Civil Liberties and Privacy Implications
of Policies to Prevent Cyberattacks
Robert Gellman
Information and Privacy Consultant
I. INTRODUCTION
The purpose of this paper is to consider the civil liberties and privacy implications of potential policies
and processes to prevent cyberattacks. Other than the general topic and a request to consider the
possibility of licensing Internet users, little direction was offered. The topic raises a host of unbounded,
complex, difficult, and contested legal and constitutional issues. Almost any one of the issues could be
the subject of an entire paper, book, or even treatise.
What can be accomplished here is to consider some of the issues raised by possible proposals aimed
at preventing cyberattacks and to suggest some of the major fault lines that demarcate the borders of
what is possible from what is uncertain from what is prohibited. To characterize the analysis another
way, how far can prevention policies and processes go before they hit possible legal, constitutional, or
other barriers? This paper is an analysis of selected issues raised by this question.
The analysis of any proposal can differ significantly depending on who is performing an activity
and where that activity is being performed. The federal government cannot do some things that private
companies can do. Some activities would be less objectionable when done in a private, access-controlled
network than when done on the Internet in general. Some activities can be more readily accomplished
with the consent of data subjects than without consent. The laws of other nations may impose restrictions
that are absent in U.S. law, or vice versa, which can complicate prevention of cyberattacks on a
global scale.
The discussion here is organized under four main topics: search, speech, information privacy, and
due process. Many potential cyberattack prevention policies and processes raise concerns under more
than one of these topics, and the placement of issues under these topics is somewhat discretionary. For
example, a requirement that Internet Service Providers (ISPs) retain data about a user’s Internet activities
raises concerns under the First Amendment, Fourth Amendment, privacy, and due process.1 In this
paper, data retention is considered in the search section.
1 The text of the U.S. Constitution and its amendments can be found at http://topics.law.cornell.edu/constitution, accessed
August 30, 2010.
Proceedings of a Workshop on Deterring Cyberattacks
II. ISSUES RELATING TO SEARCH
1. Surveillance
Cyberattack prevention activities will at times make use of the surveillance authority given to the
government. It is not possible to summarize that authority in this document. There may be no more
convoluted area of privacy law in the United States than surveillance law. One scholar describes the
law of electronic surveillance as “famously complex.”2 The standards vary enormously, depending on
numerous factors. Some of the factors that determine the nature of the surveillance that is permissible,
the procedures that may be required as a prerequisite to surveillance, and the uses of the results of the
surveillance include:
• who is undertaking the surveillance (the government or a private party)
• why the surveillance is being conducted (for law enforcement, national security, foreign intelligence,
or private purposes)
• whether the target of the surveillance is a U.S. citizen (including a permanent resident), foreign
national, or agent of a foreign power
• the form of a communication (e.g., telephone call, electronic mail)
• whether a communication is stored by a third party or is in transit
• whether a communication is transmitted by a wire
• whether the surveillance captures video or sound
• what is being intercepted (e.g., content of a communication or a telecommunications attribute,
such as the telephone number dialed)
• what is under surveillance (e.g., a public place, home, workplace, locker room, toilet stall)
• where the surveillance is conducted from (e.g., a public place, a private place, an airplane, a place
of employment)
• the extent to which a place under surveillance has been protected from observation
• whether the surveillance is subject to state law or to federal law
• whether the technology used to undertake the surveillance is in general public use.
The history, scope, and shortcomings of the Electronic Communications Privacy Act of 1986³ (ECPA)
are most relevant here. There are three titles to ECPA: the first amends the Wiretap Act; the second contains
the Stored Communications Act; and the third addresses pen registers and trap and trace devices.
The first two titles are most relevant here.
The Wiretap Act is a criminal statute that seeks (1) to protect the privacy of wire and oral communications,
and (2) to set out the circumstances and conditions under which the interception of wire and
oral communications may be authorized.4 In 1986, ECPA amended the existing Wiretap Act to extend to
electronic communications protections against unauthorized interceptions that existed previously only
for oral and wire communications via common carrier transmissions.
The Stored Communications Act5 seeks to protect electronic communications and voice mail from
unauthorized access by defining unlawful access as a crime. The goal was to protect the confidentiality,
integrity, and availability of such communications stored by providers of electronic communication
service pending the messages’ ultimate delivery to their intended recipients.
2 Orin S. Kerr, Lifting the “Fog” of Internet Surveillance: How a Suppression Remedy Would Change Computer Crime Law, 54 Hastings
Law Journal 805, 820 (2003). See also Gina Marie Stevens & Charles Doyle, Privacy: An Overview of Federal Statutes Governing
Wiretapping and Electronic Surveillance (2009) (Congressional Research Service), available at http://assets.opencrs.com/rpts/98-326_20091203.pdf;
accessed on March 23, 2010.
3 Public Law 99-508, 100 Stat. 1848 (1986).
4 18 U.S.C. § 2511.
5 18 U.S.C. § 2701.
One of the law’s exceptions permits access to electronic communications by service providers, and
this provision allows employers who directly provide (as opposed to using a third party service provider)
email service to employees the ability to monitor email.6 That monitoring ability could support
the cyberattack prevention activities. Public employers remain subject to Fourth Amendment requirements
and may be more limited in their ability to review email.7 Privacy policies and terms of service
established by an ISP could also be relevant to a user’s expectation of privacy and could authorize
monitoring of email by the ISP.
It is widely recognized today that ECPA’s assumptions about technology are outmoded and that
the protections that ECPA sought to provide now operate inconsistently because of changes in technology
and service offerings.8 For example, with respect to government surveillance, the law gives greater
protection to email in transit than it does to email that has arrived in a user’s in-box at a service provider.
In addition, under the law, email that is more than 180 days old is more easily accessible to the
government than newer email.9 Because some ISPs now offer massive or unlimited storage for email,
the result is a significantly differing degree of legal protection for email depending on factors that many
users no longer view as significant. Other questions arise with respect to newer services such as Voice
over Internet Protocol. Documents placed on cloud computing sites may also have fewer protections
under current law than email because ECPA only covers electronic communications and the transfer of
information to a cloud computing provider may not qualify for protection.10
The 1976 decision of the Supreme Court in U.S. v. Miller11 illustrates an important aspect of third
party storage of information under the Fourth Amendment. The Supreme Court held that the Fourth
Amendment does not recognize an expectation of privacy in an individual’s financial records held
by a bank. Therefore, the Court allowed the government to obtain the records from the bank without
providing the individual notice or an opportunity to contest the demand. The conclusion in Miller with
its broad implication that an individual has no expectation of privacy in any record held by a third
party12 is an ever-increasing concern to civil libertarians and privacy advocates because most records of
an individual’s existence—and especially an individual’s Internet activities—are held by third parties.
ECPA partly curbs the effect of Miller by establishing rules and procedures that limit the ability of the
government to obtain electronic communications.
2. Other Approaches to Miller
Shortly after the decision in Miller, Congress passed the Right to Financial Privacy Act.13 The Act
established limited statutory privacy protections for bank records that the Supreme Court declined to recognize
under the Fourth Amendment. The Act requires the federal government (but not state governments)
to notify a bank customer when it uses a subpoena or summons to obtain a record about that customer
6 Id. at § 2701(c)(1).
7 See City of Ontario v. Quon, 560 U.S. ___ (2010).
8 The Center for Democracy and Technology (CDT) is leading a broad effort of privacy groups, businesses, and Internet companies
to seek amendment and modernization of ECPA. See CDT, Digital Due Process Coalition (Including Microsoft, Google, and More)
Call for Tougher Online Privacy Laws, http://www.cdt.org/press_hit/digital-due-process-coalition-including-microsoft-google-and-more-call-tougher-online-priv;
accessed April 20, 2010.
9 18 U.S.C. § 2703(a).
10 Cloud computing involves the sharing or storage by users of their own information on remote servers owned or operated by
others and accessed through the Internet. The proper characterization for ECPA purposes of cloud documents, which differ
greatly in type and terms of service, is far from clear. See Robert Gellman, Privacy in the Clouds: Risks to Privacy and Confidentiality
from Cloud Computing at 17 (World Privacy Forum, 2009), available at http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf;
accessed April 20, 2010.
11 425 U.S. 435 (1976).
12 See Smith v. Maryland, 442 U.S. 735, 743-44 (1979) (“a person has no legitimate expectation of privacy in information he voluntarily
turns over to third parties”).
