Civil Liberties and Privacy Implications of Policies to Prevent Cyberattacks--Robert Gellman
Pages 273-310

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 273...
... For example, a requirement that Internet Service Providers (ISPs) retain data about a user's Internet activities raises concerns under the First Amendment, Fourth Amendment, privacy, and due process.
From page 274...
... • why the surveillance is being conducted (for law enforcement, national security, foreign intelligence, or private purposes) • whether the target of the surveillance is a U.S.
From page 275...
... The conclusion in Miller with its broad implication that an individual has no expectation of privacy in any record held by a third party12 is an ever-increasing concern to civil libertarians and privacy advocates because most records of an individual's existence -- and especially an individual's Internet activities -- are held by third parties. ECPA partly curbs the effect of Miller by establishing rules and procedures that limit the ability of the government to obtain electronic communications.
From page 276...
... revise the principle that there is no privacy interest in records held by third parties will determine both the scope of that privacy interest and the ease with which government investigators can obtain personal and business records held by third parties. Any expansion of the privacy rights of data subjects with respect to records held by ISPs and other third party record keepers could affect the conduct of cyberattack prevention and investigation activities by creating substantive or procedural barriers to government acquisition of information about Internet activities.
From page 277...
... For example, a data retention requirement for Internet activities could entail the storage of information about electronic mail that could include data about the sender, recipient, header, attachment, content, and more. The retained data could be available to criminal or civil law enforcement, intelligence agencies, or private litigants after a showing of probable cause, reasonable cause, relevance, or another standard.
From page 278...
... For example, U.S. law allows for the use of pen registers that record dialed numbers without a search warrant.22 The Stored Communications Act allows the government to order a provider of wire, electronic communication services, or remote computing services, to preserve records and other evidence in its possession pending the issuance of a court order or other process.23 The Bank Secrecy Act requires banks to keep records of various transactions, including some cash activities and, effectively, all checks.24 The Supreme Court upheld the law in 1974 as a valid exercise of federal power under the Commerce Clause.25 The distinction that the law makes for Fourth Amendment purposes between content and non-content has increasingly been the subject of litigation under ECPA but litigation remains, in the words of a leading Fourth Amendment scholar, "remarkably sparse."26 The step-by-step analogies that the courts have used to move legal reasoning from postal mail to telephone calls begin to break down when it comes to Internet activities because the content vs.
From page 279...
... 29 Robert Gellman, Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing at 17 (World Privacy Forum, 2009), available at http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf; accessed April 20, 2010.
From page 280...
... 34 Because of the international scope of cyberattacks, any inquiry must consider other law that establishes diminished Fourth Amendment protections in international matters. The Foreign Intelligence Surveillance Act establishes lower standards for conducting surveillance in cases involving agents of a foreign power or a foreign terrorist group.
From page 281...
... The same principles may apply when the reasons for seeking termination of Internet access relate to cyberattack prevention. It may be possible to argue in some cases that immediate threats to critical infrastructure would justify a different or lesser set of due process procedures prior to termination of Internet access rights.40 Regardless, any rules or procedures with the potential to deny an individual access to the Internet will be controversial and the subject of considerable scrutiny on constitutional or legal grounds.
From page 282...
... 3. Restraining Publication of Security Information One method that may be relevant to preventing cyberattacks is to limit or prevent the publication of information about vulnerabilities of computer systems, whether the information is held by govern 42 Jonathan Turley, Registering Publius: The Supreme Court and the Right to Anonymity, Cato Supreme Court Review (2001-02)
From page 283...
... Contracts that require government employees not to publish any information without pre-publication review by the government offer one approach. In the leading case, the Supreme Court upheld a contract signed by an employee of the Central Intelligence Agency that imposed the restriction as a condition for access to classified information.
From page 284...
... The Supreme Court upheld the Children's Internet Protection Act,58 a law that tied certain federal financial assistance to a library to a policy of Internet safety for minors that includes the operation of filtering technology to protect against access to material that is obscene, child pornography, or harmful to minors. 59 There is no specific precedent upholding statutory limitations on publication of cybersecurity information on the same basis as Atomic Energy restricted data or in a manner analogous to allowable controls on obscenity.
