Berkeley Technology Law Journal
http://btlj.org
Last updated: Fri, 11 Oct 2019 19:27:45 +0000

5 Minutes in Tech Law – October 10th
http://btlj.org/2019/10/5-minutes-in-tech-law-october-10th/
Fri, 11 Oct 2019 19:27:45 +0000

The post 5 Minutes in Tech Law – October 10th appeared first on Berkeley Technology Law Journal.

This week we discuss net neutrality, deepfakes, and the UK reviving an iPhone cookies case from earlier this decade.
Hosts: Barbora Studihradová LLM ’20 and Veronica Bognot ’21

5 Minutes in Tech Law – October 3rd
http://btlj.org/2019/10/5-minutes-in-tech-law-october-3rd/
Thu, 03 Oct 2019 18:40:28 +0000

This week, we discuss free public TV, Amazon preparing its own legislative proposals, and who gets sued if your Tesla gets into an accident as it drives toward you.

Hosts: Debbie Mosley ’22 and Andy Zachrich ’22

5 Minutes in Tech Law – September 26th
http://btlj.org/2019/09/5-minutes-in-tech-law-september-26th/
Thu, 26 Sep 2019 17:54:30 +0000

This week, we cover developments on the right to be forgotten, Led Zeppelin, and Elon Musk’s proposed paycheck.
Hosts: Maximin Orsero LLM ’20 and Dan Noel ’21

5 Minutes in Tech Law – September 19th
http://btlj.org/2019/09/5-minutes-in-tech-law-september-19th/
Wed, 25 Sep 2019 14:04:19 +0000

In the first episode of the series and of Issue 35, we cover recently announced tech antitrust investigations and some new California bills that will affect the tech giants.
Hosts: Allison Talker ’22 and Allan Holder ’21

Volume 34, Special Issue
http://btlj.org/2019/07/volume-34-special-issue/
Mon, 15 Jul 2019 16:00:42 +0000
COMPLETE VOLUME 34, SPECIAL ISSUE Complete Issue FRONT MATTER Front Matter ARTICLES One Judge’s Historical View of a …

COMPLETE VOLUME 34, SPECIAL ISSUE

FRONT MATTER

ARTICLES

Volume 34, Issue 1
http://btlj.org/2019/05/volume-34-issue-1/
Mon, 13 May 2019 21:19:56 +0000
COMPLETE VOLUME 34, ISSUE 1 Complete Issue FRONT MATTER Front Matter ARTICLES Grants by W. Nicholson Price II …

COMPLETE VOLUME 34, ISSUE 1

FRONT MATTER

ARTICLES

Volume 33, Issue 4
http://btlj.org/2019/04/volume-33-issue-4/
Sat, 27 Apr 2019 17:48:38 +0000
COMPLETE VOLUME 33, ISSUE 4 Complete Issue FRONT MATTER Front Matter ARTICLES Foreword by Vanessa K. Ing & …

COMPLETE VOLUME 33, ISSUE 4

FRONT MATTER

ARTICLES

What to Expect from Brazil’s General Data Protection Law?
http://btlj.org/2019/04/what-to-expect-from-brazils-general-data-protection-law/
Tue, 23 Apr 2019 05:44:18 +0000

by Margareth Kang (L.L.M. 2019)

According to David Banisar’s 2018 Report,[i] around 120 countries currently have data protection/privacy laws that protect personal data processed by both public and private parties, and nearly 40 countries have pending bills or initiatives on the subject. Although awareness in Latin America has been on the rise, Brazil, the region’s largest economy, only adopted a general data protection law in 2018. Notably, among the 12 countries in South America,[ii] five still have no general data protection regulation.[iii]

History and Background

The legislature began drafting the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD) in 2010. On two occasions between 2010 and 2015, the Ministry of Justice made a draft version of the Data Protection law available for public comment and contribution. Comments received during this period were added to the most recent version.

Between 2010 and 2018, several additional Personal Data Protection Draft Bills emerged, such as PL 4060/2012, PL 5276/16, PLS 330/2013, PLC 53/2018,[iv] and others. Over these eight years, progress on the draft bills was uneven. Many factors contributed to this, among the most important being the Brazilian political and economic crises from 2015 to 2017, which kept Congress busy with other topics and relegated data protection to a secondary position.

However, on May 25, 2018, the two main bills were joined: bill PL 5276/2016 was appended to bill PL 4060/2012. On May 29, the joined version was approved in the House of Representatives and sent to the Senate, where the draft bill received a new number, PLC 53/2018. The Senate approved the bill on July 10, 2018, and it was sanctioned with some vetoes by President Michel Temer on August 14. The vetoes mostly dealt with the National Data Protection Authority (NDPA),[v] on the ground that such an authority should be created by the Executive branch. Then, on December 27, 2018, President Temer issued an Executive Act (Medida Provisória MP n. 869/18) that created the NDPA and made a few additional changes to the law.

It is important to note that, although it took eight years to reach a final draft, Brazil approved its General Data Protection regulation in three months. Many factors contributed to the sudden progress around the issue, including the influence of the GDPR, Brazil’s interest in becoming an OECD member,[vi] and suspicions of Cambridge Analytica’s involvement in influencing Brazilian elections.[vii]

What are the main characteristics of LGPD?

