December 2014

Hack Hell

December 31, 2014

2014 was quite the year for high-profile hackings and puffed-up politicians trying to out-ham each other on who is tougher on cybercrime. I thought I’d assemble some of the year’s worst hits to ring in 2015.

In no particular order:

Home Depot: The 2013 Target breach that leaked around 40 million customer financial records was unceremoniously topped by Home Depot’s breach of over 56 million payment cards and 53 million email addresses in July. Both companies fell prey to similar infiltration tactics: the hackers obtained passwords from a vendor of each retail giant and exploited a vulnerability in the Windows OS to install malware in the firms’ self-checkout lanes that collected customers’ credit card data. Millions of customers became vulnerable to phishing scams and credit card fraud—with the added headache of changing payment card accounts and updating linked services. (Your intrepid blogger was mysteriously locked out of Uber for a harrowing 2 months before realizing that my linked bank account had changed thanks to the Home Depot hack and I had no way to log back in without a tedious customer service call. Yes, I’m still miffed.)

The Fappening: 2014 was a pretty good year for creeps, too. Without warning, the prime celebrity booties of popular starlets like Scarlett Johansson, Kim Kardashian, Kate Upton, and Ariana Grande mysteriously flooded the Internet in the September event crudely immortalized as “The Fappening.” Apple quickly jumped to investigate its iCloud system that hosted the victims’ stolen photographs, announcing shortly thereafter that the “celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions” rather than any flaw in its system. The sheer volume produced and caliber of icons violated suggests this was not the work of a lone wolf, but a chain reaction of leaks collected over time triggered by one larger dump. For what it’s worth, some dude on 4chan claimed the Fappening was the product of an “underground celeb n00d-trading ring that’s existed for years.” While the event prompted a flurry of discussion about online misogyny, content host ethics, and legalistic tugs-of-war over DMCA takedown requests, it unfortunately did not generate a productive conversation about good privacy and security practices like I had initially hoped.

The Snappening: The celebrity-targeted Fappening was followed by the layperson’s “Snappening” in October, when almost 100,000 photos and 10,000 personal videos sent through the popular Snapchat messaging service, some of them including depictions of underage nudity, were leaked online. The hackers did not target Snapchat itself, but instead exploited a third-party client called SnapSave that allowed users to save images and videos that would normally disappear after a certain amount of time on the Snapchat app. (Although Snapchat doesn’t exactly have the best security record anyways: In 2013, contact information for 4.6 million of its users was leaked online before the service landed in hot water with the FTC earlier this year for “deceiving” users about their privacy practices.) The hackers received access to a 13GB library of old Snapchat messages and dumped the images on a searchable online directory. As with the Fappening, discussion surrounding the Snappening tended to prioritize scolding service providers over promoting good personal privacy and security practices to consumers.


As 2014 draws to a close, we take a look back at the most-read posts from the past year at The Technology Liberation Front. Thank you for reading, and enjoy. Continue reading →

This morning, a group of organizations led by the Center for Responsibility and Ethics in Washington (CREW), R Street, and the Sunlight Foundation released a public letter to House Speaker John Boehner and Minority Leader Nancy Pelosi calling for enhanced congressional oversight of U.S. national security surveillance policies.

The letter—signed by over fifty organizations, including the Electronic Frontier Foundation, the Competitive Enterprise Institute, and the Brennan Center for Justice at the New York University School of Law, as well as a handful of individuals, including Pentagon Papers whistleblower Daniel Ellsberg—expresses deep concerns about the expansive scope and limited accountability of intelligence activities and agencies, famously exposed by whistleblower Edward Snowden in 2013. The letter states:

Congress is responsible for authorizing, overseeing, and funding these programs. In recent years, however, the House of Representatives has not always effectively performed its duties.

The time for modernization is now. When the House convenes for the 114th Congress in January and adopts rules, the House should update them to enhance opportunities for oversight by House Permanent Select Committee on Intelligence (“HPSCI”) members, members of other committees of jurisdiction, and all other representatives. The House should also consider establishing a select committee to review intelligence activities since 9/11. We urge the following reforms be included in the rules package.

