Work with federal information systems? Responsible for risk management, continuous monitoring, or FISMA compliance? Check out my book: FISMA and the Risk Management Framework.

Wednesday, September 29, 2010

Conflicting rulings leave open debate on privacy protections for social network data

In June, we noted with interest a California federal district court ruling in Crispin v. Christian Audigier that provided an interpretation of the status of social networking sites under the Stored Communications Act (18 U.S.C. §121) that found that Facebook, MySpace, and other services should be considered "electronic communications services" under the definition in the SCA, and used that determination to quash several subpoenas issued in a copyright infringement case that sought the disclosure of private messages, user posts, and other information communicated by a user of the sites. As electronic communication services, social network operators are prohibited under the SCA from disclosing "to any person or entity the contents of a communication while in electronic storage by that service" (18 U.S.C. §2702(a)(1)). Where the SCA provides several legal avenues by which government entities can request the disclosure of such information, parties to civil suits such as the one in this case have no such standing, and the subpoenas issued in this civil matter therefore did not provide a means to overcome the statutory restricts on disclosure.

In marked contrast to the district court ruling, the New York Supreme Court last week issued a ruling that ordered an individual's Facebook and MySpace postings to be provided as discovery in a civil lawsuit. The judge in this case, Romano v. Steelcase, did not consider the constraints imposed by the SCA at all, despite the statute being cited as justification for refusing disclosure. Instead, the majority of the legal reasoning in the ruling addresses the scope of permissible discovery under New York State law and the extent to which the social network site user has a reasonable expectation of privacy with respect to content posted to their profile pages. The judge's determination that the user does not have such an expectation of privacy was the result of applying prevailing Fourth Amendment doctrine, despite the fact that party seeking the disclosure is not a government entity, but a corporation. The New York court also apparently chose not to take into account the privacy settings Romano had in place for her accounts, possibly because those settings already permitted some potentially relevant information to be publicly accessible.

Courts trying to apply the provisions of the SCA, which was enacted in 1986 as part of the Electronic Communications Privacy Act (ECPA) and modified in 1994 through the Communications Assistance for Law Enforcement Act (CALEA), often seem challenged to fit the law to suit issues arising with more modern technologies and services. For its interpretation of SCA, the court in the Crispin case relied not only on precedents from judicial rulings (including the Ninth Circuit opinion in Quon v. Arch Wireless) but also on books and relevant law journal articles from professors with expertise in this area of the law. In its analysis of the applicability of the SCA, the district court considered both private messages send through the social networking sites and posts on user pages (like a user's Facebook wall), analogizing the former to web-based email and the latter to non-public electronic bulletin boards, and thus managed to tie contemporary Internet services to logical technical equivalents that were in use at the time the law was passed. That potential sign of progress notwithstanding, the order in the Romano case prompted a Wall Street Journal Online blog post that offered a cautionary note to New York residents not to assume that anything they post to social networking sites is protected from discovery.

Tuesday, September 28, 2010

Supreme Court to hear corporate challenge to FOIA based on "personal" privacy

The United States Supreme Court today granted a petition of certiorari filed by the federal government, seeking to overturn a ruling by the 3rd Circuit Court of Appeals that allowed AT&T to prevent the disclosure of documents held by the Federal Communications Commission (FCC) related to a 2004 investigation. The release of the documents was sought by telecommunications trade association CompTel, through a request made under the Freedom of Information Act (FOIA, 5 U.S.C. §522). In seeking to block the disclosure, AT&T has argued that releasing the documents would result in an invasion of personal privacy, and therefore renders the disclosure requirements in FOIA inapplicable. The argument hinges on AT&T's contention that as a corporation it is a "person" in the legal sense of the term, and so should enjoy the same protection from invasions of privacy that individuals do. The Circuit Court accepted AT&T's interpretation of "person," noting that the company's position is fully consistent with definitions in the U.S. Code — Title 1, for instance, states that "the words 'person' and 'whoever' include corporations, companies, associations, firms, partnerships, societies, and joint stock companies, as well as individuals" (1. U.S.C. §1).

