why the technical community: Bruce Schneier (5 Sep 2013), “The US government has betrayed the internet. We need to take it back,” Guardian, http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying. Stephen Farrell (2013), “Pervasive monitoring is an attack,” Internet Engineering Task Force Trust, Network Working Group, http://tools.ietf.org/pdf/draft-farrell-perpass-attack-00.pdf.
the FBI is continually trying: Charlie Savage (27 Sep 2010), “U.S. tries to make it easier to wiretap the Internet,” New York Times, http://www.nytimes.com/2010/09/27/us/27wiretap.html. Ryan Singel (17 Feb 2011), “FBI pushes for surveillance backdoors in Web 2.0 tools,” Wired, http://www.wired.com/2011/02/fbi-backdoors. Valerie Caproni (17 Feb 2011), “Statement before the House Judiciary Committee, Subcommittee on Crime, Terrorism, and Homeland Security, Washington, D.C.,” US Federal Bureau of Investigation, http://www.fbi.gov/news/testimony/going-dark-lawful-electronic-surveillance-in-the-face-of-new-technologies.
and to each other’s: This isn’t new. In the 1980s and 1990s, the NSA inserted backdoors into the hardware encryption products sold by the Swiss company Crypto AG. Scott Shane and Tom Bowman (4 Dec 1995), “Rigging the game,” Baltimore Sun, http://cryptome.org/jya/nsa-sun.htm. Wayne Madsen (Winter 1998), “Crypto AG: The NSA’s Trojan whore?” Covert Action Quarterly 63, http://mediafilter.org/caq/cryptogate.
observers have concluded: Christopher Ketcham (27 Sep 2008), “An Israeli Trojan horse,” Counterpunch, http://www.counterpunch.org/2008/09/27/an-israeli-trojan-horse. James Bamford (3 Apr 2012), “Shady companies with ties to Israel wiretap the U.S. for the NSA,” Wired, http://www.wired.com/2012/04/shady-companies-nsa/all. Richard Sanders (Spring 2012), “Israeli spy companies: Verint and Narus,” Press for Conversion! 66, http://coat.ncf.ca/P4C/66/spy.pdf.
Security has to come first: Back in the 1990s, the National Academies made the same recommendation: “Recommendation 1—No law should bar the manufacture, sale, or use of any form of encryption within the United States. Specifically, a legislative ban on the use of unescrowed encryption would raise both technical and legal or constitutional issues. Technically, many methods are available to circumvent such a ban; legally, constitutional issues, especially those related to free speech, would be almost certain to arise, issues that are not trivial to resolve. Recommendation 1 is made to reinforce this particular aspect of the Administration’s cryptography policy.” Kenneth W. Dam and Herbert S. Lin, eds. (1996), Cryptography’s Role in Securing the Information Society, National Academies Press, http://www.nap.edu/catalog.php?record_id=5131.
law enforcement officials: Bruce Schneier (4 Oct 2014), “Stop the hysteria over Apple encryption,” CNN, http://edition.cnn.com/2014/10/03/opinion/schneier-apple-encryption-hysteria/index.html.
exactly one involved kidnapping: Administrative Office of the US Courts (11 Jun 2014), “Table 3: Major offenses for which court-authorized intercepts were granted pursuant to 18 U.S.C. 2519 January 1 through December 31, 2013,” from Wiretap Report 2013, http://www.uscourts.gov/Statistics/WiretapReports/wiretap-report-2013.aspx.
there’s no evidence that encryption: Andy Greenberg (2 Jul 2014), “Rising use of encryption foiled cops a record 9 times in 2013,” Wired, http://www.wired.com/2014/07/rising-use-of-encryption-foiled-the-cops-a-record-9-times-in-2013.
