DOCSLIB.ORG

TTLF Working Papers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Stanford – Vienna Transatlantic Technology Law Forum A joint initiative of Stanford Law School and the University of Vienna School of Law TTLF Working Papers No. 9 Information Security Law in the EU and the U.S. – A Risk-Based Assessment of Regulatory Policies Lukas Feiler 2011 TTLF Working Papers About the TTLF Working Papers TTLF’s Working Paper Series presents original research on technology, and business- related law and policy issues of the European Union and the US. The objective of TTLF’s Working Paper Series is to share “work in progress”. The authors of the papers are solely responsible for the content of their contributions. The TTLF Working Papers can be found at http://ttlf.stanford.edu. Please also visit this website to learn more about TTLF’s mission and activities. If you should have any questions regarding the TTLF’s Working Paper Series, please contact Vienna Law Professor Siegfried Fina, Stanford Law Professor Mark Lemley or Stanford LST Executive Director Roland Vogl at the Transatlantic Technology Law Forum http://ttlf.stanford.edu Stanford Law School University of Vienna School of Law Crown Quadrangle Department of Business Law 559 Nathan Abbott Way Schottenbastei 10-16 Stanford, CA 94305-8610 1010 Vienna, Austria Sponsors This project was co-sponsored by the Stanford-Vienna Transatlantic Technology Law Forum (Stanford Law School/University of Vienna School of Law), the Stanford Center for E-Commerce, the Europe Center at the Freeman Spogli Institute for International Studies at Stanford University, as well as supported by the University of Vienna Research Grant 2010. About the Author Lukas Feiler is an associate at Wolf Theiss Attorneys at Law, Vienna. He earned his law degree from the University of Vienna School of Law in 2008 and a Systems Security Certified Practitioner (SSCP) certification from (ISC)² in 2009. He also studied U.S. cyberspace law and intellectual property law at Santa Clara University. Previous activities include a position of Vice Director at the European Center for E- Commerce and Internet Law, Vienna (2005-2011), a traineeship with the European Commission, DG Information Society & Media, Unit A.3 “Internet; Network and Information Security” in Brussels (2009), software developer positions with software companies in Vienna, Leeds, and New York (2000-2011), and a teaching position for TCP/IP networking and web application development at the SAE Institute Vienna (2002-2006). He is the co-author of three books, the author of numerous law review articles published inter alia in the Santa Clara Computer & High Technology Law Journal, the European Journal of Law and Technology, and the Computer Law Review International, and lead developer of the open source project Query2XML, which was accepted for inclusion in the official PHP Extension and Application Repository. He has been a TTLF Fellow since August 2009 and a Europe Center Research Affiliate since November 2009. General Note about the Content The opinions expressed in this paper are those of the author and not necessarily those of the Transatlantic Technology Law Forum or any of its partner institutions, or the sponsors of this research project Suggested Citation This TTLF Working Paper should be cited as: Lukas Feiler, Information Security Law in the EU and the U.S. – A Risk-Based Assessment of Regulatory Policies, TTLF Working Paper No. 9, http://www.law.stanford.edu/program/centers/ttlf/papers/feiler_wp9.pdf. Copyright © 2011 Lukas Feiler Abstract The advancement and proliferation of information technology has led to a drastic increase of the amount of personal and non-personal information that is being stored, processed, or transmitted by individuals, businesses, and governments. These developments have increased the need for effective information security—i.e. the preservation of confidentiality, integrity, and availability of information. Since private as well as governmental actors continue to fail to provide an adequate level of information security, policy makers (legislators, judges, and regulators) were prompted to formulate regulatory policies that explicitly address the issue of information security. This paper identifies, analyses, and comparatively assesses regulatory policies in EU and U.S. law which address information security. As regards U.S. law, the paper discusses federal law as well as the law of the States of California and New York. The assessed policies typically take one of the following forms: First, they may require the implementation safeguards, whether for publicly traded companies, service providers, government authorities, software manufacturers, or organizations which handle personal information. Second, they may impose or limit liability in particular as regards software manufacturers, service providers, payment service providers, payment service users, or entities that are responsible for the processing of personal information. Third, policies addressing information security may mandate transparency, in particular by requiring the notification of breaches of information security or breaches of network security, mandating the disclosure of vulnerabilities by publicly traded companies, or prohibiting deceptive security claims about products and services. Fourth, such policies may attempt to deter malicious actors from mounting any threats against the security of information, in particular by providing criminal sanctions. To aid this comparative assessment, a risk-based assessment methodology is developed which is based on different risk treatment options. The paper also contains a concluding comparative assessment that summarizes the current state of information security regulation in the EU and the U.S. This concluding assessment highlights the extent to which current regulatory policies make use of the available risk treatment options, which actors of the information security landscape receive the most regulatory attention and which are more or less ignored, as well as whether the current regulatory policies are suitable to address the fundamental challenges of information security. Building on this concluding assessment, policy recommendations equally applicable to the EU and the U.S. are presented. The paper does not propose the adoption of a single radical measure but rather a holistic web of balanced measures that in concert may have the potential to fundamentally improve information security. Contents—Summary 1. Introduction ..................................................................................................................... 8 2. The Foundations and Challenges of Information Security............................................ 12 2.1. Information Security Defined.................................................................................. 12 2.2. Related Policy Areas ............................................................................................... 19 2.3. Actors in the Information Security Landscape........................................................ 29 2.4. Fundamental Challenges in the Field of Information Security ............................... 57 3. A Methodology for Assessing Regulatory Policies ...................................................... 73 3.1. Information Security Risk Defined ......................................................................... 73 3.2. Risk Treatment Options .......................................................................................... 82 4. Regulating Information Security by Mandating Security Controls .............................. 89 4.1. Mandatory Security Controls for Personal Information Controllers....................... 89 4.2. Mandatory Security Controls for Publicly Traded Companies............................. 179 4.3. Mandatory Security Controls for Service Providers ............................................. 187 4.4. Mandatory Security Controls for Government Authorities................................... 224 4.5. Mandatory Security Controls for Software Manufacturers................................... 235 5. Regulating Information Security by Imposing or Limiting Liability.......................... 257 5.1. Liability of Personal Information Controllers for Breaches of the Security of Personal Information............................................................................................. 258 5.2. Liability of Service Providers ............................................................................... 297 5.3. Liability of Software Manufacturers..................................................................... 322 5.4. Limiting the Liability of Payment Service Users.................................................. 379 6. Regulating Information Security by Mandating Transparency................................... 387 6.1. Mandatory Vulnerability Disclosure for Publicly Traded Companies.................. 387 6.2. Mandatory Data Security Breach Notification...................................................... 402 6.3. Mandatory Network Security Breach Notification ............................................... 474 6.4. Prohibiting Deceptive Security Claims About Products and Services.................. 495 7. Regulating Information Security by Deterring Malicious Threat Agents................... 506 7.1. Federal Computer Crime Law............................................................................... 506 7.2. State Computer Crime Law................................................................................... 515 7.3. EU Framework Decision on Attacks
Recommended publications
  • A Security Analysis of Voatz, the First Internet Voting Application Used in U.S

