
The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.


OCR for page 273
Civil Liberties and Privacy Implications of Policies to Prevent Cyberattacks

Robert Gellman
Information and Privacy Consultant

I. INTRODUCTION

The purpose of this paper is to consider the civil liberties and privacy implications of potential policies and processes to prevent cyberattacks. Other than the general topic and a request to consider the possibility of licensing Internet users, little direction was offered. The topic raises a host of unbounded, complex, difficult, and contested legal and constitutional issues. Almost any one of the issues could be the subject of an entire paper, book, or even treatise. What can be accomplished here is to consider some of the issues raised by possible proposals aimed at preventing cyberattacks and to suggest some of the major fault lines that demarcate the borders of what is possible from what is uncertain from what is prohibited. To characterize the analysis another way, how far can prevention policies and processes go before they hit possible legal, constitutional, or other barriers? This paper is an analysis of selected issues raised by this question.

The analysis of any proposal can differ significantly depending on who is performing an activity and where that activity is being performed. The federal government cannot do some things that private companies can do. Some activities would be less objectionable when done in a private, access-controlled network than when done on the Internet in general. Some activities can be more readily accomplished with the consent of data subjects than without consent. The laws of other nations may impose restrictions that are absent in U.S. law, or vice versa, which can complicate prevention of cyberattacks on a global scale.

The discussion here is organized under four main topics, search, speech, information privacy, and due process. Many potential cyberattack prevention policies and processes raise concerns under more than one of these topics, and the placement of issues under these topics is somewhat discretionary. For example, a requirement that Internet Service Providers (ISPs) retain data about a user’s Internet activities raises concerns under the First Amendment, Fourth Amendment, privacy, and due process.[1] In this paper, data retention is considered in the search section.

[1] The text of the U.S. Constitution and its amendments can be found at http://topics.law.cornell.edu/constitution, accessed August 30, 2010.

Proceedings of a Workshop on Deterring Cyberattacks

II. ISSUES RELATING TO SEARCH

1. Surveillance

Cyberattack prevention activities will at times make use of the surveillance authority given to the government. It is not possible to summarize that authority in this document. There may be no more convoluted area of privacy law in the United States than surveillance law. One scholar describes the law of electronic surveillance as “famously complex.”[2] The standards vary enormously, depending on numerous factors. Some of the factors that determine the nature of the surveillance that is permissible, the procedures that may be required as a prerequisite to surveillance, and the uses of the results of the surveillance include:

• who is undertaking the surveillance (the government or a private party)
• why the surveillance is being conducted (for law enforcement, national security, foreign intelligence, or private purposes)
• whether the target of the surveillance is a U.S. citizen (including a permanent resident), foreign national, or agent of a foreign power
• the form of a communication (e.g., telephone call, electronic mail)
• whether a communication is stored by a third party or is in transit
• whether a communication is transmitted by a wire
• whether the surveillance captures video or sound
• what is being intercepted (e.g., content of a communication or a telecommunications attribute, such as the telephone number dialed)
• what is under surveillance (e.g., a public place, home, workplace, locker room, toilet stall)
• where the surveillance is conducted from (e.g., a public place, a private place, an airplane, a place of employment)
• the extent to which a place under surveillance has been protected from observation
• whether the surveillance is subject to state law or to federal law
• whether the technology used to undertake the surveillance is in general public use.

The history, scope, and shortcomings of the Electronic Communications Privacy Act of 1986[3] (ECPA) are most relevant here. There are three titles to ECPA: the first amends the Wiretap Act; the second contains the Stored Communications Act; and the third addresses pen registers and trap and trace devices. The first two titles are most relevant here.

The Wiretap Act is a criminal statute that seeks (1) to protect the privacy of wire and oral communications, and (2) to set out the circumstances and conditions under which the interception of wire and oral communications may be authorized.[4] In 1986, ECPA amended the existing Wiretap Act to extend to electronic communications protections against unauthorized interceptions that existed previously only for oral and wire communications via common carrier transmissions.

The Stored Communications Act[5] seeks to protect electronic communications and voice mail from unauthorized access by defining unlawful access as a crime. The goal was to protect the confidentiality, integrity, and availability of such communications stored by providers of electronic communication service pending the messages’ ultimate delivery to their intended recipients.

[2] Orin S. Kerr, Lifting the “Fog” of Internet Surveillance: How a Suppression Remedy Would Change Computer Crime Law, 54 Hastings Law Journal 805, 820 (2003). See also Gina Marie Stevens & Charles Doyle, Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Surveillance (2009) (Congressional Research Service), available at http://assets.opencrs.com/rpts/98-326_20091203.pdf; accessed on March 23, 2010.
[3] Public Law 99-508, 100 Stat. 1848 (1986).
[4] 18 U.S.C. § 2511.
[5] 18 U.S.C. § 2701.

One of the law’s exceptions permits access to electronic communications by service providers, and this provision allows employers who directly provide (as opposed to using a third party service provider) email service to employees the ability to monitor email.[6] That monitoring ability could support the cyberattack prevention activities. Public employers remain subject to Fourth Amendment requirements and may be more limited in their ability to review email.[7] Privacy policies and terms of service established by an ISP could also be relevant to a user’s expectation of privacy and could authorize monitoring of email by the ISP.

It is widely recognized today that ECPA’s assumptions about technology are outmoded and that the protections that ECPA sought to provide now operate inconsistently because of changes in technology and service offerings.[8] For example, with respect to government surveillance, the law gives greater protection to email in transit than it does to email that has arrived in a user’s in-box at a service provider. In addition, under the law, email that is more than 180 days old is more easily accessible to the government than newer email.[9] Because some ISPs now offer massive or unlimited storage for email, the result is a significantly differing degree of legal protection for email depending on factors that many users no longer view as significant. Other questions arise with respect to newer services such as Voice over Internet Protocol. Documents placed on cloud computing sites may also have fewer protections under current law than email because ECPA only covers electronic communications and the transfer of information to a cloud computing provider may not qualify for protection.[10]

The 1976 decision of the Supreme Court in U.S. v. Miller[11] illustrates an important aspect of third party storage of information under the Fourth Amendment. The Supreme Court held that the Fourth Amendment does not recognize an expectation of privacy in an individual’s financial records held by a bank. Therefore, the Court allowed the government to obtain the records from the bank without providing the individual notice or an opportunity to contest the demand. The conclusion in Miller with its broad implication that an individual has no expectation of privacy in any record held by a third party[12] is an ever-increasing concern to civil libertarians and privacy advocates because most records of an individual’s existence—and especially an individual’s Internet activities—are held by third parties. ECPA partly curbs the effect of Miller by establishing rules and procedures that limit the ability of the government to obtain electronic communications.

2. Other Approaches to Miller

Shortly after the decision in Miller, Congress passed the Right to Financial Privacy Act.[13] The Act established limited statutory privacy protections for bank records that the Supreme Court declined to recognize under the Fourth Amendment. The Act requires the federal government (but not state governments) to notify a bank customer when it uses a subpoena or summons to obtain a record about that customer from a bank. The customer then has an opportunity to contest the process in court before the bank hands over the records. The Act’s value is questionable since the grounds upon which a customer can challenge the government are limited (must show that the records are not relevant to a legitimate law enforcement investigation), and exceptions to customer notice cover many important agencies and activities.

[6] Id. at § 2701(c)(1).
[7] See City of Ontario v. Quon, 560 U.S. ___ (2010).
[8] The Center for Democracy and Technology (CDT) is leading a broad effort of privacy groups, businesses, and Internet companies to seek amendment and modernization of ECPA. See CDT, Digital Due Process Coalition (including Microsoft, Google, and more) Call for Tougher Online Privacy Laws, http://www.cdt.org/press_hit/digital-due-process-coalition-including-microsoft-google-and-more-call-tougher-online-priv; accessed April 20, 2010.
[9] 18 U.S.C. § 2703(a).
[10] Cloud computing involves the sharing or storage by users of their own information on remote servers owned or operated by others and accessed through the Internet. The proper characterization for ECPA purposes of cloud documents, which differ greatly in type and terms of service, is far from clear. See Robert Gellman, Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing at 17 (World Privacy Forum, 2009), available at http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf; accessed April 20, 2010.
[11] 425 U.S. 435 (1976).
[12] See Smith v. Maryland, 442 U.S. 735, 743-44 (1979), (“a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties”).
[13] 12 U.S.C. §§ 3401-3422.

