Cybersecurity

Last week the U.S. Court of Appeals for the 11th Circuit vacated a Federal Trade Commission order requiring medical diagnostic company LabMD to adopt reasonable data security, handing the FTC a loss on an important data security case.  In some ways, this outcome is not surprising.  This was a close case with a tenacious defendant which raised important questions about FTC authority, how to interpret “unfairness” under the FTC Act, and the Commission’s data security program.

Unfortunately, the decision answers none of those important questions and makes a total hash of the FTC’s current unfairness law. While some critics of the FTC’s data security program may be pleased with the outcome of this decision, they ought to be concerned with its reasoning, which harkens back to the “public policy” test for unfairness that was greatly abused by the FTC in the 1970’s.

The most problematic parts of this decision are likely dicta, but it is still worth describing how sharply this decision conflicts with the FTC’s modern unfairness test.  The court’s reasoning could implicate not only the FTC’s data security authority but its overall authority to police unfair practices of any kind.

(I’m going to skip the facts and procedural background of the case because the key issues are matters of law unrelated to the facts of the case. The relevant facts and procedure are laid out in the decision’s first and most lucid section. I’m also going to limit this piece to the decision’s unfairness analysis. There’s more to say about the court’s conclusion that the FTC’s order is unenforceable, but this post is already long. Interesting takes here and here.)

In short, the court’s decision attempts to rewrite a quarter century of FTC unfairness law.  By doing so, it elevates a branch of unfairness analysis that, in the 1970s, landed the FTC in big trouble.  First, I’ll summarize the current unfairness test as stated in the FTC Act. Next, I’ll discuss the previous unfairness test, the trouble it caused, and how that resulted in the modern test. Finally, I’ll look at how the LabMD decision rejects the modern test and discuss some implications.

The Modern Unfairness Test

If you’ve read a FTC complaint with an unfairness count in the last two decades, you’re probably familiar with the modern unfairness test.  A practice is unfair if it causes substantial injury that the consumer cannot avoid, and which is not outweighed by benefits to consumers or competition.  In 1994, Congress codified this three-part test in Section 5(n) of the FTC Act, which reads in full:

The Commission shall have no authority under this section or section 57a of this title to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice [1] causes or is likely to cause substantial injury to consumers which [2] is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition. In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination. [Emphasis added]

The text of Section 5(n) makes two things clear: 1) a practice is not unfair unless it meets the three-part consumer injury test and 2) public policy considerations can be helpful evidence of unfairness but are not sufficient or even necessary to demonstrate it. Thus, the three-part consumer injury test is centrally important to the unfairness analysis. Indeed, the three-part consumer injury test set out in Section 5(n) has been synonymous with the unfairness test for decades.

The Previous, Problematic Test for Unfairness

But the unfairness test used to be quite different.  In outlining the test’s history, I am going to borrow heavily from Howard Beales’ excellent 2003 essay, “The FTCs Use of Unfairness Authority: Its Rise, Fall, and Resurrection.” (Beales was the Director of the FTC’s Bureau of Consumer Protection under Republican FTC Chairman Timothy Muris.) Beales describes the previous test for unfairness:

In 1964 … the Commission set forth a test for determining whether an act or practice is “unfair”: 1) whether the practice “offends public policy” – as set forth in “statutes, the common law, or otherwise”; 2) “whether it is immoral, unethical, oppressive, or unscrupulous; 3) whether it causes substantial injury to consumers (or competitors or other businessmen).” …. [T]he Supreme Court, while reversing the Commission in Sperry & Hutchinson cited the Cigarette Rule unfairness criteria with apparent approval….

This three-part test – public policy, immorality, and/or substantial injury – gave the agency enormous discretion, and the FTC began to wield that discretion in a problematic manner. Beales describes the effect of the S&H dicta:

Emboldened by the Supreme Court’s dicta, the Commission set forth to test the limits of the unfairness doctrine. Unfortunately, the Court gave no guidance to the Commission on how to weigh the three prongs – even suggesting that the test could properly be read disjunctively.

