On the podcast this week, Michael Burstein, assistant professor of law at the Benjamin N. Cardozo School of Law, discusses his paper entitled, Exchanging Information Without Intellectual Property. Burstein begins by discussing theories behind IP law and why it exists. According to Burstein, IP law incentivizes creation of intellectual works because it protects the creator’s investment by preventing others from copying the work and obtaining a benefit without any effort. He then goes on to discuss the critiques of these theories, the costs that are involved in protecting intellectual works, and the effect IP law has on innovation. Burstein then discusses practical examples in the pharmaceutical and biotech industry where actors structure the flow of information in a way that is reciprocal but only requires a small role from IP law. According to Burstein, norms protect intellectual works. He believes these norms allow disclosure of intellectual works in stages and facilitate a trusting relationship between two firms. Burstein ends the discussion by addressing policy conclusions surrounding IP law and what role it should play in information exchange.

Related Links

• Exchanging Information Without Intellectual Property, by Burstein
• “Emerging Markets for High Tech Ideas”, Small Business Trends
• “Frischmann Predicts Prometheus”, Concurring Opinions

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

On the podcast this week, Jim Harper, director of information policy studies at the Cato Institute, and Ryan Radia, associate director of technology studies at the Competitive Enterprise Institute, discuss Congress’s recent interest in cybersecurity. Harper and Radia begin by discussing why Congress wants to legislate cybersecurity and the potential threats that have Congress frightened. Harper and Radia then discuss the types of bills before Congress, which include aspects of information sharing that would promote cybersecurity intelligence but may have privacy implications, and mandates for a security infrastructure. The discussion then turns to the role of government in cybersecurity and whether the protection of online information and assets should be left to markets. The discussion ends with Harper and Radia predicting the future of the proposed bills.

Related Links

• “Cybersecurity Bills? No, Thanks”, cato@liberty
• Government Bureaucrats Can’t Prevent Data Breaches, CEI.org
• “Cyberwar Is the New Yellowcake”, Wired
“Cybersecurity bill passes, Obama threatens veto”, CNN Money

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

On the podcast this week, Jennifer Shkabatur, Fellow at the Berkman Center for Internet Society at Harvard University, discusses her new paper, “Transparency With(out) Accountability: The Effects of the Internet on the Administrative State. Shkabatur begins by discussing the focus of her paper, a critical look at open government initiatives. Shkabatur believes promises of transparency in government fall short and do not promote accountability. She then discusses innovations in accountability facilitated by the Internet, which she divides into three categories: mandatory transparency, discretionary transparency, and involuntary transparency. Shkabatur then sets forth types of reforms that she believes would improve government transparency. According to Shkabatur, context and details on agency processes are necessary along with details about how an agency performs various tasks.

Related Links

• Transparency With(out) Accountability, by Shkabatur
• “Transparency Through Technology: Evaluating Federal Open Government Efforts”, Mercatus.org
• “The Power of Open Government”, Brookings Institute

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

On the podcast this week, Naomi Cahn, John Theodore Fey Research Professor of Law at George Washington University, discusses her new paper entitled, “Postmortem Life Online.” Cahn first discusses what could happen to online accounts like Facebook once a person dies. According to Cahn, technology is outpacing the law in this area and it isn’t very clear what can happen to an online presence once the account holder passes away. She discusses the various problems family members face when trying to access a deceased loved one’s account, and also the problems online companies face in trying to balance the deceased’s privacy rights with the need to settle an estate. Cahn claims that terms of service often dictate what will happen to an online account after death, but these terms may not be in line with account holder wishes. She then suggests some steps to take in making sure online accounts are taken care of after death, including taking inventory of all online accounts and determining who should have access to those accounts after death.

Related Links

• “Postmortem Life On-Line”, by Cahn
• “What happens to your Facebook account when you die?”, The Digital Beyond
• “Deathless data: What happens to our digital property after we die?”, The Economist

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

On the podcast this week, Spencer Weber Waller, Professor and Director at the Institute for Consumer Antitrust Studies at Loyola University Chicago School of Law, discusses his new paper entitled, Antitrust and Social Networking. The discussion centers on the likelihood of Facebook being charged by the government as having a monopoly over the social networking market. Waller first explains antitrust law, which, among other things, prohibits monopolization to protect competition. Waller then discusses the difficulty of defining the market for social networks. He claims that Facebook is dominant in the market, but he also says there are multiple markets for Facebook’s participation, like consumer use and advertising. Waller goes on to explain how a court would analyze an antitrust violation. According to Waller, there is a two-step process involved where courts ask whether there is market power, and whether a company is doing anything with that power to interfere with competition. Waller ends the discussion by analyzing the likelihood of Facebook ever being charged with antitrust violations. Waller also briefly gives his thoughts on the recent antitrust suit filed by the DOJ against Apple.

Related Links

• Antitrust and Social Networking, By Waller
• “Will Facebook’s Instagram Deal Face Antitrust Scrutiny?”, CNBC
• “The procompetitive story that could undermine the DOJ’s e-books antitrust case against Apple”, Technology Liberation Front

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

On the podcast this week, Adam Lashinsky, author and editor-at-large for Fortune, discusses his new book, Inside Apple: How America’s Most Admired–and Secretive–Company Really Works. Lashinsky begins by discussing Apple’s obsession with secrecy to the point that employees do not discuss what they are working on with other employees. According to Lashinsky, secrecy is tied to focus and achievement, so Apple employees obtain a depth and expertise on one area, rather than being exposed to different areas of the company. He then discusses how secrecy impacts employee morale and how employees view accomplishment and achievement as a tradeoff for happiness and morale. Lashinsky then explains how other corporations can emulate Apple’s secretive style and reap the benefits.