The federal health privacy rule[14] also contains a provision that requires notice to a patient of a subpoena for the patient’s record held by a health care provider or insurer. For patients and for civil litigation, the health privacy rule’s provisions are stronger than in the Right to Financial Privacy Act, but the exceptions for law enforcement investigations provide even fewer rights for data subjects than the Right to Financial Privacy Act.[15]

Recent legislation, including updates to the USA PATRIOT Act, Foreign Intelligence Surveillance Act, and ECPA also modify some effects of Miller by expanding requirements for judicial involvement in some electronic searches. None of the legislative changes to the Miller holding has broad effect with respect to all or most information held by third party record keepers, however.

Because of the tremendous volume and range of personal information held by ISPs and other third party record keepers, privacy advocates want to create a protectable privacy interest that would undermine the broad holding in Miller. ECPA provides some protection for electronic communications. However, email only represents a portion of the information now held by third party Internet providers, which include social networks, cloud computing service providers, photograph storage services, financial management websites, and a nearly unlimited number of other services. Indeed, a very large portion of Internet activities create records held by third parties, and the ongoing expansion of cloud computing will shift additional materials from locally owned and controlled computers to third parties. Whether and how Congress (or the courts) revise the principle that there is no privacy interest in records held by third parties will determine both the scope of that privacy interest and the ease with which government investigators can obtain personal and business records held by third parties.

Any expansion of the privacy rights of data subjects with respect to records held by ISPs and other third party record keepers could affect the conduct of cyberattack prevention and investigation activities by creating substantive or procedural barriers to government acquisition of information about Internet activities. These activities may not be affected any more than any other government investigatory activities that center on Internet conduct. It remains to be seen how broadly any future ECPA reforms will affect the basic Miller holding that there is no privacy interest in records held by a third party. Any significant change to these privacy protections could produce a major shift in the balance between individual rights and the government’s investigatory capabilities. The stakes grow larger as the Internet continues to expand as a central feature of modern life.

At the same time, however, the issue in Miller is personal privacy, and not every record created on or off the Internet qualifies as personal information. Government access to non-personal information held by third parties might be unaffected by any change in the privacy interest granted to individuals in third party records. This could include, perhaps, the content of many webpages, commercial transactions, foreign government operations, activities that occur outside the United States and beyond the scope of the Fourth Amendment, and more.

3. Data Retention

In March 2006, the EU enacted a Data Retention Directive calling for the mandatory retention of communications traffic data.[16] A leading argument for the directive is for combating terrorism. The same general argument in support of data retention could be made with respect to cyberattack prevention either because cyberattacks may qualify as terrorism or because data retention would be useful in preventing cyberattacks regardless of motivation. The EU and many of its Member States required data retention to create a new capability in combating criminal and other undesirable activities. The extent to which data retention will work to achieve the stated goals is open to question and beyond the scope of this paper. Nevertheless, data retention is a tool with some potential application to cyberattack prevention.

[14] 45 C.F.R. Part 164, issued under the authority of the Health Insurance Portability and Accountability Act (HIPAA). Public Law 104–191, title II, § 264, 110 Stat. 2033 (1996), 42 U.S.C. § 1320d-2 note.
[15] Id. at § 164.512(e) & (i).
[16] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, 2006 O.J. (L 105) 54, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF; accessed April 20, 2010.

The EU Data Retention Directive requires Member States to adopt measures to ensure that electronic communications traffic data and location data generated or processed by providers of publicly available electronic communications services be retained for not less than six months and not more than two years from the date of the communication. The Data Retention Directive requires the retention of data necessary:

• to trace and identify the source of a communication
• to trace and identify the destination of a communication
• to identify the date, time and duration of a communication
• to identify the type of communication
• to identify the communication device
• to identify the location of mobile communication equipment.[17]

The retention requirement applies only to data generated or processed as a consequence of a communication or a communication service. It does not apply to the content of a telephone call or of electronic mail. The data retained must be made available to competent national authorities in specific cases “for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.”[18] Thus, each Member State can establish its own standards for serious crime as well as its own judicial or other procedures for access.

The data retention directive has been controversial throughout Europe, with Internet activists strongly opposed to its implementation in many EU Member States. Litigation has resulted in some national courts finding laws implementing the directive unconstitutional. The German law was suspended by the Federal Constitutional Court in early March 2010.[19] The German Court ordered the deletion of data collected. The decision did not exclude the possibility that a data retention law could pass constitutional muster, but it found that the law’s provisions for security of data were inadequate and that the uses of the data were not sufficiently clear. The Romanian Constitutional Court found the Romanian data retention implementation law unconstitutional.[20]

A data retention law has been proposed for the United States, although it has not received much attention from Congress to date.[21] The constitutionality of any data retention proposed will surely be contested on First Amendment and Fourth Amendment grounds. Much will depend on the scope and the details of any enacted law. For example, a data retention requirement for Internet activities could entail the storage of information about electronic mail that could include data about the sender, recipient, header, attachment, content, and more. The retained data could be available to criminal or civil law enforcement, intelligence agencies, or private litigants after a showing of probable cause, reasonable cause, relevance, or another standard. Data subjects could have rights to object before or after retained information is disclosed or could have no rights. The details affect any privacy and civil liberties evaluation, and any discussion of the possibilities would exceed the space available here. However, it seems clear that to the extent that a law requires the preservation of content rather than non-content information, the law will be harder to justify because existing precedents provide greater protections for the content of communications.

[17] Id. at Article 5.
[18] Id. at Article 1.
[19] German High Court Limits Phone and E-mail Data Storage, Spiegel Online International (March 2, 2010), available at http://www.spiegel.de/international/germany/0,1518,681251,00.html; accessed April 20, 2010. The decision itself (in German) is at http://www.bundesverfassungsgericht.de/pressemitteilungen/bvg10-011; accessed April 20, 2010.
[20] Romanian Constitutional Court: Data Retention Law Unconstitutional, The Sofia Echo (Oct. 9, 2010), available at http://www.sofiaecho.com/2009/10/09/797385_romanian-constitutional-court-data-retention-law-unconstitutional; accessed April 20, 2010.
[21] See S.436, 111th Congress (2009).

However, if a data retention law covers traffic, location, or transaction data only, there are some precedents in U.S. law that allow for government access with fewer or no procedural protections for the privacy of the individuals involved. For example, U.S. law allows for the use of pen registers that record dialed numbers without a search warrant.[22] The Stored Communications Act allows the government to order a provider of wire, electronic communication services, or remote computing services, to preserve records and other evidence in its possession pending the issuance of a court order or other process.[23] The Bank Secrecy Act requires banks to keep records of various transactions, including some cash activities and, effectively, all checks.[24] The Supreme Court upheld the law in 1974 as a valid exercise of federal power under the Commerce Clause.[25]

The distinction that the law makes for Fourth Amendment purposes between content and non-content has increasingly been the subject of litigation under ECPA but litigation remains, in the words of a leading Fourth Amendment scholar, “remarkably sparse.”[26] The step-by-step analogies that the courts have used to move legal reasoning from postal mail to telephone calls begin to break down when it comes to Internet activities because the content vs. non-content distinction is much harder to sustain over the wide range of Internet functions that extend far beyond basic communications. For email, the substance of a message may not be limited to the actual content of a message but may be visible in part from the header, subject line, title of attachments, or other elements. In a 2010 decision pertaining to electronic communications (albeit not on the content/non-content issue), the Supreme Court was tentative in offering guidance, observing that “[r]apid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior.”[27]

How the law develops in this area could make a significant difference to the ability of the government to prevent or investigate cyberattack activities on the Internet. Any expansion in the ability of the government to see content or content-like elements of Internet activities without a showing of probable cause will be strongly contested using Fourth Amendment arguments. However, at the same time, it will be argued that many Internet activities are voluntary, and a user’s expectations of privacy in this context are open to debate. Those expectations may be affected by the expansive monitoring of Internet activities for commercial purposes.[28] The routine and largely unrestricted commercial availability of the entrails of a user’s Internet activities could undermine arguments that the user had a reasonable expectation of privacy. Thus, privacy legislation affecting Internet monitoring of individuals by commercial entities could also be relevant to the discussion.