The result was a series of rulemakings relying upon broad, newly found theories of unfairness that often had no empirical basis, could be based entirely upon the individual Commissioner’s personal values, and did not have to consider the ultimate costs to consumers of foregoing their ability to choose freely in the marketplace. Predictably, there were many absurd and harmful results.

According to Beales, “[t]he most problematic proposals relied heavily on ‘public policy’ with little or no consideration of consumer injury.”  This regulatory overreach triggered a major backlash from businesses, Congress, and the media. The Washington Post called the FTC the “National Nanny.” Congress even defunded the agency for a time.

The backlash prompted the agency to revisit the S&H criteria.  As Beales describes,

As the Commission struggled with the proper standard for unfairness, it moved away from public policy and towards consumer injury, and consumer sovereignty, as the appropriate focus…. On December 17, 1980, a unanimous Commission formally adopted the Unfairness Policy Statement, and declared that “[un]justified consumer injury is the primary focus of the FTC Act, and the most important of the three S&H criteria.”

This Unfairness Statement recast the relationship between the three S&H criteria, discarding the “immoral” prong entirely and elevating consumer injury above public policy: “Unjustified consumer injury is the primary focus of the FTC Act, and the most important of the three S&H criteria. By itself it can be sufficient to warrant a finding of unfairness.” [emphasis added]  It was this Statement that first established the three-part consumer injury test now codified in Section 5(n).

Most importantly for our purposes, the statement explained the optional nature of the S&H “public policy” factor. As Beales details,

[I]n most instances, the proper role of public policy is as evidence to be considered in determining the balance of costs and benefits”  although ”public policy can ‘independently support a Commission action . . . when the policy is so clear that it will entirely determine the question of consumer injury, so there is little need for separate analysis by the Commission.’” [emphasis added]

In a 1982 letter to Congress, the Commission reiterated that public policy “is not a necessary element of the definition of unfairness.”

As the 1980s progressed, the Unfairness Policy statement, specifically the three-part test for consumer injury, “became accepted as the appropriate test for determining unfairness…” But not all was settled.  Beales again:

The danger of unfettered “public policy” analysis as an independent basis for unfairness still existed, however [because] the Unfairness Policy Statement itself continued to hold out the possibility of public policy as the sole basis for a finding of unfairness. A less cautious Commission might ignore the lessons of history, and dust off public policy-based unfairness. … When Congress eventually reauthorized the FTC in 1994, it codified the three-part consumer injury unfairness test. It also codified the limited role of public policy. Under the statutory standard, the Commission may consider public policies, but it cannot use public policy as an independent basis for finding unfairness. The Commission’s long and dangerous flirtation with ill-defined public policy as a basis for independent action was over.

Flirting with Public Policy, Again

To sum up, chastened for overreaching its authority using the public policy prong of the S&H criteria, the FTC refocused its unfairness authority on consumer injury.  Congress ratified that refocus in Section 5(n) of the FTC Act, as I’ve discussed above. Today, under modern unfairness law, FTC complaints rarely make public policy arguments and only then to bolster evidence of consumer injury.

In last week’s LabMD decision, the 11th Circuit rejects this long-standing approach to unfairness. Consider these excerpts from its decision:

“The Commission must find the standards of unfairness it enforces in ‘clear and well-established’ policies that are expressed in the Constitution, statutes, or the common law.”

“An act or practice’s ‘unfairness’ must be grounded in statute, judicial decisions – i.e., the common law – or the Constitution. An act or practice that causes substantial injury but lacks such grounding is not unfair within Section 5(a)’s meaning.”

“Thus, an ‘unfair’ act or practice is one which meets the consumer-injury factors listed above and is grounded in well-established legal policy.”

