Day 2 Thoughts: Difference between revisions

From Cyberlaw: Difficult Issues Winter 2010

Revision as of 14:45, 6 January 2010

Cybersecurity

Daniel: the idea of a "digital driver's license" has been around for [http://www.youtube.com/watch?v=RrpajcAgR1E some time now]. Effective and simple [http://en.wikipedia.org/wiki/Digital_signature digital signature] schemes, outside corporate or governmental control, sound much more promising to me.

Jason: This was a great discussion. To borrow a taxonomy from the [http://consc.net/papers/facing.html philosophy of mind], I particularly liked that we were trying to identify the "hard" problems and the "easy" problems of cybersecurity - even if we didn't always agree about what they are. In theory, though, we might identify a class of easy problems because they seem to have incremental solutions. If your drone transmissions are getting intercepted, use encryption! If you're worried about data loss, generate lots of backups to the cloud or to a mesh network! If you're worried about your credit card being stolen when you buy on Amazon, how about a government-generated user ID system? Or (somewhat more controversially), if your Air Traffic Control system is vulnerable, spend some money and update it - maybe making it more appliancized, maybe adding more points of human control.

But that still leaves the hard problems that seem to need quantum solutions. How can we solve the attribution problem when the global network was fundamentally designed to be pretty anonymous? How do we rectify the fact that the Internet carries both regular civilian communications and government transmissions? And how can we guarantee that hardware is secure when the only way to verify that it was built to spec is to take it apart? I'm looking forward to talking more about both kinds of problems, and both kinds of solutions.

GNI

Reuben: I think we should all congratulate ourselves on our prognostication skills. A lot of our predictions were right on the money. After reviewing my notes, I came away with a few main points. It seems the GNI has had two main benefits for those involved. First, it has helped companies establish processes for how they will handle sticky situations that arise in fields of free expression and privacy where previously those concerns went unrepresented or were dealt with in an ad hoc scramble. Secondly, GNI has facilitated relationships between companies and human rights organizations that allow the two sides to work together collaboratively to map out strategies and get more effective results.

While the panelists recognized the effectiveness of the GNI in at least certain situations, I was a bit surprised by the degree to which at least some participants seemed to welcome government involvement in order to force more attention on the activities of smaller companies who don't stand out the same way a Microsoft, Google, Yahoo, or Cisco might.

Jason: I think that the discussion took a bit of steam out of the "Difficult" part of the "Difficult Problems" equation - at least with regard to why Cisco is not participating in GNI and how they make decisions that implicate human rights issues. Mark's explanation of Cisco's position was exceedingly compelling: to my mind, he left little doubt that they really do have a different sort of impact on human rights than companies higher up in the stack; that they face a vastly different competitive landscape and client base than other ICT companies; and that they have well-developed standards and principles going forward. From where I sit, they would be completely crazy to join the GNI - it'd be all potential downside with no upside that I can tell, for either the company or for human rights. (Sadly, Cisco did not pay me to say all that, even if I just completely toed the company line.)