The Lei Geral de Proteção de Dados (LGPD) is the Brazilian general data protection law. It applies to both the private and public sectors and was heavily influenced by the GDPR. It will come into effect in August 2020. While Brazil had some provisions and sectoral laws[viii] concerning personal data before the LGPD was approved, the variety of terms and definitions and lack of additional regulation made these provisions difficult to apply. The uniformity LGPD provides will facilitate compliance not only with this regulation, but with other rules, as well.

In this regard, some of the most important topics of the LGPD are:

  1. Definition of personal data. Personal data is divided into three categories: (i) personal data is any information relating to an identified or identifiable person;[ix] (ii) sensitive personal data is information regarding race/ethnicity, religious belief, political opinion, union membership, religious/philosophical/political organization, health/sexual life, and genetic/biometric data linked to a person;[x] (iii) anonymized data is data that cannot be linked to a person through reasonable technical means available at the time.[xi] Anonymized data is outside the scope of this law.
  2. Extraterritorial application. Personal data processors, even those not physically present in Brazil, are subject to the Law if (i) the data is processed in the national territory, (ii) the purpose is to offer goods or services, or to provide information about individuals located in the national territory, or (iii) the personal data was collected in the national territory.[xii]
  3. Legal bases. The LGPD has 10 legal bases that allow data collection and processing, including consent (not limited to written consent),[xiii] compliance with a legal or regulatory obligation, public policy implementation, collection for research purposes, execution of a contract to which the data subject is a party, regular exercise of a right, protection of life, protection of health, legitimate interest, and credit protection.
  4. Children under 12. For children under 12 years old, special consent is necessary.
  5. Difference between anonymized and pseudo-anonymized data. Whereas anonymized data[xiv] cannot identify a person by reasonable technical means available at the time, pseudo-anonymized data cannot identify the data subject without additional information maintained by the controller. Pseudo-anonymized data falls under the LGPD’s purview and, according to article 13, can only be used in conducting public health research.
  6. Data exclusion/deletion. Personal data must be deleted by the controller after the end of processing. However, the data subject can also request deletion at any time, with some exceptions.[xv]
  7. Subject rights. The law aims at giving the person control of their own data through rights such as: access, rectification, to not consent, anonymization, confirmation of processing, deletion of unnecessary or excessive data, data portability, information regarding data sharing with any third parties, revocation of the consent and automated decision review[xvi].
  8. International Data Transfer. Allowed when (i) the countries or international organizations provide adequate data protection, which will be evaluated by the DPA; (ii) the controller guarantees compliance with LGPD by contractual clauses, certificates, global corporate norms and code of conduct; (iii) necessary for international juridical cooperation; (iv) when necessary for public policy; (v) others.[xvii]
  9. National Data Protection Authority (NDPA). The NDPA is the body of the federal administration directly connected to the President of Brazil.[xviii] It is a regulatory body for both private and public data processors and can act in matters such as providing technical rules and standards, evaluating best practices, requesting data protection impact assessment reports, supervising, and imposing sanctions.[xix] It is important to note that the DPA’s functions and powers were established by Executive Act (Medida Provisória 869/18),[xx] which requires Congressional approval to become law. The vote is scheduled for June 2019, and there is no guarantee that a separate DPA body will be created. If Congress makes any alterations, they will require further presidential sanction.
  10. Privacy by Design requirement.[xxi]
  11. Fines. Fines can be up to 2% of the revenue of the company, group, or conglomerate in Brazil in the last fiscal year, excluding taxes, limited to R$50.000.000,00 (Reais) per infringement.[xxii]

Final Remarks

The Brazilian General Data Protection Law (LGPD) will take effect in August 2020 and bring many changes to personal data processing in Brazil. Although it received much influence from the GDPR, it retains its own particularities, such as the legal bases for data processing, which broadens data processing possibilities.

Additionally, though there is disagreement about the scope of the NDPA’s authority, it is fair to say that this regulation will bring more clarity for all sectors. The LGPD establishes the concepts, principles, and legal bases for personal data processing and protection. It is therefore recommended that organizations shape their services and business according to the new law.


[i] Banisar, David. National Comprehensive Data Protection/ Privacy Laws and Bills 2018. September 04, 2018. Available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1951416

[ii] Although Argentina, Chile, Uruguay, Paraguay, Peru, Colombia and French Guiana have general data protection laws, only Argentina and Uruguay meet the EU’s adequacy standard for data protection. (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en)

[iii] Bolivia, Ecuador, Guyana and Venezuela have sectoral data protection laws. Suriname is the only country without any data protection law.

[iv] PLC 53/2018 is in fact a joint version of PL4060/12 with 5276/16.

[v] Brazil. Law n. 13.709/2018. Article 55 to 59.