And consider this especially salty bite of pretzel logic based on a selective citation of the FTC Act:

“Section 5(n) now states, with regard to public policy, ‘In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.’  We do not take this ambiguous statement to mean that the Commission may bring suit purely on the basis of substantial consumer injury. The act or practice alleged to have caused injury must still be unfair under a well-established legal standard, whether grounded in statute, the common law, or the Constitution.” [emphasis added]

Yet those two sentences in 5(n) are quite clear when read in context with the full paragraph, which requires the three-part consumer injury test but merely permits the FTC to consider public policies as evidence.  The court’s interpretation here is also undercut by the FTC’s historic misuse of public policy and Congress’s subsequent intent in Section 5(n) to limit the FTC overreach by restricting use of public policy evidence. Congress sought to restrict the FTC’s use of public policy; the 11th Circuit’s decision seeks to require it.

To be fair, the court is not exactly returning to the wild pre-Unfairness Statement days when the FTC thought public policy alone was sufficient to find an act or practice unfair.  Instead, the court has developed a new, stricter test for unfairness that requires both consumer injury and offense to public policy.

After crafting this bespoke unfairness test by inserting a mandatory public policy element, the decision then criticizes the FTC complaint for “not explicitly” citing the public policy source for its “standard of unfairness.”  But it is obvious why the FTC didn’t include a public policy element in the complaint – no one has thought it necessary, for more than two decades.  (Note, however, that the Commission’s decision does cite numerous statutes and common law principles as public policy evidence of consumer injury in this case.)

The court supplies the missing public policy element for the FTC: “It is apparent to us, though, that the source is the common law of negligence.” The court then determines that “the Commission’s action implies” that common law negligence “is a source that provides standards for determining whether an act or practice is unfair….”

Having thus rewritten the Commission’s argument and decades of FTC law, the court again surprises. Rather than analyze LabMD’s liability under this new standard, the court “assumes arguendo that the Commission is correct and that LabMD’s negligent failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act or practice.”

Thus, the court does not actually rely on the unfairness test it has set out, arguably rendering that entire analysis dicta.

Why Dicta?

What is going on here? I believe the court is suggesting how data security cases ought to be pled, even though it cannot require this standard under Section 5(n) – and perhaps would not want to, given the collateral effect on other types of unfairness cases.

The court clearly wanted to signal something through this exercise.  Otherwise, it would have been much easier to have assumed arguendo LabMD’s liability under the existing three prong consumer injury unfairness test contained in the FTC’s complaint.  Instead, the court constructs a new unfairness test, interprets the FTC’s complaint to match it, and then appears to render its unfairness analysis dicta.

So, what exactly is the court signaling? This new unfairness test is stricter than the Section 5(n) definition of unfairness, and thus any complaint that satisfies the LabMD test would also satisfy the statutory test.  Thus, perhaps the court seeks to encourage the FTC to plead data security complaints more strictly than legally necessary by including references to public policy.

Had the court applied its bespoke standard to find that LabMD was not liable, I think the FTC would have had no choice but to appeal the decision.  By upsetting 20+ years of unfairness law, the court’s analysis would have affected far more than just the FTC’s data security program.  The FTC brings many non-data security cases under its unfairness authority, including illegal bill cramming and unauthorized payment processing and other types of fraud where deception cannot adequately address the problem. The new LabMD unfairness test would affect many such areas of FTC enforcement. But by assuming arguendo LabMD’s liability, the court may have avoided such effects and thus reduced the FTC’s incentive to appeal on these grounds.

Dicta or not, appeal or not, the LabMD decision has elevated unfairness’s “public policy” factor. Given the FTC’s misuse of that factor in the past, FTC watchers ought to keep an eye out.

—-

Last week’s LabMD decision will shape the constantly evolving data security policy environment.  At the Charles Koch Institute, we believe that a healthy data security policy environment will encourage permissionless innovation while addressing real consumer harms as they arise.  More broadly, we believe that innovation and technological progress are necessary to achieve widespread human flourishing.  And we seek to foster innovation-promoting environments through educational programs and academic grant-making.

