“Cyber” Letters of Marque and Reprisal: A Path Forward on Hacking Back?

Posted By: Jordan Brunner

On February 16, 2018, Special Counsel Robert Mueller indicted 13 Russians on charges of fraud and obstruction of justice for, among other things, assuming fake identities on social media and sowing discord in the 2016 U.S. presidential election. Mueller’s actions are in keeping with a general policy begun during the Obama administration of indicting foreign actors who use the Internet as a weapon against the United States. There are numerous justifications for this practice, the most prominent of which is to “name and shame” the perpetrators. As Lisa Monaco, Obama’s homeland security adviser, stated in a recent interview,

“[I]t [is] in our interest to publicly attribute that activity, to name and shame―if you will―to isolate that actor on the world stage, to garner international support to say, sanction or impose diplomatic costs. . . . The point there is: you’re calling out that activity, you’re identifying it, you’re naming it, you’re showing that you can attribute that, identify it, identify those actors. . . . And even if you don’t ultimately physically get your hands on your actors and get them into court, they aren’t going to be able to travel because otherwise that warrant will be out for them.”

Numerous actors have been indicted or sanctioned under this policy. Among those who have been indicted are:

In addition, North Korea was sanctioned in the aftermath of the Sony attack as a “proportional response,” to “ongoing provocative, destabilizing, and repressive actions and policies, particularly its destructive and coercive cyber attack on Sony Pictures Entertainment,” according to the Obama administration.

But without extradition to the United States, actual prosecution of the individuals or groups under indictment is unlikely. This has led some scholars to claim that the indictments have little deterrent value, and indeed may be counterproductive. And it has led to increasing frustration from certain companies that have been the victims of attacks against their intellectual property. It has also led companies to take matters into their own hands.

First Amendment Right to Privacy and the DMCA

Posted By: Joseph Urtuzuastegui

Not too long ago, I wrote a post about how you should not expect to have any First Amendment Rights when it comes to being censored by private social media sites. Now, I am here to tell you that the Digital Millennium Copyright Act (DMCA) may be unconstitutionally infringing on your right to privacy. The big difference in this circumstance deals with who is acting. The DMCA was adopted by the United States Congress, and thus, the Act is a government action, unlike the private actions of Twitter in my previous post. Since the DMCA is a government action, it cannot restrict your speech according to the First Amendment which, for those who have not memorized all the Constitutional amendments, reads: “Congress shall make no law…abridging the freedom of speech…” Simply put, the government cannot keep you from speaking, except for some extreme exceptions.

Inherent in this freedom to speak is the right to privacy, which has been a right exercised even before the ratification of our Constitution. “The Federalist Papers” were a collection of articles and essays which were written to push for the ratification of the United States Constitution. These articles and essays were written by a number of our Founding Fathers, and they had one thing in common: they all wrote under the pseudonym “Publius.” There are a few reasons for this, but the most compelling reason cited is that the Founding Fathers wanted The Federalist Papers to serve as the reason for ratification, but they did not want the arguments to be rejected because of a view of bias before there was a chance to prove their point for one of the greatest documents of all time. Needless to say, this right of privacy, specifically a right to remain anonymous while speaking, is one of the oldest and most important rights we have as Americans. Without it, there may not be a Constitution, and while this is one of our greatest rights, there has been no challenge to the DMCA stripping this right away with the “Take-Down” provision.

Internet Decency and the Communication Breakdown

Posted By: Peter Brown


On April 3, 2018, Congress submitted H.R. 1865 to President Trump for signature. The bill, titled Allow States and Victims to Fight Online Sex Trafficking Act of 2017, alters the application of 47 U.S.C. § 230 protecting internet platforms from liability for users’ posts. Nestled within the larger Communications Decency Act (CDA), § 230 represents Congress’ intent in 1996 to foster the internet’s promise to improve communication, commerce, and education.

Section 230 generally protects websites like Craigslist and Amazon.com from liability for what their users post on their platforms. As long as those sites are merely providing a soapbox for their users, the users may yell nearly anything without the site facing legal trouble. Yet, the recent whirlwind of horror, disappointment, and frustration whipping around Facebook, Cambridge Analytica, and most recently, sex-trafficking facilitator Backpage.com, has destabilized confidence in the necessity of § 230’s protections. While H.R. 1865 targets websites like Backpage.com, the bill threatens to harm scrupulous websites and their users.