The proposed modernization reforms include:

1) modernizing HPSCI membership to more accurately reflect House interests by allowing chairs and ranking members of other committees with intelligence jurisdiction to select a designee on HPSCI;

2) allowing each HPSCI Member to designate a staff member of his or her choosing to represent their interests on the committee, as is the practice in the Senate;

3) making all unclassified intelligence reports quickly available to the public;

4) improving the speed and transparency of HPSCI responsiveness to member requests for information; and

5) improving general HPSCI transparency by better informing members of relevant activities like upcoming closed hearings, legislative markups, and committee activities.

The groups also urge reforms to empower all members of Congress to be informed of and involved with executive intelligence agencies’ activities. They are: Continue reading →

The FCC is currently considering ways to make municipal broadband projects easier to deploy, an exercise that has drawn substantial criticism from Republicans, who passed a bill to prevent FCC preemption of state laws. Today the Mercatus Center released a policy analysis of municipal broadband projects, titled Community Broadband, Community Benefits? An Economic Analysis of Local Government Broadband Initiatives. The researcher is Brian Deignan, an alumnus of the Mercatus Center MA Fellowship. Brian wrote an excellent, empirical paper about the economic effects of publicly-funded broadband.

It’s remarkable how little empirical research there is on municipal broadband investment, despite years of federal data and billions of dollars in federal investment (notably, the American Recovery and Reinvestment Act). This dearth of research is in part because muni broadband proponents, as Brian points out, expressly downplay the relevance of economic evidence and suggest that the primary social benefits of muni broadband cannot be measured using traditional metrics. The current “research” about muni broadband, pro- and anti-, tends to be unfalsifiable generalizations based on extrapolations of cherry-picked examples. (There are several successes and failures, depending on your point of view.)

Brian’s paper provides researchers a great starting point when they attempt to answer an increasingly important policy question: What is the economic impact of publicly-funded broadband? Brian uses 23 years of BLS data from 80 cities that have deployed broadband and analyzes muni broadband’s effect on 1) quantity of businesses; 2) employee wages; and 3) employment. Continue reading →

Over the course of the year, I collect some of my favorite (and least favorite) tech policy essays and put them together in an end-of-year blog post so I will remember notable essays in the future. (Here’s my list from 2013.) Here are some of the best tech policy essays I read in 2014 (in chronological order).

  • Joel Mokyr – “The Next Age of Invention,” City Journal, Winter 2014. (An absolutely beautiful refutation of the technological pessimism that haunts our age. Mokyr concludes by noting that, “technology will continue to develop and change human life and society at a rate that may well dwarf even the dazzling developments of the twentieth century. Not everyone will like the disruptions that this progress will bring. The concern that what we gain as consumers, viewers, patients, and citizens, we may lose as workers is fair. The fear that this progress will create problems that no one can envisage is equally realistic. Yet technological progress still beats the alternatives; we cannot do without it.” Mokyr followed it up with a terrific August 8 Wall Street Journal oped, “What Today’s Economic Gloomsayers Are Missing.”)
  • Michael Moynihan – “Can a Tweet Put You in Prison? It Certainly Will in the UK,” The Daily Beast, January 23, 2014. (Great essay on the right and wrong way to fight online hate. Here’s the kicker: “There is a presumption that ugly ideas are contagious and if the already overburdened police force could only disinfect the Internet, racism would dissipate. This is arrant nonsense.”)
  • Hanni Fakhoury – “The U.S. Crackdown on Hackers Is Our New War on Drugs,” Wired, January 23, 2014. (“We shouldn’t let the government’s fear of computers justify disproportionate punishment. . . . It’s time for the government to learn from its failed 20th century experiment over-punishing drugs and start making sensible decisions about high-tech punishment in the 21st century.”)
  • Carole Cadwalladr – “Meet Cody Wilson, Creator of the 3D-gun, Anarchist, Libertarian,” Guardian/Observer, February 8, 2014. (Entertaining profile of one of the modern digital age’s most fascinating characters. “There are enough headlines out there which ask: Is Cody Wilson a terrorist? Though my favourite is the one that asks: ‘Cody Wilson: troll, genius, patriot, provocateur, anarchist, attention whore, gun nut or Second Amendment champion.’ Though it could have added, ‘Or b) all of the above?’”)