First Amendment challenges to data retention requirements can also be anticipated. The right to associate, to speak, and to receive information would all be affected by data retention, with the specific arguments depending on the precise requirements of a data retention regime and on the standards and procedures under which the government could retrieve information from a service provider. Advocates would argue that the First Amendment requires that a retention law be justified under a strict scrutiny standard—the most stringent standard of judicial review that requires that a law address a compelling governmental interest, that a law be narrowly tailored to achieve that interest, and that a law be the least restrictive means for achieving its objective.

[22] Smith v. Maryland, 442 U.S. 735 (1979). 18 U.S.C. §§ 3121-3127.
[23] 18 U.S.C. § 2703(f). The Act is part of the Electronic Communications Privacy Act. An order under this provision is generally called data preservation. Data retention generally means a blanket requirement for the maintenance of some information on all communications.
[24] 31 C.F.R. § 103.34(b)(10).
[25] California Bankers Association v. Schultz, 416 U.S. 21 (1974).
[26] Orin S. Kerr, Applying the Fourth Amendment to the Internet: A General Approach, 62 Stanford Law Review (forthcoming 2010), available at http://ssrn.com/abstract=1348322; accessed July 1, 2010.
[27] Ontario v. Quon, 560 U. S. __ (2010) (slip op. at 11).
[28] For more on the current controversy over behavioral targeting of Internet users for advertising and other purposes, see, e.g., Federal Trade Commission, Staff Report: Self-Regulatory Principles for Online Behavioral Advertising: Tracking, Targeting, and Technology (Feb. 2009), available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf; accessed April 20, 2010.

In some contexts, however, data retention may be largely unremarkable. Routine business activities, whether online or offline, create records that must be retained for tax, credit, or many other purposes. In private networks, all activities may be monitored and recorded by the network operator, who may be a service provider, employer, or other person acting with or without notice to or the consent of the individual. Backup systems retain copies of an entire network at regular intervals. Broad rights to use, maintain, and disclose an individual’s information can be reserved by a service provider through routine privacy policy or terms of service that its clients “consent” to by using the service. A recent report on cloud computing and privacy observed that a cloud provider may acquire rights over materials placed in the cloud “including the right to copy, use, change, publish, display, distribute, and share with affiliates or with the world the user’s information.”[29] These rights may exceed anything that laws mandating data retention require.

4. Terrorism and Cybersecurity

Congress enacted the USA PATRIOT Act less than two months after the events of September 11, 2001.[30] The Act is long and complex, and Congress amended it on several occasions, and more amendments are under consideration. Challenges to the Act have resulted in courts finding parts of the law unconstitutional. The details of the Act and subsequent litigation are too complex for this space. Generally, the Act expanded the ability of federal agencies to prevent and prosecute terrorism, with one title of the Act setting out enhanced surveillance procedures. For example, provisions make it easier for law enforcement agencies to search telephone and electronic communications and other records.

The Act also amended laws that make terrorism a crime. The basic definition of terrorism in the criminal code provides that terrorism must

    (A) Involve violent acts or acts dangerous to human life that are a violation of the criminal laws of the United States or of any State, or that would be a criminal violation if committed within the jurisdiction of the United States or of any State;
    (B) appear to be intended—
        (i) to intimidate or coerce a civilian population;
        (ii) to influence the policy of a government by intimidation or coercion; or
        (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping.[31]

Whether cyberattacks would fall within the definition of terrorism is not immediately clear, but it seems a possibility, perhaps depending on the motivation of the attacker. The analysis might well depend on the facts of any given case. The USA PATRIOT Act added the Computer Fraud and Abuse Act[32] to the predicate offense list for wiretapping so at least some of the powers of the Act would be available for cyberattack prevention or investigation.[33] Other authorities provided in the Act may also be available today for some cyberattack prevention activities.

[29] Robert Gellman, Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing at 17 (World Privacy Forum, 2009), available at http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf; accessed April 20, 2010.
[30] Public Law No. 107-56, 115 Stat. 272 (2001). The Act’s full name is Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.
[31] 18 U.S.C. § 2331. There is a separate definition for international terrorism and for domestic terrorism. Both use a similar definition, with the location of the activity being the difference. The part quoted here represents the core of the two definitions.
[32] 18 U.S.C. § 1030.
[33] 18 U.S.C. § 2516(1)(c).

A broader question is whether Congress or the public would consider cyberattack prevention to be of equal importance to terrorism prevention to justify the granting or use of powers equivalent to those under the USA PATRIOT Act. The Act has remained highly controversial and the subject of continuing congressional actions. Any expansion of the Act or enactment of a similar law for cyberattack prevention would raise the same legal, constitutional, and political controversies that have dogged the Act from its inception.

5. The Fourth Amendment and Special Needs Cases

Ordinarily, the Fourth Amendment requirement that searches and seizures be reasonable means that there must be individualized suspicion of wrongdoing. In some circumstances, the usual rule does not apply. Whether the prevention of cyberattacks could justify an exemption from strict application of the Fourth Amendment is an open question.

In the so-called special needs cases, the courts have upheld suspicionless searches in some circumstances. For example, the Supreme Court allowed random drug testing of student athletes; drug tests for some Customs Service employees; and drug and alcohol tests for railway employees involved in train accidents. Searches were allowed for certain administrative purposes without particularized suspicion of misconduct, provided that the searches are appropriately limited. The Supreme Court also upheld brief, suspicionless seizures of motorists at a fixed Border Patrol checkpoint designed to intercept illegal aliens and at a sobriety checkpoint aimed at removing drunk drivers from the road.[34]

Because of the international scope of cyberattacks, any inquiry must consider other law that establishes diminished Fourth Amendment protections in international matters. The Foreign Intelligence Surveillance Act establishes lower standards for conducting surveillance in cases involving agents of a foreign power or a foreign terrorist group. The details of FISA, its amendments, litigation, and history are far beyond the scope of this paper. However, even the diminished FISA standards have been held to give way to the lower standards recognized in special needs cases. Thus, the United States Foreign Intelligence Surveillance Court of Review held in 2008 that a foreign intelligence exception to the Fourth Amendment’s warrant requirement exists when surveillance seeks foreign intelligence for national security purposes and is directed against foreign powers or agents of foreign powers reasonably believed to be located outside the United States.[35]

Whether prevention of cyberattacks could qualify as a special needs case is unknown. Any expansion of special needs would be controversial, and a special needs case involving domestic cybersecurity matters would be especially controversial.

III. ISSUES RELATING TO SPEECH AND ASSOCIATION

The Internet raises a host of First Amendment speech and association issues, some of which are relevant to activities seeking to prevent cyberattacks. This is an area where it is especially difficult to be comprehensive and to disentangle issues. Two preliminary observations are offered. First, the First Amendment does not protect against actions taken by private entities, although there can be some overlap between the public and private spheres at times. The First Amendment is a protection against abridgment of speech by government, state or federal. Second, it has been famously said that on the global Internet, the First Amendment is a local ordinance. To the extent that cyberattack protections involve other nations, First Amendment protections may not be available with respect to Internet activity that originates in or passes through those other nations.

[34] City of Indianapolis v. Edmond, 531 U.S. 32 (2000). However, the Court refused to allow a general interest in crime control to provide a justification for suspicionless stops. Id.
[35] In Re Directives Pursuant to Sec. 10B, 551 F. 3d 1004 (FISA Ct. Rev., 2008).

1. Internet as a Human Right

The Internet has rapidly become a vibrant public forum for speech of all types, including news, political discussions, government communications, commercial speech, and everything else. In some countries, access to the Internet is a fundamental right of its citizens.36 In Finland, broadband access is a legal right.37

However, rhetoric about the fundamental importance of the Internet does little to advance the present discussion of preventing cyberattacks. Whatever right may exist is not an unlimited right. A new law in France illustrates the point. As originally enacted, the law would have allowed a government agency to suspend an individual’s user account. The French constitutional court found that the law violated constitutional free speech protections. After an amendment that required a judge to make the decision to suspend, the court allowed the law to stand.38 During the controversy over the French law, the European Parliament voted to make it illegal for any EU country to sever Internet service unless a court finds a citizen guilty.39

Whatever the scope of an individual’s right to use the Internet may be, the view in Europe seems to be that the right may be restricted through actions that are not disproportionate and that involve a decision by an independent and impartial judge. The right to use the Internet is, in essence, the right to due process of law before the ability to exercise the right to use the Internet is removed or restricted.

