Australia’s federal government has planned to require Australian ISPs to use filtering software to remove “illegal” content from Australia’s Internet. They’re spending around $77M (USD) to implement the program, which the government had led people to believe would be optional. Instead, it will be mandatory.
Mark Newton, a network engineer with Internode in Australia (but not working on behalf of or speaking for Internode), did an analysis of the data gathered from Australian government trials of filtering software. He concluded that, among other things, more accurate filters degrade Internet speeds over 70%, and less accurate filters can have up to a 15% false positive rate.
In retaliation, Belinda Dennett, a policy advisor to Australia’s communication minister, Senator Stephen Conroy (Labor), wrote an e-mail to Newton’s employer, asking them to rein in the network engineer’s dissent.
We called Sen. Conroy’s office but we were not able to get a response before press time.
We have an audio interview in podcast form with Mark Newton below, with a transcript below the cut.
Michael Cote of Redmonk just recently spoke with us and some other vendors here in Austin, and talked about it in a podcast he put up on his (very well read) blog.
Mostly, he focused his attention on our partnerships with Cisco, Microsoft, F5, and EMC, although there was a head-scratcher when Cote said that we were “getting into some configuration stuff” – which, I guess, if you mean we provide tools to diagnose many problems including router misconfiguration, sorta applies…
The other was a minor slip, which he quickly corrected, when he referred to “Quality of Assurance,” instead of what he meant to say, “Quality of Service.”
However, just to set the record straight – NetQoS provides some of the highest quality assurance possible, with daily affirmations, a self-esteem lab, positive-thinking modules for the Cisco routers, and assertiveness training for passive monitoring.
And if you work here five years, they give you a puppy.
From Cote’s podcast:
I have to admit I’m not an extreme expert in network performance tools and things like that. But what was interesting was to see the approach to spreading around the technology that they [NetQoS] have - just to various, sort of, partners, whether it's Cisco or Microsoft or F5 or EMC or even different geographies.
The position that NetQoS is in, is that, as with a lot of IT management stuff, different primary vendors, I guess you could say, people like Cisco, or people who are selling actual devices or applications being monitored often put out a lot of different information about that advice, and just kind of have it sitting there. And even, when you get into things like Cisco, obviously, there's a lot more advanced things like NetFlow and stuff like that that you can use to dig into and troubleshoot these problems.
So it creates this interesting sort of third party market, where other people like NetQoS can come in and do something with that data and plumb into those systems. And usually, you have to have a pretty good relationship with the primary vendor you're integrating with, which NetQoS seems to have. And so, what they’ve managed to do with their various platforms is sort of layer in to - like, peering into the network, and just helping people out with, as their name implies, ensuring quality of service.
And, what I found interesting, I was starting to say, about them, was that they're clearly in the stage where they're comfortable enough with their technology that what they're trying to do now is trying to spread it to different partners and geographies and things like that. So, I would guess, what you would see from them is - establishing more relationships like the one they have with Microsoft and EMC and Cisco, and so forth and so on.
Recently, a posting on Slashdot linked to a story from PC Magazine called “Texas PC Repair Now Requires PI License.” Obviously, this story has gathered tons of attention, and if strictly true, would have a major impact on IT departments across the state, if not the nation.
Matt Miller, Executive Director of the Texas State Chapter, Institute for Justice:
Editor Brian Boyko, at NPD: So, could you tell me a little bit about your organization?
Executive Director Matt Miller: Sure. We are a public interest law firm; we're based in Arlington, Virginia. We have offices now in Minnesota, Washington (state), Arizona, and now in Texas, and we file public interest litigation on behalf of individuals whose Constitutional liberties are taken away from them by government.
NPD: How many cases have you filed?
Miller: The Institute for Justice, in total?
NPD: Yeah.
Miller: Probably close to a hundred. "IJ" has been in business since 1992, and we work in four areas. We work in property rights - you may have heard of our "Kelo vs. New London" decision that came out of the U.S. Supreme Court, we work in free-speech in the areas of commercial speech and campaign finance reform, we work in economic liberty - which is what the case that we'll be discussing today is about - which challenges licensing restrictions. And then we're also the lawyers for the school choice movement.
