Open Access. Powered by Scholars. Published by Universities.®

Law Commons

Articles 1 - 20 of 20

Full-Text Articles in Law

Platforms, Encryption, And The CFAA: The Case Of WhatsApp V NSO Group, Jonathon Penney, Bruce Schneier Jan 2022

Articles, Book Chapters, & Popular Press

End-to-end encryption technology has gone mainstream. But this wider use has led hackers, cybercriminals, foreign governments, and other threat actors to employ creative and novel attacks to compromise or work around these protections, raising important questions as to how the Computer Fraud and Abuse Act (CFAA), the primary federal anti-hacking statute, is best applied to these new encryption implementations. Now, after the Supreme Court recently narrowed the CFAA’s scope in Van Buren and suggested it favors a code-based approach to liability under the statute, understanding how best to theorize sophisticated code-based access barriers like end-to-end encryption, and their circumvention, is now …


Fixing What’s Broken: The Outdated Guidelines Of The SCA And Its Application To Modern Information Platforms, Lutfi Barakat Jan 2021

Touro Law Review

In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to afford privacy protections to electronic communications and it has not changed since its inception. The ECPA has proven problematic as technology has advanced, but Congress has not modified the law to reflect this change. Courts have struggled to apply the law to both old technologies that have been updated and new technologies that have emerged. The ECPA needs to be revised to reflect the new advances in technology or be repealed and replaced with a new approach. This will ensure that consumer data will be safeguarded while in the …


Keeping The Zombies At Bay: Fourth Amendment Problems In The Fight Against Botnets, Danielle Potter Oct 2020

Washington and Lee Journal of Civil Rights and Social Justice

You may not have heard of a botnet. If you have, you may have linked it to election shenanigans and nothing else. But if you are reading this on a computer or smartphone, there is a good chance you are in contact with a botnet right now.

Botnets, sometimes called “Zombie Armies,” are networks of devices linked by a computer virus and controlled by cybercriminals. Botnets operate on everyday devices owned by millions of Americans, and thus pose a substantial threat to individual device owners as well as the nation’s institutions and economy.

Accordingly, the United States government has been …


Exploring Lawful Hacking As A Possible Answer To The "Going Dark" Debate, Carlos Liguori May 2020

Michigan Technology Law Review

The debate on government access to encrypted data, popularly known as the “going dark” debate, has intensified over the years. On the one hand, law enforcement authorities have been pushing for mandatory exceptional access mechanisms on encryption systems in order to enable criminal investigations of both data in transit and at rest. On the other hand, both technical and industry experts argue that this solution compromises the security of encrypted systems and, thus, the privacy of their users. Some claim that other means of investigation could provide the information authorities seek without weakening encryption, with lawful hacking being one of …


Transnational Government Hacking, Jennifer C. Daskal Jan 2020

Joint PIJIP/TLS Research Paper Series

No abstract provided.


Bytes Bite: Why Corporate Data Breaches Should Give Standing To Affected Individuals, Caden Hayes Mar 2019

Washington and Lee Journal of Civil Rights and Social Justice

High-profile data hacks are not uncommon. In fact, according to the Privacy Rights Clearinghouse, there have been at least 7,961 data breaches, exposing over 10,000,000,000 accounts in total, since 2005. These shocking numbers are not particularly surprising when taking into account the value of information stolen. For example, cell phone numbers, as exposed in a Yahoo! hack, are worth $10 a piece on the black market, meaning the hackers stood to make $30,000,000,000 from that one hack. That dollar amount does not even consider copies the hackers could make and later resell. Yet while these hackers make astronomical payoffs, the …


Is Tricking A Robot Hacking?, Ryan Calo, Ivan Evtimov, Earlence Fernandes, Tadayoshi Kohno, David O'Hair Jan 2018

