Internet

Cyber Security Investigation and Online Tracking

by Ude Lu, UMN Law Student, MJLST Staff.

On April 18th, 2013, the Cyber Intelligence Sharing and Protection Act (CISPA) was passed amid widespread controversy. CISPA aims to help national security agencies investigate cyber threats by allowing private companies, such as Google and Facebook, to search users’ personal data to identify possible threats. Commentators argue that CISPA compromises the Fourth Amendment, because, under CISPA, agencies can get private data of suspects identified by the private companies without a judicial order. CISPA bridges the gap between crime investigations and the private data stored and analyzed by social media companies.

Google and Facebook regularly track their users’ online behaviors, such as websites they visited or products they purchased, to figure out their personal preferences and deliver targeted advertisements. These personal behavior analyses raise serious privacy concerns. Omer Tene and Jules Polonetsky discussed these privacy concerns in their article To Track or “Do Not Track”: Advancing Transparency and Individual Control in Online Behavioral Advertising, published in Volume 13 Issue 1 of the Minnesota Journal of Law Science and Technology.

Tene and Polonetsky explained that while targeted advertising provides many advantages, one particular criticism is that users are deprived of meaningful control of their data. This led to various administrative proposals in the US and EU. In the US, the FTC proposed “Do Not Track”, a signal sent by users’ browsers to internet content providers requesting them not to track cookies. In the EU, the e-Privacy Directive required an opt-in consent for cookie tracking. The authors argue that whether cookie tracking should be “opt-in” or “opt-out” depends on how tracking is valued by society. If society in general values tracking as a positive measure to provide valuable services, then opt-out should be applied. On the contrary, if tracking is viewed by society as an invasion of privacy, then opt-in should be applied.


Cybersecurity: Serious threat or “technopanic”?

by Bryan Dooley, UMN Law Student, MJLST Staff

While most would likely agree that threats to cybersecurity pose sufficient risk to warrant some level of new regulation, opinions vary widely on the scope and nature of an appropriate response. The Cyber Intelligence Sharing and Protection Act, one of several proposed legislative measures intended to address the problem, has drawn widespread criticism. Concerns voiced by opponents have centered on privacy and the potential for misuse of shared information. Some fear the legislation creates the potential for additional harm by allowing or encouraging private parties to launch counterattacks against perceived security threats, with no guarantee they will always hit their intended targets.

In Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle, published in Issue 14.1 of the Minnesota Journal of Law, Science & Technology, Adam Thierer discusses the danger of misguided regulation in response to new and potentially misunderstood technological developments. The discussion centers on what Thierer terms “technopanics”–hasty and often irrational pushes to address a problem in the face of uncertainty and misinformation, sometimes intentionally disseminated by parties who hope to benefit financially or advance a social agenda.

In the context of cyber security, Thierer argues that advocates of an aggressive regulatory response have exaggerated the potential for harm by using language such as “digital Pearl Harbor” and “cyber 9/11.” He argues technopanics have influenced public discourse about a number of other issues, including online pornography, privacy concerns associated with targeted advertising, and the effects of violent video games on young people. While these panics often pass with little or no real lasting effect, Thierer expresses concern that an underlying suspicion toward new technological developments could mature into a precautionary principle for information technology. This would entail a rush to regulate in response to any new development with a perceived potential for harm, which Thierer argues would slow social development and prevent or delay introduction of beneficial technologies.

It’s an interesting discussion. Whether or not cyber attacks pose the potential for widespread death and destruction, there is significant potential for economic damage and disruption, as well as theft or misuse of private or sensitive information. As in any case of regulation in the face of uncertainty, there is also clear potential that an overly hasty or inadequately informed response will go too far or carry unintended consequences.


Threats From North Korea: Switching Our Focus From Nuclear Weapons to Websites

by Bryan Morben, UMN Law Student, MJLST Staff

There has been a lot of attention on North Korea and the possibility of a nuclear war lately. In fact, as recently as April 4, 2013, news broke that the increasingly hostile country moved medium-range missiles to its east coastline. It is reported that the missiles do not have enough range to hit the U.S. mainland, but are well within range of the South Korean capital. Tensions have been running high for several months, especially when the North took the liberty to shred the sixty-year-old armistice that ended the Korean War, and warned the world that “the next step was an act of ‘merciless’ military retaliation against its enemies.”

