The FBI has coveted such abilities since the 1980s, investing substantial time and resources without success, according to officials familiar with the project. The entire effort was "a pipe dream," said an agent who declined to be identified.

But data-mining developments are beginning to produce predictive abilities, such as banks scanning credit card purchases for anomalies that suggest fraudulent transactions.

The FBI says such techniques will preempt terrorists.

"There was not a specific warning [before Sept. 11] about an attack on a particular day. But that doesn't mean that there weren't ... dots that should have been connected," Mueller said in May.

But systems that make sense of highly varied inputs are still in their infancy, independent experts say.

For example, the NSA may be able to find a photo of a cargo plane and an intercepted flight plan but not know what the plane carried, even if the flight manifest was accessible. Every scanned document, film clip and photo must be labeled with multiple codes to allow efficient searches, and to compare data, the labels must be consistent. To a computer, "occupation" and "employment category" are not necessarily equivalent.

The scope of that task will be staggering, given the volume of terrorism materials in question. Prosecutors in the case of Zacarias Moussaoui, allegedly the 20th Sept. 11 hijacker, declined to print out discovery material for the defendant, because the documents "would leave no room for Mr. Moussaoui in his cell ... and might even consume the entire jail."

Yet the bureau proposes to sift thousands of times as much data as a matter of routine.

Chiaradio said the biggest challenge will not be handling huge volumes of information but securing it.

"Do we want to bet that our technology is going to be one day ahead of a 13-year-old in Alabama who's getting into the system and beating it?" Chiaradio said. "It's a business risk that eventually the director or somebody is going to have to" take.

And internal spies or interagency leaks pose additional security problems.

"The more people who have access to that information, the surer it is to leak," said Michael Vatis, director of the FBI's cyber-crime unit.

Mindful of the damage that FBI spy Robert Philip Hanssen caused by navigating intelligence files, several senators say they are concerned that the FBI may be leaning too far toward an open system in an effort to make files more accessible to all agents.

Sen. Jeff Sessions (R-Ala.) said at a recent Senate hearing that the FBI should keep a separate system for sensitive intelligence data, available only on a need-to-know basis.

Yet in a technical sense, security problems may seem trivial compared with the challenge of developing artificial-intelligence methods that can generate knowledge to stop terrorism before it occurs.

The FBI is seeking pattern-recognition algorithms that can discern hints of terrorism from what Jeffrey D. Ullman, professor of computer science at Stanford University, calls "the soup of billions of possible coincidences."

Instead of needing the right question, an analyst would merely say "show me something out there that looks odd," and get, say, a report about an influx of Middle Eastern men in flight training, he said.

But anticipating acts of terrorism by sorting billions of records with unknown relevance to unknown future attackers is incomparably more difficult than detecting credit card fraud.

Ullman called predictive data mining "one of the fundamental research problems of the age," comparing it to the Manhattan Project, which produced the atomic bomb during World War II. He said it would require an investment of at least $1 billion to accomplish the ultimate goal: "preventing a terrorist group from carrying a nuclear bomb into this country and setting it off."

Key Departures

Even more modest goals may have been placed in doubt by recent departures of key executives. Bob Dies, a former IBM executive who was the FBI's technology visionary, retired in the spring. He has not been replaced. Chiaradio, appointed to manage the FBI technology transition, also left in June, joining the accounting firm KPMG after only six months on the job.

Meanwhile, President Bush has slated the FBI's cyber-crime unit to move to the new Homeland Security Department.

"That would be a major loss to the FBI," said Vatis, the unit's founder. "One of the things we were successful at doing was building a cadre of technical expertise both in headquarters ... and in the field offices."

Members of Congress have grown impatient over missteps on far less ambitious projects than today's proposals. Fingerprint computers and other law-enforcement data systems have cost more than $1.7 billion since 1993, yet still don't operate reliably.

Sen. Charles E. Schumer (D-N.Y.) recently called the FBI's current system "fossil technology," and Mueller's two- to three-year estimate for minimal database efficiency "unacceptable."

Testifying before the Senate Judiciary Committee this month, Sherry Higgins, the FBI's project management executive, acknowledged that "the problems ... didn't occur overnight and they won't be fixed overnight either. That is because it is more important to get it right and know that we have the systems and capabilities that precisely fit our mission, as well as cure past problems."

Despite repeated requests from The Times, the FBI was unable or unwilling to detail its plans for technology spending, or to clarify the relationships among its many technology projects.

Civil libertarians charge that the FBI faces a crisis of competence that sophisticated new technology will only exacerbate, more deeply burying the bureau in information. Already awash in data, the FBI has not even updated its Web-based wanted posters of leading terrorists. The section on Osama bin Laden makes no mention of Sept. 11 and the Web site still lists Bin Laden lieutenant Mohammed Atef as at large, although he was reportedly killed in November.

Documents released in May under the Freedom of Information Act showed that the FBI's "Carnivore" program, which monitors e-mail in criminal probes, had inadvertently gobbled unrelated messages, a violation of privacy laws. When the error was discovered, an FBI technician destroyed the entire data file, including e-mail from presumed terrorists.

"The buck really stops at the FBI for their failure to properly analyze the information they had before Sept. 11," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, the advocacy group that obtained the FBI documents. He called the surge of interest in data mining "sleight of hand" designed to distract focus away from the bureau's failures.

FBI executives agree that there should be some limit on database surveillance. But they insist that a national crisis warrants a shift in the balance between security and privacy.

Critics should ask, "How can we create civil liberties protections that don't get in the way of fighting terrorists?" said Stewart Baker, a Washington attorney and former general counsel for the National Security Agency.

He suggested that database abuses can be prevented with automated audit controls. "One way to protect civil liberties is to make people prepare to justify how they use the systems," Baker said.

Problems of Accuracy

Yet no matter how careful the FBI is, it faces a larger question about the accuracy of records. "Garbage in, garbage out," the old computer adage goes. The accuracy of all kinds of data held by the government or corporations (as victims of identity theft have learned, to their dismay) is highly suspect.

Deep within complex databases, errors can rapidly eclipse reality, as a 1999 Justice Department audit showed.

In a Department of Justice review of an FBI database of 93,000 Florida civil service job applicants, about 12% of those who had criminal records were not detected, while nearly 6% of applicants with no criminal record were identified as criminals.

Moreover, just as spies create false personas, the Sept. 11 hijackers evaded detection, in part, by setting up bank accounts using false Social Security numbers. Such moves to pollute the data stream suggest a flaw in the logic of data mining, skeptics say.

"The people who are the greatest threats are already conducting themselves in such a way that they fall into the most innocuous profiles," said Edward Tenner, author of "Why Things Bite Back: Technology and the Revenge of Unintended Consequences."

"The question is not whether innovations in artificial intelligence are worth trying," he said. "The real issue is the opportunity cost, the other things that experienced investigators could be doing with their time," such as figuring out how to infiltrate Al Qaeda.

Fear of terrorism, the FBI's detractors suggest, has already pushed database research into the realm of the absurd, where innocuous behavior, or even the failure to leave an electronic trail, can arouse suspicion.

"That would be one of the most damaging things terrorism could do to us," Tenner said.
***************************
New York Times
Class-Action Lawsuits Gain Strength on the Web
By DINA TEMPLE-RASTON


Most people have heard about the big class-action settlements with the tobacco companies, or other cases involving silicone breast implants and the diet drug combination fen-phen. But there are many more, lesser-known cases out there: by some accounts, at least 10,000 class-action suits are filed each year, and billions of dollars are ultimately awarded to consumers.

Yet many people who might have been entitled to file claims and share in settlements have received nothing, some lawyers say, because they were unaware of the suits. In other instances, they say, deserving consumers might have been turned away from joining a suit, although they could have qualified for another had they known of it.

The Internet, though, is changing that. Consumers can run online searches on just about any class-action suit. A growing number of Web sites, including Findlaw.com from the American Bar Association, Classactionsonline.com and ClassactionAmerica.com, along with those from individual law firms, provide information on pending cases. The National Consumer Law Center also keeps its clients informed about pending class action cases online, at www.consumerlaw.org.

The Internet solves a longstanding problem for most class-action litigators. Previously, the only way they could recruit plaintiffs was through mass mailings and broadcast and print advertising. Medical class-action suits, in particular, posed problems because medical records are private.

But consumers need to be cautious when dealing with legal Web sites, legal experts say. Some information and forms floating through cyberspace may be outdated or even wrong. Online litigants should compare various sites and consider who is running them.

ClassactionAmerica.com, one of the largest sites, was set up about 18 months ago by the Kahn Gauthier Law Group in New Orleans. (Wendell Gauthier, one of the firm's partners, helped start the state class-action suits against the tobacco companies in 1994; he died in December.)

ClassactionAmerica provides listings of thousands of class-action suits and product recalls, free online evaluations to see if you qualify to join a suit, and information on lawyers involved in various cases and on lawsuits open for new claims. The cases run the gamut from cheerleaders to computers. It lists, for example, one pending case in which 44 women who were employed as cheerleaders by the Philadelphia Eagles of the National Football League are claiming that opposing teams spied on them while they were changing and showering in the cheerleaders' locker room at Veterans Stadium. (They are suing 29 N.F.L. teams.)

LEWIS KAHN, president of Kahn Gauthier, said of the site: "We thought there had to be a better way to centralize a multibillion-dollar business, and this was it. We get literally thousands of inquiries every month."

Although the firm is involved in only about 50 of the thousands of cases listed on its Web site, it keeps a staff of 20 lawyers, paralegals and support staff to field inquiries, track cases and keep the site up to date. The site is free, but users can pay a $29.95 annual fee for an e-mail service that keeps them abreast of developing litigation.

Classactionsonline.com is less exhaustive. It lists recent class-action filings and provides a primer on class-action lawsuits. It also has links to other sites, like that of Stanford's Securities Class Action Clearinghouse (http://securities.stanford.edu/), which tracks shareholder class-action suits.

It was a ClassactionAmerica pop-up advertisement that caught the eye of Jennifer Walker, 33, a high school art teacher from San Antonio. Ms. Walker said that she and her mother, Marlene Walker, 60, who lives with her, had taken a certain medication that made them sick and created continuing medical problems. Ms. Walker said she had tried to join a class-action lawsuit against the drug manufacturer but was rejected because she did not meet specific criteria.

Both women filled out an evaluation form at the Web site. Two days later, they received e-mail messages from Kahn Gauthier, saying they could be eligible to receive some kind of settlement. Ten months later, each received a settlement check, Ms. Walker said.

"The first set of attorneys who sent us home have got to be kicking themselves," said Ms. Walker, whose agreement prohibited her from divulging any information about the settlement, including the name of the drug. She did say that she received enough money to handle future medical bills that might be required by damage from the drug.

While consumers like the Walkers may benefit from such online services, lawyers stand to gain even more. Nearly all class-action suits are brought on a contingency basis, which means that lawyers are paid a percentage of any recovery they obtain. Folding more members into a lawsuit only adds to the lawyers' bottom line, because the damage award can grow with additional plaintiffs.

William Hornsby, a spokesman for the American Bar Association in Chicago, said his group had not received any reports of serious problems or reports of abuse associated with the legal Web sites. "But consumers are going to have to assume a larger role for their own protection to make sure we don't," he said.

The absence of face-to-face meetings between lawyers and their online clients particularly worries Mr. Hornsby and other legal experts.

"To the extent that the relationship between the attorney and client is more abstract, they are more subject to abuse," he said.

Plenty of cautionary tales have already been told. For example, in "Next: The Future Just Happened" (W. W. Norton, 2001), Michael Lewis wrote about Marcus Arnold, a 15-year-old boy from California who posed as a lawyer for several months two years ago, dispensing legal advice on the Web site AskMe.com, based solely on what he learned watching court television shows.

Some people are willing to go to online class-action sites, however, because of their convenience.

"To me, not having to go to an office and fight with the parking and talk to an attorney is important because it is hard for me to get around now," said Karma Coleman, 44, of Bronson, Tex., who says she is filing a claim against the drug company Wyeth, maker of the diet drugs fenfluramine and phentermine. Kahn Gauthier, which specializes in medical class actions, is handling Mrs. Coleman's case.

Mrs. Coleman said she developed chest pains several days after first taking fen-phen but continued to take the drug combination for about three months. She grew sicker during that time, she said, and has since had to quit her job as a computer operator. She says she is now using an oxygen machine.

Because there are few lawyers in her hometown, Mrs. Coleman decided to go online for help. She looked up "fen-phen," found ClassactionAmerica and asked for a free legal evaluation. Kahn Gauthier took her case, and she has been compiling evidence, including medical tests.

More than six million people took fen-phen before the combination was removed from the market in 1997 after being linked to heart valve disease. About three years ago, the fen-phen maker, American Home Products, which has since changed its name to Wyeth, agreed to a $3.75 billion settlement covering hundreds of thousands of Americans who said they had been harmed by the drug. Smaller class-action suits are pending.

The settlement, though, does not prevent consumers from filing individual claims and possibly receiving higher awards, another factor that consumers should consider before joining any class-action suit.

The Walkers decided not to join a large national suit and instead joined a smaller class-action suit. Mrs. Coleman has yet to decide whether she will go it alone or join another pending suit.

Legal experts suggest that anyone looking for legal help shop around first.

"People expect to get off the Web what they pay for," Mr. Hornsby said. "When they go to the Internet, they take whatever they get there with a grain of salt. When they pay for a lawyer, their expectations are, and should be, substantially higher."
*************************
ZDNET News
Sony loses Australian mod chip case


By David Becker

Sony has suffered a setback in its international fight against "mod chips" that enable its PlayStation video game machines to play illegally copied games.

A federal judge in Australia ruled Friday that mod chips sold for the original PlayStation do not infringe on Sony copyright protections under Australian laws, which are similar to the U.S. Digital Millennium Copyright Act. The decision comes a week after a Canadian man was sentenced to probation and fined $17,000 for selling mod chips and pirated games for Sony's PlayStation 2.


Mod chips are add-ons that typically have to be soldered to a game console's main circuit board. Properly installed, they defeat copy protection measures built into the consoles, allowing users to play games originally sent to different geographic markets, backup copies and bootleg discs. Hackers have also seized on mod chips for Microsoft's Xbox as a way to run homemade software on the console.

In the Australian case, Sony accused Eddy Stevens of Sydney of violating Sony copyrights by selling and installing mod chips for the original PlayStation.

Federal Court of Australia Judge Ronald Sackville found that the chips do not violate Australian laws forbidding circumvention of "technological protection measures." Sackville said the technology mod chips disable doesn't constitute a "technology protection measure" under the law because it also prevents legal activity, including the playback of imported games and personal backup copies of games.

"There is nothing in the evidence to suggest that the major purpose or objective of the protective device, from the applicants' perspective, was to ensure that the PlayStation consoles could only play PlayStation games lawfully acquired in Australia or Europe," Sackville wrote in his ruling.

Sackville also found that the PlayStation doesn't employ legitimate copyright protection measures because while the technology prevents playing copied games, it doesn't prevent illegal copying.

"There seems to be nothing in the legislative history to support the view that a technological measure is to receive legal protection from circumvention devices if the only way in which the measure prevents or inhibits the infringement of copyright is by discouraging infringements of copyright which predate the attempt to gain access to the work or to copy it," he wrote.

The judge did agree with Sony's claim that Stevens infringed on the company's trademark by selling bootleg PlayStation games. Sentencing on that charge will happen later.
**************************
Federal Computer Week
Privacy still a priority, officials say


From airports and border crossing stations to the doorways of government buildings and even to the computers inside, the Bush administration plans to use biometric identification technology to beef up homeland security.

Fingerprints, facial recognition, iris and retina scans, and other biometric technologies will be used more frequently to sort terrorists and criminals from the vast population of innocent people, said Steve Cooper, chief information officer at the Office of Homeland Security.

But high-tech identification systems won't be allowed to undercut civil liberties, Cooper promised in a talk to congressional staffers and technology industry representatives.

Privacy advocates find the plans unnerving. Clyde Wayne Crews Jr., director of technology policy for the Cato Institute, worries that facial-recognition cameras could evolve into general surveillance systems and that biometric driver's licenses will morph into national ID cards.

Even well-intentioned security steps by the Bush administration could lay the groundwork for automated authoritarianism in the future, Crews said.

In an address July 23, Cooper said that creating more reliable identification documents is a top priority in the president's homeland security strategy.

White House plans call for using biometric technology such as fingerprint databases and facial-recognition systems to create "smart borders." Trusted travelers would be issued biometric ID cards to speed through airport checkpoints, and government workers might be issued smart cards with biometric identifiers that grant them entry to government buildings and access to government computer systems, Cooper said.

Perhaps the most far-reaching initiative is the administration's proposal to help states develop uniform standards for driver's licenses.

The American Civil Liberties Union pounced on the proposal, saying that "this plan proposes a national ID, an internal passport, pure and simple."

Cooper insisted that the administration is "not in favor of and currently will not support a national ID card."

But Crews called the idea "worrisome. It's a step toward a national ID card." Although "voluntary" to the extent that no one is required to carry a driver's license, Crews said he fears licenses bearing biometric identification features would quickly become mandatory in the wake of another terrorist attack.

Cooper sought to put the administration's plans in perspective. "We are at war, and the war on terrorism requires a balance" between civil liberties and homeland security. It's "tough" to balance the two, but the administration will not sacrifice civil liberties for homeland security, Cooper vowed. "We will get it right."

Fingerprint and facial-recognition technology are the favored technologies at present, Cooper said, but retina and iris scans are improving and gaining wider acceptance as useful biometrics. And other technologies are likely to be invented, he said. The administration's policy is not to favor any particular biometric technology but to develop identification systems that can accommodate multiple technologies.

To be acceptable to the federal government, smart cards, for example, would have to be able to accommodate more than one biometric identifier, because different agencies have already adopted favorite technologies, Cooper said.

The State Department has invested heavily in facial recognition as its primary identification system, but the FBI is wedded to fingerprints. And neither is likely to give up its favorite, Cooper said.

***

Biometric solutions

Some of the biometric initiatives the Bush administration is pursuing:

Travel documents: Visas, passports and similar documents would include biometric identifiers.

Trusted traveler cards: Airline passengers could volunteer to undergo background checks and receive biometric identification cards that would let them pass quickly through airport security.

Facial recognition: The Transportation Security Administration is experimenting with facial-recognition cameras in airports.

Fingerprints and photos: The Immigration and Naturalization Service plans to begin fingerprinting and photographing some foreign visitors as they arrive in the United States. Fingerprints would be checked against the fingerprints of criminals and terrorists in databases.

Driver's licenses: Tougher standards for driver's licenses are expected to include fingerprints or other biometric identifiers to make it harder to get more than one license or to counterfeit licenses.
**************************
Federal Computer Week
Data quality politics
Commentary
BY J. Timothy Sprehe


The data quality guidelines that federal agencies have been publishing are a double-edged sword.

The agencies are publishing the guidelines because of a harmless-looking amendment to a 2001 appropriations bill requiring the Office of Management and Budget to issue directives "for ensuring and maximizing the quality, objectivity, utility and integrity of information (including statistical information) disseminated by federal agencies." Each agency, in turn, must issue the data quality guidelines they will hold themselves to.

On one edge: Who can argue with data quality? Of course, agencies should have policies and procedures that ensure the information they give to the public is accurate, objective and useful. Every federal agency should check and recheck any data published officially under its name for those qualities before the data's release.

This is motherhood and apple pie: standard quality assurance practice in any modern enterprise. No respectable critic can argue for the removal or absence of data quality standards.

The sword's other edge is the troublesome aspect of data quality that reveals the political agenda behind the guidelines.

Each agency must also create administrative grievance processes for addressing any data quality complaints from the public. Regulatory agencies such as the Environmental Protection Agency issue rules based in part on data from scientific studies. The data quality guidelines give those opposed to such rules a monkey wrench that they can toss into the federal rule-making machinery.

If a proposed rule affects an industry in a way the industry does not like (makes the industry spend money cleaning up pollution, for example), the guidelines are a devilishly respectable device for challenging the rule. The affected industry can challenge the quality of the data supporting the rule and conceivably drag out final regulatory adoption for months or years.

Time is money. Businesses that complain about the slowness of government sometimes have a vested interest in slowing down government action. When a business can delay government regulatory action for some years, the postponement may have bottom-line payoff.

The U.S. Chamber of Commerce has said the potential impact of the data quality guidelines could go far beyond what most people imagine. The brainchild of former Office of Management and Budget officials who are politically conservative and pro-business, the data quality guidelines have only just begun to haunt federal regulatory agencies.

If you want a glimpse of the guidelines' future political use, check out the Web site of the Center for Regulatory Effectiveness (www.thecre.com). Already, the organization has filed notice of its intent to sue the Energy Department for not publishing data quality guidelines.

Sprehe is president of Sprehe Information Management Associates in Washington, D.C. He can be reached at jtsprehe@xxxxxxxxxxxxx
**************************
Federal Computer Week
Ashcroft offers TIPS assurances


Attorney General John Ashcroft is recruiting millions of Americans to report activity they think is suspicious, but he told a Senate committee he does not want the reports to be kept permanently in a central database.

Amid growing concern over Operation TIPS, Ashcroft sought to assure members of the Senate Judiciary Committee July 25 that reports of suspicious activity will not be retained in a central database, but he said some reports may be kept in databases maintained by various law enforcement agencies.

The Bush administration plans to launch Operation TIPS (which stands for Terrorist Information and Prevention System) in 10 cities in August. Initially, the White House hopes to sign up a million "American workers who, in the daily course of their work, are in a unique position to see potentially unusual or suspicious activity in public places."

When they spot something suspicious, the TIPS volunteers are supposed to file a report on a government Web site or call a toll-free hot line.

Operation TIPS aims to recruit truck drivers, mail carriers, meter readers, train conductors and others "to report what they see in public areas and along transportation routes."

But the program is prompting growing concern about privacy violations and the possibility that unfounded accusations will be lodged against innocent people.

The House Select Committee on Homeland Security wants to ban Operation TIPS, and the Senate is considering a ban.

Sen. Patrick Leahy (D-Vt.), chairman of the Judiciary Committee, warned that the program could transform Americans from vigilant to vigilantes.

What if a cable TV installer enters a home and then reports that he saw pictures of the World Trade Center and books about terrorism? Leahy asked Ashcroft. Would the Justice Department investigate? Interrogate? "Bring the person in?"

"It may be the head of Islamic studies at Harvard, or a kid doing a term paper at the University of Missouri," Leahy said.

"I'm very concerned that we don't end up with a database on innocent people. We do not want a situation" in which people are denied government mortgage loans or jobs "because someone didn't like their political opinions or the music they listened to," Leahy said.

Ashcroft said Operation TIPS is not intended to report on activity in private places, such as homes. But Leahy said some of those being recruited for Operation TIPS "have more access to homes than law enforcement" personnel do.

Ashcroft said he advised against creating a database that would be maintained by Operation TIPS, and "I have been given assurances that TIPS will not maintain a database." But the FBI and other agencies might preserve TIPS reports in databases, he said.
***********************
Government Computer News
Labor accepts digital signatures from union filers
By Wilson P. Dizard III


The Labor Department has set up a voluntary program that lets unions file annual reports online using digital signatures.

The department's Labor-Management Standards Office will accept reports that bear the digital signatures of two union officials. Labor unions must file one of three sets of forms annually depending on their receipts, mainly dues from members.

"Allowing union officers to sign and submit their reports using digital signatures is an important step in automating the filing process," deputy assistant Labor secretary Don Todd said.

Labor is using the General Services Administration's Access Certificates for Electronic Services program to provide digital certificates to union officials. The certificates cost $45 each. All union officials who sign reports must have a certificate, good for two years, to participate in the online filing program. Certificates are renewable for two additional years at no cost.
************************
Government Executive
Democrats spar with Ashcroft over agency information sharing
By Teri Rucker, National Journal's Technology Daily


As the nation's attorney general came before the Senate Judiciary Committee on Thursday to extol the benefits of information sharing among federal agencies, Senate Democrats cautioned that the information could be mishandled and harm American citizens.

America's ability to protect itself "has been undermined significantly by restrictions to limit the intelligence and law enforcement communities' access to and sharing of our most valuable resource. ... That resource is information," Attorney General John Ashcroft told the committee.

Some of that information will come through the Operation Terrorism Information and Prevention System (TIPS) that has recruited 1 million volunteers to act as informants and report any suspicious activities. The Justice Department group overseeing that program had proposed keeping the information in a database, a proposal that concerns lawmakers.

Ashcroft assured the committee that he has recommended that TIPS not create a database but instead pass information to relevant departments and agencies, which already have information-retention rules in place. He said he believes that suggestion will be followed.

However, Judiciary Committee Chairman Patrick Leahy, D-Vt., noted that in the past, such ideas that were set up to be "vigilant ended up being vigilante," and that was before law enforcement had computers with databases. "I am very, very concerned that we don't end up with a databank of innocent activity at a time of justifiable concern" that will hurt innocent citizens.

As law enforcers try to combat terrorism and implement changes to their agencies to do so, Leahy told Ashcroft he should do so with the Constitution in mind. "This country has an operation manual. It's called the United States Constitution," Leahy said, adding that any measures the Justice Department takes to gather information should fall within its limits.

Sen. Charles Grassley, R-Iowa, questioned Ashcroft on whether problems might arise if the FBI's National Infrastructure Protection Center is transferred to the proposed Homeland Security Department. The center was created to anticipate threats and serve as the principal means of facilitating and coordinating the federal government's response to threats on any of the nation's infrastructures, including physical and cyber-based systems.

People who investigate computer crimes will remain at the FBI, Ashcroft said. Additionally, the employees who can offer guidance on protecting critical computer systems will move to the new department, Ashcroft noted, saying that employees in the two departments will remain in close contact and share information.

The ability to share information among agencies and to have the tools and the right to seek information over new technology, whether by tapping mobile phones or accessing information through the Internet, is integral to preventing future attacks, Ashcroft said.

Leahy and other committee members criticized the Justice Department for not providing lawmakers with information they have requested. "We really do want answers to our requests," Leahy said, noting 23 outstanding requests by senators, some of which date back a year. The senator also noted that House lawmakers face the same problem.

Ashcroft told Leahy he would investigate the matter and get the answers for Congress.
***********************
Computerworld
U.S. Rep. Mike Thompson on PC recycling


WASHINGTON -- In an effort to find an environmentally sound solution for disposing of millions of PCs, U.S. Rep. Mike Thompson (D-Calif.) recently introduced a PC recycling bill that imposes an upfront fee on computer sales (see story). End users, consumers and businesses would pay as much as $10 for the monitor and an equal amount for the PC at time of purchase, and the U.S. Environmental Protection Agency (EPA) would use the money to fund community-based PC recycling centers.
Some 41 million PCs, which contain hazardous materials such as lead, will have to be disposed of this year, and in an interview with Computerworld's Patrick Thibodeau, Thompson outlined his arguments for the bill.


Q: What's your best argument for this legislation?

A: I don't think that any reasonable person would disagree that we have a tremendous number of computers that need to be either recycled or disposed of. We need to provide a mechanism where it will be done most effectively and most efficiently and done in a way that's not going to overfill our landfills, contaminate our rivers and streams, or put anyone's health at risk.

Q: Private-sector companies are already offering disposal services. Why can't the private sector meet this need?

A: And they do. But all those efforts combined aren't enough to take care of the problem. There are still people who are shipping these things primarily to Asia where they have, in many cases, children taking them apart and they dispose of them in environmentally inappropriate places and the kids who are taking them apart are exposed to all the toxic materials. There is a problem out there. Private-sector efforts have not met the need.

Q: Businesses that buy thousands of computers may balk at the idea of paying upwards of $10 for the PC and another $10 for the monitor. What will you say to them?

A: Here's the deal. I'll just be very blunt. It's not necessarily $10 -- that's the ceiling. The EPA will determine the amount of the fee. Anybody that would suggest that you could solve this problem without some sort of financial participation is really off the mark. There is no magic fund where you take money out to pay for it. There are no free riders on this. No one is excluded from contributing to the cost of the problem.

Q: How would the recycling centers work?

A: The fee money will go into a fund. People in local communities with an idea to solve this problem will apply to EPA for a grant. And you're going to have a more accessible option, down the street and around the block where you can take your computer.

Q: Can recycling centers receiving federal money resell those computers overseas?

A: If you are going to get money as a result of my bill, you're going to have to build a project that is environmentally and health and safety appropriate. You're not going to be able to go to EPA and say, "I want a grant because I'm going to send these overseas."

Q: What's the outlook for your legislation?

A: I don't think it's possible to get it passed this year. I think it's very, very important, however, to get the debate started.
***********************
Washington Post
Dot-Org Decision Looms Large For Noncommercial Speakers



By David McGuire, washingtonpost.com Staff Writer
Monday, July 29, 2002; 12:00 AM


In the Internet atlas, "dot-org" shows up as a stuffy university town on the outskirts of the commerce-steeped "dot-com" Mecca. But as the only place on the Internet devoted to noncommercial speech, dot-org is indispensable to consumer advocates, public interest groups and political dissidents, many of whom are watching closely to see who will be chosen to take the helm of the domain when the current registry operator gives up its role later this year.


"Dot-org is important now because it is the one space on the Internet that ... has been devoted to noncommercial speech," said Barry Steinhardt, the director of the American Civil Liberties Union's Technology and Liberty Program. "If it were to be turned into just another dot-com, that would be a blow to speech."

Operated for years by Internet addressing giant VeriSign Inc., dot-org is slated to get a new landlord in October when VeriSign relinquishes its hold on the domain.

Eleven entities, both commercial and nonprofit, have applied to operate dot-org, and global Internet addressing authorities are now slogging through hundreds of pages of application documents in search of a winning bidder.

Initially, officials at the Internet Corporation for Assigned Names and Numbers (ICANN) only planned to accept bids from nonprofit groups, but they later decided to throw the contract open to all comers in an effort to garner as many qualified bids as possible.

Although open to all Internet users, dot-org remains largely associated with the nonprofit organizations for which it is named. Many within the nonprofit community are closely following the bidding process, hoping to ensure that the domain remains primarily a forum for non-corporate voices.

"There's lots of commerce on the Internet," Center for Democracy and Technology (CDT) Policy Analyst Rob Courtney said. "The Internet is not only about commerce. There always needs to be space for noncommercial comment and expression."

Dot-org represents a lucrative asset for whichever organization takes the reins of the domain. As the wholesale seller of dot-org names, the current registry operator, VeriSign, makes $6 a year for every dot-org name registered.

With more than 2.3 million registrations already in place, dot-org will provide its operator with a predictable revenue stream in an often-shaky Internet environment.

ICANN won't give preference to nonprofit bidders. The first priority, ICANN President Stuart Lynn said, is finding a stable operator to replace VeriSign.

"I don't believe the (ICANN) board would favor a decision to jeopardize the stability of dot-org, so that becomes a very primary criteria," Lynn said. "ICANN's first priority is to preserve the stability and reliability of the Internet and the DNS."

Nonprofit organizations will be eligible to receive a $5 million endowment from VeriSign to bring their registry operations up to speed. Commercial bidders are not eligible to receive the endowment. ICANN plans to award the contract in September.

VeriSign agreed to make the $5 million endowment available last year when it inked the deal with ICANN to surrender dot-org. In exchange for giving up dot-org, VeriSign solidified its control of dot-com, the world's most heavily populated domain extension.

Registry operators like VeriSign serve as domain-name wholesalers, charging retailers, called registrars, a flat fee for every name they sell to customers. Some registry operators, including VeriSign, also participate in the retail side of the business as registrars.

ICANN is seeking a new bidder for dot-org as part of its ongoing mandate to bolster competition in the domain-name industry. Until a few years ago, Network Solutions, which was later bought by VeriSign, maintained a government-approved monopoly over the industry, providing both front- and back-end services for all names sold with dot-com, dot-net and dot-org extensions.

Media Access Project (MAP) Associate Director Harold Feld said ICANN has a chance through its decision to further define dot-org as a haven for free speech.

"The question of dot-org is its potential. For the public which is increasingly finding noncommercial speech squeezed out ... there has not been the public park on the Internet where people can go to find noncommercial speech," Feld said.

Feld is a member of a noncommercial constituency within ICANN that is reviewing the applications based on the public interest criteria laid out in ICANN's request for bids. Ultimately, however, ICANN's governing board will have final say over who wins the dot-org contract.

Peter Shiras, senior vice president for programs at Independent Sector, one of the nation's largest coalitions of nonprofit groups, also stressed the need for a well-managed dot-org.

"Our interest in the issue is that dot-org is one of the relatively few vehicles (online) for identifying the nonprofit sector as the nonprofit sector," Shiras said.

The Bidders
At the outset of the dot-org bidding process, ICANN outlined 11 criteria bidders would have to meet to qualify to operate the domain.


Eleven bidders plunked down $35,000 registration fees, submitting massive documents outlining their preparedness to meet the ICANN criteria. Their applications comprise a wide range of theories on how best to promote and manage the domain.

The dot-org registry operator will not set the retail price for dot-org addresses, but the registry will establish the wholesale price that registrars must pay when they sell names to retail customers. Lower wholesale prices could translate into lower retail prices for domain-name shoppers.

Bidders have proposed wholesale prices ranging from the current rate of $6 per name, per year, to less than $4 per name.

Regardless of what decision it makes, ICANN is poised to change the landscape of dot-org into the foreseeable future.



For the 11 Criteria the bidders had to meet, see: http://www.icann.org/tlds/org/criteria.htm
***************************
Los Angeles Times
Brands Seek to Knock Off Counterfeiters
Trademarks: Corporate logo owners are taking software makers to court over programs that benefit bootleggers.
From Bloomberg News


Coca-Cola Co., Nike Inc. and other corporate logo owners are joining together to combat what they say is the latest and most dangerous threat to their famous brands.

Software programs are being sold over the Internet that can be used to instruct machines to etch onto glass or vinyl, or stitch onto clothing perfect copies of Coca-Cola's contour bottle, the Nike swoosh or Walt Disney Co.'s Mickey Mouse.

The trademark owners have used letters, threats and the courts to try to protect their brands from bootleggers. The new software programs are potentially more devastating because they allow counterfeiters to distribute perfect copies of logos anywhere in the world.

"There's no doubt in my mind that these seedy logo cases are starting to crop up," said Frederick Mostert, author of "Famous and Well-Known Marks" and former president of the International Trademark Assn. "That's the fallout where technology is enormously beneficial to society, but there's also a price to pay."

Disney, Nike, Coca-Cola and companies such as Polo Ralph Lauren Corp., Levi Strauss & Co., Toyota Motor Corp., AOL Time Warner Inc. and BP are pursuing a novel legal strategy and have sued one of the software makers they say is responsible for the new crop of knockoffs.

The federal lawsuit was filed in May in Orlando, Fla., against Rick Hedrick and his company, Zmax Digital Graphics Systems Inc. The suit does not accuse Hedrick of making or selling counterfeit merchandise, rather it accuses Hedrick of creating software that contains perfect copies of logos and instructs machines how to put the logos onto products. The lawsuit is believed to be one of the first of its kind.

The suit is similar to those brought against landlords of flea markets whose tenants sell knockoffs, analysts say.

Hedrick gives his clients a choice--they can either download logos directly from one of several Web sites, or buy a CD-ROM that can be delivered anywhere, according to his sites and the lawsuit.

"Usually, counterfeiters sell the product that bears the trademark," Mostert said. "Here, what you're selling is just the trademark, the brand name itself."

Other software makers sell logos. They can be used legally by small retailers to create advertisements for sales, or by publications that are writing about a product.

The difference between those software makers and ones like Hedrick, according to the suit, is that his software is being used for illicit purposes, and he didn't do anything to stop it even after repeated warnings from logo owners.

"People shouldn't be allowed to put their head in the sand when they know illegal activity is going on," said Tim Trainer, president of the International AntiCounterfeiting Coalition.

There are no reliable figures for counterfeit products sold in the U.S. each year. The International Chamber of Commerce has estimated that as much as 7% of global trade is in bogus goods from copyright and trademark infringements. The anti-counterfeiting group has said trademark infringement drains about $200 billion a year from the U.S. economy.

The Web "has made copying so much easier, faster, instantaneous and perfect, as the proliferation of counterfeiting on the Internet has demonstrated," Mostert said.

With the Internet, counterfeiters can go to a company's Web site, download or otherwise copy digital images of the famous marks, and duplicate them for use in bogus merchandise.

The software program containing the images can then be multiplied on thousands of CD-ROMs and shipped around the world, trademark lawyers said.

For years, bootleggers have transported unlabeled counterfeit products across borders without interference, attaching bogus logos after passing through customs.

The software makes it easier, and the logos are of a higher quality because they are digital images.

It's the perfection of the image that makes software such as Hedrick's so pernicious, companies say. Counterfeit T-shirts often include steamed transfer images that are handmade and amateurish enough that any average consumer can tell it's a knockoff.

With digital images, it's impossible to tell the difference from a phony picture of Coca-Cola's contour bottle and "The Real Thing."

"The Coca-Cola Co. owns some of the world's most valuable trademarks, and we protect them aggressively," said company spokeswoman Kari Bjorhus. "We do not tolerate infringers or those who enable others to infringe."

Attempts to reach Hedrick by e-mail were unsuccessful. Coca-Cola, Disney and their fellow logo owners didn't have much luck either.

According to their suit, they've pursued Hedrick for at least two years, and court documents show he isn't making it easy for them to deliver to him a copy of the suit.

Still, several trademark owners say this lawsuit may set an example for other cases--either in warning would-be knockoff artists or giving them ideas.

"This potentially could have huge implications whichever way it goes," Mostert said.
*************************
Nando Times
French groups demand shutdown of Web site linked to Chirac assassination attempt


PARIS (July 29, 2002 6:21 a.m. EDT) - Two civil rights associations said Thursday they have asked a French court to ban a Web site run by a racist group linked to the man who tried to assassinate President Jacques Chirac two weeks ago.

Lodged by the Union of Jewish Students in France and the J'Accuse association, a group that monitors neo-Nazi propaganda on the Internet, the request calls for the site owned by the extreme-right Radical Unity to be shut down immediately.

It is to be heard by a tribunal in Paris on July 31.

Maxime Brunerie, the 25-year-old man arrested for trying to fire a .22 rifle at Chirac during the July 14 Bastille Day parade, has been linked to Radical Unity.

He allegedly posted a message on another web site, one run by the British neo-Nazi group Combat-18, the day before the attack reading: "Watch the TV this Sunday, I will be the star."

Radical Unity "displays several documents, text and images, militant material of a racist and anti-Semitic character," the two petitioning associations said in their joint statement.

French Justice Minister Dominique Perben said three days after the attempt on Chirac's life that he would ensure such racist websites feel the full weight of the law.

Brunerie, 25, is currently in a psychiatric ward for tests, while experts determine whether he was criminally responsible for his actions.
***********************
MSNBC
On the trail of an identity thief
Victim's sleuthing provides rare glimpse of crime at work
By Bob Sullivan


July 26: It was just another stolen credit card number, leaked by just another careless Web site, except for one thing: the victim wouldn't take it sitting down. So he made a few phone calls, and managed to retrace the thief's steps. Peeking through accounts at anonymous e-mail services, information brokers, and online banks, the victim got a rare glimpse of an identity thief at work. Here's how that one stolen credit card became three bank checks totaling $3,000 and perhaps much more.

IT ALL STARTED when the victim, whose first name is Don, tried to buy a Curt Eichelberger online two weeks ago. Don stuck his credit card into a checkout form at Curt-eichelberger-pop-art.com on July 14. Unfortunately, the card number got spit out the other side of the Web site, thanks to a security hole, and quickly ended up in a hacker newsgroup.
By 7 a.m. the next morning, his credit card company called to say his card had logged $700 in suspicious activity overnight, and it was canceled.
That's normally where stories like this end.
But a few days later, Don went online to check his statement and found one more fraudulent charge from a Web site named USATrace.com. The site offers all manner of people-finding information, including Social Security Number lookups. It's a natural first stop for someone attempting identity theft. MSNBC.com's calls to USATrace.com weren't returned.
But the company did speak to Don, a tech-savvy Net user who works at Microsoft-owned Ensemble Studios in Dallas. Since the account was opened in his name, the USATrace operator agreed to fork over the user name, password, and the Hotmail e-mail address used to create the account. That began Don's voyage through the ID thief's handiwork. (MSNBC is a Microsoft - NBC joint venture.)
Don tried the same password for the alleged criminal's Hotmail account and it worked. The 15 e-mail messages sitting in that inbox offered a blow-by-blow look at just how criminals can turn stolen data into cold, hard cash. Don forwarded the data in the inbox to CardCops.com, an independent Web site which tracks credit card theft online. Site owner Dan Clements forwarded it to MSNBC.com, which was able to verify the information.
There's a Western Union account opened under the name of Cecilia Salow. "She" ordered a cell phone, too, through BellSouth. Then, there's a credit report run through Equifax on someone called Humbeto Becerra. Seconds later, a NetBank.com account is opened in Becerra's name.
And, perhaps most important, there's an e-mail to a Michael Bradway from someone called Joe Angel. The e-mail indicates an $845 check was sent to Bradway via a Web site named Qchex.
Qchex lets account holders send checks via the Internet, which can be printed by the payee and cashed just like a bank check.
In this case, the payee is Michael Bradway. In fact, according to the Qchex records viewed by Don, three checks were sent to Michael Bradway on July 19, totaling just under $3,000. Two other checks sent a few days before Don's card was stolen, and probably from another ID theft incident, added another $1,800 to the criminal's take.
Blame for the string of crimes is hard to pin on any of the various victim businesses along the way, but Don said he was frustrated because he had nowhere to turn with the highly detailed information he had about the criminal's wrongdoings. Chase, the card issuer, was only concerned with reverting the fraudulent charges. An FBI agent understood the case, but said "unless you can show us it's $25,000 or more we're not touching it." And the Dallas police technology crime investigator (there's only one, he was told) has a one-year backlog of cases.
But Don said he was most frustrated by the credit card company's lack of interest in pursuing the case.
"I told them, 'You guys did a great job in making sure they didn't steal from me, but why don't you step up to the plate and actually stop somebody?'" Don said. "Instead, they just said to me, 'Wait a few weeks, these things work themselves out.'"
Rob Douglas, a privacy consultant who operates PrivacyToday.com, said Don's saga is actually pretty common, yet corporations and government agencies seem unable to stop it.
"This is just becoming too commonplace. And everybody saying they can't stop it. Corporations say law enforcement doesn't help, law enforcement says there's too many cases," Douglas said. Douglas testified before Congress three years ago and was instrumental in passing a consumer privacy law called the Gramm-Leach-Bliley Act, which made it illegal for banks to share some customer data. But today, despite numerous Congressional proposals to halt the practice, it's still legal for Web sites to sell Social Security Number information, and that's a core part of the problem, Douglas said.
"It's not that corporations and financial institutions shouldn't have access to the data, but we can't have that information being sold to anybody across the Internet," he said. "Information brokers and private investigators have absolutely no knowledge of who they are selling this stuff to."
*****************************
CNN
Hunt for bin Laden goes online
Alive or dead, terrorist suspect remains a wanted man


WASHINGTON (CNN) -- U.S. intelligence agents searching for al Qaeda leader Osama bin Laden have followed the trail of the world's most wanted man into cyberspace, CNN has learned.

Counterterrorism experts are monitoring a number of Web sites and computer servers they believe might contain recent messages from bin Laden.

Al Qaeda is said to be computer savvy, and some investigators believe they have found markers or code words that indicate bin Laden is trying to signal supporters that he is alive.

"It's either bin Laden or an elaborate cyber-deception campaign" by his lieutenants, an intelligence official told CNN.

CNN reported earlier this year that al Qaeda has used at least one Web site to post information and keeps changing the site's address to stay ahead of investigators.

Authorities also are investigating information from detainees that suggests al Qaeda members -- and possibly even bin Laden -- are hiding messages inside photographic files on pornographic Web sites.

Bin Laden and al Qaeda are blamed for planning and executing the September 11 attacks against the World Trade Center and the Pentagon.

The attacks prompted the U.S.-led military campaign in Afghanistan, which toppled the ruling Taliban that had sheltered al Qaeda and bin Laden.

Report inconclusive
CNN has learned that a recently completed counterterrorism analysis concluded that no one knows whether bin Laden is still alive.


Captured al Qaeda fighters told U.S. interrogators that bin Laden was wounded in the left hand in the attack on his base at Tora Bora. In a videotape released in December, bin Laden never moved his left arm and his hand was never shown.

U.S. Defense Secretary Donald Rumsfeld confirmed that bin Laden has not been heard from since. Bin Laden has good reason not to make further public appearances, he said.

"One might be he is not physically able, because he is injured in some way," Rumsfeld said. "Another might be because if he is afraid if he does it, he will get caught."

The intelligence report suggests that if bin Laden is still alive, he might be waiting to emerge when the next attack occurs.

Last week, the editor of al-Quds al-Arabi, a London-based Arabic-language magazine, said associates of bin Laden told him the al Qaeda leader was still alive and was recovering from a shrapnel wound to his shoulder. The editor, Abdel-Bari Atwan, said he was not given any other details.

"They never indicated where he is, " Atwan said.

Some intelligence officials believe bin Laden could be hiding in the border area between Afghanistan and Pakistan, a region encompassing several hundred square miles. If so, he likely is constantly on the move, they think.

New attacks?
In an audiotape broadcast on the Al Jazeera television network last month, al Qaeda spokesman Sulaiman Abu Ghaith said that bin Laden, his top lieutenant Ayman al-Zawahiri and "98 percent of the leadership of al Qaeda are safe" and planning new attacks against the United States. Taliban leader Mullah Omar was also alive, he said.


"I really want to assure the Muslims that Sheikh Osama bin Laden, with the mercy of Allah, is in a good health, and all rumors about Sheikh Osama's sickness or injuries in Tora Bora is completely inaccurate news," he said. Bin Laden would soon appear on television, Abu Ghaith said.

Alive or dead, bin Laden remains a powerful symbol.

"Those people who are going to rally behind him are going to rally behind him dead or alive," said Shibley Telhami, a Middle Eastern studies professor at the University of Maryland.

"You're going to have a core that, no matter what happens to him, are going to be his core supporters.

"He is terrifying to Middle Eastern elites. He is terrifying to Middle Eastern governments," Telhami said.

"He is terrifying to those who aspire to have a normal life because ... if it could be done to the United States, it could be done to them."
************************
CIO Insight
Wireless (In)security: Are Your Networks Snoop-Proof?
By Gary A. Bolles


Now, someone can steal your company's most sensitive data by snatching it out of thin air, right from the company parking lot.

Sound more like scare talk than reality? Guess again. On May 1, an anonymous customer of Best Buy Inc. told SecurityFocus Online, a Web site for a security threat management firm, that he was able to break into Best Buy's internal sales data network from his car, which was parked in one of the store's parking lots. He tapped into the network, he said, after installing into his laptop a wireless card that he had just bought in the store.

It's not certain whether any customer credit card numbers or other purchasing information held by Best Buy at its 499 stores across the country has actually fallen into the wrong hands, but the discovery of the company's vulnerability caused a brouhaha at Best Buy headquarters.

The problem? Best Buy, in some of its checkout lanes, uses portable point-of-sale terminals that are tied to its servers by a wireless local area network, or LAN. The LAN relies on the 802.11 wireless networking standard, known as Wi-Fi. But Best Buy did not, apparently, bother to turn on the most fundamental security feature that's built into Wi-Fi, thereby leaving customer credit card data unencrypted and open to snooping. At first, Best Buy pulled its wireless POS systems from its stores. Now, though, they're back in use, says spokeswoman Joy Harris, because the company has bolstered its wireless security procedures.

But Best Buy's vulnerability is hardly unique. Many companies fail to take even the most basic wireless security precautions. Still have doubts? Take a ride with government software consultant Todd Waskelis in Virginia's Dulles corridor, a thruway outside Washington, D.C. that is lined with high-tech firms. Waskelis can slip a wireless card into his laptop, drive down Route 7 and pick up one wireless network after another, including the networks of a major credit clearinghouse. "Instead of hacking from the Internet, people can hack from the road, and probably get to the accounting server," Waskelis says.

But the culprit, say experts, isn't the technology as much as it is poor management. Few companies think about wireless security as a business problem, and fewer still think of wireless security as a critical component of their company's business strategy: a set of choices to be made about what level of wireless risk is acceptable, and how to manage exposure while monitoring the network continuously for new holes and threats.

"The concept of wireless is on many people's radar screens, [but] the concept of wireless security is on far fewer of them," says Larry Rogers, a senior member of the technical staff at the CERT Coordination Center at Carnegie Mellon University. CERT trains companies to help secure the Net.

The first mistake many companies make, says Diana Smetters, security researcher at the Palo Alto Research Center (PARC), is failing to prohibit employees from setting up their own wireless networks at the office. If there's a wired connection available in, say, a conference room, anyone (employees, contractors, partners) can create a new local area network. With wireless LAN cards available for less than $100 at most local electronic superstores like Best Buy, it's easy for these so-called "rogue" networks to slip into the company under IT's radar screen.

That's not to say that Wi-Fi is not at all secure. It's just that the equipment is typically shipped with its security software, known as WEP, or Wired Equivalent Privacy, turned off. Using WEP means users have to fire up a browser, log onto a wireless access point and choose security keys. According to CERT's Rogers, some employees might consider doing all of these things more trouble than they're worth. "Or, they may be just clueless," says Rogers.

But even when WEP is turned on, it's no match for the toughest wireless hackers, or "whackers." WEP can be "broken" by anyone with a wireless laptop, a widely available encryption-buster program and enough time. Even relatively undetermined technophiles, for example, can use freeware software such as NetStumbler with a Wi-Fi card to sniff out exposed networks.

The NetStumbler site, for example, lets people see the locations of unprotected access points around the U.S., a gold mine for would-be corporate spies. If the CEO's nightmare is to wake up and see the corporation's unannounced acquisition plans, for example, plastered across The Wall Street Journal's front page, then the CIO's equivalent is finding the company's wireless network exposed on NetStumbler.

Another cause for wireless insecurity: the failure by workers to take needed security precautions when they work on a wireless device from outside the office, whether from Starbucks, the airport lounge or from home. PARC's Smetters says it's easy for a corporate spy to "sniff" the laptop of a competitor. "Say I want to find someone who works in Corporation X," she says. "What I'm going to do is sit in a coffee house around the corner and wait for somebody from Corporation X to sit down with their laptop" and then, using a wireless card and "sniffer" program, begin scanning that person's laptop without their knowledge, if no wireless security software is in place. "People are going to take their laptops, and with wireless they're going to be moving in and out of your firewall in a much more dynamic way than they would have or could have before," she says.

To many security experts, allowing employees to blithely connect to wireless LANs outside the corporate office, most commonly from home or an airport lounge, is madness. "It's difficult to think of a place that's better than an airport for stealing stuff going through the air," says CERT's Rogers. Adds Mick Johannes, CTO of consultant CorpNet Security Inc.: "If the wireless network in somebody's home is insecure, and they're connected to my corporate network, [then] I have an insecure corporate network."

And there are other vulnerabilities. Some IT departments fail to place wireless access points (radio transmitters that broadcast and receive wireless signals) in areas physically located away from windows and exterior building walls, where they can be "sniffed" easily by corporate spies trying to crack into networks from the company parking lot. The practice is common, say experts, what CorpNet CEO Rick Shaw calls "war driving," a variation on the old scheme of "war dialing," where intruders would use programs with modems to dial phone numbers in rapid succession to find unattended system entry points. Hopping onto wireless networks is a lot easier than dialing random numbers. Adds Erik Fichtner, security director at ServerVault Inc., a security integrator: "If you're running a wireless network, you're essentially providing an RJ-45 jack out on the street that someone can walk up to and [gain] access to your network."

Another problem is that companies often mistakenly "name" the signals their access points broadcast into the ether. Anyone with a wireless LAN card and widely available network scanning software can search through a list of network names while whacking. More often than not, those devices have been given a company name by someone on that company's IT staff, making it very obvious to intruders which access points belong to which companies.

Further, when a whacker sees a company name on a broadcast signal, it's a safe bet that company's entire security strategy is weak, or nonexistent. "If the IT staff put the company's name on it, that's a big clue that they don't take the threat seriously enough, or don't understand it," says Ridgely Evers, chairman and CEO of nCircle Network Security Inc., a San Francisco-based security strategy firm.

Taking Action

What to do? Some companies won't use wireless networks at all. "So far, the concerns about wireless technology and information security have prevented any steps from being taken toward an implementation" at Deutsche Bank AG, says Gregg Mele, N.Y.-based vice president of the Frankfurt, Germany-based financial services firm. "In this time of security concerns, the judgment being made is that it is better to err on the side of not moving forward on something relatively new like this, where questions still remain about how to prevent data theft using such a technology."

And lack of security can cost a company a lot more than lost data. Without better wireless security policies and ways to enforce their use, insurance companies can charge higher premiums. "Wireless significantly increases the risk of criminals getting into a company's network," says Don Harris, a broker in the technology risk group at Swett & Crawford, the world's largest wholesale insurance underwriter.

A broad range of customer data, such as credit card numbers and health statistics, for example, need to be kept from traveling over insecure wireless connections, or companies bear a greater risk of being sued by clients and customers for security breaches. "If you're not protecting your information, you've got some serious liability," Harris says. "So as underwriters, are we concerned? Definitely. A risk that has heavy utilization of wireless technology, that's a very difficult underwriting risk."

CIOs can analyze their potential exposure using a scare calculator, a Security Costs and Risks Estimator, such as the spreadsheet software offered by Alvaka Networks. Such software can help a CIO put a dollar value on what might happen if a client or customer sues for breach of privacy or a government agency slaps the firm with fines for leaking out data protected by law. CorpNet's Johannes says a potential fine could be as much as $250,000 for a privacy breach, depending on how it occurred. He points to new federal laws that protect hospital patient information from public scrutiny, increasing the risk of lawsuits against organizations that manage or transmit such information, and even against individual doctors who use PDAs to care for patients in a hospital.

Building Barriers

But not every company is clueless when it comes to wireless security. At Siemens Medical Solutions, for example, the networking department conducts site audits to ferret out rogue networks. Last year, says SMS' network engineer Stuart Higgins, IT used NetStumbler to sniff out a rogue wireless network that nobody in IT had installed. The discovery led to a set of new policies aimed at curbing the problem.

Now, says Michael Alban, who manages vendor relationships for Siemens Medical Solutions, workers who use the company's sanctioned wireless LANs must use the virtual private network security software provided to them by the company. Employees are also required to attend a seminar on using the VPN, and to sign a document saying they understand and agree with the organization's security measures. Failure to comply will mean a reprimand, and could lead to dismissal. Siemens employees are also encouraged to attend occasional "lunchtime exchanges" with IT and security staff to update their understanding of security policies as they change or as external threats vary.

NetBank Inc., an Alpharetta, Ga.-based online financial services firm, takes it all a step further. Tom Cable, NetBank's chief technology officer, sends company network engineers to employees' homes to make sure there are no security holes unplugged. NetBank checks home PCs for potential security problems of all types, including rogue wireless LANs. "We do inspections at people's homes," says Cable, "to verify that they are meeting the standards" set up for telecommuting security. "The machine that's going to be communicating to the bank should not be connected to a wireless network in the home," he says.

Other companies, like Deutsche Bank, simply limit what types of information can go in, or out, to get around the security problem. "There are limits on what [employees] can access in real time on the network through dial-up," says Mele. Experts recommend that companies treat employees working on wireless networks as if they were dialing in through the most insecure connection imaginable, even if the wireless LAN is physically set up in the middle of corporate headquarters, away from windows or exterior walls that could be easily sniffed from the road or employee parking lots by intruders.

The ideal setup? PARC's Smetters says it's a wireless network isolated from the rest of the company's regular local area network (see figure), connecting only where security devices like concentrators can block unauthorized access. WEP should be turned on, and access points should have obscure code names, set so they're not broadcast to the world. Access points should be placed carefully to avoid spreading their signals outside the office. And every employee using the wireless network should have personal firewall software installed on his or her computer.
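The Siemens site audits described under "Building Barriers" and Smetters' ideal setup above are two halves of one control: know which access points you sanctioned, and check each sanctioned one against policy (encryption on, SSID not broadcast, SSID without the company name, wireless segment isolated from the internal LAN, VPN on top of 802.11). The following is an added example of that audit logic, not code from CIO Insight or from any company named in the article; the scan records, the inventory and the field names (bssid, ssid, encryption, broadcast_ssid, isolated) are constructed assumptions for the illustration, not any survey tool's real output format.

```python
"""Wireless access point audit: find rogue APs and check sanctioned ones
against the policy the article describes.

Added example, not CIO Insight's code. The scan output and the inventory
are constructed sample data, and the field names are assumptions for this
illustration, not any survey tool's schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    """One access point seen by a site survey (fields assumed)."""
    bssid: str        # radio MAC address; used as the AP's identity
    ssid: str         # network name, or "" if the AP does not broadcast it
    encryption: str   # "none", "wep" or "wpa", as observed over the air


@dataclass(frozen=True)
class InventoryEntry:
    """One access point IT sanctioned, with its intended configuration (fields assumed)."""
    bssid: str
    ssid: str
    encryption: str
    broadcast_ssid: bool
    isolated: bool    # True if the AP's LAN reaches the corporate network only through a VPN concentrator/firewall


# Hypothetical company name that must not appear in any SSID.
COMPANY_NAMES = ("acme",)

# Constructed survey output, in the spirit of what a tool like NetStumbler lists.
SCAN = [
    ScanRecord("00:11:22:33:44:01", "", "none"),          # sanctioned AP, but WEP has been switched off
    ScanRecord("00:11:22:33:44:02", "acme-sales", "none"),
    ScanRecord("AA:BB:CC:DD:EE:FF", "linksys", "none"),   # nobody in IT installed this one
]

# Constructed inventory of sanctioned access points, keyed by lowercase BSSID.
INVENTORY = {
    "00:11:22:33:44:01": InventoryEntry("00:11:22:33:44:01", "ap-blue-7", "wep", False, True),
    "00:11:22:33:44:02": InventoryEntry("00:11:22:33:44:02", "acme-sales", "none", True, False),
}


def find_rogue_aps(scan, inventory):
    """BSSIDs seen on the air that are not in the sanctioned inventory."""
    return sorted(r.bssid.lower() for r in scan if r.bssid.lower() not in inventory)


def policy_findings(ap):
    """Policy violations for one sanctioned AP, in a fixed order."""
    findings = []
    if ap.encryption == "none":
        findings.append("encryption disabled")
    elif ap.encryption == "wep":
        # WEP is breakable; the article's advice is to treat the link as untrusted and run a VPN over it.
        findings.append("WEP only: require VPN over the wireless link")
    if ap.broadcast_ssid:
        findings.append("SSID broadcast enabled")
    if any(name in ap.ssid.lower() for name in COMPANY_NAMES):
        findings.append("SSID reveals company name")
    if not ap.isolated:
        findings.append("AP connected directly to the internal LAN")
    return findings


def config_drift(scan, inventory):
    """Sanctioned APs whose observed encryption differs from the intended one."""
    drift = {}
    for r in scan:
        entry = inventory.get(r.bssid.lower())
        if entry is not None and r.encryption != entry.encryption:
            drift[entry.bssid] = (entry.encryption, r.encryption)
    return drift


def audit(scan, inventory):
    """Full report: rogue APs, per-AP policy findings, and configuration drift."""
    violations = {}
    for bssid, ap in inventory.items():
        findings = policy_findings(ap)
        if findings:
            violations[bssid] = findings
    return {
        "rogue": find_rogue_aps(scan, inventory),
        "violations": violations,
        "drift": config_drift(scan, inventory),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SCAN, INVENTORY), indent=2))
```

The drift check is the part a one-time survey misses: an AP that was sanctioned with WEP on but is now seen on the air unencrypted is exactly the kind of change the article's "monitoring the network continuously" is meant to catch, so the scan is worth repeating on a schedule rather than once.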

Ultimately, though, the main weapon in the CIO's security arsenal against insecure wireless LANs is the VPN. Virtual private networking software is invariably used whenever employees dial in remotely over the insecure Internet, and experts and users say the same should be true for wireless LANs. For Dave McLean, network systems engineer for the City of St. Petersburg in Florida, that meant ordering up additional, and often expensive, security software. "We consider the 802.11 to be [insecure], and we put a VPN on top of it," he says. Though some experts point to the additional cost of VPNs (for large companies with no such security, for example, it could be millions of dollars), McLean maintains it can be worth it.

Besides getting a level of security protection it didn't have before, the city is also saving money. Its move to use wireless LANs to link together buildings formerly connected by frame relay and cable modems is saving city taxpayers thousands of dollars in huge monthly communications bills. McLean says the city expects to see the full payback on its multimillion-dollar investment within 18 months of installation. Says McLean: "It's too late to plug holes in your system once data has already leaked out. The ROI when it comes to security is, ultimately, the theft that didn't happen."

CIO Insight Copy Chief Debra D'Agostino contributed to this article.
************************


Lillie Coney Public Policy Coordinator U.S. Association for Computing Machinery Suite 510 2120 L Street, NW Washington, D.C. 20037 202-478-6124 lillie.coney@xxxxxxx