The Impact of Privacy and Data Protection Legislation on the Sharing of Intrusion Detection Information

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2001)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2212)

Abstract

The global nature of the information infrastructure presents enormous opportunities to organizations. However, global interconnection also means global risk and implies the need for global defence. A central aspect of global defence is information sharing, and at as early a point in the incident cycle as possible. This implies the sharing of intrusion detection sensor data. The growing recognition of the requirement to respect personal privacy is bearing fruit in the passage of personal privacy and data protection legislation, which generally limits the ability of organizations to share personal information. Based on the broad definitions of personal information found in the legislation, source IP addresses, one of the key elements of information used in tracing malicious activity, may be considered to be personal information, and would therefore fall under the purview of the privacy and data protection legislation. There are, however, exemptions for the sharing of information that could be extended to permit the sharing of intrusion detection information while still meeting the intent of the surveyed legislation.

© 2001 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Johnston, S.R. (2001). The Impact of Privacy and Data Protection Legislation on the Sharing of Intrusion Detection Information. In: Lee, W., Mé, L., Wespi, A. (eds) Recent Advances in Intrusion Detection. RAID 2001. Lecture Notes in Computer Science, vol 2212. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45474-8_10

  • DOI: https://doi.org/10.1007/3-540-45474-8_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-42702-5

  • Online ISBN: 978-3-540-45474-8

  • eBook Packages: Springer Book Archive
