Last Week in Tech Law and Policy, Vol. 9: International Hacking

(by Jeff Ward-Bailey, student technologist)

Government surveillance has been a frequent news item ever since the summer of 2013, when Edward Snowden leaked his first set of documents to journalists, revealing the software tools the NSA uses to monitor communications in the United States and abroad. But governments have used covert means to gather intelligence about their own citizens and those of other countries, and have even tried to disrupt the operations of governments they perceive as hostile to their interests, for many years.

In 2008 a sophisticated piece of malware called “Regin” began spying on governments and individuals in Russia, Saudi Arabia, Ireland, and a handful of other countries. Security researchers didn’t notice Regin until 2014, and in all that time it did no visible damage to infected systems: it simply ran in the background, watching its targets. Researchers initially surmised that Regin had been written by the US, Israel, or the UK to gather intelligence on foreign governments, and further investigation suggested that Britain’s GCHQ spy agency had written it.

In 2010 the Stuxnet computer worm was discovered. It targeted the industrial controllers (programmable logic controllers, or PLCs) driving Iranian centrifuges used to enrich nuclear material and caused those centrifuges to tear themselves apart. It’s still not known for certain who wrote Stuxnet, but in 2011 Wired reported that it was “believed to have been created by the United States,” and in 2012 The New York Times reported that it was the product of a joint US-Israeli intelligence operation.

Earlier this year security researchers uncovered a suite of surveillance platforms nicknamed EquationLaser, EquationDrug, and GrayFish. Circumstantial evidence suggests that the tools may be connected with the NSA (for example, the names of tools in the platforms match the names of tools in an NSA spy tool catalog leaked in 2013). Five Iranian companies that had previously been infected by Stuxnet were also infected by the “Equation Group” tools.

Few would dispute that a government intentionally infecting another government’s systems with malware in order to spy on it falls, at the very least, into an ethical grey area. But is such cyberspying (some would call it cyberwarfare, especially when the destruction of property is involved) necessary to protect against attacks? Does the potential for mitigating harm outweigh the ethical implications of spying? And does a government’s mandate to protect the safety of its citizens justify hacking or spying on other governments?

Last Week in Tech Law & Policy, Vol.5: Funding Privacy

(by Joseph de Raismes, Colorado Law 3L)

This week, I would like to look at internet privacy, how privacy tools are funded, and what the future of privacy should look like.

Last week, ProPublica ran Julia Angwin’s excellent profile of GnuPG’s lead developer Werner Koch. Koch wrote the free email encryption tool GnuPG in 1997, and has been keeping the project alive basically single-handedly ever since. In response to ProPublica’s profile, Koch received an outpouring of support in the form of private donations and grants.

Werner Koch’s situation drew the attention of cryptographer Matt Green, who questioned the entire framework of how we fund the long-term development of privacy tools. In his post, Matt draws attention to the fact that the US government has been an extremely important funding source for key privacy tools, but questions the sustainability of the current framework for funding research and development in this area.

In light of the Snowden revelations, real name systems, perma-cookies, browser fingerprinting, and other sophisticated tracking measures, internet privacy seems more and more like a thing of the past. Is internet privacy a value that should be fostered (and funded) in a cohesive manner?

TLPC Files Security Research DMCA Exemption Comments

(by Chelsea E. Brooks, Student Attorney, Joseph N. de Raismes, Student Attorney, Andy J. Sayler, Student Technologist)

Last week, we filed three comments in response to the Copyright Office’s DMCA Section 1201 Triennial Exemption Notice of Proposed Rulemaking: a Short Comment for Class 27 (Medical Devices), a Short Comment for Class 22 (Vehicle Software), and a Long Comment for Class 25 (Security Research). All comments were filed on behalf of our client, Professor Matthew Green.

Professor Green is an Assistant Research Professor in the Information Security Institute at Johns Hopkins University and needs to be able to circumvent various access controls on software and devices in the process of conducting good faith security research. Such circumvention is chilled by Section 1201 of the Digital Millennium Copyright Act (DMCA). In our long comment, we argue for an exemption to Section 1201’s anti-circumvention provisions and show that preventing circumvention of access controls is chilling good faith security research and creating other adverse effects. Our short comments reiterate this point with respect to specific types of security research and urge the Copyright Office to grant a broad exemption to the Section 1201 anti-circumvention rules for all forms of good faith security research.

Next up in the proceedings is the second round of public comments, filed by those who oppose each exemption. The objection comment deadline is March 27, 2015. Following that, there will be a third round of public comments in which supporters can respond to the objectors’ comments. This round closes on May 1, 2015, after which the Copyright Office will begin the internal process of making its decisions.

Last Week in Tech Law & Policy, Vol.4: A Look at Health Technology

(by Allison N. Daley, Colorado Law 2L)

This week I want to focus on a specific area of tech law and policy: health care. With the advent of telemedicine as a way of providing health care at a distance, there is exciting potential for innovation; with this innovation, however, come new challenges in law and policy.

As just one example, there is a new app, Harbinger, that transmits communications from Emergency Medical Service (EMS) workers in an ambulance to hospitals in real time. The hope is that such technology can improve care by sending protected health information (PHI) such as driver’s licenses and insurance cards to hospitals for faster registration. The app even allows EMS workers to send pictures and videos of injuries or accident scenes for more rapid diagnosis and treatment.