13 12 U.S.C. §§ 3401-3422.
from a bank. The customer then has an opportunity to contest the process in court before the bank hands
over the records. The Act’s value is questionable since the grounds upon which a customer can challenge
the government are limited (must show that the records are not relevant to a legitimate law enforcement
investigation), and exceptions to customer notice cover many important agencies and activities.
The federal health privacy rule14 also contains a provision that requires notice to a patient of a
subpoena for the patient’s record held by a health care provider or insurer. For patients and for civil
litigation, the health privacy rule’s provisions are stronger than in the Right to Financial Privacy Act,
but the exceptions for law enforcement investigations provide even fewer rights for data subjects than
the Right to Financial Privacy Act.15
Recent legislation, including updates to the USA PATRIOT Act, Foreign Intelligence Surveillance
Act, and ECPA also modify some effects of Miller by expanding requirements for judicial involvement
in some electronic searches. None of the legislative changes to the Miller holding has broad effect with
respect to all or most information held by third party record keepers, however.
Because of the tremendous volume and range of personal information held by ISPs and other
third party record keepers, privacy advocates want to create a protectable privacy interest that would
undermine the broad holding in Miller. ECPA provides some protection for electronic communications.
However, email only represents a portion of the information now held by third party Internet provid -
ers, which include social networks, cloud computing service providers, photograph storage services,
financial management websites, and a nearly unlimited number of other services. Indeed, a very large
portion of Internet activities create records held by third parties, and the ongoing expansion of cloud
computing will shift additional materials from locally owned and controlled computers to third parties.
Whether and how Congress (or the courts) revise the principle that there is no privacy interest in
records held by third parties will determine both the scope of that privacy interest and the ease with
which government investigators can obtain personal and business records held by third parties.
Any expansion of the privacy rights of data subjects with respect to records held by ISPs and other
third party record keepers could affect the conduct of cyberattack prevention and investigation activities
by creating substantive or procedural barriers to government acquisition of information about Internet
activities. These activities may not be affected any more than any other government investigatory
activities that center on Internet conduct. It remains to be seen how broadly any future ECPA reforms
will affect the basic Miller holding that there is no privacy interest in records held by a third party. Any
significant change to these privacy protections could produce a major shift in the balance between individual
rights and the government’s investigatory capabilities. The stakes grow larger as the Internet
continues to expand as a central feature of modern life.
At the same time, however, the issue in Miller is personal privacy, and not every record created on
or off the Internet qualifies as personal information. Government access to non-personal information
held by third parties might be unaffected by any change in the privacy interest granted to individuals
in third party records. This could include, perhaps, the content of many webpages, commercial transactions,
foreign government operations, activities that occur outside the United States and beyond the
scope of the Fourth Amendment, and more.
3. Data Retention
In March 2006, the EU enacted a Data Retention Directive calling for the mandatory retention of
communications traffic data.16 A leading argument for the directive is for combating terrorism. The
14 45 C.F.R. Part 164, issued under the authority of the Health Insurance Portability and Accountability Act (HIPAA). Public Law
104–191, title II, § 264, 110 Stat. 2033 (1996), 42 U.S.C. § 1320d-2 note.
15 Id. at § 164.512(e) & (i).
16 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated
or processed in connection with the provision of publicly available electronic communications services or of public communications
networks and amending Directive 2002/58/EC, 2006 O.J. (L 105) 54, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF;
accessed April 20, 2010.
same general argument in support of data retention could be made with respect to cyberattack prevention
either because cyberattacks may qualify as terrorism or because data retention would be useful
in preventing cyberattacks regardless of motivation. The EU and many of its Member States required
data retention to create a new capability in combating criminal and other undesirable activities. The
extent to which data retention will work to achieve the stated goals is open to question and beyond the
scope of this paper. Nevertheless, data retention is a tool with some potential application to cyberattack
prevention.
The EU Data Retention Directive requires Member States to adopt measures to ensure that electronic
communications traffic data and location data generated or processed by providers of publicly available
electronic communications services be retained for not less than six months and not more than
two years from the date of the communication. The Data Retention Directive requires the retention of
data necessary:
• to trace and identify the source of a communication
• to trace and identify the destination of a communication
• to identify the date, time and duration of a communication
• to identify the type of communication
• to identify the communication device
• to identify the location of mobile communication equipment.17
The retention requirement applies only to data generated or processed as a consequence of a communication
or a communication service. It does not apply to the content of a telephone call or of electronic
mail. The data retained must be made available to competent national authorities in specific cases “for
the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member
State in its national law.”18 Thus, each Member State can establish its own standards for serious crime
as well as its own judicial or other procedures for access.
The data retention directive has been controversial throughout Europe, with Internet activists
strongly opposed to its implementation in many EU Member States. Litigation has resulted in some
national courts finding laws implementing the directive unconstitutional. The German law was suspended
by the Federal Constitutional Court in early March 2010.19 The German Court ordered the deletion of
data collected. The decision did not exclude the possibility that a data retention law could pass constitutional
muster, but it found that the law’s provisions for security of data were inadequate and that the
uses of the data were not sufficiently clear. The Romanian Constitutional Court found the Romanian
data retention implementation law unconstitutional.20
A data retention law has been proposed for the United States, although it has not received much
attention from Congress to date.21 The constitutionality of any data retention proposed will surely be
contested on First Amendment and Fourth Amendment grounds. Much will depend on the scope and
the details of any enacted law. For example, a data retention requirement for Internet activities could
entail the storage of information about electronic mail that could include data about the sender, recipient,
header, attachment, content, and more. The retained data could be available to criminal or civil law
enforcement, intelligence agencies, or private litigants after a showing of probable cause, reasonable
cause, relevance, or another standard. Data subjects could have rights to object before or after retained
information is disclosed or could have no rights. The details affect any privacy and civil liberties evaluation,
17 Id. at Article 5.
18 Id. at Article 1.
19 German High Court Limits Phone and E-mail Data Storage, Spiegel Online International (March 2, 2010), available at http://www.spiegel.de/international/germany/0,1518,681251,00.html;
accessed April 20, 2010. The decision itself (in German) is at http://www.bundesverfassungsgericht.de/pressemitteilungen/bvg10-011;
accessed April 20, 2010.
20 Romanian Constitutional Court: Data Retention Law Unconstitutional, The Sofia Echo (Oct. 9, 2010), available at http://www.sofiaecho.com/2009/10/09/797385_romanian-constitutional-court-data-retention-law-unconstitutional;
accessed April 20, 2010.
21 See S.436, 111th Congress (2009).
and any discussion of the possibilities would exceed the space available here. However, it seems
clear that to the extent that a law requires the preservation of content rather than non-content information,
the law will be harder to justify because existing precedents provide greater protections for the
content of communications.
However, if a data retention law covers traffic, location, or transaction data only, there are some
precedents in U.S. law that allow for government access with fewer or no procedural protections for the
privacy of the individuals involved. For example, U.S. law allows for the use of pen registers that record
dialed numbers without a search warrant.22 The Stored Communications Act allows the government to
order a provider of wire, electronic communication services, or remote computing services, to preserve
records and other evidence in its possession pending the issuance of a court order or other process.23 The
Bank Secrecy Act requires banks to keep records of various transactions, including some cash activities
and, effectively, all checks.24 The Supreme Court upheld the law in 1974 as a valid exercise of federal
power under the Commerce Clause.25
The distinction that the law makes for Fourth Amendment purposes between content and non-content
has increasingly been the subject of litigation under ECPA but litigation remains, in the words of a
leading Fourth Amendment scholar, “remarkably sparse.”26 The step-by-step analogies that the courts
have used to move legal reasoning from postal mail to telephone calls begin to break down when it
comes to Internet activities because the content vs. non-content distinction is much harder to sustain
over the wide range of Internet functions that extend far beyond basic communications. For email, the
substance of a message may not be limited to the actual content of a message but may be visible in
part from the header, subject line, title of attachments, or other elements. In a 2010 decision pertaining
to electronic communications (albeit not on the content/non-content issue), the Supreme Court was
tentative in offering guidance, observing that “[r]apid changes in the dynamics of communication and
information transmission are evident not just in the technology itself but in what society accepts as
proper behavior.”27 How the law develops in this area could make a significant difference to the ability
of the government to prevent or investigate cyberattack activities on the Internet. Any expansion in the
ability of the government to see content or content-like elements of Internet activities without a showing
of probable cause will be strongly contested using Fourth Amendment arguments. However, at the
same time, it will be argued that many Internet activities are voluntary, and a user’s expectations of
privacy in this context are open to debate. Those expectations may be affected by the expansive monitoring
of Internet activities for commercial purposes.28 The routine and largely unrestricted commercial
availability of the entrails of a user’s Internet activities could undermine arguments that the user had a
reasonable expectation of privacy. Thus, privacy legislation affecting Internet monitoring of individuals
by commercial entities could also be relevant to the discussion.