[vi] Cruz, Bruna Souza. Por vaga na OCDE, governo quer criar órgão de proteção de dados [For a seat at the OECD, government wants to create a data protection body]. Uol Tecnologia. April 13, 2018. Available at: https://noticias.uol.com.br/tecnologia/noticias/redacao/2018/04/13/por-vaga-na-ocde-governo-quer-criar-orgao-de-protecao-de-dados.htm

[vii] Padua, Luciano. Ministerio Publico investiga atuação da Cambridge Analytica no Brasil [Public Prosecutor’s Office investigates Cambridge Analytica’s activities in Brazil]. Jota. March 21, 2018. Available at: https://www.jota.info/paywall?redirect_to=//www.jota.info/justica/ministerio-publico-investiga-atuacao-da-cambridge-analytica-no-brasil-21032018

[viii] Before the General Data Protection Law, Brazil already had other laws regarding data protection, such as the Federal Constitution (article 5, X), the Internet Bill of Rights (Marco Civil da Internet), the Consumers Law (Código de Defesa do Consumidor, Article 43), the Financial Records Act (Lei de Cadastro Positivo), the Public Information Access Law (Lei de Acesso à Informação), Criminal Law n. 12.737/2012 (Lei Carolina Dieckmann), and other sectoral and municipal laws with provisions related to personal data.

[ix] Brazil. Law n. 13.709/2018. Article 5, I.

[x] Brazil. Law n. 13.709/2018. Article 5, II.

[xi] Brazil. Law n. 13.709/2018. Article 5, III.

[xii] Brazil. Law n. 13.709/2018. Article 3, 4.

[xiii] Brazil. Law n. 13.709/2018. Article 7.

[xiv] Brazil. Law n. 13.709/2018. Article 13, § 4º.

[xv] Brazil. Law n. 13.709/2018. Article 16 and 18. The exceptions regarding subject rights on data deletion are established in article 15 and 18.

[xvi] Brazil. Law n. 13.709/2018. Article 18 and 20.

[xvii] Brazil. Law n. 13.709/2018. Article 5, XV, 33, 34.

[xviii] Brazil. Law n. 13.709/2018. Article 55-A.

[xix] Brazil. Law n. 13.709/2018. Article 31, 32, 46, 50.

[xx] Although an Executive Act (Medida Provisória) has immediate applicability, it needs the approval of Congress (within 60 days, automatically extended for the same period if it has not been voted on) to become permanent law. For this reason, if Congress rejects the provisions about the DPA or rejects the entire Executive Act, the Act will lose its effect.

[xxi] Brazil. Law n. 13.709/2018. Article 46, § 1º.

[xxii] Brazil. Law n. 13.709/2018. Article 52.
My Genes Don’t Fit Yours
http://btlj.org/2019/04/my-genes-dont-fit-yours/
Tue, 23 Apr 2019 04:45:26 +0000

by Kaberi Basu (L.L.M. 2019)

On April 24, 2018, a four-decade search for the Golden State Killer came to an end. The use of genetic information to catch the suspect in a 40-year-old cold case was met with both relief and suspicion: the arrest finally provided closure to the relatives of the innumerable victims and to the investigators, but it also pushed people to question the privacy and ethical concerns attached to the procedure that was followed, as well as concerns about the genetic information held by commercial institutions that could be used for criminal investigations.

Golden State Terror!

Beginning in 1976, Northern California’s East Bay area was terrorized by a violent streak of homicide, burglaries, and rapes that would last nearly a decade. The “Golden State Killer” committed as many as twelve homicides, 45 rapes and 120 burglaries in multiple counties from Sacramento to Orange County.

The FBI and local law enforcement agencies kept the search open until June 2016, when an award of $50,000 was offered for any information regarding the Golden State Killer. The perpetrator ransacked homes and took valuables. Neighborhood burglaries were often followed by clusters of sexual assaults.

With no reliable tips, no hits from criminal DNA databases, and no fingerprints found at the crime scene, police had become frustrated with the case. Their new research began with GEDmatch, a website that allows users to upload their genetic information and search a database of roughly 1 million profiles to identify biological relatives. A meticulously preserved evidence kit from a 1980 rape and murder, frozen along with many other DNA samples that had previously been useless, was now a crucial piece of evidence. GEDmatch identified 10 to 20 distant relatives, whose lineages were traced back to the early 1800s to find an ancestor in common with the killer. Ancestry.com helped piece together 25 distinct family trees from one set of great-great-great-grandparents. Investigators scoured these trees for potential suspects, focusing on men who were roughly the same age as the killer and had connections to the Sacramento area. This led investigators to Joseph James DeAngelo, a former police officer living in Citrus Heights, a city less than 20 miles outside Sacramento. DeAngelo was put under surveillance, and a discarded tissue found in his garbage was collected and sent for matching.

Genetic Privacy

The 2018 closure of the Golden State Killer case brings up serious privacy-related questions, many relating to for-profit genome testing companies like 23andMe and GEDmatch, which turn a profit by selling anonymized genetic data. One cannot help but wonder whether sending genetic material to one of these companies amounts to relinquishing not just our own privacy, but the privacy of our relatives as well.