    A Security Analysis of Voatz, the First Internet Voting Application Used in U.S

    The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections∗ Michael A. Specter James Koppel Daniel Weitzner MIT† MIT‡ MIT§ Abstract The company has recently closed a $7-million series A [22], and is on track to be used in the 2020 Primaries. In the 2018 midterm elections, West Virginia became the In this paper, we present the first public security review of first state in the U.S. to allow select voters to cast their bal- Voatz. We find that Voatz is vulnerable to a number of attacks lot on a mobile phone via a proprietary app called “Voatz.” that could violate election integrity (summary in Table1). For Although there is no public formal description of Voatz’s se- example, we find that an attacker with root access to a voter’s curity model, the company claims that election security and device can easily evade the system’s defenses (§5.1.1), learn integrity are maintained through the use of a permissioned the user’s choices (even after the event is over), and alter the blockchain, biometrics, a mixnet, and hardware-backed key user’s vote (§5.1). We further find that their network protocol storage modules on the user’s device. In this work, we present can leak details of the user’s vote (§5.3), and, surprisingly, that the first public security analysis of Voatz, based on a reverse that the system’s use of the blockchain is unlikely to protect engineering of their Android application and the minimal against server-side attacks (§5.2).
  • Fngtf BOSTON, MA 02203 HEALTH, EDUCATION, LABOR, and PENSIONS P: 617- 565-3170

