93 research outputs found
Ethics in Security Vulnerability Research
Debate has arisen in the scholarly community, as well as among policymakers and business entities, regarding the role of vulnerability researchers and security practitioners as sentinels of information security adequacy. The exact definition of vulnerability research and who counts as a "vulnerability researcher" is a subject of debate in the academic and business communities. For purposes of this article, we presume that vulnerability researchers are driven by a desire to prevent information security harms and engage in responsible disclosure upon discovery of a security vulnerability. Yet provided that these researchers and practitioners do not themselves engage in conduct that causes harm, their conduct doesn't necessarily run afoul of ethical and legal considerations. We advocate crafting a code of conduct for vulnerability researchers and practitioners, including the implementation of procedural safeguards to ensure minimization of harm
Generation C: Childhood, Code, and Creativity
The article presents information on the impact of technology on children and the inability of law to address the resulting challenges. The need to control the digital space and the tensions related to the unsustainability of data privacy, information security and free speech are discussed. Digital commercialization, childhood privacy and entrepreneurship in adulthood are also discussed.
Resilience: Building Better Users and Fair Trade Practices in Information
Symposium: Rough Consensus and Running Code: Integrating Engineering Principles into Internet Policy Debates, held at the University of Pennsylvania's Center for Technology Innovation and Competition on May 6-7, 2010.
In the discourse on communications and new media policy, the average consumer, the user, is frequently eliminated from the equation. This Article presents an argument rooted in developmental psychology theory regarding the ways that users interact with technology and the resulting implications for data privacy law. Arguing in favor of a user-centric construction of policy and law, the Author introduces the concept of resilience. The concept of resilience has long been discussed in terms of the structure of technology systems themselves; but the resilience of the human users of these systems, though equally if not more important to their functioning, has been neglected. The goal of fostering user resilience should be explicitly included in the discourse on technology policy with respect to data privacy and information security; a base of resilient users is an essential building block for the long run of a trusted marketplace in information technology products. Contract law reflects a long-standing consideration of resilience concerns and offers promising avenues for building better users.
Silicon Ceilings: Information Technology Equity, the Digital Divide and the Gender Gap among Information Technology Professionals
Technoconsen(t)sus
This Article proposes to ease doctrinal noise in consent through creating an objective “reasonable digital consumer” standard based on empirical testing of real consumers. In a manner similar to the way in which courts assess actual consumer confusion in trademark law, digital user agreements can be tested for legal usability. Specifically, a particular digital agreement would be deemed to withstand an unconscionability challenge only to the extent that a drafter can demonstrate a “reasonable digital consumer” is capable of meaningfully understanding its terms and presentation. Part I of this Article introduces the challenges computer code presents to consent in the intellectual property space using the example of security-invasive DRM. It briefly describes DRM as a common business strategy for preemptively enforcing intellectual property rights. It then explains the negative consequences of this strategy for the information security of businesses, governments, and consumers. One of these negative consequences is industry confusion regarding the ethical norms of acceptable technology business conduct. Part II examines legal code and consent, placing the norm confusion described in Part I in legal context. This section describes the strain that the emergence of security-invasive DRM has placed on copyright law, computer intrusion law, and contract law in the United States. This tension forces us to come to terms with the preexisting problems of contractual consent and form contracts in a digital context. Current doctrinal construction of digital consent has analyzed user agreements only on grounds related to procedural unconscionability. This approach is flawed as a matter of contract doctrine: procedural and substantive unconscionability must be analyzed simultaneously under either Williston’s or Corbin’s standard of unconscionability. Either of these two approaches would correctly assess as unconscionable many current user agreements. 
Finally, Part III discusses the organizational code emerging at the intersection of computer code and legal code in digital contracting. It posits one possible legal approach to reconstructing meaningful consent in digital contracts in order to solve the problems of unconscionability discussed in Part II—generating an empirical objective “reasonable digital consumer” standard by looking to trademark law. Trademark case law offers well-established methods for determining whether a “reasonable” consumer is confused by a particular trademark or practice; these cases employ empirical testing by experts using real consumers. Importing this “legal usability testing” into digital contracting would benefit both users and content owners through creating predictability of legal outcome. Similarly, a reasonable digital consumer standard leverages the naturally occurring “hubs” of understanding that both courts and content owners seek to generate through form contracts. The proposed method strikes a successful balance between customization and standardization by using the real understandings of users. It also allows for evolution of these understandings over time as users’ familiarity with technology, and technology itself, advances
CYBER!
This Article challenges the basic assumptions of the emerging legal area of “cyber” or “cybersecurity.” It argues that the two dominant “cybersecurity” paradigms—information sharing and deterrence—fail to recognize that corporate information security and national “cybersecurity” concerns are inextricable. This problem of “reciprocal security vulnerability” means that in practice our current legal paradigms channel us in suboptimal directions. Drawing insights from the work of philosopher of science Michael Polanyi, this Article identifies three flaws that pervade the academic and policy analysis of security, exacerbating the problem of reciprocal security vulnerability—privacy conflation, incommensurability, and internet exceptionalism. It then offers a new paradigm—reciprocal security. Reciprocal security reframes information security law and policy as part of broader security policy, focusing on two key elements: security vigilance infrastructure and defense primacy. The Article concludes by briefly introducing five sets of concrete legal and policy proposals embodying the new reciprocal security paradigm
Organizational Code: A Complexity Theory Perspective on Technology and Intellectual Property Regulation
