I was hard pressed to call it a debacle, but I couldn’t think of a better word. Still, when I think about it I keep hearing Resolution Trust Corporation bells in my ears. Steve Berger says:

Let contractual arrangements remain in force, let good lenders prosper and bad ones suffer (similarly with borrowers) and let the taxpayers’ pockets go unpicked. Legislative interference with market processes is likely only to prolong and deepen the downturn.

I concur, but legislators only know how to legislate. Look at the bright side…if government steps in, institutions will have less need to raise rates.

This post could just have aptly been titled “Australia Gets Tough on Internet Crooks,” as we already know they are tough on spammers. Cripes, even the ISPs down under are hammering spam.

Back to the subject at hand..uh, that was spyware, right?

I am not sure how this is going to work, but the Australian parliament is pushing a concept that would make ISPs liable for spyware that crosses their network into a customer’s machine.

Senator Brian Greig called the measure tougher than banning spyware altogether. The onus is on the ISP, and they will be the target of legal action if they don’t watch their socks.

In America, ISPs would likely welcome this with open arms, as then they would have an excuse to charge more for internet access. But in Australia, with much fewer providers, I hope the government doesn’t allow this, mostly because I have a lot of friends in Australia that I don’t want to see getting gouged to fix a problem that isn’t their’s in the first place.

The US House of Representatives Homeland Security subcommittee has approved the creation of an Assistant Secretary of Cybersecurity. Having the US government keeping a watchful eye on IT security issues can be a good thing, because you know politicians will get some funding for it, and you also know they will start squawking about it left and right. The funding will be used for some useless studies, but the squawking will hit the mainstream press, and then everyday folks hear about it. It is like free PR for the security conscious.

However, it always pays to read between the lines.

The article on this from Computerworld noted that the ITAA (Information Technology Association of America) was involved in lobbying for action. And paying association members are usually companies with deep pockets that can use their membership to push some cause that benefits them (which, at face, I have nothing against).

In this case, however, the ITAA is pushing to limit liability for companies subject to data security breaches, if and when they adopt industry standards. So I just have to ask..what the hell does “industry standard” mean? If it is a set of best practices that are mandatory and independently auditable, that’s one thing. But if it is a minimum set of guidelines that are self-policed and subject to interpretation, that’s quite another.

Regardless, you can be fairly certain there will be plenty of loopholes available to corporations, so if they hand their data over some crook, even over and over again like ChoicePoint and LexisNexis did, they won’t have to worry about the people they hurt (through their blooming stupidity) trying to come after them.

Most of you have never heard of him. But Bruce Schneier is one of my geek heroes. He doesn’t know it, but this co-founder and CTO of Counterpane Internet Security is the one who introduced me to the concept of public key encryption. My email has never been the same since (mostly because my friends can’t read my 4096 bit scrambled messages)!

No seriously…Bruce was the author of Applied Cryptography, which was one of the first books on encryption that didn’t require a PhD in astrophysics to understand. You could also send away for the source code associated with the book - I did, and six weeks later I had a floppy loaded with algorithms. I never compiled any of that source, but it led me to grab PGP, so it was worth the trip.

The reason I say all this is because Mr. Schneier is a guy who knows security. And by that I mean not only the code, but the processes behind them, and how they can affect users in our data driven world.

Now Bruce has commented on “identity theft,” and again it is worth listening to.

In this contribution over at CNET News.com, Bruce questions the very concept called “identity theft,” and expounds upon some of the reasons why the pursuits of legislation to fix the problems will miss the boat.

Bruce’s first contention is that “identity theft” is a bit of a misnomer - identities are never actually stolen - what is stolen is the data that acts as tags for peoples’ identity. It is the fraudulent transaction perpetrated as a result of that data acquisition that is the real crime. He goes on to suggest that if traditional financial institutions (such as banks) bore some liability for those fraudulent transactions, much the same way credit card companies do, that they would be apt to approach the fraud in a different way.

Credit card companies, through the use of sophisticated pattern recognition technology, are able to stop transactions that don’t fit the cardholders’ historical charge composition. It works well enough that they don’t mind bearing some liability for what fraud does happen. If banks utilized similar measures, as Bruce suggests, much of the data that is stolen could be rendered useless.

While I don’t know how quickly banks and brokerages will adopt such measures, if ever, I do know that they are already subject to a number of regulations designed to “know the customer.” The Bank Secrecy Act, the NASD Manual, and even the Patriot Act outline compliance measures that cost financial institutions a bundle to comply with. Taking it one step further, to “know the transaction,” seems like a logical next move.

If Bruce’s presumptions are correct, the presently pending legislation that is designed to stop the data mishaps will be ineffective, as the fraudulent transactions can co-exist in that environment. But, if the transaction can be stopped by some computer algorithm, why steal the data in the first place? Some additional measures are taken at the transaction level, and “identity theft” simply dies as a result of technological obsolescence. Interesting.

***UPDATE***

Schneier has not let up on the message, and others are picking up on it too.

Spam is going to cause the next war in the Pacific theatre, I just know it. Everyone I talk to says all the spam comes from China, even though we know it all comes from Westminster, Colorado. Unfortunately, in the midst of announcing new legislation on spam in their country, the Chinese press has let the cat out of the bag, and now all hell is going to break loose.

As Xinhau puts it:

“And we know that US spammers now send junk e-mails to China via servers in China, rather than through servers in the United States. As a result, the nation is blamed, on many occasions, as a big spammer, and many IP (Internet protocol) addresses in China are in danger of being shut down.”

The everyday joe in the States think the spam comes from China, and now over a billion everyday joes in China know it comes from the States. All we need is a couple of zealous politicians to start pointing fingers in each direction, at the bequest of their always well-informed constituents, and surely trouble will arise.

Read factual details from the 100% independent Chinese press here.

Call me crazy, but isn’t Iowa a little late to the game? The recent legislation includes making it illegal to send spam, as well as steal personal information about computer users. I don’t get it, so I will just shut up.

No, wait. I hope they don’t think spyware is something James Bond wears [spywear].

Read Sioux City Journal: House passes new laws against computer crimes for more (you’ll get the James Bond goof then too).

A new bill is floating around that hopes to make tough on phishing. If it ends up anything like CAN-SPAM, we might wind up with legalized phishing! While I am all for tougher penalties against the bad guys, the politicians should be careful to properly scrutinize future legislation with the help of folks who actually know something about technology processes, prior to introducing something that disables rather than enables. You can read more about it here: New Senate Bill Looks to Hook Phishers.

In accordance with standard practice in the technology community, Slashdotters have posted their own world view (see Slashdot | Phishers Face Jail Time Under New U.S. Bill).

I won’t comment anymore on either - judge for yourself and send comments if you like - I would like to learn more about how this bill might provide a solution (if there is a legal solution).