    Fngtf BOSTON, MA 02203 HEALTH, EDUCATION, LABOR, and PENSIONS P: 617- 565-3170

    ELIZABETH WARREN UNITED STATES SENATE MASSACHUSETTS WASHINGTON, DC 20510-2105 P: 202- 224-4543 COMMITTEES: 2400 JFK FEDERAL BUILDING BANKING, HOUSING, AND URBAN AFFAIRS 15 NEW SUDBURY STREET tlnitfd ~tGtfS ~fnGtf BOSTON, MA 02203 HEALTH, EDUCATION, LABOR, AND PENSIONS P: 617- 565-3170 ARMED SERVICES 1550 MAIN STREET SUITE 406 SPECIAL COMMITTEE ON AGING SPRINGFIELD, MA 01103 P: 413- 788- 2690 www.warren.senate.gov September 4, 2019 The Honorable Mike Pompeo Secretary U.S. Department of State 2201 C Street, NW Washington, DC 20520 Dear Secretary Pompeo: I am writing to request information regarding recent reports that Vice President Mike Pence patronized President Donald Trump's Trump International Golf Links & Hotel Doonbeg while in Ireland - at the "suggestion" of the President. 1 This transaction - another example of what appears to be open corruption in this administration - deepens my concerns about the ongoing ethics issues related to the President's continued financial relationship with the Trump Organization and the abuse of taxpayer funds to enrich the President and his family through their business interests. During his two-day visit in Ireland earlier this week, Vice President Pence stayed at the Trump International Hotel in Doonbeg and "[flew] the hour-or-so into Dublin [on the other side of Ireland] for official meetings," rather than staying at a hotel in Dublin a short drive away.2 The Vice President's chief of staff indicated that the President encouraged the Vice President to stay at his hotel, telling him, "[Y]ou should stay at my place."3 The Vice President's decision to trek across country is "clearly not convenient.
  • In 2017, Broad Federal Search Warrants, As Well As

    In 2017, Broad Federal Search Warrants, As Well As

    A PUBLICATION OF THE SILHA CENTER FOR THE STUDY OF MEDIA ETHICS AND LAW | FALL 2017 Federal Search Warrants and Nondisclosure Orders Lead to Legal Action; DOJ Changes Gag Order Practices n 2017, broad federal search warrants, as well as from disclosing the fact that it had received such a request. nondisclosure orders preventing technology and social On Oct. 12, 2017, the Floyd Abrams Institute for Freedom of media companies from informing their customers that their Expression at Yale Law School and 20 First Amendment Scholars, information had been handed over to the government, led to including Silha Center Director and Silha Professor of Media legal action and raised concerns from observers. However, Ethics and Law Jane Kirtley, fi led an amici brief in response Ithe U.S. Department of Justice (DOJ) also changed its rules on the to the ruling, explaining that National Security Letters (NSL) gag orders, leading a large technology company to drop its lawsuit issued by the FBI are accompanied by a nondisclosure order, against the agency regarding the orders. which “empowers the government to preemptively gag a wire or In 2017, the DOJ fi led two search warrants seeking extensive electronic communication service provider from speaking about information from web hosting company DreamHost and from the government’s request for information about a subscriber.” Facebook in connection to violent protests in Washington, The brief contended that these orders constitute prior restraints D.C. during President Donald Trump’s January 20 inauguration in violation of the U.S. Constitution and U.S. Supreme Court festivities. On Aug.
  • Press Galleries* Rules Governing Press Galleries

