Proposed California Law Would Require Consumer Warnings & Info About How to Protect Personal Info for Wi-Fi

There was an interesting report in California today about a proposed bill, AB 2415, that would, generally, require manufacturers and retailers of computers with Wi-Fi to include warnings within the OS and to turn off file-sharing by default.

Of course, new bills are proposed all the time, and many of them never make it into law. However, I find this one interesting because it is so narrowly focused on wireless security. There are so many other risks that exist with computers; how long will it be until these are legislated also? Will there be a law that requires all personal information to be encrypted at rest (in storage) and in motion (while in transit)? Will the prevention of malicious code become legislated? These issues are covered, at least by implication, in laws such as HIPAA and GLBA, which require security to be implemented based on the results of risk assessments, and even through interpretations of the FTC Act. However, this bill is different in that it forces computer manufacturers and retailers, in effect, to implement a customer awareness/protection program for each computer sold.

Even though this is a California bill, if enacted it would in effect require basically all computer manufacturers to implement the consumer warnings and reset defaults within the computer software, since it states: "This bill would prohibit a person or entity from manufacturing or selling a device in this state that enables connection to a network without including a warning in its software that alerts the consumer of certain security factors if he or she chooses to set up the device without security protections. The bill would also require a person or entity that manufactures or sells a computer in this state to distribute or sell the computer with the computer’s file-sharing feature in off mode." I can’t think of any computer manufacturer who would not sell to California just because of this.

It’s curious why the bill was amended by striking "wireless technology" and replacing it with "network security" when it is specific to wi-fi security.

I think it is good to legally require businesses to protect information and implement security, but when the requirements become so narrowly scoped and technology-specific, other more significant risks (such as buggy, inadequately secured application code) can be overlooked in an effort to address only those very specific legal technical requirements.

The specific amended bill, with the stricken passages omitted, follows:

"AB 2415, as amended, Nunez. Network security.
   Existing law, the Consumer Protection Against Computer Spyware Act, provides specified protections for the computers of consumers in this state against certain types of computer software.

   This bill would prohibit a person or entity from manufacturing or selling a device in this state that enables connection to a network without including a warning in its software that alerts the consumer of certain security factors if he or she chooses to set up the device without security protections. The bill would also require a person or entity that manufactures or sells a computer in this state to distribute or sell the computer with the computer’s file-sharing feature in off mode. The bill would also provide that if any part of these provisions or their applications are held invalid, the invalidity would not affect other provisions.
   Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. The Legislature finds and declares the following:
   (a) With the increasing use of wireless technology, consumers are unknowingly allowing their personal information to be accessed by unauthorized users who piggyback onto their network connection.
   (b) Piggybacking occurs when an unauthorized user taps into a consumer’s network connection. The practice is becoming a serious issue for people who reside in densely populated areas or live in apartment buildings where WiFi radio waves can easily emit through walls, floors, and ceilings.
   (c) Since there is no gauge that shows how many people are using a particular connection, it is impossible to determine when someone has tapped into a consumer’s network connection.
   (d) In 2003, it was estimated that there were 3.9 million households with wireless access to the Internet. Currently, there are about 7.5 million households with wireless access, and that number is expected to rise to 16.2 million households by the end of the year.
   (e) In April 2004, Humphrey Cheung, the editor of a technology Web site, flew two single-engine airplanes over metropolitan Los Angeles with two wireless laptops. The laptops logged more than 4,500 wireless networks, only 30 percent of which were encrypted to lock out unauthorized users.
   (f) In June 2002, there was only one major carrier that offered "hot spot" access. Recently, however, several other large carriers have announced plans to enter the market by the end of the year. Few people realize that hackers can take advantage of these wireless "hot spots" by redirecting E-mail traffic from its intended path to the hacker’s computer, thereby obtaining personal information without the consumer being aware of the hacker’s presence.
   (g) There is disagreement as to whether it is legal for someone to use another person’s WiFi connection to browse the Internet if the owner of the WiFi connection has not put a password on it. While Section 502 of the Penal Code prohibits the unauthorized access to computers, computer systems, and computer data, authorized use is determined by the specific circumstances of the access. There are also federal laws, including the Computer Fraud and Abuse Act (18 U.S.C. Sec. 1030 et seq.), which also prohibit the intentional access of a computer without authorization.

SEC. 2. Chapter 34 (commencing with Section 22948.5) is added to Division 8 of the Business and Professions Code, to read:

CHAPTER 34. NETWORK SECURITY

   22948.5. For purposes of this chapter, "computer" means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device that performs logical, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage, or communication facilities that are connected or related to the device.
   22948.6. A person or entity that manufactures or sells a device in this state that enables connection to a network shall include in its software a warning that comes up on the computer screen if the consumer chooses to set up his or her device without a password and other security protections. The warning should advise the consumer how to protect his or her personal information. These instructions may also be available in the product manual.
   22948.7. A person or entity that manufactures or sells a computer in this state may only distribute or sell the computer with the computer’s file-sharing feature in off mode.
   22948.8. The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect any other provision or application that can be given effect without the invalid provision or application."