NPD: So, could you tell me a little bit about who you are and what your position with the organization is?
Miller: Sure. I'm the executive director of the Texas State Chapter, so I run the office here in Austin. I have a staff attorney that works with me, and then we have an office manager and some law clerks from the University of Texas Law School.
NPD: So, could you tell me a little bit about this bill that has been passed into law - House Bill 2833?
Miller: Well, last Thursday [June 26, 2008], we filed suit against the [Texas] State Private Security Board on behalf of the owners of some computer repair shops here in Texas and their customers. Last year, the state of Texas passed a law that basically said that to perform a lot of types of data analysis, you have to have a private investigator's license. And, if you perform that analysis without a license, or if you are a customer and you seek to have that analysis performed by somebody without a license, it is punishable by up to one year in jail and up to $14,000 in fines.
NPD: Could you tell me a little bit about the language of the bill, where exactly it says that in the bill?
Miller: Well, what was changed in the bill - they amended the Texas Occupations Code, Chapter 1702, Section 104 of the Texas Occupations Code. And they added one little line - and it was done in subsection B, and they said that for the purpose of subsection A, "obtaining or furnishing information" includes "information obtained or furnished through the review and analysis of any investigation into the content of computer-based data not available to the public."
This case got on our radar screen because the Private Security Board has issued a series of interpretations saying flat-out that this law applies to computer repair shops and a lot of people who analyze computer data in certain ways.
NPD: Sorry, what board was that again?
Miller: The Texas Private Security Board. They're basically charged with licensing private investigators, security guards, guard dog trainers - people of that type.
NPD: Alright, is that a government agency, or private function?
Miller: It is a State Agency. They are a sub-agency of the Texas Department of Public Safety.
NPD: The Lawsuit names them as the defendant?
Miller: It does. We have sued the members of the board in their individual capacity - excuse me, I'm sorry, let me correct that. In their official capacity. Which is what you're required to do when you file a lawsuit of this type against a state agency. And we are asking the Judge to declare that the law violates our clients' constitutional rights to practice their occupation free from unreasonable governmental interference.
NPD: Is the problem with the law or the interpretation of the law that the Texas Private Security Board has taken?
Miller: Well, it's with both. Laws can be interpreted in a lot of different ways, and the private security board has chosen to interpret this law very aggressively. Since the law can be interpreted in that way, there are problems with the law itself. The interpretations that the board has issued, is the reason that this case has come to our attention, because they say specifically that computer repair shops should be aware that if they offer to provide these services they've committed a crime. And that kind of caught our attention, so we started looking into it, and the law itself is problematic because it is subject to such a broad and aggressive interpretation.
NPD: Would it also affect network engineers performing network analysis on their own companies' computers?
Miller: Sure, and let's talk about that because, it is complicated and there is quite a bit of nuance. It kind of leads to how this applies to these guys. We've gotten calls from people who say, "Well, if somebody's switching out a hard drive, then that doesn't apply to them, right?" And the answer to that is, yes. It doesn't apply to them. But anyone who is analyzing data in a situation where that data points back to the actions of a third party - so, somebody who is not the computer's owner, or someone who is not the owner of the company - anytime a third party is implicated by data analysis, this law is potentially triggered.
What the board came back and did was, they said that any analysis of non-public computer data to determine the causes of events or the conduct of persons is what they're calling a regulated service. Of course, that is extremely broad. You know, for instance, if an employer went to a company and wanted to know how their employees were using the computer - that constitutes an investigation. The Board has said that when the service provider is charged with reviewing the client's computer-based data, for evidence of employee malfeasance and a report is produced that describes the computer related activities of an employee, it has conducted an investigation and has therefore provided a regulated service.
NPD: So, other than the lawsuit, is your organization taking any other actions?
Miller: We've obviously tried to bring this issue to light in the media. Because it is somewhat technical, we've had to educate the media on how this works. And they've been very responsive. But the primary vehicle we're taking here is this lawsuit and our goal is just to change the law. We're not seeking monetary damages, this is not a personal lawsuit - we're going to a judge and saying: "Judge, this is a bad law, and it stops our guys from practicing their profession - it stops a lot of people from potentially doing the things they do on a daily basis, and the law needs to be changed." So we're asking the judge to strike the law down.