Decreasing Cybersecurity by Criminalizing All Hacking

Posted By: Jamie Winterton

What should one do if one discovers a security problem on the internet? It’s not a question most internet users have to ask themselves, but something that hackers – whose hats range from snow white benevolence to pure black evil – must consider carefully. There are a variety of options. Some choose to leave it alone. Doing nothing is usually a safe bet. Some will choose the responsible disclosure route – contacting the company and having a private conversation about the vulnerability, its risk, and ways to remediate. Sometimes there are financial incentives. I don’t mean the nefarious ones – selling the vulnerability on the dark web, for example – but many companies and government organizations have established “bug bounty” programs, wherein a researcher who finds a security problem can get paid for disclosing it, the amount depending on the severity and potential impact of the bug. When implemented well, these programs have helped companies improve their security posture by getting new eyes on old problems that may have been overlooked.

But even as security researchers are incentivized by these new programs, independent security research in general is sharply constrained by legislation. One example is a recent bill in Georgia, one of the strictest measures proposed at the state level. Senate Bill 315 proposes to amend the Official Code of Georgia to create “the new crime of unauthorized computer access” and aligns significant punishments to match. The unfortunate part of the bill (which has yet to be signed by the governor) is that it provides no exemption for responsible disclosure, meaning that well-intentioned security researchers – those who report vulnerabilities rather than exploiting them or selling them – have no legal protection.

The bill specifically states that the newly-defined crime does not include “Cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access” – but what the bill’s authors fail to realize is that offense is an essential part of defense in cybersecurity. Industry and government employ “red teams” – people whose job it is to attack specified networks – but even the best red teams can’t find everything. Computer networks are complex multi-layered systems. “You can’t find all the bugs yourself,” said Katie Moussouris, who designed Microsoft’s bug bounty program and developed ‘Hack the Pentagon’, the US federal government’s first bug bounty program. “Whether you’re a well-funded government like the U.S. or anyone else, you have to work with the hacker community.” Oddly, Georgia SB315 excludes “persons who are members of the same household”, so hacking your spouse’s computer or devices is apparently acceptable to Georgia’s lawmakers.

AI in a Contract World

Posted By: Joseph Urtuzuastegui

Artificial intelligence (“AI”) has been the subject of many science fiction stories for the past fifty years, but just how close is society to blurring the lines between who is a real person and who is a computer? We would like to think that it was still a distant idea but it is actually already here. AI has moved front and center into the business marketing world. There are many ways a business will use AI in order to market to target customers, and AI has become a great resource to many businesses. But, what happens when AI gets so good that the people who are talking to it think they are speaking with a real person? Furthermore, how do we handle AI entering into a contract with a real person who thinks they are talking to a real warm-blooded human? These questions will have to be answered in the near future, and the way a court will have to answer them is through the good old-fashioned common law of contracts. This analysis will determine how and why AI will be able to enter into legally-enforceable contracts with humans, but don’t be so quick to give up as we will discuss some defenses for us measly mortals.

The Facebook Scandal: Illegal, or Just Unethical?

Posted by: Jensen Nevitt

If you have been paying any attention to the news of late, then you have heard of the Facebook/Cambridge Analytica scandal involving the dissemination of information relating to 87 million Facebook user profiles. This is not the first time that Facebook has gotten into trouble for infringing on the privacy of its users, and if left unchecked, it might not be the last. Even if it turns out that the actions of Facebook were not illegal, they were certainly unethical and deceitful. Congress has taken notice and wants answers. Given the outrage of users and declining trust in the company, perhaps it is time for further regulation of companies like Facebook that guard access to such vast amounts of personal information.

What Happened?

If you have not heard the background of the on-going Facebook scandal, then it might be time to familiarize yourself with what happened. “Why?”, you may ask. The answer is: you just might be one of the 87 million Facebook users whose personal information was accessed by Cambridge Analytica. Cambridge Analytica is a political data firm hired by the Trump campaign to identify an audience for political advertisements. Cambridge Analytica accessed the personal information of millions of users without those users being even slightly aware, which begs the question, “how can something like this even happen?”

Physicist in a Law School: Learning to Cope With The Phrase “It Depends”

Posted by: Jamie Winterton

In my role with the Global Security Initiative at Arizona State University, I work closely with colleagues in the law school. At law school events, I often introduce myself by saying:

“I’m a physicist by training… so I work with laws, but they’re in a much different jurisdiction.”

The lawyers usually get a laugh out of it. But there’s an element of truth there.