Genetic privacy refers to an individual’s right to the protection of genetic information from involuntary disclosure. The emergence of genetic privacy in the past decade is an offshoot of the development of genetic and information technology. Previously, information about hereditary traits was limited to what could, in principle, be known to others, such as individual and family health and obvious physical traits. However, recent rapid advances in sequencing technologies have made whole-genome sequencing faster and cheaper. The data sets are capable of linking 10,000 to 1 million human genome sequences and also enable identification of individuals with shared DNA sequences. It is now possible to work backwards from an unknown genetic sample to its originator.

Genetic privacy is a limited application of information privacy. The different strata of informational privacy include limits on access to personal information: confidentiality, anonymity and secrecy. Confidentiality implies trust in private and professional relationships between individuals. Anonymity refers to a state of blocked or restricted access to information that identifies persons. Secrecy implies having control over the disclosure of information; it entails an aspect of intentional concealment and can also be deliberately used to the detriment of others.

Issues

The Golden State Killer investigation has raised other questions as well. GEDmatch’s privacy policy informs users that broad consent for the further use of their data is granted every time someone uses the service. By contrast, 23andMe provides a form of open consent in which users can limit the scope of consent given for storage and use of their data.

Despite the prospects of reviving cold cases, the lack of third-party consent is troublesome. The suspect in this case did not consent to his genetic information being made available; instead, a distant relative’s information was used to establish a connection to the accused. Nor was the accused’s consent obtained for the final match: a DNA sample was surreptitiously collected from the door handle of a car DeAngelo had been driving, and the tissue found in his garbage ultimately matched the suspect profile.

A second cause of concern is the security of these data sets. 23andMe’s privacy policy emphasizes that personally identifiable information is encrypted and stripped of any genetic data. However, the fact that they profit in part from selling this anonymized genomic data cannot be ignored. The concern is related to the storage of the data itself, and the susceptibility of the stored data to cyber-attacks, hacking, and even insider trading, as health information extracted from genetic data can be of extreme importance to the pharmaceutical and insurance industries.

23andMe has covered its bases with regard to the Federal Trade Commission’s requirements. However, the loss of data would affect its users immensely, with harms ranging from discrimination based on genetic information in insurance coverage to social stigma from discrimination by employers. In many cases, individual users lack standing to sue a company over a data breach unless a ‘substantial injury’ is shown. Even for the FTC to act under either the ‘unfairness theory’ or the ‘deception theory’, elements such as “substantial injury” and “unavoidability,” which in many cases are difficult to prove, are required.

Biomedical research labs conducting DNA research are subject to rigorous compliance standards, requiring full consent by individuals, permission from multiple committees, and extremely secure data storage procedures. Commercial companies are not likely required to comply with the same rigorous standards. For pharmaceutical companies, even a set of unidentified genetic data could be useful. If a large pharmaceutical company that controls a large data set of genetic information decides to tailor its research accordingly, it could very well chill innovation and medical research. Research tailored to illnesses shown to be on the rise in a large data set would be driven by profit incentives: work in a lucrative area would attract funding, while other areas would be neglected for lack of funding and interest within the pharmaceutical industry. The Genetic Information Nondiscrimination Act currently prohibits insurance companies and employers from any sort of discrimination based on genetic information.

Genetic information is personally identifiable, especially where genetic material taken from a used tissue or cup is compared against a data set. Companies like 23andMe are diligent in making stored data unidentifiable, but matching already identified genetic information against the database remains possible and is a privacy concern.

Conclusion

To address these issues, an initial measure could be alerting the public to the risks to genetic data privacy, which would require informing consumers that it is not possible to fully guarantee that their data privacy will not be breached. Additionally, an open consent mechanism similar to the one 23andMe employs is a good start. The choice of withdrawing our data at any point in time is pivotal to establishing trust. It is important to remember the human factor in the equation: human imperfections remain a cause for concern in the data storage discussion, and the possibility of insider trading as a source of data breach should not be ignored. Finally, a detailed analysis of the risks to genetic privacy, along with regulatory updating, is required. It will be necessary to revisit concepts like consent and third-party consent in light of the present technological advancement of genetic information.

Taking a Hard Look at the Vulnerabilities Equities Process and its National Security Implications
http://btlj.org/2019/04/taking-a-hard-look-at-the-vulnerable-equities-process-in-national-security/
Tue, 23 Apr 2019 04:33:52 +0000

by Mimansa Ambastha (L.L.M. 2019)

Modern information technology is intrinsically full of vulnerabilities, from software code and algorithms to hardware security systems. Security professionals around the world agree that no cyber technology can claim to be 100% secure against manipulation, as any piece of technology inherently presents vulnerabilities arising from the commercial choice of functionality over ironclad security. One such flaw is a ‘zero-day vulnerability,’ i.e. a vulnerability that remains unknown to the software vendor or manufacturer and which can be exploited by anyone with the capability to launch immediate cyber-attacks (giving security professionals zero days to fix the problem). While such zero-day vulnerabilities pose threats to user safety, they also provide opportunities for government agencies to build targeted Internet surveillance tools for law enforcement purposes, mass Internet surveillance tools for intelligence purposes, and cyber-weapons for military use.[1] Herein lies the dilemma: our state agencies are tasked with protecting the nation, a task that involves both securing the nation’s systems and gathering valuable intelligence against actual and potential adversaries. The former would require the agency to disclose any vulnerability to the vendor so that it may be patched, whereas the latter would require restricting disclosure and exploiting the vulnerability to target potential adversaries at the cost of general cybersecurity. Treated as an “equities” issue between conflicting national security value propositions, this dilemma gave birth to the Vulnerability Equities Process (“VEP”),[2] a high-level inter-agency deliberation process that guides the United States government (“USG”) to either disclose or restrict information on zero-day vulnerabilities.