But perhaps the use of physical force by leader Kim Jong Un is not the only, or even the most important, threat from North Korea that the United States and its allies should be worried about. Despite the popular impression that North Korea is technologically inept, the regime boasts a significant cyber arsenal. The country has jammed GPS signals and also reportedly conducted cyber terrorism operations against media and financial institutions in the South. North Korea employs a host of sophisticated computer hackers capable of producing anonymous attacks against a variety of targets including military, governmental, educational, and commercial institutions. This ability to vitiate identity is one of the most powerful and dangerous aspects of cyber warfare, and one that isn’t possible in the physical world.

Susan Brenner is an expert in the field of cyberwar, cybercrime, and cyber terrorism. For over half a decade, she has been writing about how and why the institutions modern nation-states rely on to fend off the threats of war, crime, and terrorism have become ineffective as threats have migrated into cyberspace. Her article, Cyber-threats and the Limits of Bureaucratic Control, in Issue 14.1 of the Minnesota Journal of Law, Science & Technology outlines why we need a new threat-control strategy and how such a strategy could be structured and implemented. A strategy like the one Brenner recommends could help protect us from losing a cyberbattle with North Korea that most people aren’t even aware could happen.


21st Century Problem: Authentication of Prisoner Facebook Status Updates

by Eric Maloney, UMN Law Student, MJLST Staff

Facebook has become a part of everyday life for people around the world. According to Mark Zuckerberg and Co., over one billion people (yes, with a “B”) are active on Facebook every month, with an average of more than 600 million active users every day in December 2012. Disregarding bogus or duplicate accounts, that means roughly one-seventh of the entire human population is active on Facebook every month (with the world population currently sitting somewhere in the neighborhood of seven billion people).

Apparently, Facebook has become so commonplace and ingrained in the daily routine of some that they feel the need to use the social networking service from the privacy of their prison cells.

A Harlem gang member named Devin Parsons has decided to cooperate with the government against fellow members of his gang, and is currently incarcerated while trial is pending. Instead of having the usual prison contraband smuggled in, he obtained a mobile phone and used it to post Facebook status updates under an assumed name. According to Trial Judge William H. Pauley III:

In some posts, Parsons reflected on his life in jail:

“everybody wanna live but don’t wanna die”;
“Life is crazy thay only miss yu ifyu dead or in jail”; and
“G.o.n.e”

In others, Parsons posted about his cooperation:

“I’m not tellin on nobody from HARLEM but I can give up some bx n****s that got bodys”; and
“be home sooner then yaH hereing 101[.]”

While not exactly “Letter from Birmingham Jail,” Parsons was surprisingly bold about disclosing the fact of his cooperation and about the risk of getting caught with a banned cell phone by the prison administration. The gang against which Parsons is testifying is charged with multiple counts of narcotics trafficking and murder, among other things.

One of the defendants in the case, Melvin Colon, sought to compel the disclosure of these postings under the Brady rule, which requires the government to release evidence to the defense before trial if the evidence is favorable to the defendant. Judge Pauley held that the government was not obligated to turn these postings over to Colon; for various reasons, the government was never in actual possession of the Facebook statuses and therefore had no duty to disclose under Brady.

This case highlights the continually growing relevance that Facebook and other social media data has in legal proceedings. In fact, this is not even the first ruling about Facebook in this case; the defendant Colon had earlier moved to suppress his own Facebook postings which the prosecution sought to introduce. Judge Pauley denied this motion as well, holding that Colon’s sharing of the postings with his Facebook “friends” meant he lacked a reasonable expectation of privacy in them.

A background issue in this case was the idea of authenticity of the Facebook poster; because Parsons was posting under a fake name, both sides were unaware of his conduct until after the account had already been deactivated. While not contested here, ensuring that the Facebook information originated from the user is an increasingly important evidentiary consideration as more and more of this data is used in both civil and criminal contexts.

Professor Ira P. Robbins laid out a possible framework for authenticating social networking evidence in his Minnesota Journal of Law, Science & Technology article “Writings on the Wall: The Need for an Authorship-Centric Approach to the Authentication of Social-Networking Evidence.” While voicing significant concerns about the current lack of a required nexus between the online content and its real-life poster, he proposed detailed admissions criteria for social network postings. He offered several factors to be examined by judges in making rulings about such data, including who owns the account, how secure the account is, and how / when the post in question was created.