Related Links

• “Inside Apple: How America’s Most Admired–and Secretive–Company Really Works”, by Lashinsky
• “The Consequences of Apple’s Walled Garden”, Time Techland
• “Adam Lashinsky on peeling back Apple’s skin”, Washington Post

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

On the podcast this week, Christina Mulligan, Visiting Fellow at the Information Society Project at Yale Law School, discusses Her new paper, co-authored with Tim Lee, entitled, Scaling the Patent System. Mulligan begins by describing the policy behind patents: to give temporary exclusive rights to inventors so they can benefit monetarily for their inventions. She then explains the thesis of the paper, which argues that the patent system is failing because it is too large to scale. Mulligan claims that some industries are ignoring patents when they develop new products because it is nearly impossible to discover whether a new product will infringe on an existing patent. She then highlights industries where patents are effective, like the pharmaceutical and chemical industries. According to Mulligan, these industries rarely infringe on patents because existing patents are “indexable,” meaning they are easy to look up. The discussion concludes with Mulligan offering solutions for the current problem, which includes restricting the subject matter of patents to indexable matters.

Related Links

• Scaling the Patent System, by Mulligan & Lee
• “Questions About ‘Scaling the Patent System’ Answered”, Forbes.com
• When Patents Attack, NPR.org

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

On the podcast this week, Bruce Schneier, internationally renowned security expert and author, discusses his new book entitled, “Liars & Outliers: Enabling the Trust That Society Needs To Thrive.” Schneier starts the discussion by looking at society and trust and explains why he thinks the two are necessary for civilization. According to Schneier, two concepts contribute to a trustful society: first, humans are mostly moral; second, informal reputation systems incentivize trustworthy behavior. The discussion turns to technology and trust, and Schneier talks about how the information society yields greater consequences when trust is breached. He then describes how society deals with technology and trust and why he thinks the system is not perfect but working well overall.

Related Links

• “Liars and Outliers: Enabling the Trust that Society Needs to Thrive”, by Schneier
• “Why Doesn’t Society Just Fall Apart?”, Forbes.com
• Bruce Schneier-CFP 2011-Keynote on Cyberwar Rhetoric, JerryBrito.org

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

On the podcast this week, Jason Mazzone, professor of law at Brooklyn Law School, discusses his new book, Copyfraud and Other Abuses of Intellectual Property Law. Copyfruad, according to Mazzone, occurs when intellectual property law is used in an abusive or overreaching manner. Mazzone believes the problem arises when content owners make false or fraudulent claims of intellectual property rights that are not recognized by the law. The discussion turns to the scope of harm that results from Copyfraud, and Mazzone proposes that the solution lies in legislative measures as well as education on the scope of intellectual property law.

Related Links

• Copyfraud and Other Abuses of Intellectual Property Law, by Mazzone
• Copyright Criminals, pbs.org
• “IP Feudalism and the Shrinking of the Public Domain”, Marginal Revolution

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

From The Hill this weekend:

But James Lewis, the director of the Technology and Public Policy Program at the Center for Strategic and International Studies, said “no serious analyst doubts the risk anymore” of a cyber attack.

“There are people who are naturally skeptical about anything the government says and there are the ones who are paid to be skeptical,” Lewis said, but he claimed almost everyone else has accepted the seriousness of the situation.

Since I’m the only other person quoted in the story–making the case that the threat of a catastrophic cyberattack has been exaggerated–that statement can be read as applying to me. I’m certainly naturally skeptical of government (for good reason, I think), and to the extent my organization is also generally skeptical of government, I guess I am paid to be skeptical of government. But the implication that I wouldn’t advocate skepticism of government but for payment is insulting. And it also has nothing to do with whether the cyber threat has been blown out of proportion and whether we should be skeptical of such threat inflation.

On that front, I’d like to quote at length from a fantastic 2006 San Francisco Chronicle piece entitled, “The War on Hype,” that might as well have been written by me. It is by a certain James A. Lewis:

Or cyber terror. In 1995, the first in a long series of warnings of an “electronic Pearl Harbor” was made. Although terrorists have launched many attacks since 1995, none has involved cyber terror.

The closest thing to a cyber attack occurred in Australia, when a disgruntled employee who had designed the computer system for a sewage treatment plant was able to penetrate the network after 49 consecutive attempts that went unnoticed and release raw sewage. The government report on the incident says this produced an unbearable smell for several days. Residents were unhappy, but able to control their terror.

Cyber terror was at first suspected in the 2003 Northeast blackout. The cause turned out to be incompetence and falling trees. The widespread blackout did not degrade U.S. military capabilities, did not damage the economy, and caused neither casualties nor terror.

One lesson to draw from this is that large, modern economies are hard to defeat. Their vulnerability — to cyber attack or dirty bombs or the other exotic weapons — is routinely exaggerated.

Yes, computer networks are vulnerable to attack, but nations are not equally vulnerable. Countries like the United States, with its abundance of services and equipment and the ability and experience in restoring critical functions, are well equipped to overcome an attack.

Yes, that’s the very point I was making in the Hill article, and which I’ve been making in my writing the last couple of years. But wait, there’s more.

What explains this discrepancy between risk and perception?

During the cold war, analysts became accustomed to thinking about horrible things that never happened — from nuclear winter to atomic war. This willingness to suspend disbelief has carried over to the war on terrorism.

When the cold war ended, the United States reassessed what kinds of threats it would face in the future. A series of influential commissions concluded that new kinds of opponents would use asymmetric attacks and unconventional weapons against the American homeland. They would attack vulnerable civilian targets, as no one could challenge the U.S. military and win.