Last week, two very interesting events happened in the world of copyright and content piracy. First, the Pirate Bay, the infamous torrent hosting site, was raided by police and removed from the Internet. Pirate Bay co-founder Peter Sunde (who was no longer involved with the project) expressed his indifference to the raid; there was no soul left in the site, he said, and in any case, he is “pretty sure the next thing will pan out.”

Second, a leaked trove of emails from the Sony hack showed that the MPAA continues to pursue their dream of blocking websites that contribute to copyright infringement. With the failure of SOPA in 2012, the lobbying organization has pivoted to trying to accomplish the same ends through other means, including paying for state attorneys-general to attack Google for including some of these sites in their index. Over at TechDirt, Mike Masnick argues that some of this activity may have been illegal.

I’ll leave the illegality of the MPAA’s lobbying strategy for federal prosecutors to sort out, but like some others, I am astonished by the MPAA’s lack of touch with reality. They seem to believe that opposition to SOPA was a fluke, whipped up by Google, who they will be able to neutralize through their “Project Goliath.” And according to a meeting agenda reported on by TorrentFreak, they want to bring “on board ‘respected’ people in the technology sector to agree on technical facts and establish policy support for site blocking.”

The reality is that opposition to SOPA-style controls continues to remain strong in the tech policy community. The only people in Washington who support censoring the Internet to protect copyright are paid by Hollywood. If, through their generous war chest, the MPAA were able to pay a “respected” tech-sector advocate to build policy support for site blocking, that very fact would cause that person to lose respect.

Moreover, on a technical level, the MPAA is fighting a battle it is sure to lose. As Rick Falkvinge notes, the content industry had a unique opportunity in 1999 to embrace and extend Napster. Instead, it got Napster shut down, which eventually led to decentralized piracy over BitTorrent. Now, it wants to shut down sites that index torrents, but torrent indexes are tiny amounts of data. The whole Pirate Bay index was only 90MB in 2012, and a magnet link for an individual torrent is only a few bytes. Between Bitmessage and projects like Bitmarkets, it seems extremely unlikely that the content industry will ever be able to shut down distribution of torrent data.

Instead of fighting this inevitable trend, the MPAA and RIAA should be trying to position themselves well in a world in which content piracy will always be possible. They should make it convenient for customers to access their paid content through bundling deals with companies like Netflix and Spotify. They should accept some background level of content piracy and embrace at least its buzz-generating benefits. They should focus on soft enforcement through systems like six strikes, which more gently nudge consumers to pay for content. And they should explicitly disavow any effort to censor the web—without such a disavowal, they are making enemies not just of tech companies, but of the entire community of tech enthusiasts and policy wonks.

Earlier this week I posted an essay entitled, “Global Innovation Arbitrage: Commercial Drones & Sharing Economy Edition,” in which I noted how:

Capital moves like quicksilver around the globe today as investors and entrepreneurs look for more hospitable tax and regulatory environments. The same is increasingly true for innovation. Innovators can, and increasingly will, move to those countries and continents that provide a legal and regulatory environment more hospitable to entrepreneurial activity.

That essay focused on how actions by U.S. policymakers and regulatory agencies threatened to disincentivize homegrown innovation in the commercial drone and sharing economy sectors. But there are many other troubling examples of how America risks losing its competitive advantage in sectors where we should be global leaders as innovators look offshore. We can think of this as “global innovation arbitrage,” as venture capitalist Marc Andreessen has aptly explained:

Think of it as a sort of “global arbitrage” around permissionless innovation — the freedom to create new technologies without having to ask the powers that be for their blessing. Entrepreneurs can take advantage of the difference between opportunities in different regions, where innovation in a particular domain of interest may be restricted in one region, allowed and encouraged in another, or completely legal in still another.

One of the more vivid recent examples of global innovation arbitrage involves the well-known example of 23andMe, which sells mail-order DNA-testing kits to allow people to learn more about their genetic history and predisposition to various diseases. Continue reading →

What sort of public policy vision should govern the Internet of Things? I’ve spent a lot of time thinking about that question in essays here over the past year, as well as in a new white paper (“The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation”) that will be published in the Richmond Journal of Law & Technology early next year.

But I recently heard three policymakers articulate their recommended vision for the Internet of Things (IoT) and I found their approach so inspiring that I wanted to discuss it here in the hopes that it will become the foundation for future policy in this arena.

