The Investigative Dynamics of the Use of Malware by Law Enforcement

The police have started to use malware—and other forms of government hacking—to solve crimes. Some fear coming abuses—the widespread use of malware when traditional investigative techniques would work just as well or to investigate political opponents or dissident speakers. This Article argues that these abuses will be checked, at least in part, by the very nature of malware and the way it must be controlled. This analysis utilizes a previously unformalized research methodology called “investigative dynamics” to come to these conclusions. Because every use of malware risks spoiling the tool—by revealing a software vulnerability that can be patched—the police will always encounter constraints and disincentives to widespread and unchecked use. These constraints will operate much like so-called legislative “superwarrant” requirements, which some have urged Congress to enact for malware. The investigative dynamics of malware suggest that Congress could follow this advice without disrupting police conduct in any significant measure

What the Surprising Failure of Data Anonymization Means for Law and Policy

Paul Ohm is an Associate Professor of Law at the University of Colorado Law School. He writes in the areas of information privacy, computer crime law, intellectual property, and criminal procedure. Through his scholarship and outreach, Professor Ohm is leading efforts to build new interdisciplinary bridges between law and computer science. Before becoming a law professor, Professor Ohm served as a federal prosecutor for the U.S. Department of Justice in the computer crimes unit. Before law school, he worked as a computer programmer and network systems administrator

Regulating Software When Everything Has Software

This Article identifies a profound, ongoing shift in the modern administrative state: from the regulation of things to the regulation of code. This shift has and will continue to place previously isolated agencies in an increasing state of overlap, raising the likelihood of inconsistent regulations and putting seemingly disparate policy goals, like privacy, safety, environmental protection, and copyright enforcement, in tension. This Article explores this problem through a series of case studies and articulates a taxonomy of code regulations to help place hardware-turned-code rules in context. The Article considers the likely turf wars, regulatory thickets, and related dynamics that are likely to arise, and closes by considering the benefits of creating a new agency with some degree of centralized authority over software regulation issues