There was a bold, bizarre proposal published by Axios yesterday that includes leaked documents by a “senior National Security Council official” for accelerating 5G deployment in the US. “5G” refers to the latest generation of wireless technologies, whose evolving specifications are being standardized by global telecommunications companies as we speak. The proposal highlights some reasonable concerns–the need for secure networks, the deleterious slowness in getting wireless infrastructure permits from thousands of municipalities and counties–but recommends an unreasonable solution–a government-operated, nationwide wireless network.

The proposal to nationalize some 5G equipment and network components needs to be nipped in the bud. It relies on the dated notion that centralized government management outperforms “wasteful competition.” It’s infeasible and would severely damage the US telecom and Internet sector, one of the brightest spots in the US economy. The plan will likely go nowhere but the fact it’s being circulated by administration officials is alarming.

First, a little context. In 1927, the US nationalized all radiofrequency spectrum, and for decades the government rations out dribbles of spectrum for commercial use (though much has improved since liberalization in the 1990s). To this day all spectrum is nationalized and wireless companies operate at sufferance. What this new document proposes is to make a poor situation worse.

In particular, the presentation proposes to re-nationalize 500 MHz of spectrum (the 3.7 GHz to 4.2 GHz band, which contains mostly satellite and government incumbents) and build wireless equipment and infrastructure across the country to transmit on this band. The federal government would act as a wholesaler to the commercial networks (AT&T, Verizon, T-Mobile, Sprint, etc.), who would sell retail wireless plans to consumers and businesses.

The justification for nationalizing a portion of 5G networks has a national security component and an economic component: prevent Chinese spying and beat China in the “5G race.”

The announced goals are simultaneously broad and narrow, and at severe tension.

The plan is broad in that it contemplates nationalizing part of the 5G equipment and network. However, it’s narrow in that it would nationalize only a portion of the 5G network (3.7 GHz to 4.2 GHz) and not other portions (like 600 MHz and 28 GHz). This undermines the national security purpose (assuming it’s even feasible to protect the nationalized portion) since 5G networks interconnect. It’d be like having government checkpoints on Interstate 95 but leaving all other interstates checkpoint-free.

Further, the document author misunderstands the evolutionary nature of 5G networks. 5G for awhile will be an overlay on the existing 4G LTE network, not a brand-new parallel network, as the NSC document assumes. 5G equipment will be installed on 4G LTE infrastructure in neighborhoods where capacity is strained. As Sherif Hanna, director of the 5G team at Qualcomm, noted on Twitter, in fact, “the first version of the 5G [standard]…by definition requires an existing 4G radio and core network.”

The most implausible idea in the document is a nationwide 5G network could be deployed in the next few years. Environmental and historic preservation review in a single city can take longer than that. (AT&T has battled NIMBYs and local government in San Francisco for a decade, for instance, to install a few hundred utility boxes on the public right-of-way.) The federal government deploying and maintaining hundreds of thousands 5G installations in two years from scratch is a pipe dream. And how to pay for it? The “Financing” section in the document says nothing about how the federal government will find tens of billions of dollars for nationwide deployment of a government 5G network.

The plan to nationalize a portion of 5G wireless networks and deploy nationwide is unwise and unrealistic. It would permanently damage the US broadband industry, it would antagonize city and state officials, it would raise serious privacy and First Amendment concerns, and it would require billions of new tax dollars to deploy. The released plan would also fail to ensure the network security it purports to protect. US telecom companies are lining up to pay the government for spectrum and to invest private dollars to build world-class 5G networks. If the federal government wants to accelerate 5G deployment, it should sell more spectrum and redirect existing government funding towards roadside infrastructure. Network security is a difficult problem but nationalizing networks is overkill.

Already, four out of five [update: all five] FCC commissioners have come out strongly against this plan. Someone reading the NSC proposal would get the impression that the US is sitting still while China is racing ahead on 5G. The US has unique challenges but wireless broadband deployment is probably the FCC’s highest priority. The Commission is aware of the permitting problems and formed the Broadband Deployment Advisory Committee in part for that very purpose (I’m a member). The agency, in cooperation with the Department of Commerce, is also busy looking for more spectrum to release for 5G.