The VEP is the result of a decade-long government review of cyber capabilities. In 2008, the George W. Bush Administration directed a working group to develop a joint plan for improving the government’s offensive capabilities and protecting both government and public information systems.[3] This working group recommended VEP adoption to strike a balance between the government’s “offensive and defensive mission interests” upon the discovery of a vulnerability.[4] In 2010, a working group led by the Obama administration’s Director of National Intelligence worked on this recommendation, producing the VEP in a document titled, “Commercial and Government Information Technology and Industrial Control Product or System Vulnerabilities Equities Policy and Process.”[5] However, it wasn’t until 2014 that the VEP became publicly known, due in part to a blog post by then Special Assistant to the President and Cybersecurity Coordinator, Michael Daniel,[6] and a lawsuit[7] filed by the Electronic Frontier Foundation under the Freedom of Information Act that sought access to VEP workings surrounding the ‘Heartbleed bug’. Finally, in January 2016, the government released a redacted version of the 2010 VEP. After public insistence, this was followed by a superseding VEP “charter” released by the Trump Administration in November 2017.[8]

The VEP creates an Equities Review Board (“ERB”) to make disclosure decisions. It comprises representatives from multiple stakeholder agencies,[9] with the NSA acting as Executive Secretariat. The process covers only those zero-day vulnerabilities that are newly discovered—that is, discovered after the effective date of the initial VEP[10] and not publicly known to the vendor/supplier.[11] These could include exploits[12] developed by an agency or acquired on the open market. Once a member agency identifies such a vulnerability, it may submit relevant information to the Executive Secretariat specifying its nature, impacted products and services, and recommendations for disclosure or restriction.[13] Other agencies claiming equities in the identified vulnerability can also submit their recommendations, which the ERB will use to make a decision by majority vote.[14] Generally, decisions should favor disclosing vulnerabilities, and must only favor restriction in the exceptional cases of a demonstrable, overriding interest in using them for purposes of lawful intelligence, law enforcement, or national security.[15]

Exploiting vulnerabilities is an established and often necessary tool for the USG to gain valuable intelligence insights and conduct foreign espionage. Indeed, given that the USA’s allies and rivals around the world are engaged in a cyber arms race,[16] immediate disclosure of all strategic vulnerabilities by the government might amount to unilateral disarmament.[17] Further, digital exploits have helped law enforcement dismantle crime rings,[18] nab kidnappers,[19] shut down child pornography websites,[20] monitor digital trails of criminal operations, and hack suspects’ computers or mobile devices for investigation and evidence.[21] However, it is equally true that an increasing number of undisclosed and unpatched vulnerabilities threaten the resilience of the nation’s digital infrastructure. In fact, recent reports indicate that 49% of Americans do not feel confident about the federal government’s ability to protect their data.[22] Moreover, vulnerabilities significantly expand the government’s surveillance capabilities over its citizens, especially in light of recent amendments to Rule 41 of the Federal Rules of Criminal Procedure, which authorize “remote access” warrants for mass hacking of computers.[23] This raises further concerns about the government using such powers to crack down on political dissidents and opposing perspectives. Vulnerabilities can be used to manipulate public opinion and tamper with voting machines.[24] Thus, the effectiveness of the VEP’s ‘balancing act’ in decision-making is crucial for a well-oiled democratic machinery. In its current form, however, the VEP leaves much to be desired, and has created many new problems of its own.

One of the biggest concerns about the VEP is that it provides an impetus for a growing market for undisclosed vulnerabilities. While this market has existed for some time, it was previously dominated by companies offering “bug-bounties” to those who found security vulnerabilities in their products.[25] This incentivized hackers to disclose vulnerabilities that could be patched, improving software safety. It also encouraged private vendors to develop safer products in the first place, instead of shouldering the cost and bad press involved in announcing and patching each new vulnerability.[26] However, in the past decade, cyberspace has become a favored battlefront for nations and non-state actors alike to remotely trigger debilitating cyber attacks like Stuxnet, WannaCry, and NotPetya, leading to failure of critical infrastructure and massive economic disruption.[27] This in turn has caused demand for vulnerability exploits to increase exponentially, creating a highly lucrative market. Western nations, led by the US,[28] offer 10 to 100 times[29] the rewards offered by software companies.[30] This has led to the rise of private malware vendors[31] who commonly offer zero-day exploits in popular products and services, including Microsoft Word, Adobe Reader, and Apple’s iOS operating systems.

