Abstract: Late in 2005, Sony BMG released millions of Compact Discs containing digital rights management technologies that threatened the security of its customers' computers and the integrity of the information infrastructure more broadly. This Article aims to identify the market, technological, and legal factors that appear to have led a presumably rational actor toward a strategy that in retrospect appears obviously and fundamentally misguided. The Article first addresses the market-based rationales that likely influenced Sony BMG's deployment of these DRM systems and reveals that even the most charitable interpretation of Sony BMG's internal strategizing demonstrates a failure to adequately value security and privacy. After taking stock of the then-existing technological environment that both encouraged and enabled the distribution of these protection measures, the Article examines law, the third vector of influence on Sony BMG's decision to release flawed protection measures into the wild, and argues that existing doctrine in the fields of contract, intellectual property, and consumer protection law fails to adequately counter the technological and market forces that allowed a self-interested actor to inflict these harms on the public. The Article concludes with two recommendations aimed at reducing the likelihood of companies deploying protection measures with known security vulnerabilities in the consumer marketplace. First, Congress should alter the Digital Millennium Copyright Act (DMCA) by creating permanent exemptions from its anti-circumvention and antitrafficking provisions that enable security research and the dissemination of tools to remove harmful protection measures. Second, the Federal Trade Commission should leverage insights from the field of human computer interaction security (HCI-Sec) to develop a stronger framework for user control over the security and privacy aspects of computers.
Keywords: DRM, TPM, copy protection, HCI-Sec, rootkit, copyright, DMCA, security
Abstract: Administrative agencies increasingly rely on technology to achieve substantive goals. Often this technology is employed to collect, exchange, manipulate and store personally identifiable information, raising serious concerns about the erosion of personal privacy. Congress has recognized this problem. In the E-Government Act of 2002, it required administrative agencies to conduct privacy impact assessments (PIAs) when developing or procuring technology systems that handle personal information. Despite this new requirement, however, agency adherence to privacy mandates is highly inconsistent. In this paper, we ask why. We first explore why both process requirements and traditional means of political oversight are often weak tools for ensuring that policy reflects privacy commitments. We then consider what factors might, by contrast, promote agency consideration of privacy concerns. Specifically, we compare decisions by two federal agencies - the Department of State and the Department of Homeland Security - to use RFID technology, which allows a wireless-access data chip to be attached to or inserted into a product, animal, or person. These two cases suggest the importance of internal agency structure, culture, and personnel, as well as alternative forms of external oversight, interest group engagement, and professional expertise, as important mechanisms for ensuring bureaucratic accountability to the secondary privacy mandate imposed by Congress. The analysis speaks to debates in both public administration and privacy protection. It implicates disputes over the efficacy of external controls on bureaucracy, and the less-developed literature on opening the black box of administrative decisionmaking. It further offers insight into pre-conditions necessary to advance privacy commitments in the face of social and bureaucratic pressure to manage risk by collecting information about individuals. 
Finally, it offers specific proposals for policy reform intended to promote agency accountability to privacy goals.
Keywords: Privacy, Administrative Law, Regulation, Decisionmaking, Accountability, Department of Homeland Security, Department of State, Administrative Agencies, Technology, RFID, Privacy Impact Assessment, PIA, E-Government Act, e-Passport, US-VISIT
Abstract: In the wake of the California energy crisis of 2000-2001, the California Energy Commission and California Public Utilities Commission are aggressively pursuing "demand response" energy programs aimed at reducing peak energy demand. Demand response systems convey information about market conditions through pricing or reliability signals to customers, who in turn, hopefully, alter their electricity consumption choices. One complication with such systems is that they radically increase the amount of information about activities inside the home that the electricity company can see. In some parts of California, smart meters are being installed that will send information in intervals ranging from 15 minutes to one hour. This is 750-3000 times more information than the monthly meter read that has been the norm for many years. The case law generally considers information held by utilities to be "business records," subject to far less privacy protections than information kept inside the home. In this Article, Deirdre Mulligan and Jack Lerner argue that courts and policymakers should take "the long view" of technology that reveals information about activities inside the home, and give greater protection to such information - whether it is held by utilities or by an individual.
Keywords: fourth amendment, privacy, probable cause, energy, utilities, utility, kyllo, demand response, electricity, demand/response, smart meters
© 2009 Social Science Electronic Publishing, Inc. All Rights Reserved.