An Intriguing Idea for Board of Directors Reform

“Boards are almost exactly as they were a hundred years ago: a collection of grey eminences who meet for a few days a year to offer their wisdom. They may now include a few women and minorities. There may be a few outsiders. But the fundamentals remain the same. Board members are part-timers with neither the knowledge nor the incentives to monitor companies effectively. And they are beholden to the people they are supposed to monitor. Boards are thus showcases for capitalism’s most serious problems: they are run by insiders at a time when capitalism needs to be more inclusive and are dominated by part-timers at a time when it needs to be more vigilant about avoiding future crises. In the May edition of the Stanford Law Review Stephen Bainbridge of the University of California, Los Angeles, and Todd Henderson of the University of Chicago offer a proposal for fixing boards that goes beyond tinkering: replace individual directors with professional-services firms.” – The Economist

Professors Bainbridge and Henderson’s paper (pdf): Boards-R-Us: Reconceptualizing Corporate Boards

08/26/2014: 

Should Twitter, Facebook and Google Executives be the Arbiters of What We See and Read?

“It’s an imperfect analogy, but, given this extraordinary control over the means of global communication, Silicon Valley giants at this point are more akin to public utilities such as telephone companies than they are ordinary private companies when it comes to the dangers of suppressing ideas, groups and opinions. It’s not hard to understand the dangers of allowing, say, AT&T or Verizon to decree that its phone lines may not be used by certain groups or to transmit certain ideas, and the dangers of allowing tech companies to do so are similar. In the digital age, we are nearing the point where an idea banished by Twitter, Facebook and Google all but vanishes from public discourse entirely, and that is only going to become more true as those companies grow even further.” – Glenn Greenwald at The Intercept

“We need, as web inventor Tim Berners-Lee has urged, to re-decentralize the Internet, and restore its promise as a medium where the action takes place at the edges of networks—where we wouldn’t need permission to communicate and innovate. The first way we users of Internet services can re-decentralize is to create—and make use of—our own home base online. In practical terms, this means getting your own domain name and creating, at a minimum, a blog where you establish your own identity. The page you think is yours at LinkedIn, Tumblr, Instagram (Facebook), or any of the other centralized services is emphatically not truly your own; it’s theirs.” – Dan Gillmor at The Atlantic

Matthew Green on the Problems with Email Encryption

“The path to a proper encrypted email system isn’t that far off. At minimum, any real solution needs:

  • ‘A proper approach to key management. This could be anything from centralized key management as in Apple’s iMessage — which would still be better than nothing — to a decentralized (but still usable) approach like the one offered by Signal or OTR. Whatever the solution, in order to achieve mass deployment, keys need to be made much more manageable or else submerged from the user altogether.’

  • ‘Forward secrecy baked into the protocol. This should be a pre-condition to any secure messaging system.’

  • ‘Cryptography that post-dates the Fresh Prince. Enough said.’

  • ‘Screw backwards compatibility. Securing both encrypted and unencrypted email is too hard. We need dedicated networks that handle this from the start.’”

– Professor Matthew Green, Johns Hopkins University, writing at his blog: A Few Thoughts on Cryptographic Engineering.

Recommended:

Cyber Law, Tech and Policy

General Interest

08/14/2014: 

Proposed Senate “USA Freedom Act” – Link Roundup

08/12/2014: 

Dan Geer: Cybersecurity as Realpolitik (video)

Dan Geer, CISO for In-Q-Tel, a not-for-profit investment firm that invests in technology that supports the missions of the CIA and broader U.S. intelligence community (i.e., the CIA’s venture arm), garnered headlines this past week for the proposal that the U.S. intelligence community corner the market on security vulnerabilities and then disclose them. His presentation at Black Hat 2014, however, is well worth watching in its entirety, as he touches on policy proposals on a wider variety of topics including:

Mandatory Vulnerability Reporting: 16:46
Net Neutrality: 22:20
Product Liability for Software: 25:31
Cyber Attack Counterstrikes: 32:12
Fallbacks/Resiliency: 33:28
Vulnerability Finding: 38:44
Right to be Forgotten: 40:15
Internet Voting: (only in Transcript)
Software Abandonment: 44:47
Convergence of Cyberspace and “Meatspace”: 47:04


08/11/2014: 

More Morozov

“A robust privacy debate should ask who needs our data and why, while proposing institutional arrangements for resisting the path offered by Silicon Valley. Instead of bickering over interpretations of Facebook’s privacy policy as if it were the US constitution, why not ask how our sense of who we are is shaped by algorithms, databases and apps, which extend political, commercial and state efforts to make us – as the dystopian Radiohead song has it – ‘fitter, happier, more productive’? This question stands outside the privacy debate, which, in the hands of legal academics, is disconnected from broader political and economic issues. The intellectual ping pong over privacy between corporate counsels and legal academics moonlighting as radicals always avoids the most basic question: why build the ‘private spaces’ celebrated by Mr Zuckerberg if our freedom to behave there as we wish – and not as companies or states nudge us to – is so limited?” — from Evgeny Morozov’s OpEd in the Financial Times