Given the statutory language, it's hard to argue with the reading or the consideration given by the 3rd Circuit, although that interpretation is the sole question presented in the government's petition:   "Whether Exemption 7(C)'s exemption for 'personal privacy' protects the 'privacy' of corporate entities."  Aside from its inclusion in Title 1, similar definitions for "person" appear in other statutes, such as the one used in the context of wire and electronic communications:  "'person' means any employee, or agent of the United States or any State or political subdivision thereof, and any individual, partnership, association, joint stock company, trust, or corporation" (18 U.S.C. §2501). The administration has argued that, at least with respect to FOIA, AT&T's actions to block disclosure is the first time in the history of the law that the personal privacy provisions have been applied to a corporation. That fact notwithstanding, where literal interpretations of U.S. laws do not give any indication that Congress intended to have the law applied in a way other than what the law says, federal courts in general and the Supreme Court in particular have historically been unwilling to re-interpret statutory language unless is it too ambiguous to be applied consistently. Ambiguity does not seem to be at issue here, but rather whether the statutory language matches the intent of the legislation; such discrepancies are rarely resolved by the Court, which prefers to leave it to Congress to revise its legislation if its use as enacted subverts the purpose of the law.

Identity theft from hospital records violates more than HIPAA's Howard Anderson and others last week covered an indictment filed in Pennsylvania against a man who allegedly used his authorized access (as a hospital employee) to patient records to steal names, dates of birth, social security numbers, and other personal data from patient health records and using them to file false tax returns. Much of the reporting on the incident has focused on the HIPAA violations of the alleged actions, the HITECH-strengthened criminal and civil penalties for which could theoretically result in millions of dollars in fines and a lengthy prison sentence. While the HIPAA-based prosecution is certainly noteworthy, the facts of the case as reported in the media suggest that the man has likely also violated federal and Pennsylvania identity theft laws, including the Identity Theft and Assumption Deterrence Act and section 4120 of the Pennsylvania Crimes Code (18 Pa. Cons. Stat. §4120), and could therefore be subject to additional charges and penalties under the authority of the FTC and other government agencies. Under enhanced civil and criminal enforcement provisions enacted with HITECH, the potential clearly exists for prosecutions for HIPAA violations to become routine, in market contrast to the almost complete absence of such prosecutions under HIPAA in the past.

Wednesday, September 22, 2010

Health data privacy remains a key factor in slower U.S. adoption of EHRs

A newly released paper by four academic researchers comparing electronic health record adoption in the United States and European Union concludes that concerns over privacy of health record data remain the key obstacle to broader EHR use in the United States. The paper, "Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared," co-authored by Wade Chumney of Georgia Tech, Janine Hiller and Matt McMullen of Virginia Tech, and David Baumer of North Carolina State, assesses the legal privacy protections in place for health information in both the US and EU, and attribute the much greater penetration of EHRs in many European countries (such as Holland, where nearly all residents have EHRs) to the stronger privacy regulations. Specifically, the researchers point to a notable lack of public support for health IT such as EHRs in the United States, and key differences in legal and policy approaches to data privacy in the US and EU, where the American stance is seen as more reactive compared to the EU's proactive approach. The recommendations in the report include suggestions that US health data privacy laws be strengthened (beyond the impact of HITECH on HIPAA) in areas such as giving a private right of action to individuals who suffer from violations of privacy laws, implying that affording redress rights to individuals would help overcome privacy-driven reluctance about using EHRs. It remains to be seen whether the Department of Health and Human Services' Office for Civil Rights, has the resources and resolution to follow through on its stated intentions to more vigorously and proactively enforce federal health data privacy and security regulations, and if so, what impact stronger enforcement might have on public perceptions about data privacy in healthcare.

