Derek Bambauer, Exposed

Comment by: Collete Vogele

PLSC 2013

Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2315583

Workshop draft abstract:

Ubiquitous recording capabilities via smartphones and Internet distribution have given rise to a disturbing trend: the unconsented distribution of images and videos that capture people nude or engaged in intimate activity. Current law may permit recourse against those who initially distribute this content, but immunity for intermediaries under 47 U.S.C. 230 generally permits the material to remain in circulation. This Article proposes a solution to this problem grounded in intellectual property doctrine. It first describes the problem, and advances both utilitarian and deontological theories of harm to justify regulatory intervention. Next, it proposes a civil IP-based regime (sounding either in copyright’s moral rights doctrine, or trademark law) that provides for injunctive and monetary relief against initial distributors, and that establishes a notice-and-takedown system for intermediaries, similar to that of the Digital Millennium Copyright Act. Written consent by subjects of the photos / videos would operate as an absolute defense, as would newsworthy use or distribution. Lastly, the Article examines potential doctrinal difficulties under the Copyright Act and the First Amendment, and analyzes why the proposal traverses both concerns.

Bryan Choi, The Tax Loophole to Constitutional Privacy

Comment by: Derek Bambauer

PLSC 2013

Workshop draft abstract:

Even as the third party doctrine has come under sharp criticism in Fourth Amendment jurisprudence, an eerily similar workaround has been developing under the Fifth Amendment. The third party doctrine grew out of a tax enforcement case that held that a taxpayer has no reasonable expectation of privacy in financial records held by a third party such as a bank. That rule was later generalized to phone records and any other information held by a third party.

Likewise, a recent set of tax enforcement cases in the courts of appeals (5th, 7th, 9th) has held that taxpayers are not entitled to invoke the Fifth Amendment privilege against self-incrimination in order to withhold statutorily required records of offshore bank accounts. In essence, the reasoning adopted by those courts is that, if the records are required to be kept by the defendant, then the government already knows they exist and the compelled disclosure of those records is not incriminating — unless their very existence would indicate criminal activity. The fact that the contents of those records might be incriminating is irrelevant.

This case study provides an opportunity to reevaluate the controversial “required records” doctrine, as well as to revisit the long-running scholarly debate regarding the overlapping roles of the Fourth and Fifth Amendments in safeguarding individual privacy from governmental intrusion. In isolation, the tax enforcement cases seem innocuous enough. Yet, in future cases, the required records doctrine could easily be extended to phone records and other information of governmental interest, in the same manner as the third party doctrine. If we think the third party doctrine has gone too far, we should be wary of retracing its steps under a different guise.

Jane Bambauer and Derek Bambauer, Vanished

Comment by: Eric Goldman

PLSC 2013

Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2326236

Workshop draft abstract:

The conventional wisdom on Internet censorship assumes that the United States government makes fewer attempts to remove and delist content from the Internet than other democracies. Likewise, democratic governments are believed to make fewer attempts to control on-line content than the governments of non-democratic countries. These assumptions are theoretically sound: most democracies have express commitments to the freedom of speech and communication, and the United States has exceptionally strong legal immunities for Internet content providers, along with judicial protection of free speech rights that make it unique even among democracies. However, the conventional wisdom is not entirely correct. A country’s system of governance does not predict well how it will seek to regulate on-line material. And democracies, including the United States, engage in far more extensive censorship of Internet communication than is commonly believed.

This Article explores the gap between free speech rhetoric and practice by analyzing data recently released by Google that describes the official requests or demands to remove content made to the company by a government between 2010 and 2012. Controlling for Internet penetration and Google’s relative market share in each country, we examine international trends in the content removal demands. Specifically, we explore whether some countries have a propensity to use unenforceable requests or demands to remove content, and whether these types of extra-legal requests have increased over time. We also examine trends within content categories to reveal the differences in priorities among governments. For example, European Union governments more frequently seek to remove content for privacy reasons. More surprisingly, the United States government makes many more demands to remove content for defamation, even after controlling for population and Internet penetration.

The Article pays particular attention to government requests to remove content based upon claims regarding privacy, defamation, and copyright enforcement. We make use of more detailed data prepared specially for our study that shows an increase in privacy-related requests following the European Commission’s draft proposal to create a Right To Be Forgotten.

David Thaw, Comparing Management-Based Regulation and Prescriptive Legislation: How to Improve Information Security Through Regulation

Comment by: Derek Bambauer

PLSC 2012

Workshop draft abstract:

Information security regulation of private entities in the United States can be grouped into two general categories. This paper examines these two categories and presents the results of an empirical study comparing their efficacy at addressing organizations’ failures to protect sensitive consumer information. It examines hypotheses about the nature of regulation in each category to explain their comparative efficacy, and presents conclusions suggesting two changes to existing regulation designed to improve organizations’ capacity to protect sensitive consumer information.