Tech Policy Lab

The authors of this essay represent an interdisciplinary team of experts in machine learning, computer security, and law. Our aim is to introduce the law and policy community within and beyond academia to the ways adversarial machine learning (ML) alter the nature of hacking and with it the cybersecurity landscape. Using the Computer Fraud and Abuse Act of 1986—the paradigmatic federal anti-hacking law—as a case study, we mean to evidence the burgeoning disconnect between law and technical practice. And we hope to explain what is at stake should we fail to address the uncertainty that flows from the prospect that …


Civil Liberty Or National Security: The Battle Over iPhone Encryption, Karen Lowell Mar 2017

Georgia State University Law Review

On June 5, 2013, Edward Snowden released what would be the first of many documents exposing the vast breadth of electronic surveillance the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) had been conducting on millions of United States citizens. Although the federal agencies had legal authority under the Foreign Intelligence Surveillance Act (FISA) to collect metadata from companies such as Verizon, many Americans considered this data collection to be a massive invasion of privacy.

Equipped with the knowledge of sweeping domestic surveillance programs, citizens and technology firms fighting for strong privacy and security protection, have started …


Making Democracy Harder To Hack, Scott Shackelford, Bruce Schneier, Michael Sulmeyer, Anne Boustead, Ben Buchanan, Amanda N. Craig Deckard, Trey Herr, Jessica Malekos Smith Jan 2017

University of Michigan Journal of Law Reform

With the Russian government hack of the Democratic National Convention email servers and related leaks, the drama of the 2016 U.S. presidential race highlights an important point: nefarious hackers do not just pose a risk to vulnerable companies; cyber attacks can potentially impact the trajectory of democracies. Yet a consensus has been slow to emerge as to the desirability and feasibility of reclassifying elections—in particular, voting machines—as critical infrastructure, due in part to the long history of local and state control of voting procedures. This Article takes on the debate—focusing on policy options beyond former Department of Homeland Security Secretary …


Trending @ RWU Law: Linn F. Freedman's Post: The Goal Of Gender Equality In Cybersecurity 08/23/2016, Linn F. Freedman Aug 2016

Law School Blogs

No abstract provided.


A Code-Based Approach To Unauthorized Access Under The Computer Fraud Abuse Act, Patricia L. Bellia Jan 2016

Journal Articles

Thirty years ago, Congress passed the Computer Fraud and Abuse Act (CFAA) to combat the emerging problem of computer crime. The statute’s core prohibitions targeted one who “accesses” a computer “without authorization” or who “exceeds authorized access.” Over time, incremental statutory changes and large-scale technical changes have dramatically expanded the potential scope of the CFAA. The question of what constitutes unauthorized access has taken on far greater significance than it had thirty years ago, and courts remain deeply divided on this question. This Article explores the text, purpose, and history of the CFAA, as well as a range of normative …


Silencing The Call To Arms: A Shift Away From Cyber Attacks As Warfare, Ryan Patterson Apr 2015

Loyola of Los Angeles Law Review

Cyberspace has developed into an indispensable aspect of modern society, but not without risk. Cyber attacks have increased in frequency, with many states declaring cyber operations a priority in what has been called the newest domain of warfare. But what rules govern? The Tallinn Manual on the International Law Applicable to Cyber Warfare suggests existent laws of war are sufficient to govern cyber activities; however, the Tallinn Manual ignores fundamental problems and unique differences between cyber attacks and kinetic attacks. This Article argues that several crucial impediments frustrate placing cyber attacks within the current umbra of warfare, chiefly the problems …


Hacking The Anti-Hacking Statute: Using The Computer Fraud And Abuse Act To Secure Public Data Exclusivity, Nicholas A. Wolfe Mar 2014

Nicholas A Wolfe

Work smarter, not harder. Perhaps no other saying better captures the era of hyper-productivity and automation in which we live. Titles such as ‘Top Ten Hacks to Avoid Paywalls,’ ‘Five ways You’re Wasting Your time,’ and ‘One Weird Trick’ fly across our computer screens on a commoditized basis. [1] These tips and tricks help us automate our lives and get more done, faster. Better living through automation. However, as these shortcut solutions get better and automation advances, a question arises. When does working smarter cross the line into cheating?