Recode is reporting that White House officials are already distancing the White House from the proposal. Hopefully they will publicly reject the plan soon.

On August 1, Sens. Mark Warner and Cory Gardner introduced the “Internet of Things Cybersecurity Improvement Act of 2017.” The goal of the legislation according to its sponsors is to establish “minimum security requirements for federal procurements of connected devices.” Pointing to the growing number of connected devices and their use in prior cyber-attacks, the sponsors aims to provide flexible requirements that limit the vulnerabilities of such networks. Most specifically the bill requires all new Internet of Things (IoT) devices to be patchable, free of known vulnerabilities, and rely on standard protocols. Overall the legislation attempts to increase and standardize baseline security of connected devices, while still allowing innovation in the field to remain relatively permissionless. As Ryan Hagemann[1] at the Niskanen Center states, the bill is generally perceived as a step in the right direction in promoting security while limiting the potential harms of regulation to the overall innovation in the Internet of Things.

Continue reading →

[This is an excerpt from Chapter 6 of the forthcoming 2nd edition of my book, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom,” due out later this month. I was presenting on these issues at today’s New America Foundation “Cybersecurity for a New America” event, so I thought I would post this now.  To learn more about the contrast between “permissionless innovation” and “precautionary principle” thinking, please consult the earlier edition of my book or see this blog post.]


 

Viruses, malware, spam, data breeches, and critical system intrusions are just some of the security-related concerns that often motivate precautionary thinking and policy proposals.[1] But as with privacy- and safety-related worries, the panicky rhetoric surrounding these issues is usually unfocused and counterproductive.

In today’s cybersecurity debates, for example, it is not uncommon to hear frequent allusions to the potential for a “digital Pearl Harbor,”[2] a “cyber cold war,”[3] or even a “cyber 9/11.”[4] These analogies are made even though these historical incidents resulted in death and destruction of a sort not comparable to attacks on digital networks. Others refer to “cyber bombs” or technological “time bombs,” even though no one can be “bombed” with binary code.[5] Michael McConnell, a former director of national intelligence, went so far as to say that this “threat is so intrusive, it’s so serious, it could literally suck the life’s blood out of this country.”[6]

Such outrageous statements reflect the frequent use of “threat inflation” rhetoric in debates about online security.[7] Threat inflation has been defined as “the attempt by elites to create concern for a threat that goes beyond the scope and urgency that a disinterested analysis would justify.”[8] Unfortunately, such bombastic rhetoric often conflates minor cybersecurity risks with major ones. For example, dramatic doomsday stories about hackers pushing planes out of the sky misdirects policymakers’ attention from the more immediate, but less gripping, risks of data extraction and foreign surveillance. Well-meaning skeptics might then conclude that our real cybersecurity risks are also not a problem. In the meantime, outdated legislation and inappropriate legal norms continue to impede beneficial defensive measures that could truly improve security. Continue reading →

In a recent Senate Commerce Committee hearing on the Internet of Things, Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) “announced legislation that would direct the National highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure our cars and protect drivers’ privacy.” Spurred by a recent report from his office (Tracking and Hacking: Security and Privacy Gaps Put American Drivers at Risk) Markey argued that Americans “need the equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century.”

Among the many conclusions reached in the report, it says, “nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.” This comes across as a tad tautological given that everything from smartphones and computers to large-scale power grids are prone to being hacked, yet the Markey-Blumenthal proposal would enforce a separate set of government-approved, and regulated, standards for privacy and security, displayed on every vehicle in the form of a “Cyber Dashboard” decal.

Leaving aside the irony of legislators attempting to dictate privacy standards, especially in the post-Snowden world, it would behoove legislators like Markey and Blumenthal to take a closer look at just what it is they are proposing and ask whether such a law is indeed necessary to protect consumers. Continue reading →

by Adam Thierer & Andrea Castillo

Cybersecurity policy is a big issue this year, so we thought it be worth reminding folks of some contributions to the literature made by Mercatus Center-affiliated scholars in recent years. Our research, which can be found here, can be condensed to these five core points:

1)         Institutions, societies, and economies are more resilient than we give them credit for and can deal with adversity, even cybersecurity threats.

