Difficult Problems in Cyberlaw

In the final days of class before presentations and papers were due, we dove into our cross-cutting themes and discussed takedown procedures and other processees, potential “rights” and interactions between individuals and entities. We talked about the platforms and sites that enable cooperation and trust and potential problems that arise out of situations like this. In these final few sessions we didn’t solve the difficult problems, but got to ask questions and learn from the answers.

The solutions proposed by the class for:

• Global Network Initiative
• Ubiquitous Human Computing
• Future of Wikipedia
• Cybersecurity

will be posted here in the coming days.

Last Tuesday night’s class was a smorgasbord of Cybersecurity and privacy cross-cutting-themes, fittingly on the day that Google announced it will begin to withdraw censorship from China.

We met with Michael Fertik, CIO of Reputation Defender and Ebele Okobi-Harris, Yahoo! Director of Business and Human Rights–we talked with Mark Surman, Aza Raskin and Julie Martin general counsel, all from Mozilla. We also heard from Ryan Calo, a SLS Fellow at CIS and Lauren Gelman, also with CIS and teaching next quarter. We were also joined by Carl Malamoud, who was present for the law.gov workshop happening at Stanford earlier in the day.

The first issue we tackled was information users voluntarily give out to websites. Are these users aware of where their data is going? How long it stays there? Where else it could be allocated to?

Mozilla seeks to undermine the current obfuscation of privacy messages towards users. Their Privacy Icons project is in very nascent stages and is actively seeking feedback from the public. They seek to inform users about the information they’re giving out online, via icons that allow users to comprehend the most significant pieces of privacy statements and terms of service (ToS). As a browser with hundreds of millions of users, Mozilla’s Firefox is situated in a unique but significant standpoint to attack the obscurity of privacy and ToS statements. Mozilla aims for these standards to be normative.

What types of icons would you implement? What type of icons would you have? Would you use a feature like this? What is the best way to foster a relationship between companies and a project like this going forward?

These problems have been addressed before, in projects like the Platform for Privacy Preferences, but solutions have not met widespread usage.

The class members pointed out the perceived disconnect between anonymity and privacy. On the first day of class, students had posted predictions for the day’s “difficult problems” but many felt that it was an invasive and surprising behavior when Professor Zittrain opened up the wiki with the day’s predictions submitted, by name, by members of the course. Though the information was “public” many were surprised when the supposedly buried and obscure information became the central point of conversation.

How can a user interface be changed to make users more aware of their actions and repercussions?

We discussed privacy from the standpoint of a schism in the Creative Commons (CC) community: is the point of CC to offer authors choice about how they want to license their stuff, ranging anywhere from all rights reserved (at which point you don’t need CC, it’s effectively copyright) to attribution only necessary, or is it more about representing a certain normative view of the world and encouraging the world to adopt this view?

The outlook on privacy rights can be viewed the same way–is it about choice for the user or is it about an ideology represented by a certain standard of norms?

We also heard from Ebele Okobi-Harris of Yahoo! who spoke about the Global Network Initiative (GNI) as an excellent vehicle for crisis situations and direct action. She also described how it is appropriate that GNI offers a roadmap for comapnies to make decisions but at the same time is not GNI’s place to make decisions for the companies. Each company in GNI has a different approach. Yahoo! unlike many other companies has its own department that heads up human rights for the company (of which Okobi-Harris is in charge). One of the specific issues she spoke about was an ongoing lawsuit in Belgium wherein law enforcement officials requested that Yahoo! hand over information (more details here) which is a human rights concern.

Do you agree with Yahoo!’s decision to withhold information? Do you feel that other companies of similar stature and influence should maintain a human rights department? What are other potential and effective approaches? What are advantages to having a department dedicated to this issue?

We finally landed on Reputation Defender, a fix for the other side of the ‘privacy and information ownership’ spectrum. Michael Fertik, CEO of the company explained that a vast amount of content about a person is not necessarily created nor controlled by that person themselves. The company will not erase records of a person (everything ranging from news stories to sex offender data cannot be erased) but can deal with writable areas of content such as discussion boards. Fertik explained that less than 1/3 of 1% of all revenue comes from this destroy feature of the website–fascinating since so much media attention to the company relates directly to this feature.

Users of his site can sign up for an internet version of the “do not call” list for telemarketers to not call particular phone numbers. Fertik sees privacy in three steps or areas online, first, virus protection then E-commerce (for example, credit card security features) and the third stage emerges as more and more aspects of life move online there arises the need to protect the privacy of web users themselves. In this third realm, users can become aware of and mitigate the ability of other actors to intercept and analyze information created both by users themselves and by others about them.

Is Reputation Defender a service that you would use? Is your online reputation something you worry about? Do you feel that your privacy is ever or could ever be infringed by companies or people accessing information about you online?

At the forefront of the security on the Internet, there lies the security problem of identity. How can internet users maintain their right to privacy while at the same time securing identity information when necessary?

IP addresses are the means by which information is passed from one destination to another online, and play a role in identity online. Given the number of IP addresses available in its current iteration IPv4 and the increasing number of devices that utilize IP addresses, the urgency for a new solution is becoming apparent.