First Amendment challenges to data retention requirements can also be anticipated. The right to
associate, to speak, and to receive information would all be affected by data retention, with the specific
arguments depending on the precise requirements of a data retention regime and on the standards and
procedures under which the government could retrieve information from a service provider. Advocates
would argue that the First Amendment requires that a retention law be justified under a strict scrutiny
22 Smith v. Maryland, 442 U.S. 735 (1979). 18 U.S.C. §§ 3121-3127.
23 18 U.S.C. § 2703(f). The Act is part of the Electronic Communications Privacy Act. An order under this provision is generally
called data preservation. Data retention generally means a blanket requirement for the maintenance of some information on all
communications.
24 31 C.F.R. § 103.34(b)(10).
25 California Bankers Association v. Schultz, 416 U.S. 21 (1974).
26 Orin S. Kerr, Applying the Fourth Amendment to the Internet: A General Approach, 62 Stanford Law Review (forthcoming 2010),
available at http://ssrn.com/abstract=1348322; accessed July 1, 2010.
27 Ontario v. Quon, 560 U. S. __ (2010) (slip op. at 11).
28 For more on the current controversy over behavioral targeting of Internet users for advertising and other purposes, see, e.g.,
Federal Trade Commission, Staff Report: Self-Regulatory Principles for Online Behavioral Advertising: Tracking, Targeting, and Technology
(Feb. 2009), available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf; accessed April 20, 2010.
standard—the most stringent standard of judicial review that requires that a law address a compelling
governmental interest, that a law be narrowly tailored to achieve that interest, and that a law be the
least restrictive means for achieving its objective.
In some contexts, however, data retention may be largely unremarkable. Routine business activities,
whether online or offline, create records that must be retained for tax, credit, or many other purposes.
In private networks, all activities may be monitored and recorded by the network operator, who may
be a service provider, employer, or other person acting with or without notice to or the consent of the
individual. Backup systems retain copies of an entire network at regular intervals. Broad rights to use,
maintain, and disclose an individual’s information can be reserved by a service provider through routine
privacy policy or terms of service that its clients “consent” to by using the service. A recent report on
cloud computing and privacy observed that a cloud provider may acquire rights over materials placed
in the cloud “including the right to copy, use, change, publish, display, distribute, and share with affiliates
or with the world the user’s information.”29 These rights may exceed anything that laws mandating
data retention require.
4. Terrorism and Cybersecurity
Congress enacted the USA PATRIOT Act less than two months after the events of September 11,
2001.30 The Act is long and complex, and Congress amended it on several occasions, and more amendments
are under consideration. Challenges to the Act have resulted in courts finding parts of the law
unconstitutional. The details of the Act and subsequent litigation are too complex for this space. Generally,
the Act expanded the ability of federal agencies to prevent and prosecute terrorism, with one title
of the Act setting out enhanced surveillance procedures. For example, provisions make it easier for law
enforcement agencies to search telephone and electronic communications and other records.
The Act also amended laws that make terrorism a crime. The basic definition of terrorism in the
criminal code provides that terrorism must
(A) Involve violent acts or acts dangerous to human life that are a violation of the criminal laws of the
United States or of any State, or that would be a criminal violation if committed within the jurisdiction of
the United States or of any State;
(B) appear to be intended—
(i) to intimidate or coerce a civilian population;
(ii) to influence the policy of a government by intimidation or coercion; or
(iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping.31
Whether cyberattacks would fall within the definition of terrorism is not immediately clear, but it
seems a possibility, perhaps depending on the motivation of the attacker. The analysis might well depend
on the facts of any given case. The USA PATRIOT Act added the Computer Fraud and Abuse Act32 to
the predicate offense list for wiretapping so at least some of the powers of the Act would be available
for cyberattack prevention or investigation.33 Other authorities provided in the Act may also be available
today for some cyberattack prevention activities.
29 Robert Gellman, Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing at 17 (World Privacy Forum,
2009), available at http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf; accessed April 20, 2010.
30 Public Law No. 107-56, 115 Stat. 272 (2001). The Act’s full name is Uniting and Strengthening America by Providing Appropriate
Tools Required to Intercept and Obstruct Terrorism Act of 2001.
31 18 U.S.C. § 2331. There is a separate definition for international terrorism and for domestic terrorism. Both use a similar definition,
with the location of the activity being the difference. The part quoted here represents the core of the two definitions.
32 18 U.S.C. § 1030.
33 18 U.S.C. § 2516(1)(c).
A broader question is whether Congress or the public would consider cyberattack prevention to be
of equal importance to terrorism prevention to justify the granting or use of powers equivalent to those
under the USA PATRIOT Act. The Act has remained highly controversial and the subject of continuing
congressional actions. Any expansion of the Act or enactment of a similar law for cyberattack prevention
would raise the same legal, constitutional, and political controversies that have dogged the Act
from its inception.
5. The Fourth Amendment and Special Needs Cases
Ordinarily, the Fourth Amendment requirement that searches and seizures be reasonable means that
there must be individualized suspicion of wrongdoing. In some circumstances, the usual rule does not
apply. Whether the prevention of cyberattacks could justify an exemption from strict application of the
Fourth Amendment is an open question.
In the so-called special needs cases, the courts have upheld suspicionless searches in some circumstances.
For example, the Supreme Court allowed random drug testing of student athletes; drug tests for
some Customs Service employees; and drug and alcohol tests for railway employees involved in train
accidents. Searches were allowed for certain administrative purposes without particularized suspicion
of misconduct, provided that the searches are appropriately limited. The Supreme Court also upheld
brief, suspicionless seizures of motorists at a fixed Border Patrol checkpoint designed to intercept illegal
aliens and at a sobriety checkpoint aimed at removing drunk drivers from the road.34
Because of the international scope of cyberattacks, any inquiry must consider other law that establishes
diminished Fourth Amendment protections in international matters. The Foreign Intelligence
Surveillance Act establishes lower standards for conducting surveillance in cases involving agents of a
foreign power or a foreign terrorist group. The details of FISA, its amendments, litigation, and history
are far beyond the scope of this paper. However, even the diminished FISA standards have been held
to give way to the lower standards recognized in special needs cases. Thus, the United States Foreign
Intelligence Surveillance Court of Review held in 2008 that a foreign intelligence exception to the Fourth
Amendment’s warrant requirement exists when surveillance seeks foreign intelligence for national security
purposes and is directed against foreign powers or agents of foreign powers reasonably believed to
be located outside the United States.35
Whether prevention of cyberattacks could qualify as a special needs case is unknown. Any expansion
of special needs would be controversial, and a special needs case involving domestic cybersecurity
matters would be especially controversial.
III. ISSUES RELATING TO SPEECH AND ASSOCIATION
The Internet raises a host of First Amendment speech and association issues, some of which are
relevant to activities seeking to prevent cyberattacks. This is an area where it is especially difficult to be
comprehensive and to disentangle issues.
Two preliminary observations are offered. First, the First Amendment does not protect against
actions taken by private entities, although there can be some overlap between the public and private
spheres at times. The First Amendment is a protection against abridgment of speech by government,
state or federal. Second, it has been famously said that on the global Internet, the First Amendment is
a local ordinance. To the extent that cyberattack protections involve other nations, First Amendment
protections may not be available with respect to Internet activity that originates in or passes through
those other nations.
34 City of Indianapolis v. Edmond, 531 U.S. 32 (2000). However, the Court refused to allow a general interest in crime control to
provide a justification for suspicionless stops. Id.
35 In re Directives Pursuant to Sec. 105B, 551 F.3d 1004 (FISA Ct. Rev., 2008).
1. Internet as a Human Right
The Internet has rapidly become a vibrant public forum for speech of all types, including news,
political discussions, government communications, commercial speech, and everything else. In some
countries, access to the Internet is a fundamental right of its citizens.36 In Finland, broadband access is a
legal right.37 However, rhetoric about the fundamental importance of the Internet does little to advance
the present discussion of preventing cyberattacks. Whatever right may exist is not an unlimited right.
