6,410 research outputs found

    FISA Reform

    Congress and the Executive Branch are poised to take up the issue of FISA reform in 2014. What has been missing from the discussion is a comprehensive view of ways in which reform could be given effect—i.e., a taxonomy of potential options. This article seeks to fill the gap. The aim is to deepen the conversation about abeyant approaches to foreign intelligence gathering, to allow fuller discussion of what a comprehensive package could contain, and to place initiatives that are currently under consideration within a broader, over-arching framework. The article begins by considering the legal underpinnings and challenges to the President's Surveillance Program. It then examines how technology has altered the types of information available, as well as methods of transmission and storage. The article builds on this to develop a taxonomy for how a statutory approach to foreign intelligence gathering could be given force. It divides foreign intelligence gathering into two categories: front-end collection and back-end analysis and use. Each category contains a counterpoise structured to ensure the appropriate exercise of Congressionally-mandated authorities. For the front-end, this means balancing the manner of collection with requirements for approval. For the back-end, this means offsetting implementation with transparency and oversight. The article then considers the constituent parts of each category

    The Federal Information Security Management Act of 2002: A Potemkin Village

    Due to the daunting possibilities of cyberwarfare, and the ease with which cyberattacks may be conducted, the United Nations has warned that the next world war could be initiated through worldwide cyberattacks between countries. In response to the growing threat of cyberwarfare and the increasing importance of information security, Congress passed the Federal Information Security Management Act of 2002 (FISMA). FISMA recognizes the importance of information security to the national economic and security interests of the United States. However, this Note argues that FISMA has failed to significantly bolster information security, primarily because FISMA treats information security as a technological problem and not an economic problem. This Note analyzes existing proposals to incentivize heightened software quality assurance, and proposes a new solution designed to strengthen federal information security in light of the failings of FISMA and the trappings of Congress’s 2001 amendment to the Computer Fraud and Abuse Act

    “As Usual, I Needed Assistance of a Seeing Person”: Experiences and Challenges of People with Disabilities and Authentication Methods

    According to the World Health Organization, about 16% of the world’s population live with a disability. While they could benefit from digital products and services, users with disabilities often face severe accessibility issues: tasks can only be completed with difficulty, a considerable investment of time, or with assistance of technologies or other people. Further, to access these products and services, they need to authenticate. The accessibility of authentication methods for users with disabilities has not been studied in depth. We use an accessible study design to conduct 13 semi-structured interviews with people with physical, hearing, visual, cognitive, or multiple impairments to better understand the accessibility issues they face when using knowledge- or token-based, and biometric authentication. Our qualitative content analysis shows that none of the commonly available authentication methods is fully accessible to participants, causing them to abandon services or develop workarounds that reduce their own security and privacy. Our results also reveal the role of assistive technologies and human assistants in the authentication experience of users with disabilities. We conclude by encouraging fellow researchers and practitioners to reflect on assisted access when designing security mechanisms, to include people with disabilities using accessible study designs, and to keep in mind that accessible security is about more than usability – to further benefit users without disabilities as well

    Cyber-Democracy or Cyber-Hegemony? Exploring the Political and Economic Structures of the Internet as an Alternative Source of Information

    Although government regulation of the Internet has been decried as undercutting free speech, the control of Internet content through capitalist gateways—namely, profit-driven software companies—has gone largely uncriticized. The author argues that this discursive trend manufactures consent through a hegemonic force neglecting to confront the invasion of online advertising or marketing strategies directed at children. This study suggests that “inappropriate content” (that is, nudity, pornography, obscenities) constitutes a cultural currency through which concerns and responses to the Internet have been articulated within the mainstream. By examining the rhetorical and financial investments of the telecommunications business sector, the author contends that the rhetorical elements creating “cyber-safety” concerns within the mainstream attempt to reach the consent of parents and educators by asking them to see some Internet content as value laden (sexuality, trigger words, or adult content), while disguising the interests and authority of profitable computer software and hardware industries (advertising and marketing). Although most online “safety measures” neglect to confront the emerging invasion of advertising/marketing directed at children and youth, the author argues that media literacy in cyberspace demands such scrutiny. Unlike measures to block or filter online information, students need an empowerment approach that will enable them to analyze, evaluate, and judge the information they receive.