Estimated Price List for Zero-Day Exploits for Popular Software Products[32]

The enticing purchase price of zero-day exploits has caused researchers to stop disclosing them in bug-bounty programs, instead opting to sell them to the highest bidder.[33] Defense contractors like ManTech, Booz Allen Hamilton, Harris, and Raytheon, for example, have reportedly acquired formal US government contracts to infiltrate targeted software.[34] Even mere brokers, who arrange transactions between government agencies and hackers, make millions of dollars.[35] This ‘reverse’ market trend has dismantled the previous structure, which encouraged public disclosure of vulnerabilities, at the cost of public cybersecurity. Concerns that software programmers may deliberately create vulnerabilities in a company’s products to sell them to government agencies later[36] further decrease overall market incentives for secure software.[37]

Malware vendors often sell exploits non-exclusively to multiple government agencies at once.[39] Even where exploits are purchased with accompanying exclusivity agreements,[40] a vulnerability’s continued secrecy is not guaranteed if it may be independently discovered by someone else.[41] In this sense, every decision to retain a vulnerability without fixing it arguably increases risk to national systems.

High purchase prices point to another disturbing criticism of the VEP: even though the USG claims to disclose up to 90% of the vulnerabilities through the VEP,[42] the government could simply choose not to disclose the few high-severity flaws that pose the greatest security concerns. Given the five- to six-figure prices it is buying vulnerabilities at, it seems logical that the USG is only paying so much for high-stakes vulnerabilities that would be retained for law-enforcement or intelligence purposes, and not merely for the benevolent purpose of disclosing them. This also emphasizes an oft-repeated concern that many such purchased vulnerabilities may be deliberately kept out of the VEP disclosure process by defining them under the open-ended language of ‘exceptions’ to disclosures. Agencies can over-use these exceptions or transgress beyond their reasonable interpretations in order to keep vulnerabilities from entering the process in the first place. Even though the VEP offers an annual internal audit that “may” be shared with Congress,[45] it offers little help without meaningful descriptions of how vulnerabilities were identified. This is especially true if agencies adopt differing substantive interpretations of VEP vulnerabilities, or end up submitting operational end-to-end exploits instead of technically specified vulnerabilities.[46] For example, the FBI purchased a so-called “black-box exploit”[47] to access a suspect’s iPhone after the 2016 San Bernardino attacks. The FBI later stated that it was unable to submit information on the vulnerability to the VEP because it had not purchased the rights to the technical details from the third-party seller.[48] This raises additional concerns that purchase contracts could be intentionally structured to withhold the technical components that would trigger the VEP, thereby avoiding the process entirely.[49]

If the treasure-trove of vulnerabilities amassed by the USG were to be stolen or leaked, they could quickly become ammunition for devastating cyber-attacks. Case in point is the 2017 “WannaCry” ransomware attack, which exploited a Windows server vulnerability, crippling 10,000 organizations (including hospitals and transportation) in 150 countries. All told, it caused damage of $4-8 billion.[50] This vulnerability, “EternalBlue,” was a manufactured exploit that the NSA had used for years before it was stolen and leaked in a 2016 breach.[51] Despite the NSA’s warnings before WannaCry’s onset, Microsoft’s hastily issued patch left many systems compromised.[52] A few months later, “EternalBlue” became the basis for the NotPetya malware attack, touted as the most destructive global cyberattack in history, causing up to $10 billion in damage worldwide.[53] 2017 also saw WikiLeaks release dozens of exploits used by the CIA to hack Android and iOS smartphones, the sheer number of which suggested violations of the VEP.[54] Worse still, WikiLeaks indicated that the vulnerabilities it released were in the hands of hackers before it even published them.[55] Such security breaches cast a harsh new light on vulnerability retention under the VEP. Eliminating security breaches is crucial if the VEP is to remain justifiable.

It wasn’t until 2017 that the VEP was fully unclassified, and it will surely be fine-tuned in the coming years with help from the public. There is much room for improvement. As an executive creation, the VEP does not bear the legislative sanction that is typically required when citizens grant their government powers of surveillance and policing in exchange for greater security. In fact, so far, citizens or their elected representatives do not have a participating or deciding role in the VEP at all, despite the fact that unpatched vulnerabilities pose substantial threats to their interests. Comprehensive legislation on this topic would be difficult, given the constantly evolving nature of vulnerabilities and their impacts; not to mention the need for secrecy, high-level expertise, and quick decision-making. To strike a balance, the VEP’s current composition can be diversified by adding an elected representative (or two) and civilian agencies who can counter any biases that intelligence and military agencies may harbor towards retention. The VEP’s Executive Secretary function should be transferred from the NSA to the Department of Homeland Security to remove any appearance of NSA bias.[58] Agencies in general must maintain the highest possible security standards around their exploit stash. Vulnerabilities enormously empower agencies’ national security operations, but citizens cannot be expected to accept the VEP bargain if agencies fail in their primary responsibility of keeping these vulnerabilities out of the wrong hands.