As Facebook and other social networking information becomes increasingly important to the outcomes of legal cases, a framework like this is essential to bring our procedures in line with the nature of 21st century evidence and to ensure our system continues to meet Due Process standards. Digital evidence is largely unexplored territory for jurists and scholars alike, and it’s my hope that evidentiary standards like those proposed by Professor Robbins are seriously considered by the legal community.


Time for a New Approach to Cyber Security?

by Kenzie Johnson, UMN Law Student, MJLST Managing Editor

The recent announcements by several large news outlets including the New York Times, Washington Post, Bloomberg News, and the Wall Street Journal reporting that they have been the victims of cyber-attacks have yet again brought cyber security into the news. These attacks reportedly all originated in China and were aimed at monitoring news reporting of Chinese issues. In particular, the New York Times announced that Chinese hackers persistently attacked their servers for a period of four months and obtained passwords for reporters and other Times employees. The Times reported that the commencement of the attack coincided with a story it published regarding mass amounts of wealth accumulated by the family of Chinese Prime Minister Wen Jiabao.

It is not only western news outlets that are the targets of recent cyber-attacks. Within the past weeks, the United States Department of Energy and Federal Reserve both announced that hackers had recently penetrated their servers and acquired sensitive information.

This string of high-profile cyber-attacks raises the need for an improved legal and response structure to deal with the growing threat of cyber-attacks. In the forthcoming Winter 2013 issue of Minnesota Journal of Law, Science, and Technology, Susan W. Brenner discusses these issues in an article entitled “Cyber-Threats and the Limits of Bureaucratic Control.” Brenner discusses the nature, causes, and consequences of cyber-threats if left unchecked. Brenner also analyzes alternative approaches to the United States’ current cyber-threat control regime, criticizes current proposals for improvements to the current regime, and proposes alternative approaches. As illustrated by these recent cyber-attacks, analysis of these issues is becoming more important to protect sensitive government data as well as private entities from cyber-threats.


While 86% of Americans Oppose Behavioral Targeting of Voters, Campaigns Embrace It

by Bobbi Leal, UMN Law Student, MJLST Articles Editor

With the dramatic 2012 Presidential election behind us, new information about the campaign funds is being released. A recent Huffington Post article outlines the campaign funds allotted toward the mining and analysis of internet data about potential voters. President Obama and Mitt Romney’s campaigns spent a combined total of $13 million on this controversial practice.

The Minnesota Journal of Law Science and Technology’s recent publication, “It’s the Autonomy, Stupid: Political Data-Mining and Voter Privacy in the Information Age,” points out that campaigns utilize data mining as a way to more effectively target voters. The mined data includes information gleaned or purchased from both public and private sources. To make use of the internet’s information on the individual, the campaigns use algorithms that match the attitudes of voters on specific issues with individual behaviors and tendencies. The individual behaviors they might look at include where you shop, which team you root for, which petitions you sign, who your friends are, and even what mobile device you use.

With a continued decrease in the number of undecided voters, the practice of using digital data to target particular individuals is an effective one. Further, online targeting can reach voters who would normally have no access to traditional campaigning, such as those in remote counties.

A study by the University of Pennsylvania Annenberg School of Communications revealed that a large majority of Americans (86%) are against behavioral targeting and tailored advertising for political or other purposes. However, privacy practices in the political context are not regulated like in the commercial sector due to protections afforded by political speech.


Six Strikes and You’re Out: Can a New RIAA Policy Solve Old Online File Sharing Problems?

by Ian Birrell

Since at least 1999, when Napster was originally launched, internet piracy, or downloading copyrighted materials (especially songs, videos, and games), has been a contentious activity. The Recording Industry Association of America (RIAA) has historically taken a very public and aggressive stance by finding individuals associated with IP addresses matching those where this “file sharing” is coming from. After finding such a target, the RIAA would send a letter demanding a settlement for thousands of dollars or threatening litigation, risky and expensive to the target, despite a potentially very small monetary value of downloaded material. The RIAA suits, which have continued for a number of years, include a number of well-publicized absurd claims.

This journal has written on the RIAA policies before. In 2008, we published a student note by Daniel Reynolds named The RIAA Litigation War on File Sharing and Alternatives more Compatible with Public Morality. Reynolds argued then that the policies were ineffective and unconscionable and urged change.