They have the right and ability: Steven Bellovin et al. (6–7 Jun 2013), “Lawful hacking: Using existing vulnerabilities for wiretapping on the Internet,” Privacy Law Scholars Conference, Berkeley, California, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2312107.
the NSA eavesdropped on: Jacob Appelbaum et al. (23 Oct 2013), “Berlin complains: Did US tap Chancellor Merkel’s mobile phone?” Der Spiegel, http://www.spiegel.de/international/world/merkel-calls-obama-over-suspicions-us-tapped-her-mobile-phone-a-929642.html. Ian Traynor, Philip Oltermann, and Paul Lewis (23 Oct 2013), “Angela Merkel’s call to Obama: Are you bugging my mobile phone?” Guardian, http://www.theguardian.com/world/2013/oct/23/us-monitored-angela-merkel-german.
the NSA spied on embassies: Ewan MacAskill and Julian Borger (30 Jun 2013), “New NSA leaks show how US is bugging its European allies,” Guardian, http://www.theguardian.com/world/2013/jun/30/nsa-leaks-us-bugging-european-allies. Glenn Greenwald (2014), No Place to Hide: Edward Snowden, the NSA and the US Surveillance State, Macmillan, http://glenngreenwald.net.
the NSA spied on the UN: Laura Poitras, Marcel Rosenbach, and Holger Stark (26 Aug 2013), “Codename ‘Apalachee’: How America spies on Europe and the UN,” Der Spiegel, http://www.spiegel.de/international/world/secret-nsa-documents-show-how-the-us-spies-on-europe-and-the-un-a-918625.html.
It’s actually stabilizing: A target often cannot tell whether an intrusion is exploitation (espionage) or the opening of an attack, and that uncertainty can lead to unwanted escalation. Herbert Lin (Fall 2012), “Escalation dynamics and conflict termination in cyberspace,” Strategic Studies Quarterly 6, http://www.au.af.mil/au/ssq/2012/fall/lin.pdf.
The increasing militarization: Peter B. Kraska (Jan 2007), “Militarization and policing: Its relevance to 21st century police,” Policing 1, http://cjmasters.eku.edu/sites/cjmasters.eku.edu/files/21stmilitarization.pdf. John Paul and Michael L. Birzer (Mar 2008), “The militarization of the American police force: A critical assessment,” Critical Issues in Justice and Politics 1, http://www.suu.edu/hss/polscj/journal/V1N1.pdf#page=25. Abigail R. Hall and Christopher J. Coyne (Spring 2013), “The militarization of U.S. domestic policing,” Independent Review 17, http://www.independent.org/pdf/tir/tir_17_04_01_hall.pdf. Matthew Witt (Mar 2013), “Morewell than Orwell: Paramilitarization in the United States post-9/11,” Journal of 9/11 Studies 36, http://www.journalof911studies.com/resources/2013WittVol36Mar.pdf.
that’s a topic for another book: This is a good one to start with. Radley Balko (2013), Rise of the Warrior Cop: The Militarization of America’s Police Forces, Public Affairs Press, http://books.google.com/books?id=M3KSMQEACAAJ.
he would extend some: Barack Obama (17 Jan 2014), “Transcript of President Obama’s Jan. 17 speech on NSA reforms,” Washington Post, http://www.washingtonpost.com/politics/full-text-of-president-obamas-jan-17-speech-on-nsa-reforms/2014/01/17/fa33590a-7f8c-11e3-9556-4a4bf7bcbd84_story.html.
when you’re being attacked in cyberspace: Scott Charney (30 Apr 2010), “Rethinking the cyber threat: A framework and path forward,” Microsoft Corporation, http://www.microsoft.com/en-us/download/details.aspx?id=747.
the Internet doesn’t have borders: On the blurring of the line between crimes and acts of war. Benjamin J. Priester (24 Aug 2007), “Who is a ‘terrorist’? Drawing the line between criminal defendants and military enemies,” Florida State University College of Law, Public Law Research Paper No. 264, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1009845.
