
Security Blog Log: Data storage bills go to extremes

This week, lawmakers miss the middle ground when it comes to how long electronic data should be stored. Meanwhile, a hacker defaces electronic subway signs to suggest the prime minister is a monster.


U.S. lawmakers are working on legislation that would further regulate the handling of electronically stored data. And as one blogger pointed out this week, the latest initiatives go to opposite extremes instead of what many would consider the sensible center.

At one extreme are Republican Congressman Joe Barton of Texas, who chairs the House Energy and Commerce Committee, which is responsible for Internet and telecommunications legislation, and Democratic Congresswoman Diana DeGette of Colorado. At the other extreme, in the same legislative body, is Democratic Rep. Edward Markey of Massachusetts. The ultimate goal of Barton and DeGette is to crack down on child pornography, while Markey's mission is to protect consumers from data fraud.

According to media reports, Barton has vowed to work on legislation that would require Internet providers to keep records on customers' activities. The concept, commonly known as mandatory data retention, has the backing of the Bush Administration. One media report suggested Barton's committee will roll DeGette's amendment -- to require Internet service providers to retain information about subscribers for at least one year -- into a more sweeping bill.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at


Markey, meanwhile, has filed the Eliminate Warehousing of Consumer Internet Data bill, which would require owners of Internet Web sites to destroy obsolete data that can be used to individually identify a consumer, including credit card numbers, bank numbers, dates of birth, home addresses and Social Security numbers. The bill directs the Federal Trade Commission to set standards and enforce the act, according to Markey's Web site.

"If 2005 was the year of the data breach, I am going to make sure that 2006 is the year of safeguarding the privacy of American citizens by introducing legislation to prevent the stockpiling of private citizens' personal data," Markey, the ranking Democrat on the Telecommunications and Internet Subcommittee of the House Energy and Commerce Committee, said in a statement.

The bills got the attention of Isaac Scarborough of New York-based Chapell & Associates, an auditing company that helps enterprises comply with privacy laws. He questioned the workability of the legislation in the Chapell & Associates blog:

"I'm not saying that I advocate [Markey's] proposed alternative, but the impetus behind [DeGette's] proposed bill isn't all that clear to me," Scarborough said. "In fact, it seems the opposite extreme: instead of requiring businesses to delete a great deal -- if not all -- of the data they collect, ISPs would be required to retain customer information for at least a year."

The need to crack down on child pornography is hardly a position that can be argued with, he said. But he doesn't see why this should require ISPs to hang onto customer information for a year after the customer leaves their service.

"As Congress debates a new and updated telecommunications bill -- the first since 1996 -- many provisions are likely to deal directly with the Internet and online privacy," Scarborough said. "It's worrisome, however, that recent legislative proposals dealing with consumer privacy have taken one extreme (required deletion) or another (required storage)."

In the end, he said, online privacy is always a matter of balancing business and government needs against consumer interest. Markey's bill went too far in the latter direction, while DeGette's does just the opposite, he said.

"As things stand, telecommunications law generally specifies that ISPs -- like most telecommunications companies -- must retain information for a limited period of time, and only upon government request," he continued. "Perhaps this is restricting the government's ability to prosecute certain offenders. But there are definite risks associated with the broad collection and storage of consumer data, something that seems to have gone missing in the DOJ's (and now, Congress') drive to have such data available to them as needed."

How to hack an electronic subway sign
Somewhere out there is a hacker who isn't fond of Canadian Prime Minister Stephen Harper.

Russell Dean Vines, president and founder of The RDV Group Inc., a New York-based security consulting services firm, noted in his RDV Group InfoSec blog that suburban Toronto railway travelers recently got the following headline from a scrolling message board inside a commuter train:

"Stephen Harper Eats Babies."

The board usually reports on train schedules or public events, but this time it was referring to the recently elected prime minister of Canada, Vines said, citing a report in The New York Times that the Greater Toronto Transit Authority (GTTA) had received five other sightings of the bizarre notice.

What happened?

"Evidently, the seven-year-old transit reader signs had been hacked by an infrared hand-held, and the software was never configured to require a password," Vines said. "And it's not clear that the software has the capability to use passwords." The GTTA has since turned off the signs and is installing password software.

"And friends of Mr. Harper say he's never eaten a single baby that they know of," Vines said.

Senior News Writer Bill Brenner peruses security blogs each day to see what the information security community is buzzing about. In this column he lists the weekly highlights. Feel free to contact him at if you'd like to comment on a column or bring new security blogs to his attention.