Change is coming. Later this year, after a number of years in development, a number of major carriers are planning to institute a “six-strikes” plan. This is a voluntary agreement between ISPs and certain content providers (the government is not involved), and is made to target peer-to-peer downloading. The plan has a notice phase, an acknowledgement phase, and a mitigation phase. Under the plan, a private carrier – say, Time Warner – will first notify a user that there has been an allegation of illegal copyright activity, then force a user who may be infringing (and who may or may not own the account) to acknowledge having received such notices, before the user finally suffers consequences. These consequences can include throttling of internet speed or having popular websites blocked.

Proponents point to a few positives under this proposal, including the user’s right to appeal to an independent arbitrator (for a $35 fee). Additionally, though lawsuits are still permitted by copyright holders, the hope is that the system will educate the public about copyright infringement and that, on notice that their behavior is illegal, infringement will at least slow down. Ron Wheeler, a Senior VP at Fox, said that, “This system is not designed to produce lawsuits–it’s designed to produce education.”

Unfortunately, a lack of education may not be the underlying problem. Reynolds noted that, even in 2004, awareness of the (il)legality of file sharing was widespread. And increasing awareness may not sharply decrease infringement. Critics further note that, despite the safeguards, penalties are ultimately based on accusations rather than definite findings of infringement. If the system ultimately works, though, it may be worth the headaches for both sides. Consumers will not be able to infringe (as much) but the public will also not suffer suits against twelve-year-olds for sharing music.


Growth of Social Media Outpaces Traditional Evidence Rules

by Sabrina Ly

Evidence from social networking websites is increasingly involved in a litany of litigation. Although the widespread use of social media can lead to increased litigation, as well as increasing the cost of litigation, use of social media has assisted lawyers and police officers in proving cases and solving crimes. In New Jersey, for example, two teenage brothers were arrested and charged with the murder of a twelve-year-old girl. What led to the two teenagers’ arrest was evidence left behind in their homes along with a Facebook post that made their mother suspicious enough to call the police. In another case, Antonio Frasion Jenkins Jr. had charges brought against him by an officer for making terroristic threats to benefit his gang. Jenkins posted a description of his tattoo on Facebook which stated: “My tattoo iz a pig get’n his brains blew out.” Pig is considered a derogatory term for a police officer. The tattoo also had the officer’s misspelled name and his badge number. The officer, who is a part of the gang investigation team, saw the Facebook post and immediately filed charges against Jenkins as he interpreted the tattoo as a direct threat against him and his family. These are two of the many situations in which social networking websites have been used as evidence to bring charges against or locate an individual.

The myriad of charges brought against individuals given evidence found on their social networking websites is the basis for Ira P. Robbins’s article “Writings on the Wall: The Need for an Author-Centric Approach to the Authentication of Social-Networking Evidence” published in Volume 13.1 of the Minnesota Journal of Law Science and Technology. Robbins begins by discussing the varying ways in which social networking websites have been used as evidence in personal injury and criminal matters. Specifically, Twitter, Facebook and Myspace postings have been deemed discoverable if relevant to the issue and admissible only if properly authenticated under the Federal Rules of Evidence. However, courts across the country have grappled with the evidentiary questions that are presented by social media. In some states, the court admitted the evidence given distinctive characteristics that created a nexus between the posting on the website and the owner of the account. In other states, the court found the proof of the nexus was lacking. Regardless, overall concerns of potential hackers or fictitious accounts created by a third party posing as someone else create problems of authentication.

Robbins argues that the traditional Federal Rules of Evidence do not adapt well to evidence from social networking websites. Accordingly, Robbins proposes the courts adopt an author-centric authentication process that focuses on the author of the post and not just the owner of the account. Failing to adopt an authentication method for evidence obtained on social networking websites may create consequences that could harm the values and legitimacy of the judicial process. The ability to manipulate or fake a posting creates unreliable evidence that would not only undermine the ability of the fact-finder to determine its credibility but would also unfairly prejudice the party against whom the evidence is presented.

Technology is an area of law that is rapidly evolving and, as a result, has made some traditional laws antiquated. In order to keep pace with these changes, legislators and lawmakers must constantly reexamine traditional laws in order to promote and ensure fairness and accuracy in the judicial process. Robbins has raised an important issue regarding authentication of evidence in the technological world, but as it stands there is much work to be done as technological advances outpace the reformation of traditional laws that govern it.