    Press Galleries* Rules Governing Press Galleries

    PRESS GALLERIES* SENATE PRESS GALLERY The Capitol, Room S–316, phone 224–0241 Director.—S. Joseph Keenan Deputy Director.—Joan McKinney Media Coordinators: Elizabeth Crowley Wendy A. Oscarson-Kirchner Amy H. Gross James D. Saris HOUSE PRESS GALLERY The Capitol, Room H–315, phone 225–3945 Superintendent.—Jerry L. Gallegos Deputy Superintendent.—Justin J. Supon Assistant Superintendents: Ric Andersen Drew Cannon Molly Cain Laura Reed STANDING COMMITTEE OF CORRESPONDENTS Maureen Groppe, Gannett Washington Bureau, Chair Laura Litvan, Bloomberg News, Secretary Alan K. Ota, Congressional Quarterly Richard Cowan, New York Times Andrew Taylor, Reuters Lisa Mascaro, Las Vegas Sun RULES GOVERNING PRESS GALLERIES 1. Administration of the press galleries shall be vested in a Standing Committee of Cor- respondents elected by accredited members of the galleries. The Committee shall consist of five persons elected to serve for terms of two years. Provided, however, that at the election in January 1951, the three candidates receiving the highest number of votes shall serve for two years and the remaining two for one year. Thereafter, three members shall be elected in odd-numbered years and two in even-numbered years. Elections shall be held in January. The Committee shall elect its own chairman and secretary. Vacancies on the Committee shall be filled by special election to be called by the Standing Committee. 2. Persons desiring admission to the press galleries of Congress shall make application in accordance with Rule VI of the House of Representatives, subject to the direction and control of the Speaker and Rule 33 of the Senate, which rules shall be interpreted and administered by the Standing Committee of Correspondents, subject to the review and an approval by the Senate Committee on Rules and Administration.
  • Sexing the Mueller Report

    Sexing the Mueller Report

    SEXING THE MUELLER REPORT Ruthann Robson* I. INTRODUCTION Sexual indiscretion, misconduct, and deceit percolate throughout the extensive 2019 Report On The Investigation Into Russian Interference In the 2016 Presidential Election—known as the Mueller Report.1 President Trump’s sexual behaviors are certainly not the focus of the Mueller Report, which resulted from the Acting Attorney General’s appointment of Robert S. Mueller, III as Special Counsel for the United States Department of Justice to investigate “any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump,” and “any matters that arose or may arise directly from the investigation.”2 Volume I of the Mueller Report addresses Russian interference with the 2016 election and any Trump campaign links in approximately 200 pages. Volume II of the Mueller Report, which is slightly longer at 241 pages, focuses on the question of whether the president obstructed justice in connection with the Russia-related investigations, including presidential actions related to the Special Counsel’s investigation itself. Given its charge, it is both predictable and understandable that the Mueller Report only obliquely addresses President Trump’s sexual * © 2020, All rights Reserved. Professor of Law & University Distinguished Professor, City University of New York School of Law. Appreciation to the editors and staff of Stetson Law Review, and for discussions on the Mueller Report and the role of sex, to Professors Penelope Andrews, Janet Calvo, Julie Goldscheid, Ellen Podgor, and Sarah Valentine. 1. 1 ROBERT MUELLER, REPORT ON THE INVESTIGATION INTO RUSSIAN INTERFERENCE IN THE 2016 PRESIDENTIAL ELECTION (2019) [hereinafter MUELLER REPORT VOL.
  • Full Program Announcement