With this great technology, however, privacy concerns abound. Because a cell phone stores data on the device itself, any PHI kept on the phone is much more likely to fall into the wrong hands if the phone is lost or stolen. While the Health Insurance Portability and Accountability Act (HIPAA) has no rule banning the use of cell phones, the HIPAA Privacy Rule requires health care providers to implement appropriate safeguards to reasonably protect health information, and the HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI wherever it is stored or transmitted.

In order to solve this problem, the Harbinger app promises:

[P]atient information is encrypted with today’s most advanced methods. The data is transported to our server with the industry standard for banks and credit cards, and is stored in an encrypted format.

While this sounds like it may satisfy HIPAA standards, patients and hospitals will likely still have concerns about this new technology. Note that the promise covers encryption in transit and on Harbinger’s servers; it says nothing about whether PHI is also retained on the phone itself, which is the exposure described above. The founders, both Coloradoans, are currently negotiating with hospitals, and we may see the system operating by the end of the year.

For more information, check out Harbinger’s website.

See you next week!


Last Week in Tech Law & Policy, Vol.2: The Inside Scoop

(by Chelsea E. Brooks, Colorado Law 2L)

State of the Union: This week, I want to look ahead to President Obama’s State of the Union Address, which will be held Tuesday, January 20th. The President has signaled that cybersecurity will be one of the key issues he addresses. In particular, he is proposing a 30-day window in which companies must notify consumers that their data has been breached, is championing criminalization of selling stolen credit card information outside of the U.S., and is expected to recommend to Congress a Consumer Privacy Bill of Rights. In addition to consumer-focused proposals, the President wants to broaden the legal definition of unauthorized computer access under the Computer Fraud and Abuse Act (CFAA) and increase penalties for computer access crimes.

Back to Sony: Connecting back to last week’s post, could the Sony hacking scandal have influenced this agenda? As mentioned in Vol.1, the Sony hack has “broad implications for the future of law enforcement, crime and punishment, privacy, and war.” Those implications may already be coming to light: Shaun Donovan, the Director of the Office of Management and Budget, cited the Sony hack in presenting the Administration’s cybersecurity proposals to Congress. Donovan states:

[T]he dramatic increase in cyber intrusions and the recent destructive and coercive attack on Sony Pictures Entertainment offer a stern reminder that we must act with urgency to do everything possible to better protect the Nation and economy against cyber threats.

With that statement in mind, consider two questions posed by the New York Times:

When should the federal government step in to fight hackers? And is America’s own use of cyberweapons a complicating factor?

Blackhat: Hollywood’s recent connections with cybersecurity don’t stop with the Sony hack. The just-released Blackhat glamorizes the world of hacking and raises the question: could the current climate of fear of cyber crime lead to over-inclusive policy making? Members of the Obama administration are already citing the Sony hack as justification for increasing punishments and broadening the reach of the CFAA. Is this reasoning justifiable? Can increasing penalties effectively deter undesirable hacking? (The legal ramifications didn’t seem to deter the Sony hackers.)

Last Week in Tech Law & Policy, Vol.1: Net Neutrality and the Sony Hack

(by Blake E. Reid, TLPC Director)

Just about every week during the fall and spring semesters, the TLPC spends time discussing current events in tech law and policy. Our students do a great job researching and highlighting current events, so this semester we thought we’d share what we’re reading with the world.

I have the task of leading our inaugural discussion, so I’m going to focus on two events that have blown up over our winter break:

Net Neutrality. While it’s hard to narrow down the 10+ year-old net neutrality / Open Internet discussion, the biggest news over break was the soft launch of the FCC’s plan to reclassify ISPs under Title II of the Communications Act, announced at the Consumer Electronics Show, in rules to be voted on at the Commission’s February open meeting. Other interesting issues waiting in the wings include the treatment of wireless providers, the Commission’s approach to forbearance, various other bells and whistles of the final item (I’m particularly interested in the treatment of reasonable network management and the premises operator exception), and how the courts and Congress will ultimately affect the state of play (or not).

The Sony Hack. There’s so much to say about this, but I’ve been most interested in the epistemological debate over whodunit (is it North Korea, or isn’t it?), and the difficulty of assessing adversaries online. This is the tip of the iceberg for this phenomenon, which has broad implications for the future of law enforcement, crime and punishment, privacy, and war.

See you next week!

Will the FCC Let You Retain Your Privacy and the Cybersecurity of Your Information When You Text 911?

(by Spencer Rubin and Trip Nistico, Colorado Law 2Ls, and Vickie Stubbs, ATLAS Institute)

Two weeks ago, the TLPC submitted reply comments on the Third Further Notice of Proposed Rulemaking (FNPRM) in the Federal Communications Commission’s Text-to-911 (TT911) docket. Among the many areas in which the FCC sought comment on rules for text messages to 911, we focused on the privacy and cybersecurity implications of sharing enhanced location information via text message to emergency responders.


TLPC files DMCA exemption for good faith security research

The TLPC continued its efforts in the Copyright Office’s triennial review last week by filing a petition for exemption from the anti-circumvention measures in Section 1201 of the Digital Millennium Copyright Act (DMCA) for circumventing technological protection measures (TPMs) to perform good faith security research. The TLPC filed the petition, drafted by student attorneys Chris Meier, Amber Williams, and Bridgett Murphy, on behalf of Dr. Matthew Green, Assistant Research Professor at the Johns Hopkins Information Security Institute.