One thing I’ve always loved about physics is the precision with which we can describe our world. Why do the planets move the way they do? They’re obeying Kepler’s Laws of Planetary Motion. Why can’t you cool your house by leaving the refrigerator door open? That would violate the second law of thermodynamics. Our equations may be long and our explanations interminable, but the laws of physics are precise.

Coming from the field of physics, law often feels turbulent, or even “fuzzy”. The joke often told about law school (and the best jokes are based on truth!) is that everything in law boils down to the phrase “it depends”. I hear it a lot from my law school colleagues. Richard Feynman, rock star physicist, once said “Imagine how much harder physics would be if electrons had feelings!” In the same vein, imagine how much harder physics would be if there were conflicting interpretations on how to apply the law of gravity. “The space mission was going well until the probe hit the 7th sector, which tends to favor a interpretation…” Or to riff on the phrasing from one famous copyright decision (which I’ll talk about more below): “So far, in the laboratories, the second law of thermodynamics has received a mixed reception. While some materials have adopted its reasoning… others have rejected it”.

To quote an ASU professor in Cyberspace Law: “You see the problem.”

Cyber Security and Artificial Intelligence Forecasting: Short-Term Risk

Posted by: Alek Emery

Recent headlines surrounding cybersecurity incidents, like the Equifax breach, illustrate the increasing importance of data security—and the potential harms resulting from security vulnerabilities within systems containing consumer information. It should come as no surprise then that the proliferation of artificial intelligence will likely play a crucial role in future cyber security developments. However, the convergence between public understanding of cyber security and artificial intelligence (AI) is lacking, particularly in the area of the already-occurring or near future possibilities for AI to create cyber security risks. In short, there are three (at least) compelling reasons for focusing on the short-term risks posed by AI when considering what can be done to prevent future harms.

Patent Trolls, Silicon Valley & the Law

Posted by: Jensen Nevitt

People have long been intrigued by the legal profession as portrayed by the entertainment industry. Long before I ever set foot in law school, I was drawn to books by John Grisham. I was fascinated by movies ranging from serious dramas such as To Kill a Mockingbird and A Few Good Men, to more light-hearted films such as My Cousin Vinny. I loved watching the television show Suits. Few professions attract the attention of the public like the legal profession. I can think of only a few others, such as spies, doctors, to some extent politicians and journalists. After attending law school for a few semesters now, that affinity for law-based entertainment has only grown.

The difference is that now, my focus has changed. I used to watch the movies for the entertainment value. Now, I watch them with a critical eye. I watch them for accuracy, always wondering if a lawyer or a judge would really do what the character did in a given situation. This recently occurred as I watched an episode of the HBO show Silicon Valley. In the episode, the characters confronted a patent troll. I reflected on the actions of the main character and his lawyer in the show, and asked myself if the result was realistic. I found out a little bit about software patents in Cyberspace Law class readings and decided to write this blog on the topic. I came to the conclusion that the attorney in the show did give solid advice to the main character and did so based on a conclusion that was probably also correct.

Not so Safe Harbor for ISPs

Posted by: Rylan Stewart

The battle rages on between copyright holders and internet service providers (“ISPs”) as the interests of these parties continue to be adverse. Copyright holders seek greater protection for their works under the DMCA in order to maximize revenue by stomping out infringers. At the same time, ISPs fight to maintain as many users as possible while maintaining immunity from liability under the safe harbor provisions of §512(a).

In order for ISPs to receive protection under the safe harbor provision, ISPs are required to adopt and reasonably implement a policy in which ISPs can terminate users who are found to be engaging in repeat copyright infringement. The issue currently being played out is the interpretation of what it means to “reasonably implement” the policy adopted by an ISP. The interpretation of this language has huge implications as it can be the determining factor in deciding whether or not an ISP can claim the safe harbor provision as a defense against being held contributorily liable for infringing acts committed by the ISP’s users.

In the latest quarrel, BMG Rights Management (“BMG”) gained a victory for copyright holders by receiving a $25 million judgement against Cox Communications Inc. (“Cox”) for contributory liability for failing to reasonably implement a termination policy for users caught committing copyright infringement using Cox’s services.

BMG’s victory against Cox signals a victory for copyright holders by setting precedent which requires ISPs to actively terminate internet service to users who have been identified as infringers or face the consequences of being held contributorily liable for the infringements. While it is true that a user who has service terminated by one ISP for committing copyright infringement could just seek service from a new ISP, most areas have a finite number of service providers. In theory, if all ISPs were to strictly enforce termination policies, it could be a powerful tool to combat against repeat infringers.