What sort of legal and policy choices would lead to more secure and safer software and computing-enabled devices? The patchwork of existing legal regimes in the US is based on regulations imposed on a few verticals (finance, healthcare, and education in particular), and a complex web of compliance frameworks, contractual provisions, and consumer lawsuits. As we think about making software safer and more secure for users, the policy choices we prefer now may have long-reaching effects. This talk will explore the implications of relying on software liability or other ex-post options vs. regulations or similar ex-ante choices.
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
1. Regulatory nets vs the
fishing hook of litigation
Wendy Knox Everette
@wendyck
BSides Las Vegas 2017
2. Regulation might be a dirty word in
today's political climate, but security is
the exception to our small-government
bias. And as the threats posed by
computers become greater and more
catastrophic, regulation will be
inevitable. So now's the time to start
thinking about it. - Bruce Schneier, Feb
2017
3. I am a lawyer, but I am not your
lawyer. This is not legal advice.
Instead, we are going to talk
about how to think about
incentivizing safer and more
secure computer software.
Photo by dakiny
4. Who am I?
@wendyck
● Software developer ‘99 -
‘13
● GMU Law School,
National Security Law
Concentration, ‘13 - ‘16
● ZwillGen Fellow ‘16 - ‘17
Photo by dakiny
5. What we have now:
Regulation - in the US, on a few verticals
vs
Liability - contractual provisions, very little software product liability
6. Liability
Tort or contract liability imposed in a civil court, such as the famous McDonald's hot coffee lawsuit.
8. Contract Liability
Users can enter into agreements to indemnify each other, agree on the services and goods they will exchange, and receive contract breach damages if the agreement falls apart.
10. Is this a distinction without a difference?
No, it is not! Proponents of software liability often favor it as protective of
innovation, and indeed the US has generally limited software liability so far in part to
allow the computer software industry to develop and innovate.
Meanwhile, proponents of regulation endorse the certainty and clarity that can
come from laying out a baseline set of requirements ahead of time.
(But are US regulations really all that clear? Are they too prescriptive in some
instances? When that occurs, do they make us less secure?)
11. Ex ante vs Ex Post
Tort liability, as with negligence and product liability, is an ex-post scheme, because any liability is imposed based on past actions, after a product has been released.
In contrast, something like the HIPAA regulations is considered ex-ante, because the rules apply before a piece of software is released, and they influence the design of the software so that it complies with the regulatory provisions.
12. How do we best incentivize security?
Attempt to fix responsibility wherever it will most effectively reduce hazards to life and health inherent in defective products that reach the market (Justice Traynor, concurring in Escola v. Coca-Cola Bottling Co., 1944)
13. So which is better?
This is a complicated question, and this talk will not aim to definitively endorse one or the other. But let's look at some considerations on each side….
14. Liability regime pros & cons
● Ex-post scheme: no harm, no liability
● Allows for innovation
● At the same time, this can lead to uncertainty which may actually lead to excessive risk-avoidance behavior
15. Consumer Suits
US Courts have so far been reluctant to impose liability for software bugs, data breaches, and so forth, in suits brought by consumers, because there has been no physical harm to consumers.
Some suits have been brought by consumers alleging violations of various laws like the Video Privacy Protection Act, but these are niche harms, and such suits are often still dismissed by courts for lack of substantial harm.
17. Regulatory regime pros & cons
Although regulations may be ex-ante, they may still lead to uncertainty.
Generalized requirements, meant to avoid locking-in a particular technology and therefore impeding innovation, may be so vaguely worded that companies are unsure how to interpret and apply the regulation to their products.
Photo by irenicrhonda
19. Just a sampling of US regulations affecting computer
security
● FTC §5 authority protects consumers from
deceptive & unfair practices
● HIPAA (protects personal health information)
● SEC Cybersecurity rules
● NHTSA Automotive cybersecurity
● NY State Department of Financial Services
Cybersecurity Rules
Photo by plasticbag
20. HIPAA
HHS tasked to “develop regulations protecting the privacy and security of certain health information”
HIPAA Security Rule:
● Ensure the confidentiality, integrity, and availability of e-PHI created, received, maintained or transmitted
● Identify and protect against reasonably anticipated threats to the security or integrity of the information
● Protect against reasonably anticipated, impermissible uses or disclosures
Photo by Jan Erik Waider
21. GDPR
The EU's General Data Protection Regulation is a new set of regulations set to take effect in May 2018.