Censorship Remains Viable in China–but for How Long?

by Greg Singer, UMN Law Student, MJLST Managing Editor

In the west, perhaps no right is held in higher regard than the freedom of speech. It is almost universally agreed that a person has the inherent right to speak their mind as he or she pleases, without fear of censorship or reprisal by the state. Yet for the more than 1.3 billion currently residing in what is one of the oldest civilizations on the planet, such a concept is either unknown or wholly unreflective of the reality they live in.

Despite the exploding number of internet users in China (from 200 million users in 2007 to over 530 million by the end of the first half of 2012, more than the entire population of North America), the Chinese Government has remained implausibly effective at banishing almost all traces of dissenting thought from the wires. A recent New York Times article detailing the fabulous wealth of the Chinese Premier Wen Jiabao and his family members (at least $2.7 billion) resulted in the almost immediate censorship of the newspaper’s English and Chinese web presence in China. Not stopping there, the censorship apparatus went on to scrub almost all links, reproductions, or blog posts based on the article, leaving little trace of its existence to the average Chinese citizen. Earlier this year, Bloomberg News suffered a similar fate, as it too published an unacceptable report regarding the unusual wealth of Xi Jinping, the Chinese Vice President and expected successor of current President, Hu Jintao.

In “Forbidden City Enclosed by the Great Firewall: The Law and Power of Internet Filtering in China,” published in the Winter 2012 version of the Minnesota Journal of Law, Science & Technology, Jyh-An Lee and Ching-Yi Liu explain that it is not mere tenacity that permits such effective censorship–the structure of the Chinese internet itself has been designed to allow the centralized authority to control and filter the flow of all communications over the network. Even despite the decentralizing face of content creation on the web, it appears as though censorship will remain technically possible in China for the foreseeable future.

Yet still, technical capability is not synonymous with political permissibility. A powerful middle class is emerging in the country, with particular strength in the large urban areas, where ideas and sentiments are prone to spread quickly, even in the face of government censorship. At the same time, GDP growth is steadily declining from its tremendous peak in the mid-2000s. These two factors may combine to produce a population that has the time, education, and wherewithal to challenge a status quo that will perhaps look somewhat less like marvelous prosperity in the coming years. If China wishes to enter the developed world as a peer to the west (with an economy based on skilled and educated individuals, rather than mass labor), addressing its ongoing civil rights issues seems like an almost unavoidable prerequisite.


Political Data-Mining and Election 2012

by Chris Evans, UMN Law Student, MJLST Managing Editor

In “It’s the Autonomy, Stupid: Political Data-Mining and Voter Privacy in the Information Age,” I wrote about the compilation and aggregation of voter data by political campaigns and how data-mining can upset the balance of power between voters and politicians. The Democratic and Republican data operations have evolved rapidly and quietly since my Note went to press, so I’d like to point out a couple of recent articles on data-mining in the 2012 campaign.

In August, the AP ran this exclusive: “Romney uses secretive data-mining.” Romney has hired an analytics firm, Buxton Co., to help his fundraising by identifying untapped wealthy donors. The AP reports:

“The effort by Romney appears to be the first example of a political campaign using such extensive data analysis. President Barack Obama’s re-election campaign has long been known as data-savvy, but Romney’s project appears to take a page from the Fortune 500 business world and dig deeper into available consumer data.”

I’m not sure it’s true Buxton is digging any deeper than the Democrats’ Catalist or Obama’s fundraising operation. Campaigns from both parties have been scouring consumer data for years. As for labeling Romney’s operation “secretive,” the Obama campaign wouldn’t even comment on its fundraising practices for the article, which strikes me as equally if not more secretive. Political data-mining has always been nonpartisanly covert; that’s part of the problem. When voters don’t know they’re being monitored by campaigns, they are at a disadvantage to candidates. (And when they do know they’re being monitored, they may alter their behavior.) This is why I argued in my Note for greater transparency of data-mining practices by candidates.

A more positive spin on political data-mining appeared last week, also by way of the AP: “Voter registration drives using data mining to target their efforts, avoid restrictive laws.” Better, cheaper technology and Republican efforts to restrict voting around the country are inducing interest groups to change how they register voters, swapping their clipboards for motherboards. This is the bright side of political data-mining: being able to identify non-voters, speak to them on the issues they care about, and bring them into the political process.

The amount of personal voter data available to campaigns this fall is remarkable, and the ways data-miners aggregate and sort that data are fascinating. Individuals ought to be let in on the process, though, so they know what candidates and groups are collecting what type of personal information, and so they can opt out of the data-mining.