This assessment proved, unfortunately, to be correct, but its corollary — that the new opponents would use unconventional weapons like cyber or bio — missed the mark.

There are important differences between experts and terrorists. Experts imagine exotic attack scenarios. Terrorists are conservative. They prefer guns and bombs.

There’s even a hint of how threat inflation can hurt policymaking:

The media, particularly television, prefers to translate complex risks into simple and dramatic tales. Eighty-three people dying in six years is tragic, but not news. Deadly chickens sweeping out of China to infect millions appeals to alarmism and anxiety and attracts audiences and talking heads.

A changing American political culture makes our leaders more anxious. Since the 1960s, the U.S. government has become progressively more cautious and risk-averse. …

Exaggerated concerns shape our spending and strategies for counterterrorism and public health (even if our implementation of these strategies is at times so lax as to appear to welcome risk with open arms).

It’s good to know that a serious analyst can doubt the risks associated with cyberattack. If Dr. Lewis has changed his views on the threat posed by cyber, I’m sure it’s the result of extensive investigation and careful reflection, and not for any other reason. More to the point, it doesn’t matter. Bringing up motives is what you do when you can’t counter an argument.

The cover story of this week’s The New Republic is a review by Evgeny Morozov of Walter Isaacson’s biography of Steve Jobs. In 10,000 words it is more illuminating about what made Steve Jobs tick than Isaacson’s 656 pages of warmed-over anecdotes and Wikipedia glosses. Morozov gets it right when he draws the connection between Bauhaus and Apple–functionalism and simplicity über alles. But he doesn’t seem to like where this takes Apple or Jobs.

He calls Jobs’s adherence to the Bauhaus ideal “a kind of industrial Platonism” in which products have a true form or essence that must be discovered and revealed by a designer. What consumers think they want is irrelevant; they will know what they want when it is presented to them. That’s true as far as it goes, but Morozov is the real Platonist here.

Morozov’s ultimate indictment of Apple is that it refuses to consider the externalities its technologies impose on “society.” One may love one’s Apple products and how they have improved one’s life, but, Morozov says,

We need to identify the other moral instructions that may be embedded in a technology, which it promotes directly or indirectly. And this fuller analysis requires going beyond studying the immediate impact on the user and engaging with the broader–let us call it the “ecological”–impact of a device. (“Ecological” here has no environmental connotations; it simply indicates that a technology may affect not only its producer and its user, but also the values and the habits of the community in which they live.)

What is this negative externality Apple’s technology is inflicting on the value and habits of our communities? It’s that apps will kill the open Internet, except not for the reasons we think. Morozov cites and dismisses Jonathan Zittrain’s “generativity” critique saying that Zittrain is concerned only with the threat to innovation. Morozov, on the other hand, is concerned with loftier “ethical and aesthetic considerations.” Namely, that Apple’s app paradigm “may be destroying the Internet in much the same way that the automobile destroyed the sidewalks and the playgrounds.”

The point is not that we should forever cling to the shape and the format of the Internet as it exists today. It is that we should (to borrow Apple’s favorite phrase) “think different” and pay attention to the aesthetic and civic externalities of the app economy. Our choice is between erecting a virtual Portland or sleepwalking into a virtual Dallas. But Apple under Steve Jobs consistently refused to recognize that there is something valuable to the Web that it may be destroying.

After reading a competing cover story about Portland in another newsweekly, I’m not sure the choice is as clear as Morozov thinks it is. But the message is clear: like Portland’s planners do about a “livable city,” Morozov has a vision of what is the Internet’s pure form, and it’s not one left to messy markets.

Morozov quotes a Newsweek interview with Jobs just a few years after the Web was invented. Jobs sees it as “the ultimate direct-to-customer distribution channel.” He essentially predicts that you’ll be able to buy books online and that the bookstore will know what you like.

That the Web did become a shopping mall fifteen years after Jobs made his remark does not mean that he got the Web right. It means only that a powerful technology company that wants to change the Web as it pleases can currently do so with little or no resistance from anyone. If one day Apple decides to remove a built-in browser from the iPad, as the Web becomes less necessary in an apped world, it will not be because things took on a life of their own, but because Apple refused to investigate what other possible directions—or forms of life—“things” might have taken. For Jobs, with his pre-political mind, there was no other way to think about the Internet than to rely on the tired binary poles of supply and demand.

The notion that Apple turned the web into what it is today singlehandedly is laughable. Apple was moribund until 2000, didn’t introduce the iTunes Store until 2003, and has never had a strong presence on the web. The web has become what it is today because the convenience of getting any book you want, whenever you want it, and cheaply beats little bookstores stocked by proprietor’s whims, however aesthetically pleasing they may be–which they’re often not. And for the record, I hope we can all agree the web is more than a shopping mall.

More to the point, though, Jobs was not as much a Pied Piper as we’d like to think he was. Depite all his marketing moxie, he was constrained by the market. If Jobs ever thought there was a true essence of a computer, it was the Power Mac G4 Cube. As Isaacson says, “it was the pure expression of Jobs’s aesthetic.” And it was a flop. “Jobs later admitted that he had overdesigned and overpriced the Cube, just as he had the NeXT computer.” Remember the NeXT cube? How about the iPod Hi-Fi? The buttonless iPod shuffle? Ping? Those tired poles of supply and demand told Jobs “no” time after time, but we might just as easily dismiss gravity or entropy as tired.

If Apple were to remove the browser from the iPad today, there would be, shall we say, less demand for the tablet. If at some future date there is no more demand for a web browser, and Apple removes it to little fanfare, then what is the harm?

