The Center for Internet and Society at Stanford Law School is a leader in the study of the law and policy around the Internet and other emerging technologies.
President-elect Donald Trump’s repeated attacks on the Intelligence Community and denials of Russian involvement in the hacking of the Democratic National Committee (DNC) risk emboldening U.S. adversaries. Attribution of cyber intrusions to particular perpetrators is a necessary precondition to every possible response, from criminal indictments to economic sanctions to countermeasures.
Last year, the ongoing encryption debate took a backseat to a steady drip of stories and developments related to government hackings. This set the stage for a set of policy and legal innovations that are critical but that now seem unlikely to occur. As a result, we may look back on 2016 as the year we legitimized government hacking without establishing safeguards to prevent its abuse.
Before talking about the implications of that fact, it is worth walking through some of the events of the last year and take stock of what we learned:
The 2016 election has put squarely on the public agenda a series of questions related to the norms of social media, everything from the proliferation of fake news on Facebook to the trolling culture of Twitter. These questions are not new. The culture of abuse online towards women, for example, is a matter about which one of us wrote a book.
On December 14, 2016, the Federal Trade Commission settled a complaint with the company running the adult finder site Ashley Madison over the 2015 data breach that exposed the personal data of more than 36 million users and highlighted the site’s unfair and deceptive practices.
This afternoon the White House announced several actions against Russia in retaliation for Russian interference in the U.S. election. Key among them is the use of the cybersecurity sanctions regime created by Executive Order 13694 in April 2015. But the White House had to amend the Executive Order to use it against Russia.
Managing information is central to the criminal justice system, and so it’s inevitable that mistakes happen. Names get confused, files lost. When these errors occur, the police can mistakenly arrest or detain people with no legal cause. But what happens when software is responsible for a wrongful arrest or detention?