08/11/2014: 

“Tails, the operating system favoured by journalists, activists, and Edward Snowden for its high degree of privacy protection, has been shown to have critical vulnerabilities in its code. By exploiting these, attackers could peel away a Tails user’s cloak of anonymity. It’s just the latest reminder that tools touted as ‘anonymous’ are not infallible.” — Another Reminder That Anonymity Tools Aren’t Foolproof – Vice’s MotherBoard

Back Doors in Apple’s Mobile Platform for Law Enforcement, Bosses, Spies (Possibly) – Cory Doctorow at BoingBoing: “Jonathan Zdziarski’s HOPE X talk, ‘Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices’, suggests that hundreds of millions of iPhone and iPad devices ship from Apple with intentional back-doors that can be exploited by law enforcement, identity thieves, spies, and employers.”

Tor Break Talk Axed from Black Hat Conference – ZDNet: “A proposed talk by two Carnegie Mellon University researchers demonstrating how to de-anonymise Tor users on a budget of US$3,000 has been axed from the Black Hat USA 2014 conference in Las Vegas next month. The talk, ‘You don’t have to be the NSA to Break Tor: Deanonymizing Users on a Budget’ by speakers, Alexander Volynkin and Michael McCord, from Carnegie Mellon University’s Computer Emergency Response Team, had reportedly been highly anticipated by punters.”

Visit the Wrong Website, and the FBI Could End Up in Your Computer – Wired: “Security experts call it a ‘drive-by download’: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hackers’ clutches within minutes . . . For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.”

Putin Sets $110,000 Bounty for Cracking Tor as Anonymous Internet Usage in Russia Surges – Bloomberg.

08/6/2014: 

Kevin Kelly: You Are Not Late

“Can you imagine how awesome it would have been to be an entrepreneur in 1985 when almost any dot com name you wanted was available? . . . The internet was a wide open frontier then . . . Looking back now it seems as if waves of settlers have since bulldozed and developed every possible venue, leaving only the most difficult and gnarly specks for today’s newcomers . . . But, but . . . here is the thing. In terms of the internet, nothing has happened yet. The internet is still at the beginning of its beginning. If we could climb into a time machine and journey 30 years into the future, and from that vantage look back to today, we’d realize that most of the greatest products running the lives of citizens in 2044 were not invented until after 2014 . . . There has never been a better time [to start something on the internet] with more opportunities, more openings, lower barriers, higher benefit/risk ratios, better returns, greater upside, than now. Right now, this minute . . . It is the best time EVER in human history to begin. You are not late.”

Kevin Kelly at Medium. Read the whole thing.

08/5/2014: 

Evgeny Morozov on Internet.org – “Facebook’s Gateway Drug”

“[T]he ‘Internet’ in ‘Internet.org’ is not a natural resource that looks and costs the same everywhere based on its inherent features. It is a result of complex, controversial policy decisions over the use and ownership of communication infrastructure. These decisions follow years of lobbying and clever manipulation of national and international bodies by telecom operators, and are a direct consequence of various privatization and liberalization reforms in those countries. Facebook, because of its own long-term interest in expanding its advertising reach in the developing world, can make that Internet more accessible. But to accept its bargain is to abandon the fight to create different institutional arrangements — say, to rein in the power of telecom operators and provide cheaper, more equitable services.” — from Morozov’s OpEd in The New York Times

08/5/2014: 

Microsoft’s General Counsel on Privacy and Regulation

Brad Smith, executive vice president and general counsel at Microsoft, speaking at the Brookings Institution on “The Future of Global Technology, Privacy and Regulation” in light of the Snowden revelations.

“We need to recognize that we do need, in my opinion, a broad based legal and regulatory model when it comes to company use of personal information . . . . Imagine a bank that doesn’t take good care of its customers’ money. Do you think it has a bright future? What do you think of a tech company that doesn’t take good care of its customers’ information? I believe that over the long term the world will expect and even insist that we pay as much attention to the personal information of consumers as banks do to their money. And the sooner we get started on that, and the faster we come together to have [a] kind of broad based conversation . . . . . the more successful we will be.”