The Computer Fraud and Abuse Act was designed to draw this …


Public School Governance And Cyber Security: School Districts Provide Easy Targets For Cyber Thieves, Michael A. Alao Mar 2014

Michael A. Alao

School districts rely on information systems to a similar extent as private, business organizations, yet the rules and regulations to ensure that school districts maintain adequate security to prevent data breaches and theft have failed to keep pace with private-sector developments. Advances in the private sector include notice-of-breach laws, consumer protection laws limiting individual liability for fraudulent electronic funds transfers, and auditing and reporting of internal controls. The public sector, including school districts, has also made advances in cyber security rules and regulations, but to a more limited extent than the private sector. Because of the sheer number of public …


Book Review Of Hacking: The Next Generation (Written By Nitesh Dhanjani, Billy Rios & Brett Hardin), Katina Michael Jun 2012

Professor Katina Michael

Hacking: The Next Generation demonstrates just how hackers continue to exploit “back doors”. New ways of working and new ways of communicating have meant that the number of attack vectors continue to rise rapidly. This provides hackers with a greater number of opportunities to penetrate systems using blended approaches while organizations struggle to come up to speed with the latest technology developments and commensurate security capabilities. Dealing with anticipated threats is a lot harder than dealing with known threats.


Deception Absent Duty: Computer Hackers & Section 10(B) Liability, Brian A. Karol Jul 2011

University of Miami Business Law Review

No abstract provided.


Data Collection And Leakage, Philip Howard, Kris Erickson Jun 2009

Chicago-Kent Law Review

Every year millions of digital records containing personally identifiable information are exposed. When are malicious hackers to blame, and when is it organizational malfeasance? Which kinds of organizations—private firms, government agencies, or educational institutions—lose the most data? With over 1.9 billion records lost (on average that's 9 records per U.S. adult), a surprising number of breaches can be attributed to organizational practices.


Trade Secrets, Data Security And Employees, Elizabeth Rowe Jun 2009

Chicago-Kent Law Review

This essay argues that data security is important to the protection of trade secret information, and that trusted employees on the inside pose the biggest threat to the protection of trade secrets. While investments in technical measures such as firewalls and encryption are important, it is also necessary for companies to consider the internal threats from employees when creating corporate security programs. Ultimately, a more comprehensive approach that includes technical and human elements, as well as consideration of inside and outside threats is likely to be more effective in the battle to secure data.


Optimal Hackback, Jay P. Kesan, Ruperto Majuca Jun 2009

Chicago-Kent Law Review

Professor Jay Kesan from the University of Illinois College of Law, in joint work with Ruperto Majuca of the University of Illinois Department of Economics, argue in favor of legal rules that allow "hacking [data] back" in certain business circumstances. They analyze the strategic interaction between the hacker and the attacked company or individual and conclude that neither total prohibition nor unrestrained permission of hack-back is optimal. Instead, they argue that when other alternatives such as criminal enforcement and litigation are ineffective, self-defense is the best response to cybercrime because there is a high likelihood of correctly attacking the criminal, …


Alphaco: A Teaching Case On Information Technology Audit And Security, Hüseyin Tanriverdi, Joshua Bertsch, Jonathan Harrison, Po-Ling Hsiao, Ketan S. Mesuria, David Hendrawirawan Jan 2006

Journal of Digital Forensics, Security and Law

Recent regulations in the United States (U.S.) such as the Sarbanes-Oxley Act of 2002 require top management of a public firm to provide reasonable assurance that they institute internal controls that minimize risks over the firm’s operations and financial reporting. External auditors are required to attest to the management’s assertions over the effectiveness of those internal controls. As firms rely more on information technology (IT) in conducting business, they also become more vulnerable to IT related risks. IT is critical for initiating, recording, processing, summarizing and reporting accurate financial and non-financial data. Thus, understanding IT related risks and instituting internal …