While it's hard to argue against implementing better protections for health data and stronger enforcement of current privacy laws, greater efforts are also needed to educate consumers (and healthcare providers) about health IT and its capabilities. In a blog post published on Tuesday, MEDecision's Eric Demers warns that excessive fears about health information privacy threaten to needlessly slow EHR adoption, a situation that could be avoided with a combination of better enforcement of existing legal safeguards like those under HIPAA overseen by HHS' Office for Civil Rights, and with broader education of consumers about the strength and effectiveness of existing EHR security. When available security mechanisms are actually implemented and configured correctly, it is probably true that the risk of loss of confidentiality or integrity for electronic health record data is commensurate with online retail or banking, as Demers suggests. But if a consumer's data is stolen in those domains, there is typically very little loss incurred (with the obvious exception of cases where the stolen data enables identity theft), because laws and business practices in e-commerce and banking mean that the businesses shoulder all the financial burden, so the customer is rarely if ever hurt out of pocket. This is not the case for health data, or more importantly perhaps it is not perceived to be the case, as people seem to take think the loss or theft of their medical record data is much more dire than losing some personal financial information. Also, the personal data associated with retail and banking transactions is not nearly as sensitive (to most people) as their health data is — it's trivially easy to change an account number, get a new credit card, or restore stolen funds. What this may mean is that EHR vendors and health care users of health IT may need to convince people that health data privacy and security protections are more robust or provide better protection than controls in situations with which they are already familiar.

Monday, September 20, 2010

Questions to consider about GPS data, location tracking, and privacy expectations

The previous post looked at some of the variable and as yet unresolved factors that may help determine how and under what circumstances GPS location data may be used for investigations by law enforcement personnel, with or without a warrant. As should be abundantly clear to anyone reviewing the recent and often conflicting or inconsistent judicial rulings on the collection and use of location data (GPS-based or otherwise), privacy expectations and the corresponding applicability of the 4th Amendment or any of the variety of statutory regulations relevant to such data may depend on the specifics of a given situation. One way to think through these scenarios is to consider key characteristics that incorporate (or exclude) current regulations or legal precedents, by asking questions such as the following.

Is the collection and use of GPS data a search?
The accepted legal standard for determining the applicability of the 4th Amendment protections against unreasonable search and seizure was established in a concurring opinion by Justice Harlan in United States v. Katz. Under this standard courts can determine whether an asserted expectation of privacy is reasonable by considering both the extent to which the individual's exhibits an expectation of privacy, and whether society recognizes this expectation of privacy as reasonable. In many formulations this two-part test addresses both subjective (the individual's) and objective (society's) expectations, and unless there is agreement between the two, no reasonable expectation of privacy can be said to exist. When considering GPS data in particular and location-related information about an individual in general, there is still some debate as to whether an individual's assertion of privacy regarding their own movements is reasonable. In the recent 3rd Circuit finding that rejected a magistrate judge's refusal to approve a government request for cell site location information, the court decided (contrary to the magistrate judge's finding) that the location of cell towers to which an individual's cell phone connects could be considered to be a part of the wireless service provider's record, and was therefore information that cell phone users willingly disclose to third parties (wireless providers) and hence could not be considered private information.

What sort of GPS device is in use?
There are two contexts in which the nature of the GPS device becomes relevant. Most important is whether the GPS device can be used to track the location of an individual, rather than an object (such as a car or container), but a related consideration is whether the device itself can be considered to be a tracking device. While it may seem obvious that the use of GPS would be consistent with the use of a tracking device, there are plenty of GPS receivers on the market that do not communicate the user's location beyond displaying it on the device's screen. In contrast, GPS location capabilities associated with cellular phone handsets or, for example, auto industry services such as LoJack or OnStar operate in such a way that they first receive geographic positioning information for a given location, then communicate that location data either to the service provider or directly to law enforcement personnel. The reason the distinction is important is because there are existing legal restrictions on gathering data from tracking devices — most generally, rule 41 of the Federal Code of Criminal Procedure requires a showing of probable cause in order to issue a warrant so that a tracking device can be used. The Supreme Court's ruling in United States v. Knotts was a departure from this procedural standard, but one which the court justified because the placement of the GPS tracking device and the movement that was tracked occurred in public settings. For law enforcement personnel to gain access to GPS location information about a cell phone, without obtaining a warrant, presumably the location data being sought could only correspond to public locations — that is, places where visual surveillance would be feasible.