Total time: 1 hour, 30 minutes.
Brad Smith’s main presentation: 03:50 to 48:35
Moderator questions: 49:47 to 1:05:11
Audience questions: beginning 1:05:50

Related: Personal Privacy Is Only One of the Costs of NSA Surveillance – Wired:

“American firms in the cloud computing sector are feeling the pressure as consumers and corporate clients reconsider using third-party storage companies in the U.S. for their data. Companies like Dropbox and Amazon Web Services reportedly have lost business to overseas competitors like Artmotion, a Swiss hosting provider. The CEO of the European firm reported that within a month after the first revelations of NSA spying went public, his company’s business jumped 45 percent. Similarly, 25 percent of respondents in a survey of 300 British and Canadian businesses earlier this year said they were moving their data outside the US as a result of NSA spying. The Information Technology and Innovation Foundation has estimated that repercussions from the spying could cost the U.S. cloud computing industry some $22 to $35 billion over the next few years in lost business.”

08/1/2014: 

Recommended:

Cyber Law, Tech and Policy

  • Meet Executive Order 12333: The Reagan Rule that Lets the NSA Spy on Americans — John Napier Tye, former section chief for Internet freedom in the State Department’s Bureau of Democracy, Human Rights and Labor, in an OpEd at The Washington Post:

    “A legal regime in which U.S. citizens’ data receives different levels of privacy and oversight, depending on whether it is collected inside or outside U.S. borders, may have made sense when most communications by U.S. persons stayed inside the United States. But today, U.S. communications increasingly travel across U.S. borders — or are stored beyond them. For example, the Google and Yahoo e-mail systems rely on networks of ‘mirror’ servers located throughout the world. An e-mail from New York to New Jersey is likely to wind up on servers in Brazil, Japan and Britain. The same is true for most purely domestic communications. Executive Order 12333 contains nothing to prevent the NSA from collecting and storing all such communications — content as well as metadata — provided that such collection occurs outside the United States in the course of a lawful foreign intelligence investigation. No warrant or court approval is required, and such collection never need be reported to Congress. None of the reforms that Obama announced earlier this year will affect such collection. Without any legal barriers to such collection, U.S. persons must increasingly rely on the affected companies to implement security measures to keep their communications private. The executive order does not require the NSA to notify or obtain consent of a company before collecting its users’ data.”

  • Network Neutrality and Quality of Service: What a Non-Discrimination Rule Should Look Like – a new paper (pdf) by Stanford Law Professor Barbara Van Schewick.

  • Why the Security of USB Is Fundamentally Broken – Wired:

    “Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work. That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken.”

General Interest

08/1/2014: 

The Importance of Privacy

National security reporter, Barton Gellman, responding in a Washington Post Q&A to the question of why anyone should care about U.S. government surveillance if they have nothing to hide:

“Information is power. The US government (and US companies) now learn more about us than anyone has ever known about anyone, and secrecy prevents us from learning what they do. That puts us, in effect, behind a one way mirror. As a citizen who wants to hold my government to account, I find that troubling. I am not saying that the government is abusing the power it has accrued. Sometimes the scandal is what’s legal, especially if lawmakers and citizens had no reasonable opportunity to learn what the executive branch believed it was authorized to do. But abuse is not far behind us in our history. Spying on enemies was one of the Articles of Impeachment against Nixon, and the FBI’s Hoover died in the lifetime of many people still living. I don’t know whether I’ve ever met someone who truly has nothing to hide. If you think that’s you, post a link to everything on your phone, your computer, your email accounts and your web browsing and purchasing history. And even if you have no secrets, you’re probably in possession of the secrets of others — the friend who is going to leave her husband, or wants to find a new job, or just got diagnosed with something she does not want people to know about. Privacy is relational. We may tell things to our friends we don’t tell our parents or our kids, and so on. I want control of my own secrets, personal and professional. That’s the bottom line.”

Also worthwhile: Barton Gellman’s 2003 lecture at Princeton on Secrecy, Security and Self-Government: An Argument for Unauthorized Disclosures (transcript: Part I and Part II), as well as Conor Friedersdorf’s Why the Press Can Publish Any Classified Material It Likes in The Atlantic.

07/31/2014: 

Black Hole Sun

Blackest is the New Black: Scientists Develop a Material So Dark that You Can’t See It – The Independent: “A British company has produced a ‘strange, alien’ material so black that it absorbs all but 0.035 per cent of visual light, setting a new world record. To stare at the ‘super black’ coating made of carbon nanotubes – each 10,000 times thinner than a human hair – is an odd experience. It is so dark that the human eye cannot understand what it is seeing. Shapes and contours are lost, leaving nothing but an apparent abyss.”

