SHARE SESSION REPORT

SHARE NO.: 61
SESSION NO.: M311
SESSION TITLE: Trans Border Data Flow (International Information Environment)
ATTENDANCE: 65
PROJECT: Security (SEC)
SESSION CHAIRMAN: O. Lee Hurtt III
INST. CODE: SSI
SESSION CHAIRMAN'S COMPANY, ADDRESS, AND PHONE NUMBER: Company Service, Inc., 64 Perimeter Center E., Atlanta GA 30346 (404)
SPEAKER: Harry B. DeMaio, Director of Data Security Programs, IBM Corporation, Old Orchard Road, Armonk, NY 10504
The Security Project is pleased to present Mr. Harry B. DeMaio as the Speaker
for this session. He is the Director of Data Security Programs for the IBM
Corporation. He is especially well qualified to speak upon this subject because
of his knowledge and experience.

Harry DeMaio joined IBM in 1956. He has held a series of management positions
in marketing, systems engineering and development. As Director of Data Security
Programs, he has worldwide responsibility for ensuring that all IBM divisions
have appropriate plans and product offerings to support customer requirements
for systems security, auditability and systems management.

He is also responsible for directing IBM representation worldwide to individual
national governments, intergovernmental agencies, the media, industry and
professional organizations on the issues of computer systems security,
auditability and systems management as well as the broader social issues of
privacy protection and international information regulation.

He is a member of the State Department Advisory Committee on transborder data
flow, as well as the International Chamber of Commerce and CBEMA committees on
transborder data flow.

This subject is of vital importance to all organizations conducting business in
the international market. As Mr. DeMaio notes, the flow of information is the
essential element of this topic. Thus, he develops his theme on the
International Information Environment.

ABSTRACT

Discussion of the International Information environment in this briefing paper
is divided into its component issues. Each issue is treated in overview
fashion with national and international illustrations provided, and several
additional policy recommendations which do not readily fit into the individual
issue discussion are provided.

This paper is by no means a comprehensive catalog of issues or experiences. It
does try to highlight the principal areas of debate. Recent history indicates
that the relative importance of current issues will change and new issues will
emerge with some frequency.




The increasing acceptance of the phrase "International Information Flow" over
"Transborder Data Flow" reflects the broader nature of the issues and
constituencies involved. "Information" covers a much wider spectrum of usage
and policy involvement than the word "data" which is usually interpreted as
"technical or business data." Since "information" can take on many more forms,
it therefore serves a much wider user base and involves many more providers and
sources. Similarly "transborder" focused attention exclusively on the movement
of information across national boundaries. However, many of the components of
this issue involve the ability of international companies and other
organizations to use locally generated information and facilities within the
boundaries of a given country.

The component issues of International Information Flow have been categorized a
number of different ways in the past and specific situations often fit more
than one category. However, it has now become commonly accepted in national
and international policy discussions that IIF has the following
characteristics:

(I) Protection of Human Rights - primarily the privacy issue
(II) National Security
(III) Economics
(IV) Political & Cultural Integrity

Involved in each of these categories are a number of interest groups.

(a) Information suppliers
(b) Information equipment and services suppliers
(c) Telecommunications providers
(d) Users of all or some of the above
(e) National and international regulatory and legislative bodies
(f) National and international standards, and similar cooperative bodies

Obviously any given organization, institution or government may at any given
time fit more than one of these interest areas. This may in turn create
conflicting objectives and perspectives for that government or institution.

The Privacy Issue - In Europe, the term "transborder data flow" originally
emerged from the desire of countries having privacy legislation to protect
sensitive personal data moving outside their boundaries to the same extent that
it was protected inside. This "data protection" emphasis resulted from a
belief that computers and telecommunications, with their ability to collect,
manipulate and transmit high volumes of information rapidly and inexpensively,
represented a unique threat to personal privacy. This approach resulted in an
emphasis on protecting sensitive information in electronic form but said
relatively little about that same information in so-called manual form. It
also placed the government in the position of regulator, registrar (or
licensor) and inspector of sensitive files. The European approach differs from
U.S. policy perceptions in at least four areas:

(a) U.S. reliance on voluntary self-regulation by information owners and
users to the greatest degree possible;
(b) U.S. concern for protecting sensitive information in any form rather
than computerized information only;
(c) Individualized U.S. legislation (federal and state) which is tailored
toward the specific characteristics of individual sectors where
control is deemed necessary (e.g., medical, banking or credit,
government, employer-employee) as opposed to the blanket coverage of
the European model;
(d) U.S. reliance on the courts to provide redress for actual abuses
rather than an anticipatory licensing structure.