From page 285...
... Registrants who want anonymity to avoid identification and possible harassment and registrants who merely want to shield their personal information from marketers and other secondary users of their information would object. The conflicts over the privacy of the WHOIS database have raged for some time, involve privacy laws in other countries, and will require international coordination.
From page 286...
... For a short history of FIPs and some of the many variations of FIPs, see Robert Gellman, Fair Information Practices: A Basic History, http://bobgellman.com/rg-docs/rg-FIPshistory.pdf; accessed March 26, 2010.
From page 287...
... Other Aspects, http://www.justice.gov/opcl/1974definitions.htm#aspects; accessed March 26, 2010. 76 Whether IP addresses or even email addresses constitute personal information under the Act is not resolved.
From page 288...
... The Act establishes general rules governing the use and disclosure of personal information.84 The broad policy that the Act attempts to implement is that information collected for one purpose may not be used for another purpose without notice to or the consent of the subject of the record. However, this policy has so many exceptions, some the result of later enacted laws, that the relevance of the general principle is questionable.
From page 289...
... The effectiveness of the routine use provision as a protection against expansive uses of personal information has been questioned for years. If the Congress or the President established deterrence of cyberattacks as a purpose of the federal government, then agency sharing of personal information would be allowable under the Act pursuant to a routine use.89 Conceivably, if the charge were broad enough and the identity theft example were used as a model, every system of records in the federal government could include a routine use allowing disclosures for deterrence of cyberattacks.
From page 290...
... The specific exemptions are available for record systems that contain seven categories of records, of which only three are potentially relevant to cybersecurity. One exemption is for a system of records that has information classified for national defense or foreign policy reasons.99 Another is for investigatory material compiled for law enforcement purposes (other than material subject to the general criminal law enforcement purposes)
From page 291...
... The routine collection and maintenance of personal information about the Internet activities of individuals in the absence of a specific law enforcement investigation would raise questions about the scope of the activity and the corresponding obligations regarding the maintenance, use, and disclosure of the information. Obviously, the limitations of the Fourth Amendment and of surveillance statutes would be highly relevant here, establishing procedures and standards for some government actions.
From page 292...
... To the extent that cybersecurity activities involve the transfer of personal information across national borders, foreign data protection laws may impose some barriers on the export of data to the United States. 109 The best example comes from the European Union, where the EU Data Protection Directive establishes rules for the transfer of personal data to third countries.110 The general standard allows data exports to third countries that ensure an adequate level of protection.111 The EU has not made any determination whether the United States generally meets this standard, and it is unlikely to do so.
From page 293...
... Microsoft's chief research and technology officer recently suggested licensing individuals, machines, and programs using the Internet as a response to the crime, fraud, spying, and other unwelcome Internet activities that have become commonplace. 115 Some type of Internet licensing scheme may have application for cyberattack prevention.
From page 294...
... SF 86 requires the applicant to authorize broadly the disclosure of information from third parties, including employers, schools, landlords, financial institutions, criminal justice agencies, healthcare providers, retail business establishments, and others. The security clearance process operates subject to the Privacy Act of 1974,120 a law that provides a reasonably full set of fair information practices.
From page 295...
... , the layers of review and the rights to appeal are designed to address the possibility of bias or unfairness. While it would be too strong to suggest that there is no concern at all about the due process protections of the security clearance process, it is probably fair to suggest that the existing procedures are not so unbalanced as to raise significant public concerns or to cause ongoing debates.
From page 296...
... For a summary of the law from the non-partisan National Conference of State Legislatures, see http://www.ncsl.org/IssuesResearch/Transportation/RealIDActof2005Summary/tabid/13579/Default.aspx; accessed March 15, 2010. The Driver's Privacy Protection Act (DPPA)
From page 297...