Last Thursday, it was my pleasure to attend a Center for Data Innovation (CDI) event on “How Can Policymakers Help Build the Internet of Things?” As the title implied, the goal of the event was to discuss how to achieve the vision of a more fully-connected world and, more specifically, how public policymakers can help facilitate that objective. It was a terrific event with many excellent panel discussions and keynote addresses.

Two of those keynotes were delivered by Senators Deb Fischer (R-Neb.) and Kelly Ayotte (R-N.H.). Below I will offer some highlights from their remarks and then relate them to the vision set forth by Federal Trade Commission (FTC) Commissioner Maureen K. Ohlhausen in some of her recent speeches. I will conclude by discussing how the Ayotte-Fischer-Ohlhausen vision can be seen as the logical extension of the Clinton Administration’s excellent 1997 Framework for Global Electronic Commerce, which proposed a similar policy paradigm for the Internet more generally. This shows how crafting policy for the IoT can and should be a nonpartisan affair. Continue reading →

Capital moves like quicksilver around the globe today as investors and entrepreneurs look for more hospitable tax and regulatory environments. The same is increasingly true for innovation. Innovators can, and increasingly will, move to those countries and continents that provide a legal and regulatory environment more hospitable to entrepreneurial activity. I was reminded of that fact today while reading two different reports about commercial drones and the sharing economy and the global competition to attract investment on both fronts. First, on commercial drone policy, a new Wall Street Journal article notes that:

Amazon.com Inc., which recently began testing delivery drones in the U.K., is warning American officials it plans to move even more of its drone research abroad if it doesn’t get permission to test-fly in the U.S. soon. The statement is the latest sign that the burgeoning drone industry is shifting overseas in response to the Federal Aviation Administration’s cautious approach to regulating unmanned aircraft.

According to the Journal reporters, Amazon has sent a letter to the FAA warning that, “Without the ability to test outdoors in the United States soon, we will have no choice but to divert even more of our [drone] research and development resources abroad.” And another report in the U.K. Telegraph notes that other countries are ready and willing to open their skies to the same innovation that the FAA is thwarting in America. Both the UK and Australia have been more welcoming to drone innovators recently. Here’s a report from an Australian newspaper about Google drone services testing there. (For more details, see this excellent piece by Alan McQuinn, a research assistant with the Information Technology and Innovation Foundation: “Commercial Drone Companies Fly Away from FAA Regulations, Go Abroad.”) None of this should be a surprise, as I’ve noted in recent essays and filings. With the FAA adopting such a highly precautionary regulatory approach, innovation has been actively disincentivized. America runs the risk of driving still more private drone innovation offshore in coming months since all signs are that the FAA intends to drag its feet on this front as long as it can, even though Congress has told the agency to take steps to integrate these technologies into national airspace. Continue reading →

I’ve just released a short new paper, co-authored with my Mercatus Center colleagues Christopher Koopman and Matthew Mitchell, on “The Sharing Economy and Consumer Protection Regulation: The Case for Policy Change.” The paper is being released to coincide with a Congressional Internet Caucus Advisory Committee event that I am speaking at today on “Should Congress be Caring About Sharing? Regulation and the Future of Uber, Airbnb and the Sharing Economy.”

In this new paper, Koopman, Mitchell, and I discuss how the sharing economy has changed the way many Americans commute, shop, vacation, borrow, and so on. Of course, the sharing economy “has also disrupted long-established industries, from taxis to hotels, and has confounded policymakers,” we note. “In particular, regulators are trying to determine how to apply many of the traditional ‘consumer protection’ regulations to these new and innovative firms.” This has led to a major debate over the public policies that should govern the sharing economy.

We argue that, coupled with the Internet and various new informational resources, the rapid growth of the sharing economy alleviates the need for much traditional top-down regulation. These recent innovations are likely doing a much better job of serving consumer needs by offering new innovations, more choices, more service differentiation, better prices, and higher-quality services. In particular, the sharing economy and the various feedback mechanisms it relies upon help solve the traditional economic problem of “asymmetrical information,” which is often cited as a rationale for regulation. We conclude, therefore, that “the key contribution of the sharing economy is that it has overcome market imperfections without recourse to traditional forms of regulation. Continued application of these outmoded regulatory regimes is likely to harm consumers.” Continue reading →