A Fundamental Problem with the NSA’s Domestic Bulk Data Collection

NSA = J. Edgar Hoover On Steroids – The Big Picture:

“With a few hundred cable probes and computerized decryption, the NSA can now capture the kind of gritty details of private life that J. Edgar Hoover so treasured and provide the sort of comprehensive coverage of populations once epitomized by secret police like East Germany’s Stasi. And yet, such comparisons only go so far. After all . . . . J. Edgar Hoover still only knew about the inner-workings of the elite in one city: Washington, D.C. To gain the same intimate detail for an entire country, the Stasi had to employ one police informer for every six East Germans — an unsustainable allocation of human resources. By contrast, the marriage of the NSA’s technology to the Internet’s data hubs now allows the agency’s 37,000 employees a similarly close coverage of the entire globe with just one operative for every 200,000 people on the planet. In the Obama years, the first signs have appeared that NSA surveillance will use the information gathered to traffic in scandal, much as Hoover’s FBI once did.”

Read the whole thing. Domestic bulk data collected by the NSA confers immense power on those with access to it and will be prone to political (and financial) abuse. History demonstrates that the lure of such data for improper purposes will likely be irresistible. Hoover stayed in office for decades, aided in large part by the information the FBI had collected on the politicians of the day. Imagine what could be done with the data collected by the NSA.

07/16/2014: 

Recommended:

Cyber Law, Tech and Policy

“Arnbak and Goldberg said that the NSA could increase its surveillance of Americans by modifying overseas communications networks so that they would intercept data being transmitted between destinations inside the United States. As soon as the data passes through a foreign server, the NSA could legally monitor it, they said. ‘There are all sorts of things you can do to change the flow of traffic,’ Goldberg said.”

Internet traffic rerouting, swaps and sharing of intelligence with foreign intelligence services, etc. – all these loopholes serve to make vigorous Congressional and judicial oversight of permitted U.S. intelligence activities of prime importance. See also, by the paper’s authors, ‘Loopholes for Circumventing the Constitution’, the NSA Statement, and Our Response at Freedom to Tinker.

“’You should presume that someday, we will be able to make machines that can reason, think and do things better than we can,’ Google co-founder Sergey Brin said in a conversation with Khosla Ventures founder Vinod Khosla. To someone as smart as Brin, that comment is as normal as sipping on his super-green juice, but to someone who is not from this landmass we call Silicon Valley or part of the tech-set, that comment is about the futility of their future . . . . [T]he new machine age is already underway, unseen by us. ‘It is not really just a human world,’ said Sean Gourley, cofounder and CTO of Quid who points out that our connected world is producing so much data that it is beyond human cognitive abilities and machines are going to be part of making sense of it all. So the real question is what will we do and what should we — the technology industry and we the people do?”

General Interest

07/14/2014: 

The Latest on the EU’s “Right to Be Forgotten”

“[T]he incongruity of having Google – or any private party, for that matter – as a decision maker about rights. To place Google in that role is to diminish Europe’s sovereign power, not enhance it, even if the role is compelled by European authorities. It turns a rights problem into a customer service issue, and one that Google and others in its position no doubt rightly disdain. If Google can process 70,000 requests, so can and should the data protection authorities. And not every public decision needs the full, lawyer-heavy trial format to be sufficient to the cause – any more than Google is using it now. This would place decisions about rights in the public sphere where they belong, and limit the scope to the sovereign’s jurisdiction, so a European decision would still not affect use beyond the relevant country-specific Google portals.”

Professor Zittrain also puts forward the sensible proposal that redactions pursuant to the “right to be forgotten” be limited in duration, with claimants required to pursue renewals – after all, information not relevant today for public policy purposes could become so tomorrow.

“[T]he European court found that people have the right to ask for information to be removed from search results that include their names if it is ‘inadequate, irrelevant or no longer relevant, or excessive’. In deciding what to remove search engines must also have regard to the public interest. These are, of course, very vague and subjective tests . . . [W]e obviously respect the court’s authority and are doing our very best to comply quickly and responsibly. It’s a huge task, as we’ve had over 70,000 take-down requests covering 250,000 web pages since May. So we now have a team of people reviewing each application individually, in most cases with limited information and almost no context . . . When it comes to determining what’s in the public interest, we’re taking into account a number of factors. These include whether the information relates to a politician, celebrity or other public figure; if the material comes from a reputable news source, and how recent it is; whether it involves political speech; questions of professional conduct that might be relevant to consumers; the involvement of criminal convictions that are not yet ‘spent’; and if the information is being published by a government. But these will always be difficult and debatable judgments.”

“The issue with the ECJ judgement isn’t European privacy law, or the response by Google. The real problem is the impossibility of an accountable, transparent, and effective censorship regime in the digital age, and the inevitable collateral damage borne of any attempt to create one, even from the best intentions. The ECJ could have formulated a decision that would have placed Google under the jurisdiction of the EU’s data protection law, and protected the free speech rights of publishers. Instead, the court has created a vague and unappealable model, where Internet intermediaries must censor their own references to publicly available information in the name of privacy, with little guidance or obligation to balance the needs of free expression. That won’t work in keeping that information private, and will make matters worse in the global battle against state censorship.”