I guess it is some Platonic Internet that we’d lose. A pure internet that we don’t know we want. One that only philosopher-kings can see. One they will discuss at “Berlin-based think tanks” and in the pages of “quarterly magazines,” as Morozov praises Google for sponsoring. And it’s an Internet the philosopher-kings would plan for us the same way Neil Goldschmidt and his friends planned Portland.

No thanks. I prefer a Steve Jobs, pursuing a functionalist ideal with little care for the consequences, yet checked by those tired poles and the “perennial gale of creative destruction” that will someday catch up with Apple.

On the podcast this week, Gabriella Coleman, anthropologist and the Wolfe Chair in Scientific and Technological Literacy in the Department of Art History & Communication Studies at McGill University, discusses hacktivist group Anonymous. Coleman begins with an overview of Anonymous originating with online pranks that eventually evolved into political activism. The group, according to Coleman, began seeking “lulz” on the message board 4chan. The pranks consisted of Internet memes and practical Internet jokes called trolling. She then discusses how the group moved into activism using denial of services attacks to shut down websites and how it issued a series of videos against the Church of Scientology. The discussion then turns to the recent arrest of several LulzSec members, including Sabu, the hacker turned FBI informant.

Related Links

• “Anonymous: From the Lulz to Collective Action”, by Coleman
• “Arrests Sow Mistrust Inside a Clan of Hackers”, New York Times
• “Why Anonymous will never be able to take down the power grid”, JerryBrito.com
• “‘We Do It for the Lulz’: What Makes LulzSec Tick?”, Time Techland

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

On Wednesday, administration and military officials simulated a cyber attack for a group of senators in an attempt to show a dire need for cybersecurity legislation. All 100 senators were invited to the simulation, which “demonstrated how the federal government would respond to an attack on the New York City electrical grid during a summer heat wave, according to Senate aides.” Around 30 Senators attended. Some post-game reactions:

After the briefing, [Sen. Jay] Rockefeller spokesman Vincent Morris said: “We hope that seeing the catastrophic outcome of a power grid takedown by cyberterrorists encourages more senators to set aside Chamber of Commerce talking points and get on this bill.” [Sen. Mary] Landrieu said the simulation “just enhanced the view that I have about how important” cybersecurity is. She added: “The big takeaway is it’s urgent that we get this done now.”

So how catastrophic did the simulation get? How many casualties? What was the extent of the simulated damage? Did thousands die a la 9/11? A “cyber 9/11″ if you will? We’ll likely never know because such a simulation will be classified.

Yet as policymakers consider the cost-benefit of cybersecurity legislation, I hope they’ll remember that we’ve already had many a blackout in New York City in real life and, well, they didn’t lead to catastrophic loss of life, panic or terror. As Sean lawson has explained:

[A]ttacks upon the electrical grid are often featured prominently in cyber-doom scenarios. But historically, just what has happened when the power has gone out? As mentioned above, a series of blackouts in New York City in the 1930s indicated that people did not panic and society did not collapse at the loss of electrical power (Konvitz, 1990). That pattern continued through the remainder of the last century, where “terror, panic, death, and destruction were not the result” of power outages. Instead, as Nye (2010: 182–183) has shown, “people came together [and] helped one another,” just as they do in most disaster situations.

In August 2003, many initially worried that the two-day blackout that affected 50 million people in the United States and Canada was the result of a terrorist attack. Even after it was determined that it was not, some wondered what might happen if such a blackout were to be the result of intentional attack. One commentator hypothesized that an intentional “outage would surely thwart emergency responders and health-care providers. It’s a scenario with disastrous implications” (McCafferty, 2004). But the actual evidence from the actual blackout does not indicate that there was panic, chaos, or “disastrous implications.” While the economic costs of the blackout were estimated between four and ten billion dollars (Minkel, 2008; Council, 2004), the human and social consequences were quite minor. Few if any deaths are attributed to the blackout. A sociologist who conducted impromptu field research of New York City residents’ responses to the incident reported that there was no panic or paralysis, no spike in crime or antisocial behavior, but instead, a sense of solidarity, a concern to help others and keep things running as normally as possible, and even a sense of excitement and playfulness at times (Yuill, 2004). For example, though the sudden loss of traffic lights did lead to congestion, he notes that the situation was mitigated by “people spontaneously taking on traffic control responsibilities. Within minutes, most crossing points and junctions were staffed by local citizens directing and controlling traffic . . . All of this happened without the assistance of the normal control culture; the police were notably absent for long periods of the blackout” (Yuill, 2004). James Lewis (2006) of the Center for Strategic and International Studies has observed that “The widespread blackout did not degrade U.S. military capabilities, did not damage the economy, and caused neither casualties nor terror.”

Lawson goes on to explain that citizens are not terrorized by loss of power. More than anything, we are “irked” and we redouble our efforts to be resilient in the face of adversity. This is not to say that we should simply lie down and accept cyber attacks as they may come, but policymakers and the public should resist being scared into hasty policy decisions that will have many long-term consequences. Fear is not an appropriate basis for policymaking, and we should never allow it to supplant critical thinking.

For example, the Rockefeller spokesman notes that the simulation was of “a power grid takedown by cyberterrorists,” yet as Thomas Rid has shown, “terrorists are unlikely culprits of an equally unlikely cyber-9/11.” The more likely scenario of a cyber attack blackout is one carried out by a foreign state power in conjunction with a conventional attack. And thinking about conventional attack on the homeland requires a completely different type of analysis.