Who is collecting the GPS data?
The discussion about who is on the receiving end of the data as it is gathered boils down to whether the data being sought (typically by the government, with or without a court order) will be transmitted directly to government agents such as law enforcement personnel, or whether the data is already collected by a third party, typically in the course of routine business operations. Generally speaking, current attention is focused on "electronic communication service" providers (there is a specific legal definition for that term established by the Electronic Communications Privacy Act), who are the explicit subject of the Stored Communications Act (Title II of ECPA). The legal history is longer and a bit harder to navigate than ECPA alone, as ECPA served to amend the Ominibus Crime Control and Safe Streets Act of 1968, and the statutory provisions such as §2703 codified in Title 18 of the U.S. Code were further modified in 1994 by the Communications Assistance for Law Enforcement Act (CALEA). The general intent of these provisions is to provide legal assistance for law enforcement investigations in the form of communications records held by service providers. The net result where location data is concerned (if in fact location data is considered to be part of service provider records) is that it is generally more straightforward — in the sense that they need to satisfy less stringent legal requirements — for law enforcement personnel to get data in records maintained by service providers than it is for them to act as the primary collector of the data.

In what locations is the individual when GPS data is collected?
Supreme Court precedents focus specifically on whether location data can be used to pinpoint individuals within their homes, as gathering data related to just about any type of communications within the confines of a private residence ordinarily requires a warrant. In United States V. Karo the Court held that the use of a tracking device (a beeper of the same sort used in the scenario involved in Knotts) to determine the presence of the device (in this case, placed inside a chemical drum) inside a residence was an unreasonable search and therefore required a warrant. With somewhat similar reasoning, in Kyllo v. United States the Court ruled that the use of a thermal imaging device that allowed law enforcement personnel to gather information (in this case, temperature) inside the home violated the occupants' reasonable expecation of privacy. There has been some technical debate as to just how accurate GPS tracking data (and, for that matter, cell site location information when triangulation is used) is in terms of pinpointing the location of an individual, as well as the effectiveness of GPS tracking when the device in question is indoors. Technical questions aside, it seems logical based on past legal precedent that using cellphone-based GPS data to track individuals is likely to require a warrant if the historical or future monitoring timespan will include periods when the subject will be in their home.

What type of data is being sought?
There is an important legal distinction between the contents of communication and the data in the records about the communication. Where contents are sought, the legal requirement is clear that a warrant is needed, whether for historical or prospective communications. In contrast, various laws and legal interpretations have held not only that record data about communications should be considered separately from the contents, but in many cases that individuals can have no reasonable expectation of privacy about the information contained in such records, because they willingly share that information with service providers or other third parties who enable the communications to take place. Examples often cited for telecommunications services include the originating and terminating telephone numbers at either end of a call (wired or wireless), or sender and receiver of a text message or email. The privacy analogue is postal mail, where the destination address (and by convention if not requirement the sender's return address) on an envelope are disclosed to the postal service in order to enable successful delivery of the mail, but the contents inside the envelope remain private, even from the postal service personnel to whom they are entrusted. Where GPS location data is concerned, it's not that anyone has argued that location data is communication contents and therefore should remain private, but neither is there agreement that location data is unarguably among the information that the service provider needs, especially given that providers do not only use location data in order to enable communication transmissions, but store historical location data over time. It might be interesting to see the response to an argument that concedes that cell site location information is necessary for routine telecommunications operations, but challenges the relevant or need for GPS data collection in addition to cell site data.