A new law in France illustrates the point. As originally enacted, the law would have allowed a
government agency to suspend an individual’s user account. The French constitutional court found
that the law violated constitutional free speech protections. After an amendment that required a judge
to make the decision to suspend, the court allowed the law to stand.38 During the controversy over the
French law, the European Parliament voted to make it illegal for any EU country to sever Internet service
unless a court finds a citizen guilty.39
Whatever the scope of an individual’s right to use the Internet may be, the view in Europe seems
to be that the right may be restricted through actions that are not disproportionate and that involve a
decision by an independent and impartial judge. The right to use the Internet is, in essence, the right
to due process of law before the ability to exercise the right to use the Internet is removed or restricted.
The same principles may apply when the reasons for seeking termination of Internet access relate to
cyberattack prevention. It may be possible to argue in some cases that immediate threats to critical
infrastructure would justify a different or lesser set of due process procedures prior to termination of
Internet access rights.40 Regardless, any rules or procedures with the potential to deny an individual
access to the Internet will be controversial and the subject of considerable scrutiny on constitutional or
legal grounds.
2. Anonymity
Anonymity on the Internet is a feature prized by many Internet users, often for different reasons.
Many Internet activities can be conducted with a significant degree of anonymity using onion routers,41
free email accounts that do not require any form of identification, public kiosks, blogs that do not ask
posters to register, and in other ways. Whistleblowers, political activists, dissidents, and ordinary users
value anonymity. The extent to which Internet activities are truly anonymous is uncertain. Even a user
who takes concerted action to protect identity may not succeed all the time, especially against a person
or government determined to uncover that identity.
Discussing the right to anonymity online is difficult for several reasons. First, the scope of a First
Amendment right to anonymity is not clear, and tracking down the borders of anonymity leads far
afield from the Internet without necessarily providing clarity. Second, there are many different objectives
that a right to (or interest in) online anonymity may satisfy in whole or in part. For example, victims of
domestic violence have some unique interests that are not relevant here. Third, it is hard to cover every
possible cybersecurity activity that might affect an anonymity interest.
36 Colin Woodward, Estonia, Where Being Wired Is a Human Right, Christian Science Monitor (July 1, 2003), available at http://www.csmonitor.com/2003/0701/p07s01-woeu.html. A 2010 poll taken in 26 countries found that almost 79% of those questioned
said they either strongly agreed or somewhat agreed with the description of the Internet as a fundamental right. Internet Access Is
a Fundamental Right, BBC News (March 8, 2010), available at http://news.bbc.co.uk/2/hi/technology/8548190.stm.
37 Saeed Ahmed, Fast Internet Access Becomes a Legal Right in Finland, CNN.com (2009), available at http://www.cnn.com/2009/TECH/10/15/finland.internet.rights/index.html.
38 Eric Pfanner, France Approves Wide Crackdown on Net Piracy (Oct. 23, 2009), New York Times, available at http://www.nytimes.com/2009/10/23/technology/23net.html.
39 Kevin J. O’Brien, French Anti-Piracy Proposal Undermines E.U. Telecommunications Overhaul, New York Times (May 7, 2009),
available at http://www.nytimes.com/2009/05/07/technology/07iht-telecoms.html.
40 The discussion below regarding the administrative license suspension for driver’s licenses may suggest a precedent.
41 With onion routing, messages are repeatedly encrypted and sent sequentially through different nodes. Each node removes
a layer of encryption to find instructions for sending the message to the next node. Intermediary nodes do not know the origin,
destination, or contents of the message.
In cases involving political speech, the Supreme Court has consistently overturned laws that prohibited
the distribution of anonymous handbills and similar laws that prevented anonymous political
speech. Political speech is the most highly favored speech under the First Amendment. However, as
one scholar described cases in this area, “the Court failed to embrace the notion of a free-standing right
to anonymity and instead employed what would become a characteristic (and maddening) level of
ambiguity.”42
In other areas, a right to anonymity is not clearly established. In 2004, the Supreme Court upheld
the conviction of an individual who refused to identify himself to a police officer during an investigative
stop involving a reported assault. A state statute required a person detained by an officer under
suspicious circumstances to identify himself.43 The case raised Fourth and Fifth Amendment issues, but
it was also seen as raising broader questions about the right to remain anonymous. The case’s relevance
to cyberspace is limited, but it illustrates that the Court does not universally favor anonymity.
The right to anonymity on the Internet has also been raised in a series of cases that balance the right
to speak anonymously against the right of those who claim injury from anonymous defamatory speech.
The law here is under development in many different courts and, not surprisingly, with the adoption
of different approaches. Courts tend to require a plaintiff to show that a suit is viable before ordering
disclosure of the speaker’s identity. According to one scholar, the standard that appears to be becoming
dominant requires a showing of evidence sufficient to establish a prima facie case of defamation coupled
with a balancing of the right to speak anonymously and the right to pursue a libel claim.44
Anonymity concerns are likely to be raised by whistleblowers, i.e., individuals who raise concerns about
wrongdoing occurring in an organization. Scattered federal and state laws provide some protections for
whistleblowers, and the whistleblower community continues to press for stronger protections. Anonymity
can be a method for whistleblowers to raise issues while avoiding the consequences of identification. To the
extent that activities take place on a private network that does not support anonymity, the availability of
the Internet as an alternative way to communicate about possible wrongdoing lessens concerns about the
closed nature of a particular network and the lack of any anonymous methods of communications.
Political and other dissidents may also rely on anonymity to protect their identities when complaining
about government or other activities. Anonymity can also assist activists who seek to find and communicate
with others who hold similar views and to organize their efforts. Anonymity can also allow
those with minority views, with unpopular views, or with other needs or fears to speak and organize.
Here too, restrictions on a closed network may be of lesser concern if, at the same time, the Internet
otherwise allows anonymity for communications and activities. However, if protections against cyberattacks
undermine or interfere with the ability to use the Internet anonymously, those protections will be
significantly more controversial politically and legally. It does not seem possible in the abstract to draw
a line where the federal government can lawfully prevent or punish anonymous speech, although it has
broader powers with respect to a network that it operates.
3. Restraining Publication of Security Information
One method that may be relevant to preventing cyberattacks is to limit or prevent the publication
of information about vulnerabilities of computer systems, whether the information is held by government
or private actors.45 Restrictions on the availability of information about security vulnerabilities
raise First Amendment issues. The practical difficulties of restricting speech on the Internet are real but
not necessarily material to the legal or constitutional issues.
42 Jonathan Turley, Registering Publius: The Supreme Court and the Right to Anonymity, Cato Supreme Court Review (2001-02),
available at http://www.cato.org/pubs/scr/2002/turley.pdf; accessed April 20, 2010.
43 Hiibel v. Sixth Judicial District Court of Nevada, 542 U.S. 177 (2004).
44 Lyrissa Barnett Lidsky, Anonymity in Cyberspace: What Can We Learn from John Doe?, 50 Boston College Law Review 1373, 1378
(2009).
Source Code
It is not entirely settled that the publication of source code constitutes speech protected under the
First Amendment. In a leading case that arose in the context of export regulations, the Ninth Circuit
concluded in the context of that case that encryption software qualified for First Amendment protections.46
An alternate view expressed in the dissent is that source code is a method of controlling computers
and is more function than speech.47 The case has a complex history and does not offer a broad
holding. The proper characterization of source code for First Amendment purposes has many different
perspectives.
Copyright
The anti-circumvention provisions of the Digital Millennium Copyright Act48 (DMCA) principally
sought to stop copyright infringers from defeating anti-piracy protections in copyrighted works. The
DMCA bans both acts of circumvention and the distribution of tools and technologies used for circumvention.
The law exempts some activities, including security testing and encryption research. The DMCA
has been used in a variety of ways to stop publication of information about security vulnerabilities,
remove content from the Internet, affect research activities, and in other ways.49 Opponents of the law
contend that many of these uses chill free speech activities. The DMCA has some relevance to private
sector attempts to prevent cyberattacks, but federal government information is not subject to copyright
so the DMCA may not be relevant.50
Contractual Methods
Tools, techniques, and policies allow for government controls over publication of some information
by some individuals. Contracts that require government employees not to publish any information
without pre-publication review by the government offer one approach. In the leading case, the Supreme
Court upheld a contract signed by an employee of the Central Intelligence Agency that imposed the
restriction as a condition for access to classified information.51
Classification
The classification and control of federal government information in the interest of national defense
or foreign policy (security classification) is another possible approach to cyberattack prevention. Classification
protects security information controlled by the federal government, makes its use and disclo -
45 See 6 U.S.C. § 133 (establishing restrictions on the use and disclosure of information regarding the security of critical infrastructure
voluntarily submitted to a Federal agency).