The same principles may apply when the reasons for seeking termination of Internet access relate to cyberattack prevention. It may be possible to argue in some cases that immediate threats to critical infrastructure would justify a different or lesser set of due process procedures prior to termination of Internet access rights.40 Regardless, any rules or procedures with the potential to deny an individual access to the Internet will be controversial and the subject of considerable scrutiny on constitutional or legal grounds.

2. Anonymity

Anonymity on the Internet is a feature prized by many Internet users, often for different reasons. Many Internet activities can be conducted with a significant degree of anonymity using onion routers,41 free email accounts that do not require any form of identification, public kiosks, blogs that do not ask posters to register, and in other ways. Whistleblowers, political activists, dissidents, and ordinary users value anonymity.

The extent to which Internet activities are truly anonymous is uncertain. Even a user who takes concerted action to protect identity may not succeed all the time, especially against a person or government determined to uncover that identity.

Discussing the right to anonymity online is difficult for several reasons. First, the scope of a First Amendment right to anonymity is not clear, and tracking down the borders of anonymity leads far afield from the Internet without necessarily providing clarity. Second, there are many different objectives that a right to (or interest in) online anonymity may satisfy in whole or in part. For example, victims of domestic violence have some unique interests that are not relevant here. Third, it is hard to cover every possible cybersecurity activity that might affect an anonymity interest.

In cases involving political speech, the Supreme Court has consistently overturned laws that prohibited the distribution of anonymous handbills and similar laws that prevented anonymous political speech. Political speech is the most highly favored speech under the First Amendment. However, as one scholar described cases in this area, “the Court failed to embrace the notion of a free-standing right to anonymity and instead employed what would become a characteristic (and maddening) level of ambiguity.”42

In other areas, a right to anonymity is not clearly established. In 2004, the Supreme Court upheld the conviction of an individual who refused to identify himself to a police officer during an investigative stop involving a reported assault. A state statute required a person detained by an officer under suspicious circumstances to identify himself.43 The case raised Fourth and Fifth Amendment issues, but it was also seen as raising broader questions about the right to remain anonymous. The case’s relevance to cyberspace is limited, but it illustrates that the Court does not universally favor anonymity.

The right to anonymity on the Internet has also been raised in a series of cases that balance the right to speak anonymously against the right of those who claim injury from anonymous defamatory speech. The law here is under development in many different courts and, not surprisingly, with the adoption of different approaches. Courts tend to require a plaintiff to show that a suit is viable before ordering disclosure of the speaker’s identity. According to one scholar, the standard that appears to be becoming dominant requires a showing of evidence sufficient to establish a prima facie case of defamation coupled with a balancing of the right to speak anonymously and the right to pursue a libel claim.44

Anonymity concerns are likely to be raised by whistleblowers, i.e., individuals who raise concerns about wrongdoing occurring in an organization. Scattered federal and state laws provide some protections for whistleblowers, and the whistleblower community continues to press for stronger protections. Anonymity can be a method for whistleblowers to raise issues while avoiding the consequences of identification. To the extent that activities take place on a private network that does not support anonymity, the availability of the Internet as an alternative way to communicate about possible wrongdoing lessens concerns about the closed nature of a particular network and the lack of any anonymous methods of communications.

Political and other dissidents may also rely on anonymity to protect their identities when complaining about government or other activities. Anonymity can also assist activists who seek to find and communicate with others who hold similar views and to organize their efforts. Anonymity can also allow those with minority views, with unpopular views, or with other needs or fears to speak and organize. Here too, restrictions on a closed network may be of lesser concern if, at the same time, the Internet otherwise allows anonymity for communications and activities. However, if protections against cyberattacks undermine or interfere with the ability to use the Internet anonymously, those protections will be significantly more controversial politically and legally.

It does not seem possible in the abstract to draw a line where the federal government can lawfully prevent or punish anonymous speech, although it has broader powers with respect to a network that it operates.

3. Restraining Publication of Security Information

One method that may be relevant to preventing cyberattacks is to limit or prevent the publication of information about vulnerabilities of computer systems, whether the information is held by government or private actors.45 Restrictions on the availability of information about security vulnerabilities raise First Amendment issues. The practical difficulties of restricting speech on the Internet are real but not necessarily material to the legal or constitutional issues.

Source Code

It is not entirely settled that the publication of source code constitutes speech protected under the First Amendment. In a leading case that arose in the context of export regulations, the Ninth Circuit concluded in the context of that case that encryption software qualified for First Amendment protections.46 An alternate view expressed in the dissent is that source code is a method of controlling computers and is more function than speech.47 The case has a complex history and does not offer a broad holding. The proper characterization of source code for First Amendment purposes has many different perspectives.

Copyright

The anti-circumvention provisions of the Digital Millennium Copyright Act48 (DMCA) principally sought to stop copyright infringers from defeating anti-piracy protections in copyrighted works. The DMCA bans both acts of circumvention and the distribution of tools and technologies used for circumvention. The law exempts some activities, including security testing and encryption research. The DMCA has been used in a variety of ways to stop publication of information about security vulnerabilities, remove content from the Internet, affect research activities, and in other ways.49 Opponents of the law contend that many of these uses chill free speech activities. The DMCA has some relevance to private sector attempts to prevent cyberattacks, but federal government information is not subject to copyright so the DMCA may not be relevant.50

Contractual Methods

Tools, techniques, and policies allow for government controls over publication of some information by some individuals. Contracts that require government employees not to publish any information without pre-publication review by the government offer one approach. In the leading case, the Supreme Court upheld a contract signed by an employee of the Central Intelligence Agency that imposed the restriction as a condition for access to classified information.51

Classification

The classification and control of federal government information in the interest of national defense or foreign policy (security classification) is another possible approach to cyberattack prevention. Classification protects security information controlled by the federal government, makes its use and disclo-

36 Colin Woodward, Estonia, Where Being Wired Is a Human Right, Christian Science Monitor (July 1, 2003), available at http://www.csmonitor.com/2003/0701/p07s01-woeu.html. A 2010 poll taken in 26 countries found that almost 79% of those questioned said they either strongly agreed or somewhat agreed with the description of the Internet as a fundamental right. Internet Access Is a Fundamental Right, BBC News (March 8, 2010), available at http://news.bbc.co.uk/2/hi/technology/8548190.stm.
37 Saeed Ahmed, Fast Internet Access Becomes a Legal Right in Finland, CNN.com (2009), available at http://www.cnn.com/2009/TECH/10/15/finland.internet.rights/index.html.
38 Eric Pfanner, France Approves Wide Crackdown on Net Piracy (Oct. 23, 2009), New York Times, available at http://www.nytimes.com/2009/10/23/technology/23net.html.
39 Kevin J. O’Brien, French Anti-Piracy Proposal Undermines E.U. Telecommunications Overhaul, New York Times (May 7, 2009), available at http://www.nytimes.com/2009/05/07/technology/07iht-telecoms.html.
40 The discussion below regarding the administrative license suspension for driver’s licenses may suggest a precedent.
41 With onion routing, messages are repeatedly encrypted and sent sequentially through different nodes. Each node removes a layer of encryption to find instructions for sending the message to the next node. Intermediary nodes do not know the origin, destination, or contents of the message.
42 Jonathan Turley, Registering Publius: The Supreme Court and the Right to Anonymity, Cato Supreme Court Review (2001-02), available at http://www.cato.org/pubs/scr/2002/turley.pdf; accessed April 20, 2010.
43 Hiibel v. Sixth Judicial District Court of Nevada, 542 U.S. 177 (2004).
44 Lyrissa Barnett Lidsky, Anonymity in Cyberspace: What Can We Learn from John Doe?, 50 Boston College Law Review 1373, 1378 (2009).
45 See 6 U.S.C. § 133 (establishing restrictions on the use and disclosure of information regarding the security of critical infrastructure voluntarily submitted to a Federal agency).
46 Bernstein v. U.S. Dept. of Justice, 176 F.3d 1132 (9th Cir. 1999), withdrawn, 192 F.3d 1308 (9th Cir. 1999).
47 176 F.3d at 1147.
48 17 U.S.C. § 1201.
49 See generally, Electronic Frontier Foundation, Unintended Consequences: Twelve Years Under the DMCA, available at https://www.eff.org/wp/unintended-consequences-under-dmca; accessed April 20, 2010.
50 17 U.S.C. § 105.
51 Snepp v. United States, 444 U.S. 507 (1980).

vided by a passenger when making an airline reservation, with information on the watch lists. In order to do better matches of records, TSA and the airlines started requiring passengers to provide full name, date of birth, and gender at the time of a reservation. These additional elements are supposed to help prevent misidentification of passengers with similar names. Other information that TSA receives from the airline includes itinerary, passport number (for an international flight or if otherwise available to the airline), and reservation control number. TSA can obtain a full Passenger Name Record (PNR), which reveals other information including food, health, and other preferences.