    TikTok Might Stop: Why the IEEPA Cannot Regulate Personal Data Privacy and the Need for a Comprehensive Solution

    In August 2020, President Trump announced a ban on the popular app TikTok, citing the risk that TikTok could be sharing Americans’ personal data with the Chinese government. In doing so, President Trump used his powers under the International Emergency Economic Powers Act (IEEPA), which authorizes Presidents to impose economic sanctions in the face of a national emergency. Associating TikTok’s data mining practices with a national emergency raises interesting questions about the governance of our personal data: is there a national security risk and if so, how should data be protected? This Note argues that ineffective personal data privacy regulation poses a grave national security risk—namely, that our data could be misused by hostile actors. However, protection of personal data cannot be successfully implemented through ad hoc maneuvering under IEEPA. Instead, effective protection requires comprehensive legislation that addresses what data may be collected and what companies can do with it

    Closing the Data Gap: Protecting Biometric Information Under the Biometric Information Privacy Act and the California Consumer Protection Act

    (Excerpt) Between May and June of 2014, Stacy Rosenbach bought her son, Alexander, a Six Flags season pass online. She submitted Alexander’s personal information and read that Alexander would complete the sign-up process at the park. No details described what the sign-up process would entail. After showing his online receipt at Six Flags, Alexander was brought to an office to provide the customary thumb scan. Alexander’s thumb scan, along with the season pass card, was required to permit him to enter the various rides. He was not given any information about how his thumb scan would be stored or used after his season pass expired. Alexander—a fourteen-year-old boy—thought nothing of this process and voluntarily gave Six Flags his thumb scan. Mrs. Rosenbach, on the other hand, was shocked to learn of this scan when Alexander returned home. After Mrs. Rosenbach asked Alexander for the paperwork from the season pass, he told her Six Flags “did ‘it all by fingerprint now.’ ” Although Alexander never returned to Six Flags, Six Flags kept his biometric information. Curiously, Six Flags has not revealed how long it planned to keep Alexander’s thumb scan or how it planned to use it

    Fighting Cybercrime After United States v. Jones

    In a landmark non-decision last term, five Justices of the United States Supreme Court would have held that citizens possess a Fourth Amendment right to expect that certain quantities of information about them will remain private, even if they have no such expectations with respect to any of the information or data constituting that whole. This quantitative approach to evaluating and protecting Fourth Amendment rights is certainly novel and raises serious conceptual, doctrinal, and practical challenges. In other works, we have met these challenges by engaging in a careful analysis of this “mosaic theory” and by proposing that courts focus on the technologies that make collecting and aggregating large quantities of information possible. In those efforts, we focused on reasonable expectations held by “the people” that they will not be subjected to broad and indiscriminate surveillance. These expectations are anchored in Founding-era concerns about the capacity for unfettered search powers to promote an authoritarian surveillance state. Although we also readily acknowledged that there are legitimate and competing governmental and law enforcement interests at stake in the deployment and use of surveillance technologies that implicate reasonable interests in quantitative privacy, we did little more. In this Article, we begin to address that omission by focusing on the legitimate governmental and law enforcement interests at stake in preventing, detecting, and prosecuting cyber-harassment and healthcare fraud

    On the Security of Bluetooth Low Energy in Two Consumer Wearable Heart Rate Monitors/Sensing Devices

    Since its inception in 2013, Bluetooth Low Energy (BLE) has become the standard for short-distance wireless communication in many consumer devices, as well as special-purpose devices. In this study, we analyze the security features available in Bluetooth LE standards and evaluate the features implemented in two BLE wearable devices (a Fitbit heart rate wristband and a Polar heart rate chest wearable) and a BLE keyboard to explore which security features in the BLE standards are implemented in the devices. In this study, we used the ComProbe Bluetooth Protocol Analyzer, along with the ComProbe software to capture the BLE traffic of these three devices. We found that even though the standards provide security mechanisms, because the Bluetooth Special Interest Group does not require that manufacturers fully comply with the standards, some manufacturers fail to implement proper security mechanisms. The circumvention of security in Bluetooth devices could leak private data that could be exploited by rogue actors/hackers, thus creating security, privacy, and, possibly, safety issues for consumers and the public. We propose the design of a Bluetooth Security Facts Label (BSFL) to be included on a Bluetooth/BLE enabled device’s commercial packaging and conclude that there should be better mechanisms for informing users about the security and privacy provisions of the devices they acquire and use and to educate the public on protection of their privacy when buying a connected device