What period of time does the GPS data cover?
The D.C. Circuit in its Maynard ruling is the only court so far that has drawn a distinction between short-term and long-term GPS tracking. The investigation in question in that case relied on first placing a GPS tracking device on the suspect's vehicle and they following his movements over four weeks to establish patterns indicative of his participation in drug trafficking. Given the appellate court's ruling, it seems likely that law enforcement personnel would be wise to seek a warrant before engage in prolonged monitoring or tracking using a GPS device. It is not at all clear that the government could succeed at all in a §2703(d) application to a magistrate judge or other authority seeking historical GPS information — such as from a wireless service provider — but if the request sought data covering more than a very short period of time, the precedent set by the D.C. Circuit would strongly suggest that a warrant is needed.

Friday, September 17, 2010

Can GPS be used to track your movements, without a warrant? That depends...

The 4th Amendment implications of location-based data have been a topic of active discussion, prompted in part by two recent federal Circuit Court rulings, and to a lesser degree by some outspoken opinions made both in concurrence and dissent to these and other court rulings, and a number of legal interpretations offered by law professors (including some who filed briefs in the cases in question) and other analysts about the most appropriate interpretation of the text of the 4th Amendment itself. These opinions add to ongoing discussions of several laws addressing law enforcement and government behavior with respect to 4th Amendment searches and seizures, and analyses of both legislative intent and judicial reasoning when trying to apply these constraints to relatively recent technologies like GPS that weren't considered when the laws or legal precedents were established. The divergence of several federal Circuit Courts on matters central to this debate raises the likelihood that the Supreme Court will need to weigh in on the issues, although it is entirely possible that a case that makes it to that level will involve cell phone tower location information or other data collected in the course of modern provision of telecommunications services, and not GPS data per se.

In August, the D.C. Circuit reversed the conviction of an alleged drug trafficker on the grounds that the installation and monitoring of a GPS tracking device — placed on the man's vehicle without a warrant — over a continuous four-week period constituted a search and violated the suspect's reasonable expectation of privacy. This ruling ran counter to opinions from multiple other federal courts involving investigatory vehicle tracking without a warrant, all of which rely on the Supreme Court's ruling in United States v. Knotts, which said that using a tracking device to monitor travel on public roads is no different than visual surveillance and therefore did not require a warrant. While this D.C. Circuit case is notable primarily for its departure from the Knotts precedent, the facts of the case place the issues the court addressed within some narrowly defined situational boundaries that leave many key 4th Amendment questions unanswered. Specifically, the GPS device used in the investigation was affixed to the bumper of the defendant's car, and transmitted location data directly to law enforcement personnel. This meant that the GPS location data did not extend inside any buildings or particular locations (especially the defendant's home), and there was absolutely no question (as there is in analogous investigations involving location data from cellular telephones) as to whether the GPS device in question should be considered a tracking device.

In a case with somewhat different facts but which raises many of the same key issues, the 3rd Circuit filed a ruling last week regarding an ex parte application by the government seeking to obtain cell site location data about a cell phone subscriber from the subscriber's wireless service provider. The government in this instance sought access to historical cellular phone location information from the service provider under the terms of the Stored Communications Act (specifically, 18 U.S.C. §2703(d)), a legal standard which enables investigators to compel disclosure of subscriber records without obtaining a warrant. The magistrate judge who considered the government's original request denied the request, but upon appeal the 3rd Circuit vacated the magistrate judge's decision and remanded the government's application for reconsideration by the magistrate court, with instructions to follow the opinions expressed in the Circuit panel's ruling, which in essence rejected the original reasoning used by the magistrate judge to deny the government's application. Among the questions considered in this appeal were whether the use of cell tower location information should equate to the cellular telephone being categorized as a tracking device, and whether wireless subscribers can have a reasonable expectation of privacy with respect to such location information. In direct contrast to Maynard, in this case there was no GPS data involved (although the government gives every indication that it believes it could seek GPS location data in the same manner) and the location data was collected by the service provider in the course of normal operations, not by the investigators. Consistent between the two cases are that the data in question covers an extended period of time, and at least according to the government's contention (technical accuracy of the claim notwithstanding), the specificity of the location data is not such that it would unquestionably extend within the confines of a subscriber's home.