A “cybersiege” mentality is becoming: Far too many people use this emotionally charged term. Richard Behar (13 Oct 2008), “World Bank under cybersiege in ‘unprecedented crisis,’” FOX News, http://www.foxnews.com/story/2008/10/13/world-bank-under-cyber-siege-in-unprecedented-crisis. Scott Harkey (3 Jul 2012), “Our view: Arizona must rise to challenge of cybersiege,” East Valley Tribune, http://www.eastvalleytribune.com/opinion/article_fcfd880c-a421-11e0-a8e5-001cc4c002e0.html. Kaspersky Lab (2014), “Under cybersiege: What should America do?” Kaspersky Government Cybersecurity Forum, http://kasperskygovforum.com.
These tend to be totalitarian: Here’s a proposal to institute a sort of “cyber draft” to conscript networks in the event of a cyberwar. Susan W. Brenner and Leo L. Clarke (Oct 2010), “Civilians in cyberwarfare: Conscripts,” Vanderbilt Journal of Transnational Law 43, http://www.vanderbilt.edu/jotl/manage/wp-content/uploads/Brenner-_Final_1.pdf.
The 1878 Posse Comitatus Act: RAND Corporation (20 Mar 2001), “Overview of the Posse Comitatus Act,” in Preparing the U.S. Army for Homeland Security, http://www.rand.org/content/dam/rand/pubs/monograph_reports/MR1251/MR1251.AppD.pdf. Charles Doyle and Jennifer K. Elsea (16 Aug 2012), “The Posse Comitatus Act and related matters: The use of the military to execute civilian law,” Congressional Research Service, http://www.fas.org/sgp/crs/natsec/R42659.pdf.
In the US, that’s Cyber Command: Rhett A. Hernandez (Oct 2012), “U.S. Army Cyber Command: Cyberspace for America’s force of decisive action,” Army, http://connection.ebscohost.com/c/articles/82115370/u-s-army-cyber-command-cyberspace-americas-force-decisive-action.
NSA’s defensive capabilities: In recent decades, the NSA has been doing more to provide data and communications security to US private companies. The companies need government help, but it needs to be much more public. Susan Landau (29 Sep 2014), “Under the radar: NSA’s efforts to secure private-sector telecommunications infrastructure,” Journal of National Security Law and Policy, http://jnslp.com/2014/09/29/under-the-radar-nsas-efforts-to-secure-private-sector-telecommunications-infrastructure.
The Computer Security Act of 1987: Robert A. Roe et al. (11 Jun 1987), “Computer Security Act of 1987: Report,” Committee on Science, Space, and Technology, US House of Representatives, https://beta.congress.gov/congressional-report/107th-congress/senate-report/239/1. Electronic Privacy Information Center (2014), “Computer Security Act of 1987,” http://epic.org/crypto/csa.
They want an Internet that recognizes: Milton Mueller (21 Jun 2012), “Threat analysis of the WCIT part 4: The ITU and cybersecurity,” Internet Governance Project, http://www.internetgovernance.org/2012/06/21/threat-analysis-of-the-wcit-4-cybersecurity.
Countries like Brazil: Brazil’s government even proposed a law mandating this, but then backed down. Esteban Israel and Anthony Boadle (28 Oct 2013), “Brazil to insist on local Internet data storage after U.S. spying,” Reuters, http://www.reuters.com/article/2013/10/28/net-us-brazil-internet-idUSBRE99R10Q20131028. Anthony Boadle (18 Mar 2014), “Brazil to drop local data storage rule in Internet bill,” Reuters, http://www.reuters.com/article/2014/03/19/us-brazil-internet-idUSBREA2I03O20140319.
and Germany: Michael Birnbaum (1 Nov 2013), “Germany looks at keeping its Internet, e-mail traffic inside its borders,” Washington Post, http://www.washingtonpost.com/world/europe/germany-looks-at-keeping-its-internet-e-mail-traffic-inside-its-borders/2013/10/31/981104fe-424f-11e3-a751-f032898f2dbc_story.html.