The first category is prescriptive legislation, which lays out performance standards that regulated entities must achieve. State Security Breach Notification (SBN) statutes are the primary example of this type, and require organizations to report to consumers breaches involving certain types of sensitive personal information. This form of legislation primarily lays out performance-based standards, under which the regulatory requirement is that entities achieve (or avoid) certain conditions. Such legislation may also lay out specific means by which regulatory goals are to be achieved.

The second category describes forms of management-based regulatory delegation, under which administrative agencies promulgate regulations requiring organizations to develop security plans designed to achieve certain aspirational goals. Two notable examples are the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Financial Modernization Act (GLBA). The Federal Trade Commission also engages in such activity reactively through its data security consumer protection enforcement actions. The regulatory requirement in this case is the development of the plan itself (and possible adherence to the plan), rather than the necessary achievement of stated goals or usage of certain methods to achieve those goals.

This paper presents the results of an empirical study analyzing security breach incidence to evaluate the efficacy of information security regulation at preventing breaches of sensitive personal information. Publicly reported breach incidents serve as a proxy for the efficacy of organizations’ security measures, and while clearly limited in scope (as noted below) they are currently the only data point uniformly available across industrial sectors. Analysis of breaches reported between 2000 and 2010 reveals that the combination of prescriptive legislation and management-based regulatory delegation may be four times more effective at preventing breaches of sensitive personal information than is either method alone.

While this method of analysis bears certain limitations, even under unfavorable assumptions the results still support a conclusion that prescriptive standards should be added to existing regulations. Such standards would abate a current “race to the bottom,” whereby regulated entities adopt compliance plans consistent with “industry-standards” but often (and in some cases woefully) inadequate to achieve the aspirational goals of the regulation. Since the conclusion of this study, there have been two notable such additions of performance-based standards: 1) the inclusion of a breach notification requirement in HIPAA, and 2) the recent promulgation of regulations by the SEC requiring publicly traded companies to report material security risks and events to investors. The results of this analysis also support the expansion of management-based regulatory models to other industrial sectors.

The second component of empirical analysis presented in this paper includes the results of a qualitative study of Chief Information Security Officers (CISOs) at large U.S. regulated entities. The interview data reveals the effects of regulation both on information security practices and on the role of technical professionals within organizations. The results of these interviews suggest hypotheses to explain both the weaknesses in compliance plan design and the proposition that, notwithstanding new performance-based standards, security conditions remain ineffective.

The first hypothesis suggests that the relative effects of prescriptive legislation and management-based regulatory delegation on the role of technical professionals in organizations explain the inability of performance-based standards fully to address information security failures. The data suggest two specific outcomes – first, that current performance-based standards weaken the role of technical professionals; and second, that management-based models of regulatory delegation strengthen professionals’ role. This result stems from reliance on technical professionals’ skill in developing compliance plans to meet management-based regulatory goals. The current model of performance-based regulation, by contrast, under which security failures are exempt from (the regulatory penalty of) reporting when the compromised data is encrypted, decreases reliance on technical skill by effectively specifying one means-based approach to “compliance.” By redirecting essentially-fixed resources to a specific means of compliance addressing only a single threat, these performance-based standards hamper the ability of CISOs adequately to address other salient threats. In this regard, SBNs effectively lock the front door to the bank while leaving the back window wide open.

The second hypothesis suggests that the lack of proactive guidance by regulators hampers the ability of CISOs to justify requests for increased resources to address vulnerabilities not covered by performance-based standards. This hypothesis answers the question of why “industry-standards” may be so ineffective at achieving the aspirational goals of the regulation. Management-based regulatory delegation models rely heavily on a standard of “reasonableness,” the requirements of which scale to the size, complexity, and capabilities of the regulated entity. Reasonableness is a well-examined concept in law, but becomes problematic in the context of a highly-technical and fast-changing regulatory environment. Regulators’ failure to provide proactive guidance regarding what constitutes reasonable security hampers the ability of CISOs to justify the need for greater resources. Combined with the “redirection” of resources to address specific compliance objectives associated with performance-based standards, these pressures cause broad-based security plans to be inadequate (either in design or implementation) at addressing the broader base of threats facing the organization. The effects of this condition are evident in the abundance of “low-hanging fruit” available to regulators – review of the Federal Trade Commission’s data security enforcement actions reveals few answers to “gray areas” of reasonableness, and many examples of security failures extreme in degree.

These findings and analysis suggest three conclusions. First, regulators should increase the use of performance-based standards, specifically standards not tied to specific means of implementation. Second, management-based regulatory models should be expanded to other industrial sectors beyond finance and healthcare, perhaps through the promulgation of proactive regulations by the FTC consistent with its history of enforcement action. Third, regulators should provide more proactive guidance as to the definition of reasonable security, so as to avoid a “race to the bottom” in the development of security plans to address management-based regulatory goals.