Looking at several former and recent federal court rulings in the aggregate, whether or not GPS location information can be acquired and used by law enforcement depends on several factors. To determine whether getting access to GPS data about an individual without a warrant is constitutional, you have to consider several key questions:
  • Is the collection and use of GPS data a search?
  • What sort of GPS device is in use?
  • Who is collecting the GPS data?
  • In what locations is the individual when GPS data is collected?
  • What type of data is being sought?
  • What period of time does the GPS data cover?
Only the Maynard ruling (so far) has directly addressed the use of GPS tracking devices, and in that case the device was physically placed on a vehicle. A more interesting question would be how the laws and court precedents are interpreted when the government seeks GPS data transmitted by cellular telephones. In such a hypothetical instance it's hard to imagine a credible argument against considering a cellular phone to be a tracking device (the 3rd Circuit accepted the government's argument in this regard when cell site location data was involved), so it would seem that §2703(d) requests could not be used. However, in the Justice Department's own guidelines on obtaining electronic evidence for investigations, it lists GPS data among the many "record" contents that it advises its personnel may be sought using applications under §2703(d). Given the immediate impact the D.C. Circuit Court's Maynard opinion has had among members of the judiciary at all levels, and the divergence of opinions among multiple federal circuits, it would seem the Supreme Court would not only be willing to weigh in on these issues, but might even be eager to do so.

Wednesday, September 8, 2010

ACLU mounts legal challenge to border searches of electronic devices

The American Civil Liberties Union (ACLU), joined by national associations representing defense lawyers and press photographers, filed a lawsuit in federal court this week challenging the U.S. Custom and Border Protection (CBP) policy on border searches of information in the possession of travelers, particularly including information stored on electronic devices such as laptop computers. The CBP policy, issued in July 2008, asserts the right of CBP personnel to examine computers, hard drives, and other electronic storage devices (as well as hard-copy material), without any need to show probable cause, suspicion, or justification of any kind. The policy also describes circumstances and operational guidelines under which CBP officers may take and hold information-containing devices in order to conduct thorough reviews of the information, potentially including using expert assistance to translate, interpret, or even break encryption if it has been used. Such detention is temporary (which legally apparently distinguishes it from seizure of the information), and the policy requires any copies of the information to be destroyed if, after review, no probable cause exists to seize it, but there are virtually no limitations on the type of information that may be reviewed.

The complaint filed by the ACLU challenges the CBP policy on Constitutional grounds, claiming causes of action under the Fourth Amendment because the border search policy and the searches performed under its authority allow warrantless, and in fact suspicionless, searches, copying, and detention of electronic devices and the data they contain, and under the First Amendment because the information reviewed by CBP includes expressive material protected by the free speech clause. The lead plaintiffs in the case include a doctoral student, a defense attorney, and a freelance photojournalist, all of whom have been detained on one or more occasions when traveling into the United States, and all of whom were subjected to searches of electronic devices in their possession when they passed through customs. The pending legal debate on this issue seems likely — as is often the case where homeland security is involved — to boil down to whether the government's interest in ensuring compliance with and enforcing customs laws trumps reasonable expectations of privacy held by individuals traveling into or out of the United States.

Tuesday, September 7, 2010

Practical challenges to worthwhile intentions for training more security professionals

While it's hard to see the current emphasis on information security training as anything other than a positive trend, the popularity of security programs at many higher education institutions may not produce the next generation of appropriate skilled and qualified infosec professionals without some consideration of how the training is structured. Undergraduate and graduate degree programs in information security (or information assurance, or cyber security, or any of the trendier labels for such programs) are often marketed to individuals based on the anticipated need for workers trained in security, without much regard for the prior educational background or work experience of the prospective students. Most of the institutions offering these programs also try to get their curricula approved by the Committee on National Security Systems (CNSS) or other government bodies, since the Department of Defense and other government agencies use such approvals to determine the validity of the training that information security job seekers have had (along with attainment of certain certifications designated in DoD Directive 8570). CNSS produces training standards for information assurance professionals, which in general specify the set of topics and functional responsibilities that people working in various security-related positions should master.