In view of these differences, the establishment of a worldwide agreement has
been difficult. There are two international instruments at the moment: the
Council of Europe Treaty, which has been initialed but not yet ratified by
member states, and the OECD Privacy Guidelines. While both documents are aimed
at creating a common denominator of harmonization, the OECD Privacy Guidelines
are more compatible with the U.S. approach since they are more cognizant of the
value of voluntary compliance. The private sector in the U.S. has responded
favorably to a request from the Department of Commerce for endorsement of the
guidelines.

There is another element in European privacy legislation which needs some
explanation: the concept of protecting the legal person. In several
countries, the legal person (corporations, partnerships, organizations, etc.)
is specifically covered by additional provisions of the legislation. This
means that with a few exemptions all files and applications dealing with
sensitive information (e.g., credit ratings, performance, quality) about
vendors, customers and competitors must also be licensed or registered and are
open to inquiry by the data subject. Austria thus far has gone the furthest to
comprehensively implement the legal person program. Certain European service
bureau offerings were delayed in Austria while determination was made of what
protection and registration responsibilities rest with the data owner and user
(the customer) and with the caretaker (the service provider).

There has been some comment made about the possibility of the legal person
being used as grounds for government fishing expeditions into corporate
business data. Thus far, we know of no experience to directly bear out this
concern, but the overall experience base is very small indeed. It is our
expectation that most future legislation will contain legal person provisions,
at least in Europe.

Is privacy an exhausted issue? No. First, there remains a substantial number
of countries, European (e.g., U.K., Italy) and non-European (e.g., Japan and
most of South America) which are just considering or have not yet begun to
consider privacy legislation. Secondly, most privacy laws leave a great deal
of discretion to the licensing bodies and, therefore, the privacy policy of
most governments is still only partially described or understood. Third,
several countries are working to revise their legislation (Sweden and Germany).
Finally, there are additional proposals for stronger international instruments
coming from within the European Parliament and the Council of Europe which,
while not imminent, still cannot be ignored.

Proponents of the existing legislative and regulatory structures for data
protection in Europe argue that the burden of compliance on corporations and
other institutions has not been insurmountable and relatively few files have
been restricted or refused licensing. What is not clear is how much additional
protection has resulted from these activities. Unfortunately, that
measurement is probably impossible to develop. However, there have been some
cutbacks in the administrative support for the Data Commissions in several
countries indicating that the governmental cost has exceeded expectation or may
not be sustainable in the face of current economic conditions.

In short, while U.S. privacy laws and policies will continue to require
clarification and explanation in world forums, we do not believe there is a
requirement for fundamental change.

National Security - It should be obvious as we progress through this analysis
that the lines of demarcation between categories are very dim and ill-defined.
National security and economics are good examples of this definitional problem.
While there is little argument that sovereign governments have the right and
obligation to defend their citizens, the use of national security in IIF
discussions has gone well beyond the traditional concepts of national defense.

In the context of U.S. national security, DoD restrictions on technology
It

implications of such a system are profound indeed, but thus far have been
explored very little. In 1981, the OECD sponsored a conference to examine some
of these characteristics. Fortunately, the atmosphere at the conference was
primarily one of information professionals seeking to improve the state of the
protection art. There is still a great deal to be done in the area of systems
protection. The computer and telecommunications industries in general have
been responsive to requirements. It is our belief that broad-based
standardization and government licensing in this area are not conducive to
optimum security. This is an area in which responsibility is shared by a broad
spectrum of users and suppliers. Much of the solution is
non-technical--dealing with personnel, organization structure and end-user
responsibility. Government encouragement and sponsorship of research and
education in this area are important. Licensing and restrictive control on a
broad basis is impractical and potentially destructive.

Brazil, the other primary example of a national security view, leads ultimately
into the category of economics. Brazil has taken the approach that its
information policy should be driven toward minimizing external dependency for
all forms of information support. This policy has economic motivation; e.g.,
balance of payments and growth of indigenous industry, but it also has the
security motivation that no external agency, nation or company will be capable
of impacting Brazil through deprivation of technology, equipment and parts,
software or information itself. Therefore, new equipment and software
purchases from outside Brazil require government approval. Approval is based
primarily on lack of a Brazilian capability to supply a similar function. The