TSA retains records for individuals not identified as potential matches by the automated matching tool for seven days after completion of travel. TSA keeps records of an individual who is a potential or confirmed match for no less than seven years. TSA keeps records of an individual who is a confirmed match for 99 years. Data retained by airlines is not subject to these limits, and TSA may obtain the data from the airlines.

A registered traveler program allowed passengers who paid a fee and submitted to a background check to use reserved security lanes with shorter waits at airport checkpoints. The program was voluntary and run by the private sector. An applicant provided additional information, including a biometric, and received a smart card credential. When the company that provided the bulk of the service went out of business, the registered traveler program disappeared. Some criticized the program as providing special treatment for wealthy travelers.

B. Redress

TSA has a program offering redress to travelers who experience denied or delayed airline boarding, who experience denied or delayed entry into and exit from the U.S., or who are continuously referred for additional (secondary) screening. The Travel Redress Inquiry Program (DHS TRIP) basically allows an individual to ask for a review in order to minimize or eliminate future watch list name confusion. TSA will not reveal whether an individual is on a watch list, however. An individual seeking redress fills out a form and may be asked to provide additional documentation. A successful traveler will receive a Redress Control Number that airlines collect and that may help to minimize identification or screening problems. An individual who is dissatisfied with the DHS TRIP process may file an appeal with DHS. Effective judicial review of DHS actions may not be available.

The Secure Flight program collects and maintains information on international travelers from airlines, travel agencies, and tour operators in other countries. This brings aspects of the program under the purview of foreign data protection laws. For example, in 2007, the European Union and DHS entered into an agreement about the processing and transfer to DHS of Passenger Name Records (PNR) by airlines operating in Europe.139 The agreement reflects a determination by the European Commission that U.S. laws, in conjunction with DHS policies regarding the protection of personal data and the U.S.-EU Passenger Name Record Agreement, are adequate to permit transfers of PNR data to the U.S. government and that the transfers comply with EU standards under the Data Protection Directive. The agreement is now subject to ratification by the European Parliament,140 where some members have been critical of the terms of the data transfers.

C. Discussion

The Secure Flight process differs significantly from the process for granting security clearances and drivers’ licenses. While Secure Flight is not quite a real-time clearance, it can be close to that. Normally, there is no review of identity documents other than a limited check at an airport security checkpoint or the presentation of passports for international travel. The program mostly matches individuals against lists of people not allowed to fly or who require additional screening. These lists are compiled by TSA and other agencies separately and based on criteria that are not publicly known. TSA will not directly inform an individual if he or she is on one of the lists, although inferences are possible from the way that the individual is treated at the airport. Clearance operations are not conducted in public view, and travelers do not know the details of the review process. Secure Flight clears as many as several million people daily and hundreds of millions of people annually, many more people than seek security clearances or drivers’ licenses.

The Secure Flight redress process came as a legislative direction that followed regular news reports of continuing problems with the clearance process. Congress intervened several times during the development and implementation of airport passenger clearance systems to express concern about privacy and about redress.

Secure Flight also raises directly issues of international privacy standards that are absent from drivers’ licenses and security clearances. It is possible that the international consequences of any standards for cybersecurity activities would require negotiations with other countries similar to the negotiations with the EU about Secure Flight.

Finally, Secure Flight has been controversial, with interest groups raising privacy and constitutional objections to the data collection, screening, and secrecy.

4. Other Methods, Other Models

Broader use of identification for general purposes or for cybersecurity purposes will raise harder political, legal, and constitutional issues. The precise terms of any identification use, issuance procedures, due process rules, and information processing policies will shape the arguments about constitutionality and effects on civil liberties and privacy. It is not possible here to make all the arguments or resolve any of them. However, it is apparent that an identification system has the potential to impinge on anonymity, inhibit speech and association, affect the right to travel, affect other fundamental constitutional or statutory rights, and perhaps exceed the authority of the federal government in other ways (Tenth Amendment). Whether the courts would recognize any of these concerns at the constitutional level is impossible to predict, but it seems certain that these issues will arise.

In 2008, the Supreme Court upheld a state law requiring citizens voting in person to present government-issued photo identification.141 It may or may not be telling that the identification requirement did not extend to those who did not vote in person. However, the Help America Vote Act of 2002 requires first time registrants voting by mail to include a copy of identification with the ballot.142 The Court did not require strict scrutiny of the voter ID law, but judicial consideration of a requirement that affects broad First Amendment speech issues is less likely to use the same, weaker standard of judicial review. Regardless, it is difficult to use this decision to assess possible Internet identification requirements because the facts and the particulars could make a major difference. Still, the Court upheld the identification requirement here and reached a similar outcome in the Hiibel case discussed above. Clearly, the Court is not strongly averse to identification requirements.

The federal government is already exploring and implementing identity, credentialing, and access management systems to provide a consistent approach for clearing and managing individuals requiring access to federal information systems and facilities.143 Identification and authorization systems can be unremarkable from a privacy and civil liberties perspective, but they can also raise a host of questions depending on the standards used, due process procedures, scope of application, and data collected and retained. These same issues can arise with any type of identification or licensing system.144

139 http://www.dhs.gov/xlibrary/assets/pnr-2007agreement-usversion.pdf; accessed March 15, 2010.
140 See European Parliament, Legislative Observatory, available at http://www.europarl.europa.eu/oeil/file.jsp?id=5836052; accessed March 15, 2010. On May 5, 2010, the European Parliament showed its displeasure with the agreement by postponing voting on its approval. http://www.europarl.europa.eu/news/expert/infopress_page/019-74146-125-05-19-902-20100505IPR74145-05-05-2010-2010-false/default_en.htm; accessed May 21, 2010.
141 Crawford v. Marion County Election Bd., 553 U.S. ___, 128 S. Ct. 1610 (2008).
142 42 U.S.C. § 15483(b)(3).
143 See http://www.idmanagement.gov/drilldown.cfm?action=icam; accessed April 15, 2010.
144 See generally Committee on Authentication Technologies and Their Privacy Implications, National Research Council, Who Goes There? Authentication Through the Lens of Privacy (2003).

In particular, an Internet identification or authentication system can be a surveillance mechanism if the system routinely creates a central record of all Internet activities of each user as a result of the clearance process. An Internet identification or authentication system would raise privacy and security concerns that could easily exceed in range and detail the information about the exercise of First Amendment rights collected in a driver’s licensing system, by Secure Flight, or even through the security clearance process. A system that fails to properly assess the degree of risk involved or that makes unwarranted demands on users may exacerbate civil liberties and privacy concerns.145 If the federal government relied on credentials issued by private entities, those concerns could extend beyond government functions and spill over into the rules and procedures of those private entities.

The federal government’s use of systems to control access to government computers is not the most troublesome part of credentialing or licensing. A broader government requirement for a license for general use of the Internet beyond access to government facilities would be of greater concern. If licensing were the only way to overcome security problems that made the Internet significantly dysfunctional, the argument for licensing might be stronger than if the purpose of the licensing were to require complete identification and accountability for all Internet activities so that criminals could be identified more readily after the fact. The circumstances that result in licensing of users would make a significant difference to the analysis.