There needs to be additional transparency concerning the VEP’s implementation. It no doubt attempts to make disclosure the rule and restriction the exception, and lays down fair criteria[59] to calculate the net benefits to overall national security. These include factors such as the vulnerability’s demonstrated and future value, its operational effectiveness, the possibility of patching and risk mitigation, the likelihood of third-party discovery, and the existence of alternatives.[60] Participating agencies have too much discretion in defining vulnerabilities, which further prevents many vulnerabilities from entering the process in the first place. Even when a vulnerability is known to be undisclosed, there is no way of knowing if this was determined by the ERB under the VEP, or if the vulnerability simply never entered the process in the first place.[61] It’s no wonder then that both the House of Representatives[62] and Senate[63] have prepared bills imposing basic reporting requirements for vulnerabilities. Passage of such laws is a good first step to improving the quantity and quality of disclosures. Further, civilian agencies participating in the VEP, while beyond the scope of these bills, should voluntarily report the same information as their intelligence counterparts to improve overall transparency.

Finally, there are strong indications that the VEP in fact legitimizes and bolsters the market for zero-day vulnerabilities, reducing remediation of software flaws by vendors. This issue, while perhaps difficult to address, is significant: by incentivizing hackers to keep vulnerabilities secret, government participants in this market may become indirectly complicit in the attacks on network infrastructure. One possible way to address this issue is to look beyond the binary determinations of disclosure/retention, and instead opt for alternatives illustrated in the VEP itself. Restriction of the vulnerability must only be justified when it provides an enormous benefit that is irreplaceable and unobtainable by other means. Importantly, USG needs to prioritize sharing information with private vendors rather than alienating them, as much of USA’s IT infrastructure and cyber-capabilities are privately developed, and lasting trust and cooperation with the private sector will, realistically, be necessary.

The (present) impossibility of creating ‘perfect’ technology leaves us to make peace with the existence of vulnerabilities—hidden or otherwise—that will continue to play a role in cybersecurity and national security. However, we should keep watch for excessive government use, which frequently undermines the cybersecurity of citizens and enterprises alike. The aforementioned norms surrounding transparency, participation, and cooperation with civilian and market stakeholders—though cumbersome—ought to be implemented as an initial step towards fairly informing the choices that both security propositions offer. After all, the government is of the people, by the people and for the people, before anything else.

[1] Bruce Schneier, ‘The Vulnerabilities Market and the Future of Security’, Forbes, May 30, 2012 (https://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-the-future-of-security/#31fffacd7536)

[2] Vulnerabilities Equities Policy and Process for the United States Government, November 15, 2017 (https://www.whitehouse.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF)

[3] Ari Schwartz and Rob Knake, “Government’s Role in Vulnerability Disclosure,” Discussion Paper 2016-04, June 2016, at http://www.belfercenter.org/sites/default/files/legacy/files/vulnerability-disclosure-web-final3.pdf.

[4] The White House, “HSPD-54/HSPD-23 Cybersecurity Policy,” presidential directive, January 8, 2008, at https://epic.org/privacy/cybersecurity/EPIC-FOIA-NSPD54.pdf.

[5] Director of National Intelligence, “Commercial and Government Information Technology and Industrial Control Product or System Vulnerabilities Equities Policy and Process,” directive, at https://www.eff.org/files/2015/09/04/document_71_-_vep_ocr.pdf.

[6] Michael Daniel, ‘Heartbleed: Understanding When We Disclose Cyber Vulnerabilities’, April 28, 2014 ( https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities)

[7] Complaint, Electronic Frontier Foundation v. National Security Agency (https://www.eff.org/files/2014/07/01/eff_v_nsa_odni_-_foia.pdf )

[8] Supra note 2.

[9] Agencies include Department of Defense (including the NSA), Department of Justice (including the FBI), Department of State, Department of Energy, Department of Homeland Security, Central Intelligence Agency, Defense Intelligence Agency, Office of Management and Budget, Department of the Treasury, Department of Commerce etc. Supra note 2 at 3.

[10] February 16, 2010, which is the date when the VEP was first conceptualized as the “Commercial and Government Information Technology and Industrial Control Product or System Vulnerabilities Equities Policy and Process” under a working group led by the Director of National Intelligence under the Obama Administration.

[11] Supra note 2, Annex A at 11.

[12] An exploit is the manner of transforming a vulnerability into an actual tool to breach a system.

[13] Supra note 2 at 7-9.

[14] Id.

[15] Supra note 2 at 1.

[16] ‘China tips the scale of global cybersecurity by hoarding vulnerabilities’, AccessNow, September 20, 2018 (https://www.accessnow.org/china-tips-the-scale-of-global-cybersecurity-by-hoarding-vulnerabilities/)

[17] White House Statement – Rob Joyce, ‘Improving and Making the Vulnerability Equities Process Transparent is the Right Thing to Do’, November 15, 2017 ( https://www.whitehouse.gov/articles/improving-making-vulnerability-equities-process-transparent-right-thing/)

[18] ‘The Secret World of Vulnerability Hunters’, The Christian Science Monitor, February 10, 2017, (https://www.csmonitor.com/World/Passcode/2017/0210/The-secret-world-of-vulnerability-hunters)

[19] Id.

