Video rental records are afforded more privacy protections than your online data.

Defcon 17 Security Conference

Today at Defcon 17 I attended an interesting talk given by the Electronic Frontier Foundation (EFF) where they talked about some of the case law that is shaping our countries IT related laws. One of the interesting tidbits that I picked up was that current laws seem to protect your personal video rental and sales records (i.e. what you rented from the video store) from disclosure in a more effective way than your computer data residing online. I'm no lawyer, and this is not legal advice, but here are some of the details on the subject. Chapter 121 of Title 18 of the US code contains laws pertaining to STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS. The two that were discussed at defcon and Blackhat this week were statute 2703 and statute 2710. 2703 deals with required disclosure of customer communications or records while 2710 deals with wrongful disclosure of video tape rental or sale records. Reading the 2703 statute shows that there are very few protections of your online data residing at service providers, SaS, Co-lo, email, and other types of online providers. 2703 makes it possible for government to allow the disclosure of your data without your approval or even notice in certain circumstances. The 2710 statute however implements very stringent, specific, protections on the lawful disclosure of your personal video store rental and purchase records. According to the EFF and Wikipedia, "Congress passed the VPPA after Robert Bork's video rental history was published during his Supreme Court nomination (EPIC). It makes any "video tape service provider" that discloses rental information outside the ordinary course of business liable for up to $2500 in actual damages" among other punishments. I'll let you read the statute snippets so you can make your own conclusions. 2703:

(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection— (A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation or equivalent State warrant; or (B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity— (i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or (ii) obtains a court order for such disclosure under subsection (d) of this section; except that delayed notice may be given pursuant to section 2705 of this title. (2) Paragraph (1) is applicable with respect to any wire or electronic communication that is held or maintained on that service— (A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such remote computing service; and (B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing.
2710
(b) Video Tape Rental and Sale Records.— (1) A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d). (2) A video tape service provider may disclose personally identifiable information concerning any consumer— (A) to the consumer; (B) to any person with the informed, written consent of the consumer given at the time the disclosure is sought; (C) to a law enforcement agency pursuant to a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, a grand jury subpoena, or a court order; (D) to any person if the disclosure is solely of the names and addresses of consumers and if— (i) the video tape service provider has provided the consumer with the opportunity, in a clear and conspicuous manner, to prohibit such disclosure; and (ii) the disclosure does not identify the title, description, or subject matter of any video tapes or other audio visual material; however, the subject matter of such materials may be disclosed if the disclosure is for the exclusive use of marketing goods and services directly to the consumer; (E) to any person if the disclosure is incident to the ordinary course of business of the video tape service provider; or (F) pursuant to a court order, in a civil proceeding upon a showing of compelling need for the information that cannot be accommodated by any other means, if— (i) the consumer is given reasonable notice, by the person seeking the disclosure, of the court proceeding relevant to the issuance of the court order; and (ii) the consumer is afforded the opportunity to appear and contest the claim of the person seeking the disclosure. If an order is granted pursuant to subparagraph (C) or (F), the court shall impose appropriate safeguards against unauthorized disclosure. (3) Court orders authorizing disclosure under subparagraph (C) shall issue only with prior notice to the consumer and only if the law enforcement agency shows that there is probable cause to believe that the records or other information sought are relevant to a legitimate law enforcement inquiry. In the case of a State government authority, such a court order shall not issue if prohibited by the law of such State. A court issuing an order pursuant to this section, on a motion made promptly by the video tape service provider, may quash or modify such order if the information or records requested are unreasonably voluminous in nature or if compliance with such order otherwise would cause an unreasonable burden on such provider.
What is your take on these laws, which one seems to offer more protection for the consumer? Do you consider your video rentals worthy of more protection than say your online email account? If any lawyers would like to comment or mention anything I may have gotten incorrect please post. For more information: http://www4.law.cornell.edu/uscode/18/2710.html http://www.usdoj.gov/criminal/cybercrime/usc2703.htm

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary: Credit Card Skimming: How thieves can steal your card info without you knowing it Cisco enters the crowded AV and DLP client marketCisco's new ASA code allows you to securely take your Cisco IP Phone with you anywhereCisco targets Symantec, McAfee with its new antivirus client Google's Chrome raises security concerns and tastes like chicken feet a>Go to Jamey’s Blog for more articles on security.

*

*

*

*

*

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2009 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)