The narrower the purpose and application of an ID system/technology, the less likely it will be to raise these concerns. Despite their widespread de facto use as general-purpose identifiers, drivers’ licenses were not as controversial until the REAL ID Act sought to alter the process of issuance, mandated collection and maintenance of more personal information, and established requirements and potential for its use that extended beyond established norms. The 1994 Driver’s Privacy Protection Act addressed some of the privacy concerns that surrounded the marketing and other secondary uses of drivers’ information. The widespread use of Social Security numbers (SSNs) for identification has, after many years, brought legislative responses at the federal and state level restricting the collection, use, or display of SSNs in some contexts.146 Many but not all of these responses followed the explosion of identity theft and of complaints from individuals about the consequences of identity theft.

For many individuals, an identification requirement or other prerequisite for using the Internet (as opposed to a prerequisite for using a particular website) would almost certainly be viewed today as similar in importance to a driver’s license, if not more important. Access to the Internet, whether or not a fundamental human right, is now for most people in the United States necessary for employment, communication, routine commercial activities, and many other essential, routine, and daily activities.

None of the licensing models described in this section affects an activity as close to the heart of First Amendment values as an Internet licensing scheme would. A governmentally established identification/authorization prerequisite to general Internet access would be, to say the least, controversial. The level of controversy would vary with the scope of the requirement and the amount of information about Internet access and usage that was retained.

However, a governmentally established prerequisite to access a non-public government network would not be controversial or even novel. The federal government operates classified systems with access limited to individuals who have security clearances. A private requirement for access to a private network or website is largely unremarkable as well. It is not that civil liberties and privacy concerns are entirely absent, but that the basic notion of controlling access to some information and facilities is familiar.

145 The Office of Management and Budget calls for a risk assessment for authentication and a matching of risks to an appropriate assurance level. OMB Memorandum to the Heads of all Departments and Agencies, E-Authentication Guidance for Federal Agencies (Dec. 16, 2003), http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf; accessed April 15, 2010.
146 Section 7 of the Privacy Act of 1974, Public Law 93-579, 88 Stat. 1909 (1974), 5 U.S.C. § 552a note, restricts collection of SSNs by federal, state, and local government agencies. This was one of the first legislated restrictions on SSN use. Many more followed in the 1990s and later.

0 RoBERt gEllmAn When an identification/authorization requirement is narrow in application, limited in scope, and simple to meet (e.g., user name and password), controversy is less likely to arise. Indeed, simple, limited purpose identification and authorization systems are in widespread use today with few objections. To the extent that private activities (whether voluntary or required by law) collect and maintain additional records about Internet usage by individuals, those records can become available to the government without notice to or participation by the subject of the records. The availability to the government of a list of every website visited by every Internet user would be controversial, to say the least. 147 The earlier discussion about U.S. . miller and the lack of privacy protections for records held by third party record keepers is relevant here. If we split the issue of authorization from identification, we face different choices and analyses. Identification might be required for some functions, but there might be a range of allowable activities that call for demonstrating other attributes (e.g., age) rather than identification. 148 An individual might only receive authorization to undertake some activities (e.g., change computer settings or use a private network) after showing competence in security matters. Drawing lines, however, is not that simple. Even if restricting access to private networks—whether operated by the government or others—is not on its face problematic, much will depend on what activities occur on the private network. We already have private systems with varying identification and authentication prerequisites. Some may raise civil liberties or privacy concerns, but private sector activities will fall outside most constitutional and statutory protections. 
However, if a citizen must have some form of identification or authorization in order to communicate or conduct ordinary, non-national security business with a government agency, the argument about the propriety of the identification requirement would turn in part on the nature of the communication or the business at issue. The require- ment would raise, for example, concerns about impinging on the right to petition the government for a redress of grievances, the right to associate with others, or perhaps the right to practice a religion, all rights protected by the First Amendment. An Internet identification/authentication requirement could make it impossible or unduly difficult for a citizen without identification to fulfill legal duties (e.g., file tax returns), obtain benefits available by law, or exercise rights. The REAL ID Act is controversial, in part, for this reason. That Act could make it difficult or impossible for a citizen to enter a federal building without an identification document that qualifies under the Act. The analysis would be different if the user of a particular government activity had no alternative to using an identification-restricted Internet than if use of a restricted Internet were one of several options. For example, if meeting particular Internet identification requirements in order to vote or receive Social Security benefits were the only option, the conclusion might be different than if in-person or postal mail alternatives also existed at the same time. Even an Internet identification/authentication requirement for a private network operated prin - cipally for private purposes, it still could raise concerns about how citizens can carry out basic tasks essential to function in society, many of which remain entangled with government activities or regula - tions. For example, for many people the health care sector is an amalgam of private and government players and actions. 
A private requirement for an Internet ID that effectively served as a prerequisite to interfacing with the governmental part of the health care system could raise more intensive civil liberties 147 The issuance of a driver’s license or an automobile license plate has not in the past resulted in the reporting or collection of information about where an individual or automobile goes. However, with the use of electronic toll collection devices, conges - tion pricing for highways, and other automated automobile information collection systems, the compilation of additional records about driving habits may become both more commonplace and more controversial. One difference between driving and Internet usage is that driving typically takes place in a public space and much Internet usage does not. The extent of privacy rights in public spaces appears to be undergoing some rethinking at present. United States . maynard, decided in August 2010 by the D.C. Circuit, is one of several recent cases where the issue of the applicability of the Fourth Amendment to tracking an automobile in public by use of a GPS device arose. http://pacer.cadc.uscourts.gov/docs/common/opinions/201008/08-3030-1259298.pd f. 148 Identification or authentication requirements could offer additional privacy protections (by limiting identity theft) or assist with other objectives (keeping children away from websites aimed at adults). Whatever other benefits might arise, they do not necessarily relate to the cybersecurity matters under discussion here.

OCR for page 273
0 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS concerns. Additionally, if a government Internet ID were adopted by the private sector and became a practical prerequisite to using the Internet even for private activities, the government process might be questioned for its practical effect on citizens, for any discriminatory effect that the process might have in design or in practice, for its privacy consequences, and otherwise. Depending on the purpose of identification in the narrower context of preventing cyberattacks, it remains open to debate whether a greater use of identification would be successful in either deterring bad actors or finding them after the fact. The prevalence of identity theft suggests that those interested in using the credentials of others for cyberattack purposes might have little difficulty doing so by stealing the elements needed to impersonate another. Further evidence on this point is the ability of malfeasors to establish and control remotely other computers connected to the Internet. A significant percentage of computers connected to the Internet may be part of a botnet. Botnets could be another channel for cyberattacks unaffected by identification requirements for users because the computers on the network have credentials. In addition to identifying individuals using the Internet, it is also possible that the government could require Internet users to demonstrate proficiency in some important Internet skills pertaining to security or otherwise. Automobile drivers must pass both written tests and road tests that demonstrate knowledge of laws and rules and the ability to drive. Arguably, the same types of prerequisites could apply to some or all Internet usage. The cost and difficulty of managing a proficiency requirement and keeping it up-to-date aside, any proposal would likely be challenged as a limit on the exercise of First Amendment rights. 
It would likely be seen as the equivalent of requiring a government license to read a newspaper, use a telephone, or mail a postal letter. It might well prove difficult or impossible to show that a proficiency requirement is compatible with the First Amendment. An employer, including the government, may impose training requirements on its workers, but a general-purpose rule applicable to the population at large would be more challenging to justify.149 In all of these cases, whether or not an Internet prerequisite violated a constitutional standard, it is nevertheless the case that civil liberties, due process, and privacy would be affected by the rules and procedures that attach to the prerequisite, by the process for issuing the identification, by the amount of personal information collected and maintained, and by the secondary uses for the information. Even with privately issued identification, some or all of these issues would arise, whether or not a public or private network relied on the identification. Laws prohibiting discrimination would presumably apply to private sector identification schemes, for example. The discussion of security clearances, driver’s licenses, and flight clearance shows that we have found ways to balance the rights and interests involved in licensing schemes. That does not mean, however, that acceptable balances will always be found for the next licensing idea. Licensing computer technicians, programmers, cybersecurity specialists, or other professionals whose activities directly affect cybersecurity on the Internet is another possibility. We have considerable experience in licensing professionals through state or private sector actions, with due process and privacy concerns similar to the licensing activities discussed above. Licensing of Internet professionals would be less controversial than licensing Internet users. 
Licensing requirements for computer programs are another possibility, and one that would raise more civil liberties concerns because computer programs are intertwined with speech and are protected by the First Amendment. Whether any of these types of licenses would have any significant effect on preventing unlicensed actors or malware from affecting use of the Internet is far from clear, however. For some users, computer maintenance is accomplished by grandchildren and not by professionals. A system that effectively controls computer programs is difficult to envision. As with any licensing system, a criminal who engages in an illegal activity is not likely to care that his or her actions also violate the obligation to obtain a license.