Cross-posted from JerryBrito.com

On the podcast this week, Rebecca MacKinnon, a former CNN correspondent and now Senior Fellow at the New America Foundation, discusses her new book, “Consent of the Networked: The Worldwide Struggle for Internet Freedom.” MacKinnon begins by discussing “Net Freedom,” which she describes as a structure that respects rights, freedoms, and accountability. She discusses how some governments, like China, use coercion to make private companies act a as subcontractors for censorship and manipulation. She goes on to discuss a project she launched called Global Network Initiative, where she urges companies like Google and Facebook to be more socially responsible. MacKinnon believes technology needs to be compatible with political freedoms, and she issues a call to action for Internet users to demand policies that are compatible with Internet freedoms.

Related Links

• “Consent of the Networked: The Worldwide Struggle For Internet Freedom”, by MacKinnon
• Global Network Initiative
• “Handmaidens to Censorship”, The Wall Street Journal
• The Case Against Letting the U.N. Govern the Internet, Time Techland

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

After the NSA’s aggressive pursuit of a greater role in civilian cybersecurity, and last week’s statement by Sen. John McCain criticizing the Lieberman-Collins bill for not including a role for the agency, some feared that the new G.O.P. cybersecurity bill would allow the military agency to gather information about U.S. citizens on U.S. soil. So, it’s refreshing to see that the bill introduced today–the SECURE IT Act of 2012–does not include NSA monitoring of Internet traffic, which would have been very troubling from a civil liberties perspective.

In fact, this new alternative goes further on privacy than the Liberman-Collins bill. It limits the type of information ISPs and other critical infrastructure providers can share with law enforcement. Without such limits, “information sharing” could become a back door for government surveillance. With these limits in place, information sharing is certainly preferable to the more regulatory route taken by the Liberman-Collins bill.

It seems to me that despite Sen. McCain’s stated preference for an NSA role, the G.O.P. alternative is looking to address the over-breadth of the Lieberman-Collins bill without introducing any new complications. The SECURE IT bill is also more in line with the approach taken by the House, so it would make reaching consensus easier.

I’ll be posting more here as I learn about the bill.

UPDATE 12:06 PM: A copy of the bill is now available. Find it after the break.

UPDATE 2:55 PM: Having now had an opportunity to take a look at the bill and not just the summary, it does appear it includes a hole through which the NSA may be able to drive a freight train. While NSA monitoring of civilian networks is not mandated, information that is shared by private entities with federal cybersecurity centers “may be disclosed to and used by”

any Federal agency or department, component, officer, employee, or agent of the Federal government for a cybersecurity purpose, a national security purpose, or in order to prevent, investigate, or prosecute any of the offenses listed in section 2516 of title 18, United States Code …

That last bit limits law enforcement’s use of shared cyber threat information to serious crimes, but the highlighted bit potentially allows sharing with the NSA or any other agency, civilian or military, for a any “national security” reasons. That is troublingly broad and a blemish on this otherwise non-regulatory bill.

Information sharing with the NSA might be fine as long as it is not mandatory and the shared information is used only for cyber security purposes.

Cross posted from JerryBrito.com

SECURE IT.introduction

Tomorrow Sen. John McCain, along with five other Republican senators, plans to unveil a cybersecurity bill to rival the Lieberman-Collins bill that Majority Leader Harry Reid has said he plans to bring to the Senate floor without an official markup by committee.

At a hearing earlier this month, Sen. McCain criticized the Lieberman-Collins bill for not giving the NSA authority over civilian networks. And as we’ve heard this week, the NSA has been aggressively seeking this authority–so aggressively in fact that the White House publicly rebuked Gen. Keith Alexander in the pages of the Washington Post. But as CDT’s Jim Dempsey explains in a blog post today,

The NSA’s claims are premised on the dual assumptions that the private sector is not actively defending its systems and that only the NSA has the skills and the technology to do effective cybersecurity. The first is demonstrably wrong. The Internet and telecommunications companies are already doing active defense (not to be confused with offensive measures). The Tier 1 providers have been doing active defense for years – stopping the threats before they do damage – and the companies have been steadily increasing the scope and intensity of their efforts.

The second assumption (that only the NSA has the necessary skills and insight) is very hard for an outsider to assess. But given the centrality of the Internet to commerce, democratic participation, health care, education and multiple other activities, it does not seem that we should continue to invest a disproportionate percentage of our cybersecurity resources in a military agency. Instead, we should be seeking to improve the civilian government and private sector capabilities.

The military, and especially the NSA, has great experience and useful intelligence that should leveraged to protect civilian networks. But that assistance should be provided at arms-length and without allowing the military to conduct surveillance on the private Internet. Military involvement in civilian security is as inappropriate in cyberspace as it is in the physical world.

As Gene Healy has explained, civilian law enforcement and security agencies “are trained to operate in an environment where constitutional rights apply and to use force only as a last resort”, while the military’s objectives are to defeat adversaries. The NSA’s warrantless wiretapping scandal speaks to this difference. “Accordingly, Americans going back at least to the Boston Massacre of 1770 have understood the importance of keeping the military out of domestic law enforcement.” The Senate Republicans would do well to leave NSA involvement in civilian networks out of a new cybersecurity bill.

And FYI: I will be presenting at a Cato Institute Capitol Hill briefing on cybersecurity on March 23rd along with Jim Harper and Ryan Radia. Full details and RSVP are here.