... 129 For a summary of various REAL ID cost estimates, see National Conference of State Legislatures, REAL ID Cost Estimates, available at http://www.ncsl.org/Default.aspx?TabId=13578; accessed March 15, 2010.
From page 298...
... and issuing a set of privacy and security best practices that are built on the Fair Information Principles and Federal Information Security Management Act 133 (FISMA) standards to help guide the states in protecting the information collected, stored, and maintained pursuant to the REAL ID; and (5)
From page 299...
... § 44903. TSA's 2008 Privacy Impact Assessment for the Secure Flight Program is available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_secureflight2008.pdf; accessed March 15, 2010.
From page 300...
... While Secure Flight is not quite a real-time clearance, it can be close to that. Normally, 139 http://www.dhs.gov/xlibrary/assets/pnr-2007agreement-usversion.pdf; accessed March 15, 2010.
From page 301...
... The federal government is already exploring and implementing identity, credentialing, and access management systems to provide a consistent approach for clearing and managing individuals requiring access to federal information systems and facilities.143 Identification and authorization systems can be unremarkable from a privacy and civil liberties perspective, but they can also raise a host of questions depending on the standards used, due process procedures, scope of application, and data collected and retained. These same issues can arise with any type of identification or licensing system.
From page 302...
... Despite their widespread de facto use as general-purpose identifiers, drivers' licenses were not as controversial until the REAL ID Act sought to alter the process of issuance, mandated collection and maintenance of more personal information, and established requirements and potential for its use that extended beyond established norms. The 1994 Driver's Privacy Protection Act addressed some of the privacy concerns that surrounded the marketing and other secondary uses of drivers' information.
From page 303...
... Some may raise civil liberties or privacy concerns, but private sector activities will fall outside most constitutional and statutory protections. However, if a citizen must have some form of identification or authorization in order to communicate or conduct ordinary, non-national security business with a government agency, the argument about the propriety of the identification requirement would turn in part on the nature of the communication or the business at issue.
From page 304...
... 149 In all of these cases, whether or not an Internet prerequisite violated a constitutional standard, it is nevertheless the case that civil liberties, due process, and privacy would be affected by the rules and procedures that attach to the prerequisite, by the process for issuing the identification, by the amount of personal information collected and maintained, and by the secondary uses for the information. Even with privately issued identification, some or all of these issues would arise, whether or not a public or private network relied on the identification.
From page 305...
... , a 1994 law intended to "to make clear a telecommunications carrier's duty to cooperate in the interception of communications for law enforcement purposes, and for other purposes." 155 The law requires telecommunications carriers and manufacturers of telecommunications transmission and switching equipment to ensure that equipment, facilities, and services allow the government to isolate and intercept all wire and electronic communications. Essentially, CALEA forces telecommunications 150 See generally 42 U.S.C.
From page 306...
... The global nature of the Internet and the presence of multiple and potentially overlapping regulatory regimes raise other vexing questions. These include the extent to which any national government could impose or seek to impose requirements on Internet users in other countries or users crossing borders, whether their own citizens or others, that would affect privacy or civil liberties.
From page 307...
... The same information could also be used by government for other purposes that may affect privacy or civil liberties interests. 158 See NextAdvisor, Inside the Internet's Financial Black Markets -- How Identity Thieves Buy and Sell Your Personal Information Online, http://www.nextadvisor.com/blog/2008/09/16/inside-the-internets-financial-black-markets-%E2%80%93-how-identitythieves-buy-and-sell-your-personal-information-online/; accessed July 2, 2010.
From page 308...
... § 1030. 161 See, e.g., the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00, available at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf; accessed March 15, 2010, and the implementing regulations at 201 CMR 17.00, available at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf, accessed August 30, 2010.
From page 309...
... It is not apparent in the abstract that any of these would necessarily raise significant civil liberties or privacy concerns, although civil liability can raise constitutional questions about violations of the Due Process Clause by grossly excessive or arbitrary punishments.174 The use of incentives to induce the private sector to adopt protections that the federal government could not impose directly has the potential to be controversial.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.