In December 2000, the US Congress passed the Children's Internet Protection Act (CIPA). This Act requires all schools in the US to use content filtering technology to prevent students from accessing certain types of data from the Internet. The passing into law of this Act provoked strong criticism from the American Civil Liberties Union and the American Library Association, on the ground that it constituted a violation of Americans' right to freedom of speech.

The contention aroused by the CIPA was exacerbated by a lawsuit brought in 2004 in which the defendant could conceivably have faced up to 40 years in prison. The defendant, Julie Amero, had been teaching as a substitute teacher at Kelly Middle School in 2004. On the day of the incident, the teacher for whom Ms. Amero was substituting, Matthew Napp, helped her to log on to the class computer; Mr. Napp warned Ms. Amero not to switch the computer off, as he would be away all day and would not be available to help her log back on. After using the computer for a while, Ms. Amero allowed the students to begin using the computer. While one of the students was using it, a pornographic image suddenly appeared on the screen. Ms. Amero immediately covered the screen and told the student to switch the computer off.

The prosecutor who brought the case against Ms. Amero claimed that, for the pornographic image to appear, she must have clicked on a link to a pornographic website; he suggested that Ms. Amero had deliberately shown the pornographic images to the student. Ms. Amero's supporters claimed that the school's Internet protection measures were inadequate, that the computer had been infected by spyware or adware, and that the pornographic images were pop-ups generated automatically by that malware.

Leaving aside the question of what the facts were in this particular case, if one assumes that Julie Amero was in fact innocent, then this case raises several important questions.

The CIPA is closely linked to the E-Rate program designed by the Clinton administration. The E-Rate program provides subsidized Internet access for schools, libraries, and healthcare facilities in rural areas. The subsidies are only available to those schools that can demonstrate that they are using content filtering technology and have a suitable content filtering policy in place. The basic idea behind this "carrot and stick" policy is to get educational institutions to take responsibility for information security; at the same time, the program has created business opportunities for vendors of content filtering software. On the face of it, this would seem to be a very sensible policy.

The Julie Amero case has shown that, in the field of information security, besides the longstanding problems of technical and managerial failings, the judicial authorities' inadequate understanding of information security issues also gives cause for concern. More generally, the implementation of information security legislation and regulations often creates results that are significantly different from the original goals of the legislation in question. Business enterprises and other organizations establish complex codes and detailed penalties relating to information security issues, but then, when an incident occurs, it can be very difficult to decide whether the penalties should actually be imposed. Given the ubiquity and growing seriousness of information security threats, it is questionable whether laws and regulations of this type can have any real deterrent effect. To achieve a meaningful deterrent effect, very large numbers of people would need to be prosecuted, in which case it is highly likely that many of the people involved would be innocent victims of a miscarriage of justice.

On the other hand, if the people working in an organization know that the information security policy is merely a dead letter, then the natural human tendency to take the easy way out will result in security being sacrificed for convenience. Perhaps more than any other aspect of information technology, information security is difficult to implement properly, and presents great difficulty in demonstrating whether significant results have been achieved.

(Liu, Pei-Wen is Deputy Managing Director of the Project Resource Division, E-mail: pwl@iii.org.tw)