[20] ‘The FBI Used a ‘Non-Public’ Vulnerability to Hack Suspects on Tor’, MotherBoard, November 29, 2016, (https://motherboard.vice.com/en_us/article/kb7kza/the-fbi-used-a-non-public-vulnerability-to-hack-suspects-on-tor)

[21] Supra note 18.

[22] ‘How Americans have viewed government surveillance and privacy since Snowden leaks’, Pew Research Centre, June 4, 2018 ( http://www.pewresearch.org/fact-tank/2018/06/04/how-americans-have-viewed-government-surveillance-and-privacy-since-snowden-leaks/)

[23] Jennifer Daskal, ‘Rule 41 Has Been Updated: What’s Needed Next’, JustSecurity, December 5, 2016 (https://www.justsecurity.org/35136/rule-41-updated-needed/); ‘Help Us Stop the Updates to Rule 41’, Electronic Frontier Foundation, June 16, 2016 (https://www.eff.org/deeplinks/2016/06/help-us-stop-updates-rule-41)

[24] ‘The Vulnerabilities of Our Voting Machines’, Scientific American, November 1, 2018 ( https://www.scientificamerican.com/article/the-vulnerabilities-of-our-voting-machines/)

[25] Supra note 1.

[26] Id.

[27] Id.

[28] ‘Shopping For Zero-Days: A Price List For Hackers’ Secret Software Exploits’. Forbes March 23, 2012 ( https://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/#25419cf72660)

[29] In August 2017, Apple launched a $200,000 bug bounty program for finding vulnerabilities in its products. Zerodium, a highly popular online marketplace for vulnerabilities, offered $1.5 million for a “fully functional zero-day exploit” for cracking iOS 10, Apple’s mobile operating system. See Supra note 18.

[30] ‘Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)’, Forbes, Mar 21, 2012 ( https://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/#c54c2d31f745)

[31] Examples include Northrop Grumman Corporation, Vupen Security, Netragard Inc., Endgame, Raytheon etc.

[32] Supra note 28.

[33] Id.

[34] Supra note 18.

[35] Supra note 28.

[36] Supra note 1.

[37] Marcia Hofmann & Trevor Timm, ‘“Zero-day” exploit sales should be key point in cybersecurity debate’, Electronic Frontier Foundation, March 29, 2012 (https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate)

[39] Supra note 30.

[40] Id.

[41] Supra note 18.

[42] ‘Feds Explain Their Software Bug Stash—But Don’t Erase Concern’, Wired, November 15, 2017 (https://www.wired.com/story/vulnerability-equity-process-charter-transparency-concerns/)

[43] Michelle Richardson, ‘Locking in Transparency on the Vulnerabilities Equities Process,’ JustSecurity, July 27, 2018 (https://www.justsecurity.org/59795/locking-transparency-vulnerabilities-equities-process/)

[44] Supra note 2 at 10.

[45] Id at 5.

[46] Michelle Richardson and Mike Godwin, ‘What the White House Needs to Disclose about its Process for Revealing Cybersecurity Vulnerabilities’, JustSecurity, November 2, 2017, (https://www.justsecurity.org/46647/white-house-disclose-process-revealing-cybersecurity-vulnerabilities/)

[47] A black-box exploit examines the functionality of the exploit without peering into the internal structures or workings of the vulnerabilities it is based on. See Gao, Tsao et al, Testing and Quality Assurance for Component-based Software, Artech House. pp. 170 (2003). ISBN 978-1-58053-735-3.

[48] ‘FBI: Sorry, But We’re Keeping the iPhone Crack Secret’, Fortune, April 27, 2016 (http://fortune.com/2016/04/27/fbi-apple-iphone-crack/)

[49] Vulnerabilities Equities Process, Electronic Privacy Information Center, (https://epic.org/privacy/cybersecurity/vep/)

[50] ‘Why Governments Won’t Let Go of Secret Software Bugs’, Wired, May 16, 2017 (https://www.wired.com/2017/05/governments-wont-let-go-secret-software-bugs/)

[51] ‘NSA officials worried about the day its potent hacking tool would get loose. Then it did.’ Washington Post, May 16, 2017 (https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html?utm_term=.57719c9bd5aa)

[52] Id.

[53] ‘The Untold Story of NotPetya, the Most Devastating Cyberattack in History’, Wired, August 22, 2018 (https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ )

[54] ‘How the CIA’s Hacking Hoard Makes Everyone Less Secure’, Wired Security, August 3, 2017 (https://www.wired.com/2017/03/cias-hacking-hoard-makes-everyone-less-secure/)

[55] ‘Vault 7: CIA Hacking Tools Revealed’, WikiLeaks Press Release March 7, 2017 (https://wikileaks.org/ciav7p1/)

[58] Supra note 3 at 15.

[59] Supra note 2, Annex B at 13.

[60] Id.

[61] Supra note 46.

[62] Section 1510 of H.R. 6237 ( https://www.congress.gov/bill/115th-congress/house-bill/6237/text )

[63] Section 721 of S. 3153 ( https://www.congress.gov/bill/115th-congress/senate-bill/3153/text )

The post Taking a Hard Look at the Vulnerabilities Equities Process and its National Security Implications appeared first on Berkeley Technology Law Journal.