(by Zach Goldberg, TLPC Student Attorney)
Over the past month, the TLPC has researched autonomous vehicle technology and its susceptibility to physical layer cyber attacks, with the aim of encouraging research and development efforts to counteract such threats. We sought to gain a deeper understanding of the communication systems that enable autonomous vehicle technology, the vulnerabilities of these systems to jamming and spoofing attacks, and possible defenses against such attacks. We explore these issues in the attached comment, filed in the National Highway Traffic Safety Administration’s latest proceedings relating to autonomous vehicle safety and vehicular cyber security.
• Autonomous Vehicle Jamming and Spoofing Comment
(by Zachary Goldberg, Colorado Law 2L)
Apparently Yahoo waited two full months to disclose to its customers the largest consumer data breach in history, which Yahoo officials claim went undetected for two full years.
On September 22, 2016, Yahoo officials announced that 500 million of its customers’ email accounts were hacked in 2014. The Yahoo security team believes that “state-sponsored hackers” somehow managed to penetrate Yahoo’s system to target its email users’ identifying information, passwords, and security question responses. At this stage in their investigation, Yahoo officials have not indicated precisely when they discovered the breach, and they know neither specific details as to who orchestrated it, nor how they gained access to Yahoo’s email system.
Continue reading “Last Week in Tech Law & Policy, Vol. 36: Another Yahoo! Data Breach? Personal Consumer Information and the U.S. Government’s Intelligence Collection Practices”
(by Kiki Council, Colorado Law 3L)
Last week’s blog post concerned the ramifications of sponsored and compelled government hacking with the use of backdoor encryption. This week’s post concerns government hacks of computers using the Tor browser, and whether those hacks are considered a “search” under the Fourth Amendment.
Continue reading “Last Week in Tech Law & Policy, Vol. 32: Is government hacking a “search” under the Fourth Amendment?”
(by Colter Donahue, Colorado Law 3L)
Should government agencies possess, compel, or sponsor hacking and backdoors? A backdoor is a method of bypassing the normal authentication system of a website, messaging service, or other means of electronic communications.
Privacy and encryption advocates point out that the tools created or vulnerabilities exploited by backdoors pose a privacy risk. The vulnerabilities are not limited to exploitation by U.S. agencies like the FBI and NSA; bad actors and other nations can use them too. Hacking tools don’t always stay secret; once exposed, potential damage may be measured on a global scale. But what happens when law enforcement needs access for investigatory purposes? The following post will look at a recent example and the balance of competing interests.
Continue reading “Last Week in Tech Law & Policy, Vol. 31: Sponsored and Compelled Hacking, Government Edition”
The government intelligence community has long vocally advocated for so-called “backdoors” in encrypted digital communications systems. Proponents of these special modes of entry and intercept into otherwise protected databases and communications believe they are a necessary part of national security in the modern age. However, attempts to statutorily codify these ideas have met significant opposition.
Not to be deterred, the government is currently seeking alternate ways to gather information about suspected criminals and terrorists. Two weeks ago, the Senate passed the Cybersecurity Intelligence Sharing Act (CISA). This bill seeks primarily to permit information technology companies to “voluntarily” share information about security threats with the Department of Homeland Security. Companies would be given immunity both from liability and from FOIA requests regarding this information sharing. A proposed amendment that would have required the scrubbing of personally identifiable information in this information sharing failed to pass.
Continue reading “Last Week in Tech Law and Policy, Vol. 25: The CISA/CISPA See-Saw of Cybersecurity”
(by Jeffrey Westling, Colorado Law 2L)
Last Friday, the Federal Communications Commission closed the comment period for ET Docket No. 15-170, a controversial proceeding that may limit Wi-Fi users’ ability to install open source firmware on wireless routers. The FCC has remained adamant that their goal in this process is not to restrict users from modifying their routers, but rather to ensure that routers do not operate outside certain regulatory parameters. However, Wi-Fi users fear that the new rules may actually incentivize manufacturers to block all open source firmware from being installed on their devices rather than just limiting signal boosting capabilities or operating outside of the correct channels.
Continue reading “Last Week in Tech Law and Policy, Vol. 22: Open Source Firmware and the Future of Router Modification”
(by Ellis Dobkin, Colorado Law 2L)
Many of our discussions deal with the struggles of government regulation in the Internet age. This week’s blog post focuses on the issues that 3D-printed firearms pose and the problems with potential regulation.
Continue reading “Last Week in Tech Law and Policy, Vol. 20: Regulating 3D-Printed Firearms”
(by Annie Tooley, Colorado Law 2L)
Following on last week’s post, another dark cloud continues to loom over the Internet: malware. Malware is somewhat two-faced. On one side, hackers use malware to gain access to personal information. On the other side, the government uses malware to track down criminals and terrorists. But what happens when the line separating the two starts to blur? This post will explore the “good” and “bad” sides of deceptive delivery of malware.
Continue reading “Last Week in Tech Law and Policy, Vol. 16: The Art of Deception: a Gift or a Curse?”
We’re back for Season 2 of our ongoing weekly recap of current tech policy news. As always, the TLPC Director (that’s me—Blake Reid) takes on the first blog post of the semester before the TLPC’s student attorneys take over for the duration. As summer comes to a close in Boulder, this post explores some of the dark clouds that have circled over the Internet in recent weeks.
Continue reading “Last Week in Tech Law and Policy, Vol. 15: The Internet’s Lousy Summer Vacation”
(by Chelsea E. Brooks, Colorado Law 2L)
State of the Union: This week, I want to look ahead to President Obama’s State of the Union Address, which will be held Friday, January 20th. The President has revealed cybersecurity as being one of the key issues he will address. In particular, he is proposing a 30-day window in which companies must notify consumers that their data has been breached, is championing criminalization of selling credit card information outside of the U.S., and is expected to recommend to Congress a Consumer Privacy Bill of Rights. In addition to consumer-focused proposals, the President wants to broaden the legal definition of unauthorized computer access under the Computer Fraud and Abuse Act (CFAA) and increase penalties for computer access crimes.
Back to Sony: Connecting back to last week’s post, could the Sony hacking scandal have been influential in directing this agenda? As mentioned in Vol.1, the Sony hack has “broad implications for the future of law enforcement, crime and punishment, privacy, and war.” Those implications may already be coming to light as Shaun Donovan, the Director of the Office of Management and Budget, has cited to the Sony hack in writing the Administration’s cybersecurity proposals to Congress. Donovan states:
[T]he dramatic increase in cyber intrusions and the recent destructive and coercive attack on Sony Pictures Entertainment offer a stern reminder that we must act with urgency to do everything possible to better protect the Nation and economy against cyber threats.
With that statement in mind, consider two questions posed by the New York Times:
When should the federal government step in to fight hackers? And is America’s own use of cyberweapons a complicating factor?
Blackhat: Hollywood’s recent connections with cybersecurity don’t stop with the Sony hack. The just-released Blackhat glamorizes the world of hacking and raises the question: could the current climate of fear of cyber crime lead to over-inclusive policy making? Members of the Obama administration are already citing to the Sony hack as reasoning for increasing punishments and broadening the power of the CFAA. Is this reasoning justifiable? Can increasing penalties effectively deter undesirable hacking? (The legal ramifications didn’t seem to deter the Sony hackers.)