46 Bernstein v. U.S. Dept. of Justice, 176 F.3d 1132 (9th Cir. 1999), withdrawn, 192 F.3d 1308 (9th Cir. 1999).
47 176 F.3d at 1147.
48 17 U.S.C. § 1201.
49 See generally, Electronic Frontier Foundation, Unintended Consequences: Twelve Years Under the DMCA, available at https://www.eff.org/wp/unintended-consequences-under-dmca; accessed April 20, 2010.
50 17 U.S.C. § 105.
51 Snepp v. United States, 444 U.S. 507 (1980).
vided by a passenger when making an airline reservation, with information on the watch lists. In order
to do better matches of records, TSA and the airlines started requiring passengers to provide full name,
date of birth, and gender at the time of a reservation. These additional elements are supposed to help
prevent misidentification of passengers with similar names. Other information that TSA receives from
the airline includes itinerary, passport number (for an international flight or if otherwise available to the
airline), and reservation control number. TSA can obtain a full Passenger Name Record (PNR), which
reveals other information including food, health, and other preferences.
TSA retains records for individuals not identified as potential matches by the automated matching
tool for seven days after completion of travel. TSA keeps records of an individual who is a potential or
confirmed match for no less than seven years. TSA keeps records of an individual who is a confirmed
match for 99 years. Data retained by airlines is not subject to these limits, and TSA may obtain the data
from the airlines.
A registered traveler program allowed passengers who paid a fee and submitted to a background
check to use reserved security lanes with shorter waits at airport checkpoints. The program was voluntary
and run by the private sector. An applicant provided additional information, including a biometric,
and received a smart card credential. When the company that provided the bulk of the service went
out of business, the registered traveler program disappeared. Some criticized the program as providing
special treatment for wealthy travelers.
B. Redress
TSA has a program offering redress to travelers who experience denied or delayed airline boarding,
who experience denied or delayed entry into and exit from the U.S., or who are continuously referred
for additional (secondary) screening. The Travel Redress Inquiry Program (DHS TRIP) basically allows an
individual to ask for a review in order to minimize or eliminate future watch list name confusion. TSA
will not reveal whether an individual is on a watch list, however. An individual seeking redress fills
out a form and may be asked to provide additional documentation. A successful traveler will receive a
Redress Control Number that airlines collect and that may help to minimize identification or screening
problems. An individual who is dissatisfied with the DHS TRIP process may file an appeal with DHS.
Effective judicial review of DHS actions may not be available.
The Secure Flight program collects and maintains information on international travelers from airlines,
travel agencies, and tour operators in other countries. This brings aspects of the program under the
purview of foreign data protection laws. For example, in 2007, the European Union and DHS entered into
an agreement about the processing and transfer to DHS of Passenger Name Records (PNR) by airlines
operating in Europe.139 The agreement reflects a determination by the European Commission that U.S.
laws, in conjunction with DHS policies regarding the protection of personal data and the U.S.-EU Passenger
Name Record Agreement, are adequate to permit transfers of PNR data to the U.S. government
and that the transfers comply with EU standards under the Data Protection Directive. The agreement
is now subject to ratification by the European Parliament,140 where some members have been critical
of the terms of the data transfers.
139 http://www.dhs.gov/xlibrary/assets/pnr-2007agreement-usversion.pdf; accessed March 15, 2010.
140 See European Parliament, Legislative Observatory, available at http://www.europarl.europa.eu/oeil/file.jsp?id=5836052; accessed
March 15, 2010. On May 5, 2010, the European Parliament showed its displeasure with the agreement by postponing voting
on its approval. http://www.europarl.europa.eu/news/expert/infopress_page/019-74146-125-05-19-902-20100505IPR74145-05-05-2010-2010-false/default_en.htm; accessed May 21, 2010.
C. Discussion
The Secure Flight process differs significantly from the process for granting security clearances and
drivers’ licenses. While Secure Flight is not quite a real-time clearance, it can be close to that. Normally,
there is no review of identity documents other than a limited check at an airport security checkpoint or
the presentation of passports for international travel. The program mostly matches individuals against
lists of people not allowed to fly or who require additional screening. These lists are compiled by TSA
and other agencies separately and based on criteria that are not publicly known. TSA will not directly
inform an individual if he or she is on one of the lists, although inferences are possible from the way
that the individual is treated at the airport. Clearance operations are not conducted in public view, and
travelers do not know the details of the review process. Secure Flight clears as many as several million
people daily and hundreds of millions of people annually, many more people than seek security clearances
or drivers’ licenses.
The Secure Flight redress process came as a legislative direction that followed regular news reports
of continuing problems with the clearance process. Congress intervened several times during the development
and implementation of airport passenger clearance systems to express concern about privacy
and about redress. Secure Flight also directly raises issues of international privacy standards that are
absent from drivers’ licenses and security clearances. It is possible that the international consequences of
any standards for cybersecurity activities would require negotiations with other countries similar to the
negotiations with the EU about Secure Flight. Finally, Secure Flight has been controversial, with interest
groups raising privacy and constitutional objections to the data collection, screening, and secrecy.
4. Other Methods, Other Models
Broader use of identification for general purposes or for cybersecurity purposes will raise harder
political, legal, and constitutional issues. The precise terms of any identification use, issuance procedures,
due process rules, and information processing policies will shape the arguments about constitutionality
and effects on civil liberties and privacy. It is not possible here to make all the arguments or resolve
any of them. However, it is apparent that an identification system has the potential to impinge on anonymity,
inhibit speech and association, affect the right to travel, affect other fundamental constitutional
or statutory rights, and perhaps exceed the authority of the federal government in other ways (Tenth
Amendment). Whether the courts would recognize any of these concerns at the constitutional level is
impossible to predict, but it seems certain that these issues will arise.
In 2008, the Supreme Court upheld a state law requiring citizens voting in person to present
government-issued photo identification.141 It may or may not be telling that the identification requirement
did not extend to those who did not vote in person. However, the Help America Vote Act of 2002
requires first time registrants voting by mail to include a copy of identification with the ballot.142 The
Court did not require strict scrutiny of the voter ID law, but judicial consideration of a requirement that
affects broad First Amendment speech issues is less likely to use the same, weaker standard of judicial
review. Regardless, it is difficult to use this decision to assess possible Internet identification requirements
because the facts and the particulars could make a major difference. Still, the Court upheld the
identification requirement here and reached a similar outcome in the Hiibel case discussed above. Clearly,
the Court is not strongly averse to identification requirements.
The federal government is already exploring and implementing identity, credentialing, and access
management systems to provide a consistent approach for clearing and managing individuals requiring
access to federal information systems and facilities.143 Identification and authorization systems can be
unremarkable from a privacy and civil liberties perspective, but they can also raise a host of questions
depending on the standards used, due process procedures, scope of application, and data collected and
retained. These same issues can arise with any type of identification or licensing system.144
141 Crawford v. Marion County Election Bd., 553 U.S. ___, 128 S. Ct. 1610 (2008).
142 42 U.S.C. § 15483(b)(3).
143 See http://www.idmanagement.gov/drilldown.cfm?action=icam; accessed April 15, 2010.
144 See generally Committee on Authentication Technologies and Their Privacy Implications, National Research Council, Who
Goes There? Authentication Through the Lens of Privacy (2003).
In particular, an Internet identification or authentication system can be a surveillance mechanism if
the system routinely creates a central record of all Internet activities of each user as a result of the clearance
process. An Internet identification or authentication system would raise privacy and security concerns
that could easily exceed in range and detail the information about the exercise of First Amendment
rights collected in a driver’s licensing system, by Secure Flight, or even through the security clearance
process. A system that fails to properly assess the degree of risk involved or that makes unwarranted
demands on users may exacerbate civil liberties and privacy concerns.145 If the federal government relied
on credentials issued by private entities, those concerns could extend beyond government functions and
spill over into the rules and procedures of those private entities.
The federal government’s use of systems to control access to government computers is not the most
troublesome part of credentialing or licensing. A broader government requirement for a license for general
use of the Internet beyond access to government facilities would be of greater concern. If licensing
were the only way to overcome security problems that made the Internet significantly dysfunctional,
the argument for licensing might be stronger than if the purpose of the licensing were to require complete
identification and accountability for all Internet activities so that criminals could be identified
more readily after the fact. The circumstances that result in licensing of users would make a significant
difference to the analysis.
