We commonly blame the “Internet”. Typical telecommunications law holds that a communications service provider is not responsible for the content of what is carried over their network. Even if organized crime, terrorist organizations, or even groups planning an assassination use a conference bridge service, the service providers involved are not held responsible or liable.
However, this apparently does not extend to the providers of content, or for providers that enable the storage of content that is publicly accessible. The simplest example is the storage and distribution of copyrighted material. In these cases, both USA and international laws enable some pretty rapid responses to both shut down the service as well as prosecute the providers. This also extends right to the home for people that have downloaded copyrighted material, even though that are not acting as a service for others. Other laws, such as HIPPA (Health Insurance Portability and Accountability Act) which deals with the use and disclosure of personal health information.
However, there are other elements between the user and their data:
- Computer hardware (workstation, tablet, smartphone, etc.)
- Computer operating systems (Windows, iOS, Android, etc.)
- Computer applications (whether they run on the “client” or in the “Cloud”)
- and now Computer Identity services (Google, Facebook, etc.)
In general, we have held harmless the manufacturers of hardware, operating systems, and applications. The largest exception, in general, are hardware warranties. We generally expect imperfect software with defects that do not significantly impact our ability to use the software (or with (“work-arounds”). Larger software problems are solved as part of some sort of software maintenance agreement, with periodic patches from the software company.
Even if we assume that our data is safe on our own device or protected in the Cloud, the “larger” problem stems around unauthorized use of your personal property. That is, your computer, smartphone, tablet, or Cloud service is hacked in a manner that makes it appear like legitimate data requests are coming from you. The question who is really responsible and who does or should have a liability?
The general computer case is where the end-user owns the entire stack of hardware and software of the connected endpoints. This can include desktops, laptops, and tablets) and what is necessary to ensure security. Responsible users deploy Anti-Virus, Anti-Malware, Anti-Phishing, and Application-specific Firewalls. Here, the customer is responsible, if they so choose, to keep their computer up-to-date.
However, even with all that, the computer (or smartphone) user is still vulnerable. So, other than the user who else could be responsible? Some possibilities are:
- Internet Service Providers
- Only responsible for getting bits from the Internet to and from the customer’s computer.
- They make no representation of whether the bits represent a security attack or not. They try hard to deal with certain types of bad sites and traffic, but only at what is considered commercial best practice.
- They take no liability on the accuracy of the Domain Name System (DNS).
- Computer Hardware
- The computer manufacturer, which in generally is an integrator of other manufacturers components, puts standard commercial elements together.
- These elements may have their own risks, for example interface devices and their closely associated device driver software or even the BIOS firmware. In general, the computer manufacturer is responsible for making these patches available, with the owner of the computer responsible for the installation.
- They may bundle and operating system (Windows, iOS, Linux, Android, etc.) which, in general, has a set of risks. The operating system provider is responsible for making patches, and the use is responsible for the installation.
- Operating System Vendor
- Much of the focus on vulnerabilities are placed at the doorstep of the Operating System vendor. We are accustomed to “patch Tuesday” which mostly pushes out security related updates.
- Host-based Application Provider
- Similar to the Operating System, the application owner generally makes security patches available. There are many cases for the actual cause of a security-related patch. These include ones that are related to the operating system, how the computer is operated (do all applications run as “root”), and of course defects in the application itself (these include security-related applications such as Anti-Virus, etc.)
- Cloud-based Application Provider
- Services in the “Cloud” are clearly the full responsibility of the service provider. They are responsible to protect their infrastructure (which they may get from another provider, complicating the situation) and updated their service to address vulnerabilities. Much of the time this is done without any intervention or notification to the user of these services.
The combination of companies, integration, and the owner or operator of the computer leads to a complexity that has enabled many different vectors for security-related attacks by the proverbial ‘hacker”. In fact, even if one of the individual companies could be held liable for a security defect, the environment is so complex that it would be very difficult to prove that it was not the owner or operator’s fault. There are some exceptions, where the hardware manufacturer is also the hardware provider, and in the case of Apple holds significant control over user applications, but this really not a significant reduction in complexity.
The following table provides an expanded list of the components of a standard desktop, laptop, tablet, or phone and the various technology elements that contribute to security and privacy of a user’s data.
Element
|
Example
|
Issue
|
Provider Action
|
Customer Notification
|
Customer Action
|
Frequency
|
Chips
|
Microprocessor
|
User mode compromise of protected execution mode
|
Next chip version
|
Generally none
|
None or device replacement
|
Device Breakage of Obsolescence Time
|
Basic Firmware
|
Motherboard BIOS
|
Malicious code insertion
|
Clean BIOS code download
|
Generally none. Potentially from an non-industry standard workstation provider application
|
Attempt re-burn BIOS
|
Almost never for the life of the device
|
Basic Firmware
|
Device BIOS (e.g., Graphics Card)
|
Malicious Code insertion
|
Clean BIOS code download
|
Generally none. Potentially from an non-industry standard workstation provider application
|
Attempt re-burn BIOS
|
Almost never for the life of the device
|
Device Drivers
|
Operating System Device drivers (e.g., display, WiFi, LTE, Bluetooth,, printers, etc.)
|
Malicious Code insertion and potential operating system compromise
|
Device company update or provider update
|
Generally none. Potentially from an non-industry standard workstation provider application
|
Search for updates Generally not-automatically initiated.
|
Very infrequently
|
Operating System
|
Windows, iOS, Android
|
Malicious Code insertion and potential operating system compromise
|
Operating System provider
|
Automatic Updates
|
Generally none (after selection of automatic installation option)
|
Very frequently
|
Applications
|
Authoring tools, browsers
|
Use application security defects to enable access to user files. If the application is root-level then compromise of operating system objects
|
Application Provider
|
For desktops some manual and some automatic. Generally via non-industry standard application specific approach
For tablets and phones, updates are generally provided via a standard process
|
Generally none (after selection of automatic installation option)
|
Moderate frequency
|
Here are some real examples of vulnerabilities that run from chips to systems:
In this case, there is a chip flaw that could enable non-privileged code to take control of computer: http://www.kb.cert.org/vuls/id/649219
And, another case, more targeted to laptops and smartphones:
An example where a hacker can attempt to download malicious code masked as a legitimate BIOS update: http://www.kb.cert.org/vuls/id/912156
Device drivers also have vulnerabilities that can lead to the hijacking of a users computer: http://www.kb.cert.org/vuls/id/957036
So, when it comes down to it, who is responsible? Given the complexity of the total system from chips to Cloud applications, what would be the impact of law or regulations that attempted to hold someone responsible for a user’s data? It appears that there are so many potential exploits that the root cause analysis and number of cases would more than swamp the legal system to determine fault.
One final observation. User authentication and authorization are now moving to systems that are in a completely different trust domain. The example in the figure uses Facebook to access a cable service providers customer website. Maybe at one time the worst issue would be that a hacker could get our upcoming (and of course too large) bill. But now, they can have your telephone records, voicemail, and even access to the the web-based home security and automation system.
No comments:
Post a Comment