Securing Privacy in the Internet Age
Daniel Solove: The New Vulnerability: Data Security and Personal Information
Jennifer Chandler: Tort Liability for Cyber Insecurity: The Case of DDoS Attacks
Michael Froomkin: The Uneasy Case for National ID Cards as a Means to Enhance Privacy
Lance Hoffman: An Architecture to Allow Metadata-driven Legal and Economic Controls in Privacy-sensitive Systems
Ian Ballon: Coming Wave of Security Litigation
Intentionally Leaky Technology
Daniel Gervais: Price of Social Norms – Towards a Privacy-friendly Liability Regime for P2P
Christopher Wolf: Air Passenger Privacy Issues
Jonathan Weinberg: RFID and Privacy
Pamela Samuelson: Sensor Networks and Privacy
Challenges for the Chief Privacy Officer
Thomas Smedinghoff: Defining the Legal Standard of Information Security
Andrew Charlesworth: The Evolution of Privacy Regulation in the Internet Age – Smooth or Episodic
Alex Fowler: Connected Privacy: Embedding Meaningful Privacy Measures into Business
Jon Sobel: Privacy in the Internet Age
From Contractual Freedom to Strict Liability
Shubha Ghosh & Vikram Mangalmurti: Social Insurance Perspective on Cybersecurity and Privacy
Raymond Nimmer: Contracts and Data Protection
Finding the Players in the Privacy Shell Game
Marcy Peek: Beyond Contract: Utilizing Restitution
Michael Birnhack & Niva Elkin-Koren: Securing Privacy in a Multi-player Regime
Susan Brenner: Should Criminal Liability Be Used to Secure Data Privacy?
Tim Wu: The International Privacy Ratchet
Alternatives for Privacy Enhancement
Jay Kesan: The Economic Case for Cyberinsurance
Lillian Edwards: The Problem with Privacy: A Modest Proposal
Coeditors: Margaret Jane Radin, Anupam Chander, Lauren Gelman
Program on Law, Science & Technology
Center for Internet & Society
Funded by Cy Pres Fund
What will it take to handle the privacy problem?
Many possible tools at our disposal
Need a way to talk about these questions calmly, practically
From
Computer Networks are vulnerable, and this data is important
Digital Dossiers about our lives: 100s of businesses & government
Used to assess reputation, credibility, eligibility for loans, jobs, arrest
Need to make sure these are safe, correct
Identity Theft – use of personal information to illegally access financial or other goods
FTC (2003) – Almost 10 million Americans within the past year
300 million hours to fix it
$5 billion consumer loss to ID theft
Tech. solutions for a tech problem? → crypto, firewalls
BUT: not the root cause of information abuse
Problem is legal, business model
Companies provide access to plenty of people
Information abuse – hierarchy of staging: insecurity enables leaking which can lead to harm
Misuse – used for ID theft, marketing, stalking
Cause concrete injuries: emotional distress, financial loss, physical violence
Criminal law is proposed as a solution
BUT: not enough resources in law enforcement, thieves are hard to catch, happens across multiple jurisdictions
Victims can’t use tort
Thieves don’t have deep pockets, still have to track them down
Enabling credit information seen as victims themselves, rather than at fault
Fair & Accurate Credit Transactions Act – FACTA
Allow people to deal with ID theft
Opting out of pre-screened credit, coordination b/n credit firms, free credit reports
Amelioration, remedial approach, doesn’t prevent ID theft
Even preempts more protective state laws
Law needs to act earlier on to prevent data misuse
Data Leaks
Not always a harm, merely exposure to potential for harm
Tracing leak to harm is harder, may happen past statute of limitations
Insecurity – problem of architecture
Primary flaw is the low-tech entry point
Social Security Number as the password – this is a stupid idea
On documents, in wallet; we have control over
as an identifier!
Can get SSN for sale on the internet
Common solution: use more information → mother’s maiden name
Also publicly available
Also: diminishing utility of repeated use of identifier
3 billion pre-approved credit notices
Identity theft has been constructed
Gov’t has stamped us with ID, but not regulated its use
Businesses use it as password
Low security on our dossiers
→ bad business practices
Architectures of control vs. “architectures of vulnerability”
Cause harm by increasing risk of harm
Law needs to get involved at this stage, higher in the chain
Possible Paradigmatic Solutions
Fiduciary duty analogies (Jessica Litman)
Data protectors should have a higher standard of conduct (doctor/patient, lawyer/client)
Tort Law
Emotional Distress: courts have been reluctant to allow this itself
BUT: John Doe case – SC ruled that release of SSN wasn’t harm itself
Increased Risk of Future Harm
Petriello vs. Kahlman (sp) – medical malpractice
Structural Remedies
FTC has had a privacy role: companies intervene w/ breach of privacy policy
Charged MS Passport system for not providing adequate security
Settlement of improvement, and acceptance of monitoring and review
BUT: FTC only enforces that which is promised
GLB mandates security of information
Mandate for FTC to take action
From
Netsky – removed backdoors of myDoom, replace with its own
Current wave of virus attacks may be a turf war
We’re bystanders in this battle
Enormous loss, but hard to quantify: time, brand, service delivery, more security
Diversion of scarce resources hurts the poorer countries
Critical systems need to be isolated
Hacktivism hurts the marketplace of ideas (e.g. Al Jazeera takedown)
Denial of Service attack – server is overwhelmed by traffic and can’t use
Distributed: use of many computers under control of malware
42% of surveyed firms reported being a victim of these attacks
Why do security flaws happen?
1) Society will tolerate this because it’s too expensive to fix
2) Architecture issues
Underinvestment in security because of public good nature
Consumers don’t understand the issue
Perverse incentives in SW development – need to sell versions
Parties in DDOS that might be susceptible to tort liability
Victim can’t do much themselves for protection – high bandwidth, complex infrastructure, spoofing traffic
Websites that circulate information about how to run DDOS
Why drive info underground, how to ID the whitehat community?
ISP could block ports, screen traffic
Potential liability
Trend towards trusted computing
End users – why don’t they patch their systems since attacks happen after bug awareness
Patches are not always reliable, can be spoofed
Externality – owners of attacked computers unlikely to be victim themselves
Stop the users
Automated patching BUT EULA, destabilizing
Hold them liable
Disconnect them
Focusing on the end users not so helpful
Software developers – stop the problem at the beginning
What do you mean by SW?
Or have a competition between vendors to look for vulnerabilities
Monoculture issues – if you can attack one, you can attack all
Legislate security standards of software BUT – it’s complex, context dependent, bad track record
Gov’t should use purchase-driven mandate
Torts: Sue for negligence
Who will sue?
Purchaser has contract which may require arbitration, may contribute w/ lack of patches
Victim of DDOS would be a good plaintiff
Not involved in contract w/ vendor or contributed
Active harms from PR hit
Defense of SW vendor
Duty of care - Criminal 3rd party breaks chain of causation
BUT: may exist anyway i.e. landlord security negligent
Issues with cyberspace/real property analogies – may suppress innovation
Key feature: control over context where harm takes place – SW vendor may control this context
Not all SW – need ubiquity to define context. Why? Why not any party who makes bad SW?
Pure economic loss hard to recover – how to limit liability in this context?
BUT: this might be relational economic loss
Cheaper overall – net economic gains
Hard to prove fault in acquisition of ownz0red boxes
Assumption of risk in a server on the net
[Presentation cut short, but paper addresses mechanism to determine standards]
Q: If bad business practices and governance, how did this come about? Profit maximizing, unintended consequences, political economy?
A: Privacy Act only restricted Agency use of SSNs, not private business. Businesses like SSNs because it makes linking data easier, so they want a common aspect. US vs. EU regimes, FTC is the safe harbor that tries to protect
Q: Why use negligence & tort liability?
A: Use as many tools as possible, ISPs would only stop propagation; attack the root cause
Q: International liability issues?
A:
Q: (from me) How to set standards, given multiple types of code error.
A: Buffer overflows are the most common → function of C, but it’s a known problem, can automate searches that make the testing smaller. This is a known and repetitive risk, that can be examined. BUILD SECURITY IN! Demand what’s reasonable.
Q: Is ID theft less of a problem in the EU wrt privacy laws?
A: We don’t know.
Q: (from Microsoft) Root cause is the criminals, not the SW; shouldn’t just blame the SW because law enforcement can’t catch the criminals. It’s just jumping to deep pockets. Time lag issues as well.
A: Government
Q: (Froomkin) Thing being operated is the HW – the owner of the machine is not using it right. It’s like a swimming pool without a fence. Law and Econ (hypothetically, of course) says that
A: Sticky to implement, hard to raise awareness.
Q: End user is liable sometimes: if a payment transaction fails b/c of SW, it’s the user that is still responsible.
Q: Agency regulations aren’t really all that effective.
A: What else will you use? Get rid of the FDA despite it’s faults?
Supposes that reform is necessary. Can have top-down regulations, technology and architecture-driven reform or common-law development. These papers address each of the three approaches.
From
Approach: What do ID cards make necessary? Can we have cards and still have privacy?
Is there a scenario where ID cards can enhance privacy?
Salient issue: SC case of XXX
Proponents: ID cards are touted as a solution to all sort of problems – working on examining merits of those claims
Cards not important so much as linked databases that it keys
Biometric is embedded ID card
Opponents: Image is highly visceral: “Papers please”
Status quo: Formally voluntary regime for ID cards – no actual requirement
You don’t have to have a driver’s license: makes due process a little sticky.
Due process is hard, and can’t enforce things
Starting point for analysis: Compare ID card regime to either privacy utopia BUT need a realistic counterfactual for comparison.
Mandated use of ID card with strong privacy protections
Status quo is bad, and getting worse
Cards can be designed well, protected with strict legal limitations
Complaint: centralized data will be a central point of failure, determined by business lobbyists
BUT: status quo has too many flaws, can’t control at all.
“Let’s roll the political dice”
People can get energized by privacy
Most people use rational privacy myopia
Transactional data: average cost for user is higher than marginal cost from consumers
Putting plastic in people’s pockets will make privacy more salient.
Why not to have privacy policies?
Psychological cost of defining relationship between
Malicious law enforcement – J Edgar problem
BUT: is this really that hard today? Compare w/ status quo
Social value to forgetfulness which dossiers make harder
BUT: aren’t we going there anyway
Predictive Profiling: criminals use credit cards for delivery pizza
National ID system as a DRM mechanism
Generalized Megan’s Law: warning about just about anything
Card system is better than just a biometric, since you can revoke it more easily
George Washington CS dept
Future issues needed from computer security
Accountability
Stopping ID theft
Freedom vs. security
Always on, all the time – technical protocols that deal with these
Build fast, fix later (never)
Example: Intelligent Transportation Systems
Parents monitoring where their kids are driving
Privacy vs. accountability
Short term anonymity
Thinking about a fishbowl society – need to consider ubiquitous data collection & storage
Who watches the watchers
Control rules over data: tamper resistant security & privacy audit control mechanisms in personal data records
charge/meter access if needed/wanted
Want “value-free system design”
Allow market, law and norms to determine
Take the technical “lessigian dot” out of the picture
Based on work by Pam Samuelson which ones?
Is this even possible?
Internet voting issues
General Access control rules
Pervasive tracking should lead to pervasive audit trails
Talking about Gateway security, internal security, security of data in transmission
Last is well covered by federal law already
Security today is like privacy in 1995
Status Quo
Federal Legislation
Gramm-Leach-Bliley
HIPAA security rule
State Legislation
CA state law: Breach of security requires notice to customers
FTC Enforcement Actions – sensitizing companies to these issues
Guess Inc. (2003) Lexis 85
Microsoft (2002) Lexis 43
Eli Lilly &
Internet Class Action Litigation
…
[Note taker had to duck out here]
Absence of standards make litigation inevitable and hard to predict
FTC and Attorneys General
Q: (Moderator)National ID would concentrate public attention, but would the regulations only apply to national ID itself? Why would companies buy in?
A: Data scrubbing can be legally addressed. But companies need something, and what will they do?
Q: (Moderator)Mandatory or Voluntary Audit trail for metadata?
A: This is/should be open to debate. Importance is to build the system, come up with model
Q: (Privacy Activism) Statutory Requirement → due process, but we’ve seen such a slippery slope (Airlines) today; why won’t use expand permanently?
A: Bringing it out in the open will bring out standard processes of due process. Now, it’s very secretive, and we don’t know what is going on. See John Gilmore case.
Q: (Microsoft) To protect identities, you need to authenticate the identity. Need a scrub list, which keeps ID. Ability to forget may not be so desirable.
A: [Froomkin] was talking about a more civil-rights driven forgetability, a second-chance idea. Most of the American lit is about the importance of forgetting
Q: (University of
A: Probably should have digital signatures on card. Public Welfare issues: Privacy Act isn’t bad about agency issues—we’re more concerned with law enforcement. Fraud prevention is a use of ID cards: end goal of reputable self-reporting. Census & Tax databases are fairly well protected, in part by strong bureaucracies.
Q: (TJ school of law) What happens when we shift the rules or have crooked bureaucrats? Why steer through the sirens?
A: Can use audit tools like Hoffman’s. The constitution does have some amount of protection.
Q: (
A: Dots are being connected right now. Convenience is also desirability. Utility vs. security. See also Brin’s Transparent society.
Q: Why do we have to take “dot connecting” for granted? See EU Directive.
A: There is a tradeoff.
Q: Cybercafes pose identification and authentication issues
A: Could require
Q: (Weinberg) Have the ID card and restrictions on data use, but how will the constitution protect our privacy against privacy-encroaching legislation?
A: 4th amendment might protect data records. (Controversial) and many abuses will be protected.
Q: (
A: Only respond to OECD rules if it’s a WIPO treaty :) And the EU doesn’t tie the
Q: Thoughts on impacts of state law of security breach notification?
A: [Ballon] counseled [his] clients against a security policy a la privacy policy.
Q: (Privacy Rights Clearinghouse) Connecting the dots and the wrong conclusions: What do you do about Robert Hatfeld as the guy who’s profile matched an anthrax terrorist.
A: Distinction between predictive profiling and publication. Suspect getting talked to vs. making it public. Statistical profiling for investigation vs. capacity to destroy career. Counterquestion: is a visit from the local constabulary a bad thing?
Q: Counter response – social forgiveness takes a long time, and the “usual suspects” is dangerous. Risk aversion means that you just don’t trust people who have been “tainted”
Q: (followup) Perverse incentives from police to get a suspect.
A: But this info can also be used to acquit people.
Data is flowing outward from these systems we use regularly. How to address this data flow?
University of
Backdrop of copyright law: RIAA/CRIA
EU – a positive right of information for seizure for origins of infringement
“Under this law, your home is not your castle anymore; you will have to defend it quite aggressively”
Technopolicy triangle: technology, markets and regulation (see paper for explication)
When norm is empowered by tech, and you try to use regulation to stop it, tech will react by allowing circumvention/blocking enforcement
File sharing case study: file sharing was a strong social norm – 60% think it’s ok
Tech responded with innovations, will continue—no silver bullet
Given a certain small payment ($5/month from US, lower elsewhere) → $12 billion profit/year
No cost for distribution in this system, unlike CD sales
Why isn’t music industry doing this
Stuck in propertization paradigm – minimizing unauthorized usage
Should be maximizing authorized usage → liability regime
Need some central admin work
Collect data and money
Centralize licensing for rightsholders
Users – need early decoupling of personal usage
Who does it: Govt, ISPs, Collectives, new companies
Data collection needed to disburse revenue, but can/should/must be done with privacy protection in mind.
Need an opt-out system: compulsory license systems are illegal under TRIPS
Lawyer for Northwestern & JetBlue, but not wrt this litigation
Passenger name records (PNR) are made available to TSA at flight time
Linking them, your list of PNR is big and complex
Can include personal information from 3rd parties, get lots of info
How are PNRs legally protected?
Privacy policy of airline websites are wildly diverse, many metasites or travel agencies have none
Controversy: PNRs turned over to government agencies (voluntarily, to help the country)
Jetblue: Outrage, 16 lawsuits, FTC complaints, attorneys general
Northwestern: Fewer suits, possibly chilled by the motions to dismiss
Will the state plaintiffs be preempted by federal law
What claims do plaintiffs have?
Electronic Communications Privacy Act (ECPA)
State common law claims: breach of contract or privacy tort
Basic question: what expectations of privacy does the consumer have for PNR data
Privacy claims against federal rules: if data goes from private sources to private contractors, gov’t privacy restrictions don’t apply
CAPS II: profiling program
1st and 14th amendment issues
What data will be collected, how long, shared with whom, how data mined
What’s an airline to do if gov’t demands data?
Need standards for handling PNR
Certainty required to promote aviation security
Many variables at stake
What is RFID? - Automatic ID and data collection systems
Small tags with data, will broadcast the data when queried by a reader
EPC: electronic product code is similar to a bar code, but
Doesn’t need to be scanned manually
Can be read quickly, out of line-of-sight, many at a time
Item-level tagging unique
Huge for inventory management
Most tagging systems haven’t been standardized yet
Use a DNS-like system for linking objects to electronic records - ONS
Applications
RFID in passports, currency
Limit range to millimeters
Prescription drugs, kids, pets, library books
Embedded in supermarket loyalty cards
Privacy issues:
Risks of data usage require access to electronic network
Persistent identifier if no clear access: over time can build a profile
Current limits on technology
Price – tags still have non-trivial per-unit cost
Read rates – can’t read many at once
Competition might drive people away from open data display (Ross Stapleton-Gray)
What is new and unique about the privacy threats of this technology?
1) Strangers can read your data without any relation to you, or affiliated parties, without consent or notice
No way to keep a tag from broadcasting information – too hard to get crypto
2) Can track you through geographic space in the world
3) Data isn’t linked to other identifiers
Classic privacy issues are linked to your name
Privacy threats of RFID
If tag info is associated with your identifiers
This info is coming from other sources getting rid of 2)
BUT: now info can only be drawn if I have previous contact, so 1) drops out
Now the new threat is 2) above
Tag number as persistent identifier
1) holds, for X person in their geographic space
Still have threat of tying information to this info
Tag gives identifier, with data, but not enduring
Violates personal space issues for marketing, access based on
Policy response
Limit linking of tags to info records
Limit constant tags releasing data: kill stations or no simple tags
Bulk of post-POS data collectors have no need for information
BUT: is this too costly? Maybe, but probably not, since the
[top] Tags that are personal should probably be more sophisticated
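The tracking threats and the kill-station policy response described above, as an added Python simulation (not from Weinberg’s talk or these notes; every reader location, the EPC string and the customer label are constructed sample data). It also shows, beyond the notes, that a tag never linked to a name still yields a movement track, and that one link made at the point of sale attributes every later third-party sighting to the person.

```python
"""Constructed model of RFID privacy threats: a passive tag answers every
reader with a persistent identifier, so fixed readers along a shopper's
day produce a track; killing the tag at POS stops post-POS sightings."""
from collections import defaultdict

# Constructed reader locations in the order the tagged item passes them.
# The first two are inside the store (shelf and checkout); the rest are
# third-party readers with no relation to the shopper.
READERS = ["store-shelf", "store-POS", "street-kiosk",
           "pharmacy-door", "office-lobby"]
POS_INDEX = 1

# Constructed identifier; only the shape resembles an EPC/SGTIN string.
JACKET_EPC = "urn:epc:id:sgtin:CONSTRUCTED.000001.1"


class Tag:
    """Passive tag: broadcasts its EPC to any reader until it is killed."""

    def __init__(self, epc):
        self.epc = epc
        self.killed = False

    def respond(self):
        return None if self.killed else self.epc


def simulate_day(kill_at_pos):
    """Return (minute, reader, epc) sightings as the item passes each reader
    in READERS, one reader every 30 minutes. With kill_at_pos the checkout
    acts as a kill station and later readers get no response."""
    tag = Tag(JACKET_EPC)
    sightings = []
    for i, reader in enumerate(READERS):
        epc = tag.respond()
        if epc is not None:
            sightings.append((30 * i, reader, epc))
        if kill_at_pos and i == POS_INDEX:
            tag.killed = True
    return sightings


def tracks_by_epc(sightings):
    """Threat 2 in the notes: group sightings by tag number. No name is
    needed; the persistent identifier alone yields a movement track."""
    tracks = defaultdict(list)
    for t, reader, epc in sorted(sightings):
        tracks[epc].append((t, reader))
    return dict(tracks)


def attribute(tracks, linkage):
    """Threats 1 and 3: once any party (e.g. POS plus a loyalty card) records
    epc -> person, every third-party sighting of that EPC becomes profile
    data about the person. Tags absent from the linkage stay keyed by EPC."""
    return {linkage.get(epc, epc): route for epc, route in tracks.items()}


def post_pos_sightings(sightings):
    """Count reads by readers positioned after the point of sale."""
    after = set(READERS[POS_INDEX + 1:])
    return sum(1 for _, reader, _ in sightings if reader in after)


if __name__ == "__main__":
    for kill in (False, True):
        day = simulate_day(kill_at_pos=kill)
        profile = attribute(tracks_by_epc(day),
                            {JACKET_EPC: "constructed-customer"})
        print("kill at POS:", kill,
              "| post-POS sightings:", post_pos_sightings(day),
              "| profile:", profile)
```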
UC
Considerable amount of R&D on sensor networks of small computers that can sense environment, transmit data
E.g. after an earthquake, is a building safe? Activities of elderly, weather/water info, bioterrorism
Sensor Networks vs. RFIDs
Both are tiny computational systems with wireless transmission abilities
Sensor networks are higher tech, and more active: sense physical activities rather than just identify
Technical challenge: tiny processors, transmission, energy conservation
Doing everything very small – tiny OSes, security, etc
CITRIS conversations
Collaboration with technologists
Techies want to submit a query, and get an answer about law
Short window for development of good law
Lawyers must educate the technologists about law, but understand tech as well
Problems of escaping “toolkits” to use older paradigms, metaphors
FIPS and sensor networks
Data collection is the norm (notice & consent)
Absence of cues that sensing being done (notice & consent)
Boundaries b/n public & privacy spaces
Everyone is a potential data collector (i.e. RFID)
New kinds of data
New kinds of storage – where is data in the system?
Increased ability to make patterns out of seemingly innocuous data
Data easy to reuse
Concept of “my data” is harder, ss
Lots of data is useless
Caselaw issues
Kyllo
What to do:
Privacy-sensitive technology
Context-dependent encryption for data
Authentication for access
Flush logs
Turn sensors off, or detect sensors
Q: (
A: Concept of public domain is ill defined, but yes, it’s a challenge.
A: Genuine tension between protecting privacy and free expression
Q: Cell phones are already a little bit of ubiquitous information collection
A: FCC has helped ensure that your cell phone knows where you are at all times. BUT: telling the phone company vs. telling the world
A: Voluntary cell phone acquisition vs. involuntary, unknown sensor nets
A: Anecdote: OnStar knows where I am, but can’t say where their call center is.
Q: (service provider journal) RFIDs enable mayhem?
A: Yes, and there are other issues. Ross Stapleton-Gray talks about corporate espionage.
Q: (Hoffman) War driving ethical issues. How do you sandbox research issues.
A: See Stapleton-Gray’s sorting door, where people could see what tags they have on them. CITRIS is trying to engage and build sandbox rules.
Q: VOIP and P2P – law enforcement issues,
A: Industry’s attitude has made users bitter, may be too late for licensing. Industry has reduced risky releases, only going for cash cows. Selling data for access is troublesome: importance is to collect data. The point of my P2P talk is that it’s not neutral.
Q: Followup – need fewer data points in the distribution chain to cull personal information.
Clients ask: “What do I have to do?” what are the info security obligations
Different approaches
“Just make it happen” – focus on results
Like HIPAA
“Do this specific thing” – implementation of specific security mechanism
CA reg: need to use crypto for transmission of SSN
“Do what is reasonable” Like a negligence standard
“Follow this process” – security is fact specific
Companies have a legal obligation, which extends to 3rd parties, lies with upper management
BUT: not fixed rules on what to do or how to do it
What is the process that you have to go through
(inspired by GLB & HIPAA)
Asset assessment
Hardware, PII, financial info, tax records, trade secrets, transaction info
Risk assessment
Size and scope of the operation
Written security program → implementation
Manage the risks, burden of implementing defense
Industry standards (BUT: TJ Hooper standard says that sometimes you need to do more than standard)
Monitoring & reassessment
Security is a process
No legal safe harbor for information security
From
Argument that state regulation will become ineffective in key economic areas
Solutions premised on clearly elucidated privacy interests
“Decentered” regulatory solutions have to work to manage trust and risk
Smooth evolution of law, focus on sectoral changes
Limited disruption
No attempt to tackle wider privacy interest questions
Avoids conflict
Potentially fatal to innovation, and we don’t have tools for radical change
Episodic evolution
Understanding of contextual nature and role of privacy interests
Need creative destruction: socially and economically valuable
Involve public in regulation
Reduces need for incremental additions
Was the EU Data Protection Directive Episodic? No.
Maintenance of status quo.
Lack of social engagement – not a lot of talk about what public or regulated firms wanted
Lack of flexibility
Need for additional regulation to clarify
Perspective: M-commerce (R)evolution
Federated identity management allows you to work through different environments
FIM vs. privacy
Cross borders
Distance subjects from data controllers
Distance subjects from other service providers
→ hard to fit in existing regulations
Need an Episodic Step for m-commerce privacy
Accept the demise of central data control regulation
Deregulate, or use industry-based approach
m-commerce has a trust-based motivation → self interest for privacy
What would successful policy look like?
Risk management
Ability to demonstrate due diligence
Legitimacy of regulated firms and the general public needed
Protects [public, firms]
Can be copied
Jurisdictional harmonization, rather than left up to interpretation
Organizational View of Privacy
Complex, cross-jurisdictional regulatory environment
Impacts firm trust and brand
Looking in on business perspective
Decentralized business structures
Uncertainty in data handling: what info, who has access, what are the compliance issues
Two schools of thought wrt privacy management in business
Old School: privacy is a cost center, not a growth driver → dislike more privacy laws & compliance
New School: customers like privacy
Privacy as an opportunity for brand
HIPAA Example
Old School: compliance in the absence of public values
Patients just sign form, little consumer info or care
Disconnects of privacy
Perception = reality in privacy
Policy Paralysis in complex regulatory environments
Intention vs. incentives – data misuse can be rewarded
Data quantity vs data quality – orgs get as much info as possible, figure out use later
Security = privacy fallacy
Online = offline privacy challenges
Rapid response program driven by Westin’s energized segment
Privacy = data management from the organizational perspective
How do you move from old school to new school of thinking?
Customer value perspective
Not one person, esp. in a large company, who knows what/where the data is
Most of the major cases have been mistakes, not malfeasance
How do you approach the issue, if you’re a company?
Theme: We’re currently in a contract regime
If it’s a market regime, there must be a market failure
Something’s not working here.
Not a lot of empirical data about what’s important and what people really care about it
Need to figure out what’s important
Challenges that companies face:
Managers trained to make money, not to think about privacy
Company won’t die for privacy missteps, but brand will take a hit
Incentives aligned: smart business people see that they shouldn’t blow privacy
Dynamics of firms in privacy environments
Consent
National Security Concerns, post 9/11
Need to make it readable
Temptation is to specify as much as possible
Yahoo! Spent a long time on it
McCain pulled it up on national TV as unintelligible
Contracts and Regulators: standard is that of gullible consumer
Unease with traditional contract law
Competing regulators
Not just online contracts – other data collection sources
Q: (Bridget McDermott) Online banking study showed that people will take a risk for a small amount of money.
A: Peter Coleman (MS privacy chief) RBC has quantified privacy value, but it might not address core value.
A: Different roles for security for these online transactions. Prevent bad stuff, comply with regulations, develop regulations. Context for needed level of trust because they know it’s safe.
Q: Where does EU email directive fit between smooth and episodic?
A: Very smooth. Tinkering around the edges.
Q: (Privacy Clearinghouse) Story about H&R Block kiosks, no protection for data.
Q: (Elaine Newton) Is there any evidence that people would be loyal to privacy or seek it out?
A: Permission-based marketing have advanced that theory, but what does “evidence” mean?
A: Haven’t seen rigorous data, but firms that blew it try to fix it immediately.
A: Anecdotal evidence
Q: Customers get pissed about spam, even with pre-existing relationships, companies have to listen. Will be blocked if they don’t listen to customers.
Q: What are effects of current regulation climate?
A: Is the government the best agent to dictate info processes? Need to bring customer into equation.
A: Regulatory regimes can be bad if innovation shifts it to be irrelevant or stifling.
[This talk was delivered very fast and the slides were too full of content
to read quickly, so I may not have captured the full focus of the talk]
Development of user trust
Starting point: Radin, Lessig
Merged with Le Corbusier, architectures for us
Lots of other interdisciplinary insights – Cassell, Turing, cybernetics, etc.
Empirical & normative
Security with architectures of growth
Emergent organizational code vs. hierarchical top-down legislative & technical code
Ecology of internet data security
Is there legal emergence in data security contracting?
Is it adaptive, and does it build useful legal constructions?
2 constructions: privacy policies & terms of use
Hypothesis: More clear privacy policies, but more liability shifted to user
Empirical analysis of privacy policies over time
Sample – 75 firms public firms, good methodological sampling
Content analysis of privacy policy
Point based for disclosures, shifting provision
Sampling across time
Terms of use enforceability is backed by case study
Clickwraps valid → BUT need notice and visibility
Results
Significant shift in policies
BUT: burden shifted onto users
Browsewrap GUIs probably not up to code, but not user-friendly either
Weaknesses in current system
Lack of trust and uncertainty with both parties
Uncertainty in contractual construction and predictability outcome
Proposal – merge terms of use and privacy policy
Self-imposed fair…. [something]
Usability content testing
Use simultaneous standardization and customization for the user
Create new legal constructions that are adaptable,
A “daily me” of internet contracting
Relational conversational agent to negotiate these contractual issues
Informed by law & economics
Thinking about other policy tools to protect personal interests and information
Insurance is about aligning interests
Moral hazard, perverse incentives
Not an ideological perspective on property/torts/contracts
Boils down to the issue of trust
Narrow point: strict liability for failed information security systems
BUT: not negligence, like Chandler
Only use liability as a mental model / thought experiment to get to the incentives perspective
Broader point: security and privacy should be thought of as a matter of social insurance
Focus on institutions and context of transactions
Social insurance: ensure trust in architecture
Highways, inoculation, securities law
Risk and uncertainty balanced by liability and accountability
See Nissenbaum’s paper on accountability
People will still use resources, but maybe not as efficient/effective
E.g. - CA law imposes a duty to warn → social insurance aspect
Case for & against strict products liability approach
Historical parallels
Product vs. service – how do you classify SW, wrt security issues?
Meaning of a defect – standards are hard. Need a risk utility analysis.
Difficulty in determining who is liable.
Redistributors, open source
Role of consumer modification defense – open source consideration as well
Implications of social insurance
Legislative solution modeled on strict product liability
Private rights vs. public structure and optimality
Privacy vs. security
Demand vs. supply
Individual right vs. public good
Need some language to discuss interaction
Languages of the debate are disparate: rights, regulation, contracts
Privacy isn’t a useful word – focusing on “transactional data”
Non private, accurate as to what it portrays, corporate-individual exchanges
Case: Ms. Lindqvist, who worked at a church w/ website, disclosed health condition (sprained ankle) of colleague
Ended up in court vs. EU Directive
Contract law is inevitable for transaction data
Consent
Contracts grounded in interactions & transaction costs for legal enforcement of expectations
Issue: how do parties allocate and control data creation and use?
Basic approach: no restriction on use unless express, or statutorily defined
Rights and social costs of data protection
Assa costs that need to be balanced by resulting benefits or exchanged
Compliance costs
Commercial speech
Effect on future transactions – finding permission
Value and response
AEI brookings study – value of personal information
[skipped slides]
Default rules have a function on contract settings
Most efficient if people can use info as a default
Sensitive data can be protected accordingly
Need to think about Trusted Computing issues
Need to encourage real notice, but need protection given notice → focus on environment of protection given notice
Identity theft is growing, hard to define – 10 million victims
Everything from using another’s credit cards vs. criminal arrests & false information
Focus: new lines of credit in other people’s names
Problem is bad business practices rather than consumer reporters
“Clifford J Dog” – guy took out a credit card in his dog’s name when solicited
Roots causes of
FCRA – burden isn’t high enough to prevent the credit report from going to unauthorized person: “reasonable procedures”
Trusted insider issue – really easy to pull credit reports on people
30,000 credit reports illegally accessed – Experian & Ford case
Credit granters do not have good standards to authenticate applications
Don’t need IDs, biometrics, just clerks to read the applications
Tons of examples
Aggressive competition
5 billion pre-approved credit offers – only need to add SSN & DoB (all easy to get)
Can even use an alternate address on card!
“Magic 3 seconds” of credit granting – instant authentication
Any liability for that?
Consumer tools for cure
People find out about it too late
Credit report monitoring can halt damage, but not eradicate it
Liability for false issuance of credit → hasn’t held up
Huggins vs. Citibank – no relation between issuing bank and the victim of ID theft
Phase shift for tools of credit - Default is that credit report is frozen and not accessible
Can thaw it on demand, for certain conditions
Password
Phone number access
Thaw it for a few days
Stops impermissible pull
Can opt out
Why not to change the credit system
Cost
(BUT – cost of the current system is $50 billion)
Inefficiency – maybe you want it
(BUT can opt out, build in personalizable authentication)
Q: Are contracts adequate to the task at hand
A: Contract is just one part of a broader scheme. Code and law from top down, emergent best practices from bottom up.
A: Need to define the problem. Can make a good case for SSNs to be inside a contract environment, but there’s so much info that
A: Mortgage firms make you sign a tax record release, but are sharing it with corporate affiliates. Need to stop this.
A: Areas where contracts don’t fill the need. Disparity of user sophistication.
A: Markets for information are complicated: subject of the contract itself but also the background of the transaction. How do you separate descriptive and substantive information.
Q: Computer security acts are frightening because capture can preempt common law development.
A: State laws avoid controversy, which will be involved in privacy. Interstate Commerce issue is a little problematic too.
Q: What about ICC and state laws?
A: Yes, CA laws might not hold up constitutionality
A: Federal legislation has been getting weaker. State laws have been using FIPS,
Q: (Elaine Newton) What about P3P?
A: More flexibility, and force the user to engage in privacy and rights issues.
Q: (
A: Hard to compare internationally, wrt different credit practices. Costs now are transferred to issuers and merchants. Merchants are paying for fraud that they didn’t cause. ID theft victims paying the cost. We need to slow down credit, which synchs with economists saying that there’s too much consumer credit.
Q: Is there a merchant constituency?
A: MBNA is huge lobbyist, argued for Bankruptcy Bill
Q: (TJ law) Who is on the plaintiff side for SPL, and how do they contribute to the negligence?
A: Need some sort of reasonable standard for negligence. How is risk allocated among parties.
A: Interoperability issues are difficult.
Q: (Creative Commons) What about multi-party transactions? You involve your bank every time you talk about something else.
A: A typical credit card transaction has 3 contracts involved, online or offline. CC regulated by GLB.
Q: (Lillian Edwards) ID theft in EU is going up, according to a recent report.
Q: Andrea vs. P3P – consumers don’t want active involvement!
A: Use a technological solution, agent negotiation. Also, this will be an open standard. Isn’t P3P open?
Q: What did you mean by industry default rules?
A: UCITA had a possible clause about transaction data. Could have used Article 2 as a vehicle for standardized privacy issues. Thus, data not related to contract issue in
Q: (Beth Givens) FACTA was heralded, but it was driven by State laws.
Q: Readability experts should be involved in privacy policy drafting. But credit groups may not want super clear privacy policies, as an active involvement.
Q: Notice can work, if it’s done well.
A: Yes, readability important.
A: Hard to walk the line between simple, readable discussions and
From
[This guy] was hacking into Acxiom for several years
Acxiom assigns a lifestyle grouping to each of us.
After hacking was discovered, FBI found several other hacking issues
Torch concepts (jet blue?) project: presentation about
“Shadow offenders” – no direct relationship to individuals, but massive data stores of personal information
E.g. Acxiom, ChoicePoint, information brokers & data miners
Many offenses: misuse, mishandling of data → causes fraud, ID theft, credit mishandling
Not in privity of contract with users → users can’t sue them with contract theory
So: little incentive to protect data
Use principles of “quasi contract” for unjust enrichment
Permissible parties
Restitution
Proposal: liable in restitution if firm is unjustly enriched at the expense of individual
Remedy: restore benefit or pay money to eliminate unjust enrichment
Focus isn’t on enrichment, but on the unjust nature of that enrichment
Why use restitution for
1) Gives incentives to defend data
2) Doesn’t rely on presumption of a specific set of promises
3) Gives remedy to the actual victim, rather than injunctions and fines that benefit gov’t
4) Placing value on what the defendant gains → get a valuation of the harm
Avoid the battle over propertization/valuation of personal data
Is there enrichment w/ data mishandling?
May not be the necessary cause and effect
Issues with mechanism of restitution
From
Privacy worth pursuing, threatened by state AND the market
State vs. citizen → constitutional law
Corp. vs. user → common law
(State + corps) vs. citizen/user → ???
“The Invisible Handshake”
Players:
The state - IT has reduced state’s control devices
Private sector – increased power
Increased power of information gateways → gatekeepers
Law can reduce competition
Context: post 9/11 legislation
Recruiting of private sector
CALEA tech capacity, data retention, data preservation, obligations and immunities of OSPs
.gov + .com = ?
No longer bipolar relationship b/n state & citizen
ISP as a 3rd player b/n gov’t and citizen
Con law and common law only cover part of the relationship
Meaning of “Invisible Handshake”
Unholy alliance
Private actors enjoy additional power.
Fighting terror has a cost: liberty encroachments
Minimize costs: constitution, state action doctrine, judicial oversight
→ Make invisible handshake
Why criminal liability?
Why not to do this: It’s draconian and messy—be parsimonious
Civil liability is not enough sometimes: need a specific “harm”
I.e. fraud or stalking
Systemic interest that is significant – generalized social harm
What is privacy? Right, property, source?
What does it encompass? Many facets, not a unitary concept
Privacy as an antonym, something that is defined in opposition
Subjective: “reasonable”, “expectations of privacy”
Assume risk of no privacy
Arms race
Different kinds of data (Katz) how related to Katz?
Tool data: SSN, usable to commit crime
Biographical data: not private
Transactional data: assumed risk of disclosed data
Criminal liability
Individual control BUT: people don’t understand consequences
Individual “harm”
Institutional control – generalized “harm”
I.e. US v. Park – grocery CEO held criminally liable for rats in warehouse
Risk of not securing the data put on data custodians
Traditional model is reactive, based on state, borders → doesn’t work for cybercrime
Need flexible standards, tech neutral
Agent of the state question – a hacker discovers child pornography and tells state
Imposing liability on institutions, need criminal liability as an incentive/deterrent
From UVA law; presentation is part of The Return of the Leviathan
Can a legislator flapping wings in
Interactions between states creating a de facto privacy regime
How can other countries ruin or strengthen a domestic privacy regime
Country interactions example: e.g. libel across borders
Internet: site can be located outside state, not bound by laws (or so they say)
Model 1: Restrictive rule wins – Yahoo case, Dow Jones v. Gutnick Libel
Restrictive law wins because firms want to avoid asset seizure
Model 2: Least restrictive state wins – IP, gambling, obscenity
“Cyberanarchy”
Difference between models: physical presence in a country exposes them to harms
Business model drives the difference
Privacy problem
Intrusive – non-consensual taking of intrinsically valuable information (Harvesting emails)
Least powerful entities involved, hardest to stop → lack of assets limits power
Controls largely confined to use of intermediaries
State might have become more powerful
Transactive – misuse of consensually supplied data by known entities (online airline booking)
More powerful entities, multinationals
Restrictive rule – i.e. EU Directive
Governmental violations
WTO and unilateral sanctions
It depends on what you care about
International regime will lead you to different systems
Q: How do economics drive attention or rejection of national laws by multinational firms?
A: If Yahoo makes enough money selling Nazi goods, then it will ignore
Q: Policy prescription for making the invisible handshake more visible
A: Require judicial review
Q: Race to the top of regulatory scale through the use of gov’t controlled intermediaries: how does gov’t put pressure on them?
A: Targeting credit card companies, follow the money trail, controlling citizens indirectly. All through physical assets located in specific jurisdictions. BUT: not always a race to the top.
A: Search engines, and the copyright enforcement issues.
Q: (Michael Robin) Private companies sharing info with government, but what about gov’t outsourcing data to businesses?
A: Falls within regular paradigm of constitutional law, which governs gov’t abuse
Q: What does invisible handshake look like in
A: More cooperation between public and private. NB: Israeli private sector is closer to EU model, and the transactions are fairly visible. E.g. cell operator licenses are bound to act according to “secret appendix” so we know that info is being gathered, but subject to judicial review. Concern is more about the casual, voluntary interactions between ISPs and law enforcement.
Q: What about hack-back? Can a victim fight back, or at least break law by patching others systems?
A: [Susan] doesn’t think it’s a good idea. Vigilante justice comes up when there are gaps (or perceived gaps) in law enforcement, but it’s still not a good idea. Error rate, anarchy, legitimacy in the process,
A: The LE budget is below what it should be. Challenges aren’t that much more difficult than in the real world.
A: A bank in
Also – no evidence that it will be an effective deterrent
Q: What is cyberlaw like in
A: Protected in public sphere by “basic law of human dignity” which is constitutional. Similar to Canadian charter. Comprehensive privacy act in 1981, identifying privacy as a right.
Q: Anything specifically applied to internet?
A: Use common law, apply previous laws to internet. BUT: disappointing record of compliance in websites → depends on awareness and willingness of rights holders
Q: (Beth Givens) Any thought to the value of personal information in terms of restitution? (persons name & address is worth $.05-1.00)
A: Haven’t looked into it yet, maybe another paper.
With Ruperto Majuca and Bill Yurcik
People already have insurance, but they’re designed to cover traditional, not cyber perils
International losses, tangible losses,
Why cyber insurance? Economic case for it
Compare with self-insurance to mitigate loss
Compare with self-protection to prevent loss
Cyberinsurance increases self-protection
Raise awareness
Incentivize self-protection → better IT safety
Cyberinsurance complements self-protection and vice versa
Cyberinsurance facilitates socially-optimal precautions
Information pooling and expertise → more/better standards
Cyberinsurance increases social welfare
Creating a market for internet risk bearing
Maximize total utility on loss and no loss → pick optimal level of insurance for social optimality
Emerging cyberinsurance practice
IT safety and precautions emphasized
Aggressive pursuit of attackers
Large and growing demand: $2.5 bn by 2005
Need to facilitate the creation of a market in internet risk bearing
GLB – sensitive info and customer notices
When is notice required → section 501
Agencies set security guidelines
2 tiered mandatory disclosure scheme
Agency notification
Customer notification – after sensitive info (SSN, etc), only if possibility of harm or misuse
Two competing responses from GLB regulations in the comments
Fleet – market based approach to customer notices
Leave us alone, don’t make us tell our customers
Narrow notification to where harms have occurred, or the possibility
If we have to disclose too much, we won’t disclose….
Legal & reputational sanctions chase security breaches out of system
Financial info bears a lot of risk
Reputational concern
Allows for self-policing
BUT: disclosure disincentive – incentive to conceal b/c of reputation – lying to the marketplace
BUT: Disclosure externality – won’t internalize full costs b/c info can be used to defraud other institutions
Bank X may be able to manage own risk after harm, but it could spread
Can’t trace fraud back to info leak of any specific bank
FRB of
Recognize worry about disclosure
Anonymizer intermediary about security breaches
This anonymized leaking information is given to customer without bank name
Still prompts good customer behavior
Target their ex post behavior
Lemons equilibrium because customers may not select bank because of
Model
Benefit to customers
Benefit other institutions w/ externalities
Response coordinations
BUT: less information about reputations → customers don’t use it anyway
BUT: maybe less incentive to secure information
Disclosure regulation is necessary
Enforcement model vs. market enhancing model
Edinburgh, IP & Technology Law
Privacy is now in Marie Claire
What are the harms to consumers?
Unwarranted disclosures
Spam, popups
ID theft: up 45% in the
Advantages of sharing data
Get personalized services, convenience
Businesses get an asset
Trusted relationship b/n business and consumer
Fix problem, don’t throw out baby with bath water
EU DP model has some issues
Trans-jurisdictional issues (spam isn’t from the EU)
Hard to enforce it in cyberspace (elephants vs. mice)
Very casual enforcement mech
40% of commercial websites didn’t know what info they had
Lack of customer pressure to enforce it – DP enforcement depends on this
Lack of awareness on DP rights
Notions of consent, opt-in, opt-out, contested
Self regulation
“we’ve talked about this”
Code - Automated bargaining
No real choices, not real protection from privacy policies
Possible consumer perception as a firewall
How can you value it in aggregate
Control of information
How to secure it?
Contract, tort, DP, code, criminalization
Alternate model –
(Inspired by Terry Fisher’s P2P approach: give out music, get money back from some social tariff)
“Data wants to merge” (“flow”)
Controlling flow of personal information doesn’t work
Trust model
Truster gives asset to trustee who holds it for the beneficiary subject to fiduciary obligations
Protracted gift, no consent needed
Individuals have an incentive to aggregate data for higher value of data
Data collector has highest standard of care
Individuals have a right of action, abuse of trust
Does away with consent
Tax on data collection from companies
Pay to middle person
Too hard to give money back to data subjects
Use money for:
Mitigate losses from privacy harm
Free availability for PETS with this money
Payout for statutory fines.
BUT: tragedy of the commons, since no one firm would have loss
Q: Don’t underestimate importance of protecting brand
A: Tradeoff between identification of breacher and how future harms will be prevented. Key problem – institutions play chicken not to be the first one to disclose breach. Still try to capitalize the brand.
Q: Insurance of cybersecurity is different because we don’t have a point of product liability → distributional issue
A: If price mechanisms will work, need to identify who will pay for what. Insurance holds vendors liable, but they can’t foresee the entire risk. So price mechanisms may not work
Q: But won’t I be subsidizing Microsoft?
Q: (Tim Wu) With EU model, why wouldn’t we want to predominantly target the “elephants” since no one trusts “mice” with their info anyway. If the elephants comply, isn’t that successful.
A: Mice get data from elephants. People are making money from data collection, and they owe some kind of payoff.
These notes were recorded on the fly by Allan Friedman, and any omissions or inaccuracies are purely his fault. To learn more about the papers here, please see the conference website, see the Symposium volume to be published in the fall, or contact the authors directly.
I am not a lawyer. Thus, many of the complex legal terms may have been skipped over, and it’s possible I have misrepresented an argument. Please contact me (allan_friedman at ksg.harvard.edu) for any corrections or clarifications.
I apologize for the horrendous formatting; I took notes in Microsoft Word and was lazy about dumping things into HTML, so plenty of nasty artifacts remain.