149 The HIPAA health privacy rule contains a requirement that covered entities train health care workers in privacy. 45 C.F.R. § 164.530(b). This seems unremarkable. However, a training requirement for patients would be another matter and considerably more difficult to carry out or justify.

We have not exhausted the identification requirements that might arguably be relevant to preventing cyberattacks. Instead of, or in addition to, licensing individuals to use the Internet, it is possible for government to require identification or licensing of machines that access the Internet. Individual computers or other devices could be required to have and to disclose as a condition of access to the Internet a unique identifier that might be required to be registered in advance or subject to association with particular individuals after the fact. An alternative approach might require that computers accessing the Internet contain specific hardware or software with particular functionality (e.g., virus checking software). Another approach could require regular inspection of Internet devices to determine if they meet specific requirements and are up-to-date. All of these techniques are used today for automobiles. Each automobile has a Vehicle Identification Number (VIN), a unique serial number used by the automotive industry to identify individual motor vehicles. Automobiles must display unique license plates issued by governments. Most states mandate some form of safety inspection, including an inspection for emissions in some areas.150 Federal rules require auto manufacturers to install safety equipment, such as airbags. States require proof of insurance before allowing an automobile to be registered. The federal government likely has the power under the Commerce Clause to regulate computers in similar ways, at least up to the point where the regulations clash with First Amendment interests. Requiring serial numbers for some or most Internet access devices may be possible. For technical reasons, cell phones are identified to the cellular network in order to function, so identification seems less of an issue. 
Internet devices typically use Internet Protocol addresses, which offer a type of identification that may or may not be constant for each device over time. A fixed IP address could serve as an identifier.151 Registration or identification requirements for other devices would be controversial, of course. In the late 1990s, Intel proposed to produce computer chips with a unique Processor Serial Number (PSN). Objections from the privacy community (“Big Brother Inside”) pressured the company into abandoning its plans, and the PSN was dropped.152 Google released its Chrome browser with a unique identifier, drawing criticism from some privacy advocates, but reports suggest that Google plans to abandon the identifier.153 Computers that access the Internet now include many types of devices—including televisions and refrigerators—and requiring some types of inspection seems impractical. The so-called Internet of things (connection of routine objects and devices to the Internet) could result in a vast expansion of items connected to the Internet, including every household item connected to the electrical grid, articles of clothing, body parts, and much else.154 As a practical matter, it may be unworkable to design and implement a system that mandates and enforces an identification requirement for every Internet device. One can envision, possibly, a remote inspection of all Internet access devices for security purposes. The government might be able to mandate remote inspection using powers available under the Commerce Clause. 
A possible precedent is the Communications Assistance for Law Enforcement Act (CALEA), a 1994 law intended “to make clear a telecommunications carrier’s duty to cooperate in the interception of communications for law enforcement purposes, and for other purposes.”155 The law requires telecommunications carriers and manufacturers of telecommunications transmission and switching equipment to ensure that equipment, facilities, and services allow the government to isolate and intercept all wire and electronic communications. Essentially, CALEA forces telecommunications carriers to design their networks so as not to impede authorized law enforcement surveillance requests.

150 See generally 42 U.S.C. § 7401 et seq.
151 It is a contested issue today whether an IP address is a personal identifier. The value of an IP address as a personal identifier is cloudy when there are multiple users for a single computer.
152 See http://bigbrotherinside.org/; accessed March 17, 2010.
153 Ryan Whitwam, Google to Drop Unique IDs from Their Chrome Browser, MaximumPC, available at http://www.maximumpc.com/article/news/google_drop_unique_ids_their_chrome_browser; accessed March 17, 2010.
154 See, e.g., Commission of the European Communities, Internet of Things—An Action Plan for Europe (June 18, 2009) (COM(2009) 278 final), http://ec.europa.eu/information_society/policy/rfid/documents/commiot2009.pdf; accessed April 15, 2010.
155 47 U.S.C. §§ 1001-1010.

CALEA does not directly affect consumer devices, but Congress might require that consumer devices include the capability of allowing for government access via remote inspection under specified circumstances. Again, the practicalities of implementing and enforcing a remote inspection scheme for all Internet devices seem overwhelming, and the constitutional issues are most difficult. Enforcement of some or all of these requirements would be additionally challenging because many of these devices enter the country or access the Internet from abroad every day. The government has broad authority to conduct suspicionless border searches of laptops and other electronic storage devices, although it would be hard to do a search of every person and every device.156 Further, devices in other countries that access networks in the United States present additional compliance and enforcement issues. A uniform international scheme for controlling Internet devices seems a remote possibility at best. The global nature of the Internet and the presence of multiple and potentially overlapping regulatory regimes raise other vexing questions. These include the extent to which any national government could impose or seek to impose requirements on Internet users in other countries or users crossing borders, whether their own citizens or others, that would affect privacy or civil liberties. It would certainly be argued that any type of regulation that affects the means of speech on the Internet would be akin to regulating speech directly or to licensing printing presses. The regulation would be strongly challenged on First Amendment grounds. The level of judicial scrutiny of an Internet access regulatory scheme would be an important and debatable point. 
If the government’s actions were strictly content neutral, proponents would argue for intermediate scrutiny under which the actions would only have to serve an important or substantial governmental interest unrelated to the suppression of speech and could not burden speech more than is necessary to satisfy that interest. For example, a mandate that personal computers use parts that are readily recyclable would be more likely to be seen as a content neutral regulation. Yet it is much more likely that a requirement that every computer include a permanent and unerasable keystroke logger would draw very strong objections on First Amendment grounds, with demands for review under the strictest scrutiny standard that would require the government to demonstrate that the regulation furthered an overriding state interest and was drawn with narrow specificity to avoid any unnecessary intrusion on First Amendment rights. A potentially intermediate example might be a requirement that every computer have virus protection software installed and kept up-to-date. Other possible intermediate examples are a requirement that all ISPs examine Internet messages for malware or a mandate that all browsers include specific features. Regardless of the standard that would apply for constitutional assessment of these requirements, it seems certain that there would be considerable political controversy about any increased role for the federal government in defining prerequisites for access to or use of the Internet. There would likely be strong objections to even the most mild-mannered mandate because it would open the door to stronger and more invasive legislative mandates in the future. In the absence of a specific identification, licensing, or authentication system, the discussion is quite abstract and unsatisfying. 
Controls that may have some appeal at a high level of abstraction can face overwhelming practical implementation problems and significant costs in addition to the legal, constitutional, and political objections. The REAL ID law, which is much less sweeping in scope than an Internet licensing scheme would be, started with enough political support to become law, but rapidly became the target of practical, cost, and civil liberties objections. Years after passage, REAL ID languishes with few steps toward implementation actually accomplished.

156 In 2009, the Department of Homeland Security issued directives on border searches of electronic media. U.S. Customs and Border Protection, Border Search of Electronic Devices Containing Information (CBP Directive No. 3340-049) (Aug. 20, 2009), available at http://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdf; accessed March 18, 2010; U.S. Immigration and Customs Enforcement, Border Search of Electronic Devices (Directive No. 7-6.1) (Aug. 18, 2009), available at http://www.dhs.gov/xlibrary/assets/ice_border_search_electronic_devices.pdf; accessed March 18, 2009. The Department’s Privacy Impact Assessment for these policies is available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_cbp_laptop.pdf; accessed March 18, 2009.