● Will end up affecting many companies in the US due to its broad scope
● For companies outside of regulated industries like finance and healthcare, the GDPR requirements may be the most stringent regulations affecting them
Photo by volvob12b
24. Bounded Risk
If regulations apply to more companies, we might see more risk avoidance behavior (because now it is clear that a particular activity violates a particular regulation)
or
we might see more risk taking (because at worst a company might be subject to a known fine, which it decides is an acceptable risk to bear)
Photo by Kundan Ramisetti
25. Balancing innovation with due care
Should the goal be to make bad products pricier?
Ex-post liability depends on the assumption that consumers correctly gauge their risk levels & that all consumers have the same risk-utility curves
Photo by Mike Sutherland
26. Reducing transaction costs
The Coase Theorem in economics states that if transaction costs (which include monitoring for compliance) are reduced, then initial assignments of property rights become unimportant, because people will negotiate their way to the most efficient allocation of resources.
Transaction costs include trying to figure out how to comply with a regulation, or guessing what actions a jury would pin liability on after an accident.
Would consumers bargain for perfectly safe devices?
27. Coase’s take on the Coase Theorem
“I don't like it because it's a proposition about a system in which there were no transaction costs. It's a system which couldn't exist. And therefore it's quite unimaginable.”
Photo by don_greene
28. Collective Action problems & Uncertainty
Coase again, “There is no reason why, on occasion... governmental administrative regulation should not lead to an improvement in economic efficiency,...this would seem particularly likely when, as is normally the case with the smoke nuisance, a large number of people are involved and in which therefore the costs of handling the problem through the market or the firm may be high”
Photo by 1ulian
29. Who is the least-cost risk avoider?
Who is best positioned to take actions to avoid bad outcomes?
Is it the company that created a particular device?
A consumer who failed to apply a patch or used a device in an unanticipated manner?
A hacker who broke into a device that was connected to the internet?
32. Risk Management Frameworks
Companies have been figuring out ways to negotiate with each other about
software services.
If we look at the rise of compliance and risk management frameworks, as well as the
development of standard contracting terms, we will see the industry trying to create
standards to protect their data and systems. In many ways these frameworks are
similar to regulatory regimes, in that they can be a known set of requirements
imposed ex-ante on a software service.
33. Auditing & Compliance Standards
Companies have begun taking vendor security more seriously, and are often now
reviewing their vendors and at the same time being reviewed by their business
partners or companies for which they are vendors.
These could be analogized to the various regulations that apply to some industries in
the US. Companies also often negotiate contracts with each other, requiring that
their business partners use reasonable security to protect confidential data or PII,
and contracting around representations, warranties, and SLAs. These, especially
requirements for "commercially reasonable security measures" could be analogized
to the ex-post liability regimes.
https://www.schneier.com/blog/archives/2017/02/security_and_th.html
https://www.flickr.com/photos/dakiny/32881123852
Why did product liability (PL) develop?
- insurance function
- want incentives to make products safer
Are these efficient?
- 1st-party insurance is more efficient than 3rd-party insurance
- a consumer could buy disability insurance rather than having to prove a defect in a product and share any award with a lawyer
- Ideology behind PL: paternalistic, assumes consumers are not knowledgeable
https://www.flickr.com/photos/clry2/8282445472
https://www.flickr.com/photos/jfew/294316629/
Ex-ante uncertainty: if I take this action, could someone later impose some liability on me for it?
NY DFS
https://www.flickr.com/photos/irenicrhonda/8987718232
Can be more like strict liability in some instances but not all
Consumer private right of action
https://www.flickr.com/photos/aftab/5963074999
HIPAA Security Rule: Standards and Implementation Specifications; required vs. addressable implementation specifications
https://unsplash.com/collections/493637/deep-blue?photo=JYvF1iMJpTY
Photo by Jan Erik Waider on Unsplash
https://unsplash.com/collections/493637/deep-blue?photo=OODWPtfXAF0
Photo by Kundan Ramisetti on Unsplash
(depends on assumption that consumers underestimate risk) (also considering that people have same risk utility curves)
https://www.flickr.com/photos/156015048@N08/35190304552 - Mike Sutherland