Russia passed a law in 2014: Charles Maynes (11 Jul 2014), “Russia tightens Internet screws with ‘server law,’” Deutsche Welle, http://www.dw.de/russia-tightens-internet-screws-with-server-law/a-17779072. Adrien Henni (12 Jul 2014), “New personal data storage rules to affect both foreign and domestic players—but still no ‘Chinese wall’ surrounding Russia,” East-West Digital News, http://www.ewdn.com/2014/07/12/new-personal-data-storage-rules-to-affect-both-foreign-and-domestic-players-but-no-chinese-wall-surrounding-russia.
We don’t perceive: Jacquelyn Burkell et al. (2 Jan 2014), “Facebook: Public space, or private space?” Information, Communication and Society, http://www.tandfonline.com/doi/abs/10.1080/1369118X.2013.870591.
But because we didn’t bother: Even if we had, we would have found that the agreement was vague, and gave the company the right to do whatever it wanted . . . and to change the agreement at will without notice or consent.
These laws don’t apply: Scott Lybarger (1999), “Conduit or forum? Regulatory metaphors for the Internet,” Free Speech Yearbook 37, http://www.tandfonline.com/doi/abs/10.1080/08997225.1999.10556239.
things we say on Facebook: Noah D. Zatz (Fall 1998), “Sidewalks in cyberspace: Making space for public forums in the electronic environment,” Harvard Journal of Law & Technology 12, http://jolt.law.harvard.edu/articles/pdf/v12/12HarvJLTech149.pdf. Laura Stein (Jan 2008), “Speech without rights: The status of public space on the Internet,” Communication Review 11, http://www.tandfonline.com/doi/abs/10.1080/10714420801888385. Lyrissa Lidsky (Dec 2011), “Public forum 2.0,” Boston University Law Review 91, http://www.bu.edu/law/central/jd/organizations/journals/bulr/volume91n6/documents/LIDSKY.pdf.
14: Solutions for Corporations
what sorts of inventions: It is much more likely that we will invent our way out of the ecological disaster that is climate change than conserve our way out of it. Bjørn Lomborg (2001), The Skeptical Environmentalist: Measuring the Real State of the World, Cambridge University Press, https://encrypted.google.com/books?id=JuLko8USApwC.
1980 OECD Privacy Framework: Organization for Economic Cooperation and Development (2013), “The OECD privacy framework,” http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.
EU Data Protection Directive: European Parliament and Council of the European Union (24 Oct 1995), “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,” http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML. Neil Robinson et al. (2009), “Review of the European Data Protection Directive,” Report TR-710-ICO, Information Commissioner’s Office, RAND Corporation, http://ico.org.uk/~/media/documents/library/data_protection/detailed_specialist_guides/review_of_eu_dp_directive.ashx.
American corporations: Karlin Lillington (14 May 2014), “Analysis: Google takes another hit with EU privacy rulings,” Irish Times, http://www.irishtimes.com/business/sectors/technology/analysis-google-takes-another-hit-with-eu-privacy-rulings-1.1793749. PricewaterhouseCoopers (Jul 2014), “EU data protection reforms: Challenges for businesses,” http://www.pwc.com/en_US/us/risk-assurance-services/publications/assets/pwc-eu-data-protection-reform.pdf.
bringing that law up to date: European Commission (25 Jan 2012), “Commission proposes a comprehensive reform of the data protection rules,” http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm. European Commission (25 Jan 2012), “Why do we need an EU data protection reform?” http://ec.europa.eu/justice/data-protection/document/review2012/factsheets/1_en.pdf. European Commission (12 Mar 2014), “Progress on EU data protection now irreversible following European Parliament vote,” http://europa.eu/rapid/press-release_MEMO-14-186_en.htm.
OECD Privacy Framework (1980): Organization for Economic Cooperation and Development (2013), “The OECD privacy framework,” http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.