It is easy to suggest that licensing of users or similar schemes will have benefits, but it is another thing to develop a system that will actually work to meet its objectives in the worldwide Internet with an untold number of devices connected to it, hundreds of millions of users connecting and disconnecting every day, and rapid technological changes. A licensing system that controlled 99% of users and devices would still leave plenty of opportunities for evasion by those who are motivated, assisted by insiders within the licensing administration, supported by hostile foreign governments, or others.157 Identity thieves already operate a robust, underground market where stolen information and illegal services are sold and advertised.158 An expansion of these activities to include information about Internet identities and licensees can be anticipated. The goals of any licensing system could matter a great deal. We regulate drivers not with the expectation of removing every improper driver or car from the road. The overall regulatory system results in improvements and not perfection. Despite laws, we still have unregistered cars, unlicensed drivers, stolen license plates, and uninsured motorists on the road every day. A system to prevent cyberattacks could have narrower goals of improving privacy and security on the Internet without necessarily being expected to avoid everyone who is highly motivated or well-financed. However, to the extent that a licensing system affects the exercise of First Amendment values, narrower goals may make it harder to justify sweeping restrictions. On the other hand, proponents of regulating Internet devices would argue that licensing and credentialing have the potential to provide better privacy and other protections to individuals. Problems for users that result from spam, malware, identity theft, and the like might diminish with the adoption of broad licensing and credentialing systems. 
Thus, societal costs from computer viruses might decrease if all computers had adequate anti-virus protection. Still, the benefits of licensing Internet users or activities might not be enough to overcome the constitutional limitations on governmental powers. The issues involved here are obviously multidimensional and cannot be fairly assessed using a single scale. Regardless of the applicable standard, however, Internet device regulation that restricts or limits speech in any way might well fail to be upheld because of First Amendment concerns. One hypothetical analysis of the constitutionality of licensing printing presses concluded that it is fairly certain licensing would be unconstitutional. The difficulty that a licensing regime would have in satisfying First Amendment standards is reflected in the consensus view: “Although it is virtually impossible to find a case that directly so holds, it is fairly clear that any attempt to license a newspaper or magazine would violate the Constitution.”159 For Internet regulation, the arguments—and perhaps the result—would surely vary depending on the specific type of regulation, the problem that the government sought to address, and the factual justification for the regulation. However, it seems likely that the burden of defending a regulation would be great.

VI. CLOSE

The principal purpose of this closing section is to identify some issues that, for a variety of reasons including lack of space, have not been discussed in any depth. There are no conclusions because meaningful conclusions are not available given the largely abstract review of issues addressed. Proposals for preventing cyberattacks can only be fully evaluated for their civil liberties and privacy consequences when the details are available because the specific elements will make a significant difference to the evaluation.

157 Any type of activity that creates central information about Internet users has a similar potential to create a resource that could be exploited by identity thieves or others for criminal purposes. The same information could also be used by government for other purposes that may affect privacy or civil liberties interests.
158 See NextAdvisor, Inside the Internet’s Financial Black Markets—How Identity Thieves Buy and Sell Your Personal Information Online, http://www.nextadvisor.com/blog/2008/09/16/inside-the-internets-financial-black-markets-%E2%80%93-how-identity-thieves-buy-and-sell-your-personal-information-online/; accessed July 2, 2010.
159 Stuart Minor Benjamin, The Logic of Scarcity: Idle Spectrum as a First Amendment Violation, 52 Duke Law Journal 1, 31 (2002) (footnote omitted), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=310121; accessed March 17, 2010.

Criminal laws that seek to deter unwanted activities and to punish those who engage in them have not been addressed. A leading example is the Computer Fraud and Abuse Act,160 which generally protects computers belonging to the federal government or a financial institution or to any computer affecting interstate or foreign commerce. Laws about identity theft are also not addressed in detail, although some of these laws have non-criminal law components. Generally, the tools and techniques of criminal law enforcement have some relevance to cybersecurity (e.g., deterrence), but further analysis is not possible in the available space. Some federal and state161 legislation also establishes security standards for computer systems. For example, the 2002 Federal Information Security Management Act (FISMA)162 directs the head of each federal agency to provide “information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of” agency information or information systems.163 Laws establishing private sector security requirements are not common, but there are some, including:
• Section 404 of Sarbanes-Oxley164 requires a publicly owned company’s management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. Because the financial reporting processes of many companies depend on information technology systems, controls over those systems may fall within the scope of a required assessment of financial risks.
• The Gramm-Leach-Bliley Financial Services Modernization Act includes a few privacy and security provisions. 
It expresses a policy that each financial institution has an affirmative and continuing obligation to protect the security and confidentiality of nonpublic personal information about customers.165 Financial services regulatory agencies issued regulations with more detailed standards.166
• The Health Insurance Portability and Accountability Act167 (HIPAA) requires the Secretary of Health and Human Services to issue security rules for covered entities (mostly health care providers and insurers). The rules cover electronic health information.168 The HIPAA security requirements are more detailed than some comparable rules, rely on industry standards, and give covered entities considerable discretion in application.
Legislation is a crude tool for mandating security, and legislators appear to understand its limitations. Security legislation is typically stated in broad, high-level terms with few details, and the civil liberties and privacy implications of current legislation are of lesser significance here. That could change. Some security laws call for the use of encryption, which can have value in deterring cyberattacks. Encryption can be employed or mandated in a multitude of different ways and, depending on the specifics, can have significant consequences for privacy and civil liberties. A Clinton Administration proposal (Clipper Chip) for mandatory encryption of data communications involving the escrow of encryption keys with the government was highly controversial among civil liberties advocates, Internet users, industry, and others. The proposal was eventually dropped.169

160 18 U.S.C. § 1030.
161 See, e.g., the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00, available at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf; accessed March 15, 2010, and the implementing regulations at 201 CMR 17.00, available at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf, accessed August 30, 2010.
162 44 U.S.C. § 3541 et seq.
163 44 U.S.C. § 3544(a)(1)(A).
164 15 U.S.C. § 7262.
165 15 U.S.C. § 6801.
166 See, e.g., 16 C.F.R. Part 314 (Federal Trade Commission).
167 42 U.S.C. § 1320d-2(d).
168 45 C.F.R. Part 160 and Part 164, Subparts A & C.

Some other subjects that are largely outside the scope here are better training, consumer education, reporting and collaborative efforts,170 voluntary activities,171 security breach notification,172 and polygraph regulation. Most but not all of these activities are less likely to raise privacy or civil liberties concerns. Emergency powers may allow the President to seize property; organize and control the means of production; seize commodities; assign military forces abroad; institute martial law; seize and control all transportation and communication; regulate the operation of private enterprise; restrict travel; and, in a variety of ways, control the lives of United States citizens.173 The scope of these powers with respect to the Internet is not immediately clear, but any exercise would raise civil liberties and privacy concerns that cannot be considered here. Recent circulation of a draft legislative proposal by a Senator that would expand the authority of the emergency powers of the President with respect to operation of the Internet attracted considerable controversy. Direct presidential control over the operation of the Internet or the collection of information about Internet activities data raises a large number of issues for individuals, companies, and organizations. The inherent borderlessness of the Internet does nothing to simplify these issues. Also unexplored here are uses of incentives for those individuals, companies, or other entities that adopt better cyberattack protections. 
The range of possible incentives is broad, including civil liability that would make software, hardware, service vendors, or users responsible for their failure to provide adequate security measures or their failure to use adequate security measures; civil liability for ISPs who fail to verify the identity of users; and subsidies or tax incentives for “good” behaviors. It is not apparent in the abstract that any of these would necessarily raise significant civil liberties or privacy concerns, although civil liability can raise constitutional questions about violations of the Due Process Clause by grossly excessive or arbitrary punishments.174 The use of incentives to induce the private sector to adopt protections that the federal government could not impose directly has the potential to be controversial.

169 See, e.g., A. Michael Froomkin, The Metaphor Is the Key: Cryptography, the Clipper Chip, and the Constitution, 143 U. Pa. L. Rev. 709 (1995).
170 See, e.g., United States Computer Emergency Readiness Team (US-CERT), http://www.us-cert.gov/; accessed March 17, 2010.
171 See, e.g., the Critical Infrastructure Information Act, 6 U.S.C. §§ 131-134.
172 Both the federal government and the states have enacted security breach notification laws, but there is no general federal statute (either preemptive or otherwise) despite much congressional activity over several years.
173 Harold C. Relyea, National Emergency Powers (2007) (Congressional Research Service), http://www.fas.org/sgp/crs/natsec/98-505.pdf; accessed April 14, 2010.
174 See, e.g., State Farm Mutual Insurance Co. v. Campbell, 538 U.S. 408 (2003).