Cross posted from JerryBrito.com

On the podcast this week, Clay Johnson, co-founder of Blue State Digital and former director of Sunlight Labs at the Sunlight Foundation, discusses his new book, The Information Diet. According to Johnson, America’s diet of mass-produced unhealthy food has resulted in an obesity epidemic and we may be seeing the same thing when it comes to our media diet. He believes the problem is not too much information, rather it is the quality of information that people choose to consume. Johnson encourages more responsibility in choosing information intake, similar to what is required to make healthy food choices. He ends by outlining a plan of action and offers tips on consuming “healthy” information.

Related Links

• “The Information Diet”, by Johnson
• “How to Start Your Information Diet”, lifehacker.com
• ‘Plug In Better’: A Manifesto, The Atlantic

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

On the podcast this week, David Weinberger, senior researcher at Harvard Law’s Berkman Center for the Internet & Society and Co-Director of the Harvard Library Innovation Lab at Harvard Law School, discusses his new book entitled, “Too Big to Know: Rethinking Knowledge Now That the Facts Aren’t the Facts, Experts Are Everywhere, and the Smartest Person in the Room Is the Room.” According to Weinberger, knowledge in the Western world is taking on properties of its new medium, the Internet. He discusses how he believes the transformation from paper medium to Internet medium changes the shape of knowledge. Weinberger goes on to discuss how gathering knowledge is different and more effective, using hyperlinks as an example of a speedy way to obtain more information on a topic. Weinberger then talks about how the web serves as the “room,” where knowledge seekers are plugged into a network of experts who disagree and critique one another. He also addresses how he believes the web has a way of filtering itself, steering one toward information that is valuable.

Related Links

• “Too Big to Know: Rethinking Knowledge Now That the Facts Aren’t the Facts, Experts Are Everywhere, and the Smartest Person in the Room Is the Room”, by Weinberger
• “Research Ethics: Coercive Citation in Academic Publishing”, Science Daily
• “Knowledge Has Always Been Networked: On Weinberger’s ‘Too Big to Know’”, The Atlantic

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

Ahead of today’s cybersecurity hearing in the Senate, I wanted to jot down some thoughts on the issue. For over a year now, I’ve been questioning the need for federal intervention in cybersecurity and calling for a slower and more deliberate process. Perhaps I come across as a refusenik, but I hope that I’m at least lending some balance to the debate.

First, let me say that I fully recognize that the U.S. faces serious cyber threats. Here is one of the best (and most honest) cases for being worried that I’ve seen. I get it.

That said, what I try to point out is that the existence of a threat does not necessarily mean that regulation is necessary. In many cases, the threat can be internalized by affected private actors. Even if we determine that some private actors are not internalizing the costs, prescriptive regulation can sometimes do more harm than good. The best thing we can do is not try to prevent harm at all costs, but instead make sure that we are resilient so that no single threat can destroy us. And we may be more anti-fragile–more resilient and more capable of adaptation–than we’re led to believe.

That brings me to the other thing I try to point out: that the rhetoric surrounding cybersecurity is often unnecessarily alarmist. Introducing the Cybersecurity Act of 2012, Sen. Rockefeller equated the cyber threat with the nuclear threat. I’m sorry, but I don’t think that’s right. It does scare people, however, and I’m afraid that we will be sold an expensive bill of goods based on fear.

So I’m happy to see that both the Senate and the House have begun to take more realistic approaches to cybersecurity. For example, the Rockefeller-Snowe bill from last congress would have required the Department of Commerce to develop “a national licensing, certification, and periodic recertification program for cybersecurity professionals,” and would have made certification mandatory for anyone engaged in cybersecurity. I’m happy to see that’s gone in the new bill. I’m glad that there is no “Internet kill switch.” I’m also happy to see that the bill includes a way for private industry to appeal its inclusion in the regulatory regime.

Where do I think there may be a role for government? Information sharing certainly comes to mind. There is no doubt that there’s a lot that the public and private sectors can learn from each other. And to the extent that private actors are prevented by privacy laws to cooperate on cybersecurity, there should be a way to facilitate cooperation without endangering consumer protections. Additionally, requiring disclosure of security breaches is not a bad idea. It would allow insurance markets and other markets serve as an alternative to regulation, or as Cass Sunstein calls it, regulation through transparency.

Here, in one sentence, is what’s wrong with Stewart Baker’s testimony on cybersecurity before the Senate Homeland Security committee today:

If an asset is not designated as “covered critical infrastructure,” then the owner has no obligation under the bill to guard against attack by hackers, criminals, or nation states, leaving those who depend on the asset unprotected.

The logic here is that if a private network is not forced by government to protect itself, then it will be left unprotected and wide open for attack. There is no private incentive to secure one’s investment, the argument seems to be. If you’d like an explanation of why this isn’t logical, see Eli Dourado’s paper on cybersecurity market failure.

One more thing: according to Baker, present network insecurity “could easily cause the United States to lose its next serious military confrontation.” I understand asymmetric threats, but here is a listing of military spending by country. “Easily” doesn’t come to mind.

Kevin Drum and Tim Lee have been having an interesting exchange about whether those of us who oppose granting copyright holders stronger enforcement powers feel this way because we are ideologically opposed to IP protection. Tim points out that copyright owners have, as a matter of fact, received greater and greater enforcement powers–almost on an annual basis. As a result, Tim says, “most of us are not anti-copyright; we just think enough is enough, and that the menu of enforcement tools Congress has already given to copyright holders is more than sufficient.”

Sufficient for what, though? Sufficient to significantly reduce piracy online? That’s certainly not the case. Piracy is rampant on the net. Some would say, though, that the only meaningful ways left to enforce copyright would (dare I say it?) break the Internet as we know it.

