November 18th, 2008
Note: This article is a continuation of an earlier one.
OK, OK, security training and awareness for senior management is an almost impossible endeavor, but that does not mean that the same obstacles are present in security training and awareness for the rest of an organization. As I have said before, I’ve had my share of experience with security training and awareness, and have accumulated several important “lessons learned” concerning successes and failures, including:
- Successfully conveying perceived purpose to the target audience is all important. Making whatever skills to be taught or message to be presented relevant to this audience is the difference between being able to engage and motivate them to learn or not being able to do so. Conveying perceived purpose is difficult, however, because many users use computers purely out of necessity and do not necessarily think that being unable to use their computers temporarily because of a security-related problem is such a bad thing. This is where HR can help considerably. If compliance with information security policy, standards and procedures is included among employee performance review criteria, employees are much more likely to realize that information security is important and thus are likely to be more open and receptive to security training and awareness efforts.
- Training and awareness must be tailored to different groups within an organization. “One size fits all” definitely does not apply to security training and awareness. Training and awareness for casual PC users needs to be radically different from training and awareness for system administrators; the same principle applies to expert system administrators versus novice system administrators. Tailoring security awareness and training to different groups is truly one of the greatest challenges for information security professionals, especially considering that training and awareness budgets are usually rather limited.
- Those who are trained must be held accountable. I am confident that in and of itself having a group of people come into a room and hear a presentation on information security does little good. At a minimum, requiring attendees to take a test afterwards or show hands-on that they have learned to follow a mandatory security procedure is necessary. Those who do not pass the test or practicum need to receive more training before they once again attempt to pass.
- Skip the theory and get down to the practical. Too often information security training and awareness consists of communicating many security platitudes, but nobody except security professionals really cares about these platitudes. Those who receive security training and awareness need to learn practical things such as how to create a strong password, why it is important to avoid opening attachments, and how to disconnect a network cable from a network interface card if there is reason to believe that a computer has been compromised.
- Training must be recurrent. We often require that all employees and contractors receive security training once every year, but psychologists say most concepts that we learn are forgotten within a matter of hours (sometimes minutes) after we are exposed to them. Following up, say with a brief individual distance learning session, two or three weeks after a group training session is imperative.
These prescriptions are by no means any kind of “silver bullet.” At the same time, however, paying attention to them could very well make your security training and awareness effort go much better than ever before.
~ : ~
November 14th, 2008
Note: This article is a continuation of an earlier one.
I’ll continue from where I left off in my last blog entry. I’ve pointed out some problems and dilemmas associated with information security training and awareness. What are some possible solutions?
First and foremost, senior management must understand what information security training and awareness is and why it is so potentially valuable to the organization’s business. I have a strong suspicion that even some of the top information security professionals overlook the necessity of getting senior management buy-in for training and awareness.
Don’t get me wrong: information security professionals have a difficult enough time trying to win senior management support for their information security programs, and trying to obtain their support for parts of and initiatives within these programs is, I am sure, even more difficult. But unless senior management really understands what security training and awareness can potentially accomplish at the cost of relatively few resources, the chances of a training and awareness effort being effective diminish considerably.
Perhaps part of the problem with senior management’s lack of awareness of the many benefits of security training and awareness is that training and awareness efforts seldom target senior management.
Putting security awareness posters in the hallway to which senior managers’ offices connect is certainly not very likely to be effective in making senior management more aware of security-related issues and solutions.
Although I am aware of (and have occasionally taught) security awareness courses for senior management in a few organizations, I also know that unless attending these courses is mandated by the CEO, the likelihood of managers attending is minuscule. And if managers are forced to attend, the ill will towards information security that obligatory attendance creates can often outweigh any benefits of the training.
A few years ago I tried a different approach to exposing senior management to some security training and awareness. I figured that because senior managers’ time is at such a premium, allowing them to get awareness training using their own computer in their own office was the way to go. Working closely with someone from the publications department, I developed learning objectives for a short (approximately 15 minutes) distance learning course, and then sent email describing these objectives and asking for feedback to a number of senior managers whom I considered part of the target audience.
Although most recipients of my messages predictably did not respond, a few did, and the ones who responded gave some very valuable feedback, particularly in pointing out issues that I had omitted. I then proceeded to design the distance learning course content from the revised objectives, and finally worked with the publications staff member to create interactive slides, sound effects, and a short quiz at the end.
Next I rolled out a small pilot project in which I was able to get about a dozen managers (most of whom were not actually “senior”), obtained feedback, and then made final revisions to the course content.
The course, which was available on-demand at a special Web site, was announced several different ways, and I was even able to get the CIO to announce the course at a staff meeting. A few weeks later, I asked the same persons who originally announced the availability of the course to announce it once again. The result of all the time, effort and money invested was extremely disappointing: only a small fraction of senior managers ever took the course, and of those who did, almost nobody bothered to take the ten-question self-assessment quiz at the end.
My reaction was extreme disappointment. I had pulled out all the stops, so to speak, investing far more time and effort than I was ever paid for, and only a fraction of the targeted audience took the course.
As I look back at what happened now over four years ago, I realize that unless senior managers were required to complete the course (just as they are required to complete sexual harassment and safety courses), they would not do so. But I did not have the power to require anything, and although I tried to convince the CIO that it would be very worthwhile for him to mandate taking the course, I was not successful (mainly because the CIO was fearful of the political consequences of making such a mandate).
Furthermore, I had inroads neither with the president to whom the CIO reported nor his staff. But once again, even if I had been successful in getting a requirement to take the distance learning course in place, mandating participation in security training and awareness would have produced quite a bit of resistance.
The “bottom line” is that there is no clear path to success with security training and awareness.
~ : ~
November 12th, 2008
Someone does not have to be in the field of information security very long before becoming acquainted with the long-held belief that information security training and awareness provides one of the best returns on investment of any control measure. Empirical data support this belief.
To counter personnel-related security vulnerabilities from 1994 through 2002, the US Military Regional Computer Emergency Response Team (RCERT) in Europe initiated a security training and awareness effort in which users were instructed on the value of computing assets as well as the security-related risks and appropriate procedures.
One important finding from the study was that training significantly reduced the time between the discovery of a vulnerability and when it was fixed.
However, a substantial problem exists: a huge gap between the theory of information security training and awareness and the practice of it. Much lip service is given to security training and awareness, but in reality organizations devote relatively little time and resources to it.
In many organizations security training and awareness consists of little more than having awareness posters taped to walls in passageways as well as message pads with a trite slogan such as “Think security.” And, strangely, whenever there are funding problems for information security practices, security training and awareness sessions and courses are almost invariably one of the first to be slashed.
The same goes for training and awareness specialists who are members of the information security staff. How can this be if security training and awareness produces more “bang for the buck” than any other initiative?
I also find it perplexing that so few articles and papers in professional magazines and journals cover security awareness and training.
Most of the ones I have read over the years have some value, but I have not read any that I would consider breakthrough articles, ones that share insight that can transform a training and awareness effort into one that is super effective.
Possibly the reason for the dearth of published training and awareness articles is fear of leaking intellectual property; after all, numerous organizations and individuals make a large portion if not all of their revenue from security awareness and training. Sharing breakthroughs with competitors would, of course, be most unwise. Still, if training and awareness produces such a great ROI, one would think that proportionally more articles on this subject would be published.
I do a fair share of teaching courses for professional organizations, so I am not in a good position to objectively evaluate what is good and what is deficient about training materials and curricula. I do, however, know that many of the topics about which I teach are not too innately interesting to attendees.
Take, for example, network security. Learning about the various types of network media and protocols is not exactly the kind of thing people want to do during their leisure hours. I have to use every trick I know to make the content of such courses interesting to attendees. Additionally, most courses nowadays consist of slide presentations followed by demos or hands-on sessions followed by more slide presentations. With all the breakthroughs in media technology, one would think that there would be more use of different, interesting and engaging learning methods in information security training and awareness.
So I’ll close by repeating what I said earlier: there is a huge paradox. Information security professionals believe that training results in huge dividends, yet training and trainers are in practice greatly undervalued. I’ll propose some possible solutions in my next blog entry.
~ : ~
November 4th, 2008
In a reaction to the US Department of Homeland Security’s recent assertion that it has the right to seize laptop computers at any US border, three US Congresspersons have introduced legislation designed to limit DHS’s power.
Senators Maria Cantwell and Russ Feingold, and Representative Adam Smith, all of whom are Democrats, initiated legislation named the Travelers Privacy Protection Act. The DHS currently lets customs agents seize any laptop system for as long as they need to inspect data stored therein without having to give a rationale for doing so. The laptop’s owner is also required to surrender the password if border agents demand it.
The legislation would necessitate the DHS having reasonable suspicion based on compelling evidence that there is illicit activity before computers and other electronic devices in the possession of US residents could be seized and inspected. The DHS would also have to give probable cause and a warrant or court order if such computers and other devices are to be kept longer than 24 hours. The legislation also would restrict what information collected in the course of conducting electronic searches could be divulged. Finally, it would require the DHS to regularly give an account of its actions related to border searches to Congress.
Any of you who read the blogs I have written over a period of more than one year know that I have long been concerned about the current climate of disregard for privacy rights in the US. I am very aware of the need to combat terrorism, and realize that to be successful in this endeavor there will be times when fighting terrorism outweighs the right to privacy.
However, something is dreadfully wrong when border agents are afforded the power to seize and inspect any laptop they want at any time for any reason whatsoever, and then keep the computer indefinitely if they so desire.
Computers almost always contain a great deal of personal, sensitive information in the form of email messages, photographs, and more—information that people deem private and that would be embarrassing to them if it were to be viewed by someone else. This information should thus not be available to DHS border agents at their whim.
Additionally, having a computer system seized is very disruptive to individuals who use the system to get their work done. Furthermore, people should not have to surrender the password to a system they own unless there is a compelling rationale to require the person to do so.
It will be interesting to see how the new legislation fares. There appears to be a good chance it will pass in both the Senate and the House. The big question is thus whether President Bush will sign it or whether he will veto it, and if the latter occurs whether there will be enough votes in Congress to override the veto.
Fortunately, slowly but surely some of the excesses in terms of erosion of individual rights and liberties in the US are being reversed. The great German philosopher Georg Wilhelm Friedrich Hegel said that theses are created and that antitheses that negate the theses emerge. Eventually, however, synthesis that resolves the conflict between theses and antitheses occurs.
We’ve seen a lot of antitheses when it comes to personal rights and liberties; perhaps it’s now time for some synthesis.
~ : ~
October 31st, 2008
Sorting out the Issues Concerning a Student’s Access to a Database
I recently read the story of a 15-year-old male student at Shenendehowa Central High School in New York who was charged with three felony counts for allegedly accessing one of the school’s databases without authorization. He has been charged with computer trespassing, unauthorized possession of personal information, and identity theft.
The student, whose name was withheld because he is a minor, allegedly used a legitimately assigned password to access a database containing information concerning school district bus drivers. Shortly afterwards, the student allegedly notified his school’s principal to warn him of the fact that the database could be reached in this manner. The principal in turn notified law enforcement of what the student reported he had done and had him suspended from school.
I read a number of accounts of this incident and could not find the level of detail that I had hoped to find. Nevertheless, several aspects of this case trouble me. First and foremost, the student in question was given the password that he used to obtain the access he allegedly obtained. He did not ostensibly engage in any “cracking” behavior.
Second, the school district superintendent said that the database containing employee information was accessible to anyone who was assigned a password, but how to access this database required some special knowledge. Furthermore, a school district employee conceded that access to the database was wide open, but that it had only been that way for a week or two.
You have almost certainly read other blogs and commentaries I have written in the past, and if you have, you know that I have little sympathy for individuals who have gained unauthorized access to systems. At the same time, however, something about the case of this New York high school student simply does not make sense to the point that I seriously question his guilt.
First, he had a legitimate password, one that the district superintendent conceded could have and did give him access to a variety of resources on the computer in question.
Second, nothing in any accounts of this bizarre story suggests that the high school required users to sign a user accountability statement advising them of terms of acceptable use, or that a login banner advising users of the same provisions was displayed when users logged in.
Third, the access that the student obtained was potentially available to every student. Failure to secure access is no excuse for those who have obtained unauthorized access, but there is a legitimate question concerning how a 15-year-old is supposed to read school administrators’ minds about which resources were and were not OK to access.
Fourth, the student promptly notified the principal of the access he had obtained. Doing so is hardly new; many times attackers have notified system administrators and others of their exploits, only to offer “security consulting services” to fix the cause(s) of the problem. Additionally, many times attackers have contacted persons associated with systems they have broken into to boast or to taunt them. However, from the accounts I read, the accused student appeared to be genuinely concerned that the database he allegedly accessed was reachable in this manner.
All blame is currently focused on the accused student, but at some point in time questions concerning the degree of responsibility the high school and its administrators have in this whole sorry episode must be asked.
Throwing the proverbial book at a 15-year-old student without giving the student a fair chance seems barbaric. Leaving a database open to every user and then claiming that doing so was not so bad because it had not been open for all that long is blatantly irresponsible.
Counting on “security by obscurity” to protect employees’ data is despicable. The only thing to hope for at this point is that despite the apparent comedy of errors in this case, justice (whatever it might be) will ultimately prevail.
~ : ~
October 27th, 2008
Social networking has in just a few years grown beyond all imagination, with MySpace and Facebook leading the way. Social networking sites enable their users to connect with friends and peers in ways never before possible, using postings and blog entries to promote their positive attributes and assert their individuality. The number and variety of social networking sites today is mind boggling, but experts tell us that social networking as it currently exists is only the tip of the iceberg.
Despite the huge numbers of positives associated with it, social networking also has some distinct downsides.
The degree to which social networking sites are monitored for undesirable or downright malicious content varies greatly from site to site. Hostile, fabricated, or even public safety-endangering content can cause considerable negative fallout. Content posted and then retracted can remain available long after it is retracted because it is cached.
The main issue in this posting, however, is how an information security manager should deal with social networking. From an information security point of view, social networking sites (as good and popular as they may be) introduce security and other risks. Some of the most significant of these risks include:
- Use of peer-to-peer (P2P) networking. A surprising number of social networking sites utilize P2P network technology, a technology that typically allows traffic to bypass perimeter defenses such as firewalls and also greatly increases the likelihood of malware infections.
- Legal fallout from fraudulent enrollment. A certain percentage of social networking site members enroll under false pretenses and then pretend to be somebody they are not, violating the terms and conditions of the sites in which they enroll. This can result in a wide range of legal fallout, including the potential for such a person to face criminal charges for unauthorized access to computing systems.
- Enablement of predators. Predatory behavior and the Internet go hand-in-hand, and social networking sites are no exception. A recent study indicates that approximately one out of six teenagers who use the Internet have received direct sexual advances from predators; I fear that this statistic may be an underestimate.
- Electronic harassment. Lamentably, social networking sites are also used to electronically harass individuals, with ex-friends and ex-lovers being the most frequent targets. Recently a 13-year old girl who was allegedly unmercifully harassed by someone masquerading as a 16-year old boy committed suicide. The masquerader was allegedly the mother of another 13-year old girl who had a falling out with the girl who took her life.
- Net loafing. Employees at work who engage in social networking are wasting company time and resources. Net loafing was bad enough before social networking became the rage; with social networking it has threatened to get out of control.
- Data leakage. Social networking users can and do reveal information about organizations, their trade secrets and their goals and activities that should not be revealed. Social networking thus exacerbates the already out-of-control data extrusion problem.
- Reputational damage. The downsides of social networking, e.g., giving users the ability to easily harass someone else or allowing predators to engage in their sordid deeds, can easily cause reputational damage to both individuals and organizations.
What is the “bottom line” then? Should on-the-job social networking activity be banned?
The answer is not necessarily. Like everything else in information security, the associated costs and benefits need to be assessed and then weighed against each other to determine whether social networking on the job should be allowed, and, if it is, what controls need to be put in place.
Additionally, rules concerning access to social networking sites need to be included in every organization’s acceptable use policy. Finally, such access, like virtually every other type of user activity, needs to be continuously monitored.
~ : ~
October 20th, 2008
The fact that the US as well as much of the rest of the world is undergoing a recession is hardly a secret. This recession has had a great impact upon organizational budgets, often resulting in deep spending cuts.
Not surprisingly, information security practices have not been spared from such cuts; security control-related projects that were to be initiated this calendar year have increasingly been put on hold, and reductions in the number of information security staff have been commonplace.
Given the dependence on availability of personnel and financial resources that information security practices have, the potential negative impact of reducing the level of resources is potentially severe. What can security practices do to attempt to provide the needed level of business process assurance and data protection despite a reduction in resources?
During times of budget reductions, the first thing an information security manager needs to do is to undergo a major shift in attitude.
Prior to budget cuts, an information security practice may have been moving forward with multiple initiatives as well as well-defined and executed operations. After budget cuts, especially if the cuts are severe, a security manager needs to realize that the practice is now more or less in a holding pattern, so to speak. The practice must now pay attention to and deliver the bare essentials, just enough to get by, even if security risk can no longer be managed to a level that senior management deems acceptable.
Being in this situation is not by any means easy, and the difficulty of adjusting to it is exacerbated by the fact that virtually all books, manuals and other published information concerning information security management presume that an information security practice will have sufficient resources to be able to launch numerous control initiatives that mitigate various types of risk. To the best of my knowledge, none of these resources covers how to survive under adverse conditions, such as when severe budget cuts have occurred.
In the absence of such guidance, I’ve taken the liberty of brainstorming potential ways of dealing with severely reduced levels of resources. My suggestions include:
- Assess and communicate the impact of cutbacks upon the level of unmitigated security risk. First and foremost, never blindside senior management and critical stakeholders. If cutbacks result in inability to mitigate risks that were to be addressed by security initiatives, both of these critical entities need at a minimum to be advised of the probable negative impact on business and/or operational processes.
- Re-evaluate the priority of each security initiative and drop or postpone those that are least critical. Information security involves assessing risks and mitigating them according to priorities. If resources become scarce, the lowest priority initiatives need to be dropped.
- Slow multi-phase projects. Some risk mitigation projects can be slowed to lower the resource “burn rate.” The acceptable level of residual risk after each stage is completed may have to be redefined. Senior management should, of course, have the final say concerning the level of risk that is acceptable as well as which stages of which projects should be slowed down to conserve resources.
- Attempt to achieve maximum convergence with other, similar organizational functions. Many information security functions overlap with other organizational functions such as risk management, audit and physical security. When resources become scarce, turning to such functions to determine whether they can perform tasks or parts of tasks that would normally be performed by the information security function is an excellent way to accomplish at least some goals in the face of resource shortages.
- Where cutbacks in labor are involved, strongly consider using third-party provider services to a greater extent. Third-party provider services are by no means any kind of “magic bullet,” but when labor costs must be reduced, these services often provide a good means of doing so. This is especially true when positions (e.g., security architect, compliance specialist, and so on) within a security staff are indispensable, but sufficient funding for full-time work for each is not available.
Having a shortfall of resources is nothing new for information security practices, but what has been happening recently is far more severe than any previous time that I can remember. The challenge is formidable; the good news is that the information security arena has an abundance of outstanding professionals who can and in all likelihood will rise to this challenge.
~ : ~
October 16th, 2008
Why Purdue’s CERIAS Program Has Dropped out as a “Center of Academic Excellence”
In 1998 the US National Security Agency (NSA) started a special program in response to Presidential Decision Directive 63, which stated that there was a shortage of well-trained information assurance professionals and advocated national standards in IA/IS educational programs. This program gives US universities and colleges with information assurance (IA) or information security (IS) programs recognition as “Centers of Academic Excellence (CAEs)” for meeting Committee on National Security Systems (CNSS) requirements regarding IA/IS course curriculum and library holdings.
Purdue’s CERIAS program was one of the first to receive recognition as a CAE. Over time, nearly 100 programs at various universities and colleges have also been granted this status. Interestingly, however, several months ago when it came time to renew, CERIAS declined to do so.
One of the major reasons cited by CERIAS director Dr. Gene Spafford is that the term “Center of Academic Excellence” is inappropriate and misleading. Many academically marginal programs at universities and colleges, including some that have the reputation of being little more than “diploma mills,” have nevertheless been awarded CAE status.
“Excellence” should mean far out of the ordinary; as such, very few programs should be awarded this status. But let’s face it: not all that many truly excellent IA/IS programs at institutions of higher learning exist. Instead, achieving CAE status has served only to “put lipstick on a pig”; programs with marginally qualified faculty, inadequate laboratory facilities, and only a few hundred information security books in their libraries appear to be far higher in academic quality than they actually are. CAE status has thus become more of a travesty than anything else. To remedy this sad situation, the NSA should instead certify IA/IS programs for meeting minimum requirements.
I’m not sure what effect CERIAS’s dropping out as a CAE will have on the CAE program. Given that being awarded CAE status is not all that advantageous in helping programs obtain funding, I wouldn’t at all be surprised if faculty at other truly excellent programs came to their senses and then followed CERIAS’s example.
At the same time, however, I strongly suspect that academically marginal programs will continue to enthusiastically participate in this program for as long as it exists. After all, the CAE label is very useful when it comes to recruiting students, and the competition among universities and colleges in recruiting students has for several decades been intense.
As far as the CAE program itself, I would not expect things to change any time soon. Government employees who grant CAE status to IA/IS programs are usually so far removed from the academic mainstream that they cannot begin to comprehend the meaning of “academic excellence.”
Even if they did, there would be many barriers to dropping the CAE program, including objections from the programs (and, in particular, Congressional representatives from the states in which these programs exist) that so unjustly enjoy its benefits.
Meanwhile, I strongly suspect that Purdue’s CERIAS program will not at all be adversely affected by its having dropped out of the CAE program. Virtually everyone who knows about IA/IS programs at universities and colleges is aware of the excellence in research and teaching that CERIAS has achieved.
Whether or not a plaque attesting that CAE status has been achieved hangs on a wall somewhere on campus should and does not make the slightest bit of difference.
~ : ~
October 13th, 2008
I just attended another information security conference. Normally when I attend a conference, I give a presentation and then leave shortly afterwards to hurry back to the High Tower office. This time, however, I had the luxury of being able to take in a number of presentations. Although some of them were truly outstanding, what speakers said in two of these sessions struck me terribly wrong.
In one session, a person who described himself as a forensics expert made some reasonably good points. I would in fact have considered his talk to be above average until he started answering questions from the audience.
Someone asked him if he had ever had to decrypt file content in the course of a forensics investigation. He replied that he had, and that obtaining and running a decryption tool was the correct approach. I suppose that there is nothing wrong with using a decryption tool, but I was surprised that he did not say anything about trying to look for encryption keys in a system’s memory before doing anything else, which is by far the most straightforward approach.
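To make the memory-search approach concrete, here is an added example that is not part of the original entry and not the speaker's or the author's code. It locates AES-128 keys in a captured memory image by looking for their expanded key schedules rather than the bare 16-byte key: almost every AES implementation keeps the 176-byte schedule in RAM while a volume or file is open, and a valid schedule is so structured that a random 176-byte run essentially never matches one (this is the approach popularized by the 2008 cold-boot research). The "memory image" here is a constructed buffer with two schedules planted in deterministic filler; the key expansion itself follows FIPS-197, and the first test key is the FIPS-197 Appendix A.1 key, so the schedule values can be checked against the standard.

```python
"""Find AES-128 keys in a memory image by searching for expanded key schedules.

Added example; the image is constructed here, not a real RAM capture.
"""
from __future__ import annotations

import random


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> bytes:
    """Derive the AES S-box (inverse in GF(2^8), then the affine map) instead of hard-coding 256 values."""
    sbox = bytearray(256)
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):        # x^254 == x^-1 in GF(2^8)
                inv = gf_mul(inv, x)
        s = inv
        for shift in range(1, 5):       # s ^= rotl(inv, 1..4)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[x] = s ^ 0x63
    return bytes(sbox)


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176                      # 11 round keys * 16 bytes for AES-128


def next_round_key(prev: bytes, rcon: int) -> bytes:
    """Derive the next 16-byte round key from the previous one (FIPS-197 section 5.2)."""
    w = [prev[i:i + 4] for i in range(0, 16, 4)]
    t = bytes(SBOX[b] for b in w[3][1:] + w[3][:1])   # RotWord, then SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]
    out = []
    for word in w:
        t = bytes(a ^ b for a, b in zip(word, t))
        out.append(t)
    return b"".join(out)


def expand_key(key: bytes) -> bytes:
    """Full AES-128 key expansion: 16-byte key -> 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    rounds = [key]
    for rcon in RCON:
        rounds.append(next_round_key(rounds[-1], rcon))
    return b"".join(rounds)


def find_aes128_keys(image: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, key) for every offset at which a complete AES-128 key schedule lies in the image."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        candidate = image[off:off + 16]
        # Prefilter: one round is cheap; only a matching first round key earns a full expansion.
        if next_round_key(candidate, RCON[0]) != image[off + 16:off + 32]:
            continue
        if expand_key(candidate) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, candidate))
    return hits


KEY_FIPS = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key
KEY_SECOND = bytes(range(16))                                  # constructed second key


def build_sample_image(size: int = 4096) -> bytes:
    """Constructed stand-in for a RAM dump: deterministic filler with two key schedules planted in it."""
    rng = random.Random(2008)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[1000:1000 + SCHEDULE_LEN] = expand_key(KEY_FIPS)
    image[3000:3000 + SCHEDULE_LEN] = expand_key(KEY_SECOND)
    return bytes(image)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key schedule at offset {off:#x}: key = {key.hex()}")
```

Against a real capture the same scan applies byte by byte to the whole dump (the schedule need not be aligned), and the one-round prefilter is what keeps that affordable. The obvious caveat is also visible in the code: a bare key that sits in memory without its schedule is not found by this method, and AES-256 needs the same logic with an 8-word key and 240-byte schedule.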
I was also surprised that he told the audience that forensics tools such as EnCase are of limited value because they are too complicated to use. I fear that although the audience learned several valuable principles of forensics, some of what they learned was far from the truth.
In another conference session a speaker made numerous recommendations concerning PCI compliance. He, like the previous speaker, made a reasonably good presentation, but then he said something that I could not believe.
When discussing the need to protect customer data at rest, he said that strength of encryption is not important, that any kind of encryption is sufficient to protect such data. I certainly hope that no one in the audience took him seriously. Would ROT-13 be sufficient to protect customer data? Certainly not. How about the 56-bit DES algorithm, which was brute-forced in well under a day as far back as 1999? And for data in transit, I fear that the speaker would also endorse 40-bit export-grade SSL cipher suites, which can likewise be broken quickly.
I am by no means any kind of exclusive truth repository in information security. Sometimes I, too, get things wrong. My much-valued friend and longtime mentor William Murray does not hesitate to tell me when he thinks I have been wrong, and for that I am glad. I tried to return the favor, so to speak: in both sessions I raised my hand at the end in an attempt to correct the assertions that I considered to be faulty. Somehow, however, both speakers overlooked me, something that only added to my frustration.
I’ve said it before, so I will say it only briefly here. It is incredibly difficult to correct misinformation communicated during conference sessions; it is much easier to correct misinformation in published works such as books and journals. If uncorrected, misinformation can cause serious errors of judgment in the workplace.
Conference committees work hard and deserve a lot of credit for putting conferences together, but they need to pay far more attention to what a potential speaker intends to say before that person is allowed to make a presentation. Screening the content of upcoming presentations must become a greater priority.
And, finally, I truly hope that those who attended the two sessions in which misinformation was communicated will read this blog entry, but I am not holding my breath.
~ : ~
October 9th, 2008
I’ve been told many times that legal rulings do not necessarily correspond to common sense. A decision by a lower court in California proves just how true this is.
In Bunnell v. Motion Picture Association of America, Rob Anderson was accused of violating the 1968 Wiretap Act after he intruded into a server owned by Valence Media and configured it to forward email messages to his Gmail account. He then collected them and gave them to the Motion Picture Association of America (MPAA), which wanted to obtain evidence concerning the file sharing services that this company offers. The MPAA paid Anderson USD 15,000 for his services.
In August 2007 the Central District of California ruled that the accused had not intercepted any email messages, and thus did not violate the 1968 Wiretap Act. Judge Florence-Marie Cooper’s reasoning was based on her somehow being convinced that the messages had been stored momentarily, and thus were not in transmission.
This ruling still amazes me. How can someone claim that messages that were transmitted were really “not in transmission?” Additionally, forwarding messages to a destination other than the one that Valence Media intended certainly sounds like interception to me. Furthermore, the fact that Anderson had to break into the system to configure it to forward messages to a destination of Anderson’s choice by all appearances shows intent to intercept message content.
Lawyers for Valence Media are appealing the Central District of California Court ruling; the case is now in the hands of a California federal appeals court. It is hard to predict how the forthcoming ruling will go, however, because judges and juries typically understand so little about computer and networking technology. Until they learn more about it, crazy rulings such as Judge Florence-Marie Cooper’s are likely to continue.
A saner ruling by the California federal appeals court appears to be the best thing that can currently happen to correct the specious thinking about technology that has governed previous court decisions. A proliferation of cases of this nature will invariably occur in the future. The ruling by the California federal appeals court is thus potentially extremely important, because it is likely to set a precedent that guides future rulings.
There is yet another critical consideration in this case, however. The MPAA has at times acted rather wantonly in its pursuit of copyright violations, and its conduct in connection with Valence Media is by no means an exception.
The MPAA actually paid someone to intrude into a system, despite the fact that multiple federal and state statutes prohibit gaining unauthorized access to systems. Apparently, the MPAA feels that the end justifies the means, and that it is above the law. It is well past time that the MPAA is held accountable for its despicable actions.
~ : ~