Institutions and their faculty members face the challenge of taking students from introductory information assurance basics through to a level of knowledge sufficient to establish them as qualified to take on specific infosec responsibilities. This task is made harder in some topic areas by the fact that few technically focused information security textbooks are produced, and the ones that are tend to cover broad ranges of security topics without the level of detail or rigor necessary to develop a thorough understanding of the topic. The materials that are available for this purpose include narrowly focused product or task-specific reference books and manuals, so that supporting a typical graduate course curriculum with such materials might incorporate content from a large number of sources. There's nothing inherently wrong with this situation, and in fact it reflects business as usual for much of the practice of information security, but both instructors and students often prefer having just one or a couple of comprehensive references to cover a topic, and finding such references often proves an elusive goal.

To use intrusion detection as an example, consider the content coverage necessary for a course that seeks to address all of the major aspects of the topic:  network-based and host-based intrusion detection and prevention; signature-based and anomaly-based detection methods; protection against external and internal threats; technical underpinnings of intrusion analysis, related threats and vulnerabilities, and use of detection mechanisms to mitigate those; and positioning of intrusion detection in relation to other related disciplines such as network security monitoring, incident response, forensic analysis, event correlation, and defense in depth. There are excellent technical references available for all of these topics, but no comprehensive coverage of these topics in a single source, in a format that might be used effectively as a course text. In the graduate Information Assurance program at University of Maryland University College (UMUC), the course on intrusion detection and prevention for many years used Paul Proctor's Practical Intrusion Detection Handbook as one of its core texts, in large part because Proctor tried to address, in a single volume, network-based and host-based IDS, deployment alternatives, behavioral analysis, operational models for intrusion detection activities, and factors organizations typically consider when evaluating vendors and tools in the IDS market. The value of Proctor's book, like most security references, has diminished significantly over time since the book was published in 2000, and now large portions of it are so out of date that they are inaccurate as well as irrelevant. Due largely to its age, UMUC replaced Proctor with a more recent work in the same general topic area, Ryan Trost's Practical Intrusion Analysis, which aside from being current also illustrates the two prevalent types of IDS technology through descriptions of Snort and Bro. Trost's book has some shortcomings as anything other than a reference for some specific sub-sets of intrusion detection topics, particularly because the book was assembled from a separately-produced group of chapters by different authors, and has not been favorably regarded by some expert security practitioners. In the context of a course text on intrusion detection, Trost's book matches the approach of quite a few others in focusing exclusively on network-based intrusion, which limits the applicability of the material in the book in terms of the relevant threats and organization security objectives it addresses. Practical Intrusion Analysis also reflects a trend seen in many recent books to try to cover only new or unique topics, assuming the reader already has other references available that describe the basic material that serves as the foundation for what's in the book. This assumption may be valid for security professionals, but is rarely true for students.

In theory, the best way to approach a course purporting to cover — at least at some level — all the major topics related to intrusion detection and prevention would integrate smaller content contributions from a potentially large number of reference sources. This would result in a custom curriculum that might be difficult to replicate from program to program, given the added effort (and often complexity) associated with obtaining the appropriate copyrights for chapters or excerpts from multiple publications. Another alternative might be to assemble the relevant content in a single volume specifically intended to serve as a textbook (which nevertheless might end up being valuable as a general security reference), although such an approach runs the risk of producing an aggregation of content that isn't well integrated or doesn't have enough logical flow to be understandable by its target audience. The key advantage to assembling relevant content from ostensibly authoritative sources is that changes to content can be more easily accommodated when there are multiple authors responsible for specific pieces, particularly if the material is made available electronically and not only in bound and printed editions. From a purely pedagogical standpoint, it might be preferable to have a single author responsible for the content, but with respect to intrusion detection, it seems likely that any author or instructor attempting to produce a textbook that fully covers the topic would be dependent on input from multiple other parties.