So I think that when Tim says that the powers copyright holders now have are “more than sufficient,” I think he means sufficient to provide an incentive to create. After all, the purpose of copyright is to “promote the progress of science,” not to protect some Lockean notion of property. It may be the case that while owners’ rights are no doubt being violated, a further reduction in piracy won’t affect the incentive to create.

This is why many, including Julian Sanchez, Tim O’Reilly, Mike Masnick and Jonathan Coulton, question whether piracy is really a problem at all. That is, they don’t believe it may be the case that the present level of piracy doesn’t hurt content owners’ bottom lines because it’s clear that not every infringement would have otherwise been a sale. If that’s the case, then the costs of new enforcement powers would outweigh any benefits. So, the argument goes, we should do nothing.

Another argument might be that even if there is some harm on the margin to content owners from piracy–some reduction in the incentive to create–the toll a bill like SOPA would take on free speech and innovation are just not worth the reduction in piracy. So, again, we should do nothing.

Two observations about this. First, many folks, including many policymakers, do in fact take a Lockean view of copyright. I think this is why many persons believe that opponents of new legislation are secretly IP anarchists. We need to do a better job of explaining the utilitarian purpose of Copyright. (I like to tell my friends on the Right that I’m for the “originalist vision of copyright” that the Founding Fathers intended.)

Second, it’s practically impossible to figure out the exact effect of online piracy on the economy, let alone creators’ incentives. In my view the truth is much closer to the “there’s no problem” end of the spectrum than to the inflated estimates put forth by the content industry. But, it’s certainly possible that there is too much piracy. If that’s the case, and we do believe in copyright, then I think it’s incumbent upon us to try to develop alternatives to reduce piracy without breaking the Internet. I’m not saying we should advocate for these, just that we should think about what those are.

If nothing else, we’ll be able to point to these alternatives when the next SOPA is portrayed as the only possible solution. Otherwise, people like RIAA President Cary Sherman will get away with saying that we have no “constructive alternatives” or that we’re IP anarchists.

Kevin Drum thinks that we may yet see a technical solution emerge that reduces piracy while preserving an open Internet. That may be, but color me skeptical. I think it will have to be a legislative solution. What that should be, I don’t know. The OPEN Act is one alternative. Compulsory licensing, however unpopular, is another way to tackle the issue. I’m sure there are others.

It’s a hard problem, and there are no easy answers. But if we do believe in copyright, then I think the intellectually honest thing to do is to spend some time thinking about how to reduce piracy, on the margin, without breaking the Internet. We can do this at the same time we fight for greater recognition of fair use, to protect the public domain, and to roll back terms and other over-reaching in copyright.

Tate Watkins and I have an essay in Wired today looking at how the overheated rhetoric and unsupported claims around cybersecurity inflate the threat and may lead us to a new cyber-industrial complex. It’s the same theme we explore in our recent Harvard National Security Journal article and also in a feature in Reason a few months ago.

Rockefeller on #Cybersecurity : planes slamming into one another, chemical plant explosions “on the brink of what could be a calamity”

— Katy Bachman (@KatyontheHill) February 14, 2012

What do we mean by overheated rhetoric that serves more to scare than to inform? Here are some statements from Sen. Jay Rockefeller introducing the comprehensive cybersecurity bill on the Senate floor today:

“The experts are warning us that we are on the brink of something much worse. Something that could bring down our economy, rip open our national security, or even take lives. The prospect of mass casualty is what has propelled us to make cybersecurity a top priority for this year, to make it an issue that transcends political parties or ideology. …

“Admiral Mike Mullen, former Joint Chiefs chairman, said that a cybersecurity threat is the only other threat that is on the same level as Russia’s stockpile of nuclear weapons. …

“We are on the brink of what could be a calamity. A widespread cyber attack could potentially be as devastating to this country as the terror attacks that tore apart this country 10 years ago. …

“Think about how many people could die if a cyber-terrorist attacked our air traffic control system, both now and when it’s made modern, and our planes slammed into one another. Or rails switching networks were hacked causing trains carrying people, and more than that perhaps hazzardous material, toxic materials, to derail or collide in the midst of our most populate urban areas like Chicago, New York, San Francisco, Washington, DC, etc.”

He also touch on pipeline explosions and electricity blackouts, of course, and said that we needed to act immediately. It seems that some GOP senators are calling for a delay on the bill. Stay tuned.

On the podcast this week, Jonathan Coulton, a musician, singer-songwriter, and geek icon, who releases his music under a Non-Commercial Creative Commons License, discusses his thoughts on piracy from an artist’s point of view. Coulton talks about quitting his day job so he could focus on his music. He bypassed the traditional route of becoming a musician, which usually means signing to a record label, and began releasing one song per week on his website. This lead to eventual success, according to Coulton, who now makes his living as a full-time musician by touring and selling his music on his website. The discussion then turns to piracy. Coulton explains why he thinks piracy cannot be stopped and describes what he considers “victimless piracy.” He goes on to discuss the difficulties of addressing piracy issues, especially when taking fairness and practicality into account.

Related Links

• “MegaUpload”, on Coulton’s blog
• “Internet to Artists: Drop Dead”, Wall Street Journal
• Thing a Week, on jonathancoulton.com

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

Over at TIME.com I write that we should keep a close eye on moves by Russia, China and other countries to move Internet governance to the UN:

All this year, and culminating in December at the World Conference on International Telecommunications in Dubai, the nations of the world will be negotiating a treaty to govern international telecommunications services between countries. It is widely believed that some countries, including Russia and China, will take the opportunity to push for U.N. control of Internet governance. Such a turn of events would certainly be troubling. …

It’s amazing to think about it, but no state governs the Internet today. Decisions about its architecture are made by consensus among engineers and other volunteers. And that, in fact, is what has kept it open and free.