The narrower the purpose and application of an ID system/technology, the less likely it will be
to raise these concerns. Despite their widespread de facto use as general-purpose identifiers, drivers’
licenses were not as controversial until the REAL ID Act sought to alter the process of issuance, mandated
collection and maintenance of more personal information, and established requirements and
potential for its use that extended beyond established norms. The 1994 Driver’s Privacy Protection Act
addressed some of the privacy concerns that surrounded the marketing and other secondary uses of
drivers’ information.
The widespread use of Social Security numbers (SSNs) for identification has, after many years,
brought legislative responses at the federal and state level restricting the collection, use, or display of
SSNs in some contexts.146 Many but not all of these responses followed the explosion of identity theft
and of complaints from individuals about the consequences of identity theft.
For many individuals, an identification requirement or other prerequisite for using the Internet (as
opposed to a prerequisite for using a particular website) would almost certainly be viewed today as
similar in importance to a driver’s license, if not more important. Access to the Internet, whether or not
a fundamental human right, is now for most people in the United States necessary for employment,
communication, routine commercial activities, and many other essential, routine, and daily activities.
None of the licensing models described in this section affects an activity as close to the heart of First
Amendment values as an Internet licensing scheme would. A governmentally established identification/authorization
prerequisite to general Internet access would be, to say the least, controversial. The
level of controversy would vary with the scope of the requirement and the amount of information about
Internet access and usage that was retained.
However, a governmentally established prerequisite to access a non-public government network
would not be controversial or even novel. The federal government operates classified systems with
access limited to individuals who have security clearances. A private requirement for access to a private
network or website is largely unremarkable as well. It is not that civil liberties and privacy concerns
are entirely absent, but that the basic notion of controlling access to some information and facilities is
familiar.
145 The Office of Management and Budget calls for a risk assessment for authentication and a matching of risks to an appropriate
assurance level. OMB Memorandum to the Heads of all Departments and Agencies, E-Authentication Guidance for Federal Agencies
(Dec. 16, 2003), http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf; accessed April 15, 2010.
146 Section 7 of the Privacy Act of 1974, Public Law 93-579, 88 Stat. 1909 (1974), 5 U.S.C. § 552a note, restricts collection of SSNs
by federal, state, and local government agencies. This was one of the first legislated restrictions on SSN use. Many more followed
in the 1990s and later.
When an identification/authorization requirement is narrow in application, limited in scope, and
simple to meet (e.g., user name and password), controversy is less likely to arise. Indeed, simple, limited
purpose identification and authorization systems are in widespread use today with few objections. To
the extent that private activities (whether voluntary or required by law) collect and maintain additional
records about Internet usage by individuals, those records can become available to the government
without notice to or participation by the subject of the records. The availability to the government of a
list of every website visited by every Internet user would be controversial, to say the least.147 The earlier
discussion about U.S. v. Miller and the lack of privacy protections for records held by third party record
keepers is relevant here.
If we split the issue of authorization from identification, we face different choices and analyses.
Identification might be required for some functions, but there might be a range of allowable activities
that call for demonstrating other attributes (e.g., age) rather than identification.148 An individual might
only receive authorization to undertake some activities (e.g., change computer settings or use a private
network) after showing competence in security matters.
Drawing lines, however, is not that simple. Even if restricting access to private networks—whether
operated by the government or others—is not on its face problematic, much will depend on what
activities occur on the private network. We already have private systems with varying identification
and authentication prerequisites. Some may raise civil liberties or privacy concerns, but private sector
activities will fall outside most constitutional and statutory protections. However, if a citizen must have
some form of identification or authorization in order to communicate or conduct ordinary, non-national
security business with a government agency, the argument about the propriety of the identification
requirement would turn in part on the nature of the communication or the business at issue. The requirement
would raise, for example, concerns about impinging on the right to petition the government for
a redress of grievances, the right to associate with others, or perhaps the right to practice a religion, all
rights protected by the First Amendment.
An Internet identification/authentication requirement could make it impossible or unduly difficult
for a citizen without identification to fulfill legal duties (e.g., file tax returns), obtain benefits available
by law, or exercise rights. The REAL ID Act is controversial, in part, for this reason. That Act could make
it difficult or impossible for a citizen to enter a federal building without an identification document that
qualifies under the Act. The analysis would be different if the user of a particular government activity
had no alternative to using an identification-restricted Internet than if use of a restricted Internet were
one of several options. For example, if meeting particular Internet identification requirements in order
to vote or receive Social Security benefits were the only option, the conclusion might be different than
if in-person or postal mail alternatives also existed at the same time.
Even an Internet identification/authentication requirement for a private network operated principally
for private purposes could still raise concerns about how citizens can carry out basic tasks
essential to function in society, many of which remain entangled with government activities or regulations.
For example, for many people the health care sector is an amalgam of private and government
players and actions. A private requirement for an Internet ID that effectively served as a prerequisite to
interfacing with the governmental part of the health care system could raise more intensive civil liberties
147 The issuance of a driver’s license or an automobile license plate has not in the past resulted in the reporting or collection of
information about where an individual or automobile goes. However, with the use of electronic toll collection devices, congestion
pricing for highways, and other automated automobile information collection systems, the compilation of additional records
about driving habits may become both more commonplace and more controversial. One difference between driving and Internet
usage is that driving typically takes place in a public space and much Internet usage does not. The extent of privacy rights in
public spaces appears to be undergoing some rethinking at present. United States v. Maynard, decided in August 2010 by the D.C.
Circuit, is one of several recent cases where the issue of the applicability of the Fourth Amendment to tracking an automobile in
public by use of a GPS device arose. http://pacer.cadc.uscourts.gov/docs/common/opinions/201008/08-3030-1259298.pdf.
148 Identification or authentication requirements could offer additional privacy protections (by limiting identity theft) or assist
with other objectives (keeping children away from websites aimed at adults). Whatever other benefits might arise, they do not
necessarily relate to the cybersecurity matters under discussion here.
concerns. Additionally, if a government Internet ID were adopted by the private sector and became a
practical prerequisite to using the Internet even for private activities, the government process might be
questioned for its practical effect on citizens, for any discriminatory effect that the process might have
in design or in practice, for its privacy consequences, and otherwise.
Depending on the purpose of identification in the narrower context of preventing cyberattacks, it
remains open to debate whether a greater use of identification would be successful in either deterring
bad actors or finding them after the fact. The prevalence of identity theft suggests that those interested in
using the credentials of others for cyberattack purposes might have little difficulty doing so by stealing
the elements needed to impersonate another. Further evidence on this point is the ability of malfeasors
to establish and control remotely other computers connected to the Internet. A significant percentage
of computers connected to the Internet may be part of a botnet. Botnets could be another channel for
cyberattacks unaffected by identification requirements for users because the computers on the network
have credentials.
In addition to identifying individuals using the Internet, it is also possible that the government
could require Internet users to demonstrate proficiency in some important Internet skills pertaining to
security or otherwise. Automobile drivers must pass both written tests and road tests that demonstrate
knowledge of laws and rules and the ability to drive. Arguably, the same types of prerequisites could
apply to some or all Internet usage. The cost and difficulty of managing a proficiency requirement and
keeping it up-to-date aside, any proposal would likely be challenged as a limit on the exercise of First
Amendment rights. It would likely be seen as the equivalent of requiring a government license to read
a newspaper, use a telephone, or mail a postal letter. It might well prove difficult or impossible to show
that a proficiency requirement is compatible with the First Amendment. An employer, including the
government, may impose training requirements on its workers, but a general-purpose rule applicable
to the population at large would be more challenging to justify. 149
In all of these cases, whether or not an Internet prerequisite violated a constitutional standard, it is
nevertheless the case that civil liberties, due process, and privacy would be affected by the rules and
procedures that attach to the prerequisite, by the process for issuing the identification, by the amount
of personal information collected and maintained, and by the secondary uses for the information. Even
with privately issued identification, some or all of these issues would arise, whether or not a public or
private network relied on the identification. Laws prohibiting discrimination would presumably apply
to private sector identification schemes, for example. The discussion of security clearances, driver’s
licenses, and flight clearance shows that we have found ways to balance the rights and interests
involved in licensing schemes. That does not mean, however, that acceptable balances will always be
found for the next licensing idea.
Licensing computer technicians, programmers, cybersecurity specialists, or other professionals
whose activities directly affect cybersecurity on the Internet is another possibility. We have considerable
experience in licensing professionals through state or private sector actions, with due process and
privacy concerns similar to the licensing activities discussed above. Licensing of Internet professionals
would be less controversial than licensing Internet users. A licensing requirement for computer programs
is another possibility, and one that would raise more civil liberties concerns because computer programs
are intertwined with speech and are protected by the First Amendment. Whether any of these types of
licenses would have any significant effect on preventing unlicensed actors or malware from affecting
use of the Internet is far from clear, however. For some users, computer maintenance is accomplished
by grandchildren and not by professionals. A system that effectively controls computer programs is
difficult to envision. As with any licensing system, a criminal who engages in an illegal activity is not
likely to care that his or her actions also violate the obligation to obtain a license.
