This Q&A is part of a series featuring panelists who will participate in the Princeton-Fung Global Forum. This public event, to be held March 20-21 in Berlin, is being organized by the Woodrow Wilson School of Public and International Affairs.
Earlier this week, WikiLeaks released thousands of documents from the Central Intelligence Agency (C.I.A.), revealing the agency’s powerful cyberspying capabilities.
How concerned should the country be about government surveillance? In such a vulnerable digital world, how can consumers protect privacy, liberty and democracy?
In this Q&A, Joel R. Reidenberg, a panelist at the upcoming Princeton-Fung Global Forum, addresses some of today’s top cybersecurity concerns.
An expert on information technology law and policy, Reidenberg is the Stanley D. and Nikki Waxberg Chair and Professor of Law at Fordham University, where he directs the Fordham Center on Law and Information Policy.
Q. What is your reaction to WikiLeaks’ claims of Central Intelligence Agency (C.I.A.) hacking? Should we be worried about the vulnerability of our smartphones?
Reidenberg: At this early stage, the leaked documents only show that the C.I.A. developed powerful hacking tools. This is no surprise. We know from the Federal Bureau of Investigation’s (FBI) dispute with Apple over the San Bernardino terrorist’s iPhone that the FBI was ultimately able to defeat the iPhone’s encryption. The magnitude and strength of the C.I.A.’s capabilities may have surprised the general public, but the real concern should be over the way the C.I.A. deploys these hacking tools. The disclosures have not yet shown how the C.I.A. actually uses these tools nor whether they are shared with other government agencies.
Following the Snowden disclosures, many questions were raised about the efficacy and legitimacy of our foreign surveillance laws and oversight, prompting legislative changes. Here similar questions should be raised. Do we know if the C.I.A. is complying fully with its legal obligations surrounding any hacking activities? Are those legal obligations sufficient in light of the scope of these hacking tools? Is the C.I.A. sharing the tools with other agencies? Do we have adequate legal and practical oversight? Until these questions can be answered, we should all worry about our vulnerability.
Q. In your view, what are today’s most pressing privacy and cybersecurity issues, both nationally and globally?
Reidenberg: I think the most pressing privacy issue today is the deleterious impact of ubiquitous surveillance on our democratic values. This is both a national and global issue. Surveillance is a feature of our network infrastructure — e.g., cell phones cannot function without constant location tracking while web browsing; email traffic creates enormous data trails; Internet of Things devices like home thermostats or fitness watches are specifically designed to monitor users and their environments. This kind of surveillance undermines the ability of citizens to preserve privacy and consequently conflicts with a core democratic value of freedom of association because freedom of association requires privacy.
In terms of cybersecurity, the most pressing issues revolve around vulnerability and mitigation. Our critical infrastructures are frighteningly exposed to destructive attacks, and our individual reliance on connected devices puts our daily lives in the line of disruption. The digital ecosystem today, especially for consumers, needs a major upgrade in security. The Dyn attack — which was a distributed denial-of-service attack that temporarily brought down Twitter, Netflix and other sites hosted on the Dyn provider — shows how household devices can be taken over and weaponized. We need to do a better job of creating and configuring more secure devices. At the same time, we also need to be planning for mitigation. No matter how hard we try to prevent them, successful attacks will occur. If we have good laws, policies and mechanisms in place to address the harms effectively, we reduce our vulnerability to significant disruption of services and daily life.
Q. It’s been found that Russia sought to influence the outcome of the 2016 U.S. presidential election. What are the implications for democracy? And should Germany, which also has an upcoming election, be worried?
Reidenberg: Foreign attempts to influence elections are not new. The United States is reported to have attempted to influence the Russian election of 1996 by engineering a $10.2 billion International Monetary Fund loan to help Boris Yeltsin, the first president of the Russian Federation. The United States is also said to have interfered in elections in other countries including Czechoslovakia, Haiti, Italy, Israel and Nicaragua.
The novelty presented by the Russian efforts in the 2016 U.S. presidential election is the use of cyber tools. Swaying votes by hacking and selectively releasing email is not dissimilar to a propaganda campaign, but it involves computer crimes and a previously unknown velocity of dissemination. The problem for democracy is how to respond effectively to rapidly spreading propaganda. Exposure may reduce the impact of propaganda but not eliminate its influence.
Hacking electronic voting machines themselves, however, presents a more fundamental challenge. If the voting machines are compromised, the integrity of an election’s actual outcome is lost, and the democratic legitimacy of the “winning” candidate is undermined.
Germany has every reason to be concerned for its upcoming election and to be prepared to confront information propaganda. If Germany uses electronic voting machines, they, too, should be carefully vetted, secured and tested for integrity.
Q. What’s the best way to use IT law – and should it be used – to prevent fake news and cyber hacks?
Reidenberg: Information technology law faces important capability limits in today’s digital ecosystem. Freedom of expression rights constrain how law can respond to problems like fake news and online hate. Practical issues like the difficulty of attribution and the geographical distance of cyber attackers can frustrate legal responses to hacking and cyber incidents. Information technology law, though, can be used to allocate liabilities in ways that encourage more responsible behavior. For example, hosting services in the United States have a broad statutory immunity from liability for third-party content except in cases of intellectual property right violations. It’s time to revisit this rule for civil rights harms and not privilege internet providers’ economic interests. Likewise, we should be thinking about using information technology law to address responsibility for security flaws in consumer products so that we discourage the sale of easily hackable devices that jeopardize cyber security for all.
Q. In your opinion, can liberty survive the digital age?
Reidenberg: Let me address two critical aspects of liberty: freedom of thought and freedom from coercion. Constant online monitoring, filtered information based on predicted interests and fake news will increasingly skew citizens’ thoughts. Facebook demonstrated this effect when the company, experimenting on its users, was able to demonstrate it could create emotional contagion. Likewise, cybersecurity threats such as ransomware and data exfiltration are effective tools for coercion that we have not yet been able to undermine. Our governing mechanisms today are poorly matched for the digital age and, unless we develop more effective ways to govern and assure public accountability, I think we will lose these freedoms in the years to come.
Q. You’re the founding director of the Center on Law and Information Policy. Can you describe some of the projects you’re currently working on?
Reidenberg: Our projects range from organizing conferences like the one we just held on “Artificial Intelligence, Machine Learning and Law in the Financial Services Sector” to research on law and policy questions for information technologies. At the moment, our research agenda is focused on the “Usable Privacy Policy Project.” We are working collaboratively with computer scientists at Carnegie Mellon University on the development of technologies that will assist users in understanding online privacy policies. For example, our team has pioneered work on the automated analysis of mobile apps to determine if the apps’ actual data practices are consistent with their privacy policies.