See: Sean Lawson, “Beyond Cyber-Doom: Assessing the Limits of Hypothetical Scenarios in the Framing of Cyber-Threats,” December 19, 2012.

2)         Companies and organizations have a vested interest in finding creative solutions to these problems through ongoing experimentation and they are pursing them with great vigor.

See: Eli Dourado, “Internet Security Without Law: How Service Providers Create Order Online,” June 19, 2012.

3)         Over-arching, top-down “cybersecurity frameworks” threaten to undermine dynamism in cybersecurity and Internet governance, and could promote rent-seeking and corruption. Instead, the government should foster continued dynamic cybersecurity efforts through the development of a robust private-sector cybersecurity insurance market.

See: Eli Dourado and Andrea Castillo, “Why the Cybersecurity Framework Will Make Us Less Secure,” April 17, 2014.

4)         The language sometimes used to describe cybersecurity threats sometimes borders on “techno-panic” rhetoric that is based on “threat inflation.

See the Lawson paper already cited as well as: Jerry Brito & Tate Watkins “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy,” April 10, 2012; and Adam Thierer, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” January 25, 2013.

5)         Finally, taking these other points into account, our scholars have conclude that academics and policymakers should be very cautious about how they define “market failure” in the cybersecurity context. Moreover, to the extent they propose new regulatory controls to address perceived problems, those rules should be subjected to rigorous benefit-cost analysis.

See: Eli Dourado, “Is There a Cybersecurity Market Failure,” January 23, 2012.

 

Continue reading →

Originally posted at Medium.

The federal government is not about to allow last year’s rash of high-profile security failures of private systems like Home Depot, JP Morgan, and Sony Entertainment to go to waste without expanding its influence over digital activities.

Last week, President Obama proposed a new round of cybersecurity policies that would, among other things, compel private organizations to share more sensitive information about information security incidents with the Department of Homeland Security. This endeavor to revive the spirit of CISPA is only the most recent in a long line of government attempts to nationalize and influence private cybersecurity practices.

But the federal government is one of the last organizations that we should turn to for advice on how to improve cybersecurity policy.

Don’t let policymakers’ talk of getting tough on cybercrime fool you. Their own network security is embarrassing to the point of parody and has been getting worse for years despite spending billions of dollars on the problem.

C2-Spending-and-Breaches_0

The chart above comes from a new analysis on federal information security incidents and cybersecurity spending by me and my colleague Eli Dourado at the Mercatus Center.

The chart uses data from the Congressional Research Service and the Government Accountability Office to display total federal cybersecurity spending required by the Federal Information Security Management Act of 2002 displayed by the green bars and measured on the left-hand axis along with the total number of reported information security incidents of federal systems displayed by the blue line and measured by the right-hand axis from 2006 to 2013. The chart shows that the number of federal cybersecurity failures has increased every year since 2006, even as investments in cybersecurity processes and systems have increased considerably.

Continue reading →

Hack Hell

by on December 31, 2014 · 0 comments

2014 was quite the year for high-profile hackings and puffed-up politicians trying to out-ham each other on who is tougher on cybercrime. I thought I’d assemble some of the year’s worst hits to ring in 2015.

In no particular order:

Home Depot: The 2013 Target breach that leaked around 40 million customer financial records was unceremoniously topped by Home Depot’s breach of over 56 million payment cards and 53 million email addresses in July. Both companies fell prey to similar infiltration tactics: the hackers obtained passwords from a vendor of each retail giant and exploited a vulnerability in the Windows OS to install malware in the firms’ self-checkout lanes that collected customers’ credit card data. Millions of customers became vulnerable to phishing scams and credit card fraud—with the added headache of changing payment card accounts and updating linked services. (Your intrepid blogger was mysteriously locked out of Uber for a harrowing 2 months before realizing that my linked bank account had changed thanks to the Home Depot hack and I had no way to log back in without a tedious customer service call. Yes, I’m still miffed.)