149 The HIPAA health privacy rule contains a requirement that covered entities train health care workers in privacy. 45 C.F.R.
§ 164.530(b). This seems unremarkable. However, a training requirement for patients would be another matter and considerably
more difficult to carry out or justify.
We have not exhausted the identification requirements that might arguably be relevant to preventing
cyberattacks. Instead of, or in addition to, licensing individuals to use the Internet, it is possible
for government to require identification or licensing of machines that access the Internet. Individual
computers or other devices could be required to have and to disclose as a condition of access to the
Internet a unique identifier that might be required to be registered in advance or subject to association
with particular individuals after the fact. An alternative approach might require that computers accessing
the Internet contain specific hardware or software with particular functionality (e.g., virus checking
software). Another approach could require regular inspection of Internet devices to determine if they
meet specific requirements and are up-to-date.
All of these techniques are used today for automobiles. Each automobile has a Vehicle Identification
Number (VIN), a unique serial number used by the automotive industry to identify individual motor
vehicles. Automobiles must display unique license plates issued by governments. Most states mandate
some form of safety inspection, including an inspection for emissions in some areas. 150 Federal rules
require auto manufacturers to install safety equipment, such as airbags. States require proof of insurance
before allowing an automobile to be registered.
The federal government likely has the power under the Commerce Clause to regulate computers
in similar ways, at least up to the point where the regulations clash with First Amendment interests.
Requiring serial numbers for some or most Internet access devices may be possible. For technical
reasons, cell phones are identified to the cellular network in order to function so identification seems
less of an issue. Internet devices typically use Internet Protocol addresses, which offer a type of identification
that may or may not be constant for each device over time. A fixed IP address could serve as
an identifier.151 Registration or identification requirements for other devices would be controversial,
of course. In the late 1990s, Intel proposed to produce computer chips with a unique Processor Serial
Number (PSN). Objections from the privacy community (“Big Brother Inside”) pressured the company
into abandoning its plans, and the PSN was dropped.152 Google released its Chrome browser with a
unique identifier, drawing criticism from some privacy advocates, but reports suggest that Google plans to
abandon the identifier.153
Computers that access the Internet now include many types of devices—including televisions and
refrigerators—and requiring some types of inspection seems impractical. The so-called Internet of things
(connection of routine objects and devices to the Internet) could result in a vast expansion of items connected
to the Internet, including every household item connected to the electrical grid, articles of clothing,
body parts, and much else.154 As a practical matter, it may be unworkable to design and implement
a system that mandates and enforces an identification requirement for every Internet device.
One can envision, possibly, a remote inspection of all Internet access devices for security purposes.
The government might be able to mandate remote inspection using powers available under the
Commerce Clause. A possible precedent is the Communications Assistance for Law Enforcement Act
(CALEA), a 1994 law intended “to make clear a telecommunications carrier’s duty to cooperate in
the interception of communications for law enforcement purposes, and for other purposes.” 155 The
law requires telecommunications carriers and manufacturers of telecommunications transmission and
switching equipment to ensure that equipment, facilities, and services allow the government to isolate
and intercept all wire and electronic communications. Essentially, CALEA forces telecommunications
150 See generally 42 U.S.C. § 7401 et seq.
151 It is a contested issue today whether an IP address is a personal identifier. The value of an IP address as a personal identifier
is cloudy when there are multiple users for a single computer.
152 See http://bigbrotherinside.org/; accessed March 17, 2010.
153 Ryan Whitwam, Google to Drop Unique IDs from Their Chrome Browser, MaximumPC, available at
http://www.maximumpc.com/article/news/google_drop_unique_ids_their_chrome_browser; accessed March 17, 2010.
154 See, e.g., Commission of the European Communities, Internet of Things—An Action Plan for Europe (June 18, 2009) (COM(2009)
278 final), http://ec.europa.eu/information_society/policy/rfid/documents/commiot2009.pdf; accessed April 15, 2010.
155 47 U.S.C. §§ 1001-1010.
carriers to design their networks so as not to impede authorized law enforcement surveillance requests.
CALEA does not directly affect consumer devices, but Congress might require that consumer devices include
the capability of allowing for government access via remote inspection under specified circumstances.
Again, the practicalities of implementing and enforcing a remote inspection scheme for all Internet
devices seem overwhelming, and the constitutional issues are most difficult.
Enforcement of some or all of these requirements would be additionally challenging because many
of these devices enter the country or access the Internet from abroad every day. The government has
broad authority to conduct suspicionless border searches of laptops and other electronic storage devices,
although it would be hard to do a search of every person and every device.156 Further, devices in other
countries that access networks in the United States present additional compliance and enforcement
issues. A uniform international scheme for controlling Internet devices seems a remote possibility at best.
The global nature of the Internet and the presence of multiple and potentially overlapping regulatory
regimes raise other vexing questions. These include the extent to which any national government could
impose or seek to impose requirements on Internet users in other countries or users crossing borders,
whether their own citizens or others, that would affect privacy or civil liberties.
It would certainly be argued that any type of regulation that affects the means of speech on the
Internet would be akin to regulating speech directly or to licensing printing presses. The regulation
would be strongly challenged on First Amendment grounds. The level of judicial scrutiny of an Internet
access regulatory scheme would be an important and debatable point. If the government’s actions were
strictly content neutral, proponents would argue for intermediate scrutiny under which the actions
would only have to serve an important or substantial governmental interest unrelated to the suppression
of speech and could not burden speech more than is necessary to satisfy that interest. For example, a
mandate that personal computers use parts that are readily recyclable would be more likely to be seen
as a content neutral regulation.
Yet it is much more likely that a requirement that every computer include a permanent and unerasable
keystroke logger would draw very strong objections on First Amendment grounds, with demands
for review under the strictest scrutiny standard that would require the government to demonstrate that
the regulation furthered an overriding state interest and was drawn with narrow specificity to avoid
any unnecessary intrusion on First Amendment rights. A potentially intermediate example might be a
requirement that every computer have virus protection software installed and kept up-to-date. Other
possible intermediate examples are a requirement that all ISPs examine Internet messages for malware
or a mandate that all browsers include specific features.
Regardless of the standard that would apply for constitutional assessment of these requirements,
it seems certain that there would be considerable political controversy about any increased role for the
federal government in defining prerequisites for access to or use of the Internet. There would likely be
strong objections to even the most mild-mannered mandate because it would open the door to stronger
and more invasive legislative mandates in the future.
In the absence of a specific identification, licensing, or authentication system, the discussion is
quite abstract and unsatisfying. Controls that may have some appeal at a high level of abstraction can
face overwhelming practical implementation problems and significant costs in addition to the legal,
constitutional, and political objections. The REAL ID law, which is much less sweeping in scope than an
Internet licensing scheme would be, started with enough political support to become law, but rapidly
became the target of practical, cost, and civil liberties objections. Years after passage, REAL ID languishes
with few steps toward implementation actually accomplished.
156 In 2009, the Department of Homeland Security issued directives on border searches of electronic media. U.S. Customs and
Border Protection, Border Search of Electronic Devices Containing Information (CBP Directive No. 3340-049) (Aug. 20, 2009), available
at http://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdf; accessed March 18, 2010; U.S. Immigration and Customs
Enforcement, Border Search of Electronic Devices (Directive No. 7-6.1) (Aug. 18, 2009), available at
http://www.dhs.gov/xlibrary/assets/ice_border_search_electronic_devices.pdf; accessed March 18, 2009. The Department’s Privacy Impact Assessment for these
policies is available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_cbp_laptop.pdf; accessed March 18, 2009.
It is easy to suggest that licensing of users or similar schemes will have benefits, but it is another thing
to develop a system that will actually work to meet its objectives in the worldwide Internet with an untold
number of devices connected to it, hundreds of millions of users connecting and disconnecting every
day, and rapid technological changes. A licensing system that controlled 99% of users and devices would
still leave plenty of opportunities for evasion by those who are motivated, assisted by insiders within
the licensing administration, supported by hostile foreign governments, or others. 157 Identity thieves
already operate a robust, underground market where stolen information and illegal services are sold
and advertised.158 An expansion of these activities to include information about Internet identities and
licensees can be anticipated.