    Full Program Announcement

    FOR IMMEDIATE RELEASE CONTACT: Cultivate PR Cultivate PR Cultivate PR Sam Davidson Amanda Sprague Samantha Foster [email protected] [email protected] [email protected] 512-689-7668 512-743-3941 512-670-6744 U.S. SENS. TED CRUZ & JOHN CORNYN TO JOIN CECILE RICHARDS, DAN RATHER AND MORE THAN 250 TOP SPEAKERS AT THE 2017 TEXAS TRIBUNE FESTIVAL FULL LINEUP AND PROGRAM NOW RELEASED Sept. 22-24 on the University of Texas at Austin campus AUSTIN, TEXAS (August 1, 2017) – The Texas Tribune is proud to announce the full program and schedule for its seventh-annual Festival, to be held Sept. 22-24 at the University of Texas at Austin. The event will host 250 legislators, thought-leaders and media in discussions tackling the state’s and the nation’s most pressing political issues. In a rare joint appearance, U.S. Sens. John Cornyn and Ted Cruz, both Republicans from Texas, will share the stage. Cornyn, the Senate Majority Whip, is the highest-ranking senator from Texas since Lyndon Johnson served as majority leader more than 50 years ago. Before being elected to the Senate in 2002, he previously served as a Texas Supreme Court justice and Texas attorney general. Cruz was the longest serving Solicitor General of Texas before being elected to the U.S. Senate in 2012 and has argued before the U.S. Supreme Court nine times. The Festival boasts a roster of more than 250 speakers and prominent figures from the worlds of public policy and politics, including Montana Gov. Steve Bullock; U.S. Rep.
  • Enhancing Cybersecurity for Industry 4.0 in Asia and the Pacific

    Enhancing Cybersecurity for Industry 4.0 in Asia and the Pacific

    Enhancing Cybersecurity for Industry 4.0 in Asia and the Pacific Asia-Pacific Information Superhighway (AP-IS) Working Paper Series P a g e | 2 The Economic and Social Commission for Asia and the Pacific (ESCAP) serves as the United Nations’ regional hub promoting cooperation among countries to achieve inclusive and sustainable development. The largest regional intergovernmental platform with 53 member States and 9 associate members, ESCAP has emerged as a strong regional think tank offering countries sound analytical products that shed insight into the evolving economic, social and environmental dynamics of the region. The Commission’s strategic focus is to deliver on the 2030 Agenda for Sustainable Development, which it does by reinforcing and deepening regional cooperation and integration to advance connectivity, financial cooperation and market integration. ESCAP’s research and analysis coupled with its policy advisory services, capacity building and technical assistance to governments aim to support countries’ sustainable and inclusive development ambitions. The shaded areas of the map indicate ESCAP members and associate members. Disclaimer : The Asia-Pacific Information Superhighway (AP-IS) Working Papers provide policy-relevant analysis on regional trends and challenges in support of the development of the AP-IS and inclusive development. The findings should not be reported as representing the views of the United Nations. The views expressed herein are those of the authors. This working paper has been issued without formal editing, and the designations employed and material presented do not imply the expression of any opinion whatsoever on the part of the Secretariat of the United Nations concerning the legal status of any country, territory, city or area, or of its authorities, or concerning the delimitation of its frontiers or boundaries.
  • Supreme Court of the United States

    Supreme Court of the United States

    No. 19-783 IN THE Supreme Court of the United States NATHAN VAN BUREN, Petitioner, v. UNITED STATES, Respondent. ON WRIT OF CERTIORARI TO THE UNITED STATES CouRT OF APPEALS FOR THE ELEVENTH CIRcuIT BRIEF OF AMICI CURIAE COMPUTER SECURITY RESEARCHERS, ELECTRONIC FRONTIER FOUNDATION, CENTER FOR DEMOCRACY & TECHNOLOGY, BUGCROWD, RAPID7, SCYTHE, AND TENABLE IN SUPPORT OF PETITIONER ANDREW CROCKER Counsel of Record NAOMI GILENS ELECTRONic FRONTIER FOUNDATION 815 Eddy Street San Francisco, California 94109 (415) 436-9333 [email protected] Counsel for Amici Curiae 296514 A (800) 274-3321 • (800) 359-6859 i TABLE OF CONTENTS Page TABLE OF CONTENTS..........................i TABLE OF CITED AUTHORITIES ..............iii INTEREST OF AMICI CURIAE ..................1 SUMMARY OF ARGUMENT .....................4 ARGUMENT....................................5 I. The Work of the Computer Security Research Community Is Vital to the Public Interest...................................5 A. Computer Security Benefits from the Involvement of Independent Researchers ...........................5 B. Security Researchers Have Made Important Contributions to the Public Interest by Identifying Security Threats in Essential Infrastructure, Voting Systems, Medical Devices, Vehicle Software, and More ...................10 II. The Broad Interpretation of the CFAA Adopted by the Eleventh Circuit Chills Valuable Security Research. ................16 ii Table of Contents Page A. The Eleventh Circuit’s Interpretation of the CFAA Would Extend to Violations of Website Terms of Service and Other Written Restrictions on Computer Use. .................................16 B. Standard Computer Security Research Methods Can Violate Written Access Restrictions...........................18 C. The Broad Interpretation of the CFAA Discourages Researchers from Pursuing and Disclosing Security Flaws ...............................22 D. Voluntary Disclosure Guidelines and Industry-Sponsored Bug Bounty Programs A re Not Sufficient to Mitigate the Chill .
  • HCW Mar-Apr 2017 Newsletter V2.Pages