IPv6 is a new protocol that will consist of longer IP addresses (128-bit rather than 32 to be exact). IPv6 has many advantages, including increased address space, larger data packets, the potential for individual devices to have their own IP addresses. The ability for individual IPs will simplify network design and allow more specific connectivity. (For those of you about to search for IPv5, here’s your answer, and also the Internet Society or ISOC has a good Q and A on the details of IPv6 )

The International Telecommunications Union (ITU), a United Nations agency is working to improve international technological infrastructure and seeks to aide connecting the world via technology. The ITU settles long-distance international dialing country codes, so many hope that they can provide an impartial source of distribution for IPv6 addresses, as compared to the ad-hoc distribution of IPv4, whose irregularities have be seen as unfair.

Their work spans government and industry and are currently working towards online child protection, addressing cyberthreats and also creating the cybersecurity gateway with links to resources such as conferences and papers.

Who should have the control over IP distribution? What is the best way to implement a new protocol? What types of problems arise when individual devices no longer have to share IPs?

Another solution to the identity question are platforms like Oauth and the communities such as Kantara that support such technologies. Oauth is an open protocl giving users the power distribute varrying degrees of access to content on a particular site or platform.

Would this type of implementation be ideal? What risks are involved? What potential downsides (if any) are there to so much customization?

To deal with the issue of identity, many have suggested having a government issued online identity, much like a drivers license ID.

Will people online trust and warmly receive a government issued ID? How would the government deal with the problem of online identity theift? How could this ID be misused to track people? What are commercial and interpersonal situations where it would prove beneficial to have an online identity (ie: receiving a phone call or buying an app)? How would this change the relationship between people and corporations for the identity of each of them?

Another government impelmented approach is outlined in the White House’s Cyberspace Policy Review. This document outlines near-term and mid-term action plans, including short term goals that raise many relevant questions.

(excerpts from p. 37 of the report)

Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.

Designate a privacy and civil liberties official to the NSC cybersecurity directorate.

Initiate a national public awareness and education campaign to promote cybersecurity.

Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.

Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement

In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.

How can the government implement these plans while serving privacy and civil liberties? What are best practices for an incident response plan? What is an appropriate and effective way to educate about cybersecurity? What does a strong cybersecurity policy look like?

Cybersecurity is an international issue spanning monetary, governmental and personal concerns. Professors Jack Goldsmith and Jonathan Zittrain led a conversation about the careful balances and difficult solutions involved.

Networks like the Internet are pervasive, yet vulnerable. Cyber attacks can be broken down into two categories, attacks and exploitations. Cyber attacks are computer network activities that change, destroy or manipulate data. Cyber exploitation is reading and potentially copying information.

Professor Goldsmith broke down cybersecurity into four threat vectors:

• remote attack, or  an attack from one computer system to another such as DOS. Narrowly and colloquially speaking a DOS (or denial of service) attack is a surplus of requests to a particular website, making it inaccessible, but more broadly speaking it is any resource that cannot interact on the network.

• supply chain attack, or something that affects critical infrastructure, such as trojan hardware or software

• exploitation, or the copying of data, such as industrial or governmental espionage, or the copying of individual personal information such as credit card numbers

• military/intelligence problem, for GPS locations and the control of UAVs(unmanned aerial vehicles)

Cybersecurity differs from other forms of security due to the type of anonymous attacks possible. From an investigative and enforcement standpoint, anyone can be an aggressor, which in turn facilitates the blur between public and private. In this way it is more difficult to identify or punish or deter aggressors, especially with the potential for delayed attacks hidden in software or hardware. How safe is your computer and what are you willing to do about it, economically, time-wise and in terms of policy support and advocacy? Where do you draw the line between security and human rights/privacy concerns for individuals? How can a government respond to attacks of unknown origin?

Interventions can be incremental or quantum, the question remains both a policy and economic debate. How can risk be calculated? Can we have the open Internet and solve the cybersecurity problem? What would a solution look like? What kind of losses are you willing to accept?

New innovations in cloud computing, or the ability to store data and computational resources online rather than on a personal computer are also susceptible to cybersecurity debates. On one hand, large storage services have higher security implemented than the average computer user, but information on aggregate becomes a more appealing target for exploitation. How can we design resilient systems that uphold against attacks (though they wont’ be perfect)?

In the coming three weeks, students from Harvard, MIT and Stanford will be tackling real-life problems of Internet commerce, governance, security and information dissemination. These problems themselves are not only conceptual issues but also identifiable struggles within their spheres. Students will be engaged with practitioners and academics–people who potentially hold the power to shape the future of these issues or at least provide the course with a sounding board to articulate better questions about the future.

An important aspect of the trajectory of this course is the students’ participation in the Internet phenomena they have chosen to investigate for these few weeks. Students will be required to understand cycles perpetuated by Reputation Defender, participate in human computing sites like Amazon Mechanical Turk and understand debates around the successes and perils of Couchsurfing.com (of course, through forums, as three weeks at Stanford is a quite lengthy amount of time to couchsurf!). The students are also offered field trips to interact firsthand with various components of the technical sphere they seek to understand including Facebook, Ebay and Google. The idea behind this immersion is to allow students the participatory (albeit “couchsurfing” free) understanding of the media they consume and now also advise.