The goals of any licensing system could matter a great deal. We regulate drivers not with the expectation
of removing every improper driver or car from the road. The overall regulatory system results
in improvements and not perfection. Despite laws, we still have unregistered cars, unlicensed drivers,
stolen license plates, and uninsured motorists on the road every day. A system to prevent cyberattacks
could have narrower goals of improving privacy and security on the Internet without necessarily
being expected to avoid everyone who is highly motivated or well-financed. However, to the extent that a
licensing system affects the exercise of First Amendment values, narrower goals may make it harder to
justify sweeping restrictions.
On the other hand, proponents of regulating Internet devices would argue that licensing and credentialing
have the potential to provide better privacy and other protections to individuals. Problems for
users that result from spam, malware, identity theft, and the like might diminish with the adoption of
broad licensing and credentialing systems. Thus, societal costs from computer viruses might decrease if
all computers had adequate anti-virus protection. Still, the benefits of licensing Internet users or activities
might not be enough to overcome the constitutional limitations on governmental powers. The issues
involved here are obviously multidimensional and cannot be fairly assessed using a single scale.
Regardless of the applicable standard, however, Internet device regulation that restricts or limits
speech in any way might well fail to be upheld because of First Amendment concerns. One hypothetical
analysis of the constitutionality of licensing printing presses concluded that it is fairly certain licensing
would be unconstitutional.
The difficulty that a licensing regime would have in satisfying First Amendment standards is reflected in
the consensus view: “Although it is virtually impossible to find a case that directly so holds, it is fairly
clear that any attempt to license a newspaper or magazine would violate the Constitution.” 159
For Internet regulation, the arguments—and perhaps the result—would surely vary depending on
the specific type of regulation, the problem that the government sought to address, and the factual justification
for the regulation. However, it seems likely that the burden of defending a regulation would
be great.
VI. CLOSE
The principal purpose of this closing section is to identify some issues that, for a variety of reasons
including lack of space, have not been discussed in any depth. There are no conclusions because meaningful
conclusions are not available given the largely abstract review of issues addressed. Proposals for
157 Any type of activity that creates central information about Internet users has a similar potential to create a resource that
could be exploited by identity thieves or others for criminal purposes. The same information could also be used by government
for other purposes that may affect privacy or civil liberties interests.
158 See NextAdvisor, Inside the Internet’s Financial Black Markets—How Identity Thieves Buy and Sell Your Personal Information
Online, http://www.nextadvisor.com/blog/2008/09/16/inside-the-internets-financial-black-markets-%E2%80%93-how-identity-thieves-buy-and-sell-your-personal-information-online/;
accessed July 2, 2010.
159 Stuart Minor Benjamin, The Logic of Scarcity: Idle Spectrum as a First Amendment Violation, 52 Duke Law Journal 1, 31 (2002)
(footnote omitted), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=310121; accessed March 17, 2010.
preventing cyberattacks can only be fully evaluated for their civil liberties and privacy consequences
when the details are available because the specific elements will make a significant difference to the
evaluation.
Criminal laws that seek to deter unwanted activities and to punish those who engage in them
have not been addressed. A leading example is the Computer Fraud and Abuse Act, 160 which generally
protects computers belonging to the federal government or a financial institution, as well as any computer
affecting interstate or foreign commerce. Laws about identity theft are also not addressed in detail,
although some of these laws have non-criminal law components. Generally, the tools and techniques of
criminal law enforcement have some relevance to cybersecurity (e.g., deterrence), but further analysis
is not possible in the available space.
Some federal and state161 legislation also establishes security standards for computer systems. For
example, the 2002 Federal Information Security Management Act (FISMA) 162 directs the head of each
federal agency to provide “information security protections commensurate with the risk and magnitude
of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction
of” agency information or information systems.163 Laws establishing private sector security requirements
are not common, but there are some, including:
• Section 404 of Sarbanes-Oxley164 requires a publicly owned company’s management and the
external auditor to report on the adequacy of the company’s internal control over financial reporting.
Because the financial reporting processes of many companies depend on information technology
systems, controls over those systems may fall within the scope of a required assessment of financial
risks.
• The Gramm-Leach-Bliley Financial Services Modernization Act includes a few privacy and security
provisions. It expresses a policy that each financial institution has an affirmative and continuing
obligation to protect the security and confidentiality of nonpublic personal information about customers.165
Financial services regulatory agencies issued regulations with more detailed standards. 166
• The Health Insurance Portability and Accountability Act167 (HIPAA) requires the Secretary of
Health and Human Services to issue security rules for covered entities (mostly health care providers and
insurers). The rules cover electronic health information.168 The HIPAA security requirements are more
detailed than some comparable rules, rely on industry standards, and give covered entities considerable
discretion in application.
Legislation is a crude tool for mandating security, and legislators appear to understand its limitations.
Security legislation is typically stated in broad, high-level terms with few details, and the civil liberties
and privacy implications of current legislation are of lesser significance here. That could change. Some
security laws call for the use of encryption, which can have value in deterring cyberattacks. Encryption
can be employed or mandated in a multitude of different ways and, depending on the specifics, can
have significant consequences for privacy and civil liberties. A Clinton Administration proposal (Clipper
Chip) for mandatory encryption of data communications involving the escrow of encryption keys
160 18 U.S.C. § 1030.
161 See, e.g., the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201
CMR 17.00, available at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf; accessed March 15, 2010, and the
implementing regulations at 201 CMR 17.00, available at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf,
accessed August 30, 2010.
162 44 U.S.C. § 3541 et seq.
163 44 U.S.C. § 3544(a)(1)(A).
164 15 U.S.C. § 7262.
165 15 U.S.C. § 6801.
166 See, e.g., 16 C.F.R. Part 314 (Federal Trade Commission).
167 42 U.S.C. §1320d-2(d).
168 45 C.F.R. Part 160 and Part 164, Subparts A & C.
with the government was highly controversial among civil liberties advocates, Internet users, industry,
and others. The proposal was eventually dropped.169
Some other subjects that are largely outside the scope here are better training, consumer education,
reporting and collaborative efforts,170 voluntary activities,171 security breach notification,172 and
polygraph regulation. Most but not all of these activities are less likely to raise privacy or civil liberties
concerns.
Emergency powers may allow the President to seize property; organize and control the means of
production; seize commodities; assign military forces abroad; institute martial law; seize and control
all transportation and communication; regulate the operation of private enterprise; restrict travel;
and, in a variety of ways, control the lives of United States citizens. 173 The scope of these powers with
respect to the Internet is not immediately clear, but any exercise would raise civil liberties and privacy
concerns that cannot be considered here. Recent circulation of a draft legislative proposal by a Senator
that would expand the authority of the emergency powers of the President with respect to operation
of the Internet attracted considerable controversy. Direct presidential control over the operation of the
Internet or the collection of information about Internet activities data raises a large number of issues
for individuals, companies, and organizations. The inherent borderlessness of the Internet does nothing
to simplify these issues.
Also unexplored here are uses of incentives for those individuals, companies, or other entities that
adopt better cyberattack protections. The range of possible incentives is broad, including civil liability
that would make software, hardware, service vendors, or users responsible for their failure to provide
adequate security measures or their failure to use adequate security measures; civil liability for ISPs who
fail to verify the identity of users; and subsidies or tax incentives for “good” behaviors. It is not apparent
in the abstract that any of these would necessarily raise significant civil liberties or privacy concerns,
although civil liability can raise constitutional questions about violations of the Due Process Clause by
grossly excessive or arbitrary punishments.174 The use of incentives to induce the private sector to adopt
protections that the federal government could not impose directly has the potential to be controversial.
169 See, e.g., A. Michael Froomkin, The Metaphor Is the Key: Cryptography, the Clipper Chip, and the Constitution, 143 U. Pa. L. Rev.
709 (1995).
170 See, e.g., United States Computer Emergency Readiness Team (US-Cert), http://www.us-cert.gov/; accessed March 17,
2010.
171 See, e.g., the Critical Infrastructure Information Act, 6 U.S.C. §§ 131-134.
172 Both the federal government and the states have enacted security breach notification laws, but there is no general federal
statute (either preemptive or otherwise) despite much congressional activity over several years.
173 Harold C. Relyea, National Emergency Powers (2007) (Congressional Research Service),
http://www.fas.org/sgp/crs/natsec/98-505.pdf; accessed April 14, 2010.
174 See, e.g., State Farm Mutual Insurance Co. v. Campbell, 538 U.S. 408 (2003).