    HCW Mar-Apr 2017 Newsletter V2.Pages

    Harvard Club of Washington, D.C. March - April 2017 HE Tihomir Stoytchev, The Ambassador of -Highlights- Saturday, March 4 Bulgaria, Awaits Us Ivy Singles Hike & Air and Ambassador Tihomir Stoytchev is a career diplomat. Space Museum On June 27, 2016, he presented his Letters of Credence to President Barack Obama, accrediting him Sunday, March 5 as Ambassador Extraordinary and Plenipotentiary of Gridiron Reception & Reprise the Republic of Bulgaria to the United States of America. Friday, March 10 Opening Night of Hexagon 2017 6:30-6:45pm: Registration of Guests Saturday, March 11 6:45-7:15pm: HE The Ambassador of Bulgaria will Address the Harvard Club Volunteer at Rock ’n’ Roll 7:15-7:30pm: Questions and Answers Marathon 7:30-8:30pm: Reception Sunday, March 26 Business attire is required. Out of respect for the staff, please do not arrive at the Tour of Sculptures of South Asia Embassy before 6:15pm. and the Himalayas Members and their guests - $45 Tuesday, April 4 When: Thursday, March 16, 6:30pm - 8:30pm Netsuke Exhibition Tour Where: The Embassy of Bulgaria, 1621 22nd Street, NW, Washington, DC 20008 Wednesday, April 5 A Dinner Conversation with David Fahrenthold Salute to Harvard Veterans in Congress David Fahrenthold is a reporter for The Washington Post and a CNN contributor. IVY/Seven Sisters Chess Event Saturday, April 8 David will discuss his experience covering Donald J. Wizards vs. Miami Heat Trump during the 2016 U.S. presidential election, including how he uncovered facts that the campaign Thursday, April 20 tried to keep hidden, and how he was called "a nasty Puglia: A Unique Architectural guy" by the future President.
  • Conflict in Cyberspace and International Law Ido Kilovaty a Thesis Submitted in Partial Fulfillment of the Requirements For

    Conflict in Cyberspace and International Law Ido Kilovaty a Thesis Submitted in Partial Fulfillment of the Requirements For

    Conflict in Cyberspace and International Law Ido Kilovaty A thesis submitted in partial fulfillment of the requirements for the degree of Doctor of Juridical Science (S.J.D.) at the Georgetown University Law Center 2017 1 Published as: Law journal publications Doxfare – Election Hacking as Prohibited Intervention 9 HARVARD NATIONAL SECURITY JOURNAL (Forthcoming Fall 2017) World Wide Web of Exploitations: The Case of Peacetime Cyber Espionage Operations Under International Law: Towards a Contextual Approach 18 COLUMBIA SCIENCE AND TECHNOLOGY LAW REVIEW 42 (2017) Virtual Violence – Disruptive Cyberspace Operations as "Attacks" under International Humanitarian Law 22 MICHIGAN TELECOMMUNICATION AND TECHNOLOGY LAW REVIEW 113 (2017) ICRC, NATO and the U.S. – Direct Participation in “Hacktivities” – Targeting Private Contractors in Cyberspace under the Law of Armed Conflict 15 DUKE LAW AND TECHNOLOGY REVIEW 1 (2016) Op-eds Want to Keep Hackers Out of Gadgets? Try International Law WIRED.COM (February 7, 2017). Violence in Cyberspace: Are Disruptive Cyberspace Operations Legal under International Humanitarian Law? JUST SECURITY (March 3, 2017). The Democratic National Committee Hack: Information as Interference JUST SECURITY (August 1, 2016). Will “Cyber Bonds” Mitigate Transnational Cyberspace Threats? JUST SECURITY (June 15, 2016). 2 ABSTRACT Conflict in Cyberspace and International Law Ido Kilovaty In this dissertation, through four separately published articles, I address several contentious questions with regard to offensive cyberspace capabilities and the role of international law in the digital era. Offensive cyberspace capabilities, which for clarity purposes I refer to as “cyber- attacks,” are operations in cyberspace that target the confidentiality, integrity, and availability (colloquially known as the CIA triad) of information technology systems.1 Throughout these four articles, I explore contemporary international law as it applies to cyber conflict.
  • Going from Bad to Worse: from Internet Voting to Blockchain Voting