By raising the cost of privacy breaches: This is a good introduction to the economics of data privacy. Tyler Moore (2011), “Introducing the economics of cybersecurity: Principles and policy options,” in Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy, National Academies Press, http://cs.brown.edu/courses/csci1800/sources/lec27/Moore.pdf.
doing this in the US with healthcare data: Healthcare data breach violations, and accompanying fines, are common. Patrick J. O’Toole, Corey M. Dennis, and Douglas Levy (28 Mar 2014), “Best practices for avoiding data breach liability,” Michigan Lawyers Weekly, http://milawyersweekly.com/news/2014/03/28/commentary-best-practices-for-avoiding-data-breach-liability.
it’s starting to happen here: Sasha Romanosky, David Hoffman, and Alessandro Acquisti (25–26 Jun 2012), “Empirical analysis of data breach litigation,” 11th Annual Workshop on the Economics of Information Security, Berlin, Germany, http://weis2012.econinfosec.org/papers/Romanosky_WEIS2012.pdf.
Target is facing several lawsuits: Target Corporation is a defendant in multiple lawsuits stemming from its 2013 data breach. Alex Williams (23 Dec 2013), “Target may be liable for up to $3.6 billion for card data breach,” TechCrunch, http://techcrunch.com/2013/12/23/target-may-be-liable-for-up-to-3-6-billion-from-credit-card-data-breach. Lance Duroni (3 Apr 2014), “JPML centralizes Target data breach suits in Minn.,” Law360, http://www.law360.com/articles/524968/jpml-centralizes-target-data-breach-suits-in-minn.
banks are being sued: Brian Krebs (8 Jan 2014), “Firm bankrupted by cyberheist sues bank,” Krebs on Security, http://krebsonsecurity.com/2014/01/firm-bankrupted-by-cyberheist-sues-bank. Brian Krebs (20 Jun 2014), “Oil Co. wins $350,000 cyberheist settlement,” Krebs on Security, http://krebsonsecurity.com/2014/06/oil-co-wins-350000-cyberheist-settlement. Brian Krebs (13 Aug 2014), “Tenn. firm sues bank over $327K cyberheist,” Krebs on Security, http://krebsonsecurity.com/2014/08/tenn-utility-sues-bank-over-327k-cyberheist.
These cases can be complicated: Here’s one proposal. Maurizio Naldi, Marta Flamini, and Giuseppe D’Acquisto (2013), “Liability for data breaches: A proposal for a revenue-based sanctioning approach,” in Network and System Security (Lecture Notes in Computer Science Volume 7873), Springer, http://link.springer.com/chapter/10.1007%2F978-3-642-38631-2_20.
There’s a parallel with how: Much has been written about what privacy regulation can learn from environmental regulation. Dennis D. Hirsch (Fall 2006), “Protecting the inner environment: What privacy regulation can learn from environmental law,” Georgia Law Review 41, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1021623. Ira S. Rubinstein (2011), “Privacy and regulatory innovation: Moving beyond voluntary codes,” I/S, A Journal of Law and Policy for the Information Society 6, http://www.ftc.gov/sites/default/files/documents/public_comments/privacy-roundtables-comment-project-no.p095416-544506-00022/544506-00022.pdf.
The US Code of Fair Information Practices: Willis H. Ware et al. (Jul 1973), “Records, computers and the rights of citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems,” DHEW Publication (OS) 73-94, US Department of Health, Education and Welfare, http://www.justice.gov/sites/default/files/opcl/docs/rec-com-rights.pdf.
Making companies liable for breaches: There would need to be some exception for free and open-source software, and other instances where the user does not have any contractual relationship with the software vendor.
The relevant term from economics: Giuseppe Dari-Mattiacci and Nuno Garoupa (May 2009), “Least cost avoidance: The tragedy of common safety,” Journal of Law, Economics, and Organization 25, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=560062. Paul Rosenzweig (5 Nov 2013), “Cybersecurity and the least cost avoider,” Lawfare, http://www.lawfareblog.com/2013/11/cybersecurity-and-the-least-cost-avoider.
Data and Goliath Page 45