I’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)
My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals. Continue reading →
In my latest essay for the IAPP “Privacy Perspectives” blog , I ponder the question: Why is it that better methods of digital contracting and data ownership have not yet developed to help us protect our privacy online? I note that the idea has long been floating around out there, but never gone anywhere. I offer a couple of explanations for why that has likely been the case. But I also note that there may still be some reasons to believe that private data contracting has a future.
Read the whole thing.
(Note: I discuss these issues in greater detail in my forthcoming George Mason Law Review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It will be out before the end of the month and I will post it here once it is live.)
Today the Heartland Institute is publishing my policy brief, U.S. Cybersecurity Policy: Problems and Principles, which examines the proper role of government in defending U.S. citizens, organizations and infrastructure from cyberattacks, that is, criminal theft, vandalism or outright death and destruction through the use of global interconnected computer networks.
The hype around the idea of cyberterrorism and cybercrime is fast reaching a point where any skepticism risks being shouted down as willful ignorance of the scope of the problem. So let’s begin by admitting that cybersecurity is a genuine existential challenge. Last year, in what is believed to be the most damaging cyberattack against U.S. interests to date, a large-scale hack of some 30,000 Saudi Arabia-based ARAMCO personal computers erased all data on their hard drives. A militant Islamic group called the Sword of Justice took credit, although U.S. Defense Department analysts believe the government of Iran provided support.
This year, the New York Times and Wall Street Journal have had computer systems hacked, allegedly by agents of the Chinese government looking for information on the newspapers’ China sources. In February, the loose-knit hacker group Anonymous claimed credit for a series of hacks of the Federal Reserve Bank, Bank of America, and American Express, targeting documents about salaries and corporate financial policies in an effort to embarrass the institutions. Meanwhile, organized crime rings are testing cybersecurity at banks, universities, government organizations and any other enterprise that maintains databases containing names, addresses, social security and credit card numbers of millions of Americans.
These and other reports, aided by popular entertainment that often depicts social breakdown in the face of massive cyberattack, have the White House and Congress scrambling to “do something.” This year alone has seen Congressional proposals such as Cyber Intelligence Sharing and Protection Act (CISPA), the Cybersecurity Act and a Presidential Executive Order all aimed at cybersecurity. Common to all three is a drastic increase the authority and control the federal government would have over the Internet and the information that resides in it should there be any vaguely defined attack on any vaguely defined critical U.S. information assets.
Continue reading →
It was my pleasure last night to take part in an hour-long conversation on “Privacy, Security, and the Digital Age,” which was co-sponsored by Mediaite and the Koch Institute. The discussion focused on a wide range of issues related to government surveillance powers, Big Data, and the future of privacy. It opened with dueling remarks from former U.S. Ambassador to the U.N. John Bolton and Ben Wizner of the ACLU. You can view their respective remarks here.
I then sat on a panel that included Atlantic Media CTO Tom Cochrane and Michael R. Nelson, who is affiliated with with Bloomberg Government and Georgetown University. The entire session was expertly moderated by Andrew Kirell of Mediaite. He did an amazing job facilitating the discussion. Anyway, the videos for my panel are below, split into two parts. My comments focused heavily on the importance of separating the government uses of data from private sector uses and explaining the need to create a high and tight firewall between State and Industry when it comes to information sharing. I also argued that we will never get a handle on government-related privacy concerns until we get control of the scope of government power. I used the example of the drug war and our government’s constantly-expanding militaristic activities both abroad and here at home. So long as government is expanding without any rational, constitutional constraint, we are going to have serious surveillance and privacy problems. (See this essay, “It’s About Power, not Privacy,” by my colleague Eli Dourado for more on that theme.)
Continue reading →
Last month, it was my great pleasure to serve as a “provocateur” at the IAPP’s (Int’l Assoc. of Privacy Professionals) annual “Navigate” conference. The event brought together a diverse audience and set of speakers from across the globe to discuss how to deal with the various privacy concerns associated with current and emerging technologies.
My remarks focused on a theme I have developed here for years: There are no simple, silver-bullet solutions to complex problems such as online safety, security, and privacy. Instead, only a “layered” approach incorporating many different solutions–education, media literacy, digital citizenship, evolving society norms, self-regulation, and targeted enforcement of existing legal standards–can really help us solve these problems. Even then, new challenges will present themselves as technology continues to evolve and evade traditional controls, solutions, or norms. It’s a never-ending game, and that’s why education must be our first-order solution. It better prepares us for an uncertain future. (I explained this approach in far more detail in this law review article.)