NPD: Have you spoken to the author of the law? Rep. Driver?
Miller: We have not. We will do that in the due course of a part of our litigation, but we've not talked to him prior to filing this litigation.
NPD: What would happen if the judge does not find that the law is a bad law, but rather that the interpretation of the Texas Private Security Board was overly broad?
Miller: Well, in that event, then the board would be limited in the future in how they can enforce the law. And that would be a partial victory for our clients, because, if they were prohibited from enforcing the law against people who were just basically analyzing computer data in a way that was legal and that someone had asked them to analyze it, then obviously that would be a partial victory. The problem is that the law is still hanging out there, and it's going to be difficult for a judge to say that the interpretation is a problem without also saying that the law in which that interpretation is based is also a problem.
NPD: Well, is there anything else you wanted to add, anything that you think I've left out?
Miller: Well, again, I appreciate you interviewing me for this. The law is tricky, and the computer community just needs to be aware that anything they're doing that implicates third-party data or any reports they're producing for customers or for employers that says something about how a third party has used a computer is potentially regulated by this law. And they just need to be careful. We are working hard to have the law struck down in court, and we're moving as fast as possible on that, but in the meantime, people just need to keep an eye out and be aware of the issue.
Recently, a posting on Slashdot linked to a story from PC Magazine called “Texas PC Repair Now Requires PI License.” Obviously, this story has gathered tons of attention, and if strictly true, would have a major impact on IT departments across the state, if not the nation.
The law in question is Texas HB 2833, which is an updated collection of amendments to laws regarding private security services. It explains who, exactly, is required to get a private investigator’s license.
The controversial bit of the law in question seems to be this bit. The underlined part is what has been added:
SECTION 4. Section 1702.104, Occupations Code, is amended to read as follows: Sec. 1702.104. INVESTIGATIONS COMPANY.
(a) A person acts as an investigations company for the purposes of this chapter if the person:
(1) engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to:
(A) crime or wrongs done or threatened against a state or the United States;
(B) the identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person;
(C) the location, disposition, or recovery of lost or stolen property; or
(D) the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property;
(b) For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.
Because the law can be difficult to interpret, the Texas Private Security Bureau issued an opinion statement which clarified their position on this matter. The controversial statements there seem to be:
Computer Repair & Technical Assistance Services October 18, 2007
Computer repair or support services should be aware that if they offer to perform investigative services, such as assisting a customer with solving a computer-related crime, they must be licensed as investigators… [Text of law posted above.]
Please be aware that providing or offering to provide a regulated service without a license is a criminal offense. TEX. OCC. CODE §§1702.101, 1702.388. Employment of an unlicensed individual who is required to be licensed is also a criminal offense. TEX. OCC. CODE §1702.386.
and:
Computer Forensics August 21, 2007
First, the distinction between “computer forensics” and “data acquisition” is significant. We understand the term “computer forensics” to refer to the analysis of computer-based data, particularly hidden, temporary, deleted, protected or encrypted files, for the purpose of discovering information related (generally) to the causes of events or the conduct of persons. We would distinguish such a content-based analysis from the mere scanning, retrieval and reproduction of data associated with electronic discovery or litigation support services.
For example, when the service provider is charged with reviewing the client’s computer-based data for evidence of employee malfeasance, and a report is produced that describes the computer-related activities of an employee, it has conducted an investigation and has therefore provided a regulated service. On the other hand, if the company simply collects and processes electronic data (whether in the form of hidden, deleted, encrypted files, or otherwise), and provides it to the client in a form that can then be reviewed and analyzed for content by others (such as by an attorney or an investigator), then no regulated service has been provided.
… Consequently, we would conclude that the provider of computer forensic services must be licensed as an investigator, insofar as the service involves the analysis of the data for the purposes described above.