“Upending the fundamentals of the multi-stakeholder model is likely to Balkanize the Internet at best, and suffocate it at worst,” FCC Commissioner Robert McDowell said recently in a speech. “A top-down, centralized, international regulatory overlay is antithetical to the architecture of the Net, which is a global network of networks without borders. No government, let alone an intergovernmental body, can make decisions in lightning-fast Internet time.”

Read the whole thing at TIME.com.

Folks, I wanted to bring your attention to this conference on Feb. 24 from the Information Economy Project at George Mason University. The pitch:

The assembly line of our knowledge-based economy begins with technology discovery and ends with the moving target of a consumer market. Connectivity is funded and rewarded through exchanges of time, money, and digital goods. The conversation in this conference will identify key priorities in technology policy for innovation, network investment, and content delivery models. Articles will be published in a special issue of the Journal of Law, Economics & Policy.

See the website for speakers, schedule, and RSVP info.

On the podcast this week, Catherine Tucker, Douglas Drane Career Development Professor in IT and Management, and Assistant Professor of Marketing at MIT’s Sloan School of Management, discusses her paper with Avi Goldfarb in the Journal of Competition Law and Economics entitled, Substitution Between Offline and Online Advertising Markets. According to Tucker, the FTC treats online advertising as a distinct market from offline advertising for antitrust purposes. She describes the study she and Goldfarb conducted, where they sought to determine whether online advertising could serve as a substitute for offline advertising. Tucker also discusses Google’s role in online advertising, how its auction mechanism affects pricing, and the difference between search advertising and display advertising. The conversation ends with a discussion on policy implications on how dominant players in online advertising should be viewed.

Related Links

• Substitution between Offline and Online Advertising Markets, by Tucker & Goldfarb
• “Google faces antitrust glare on Capitol Hill”, Washington Post
• “Google Now Owns 44% of Global Advertising Market”, Search Engine Watch

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

Over at TIME.com I take a look at the different approaches to cybersecurity now being considered by Congress:

But what can congress do to improve cybersecurity? One line of thinking reportedly embodied by the Senate legislation, though details of that bill are not yet available, would tell network owners how to protect their systems. The Department of Homeland Security would be charged with creating security rules and punishing companies that did not comply. Such a prescriptive approach may not be very helpful, however. …

The bipartisan approach moving forward in the House, on the other hand, takes a different approach. At the center of the PRECISE Act is the creation of a non-profit National Information Sharing Organization (NISO) that would serve as a clearinghouse for the voluntary exchange of cybersecurity threat information between government and industry. Under the NISO umbrella, as long as they only share information for cybersecurity purposes, industry and government would be exempt from privacy laws that today restrict collaboration.

Read the whole thing at TIME.com.

Over at TIME.com I write that if you didn’t like SOPA because it threatened free speech, then you probably won’t like the new “Right to be Forgotten” proposed in the EU. Prof. Jane Yakowitz contributes some great insights to the piece. What I dislike most about the rule is that it subordinates expression to privacy:

[T]he new law would flip the traditional understanding of privacy as an exception to free speech. What this means is that if we treat free expression as the more important value, then one has to prove a harmful violation of privacy before the speaker can be silenced. Under the proposed law, however, it’s the speaker who must show that his speech is a “legitimate” exception to a claim of privacy. That is, the burden of proof is switched so that speakers are the ones who would have to justify their speech.

Read the whole thing at TIME.com.

On the podcast this week, Reuben Grinberg, a recent Yale Law School graduate now in private practice in New York City, discusses his paper, published in the Hastings Science & Technology Law Journal entitled, Bitcoin: An Innovative Alternative Digital Currency. Grinberg first gives a brief overview of Bitcoin, the decentralized, digital currency. According to Grinberg, Bitcoin can maintain sustainability, even though it is not backed by an institution or commodity, but it must overcome several hurdles. Grinberg then discusses the potential security problems and legal issues Bitcoin faces. He also describes some of the unique qualities of Bitcoin, including the ability to conduct transactions anonymously. Grinberg ends the discussion with his thoughts on what Bitcoin could potentially become.

Related Links

• Bitcoin: An Innovative Alternative Digital Currency, by Grinberg
• “Online Cash Bitcoin Could Challenge Governments, Banks”, Time Techland
• bitcoin.org
• The Rise and Fall of Bitcoin, Wired

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

Cybersecurity is one of the issues that the President may touch upon tonight in his State of the Union speech, and Senate Majority Leader Harry Reid has said he is ready to move on comprehensive cybersecurity legislation soon. This all raises the question: what is the problem we’re trying to fix?

In an important new working paper for the Mercatus Center at George Mason University, Eli Dourado asks if there is a market failure in cybersecurity that requires a government response. He concludes that policymakers may be jumping to conclusions a little too hastily.

Proponents of cybersecurity regulation make the case that private network owners do not completely internalize cyber risks. The reason, they say, is that a loss stemming from a cyber attack, against a financial network for example, will affect not just the network owner, but thousands of consumers as well. As a result, private network owners won’t spend the socially optimal amount on to meet that risk. That is a market failure, they say, and only government intervention can ensure that we get the right amount of cybersecurity.

In his paper, however,Dourado shows that the presence of an externality does not necessarily mean that there is a market failure. Externalities are often internalized by private parties without government intervention. This is true both generally and in the realm of cybersecurity. Policy makers, he says, should therefore be careful not to enact cybersecurity legislation just because they observe an externality. Regulating when there is no market failure will likely have dire unintended consequences.

You can download the paper at Mercatus.org.