Anyway, if you’re interested in an 11-minute video of me saying all that, here ya go. Also, down below I have listed several of the recent essays, papers, and law review articles I have done on this issue.
Continue reading →
The suicide of Aaron Swartz earlier this year has sparked a national debate about reforming the Computer Fraud and Abuse Act (CFAA). Most notably, in June, Reps. Zoe Lofgren and Jim Sensenbrenner joined Sen. Ron Wyden to introduce Aaron’s Law, which aims to rein in the excesses of the federal computer fraud law and ensure it targets real criminals, rather than researchers or tinkerers.
Would this bipartisan reform go far enough — or too far? Would Aaron’s Law preserve the government’s ability to prosecute harmful hacking? What can activists do to promote CFAA reform in Congress?
These are some of the questions that will be explored in a panel discussion hosted by TechFreedom and the Electronic Frontier Foundation at CNET’s San Francisco Headquarters on July 22. RSVP here. Continue reading →
In June, The Guardian ran a groundbreaking story that divulged a top secret court order forcing Verizon to hand over to the National Security Agency (NSA) all of its subscribers’ telephony metadata—including the phone numbers of both parties to any call involving a person in the United States and the time and duration of each call—on a daily basis. Although media outlets have published several articles in recent years disclosing various aspects the NSA’s domestic surveillance, the leaked court order obtained by The Guardian revealed hard evidence that NSA snooping goes far beyond suspected terrorists and foreign intelligence agents—instead, the agency routinely and indiscriminately targets private information about all Americans who use a major U.S. phone company.
It was only a matter of time before the NSA’s surveillance program—which is purportedly authorized by Section 215 of the USA PATRIOT Act (50 U.S.C. § 1861)—faced a challenge in federal court. The Electronic Privacy Information Center fired the first salvo on July 8, when the group filed a petition urging the U.S. Supreme Court to issue a writ of mandamus nullifying the court orders authorizing the NSA to coerce customer data from phone companies. But as Tim Lee of The Washington Post pointed out in a recent essay, the nation’s highest Court has never before reviewed a decision of the Foreign Intelligence Surveillance Act (FISA) court, which is responsible for issuing the top secret court order authorizing the NSA’s surveillance program.
Today, another crucial lawsuit challenging the NSA’s domestic surveillance program was brought by a diverse coalition of nineteen public interest groups, religious organizations, and other associations. The coalition, represented by the Electronic Frontier Foundation, includes TechFreedom, Human Rights Watch, Greenpeace, the Bill of Rights Defense Committee, among many other groups. The lawsuit, brought in the U.S. district court in northern California, argues that the NSA’s program—aptly described as the “Assocational Tracking Program” in the complaint—violates the First, Fourth, and Fifth Amendments to the Constitution, along with the Foreign Intelligence Surveillance Act.
Continue reading →
The New York Times reports:
The Russians, who with only minimal success, had for years sought to make these companies provide law enforcement access to data within Russia, reacted angrily. Mr. Gattarov formed an ad hoc committee in response to Mr. Snowden’s leaks.
Ostensibly with the goal of safeguarding Russian citizens’ private lives and letters from spying, the committee revived a long-simmering Russian initiative to transfer control of Internet technical standards and domain name assignments from two nongovernmental groups that control them today to an arm of the United Nations, the International Telecommunications [sic] Union.
It’s not immediately clear to me how moving Internet standards and DNS from IETF and ICANN to the ITU is supposed to stop the NSA from spying on Russians, so the smart read is that this is retaliation pure and simple.
Brazil’s foreign minister, Antonio Patriota, for example, a week ago endorsed the Russian proposal to transfer some control over Internet technical standards to the United Nations telecommunications agency.
While these are not major changes in policy positions, the NSA’s surveillance programs seem to be galvanizing those who want the ITU to take an active role in Internet governance. It’s time for the USA to practice what it preaches on Internet freedom.
This afternoon, Berin Szoka asked me to participate in a TechFreedom conference on “COPPA: Past, Present & Future of Children’s Privacy & Media.” [CSPAN video is here.] It was a in-depth, 3-hour, 2-panel discussion of the Federal Trade Commission’s recent revisions to the rules issued under the 1998 Children’s Online Privacy Protection Act (COPPA).
While most of the other panelists were focused on the devilish details about how COPPA works in practice (or at least should work in practice), I decided to ask a more provocative question to really shake up the discussion: What are we going to do when COPPA fails?
My notes for the event follow down below. I didn’t have time to put them into a smooth narrative, so please pardon the bullet points. Continue reading →