In order to clarify some of this and figure out what this would mean to both personal computer repair technicians and network engineers, analysts and system administrators, we contacted Texas State Representative Joe Driver, who authored the bill, Matt Miller at the Texas branch of the Institute for Justice, which has launched a suit against the Texas Private Security Bureau, and RonEarl Bowie of the Texas Private Security Bureau. We’ll have podcasts and transcripts available on this site soon.
First, Texas State Representative Joe Driver, Author of Texas HB 2833:
Editor Brian Boyko, at NPD: So, could you tell me a little bit about who you are and what you do in the Texas Legislature?
Rep. Joe Driver: Hi. My name’s Joe Driver, I am state representative from Garland, Sachse, and Rowlett area which is Northeast Dallas County. I’m the current chairman of the Law Enforcement Committee, and this is my eighth term.
NPD: How often are each of those terms, two years, four years?
Driver: Two years.
NPD: So you have 16 years of experience writing legislation. And you authored this bill, I believe it’s [Texas] HB 2833?
Driver: Yes, sir.
NPD: Now that's currently a bill, not a law, correct? Or has it been passed?
Driver: No, it's been passed. The governor signed it.
NPD: Let me just bring up the law right here - and I'm looking at it. It is "an act relating to the licensing and regulation of certain private security services." Could you tell me a little bit more about what this act was designed to do?
Driver: Basically, it was a clean-up situation for the Securities Act. We felt like we had to go in and clean some things up. Some of it was old stuff, some of it was new stuff, but basically we worked pretty hard to try to just get it so that it was easier for people to interpret and - you know, some things hadn't been changed for quite a few years, so we were going through it, trying to just basically do a real thorough clean-up, and it turned into what you'd call an omnibus bill which is basically something that encompasses a lot of different areas.
NPD: How has the law changed for people who practice investigative services?
Driver: Well, there's quite a few changes in there. I really truthfully couldn't go into all of it, I mean, it's a pretty good sized bill. Of course, the one that's - there's some area that's getting some, I don't know, "interest" out there, but I think it's interest that has been generated by a group of folks, and basically in their newsletter, they just opened a new chapter in Texas and decided to file a lawsuit. That's all in one sentence - so it sounds like they decided to file the lawsuit so they could bring some attention to their new chapter.
NPD: It does to me that the law... now, I am not a lawyer...
Driver: Me neither.
NPD: I am not a... um... pretty good reader of bills. So, what I wanted to know... The claim is that people who repair personal computers would need to get a private investigator's license in order to continue repairing computers.
Driver: Yeah, and that's what they're claiming. It's interesting that they're claiming all that, and they filed a lawsuit on the same day that they decided to open their Texas chapter. To me, I just felt it was a way they're getting a lot of free publicity, and a lot of free press, and free TV time and free radio time, because the bill to me, it says what it says. There's three words that describe somebody that repairs computers, and that's if people retrieve or provide information, and there's three words that somebody "reviews, analyzes, or investigates" that material, then, they do need to have some sort of security clearance because they're delving into people's private lives or private property on the computer.
NPD: The one thing that I noticed was that it seems very clearly that this is for personal computer investigators, like someone who does analysis to determine whether a crime has been committed or something has been stolen, or intellectual property has been violated. It doesn't seem to me that this would apply to people trying to just recover information for the person's wishes.
Driver: Right, and you're correct. You used one of the key words in my opinion, which is "analyze." "Review, analyze, and investigate" are the three key words, in my opinion, that drive the need for people to have some kind of license. Because if they're doing some of that, then they don't need to be - it doesn't need to be just anybody able to do that - they need to have somebody that has a security license. But if someone's just retrieving information and providing information for someone who is going to analyze, to use one of the words, then that's just a regular computer repair person. And those guys are great, they're good at what they do, and we never intended for them to get any kind of license other than have the ability to repair.
NPD: So, how do you think this came about - you mentioned that there was a new group - I think I may have a copy here of - are you talking about the Institute for Justice?