    Going from Bad to Worse: from Internet Voting to Blockchain Voting

    Going from Bad to Worse: From Internet Voting to Blockchain Voting Sunoo Park Michael Specter Neha Narula Ronald L. Rivest MIT & Harvard∗ MITy MITz MIT§ November 6, 2020 (DRAFT) Abstract Voters are understandably concerned about election security. News reports of possible election in- terference by foreign powers, of unauthorized voting, of voter disenfranchisement, and of technological failures call into question the integrity of elections worldwide. This article examines the suggestions that “voting over the Internet” or “voting on the blockchain” would increase election security, and finds such claims to be wanting and misleading. While current election systems are far from perfect, Internet- and blockchain-based voting would greatly increase the risk of undetectable, nation-scale election failures. Online voting may seem appealing: voting from a computer or smartphone may seem convenient and accessible. However, studies have been inconclusive, showing that online voting may have little to no effect on turnout in practice, and it may even increase disenfranchisement. More importantly: given the current state of computer security, any turnout increase derived from with Internet- or blockchain-based voting would come at the cost of losing meaningful assurance that votes have been counted as they were cast, and not undetectably altered or discarded. This state of affairs will continue as long as standard tactics such as malware, zero days, and denial-of-service attacks continue to be effective. This article analyzes and systematizes prior research on the security risks of online and electronic voting, and show that not only do these risks persist in blockchain-based voting systems, but blockchains may introduce additional problems for voting systems.
  • Shining-A-Light-Encr

    Shining-A-Light-Encr

    SHINING A LIGHT ON THE ENCRYPTION DEBATE: A CANADIAN FIELD GUIDE JOINT RESEARCH PUBLICATION, MAY 2018 BY THE CITIZEN LAB AND THE CANADIAN INTERNET POLICY & PUBLIC INTEREST CLINIC LEX GILL TAMIR ISRAEL CHRISTOPHER PARSONS SHINING A LIGHT ON THE ENCRYPTION DEBATE: A CANADIAN FIELD GUIDE This page has intentionally been lef blank. SHINING A LIGHT ON THE ENCRYPTION DEBATE: A CANADIAN FIELD GUIDE COPYRIGHT © 2018 Citizen Lab and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, “Shining a Light on the Encryption Debate: A Canadian Field Guide,” by Lex Gill, Tamir Israel, and Christopher Parsons Licensed under the Creative Commons BY-SA 4.0 (Attribution-ShareAlike Licence) Electronic version first published by Citizen Lab and the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic in 2018. This work can be accessed through https://citizenlab.ca and https://cippic.ca. Citizen Lab and the Canadian Internet Policy & Public Interest Clinic (CIPPIC) are collaborative research partners. Together, the two groups engage in research that investigates the intersection of digital technologies, law, and human rights. This report is a joint research publication. Document Version: 1.0 The Creative Commons Attribution-ShareAlike 4.0 license under which this report is licensed lets you freely copy, distribute, remix, transform, and build on it, as long as you: • give appropriate credit; • indicate whether you made changes; and • use and link to the same CC BY-SA 4.0 licence. However, any rights in excerpts reproduced in this report remain with their respective authors; and any rights in brand and product names and associated logos remain with their respective owners.