Stanford Law School: Center For Internet and Society: Securing Privacy in the Internet Age (SPIA)
[updated Sun 14 March 04 21:07 GMT-8 for clarity -GF]
Sunday 14 March 2004
Notes and commentary of Graham Freeman (graham@jahiel.net, www.jahiel.net)
My personal commentary/questions/responses/whatnot are almost always presented like so: [GF: blah blah blah blah]. Almost everything else is my interpretation of what the presenter in question said.
09h47
Hope I'm not late. Nope, everyone's still outside - good.
10h00
welcome from Lauren Gelman
lots of people still trickling in; much ambient noise from luggage being opened and whatnot
intro by Anupam Chander
He spoke about the upcoming talks and the paradigm of strict liability from tort law.
10h03
Andrea Matwyshyn - Northwestern University School of Law
Wow, she talks fast. I can either take good notes, or comment on what I notice. I'll talk about what I notice.
Stanford plug: She mentioned that Radin and Lessig put forth ideas on which her paper was built. Radin: personalization vs. standardization; Lessig: architectures of control
She slowed down a bit. Whew
She phrases things in Eric Raymond's terms: Organizational code is the "bazaar" and East/West Coast Code are the "cathedral".
She sped up again.
Among her questions: Is legal emergence in data security contracting currently happening?
She examined 75 web sites of publicly-traded companies and examined current privacy/terms of use policies and evaluated each for enforceability according to several recent cases: ProCD vs. Zeidenberg, Register.com vs. Verio, Specht vs. Netscape, Ticketmaster vs. Tickets.com. Found that all web sites had unenforceable terms of use according to aforementioned cases.
Found that current internet data security constructions are nonadaptive constructions that will not develop into architectures of growth.
U.S.-centric approach in these companies' TOS - almost certainly unenforceable in EU.
Advocates merging privacy and terms of use policies into a single contractual memorialization of the web site 'conversation' between web site viewer and web site publisher.
If I understand her correctly, she advocates paradigm in which users can negotiate contract with content providers, rather than the current take-it-or-leave-it approach. [GF: I wholeheartedly agree - 'voting with your dollars' has value, but it's not adequate especially when dealing with a monopoly. Silent Q from Graham the not-lawyer: Would this strengthen contract law by making it a more healthy and equitable aspect of society?]
10h25
Shubha Ghosh of University of Buffalo SUNY Law School and Vikram Mangalmurti of Heinz School of Public Policy
Topic: A Social Insurance Perspective on Cybersecurity and Privacy
Vikram gave intro
Shubha started by noting that the term 'social insurance' sometimes brings a welfare paradigm to mind - this is not necessarily what he means.
Among his central points: Need to consider policy tools beyond contract and property to protect personal interests in information. [Silent applause from Graham]
Pointed out via quoting Hamilton vs. Microsoft complaint that "Microsoft's attempts to ... integrate ... applications with its operating system have significantly contributed to ... complexity and ... vulnerability."
Quoting one of his slides:
Ensuring trust in architecture
* Highways
* Inoculation
* Securities laws
Three elements
* Risk and uncertainty in transactions
* Liability system
* Accountability within the system
[GF to-do: Read Helen Nissenbaum on accountability]
How does this play into peer-to-peer and open-source systems? Who is the liable party? Pointed out that strict products liability (SPL) paradigm may be more favourable to open-source than to proprietary commercial software.
10h51
Raymond Nimmer of University of Houston Law Center
Topic: Contracts and Data Protection
Language: Rights talk (ownership, infringement, compliance, waiver; who owns?); Regulation talk (rules, mandates, compliance); Contract talk (agreements, performance, expectation, markets)
Emphasized issue of ownership. Implicit argument that transactional data, having been created by both individual and vendor, belong to both. Seems to leap from there to saying that aforementioned data are therefore non-private.
[GF: I (silently) argue that this simply means that the data are now shared private data. Shared secrets are less secret, but they're still understood to be private and confidential. I would further argue that, given the choice, individuals are generally only willing to disclose personal/private information to entities which they trust will take reasonable steps to maintain the confidentiality of those data.]
[GF: First time I've ever heard "sexy" describe "regulatory", and I'm a lefty.]
Talks about transactional data: Says that it is information voluntarily transferred or created as part of a transaction with another party, and that it's non-private personal information that is accurate as to what it portrays.
Views contract law as unavoidable when dealing with transactional data.
11h11
Chris Hoofnagle of Electronic Privacy Information Center (EPIC)
Topic: Putting Identity Theft on Ice: Phase Shifting Credit to Prevent Lending to Imposters
Started by thanking presenters who did not wear ties and by thanking Microsoft for actually trying to do something serious about computer security.
[GF to-do: Find out what SSRN is. Mentioned in context with Lexis and academic research.]
Says that individual credit information is currently in 'liquid' form - anyone who asks for it can get it.
Mentioned cases of dogs getting lines of credit. Clifford J. Dog with $1,500 line of credit, shih tzu with $24,000 line of credit.
Trusted insider problem: An entity signs a form promising not to do bad stuff, and is then granted wholesale access to the credit reporting database.
Argues that fraud alerts are too little, too late - people usually learn about identity theft after the damage has already been done.
Also argues that credit monitoring is insufficient, but doesn't really explain why. I think the real failure of credit monitoring is that it is sold as a revenue-enhancing product rather than granted as the price of doing business.
Argues that credit reports should be 'frozen' by default, and that they should be accessible only when individuals 'thaw' their credit record either on a case-by-case basis (such as planning for a 3-day period in which you shop for a car) or indefinitely (opt-out).
[GF: I think that sounds good, but I can't see that ever happening - it would eliminate a lot of impulse spending, and industry won't stand for that.]
11h30
Panel discussion, moderated by Anupam Chander
Andrea: Contract is just one part of a broad scheme of best practices.
Vikram: Pointed out that the average person doesn't understand or pay attention to such things as the implications of click-wrap licenses. Also pointed out that third parties to folks involved in a vendor/client contract are often harmed in DDoS attacks, and contract law does not provide restitution to these damaged parties.
[GF: Example: Lazy Sysadmin has a contract with JustAConduit Internet Services. Lazy Sysadmin gets his inadequately maintained server taken over by malicious crackers, who then use it to launch an attack against the web site of Outspoken Activist, whose site is hosted with Unrelated Internet Services. Outspoken Activist has no contract with Lazy Sysadmin or JustAConduit Internet, and thus has no recourse under contract law.]
Raymond: (if I'm interpreting him correctly) Argues that state law is an impossible venue through which to resolve nationwide issues, due to desire on the part of state legislatures to achieve politically expedient solution.
[GF, silently: Sometimes "politically expedient" really means "reflective or responsive of popular will".]
Elaine Newton, CMU: Asked Andrea her opinion of P3P as solution. Andrea: Argues for more proactive, in-your-face approach than P3P.
Tim Wu (Univ of Virginia): Asks what the costs are for Chris' favoured approach to slowing down credit. Chris argues that slowing down credit is (due in large part to >$2T consumer debt) desirable and that part of the costs of credit card fraud are transferred to merchants through chargeback fees.
Robert Newman (Thomas Jefferson School of Law): How to enforce strict liability when vendors blame each other for various problems? Shubha: Modification defense applies to end-user, not to other vendors. Robert: Is installing software a modification?
[GF to-do: Read and understand Gramm-Leach-Bliley act]
Beth Givens argues that notice is more effective when notice is in plain English.
12h07 break for lunch