Driver: Yeah, yeah, that's them. Well, and I think - to me - that - I mean I've got something, I don't know if it’s a press release or just some information about them, but they actually said in here that they tell about how they're the "nation's leading litigators." They have a little cute name for them, and I thought I could think of that, but I'm not coming up with it. But, they basically said, "we fight for the rights of those violated by the government." And they're opening their new Texas chapter today (whenever this was written) by filing a lawsuit against the Texas Private Security Board. So they're kind of kicking off their opening - well, what better to draw attention to someone's opening than to get a lot of free press - they don't have to go out and advertise because - and I'm not criticizing you guys [the media] because, I'm just saying, that - to me, that's what they intended and that's part of what they did.
So. Lawyers can interpret, like you and I know, and we're not both, either one of us, luckily, they can interpret the same word three different ways if you get three different lawyers. And, I think that's what they decided to do here, and - to me, if someone reviews, analyzes, or investigates, they need a license. If they're just retrieving, providing or preparing information, that's what computer companies do, and as long as they want to do that, they're fine.
NPD: There is another possibility though - there is, - you wouldn't call them computer repairmen. There are people who work in enterprise networks, and we even have a term for it, "Network Forensics."
Driver: Like forensic scientists and all that stuff?
NPD: Not so much forensics...
Driver: That's the investigative part.
NPD: Not so much forensic scientists like a criminal forensic scientist. But for example, if a network is running slowly, not running at peak performance, there are tools that people can use to determine which computer may be slowing it down. Is it a virus - and that's all investigative work, but not investigative work related to criminal activity. It's just - so basically I'm wondering if maybe the law could have been written - not thinking about this possibility, and that maybe there might be some sort of loophole that needs to be amended. Does this just not apply to companies trying to improve their network performance?
Driver: Truthfully, you may be just a little bit out of my realm of comprehension on that, because, maybe that's something we need to look at tweaking, along those lines, to clarify that situation. We talked to lots of folks when we were writing this. Maybe we didn't talk to enough folks. But, as far as those types of things - maybe just a little bit far out of my comprehension on that. But the whole deal - like, if you have an IT person, (just cause that's all the terms I know,) IT person that somebody says, "Hey, we want you to delve into this person's computer, and find out what's going on." Well, if they delve into that person's computer, and - this is all I know about computers - and hands the information over to somebody else, then they don't need any kind of license because they're just doing their retrieving job. So, if the area you're talking about is different from that, you're probably out of what I understand and maybe something we have to look at.
But - anytime we do anything this massive, a lot of times there are areas of tweaking. But I just thought the coincidence of this particular group filing this lawsuit and bragging about filing the lawsuit on the day they opened their new chapter was just - coincidental and - because the intent of the bill was, as I've been saying, was, if you retrieve and provide information, you don't need a license.
Because I'm sure not trying to put anyone out of business. I'm a small business person, I would never do that!
NPD: What business do you run?
Driver: I'm in insurance sales.
NPD: What I'm wondering is if there is - like a specific exemption in the law that - most of these forensic investigators for network performance tend to be of one of two types - the first time is that they're in-house, and that the company hires these people to do this job on the computers that the company owns. And if there's a specific exemption for investigative work on material that you own yourself. And the second, sometimes the people are hired by the company as a separate company - not direct employees, but outsourced. Is this something that might be protected under the law even if it falls under the "investigative" arm?
Driver: If it falls under the investigative arm, probably not, but I - I don't know about what you're describing to really comment more than that. I mean, I wish I did. But in this particular case, I don't. It's just a little deeper into the computer world than I know about.
NPD: You don't foresee legis-- any activity... what's the word I'm looking for...
Driver: A future bill, maybe, corrective measures, tweaking, something along those lines?
NPD: I was actually thinking of enforcement against-- you don't see this possibly being enforced against..
Driver: I don't. I don't. I really don't. I don't see - and then again, and it may be something that we may need to look at. And we may have somebody else look at it. Every time we have something like this come up we have people that want to tweak it just a little bit or change it just a little bit. And I'm not hardcore set against it. If it's causing somebody problems then we ought to change it. I don't foresee it doing that but, I don't know. I mean, I really don't think it is. But if we find out that it does, that's what we're there for, to make sure it's written correctly and if it's not, we're going to change something a bit to make it right. Cause we're not after anybody, that's for sure, except the people that are doing investigative service for a living and yet, they don't want to bother with having - giving any kind of background or being qualified or licensed in any way.
