Zen and the Art of Cybersecurity

[Image: data-retention-zen]

In the hothouse of Congress, members have been sweating over the need to do something – anything – about “cybersecurity.” They were under pressure from the administration, the intelligence services, and the tech industry. But the latest news is that the Republican majority will be turning, in the few days left before the recess, from the contentious highways bill to a bill to defund Planned Parenthood, likely shifting the previously-catastrophically-urgent cybersecurity crisis through to the fall. So Congress, like my seven-year-olds in school assembly, can take a few deep breaths and imagine that they can smell a flower.

The truth is, there never was a “cybersecurity crisis.” Companies are already legally allowed to share information on hacking attempts with the government, and they usually do. This debate is not really about making US companies or the US government more secure; it’s about putting more of the information that you have voluntarily shared with US companies into the government’s hands, without those companies being liable for violating their own privacy policies by sharing personally identifiable information. All proposals on the table in Congress would immunize companies from suit in this way. In this sense, it would be perfectly all right for Congress to do nothing.

Nevertheless, there is a cybersecurity problem that is worth trying to solve. The government is not a good custodian of our data. Its networks are often poorly secured and vulnerable to outside intrusion. In the surveillance arena, there are now over five million people with security clearances, who are in a position to leak sensitive information. Cultivating a more disciplined approach to network protection and data retention would seem to be a good idea. That’s where the principle above comes in.

In this spirit, let’s calmly reflect on what a bill dealing with this real problem would look like.


Time to Gut CFAA Like The Rotten Fish It Is: Protests and Reform Proposals for Computer Crime, with Added Matthew Broderick

It’s not usually our dealio here at Digital Fourth to weigh in on federal digital rights, because terrific organizations like EFF, Fight for the Future, Demand Progress and the ACLU generally do that heavy lifting for us. But so much has happened regarding prosecutions under the Computer Fraud and Abuse Act that it’s worth focusing on what this law is, why it’s in such a mess, and what can usefully be done about it.

When originally passed way back in 1986, the intent of the CFAA was to ban hacking. This kind of hacking:

Wait, Ally Sheedy was in this? I must watch it again.

In other words, what they were concerned about was access to “Federal interest computers”, namely computers belonging to the government, or at certain designated utilities like nuclear power stations or financial institutions. Now, however, the law covers pretty much any computer held by anyone.

Why is that a problem? Read on!