The Fappening: 2014 was a pretty good year for creeps, too. Without warning, the prime celebrity booties of popular starlets like Scarlett Johansson, Kim Kardashian, Kate Upton, and Ariana Grande mysteriously flooded the Internet in the September event crudely immortalized as “The Fappening.” Apple quickly jumped to investigate its iCloud system that hosted the victims’ stolen photographs, announcing shortly thereafter that the “celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions” rather than any flaw in its system. The sheer volume produced and caliber of icons violated suggests this was not the work of a lone wolf, but a chain reaction of leaks collected over time triggered by one larger dump. For what it’s worth, some dude on 4chan claimed the Fappening was the product of an “underground celeb n00d-trading ring that’s existed for years.” While the event prompted a flurry of discussion about online misogyny, content host ethics, and legalistic tugs-of-war over DMCA takedown requests, it unfortunately did not generate a productive conversation about good privacy and security practices like I had initially hoped.

The Snappening: The celebrity-targeted Fappening was followed by the layperson’s “Snappening” in October, when almost 100,000 photos and 10,000 personal videos sent through the popular Snapchat messaging service, some of them including depictions of underage nudity, were leaked online. The hackers did not target Snapchat itself, but instead exploited a third-party client called SnapSave that allowed users to save images and videos that would normally disappear after a certain amount of time on the Snapchat app. (Although Snapchat doesn’t exactly have the best security record anyways: In 2013, contact information for 4.6 million of its users were leaked online before the service landed in hot water with the FTC earlier this year for “deceiving” users about their privacy practices.) The hackers received access to 13GB library of old Snapchat messages and dumped the images on a searchable online directory. As with the Fappening, discussion surrounding the Snappening tended to prioritize scolding service providers over promoting good personal privacy and security practices to consumers.

Continue reading →

Adam Thierer, senior research fellow with the Technology Policy Program at the Mercatus Center at George Mason University, discusses his latest book Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom. Thierer discusses which types of policies promote technological discoveries as well as those that stifle the freedom to innovate. He also takes a look at new technologies — such as driverless cars, drones, big data, smartphone apps, and Google Glass — and how the American public will adapt to them.

Download

Related Links

Andrea Castillo and I have a new paper out from the Mercatus Center entitled “Why the Cybersecurity Framework Will Make Us Less Secure.” We contrast emergent, decentralized, dynamic provision of security with centralized, technocratic cybersecurity plans. Money quote:

The Cybersecurity Framework attempts to promote the outcomes of dynamic cybersecurity provision without the critical incentives, experimentation, and processes that undergird dynamism. The framework would replace this creative process with one rigid incentive toward compliance with recommended federal standards. The Cybersecurity Framework primarily seeks to establish defined roles through the Framework Profiles and assign them to specific groups. This is the wrong approach. Security threats are constantly changing and can never be holistically accounted for through even the most sophisticated flowcharts. What’s more, an assessment of DHS critical infrastructure categorizations by the Government Accountability Office (GAO) finds that the DHS itself has failed to adequately communicate its internal categories with other government bodies. Adding to the confusion is the proliferating amalgam of committees, agencies, and councils that are necessarily invited to the table as the number of “critical” infrastructures increases. By blindly beating the drums of cyber war and allowing unfocused anxieties to clumsily force a rigid structure onto a complex system, policymakers lose sight of the “far broader range of potentially dangerous occurrences involving cyber-means and targets, including failure due to human error, technical problems, and market failure apart from malicious attacks.” When most infrastructures are considered “critical,” then none of them really are.

We argue that instead of adopting a technocratic approach, the government should take steps to improve the existing emergent security apparatus. This means declassifying information about potential vulnerabilities and kickstarting the cybersecurity insurance market by buying insurance for federal agencies, which experienced 22,000 breaches in 2012. Read the whole thing, as they say.