NPD: That's pretty much all the questions I had.
Driver: Well, I wish I could have given you better answers. I think I kind of danced around one that - just because I don't have enough knowledge.
NPD: Don't worry about it - I'm not saying that - we're getting into some technical stuff. This isn't even a technical bill.
Driver: Not in intent, anyway.
NPD: History's full of bills that had to be amended after the fact because of something.
Driver: Well if you find out more information about it and found we really need to do something about it, call me back, and we'll get back in session, maybe we can use you for a little information, as far as how to do it right.
In a few minutes, Jim Metzler of Ashton, Metzler, and Associates, will be delivering his keynote on the Next Generation NOC at NetQoS Symposium 2008 at Barton Creek Resort in Austin. Last week, we pre-recorded a podcast with Dr. Metzler regarding the speech he is about to give and what he means by a "next generation NOC."
He talks about the changing role of the NOC and moves in enterprises towards integrating what were once separate stovepipe functions to focus on application delivery.
Today, in this podcast, we speak to Dr. Jim Metzler at Ashton, Metzler, and Associates regarding his handbook, "The Handbook of Application Delivery 2008" and his upcoming keynote speech at NetQoS Symposium 2008.
We've recently covered Bell Canada throttling P2P service. Today, in this podcast, we speak to Professor Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, regarding the controversial move by Bell Canada to use traffic shaping on wholesale service providers.
A transcript of this podcast will be provided at the earliest opportunity.
Thanks to the latest Die Hard movie, I'm still fighting the urge to unplug my microwave to foil hacker attempts. Thanks to the U.S. government, however, we have a new line of defense against kitchen appliances of mass destruction.
The U.S. government has set up a new command center in the Air Force called Air Force Cyber Command or AFCYBER. Here's the summarized mission of AFCYBER, according to Air Force Secretary Wynne:
"The aim is to develop a major command that stands alongside Air Force Space Command and Air Combat Command as the provider of forces that the President, combatant commanders and the American people can rely on for preserving the freedom of access and commerce, in air, space and now cyberspace."
There are real threats; Estonia came under attack from hackers back in April of 2007. And in September of 2007, the U.S. Defense Department said that the Chinese military hacked into a Pentagon computer network.
It's hard to tell exactly how much damage a hack into U.S. computers could do because the Pentagon isn't exactly forthcoming with information on this. A plausible scenario would be a Chinese hacker gaining knowledge about U.S. troop movement. (A much less plausible scenario would be a teenage hacker who is looking for a game company accidentally, through a back door left by a programmer who left the project years ago, activates an AI which then seeks global thermonuclear war under the pretense that it cannot distinguish between a gamed scenario and reality.)
From a network monitoring and management perspective, AFCYBER will bring a whole new level of opportunities and challenges. How exactly do you monitor the United States network? What is the United States network? There are obviously some critical assets (White House, Pentagon, Capitol, etc.), but how many "cyber security holes" exist between critical infrastructure and those who want to attack critical infrastructure? Don't we all share some connectivity medium at some level?
It gets even more interesting on the offense front. Are you confident enough in your network management/security monitoring tools to launch a missile attack on an offending host? False positives take on a whole new meaning.
If you have answers or insights, I'd love to hear them. Otherwise, I may never microwave again.
Recently, Network Performance Daily did a story on the Cisco Nexus 7000 switch, which had recently been announced by Cisco and will likely be a very important piece of enterprise hardware.
After our article, Douglas Gourlay, the Senior Director of Marketing and Product Management of Cisco's Data Center Business Unit, contacted us and pointed out that we were mistaken about some of the capabilities of the Cisco Nexus 7000 and so we invited him to do this podcast with us.
Ben Erwin, product manager at NetQoS, quickly explains the impact of WAN Optimization on TCP-based Applications in a short video, kicking off our "Whiteboard Series."
If you have questions about the video, please leave a comment below and we'll do our best to answer them.