<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>andyblair.com</title>
	<atom:link href="http://www.andyblair.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.andyblair.com</link>
	<description>saving the world, one post at a time</description>
	<lastBuildDate>Tue, 10 Apr 2012 18:25:21 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Why Internet Policymaking is Currently Failing</title>
		<link>http://www.andyblair.com/2012/04/10/why-internet-policymaking-is-currently-failing/</link>
		<comments>http://www.andyblair.com/2012/04/10/why-internet-policymaking-is-currently-failing/#comments</comments>
		<pubDate>Tue, 10 Apr 2012 17:20:05 +0000</pubDate>
		<dc:creator>andy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.andyblair.com/?p=69</guid>
		<description><![CDATA[With its report on protecting consumer privacy, the FTC proposed a multistakeholder process for developing industry self-regulation. The NTIA published a request for comments to solicit ideas on how the multistakeholder process should work. The RFC has received quite a bit of attention, receiving over 80 comments so far. The US Chamber of Commerce submitted [...]]]></description>
			<content:encoded><![CDATA[<p>With its <a href="http://www.ftc.gov/os/2012/03/120326privacyreport.pdf">report on protecting consumer privacy</a>, the FTC proposed a multistakeholder process for developing industry self-regulation. The NTIA published a <a href="http://www.ntia.doc.gov/files/ntia/publications/fr_privacy_rfc_notice_03052012_0.pdf">request for comments</a> to solicit ideas on how the multistakeholder process should work.</p>
<p>The RFC has received quite a bit of attention, <a href="http://www.ntia.doc.gov/federal-register-notice/2012/comments-multistakeholder-process">receiving over 80 comments so far</a>. The US Chamber of Commerce submitted <a href="http://www.ntia.doc.gov/files/ntia/us_chamber_comments.pdf">its comments</a> on April 2nd, which go directly to the heart of why SOPA failed and why Internet users are resisting CISPA and skeptical of other Internet-related laws coming out of Congress. The Chamber&#8217;s comments are only about 5 pages, making only about five points, but most of their effort is spent on the first comment, which is the most telling.<span id="more-69"></span></p>
<p>According to the Chamber, the multistakeholder process will be most effective if &#8220;parts are conducted in private and off-the-record.&#8221; The ideal process as described in the comment:</p>
<blockquote><p>&#8220;Once an issue is identified, industry should conduct private and off the record sessions to develop proposals to address the issue. Frank open, but confidential, discussions are necessary to determine a practical resolution. Businesses will not, and should not be expected to, reveal proprietary information or trade secrets about their practices in public to groups that may leak such information to the press, issue critical statements designed to influence the outcome of the deliberations, file complaints with federal agencies and/or bring class action suits against the same companies that are conscientiously engaged in the multi-stakeholder process.&#8221;</p></blockquote>
<p>The Chamber goes on to say that codes of conduct are not regulatory undertakings and that &#8220;companies operating in a competitive marketplace are most likely to be productive when there is ample room for private and candid discussion.&#8221;</p>
<p>This comment embodies the heart of the policy struggles that the content industry and groups such as the Chamber keep facing in implementing Internet laws and regulations. If you read the comment, there is a major piece missing &#8211; the public. The approach suggested by the Chamber replaces &#8220;stakeholder&#8221; with &#8220;industry&#8221; and would shut users out of the room in order to determine rules to govern an industry where the harm we are trying to solve is user privacy. This approach is often echoed by the MPAA, RIAA, Congress, and other industry lobbying groups active in recent Internet policymaking efforts. (see MPAA chief Chris Dodd&#8217;s recent <a href="http://www.hollywoodreporter.com/news/mpaa-christopher-dodd-sopa-bully-harvey-weinstein-ratings-308359">Hollywood Reporter interview</a> where his solution to the failure of SOPA is &#8220;the two <em><span style="text-decoration: underline;">industries</span></em> need to come to an understanding&#8221; without any nod to the public)</p>
<p>How on earth can you expect to adequately address user privacy if no one advocating users is in the room? Users are <em>the core stakeholders</em> in the multistakeholder process &#8211; it is users we are trying to protect, and they are the only indispensable stakeholders to a meaningful process. To suggest shutting users out of the room in determining privacy rules that affect users more than any other stakeholder is terribly misguided.</p>
<p>This is the heart of the problem with supporters of SOPA, CISPA and similar bills. Internet users have realized they can make an impact in policymaking. The sleeping giant is awake. When lawmakers and organizations blatantly ignore users as key stakeholders the Internet resists.</p>
<p>The key difference here is that users are not shills for Google, Wikipedia or &#8220;Silicon Valley.&#8221; Users have their own interests and their own rights and their own voice. The same users that joined Wikipedia and Google in opposing SOPA criticize Google heavily for their privacy policy changes and Wikipedia for its often-frustrating editor culture. The interests and rights of users must be considered distinctly from those of any industry. Users &#8211; the public &#8211; are a distinct stakeholder. Newly empowered, users will resist being shut out of decisions that severely impact their use of the Internet.</p>
<p>This lesson will eventually be learned, but the sooner the Chamber and others active in Internet policymaking understand and include users as an equal stakeholder, the sooner we can implement policies that protect the rights and enable success of businesses, rightsholders, and users. Hopefully the NTIA and FTC realize this and will ensure that a truly successful privacy framework is not possible without the public and ensure that the public is fully represented throughout the process.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andyblair.com/2012/04/10/why-internet-policymaking-is-currently-failing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On Re-Dancing Dances</title>
		<link>http://www.andyblair.com/2012/04/06/on-re-dancing-dances/</link>
		<comments>http://www.andyblair.com/2012/04/06/on-re-dancing-dances/#comments</comments>
		<pubDate>Fri, 06 Apr 2012 13:22:53 +0000</pubDate>
		<dc:creator>andy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.andyblair.com/?p=66</guid>
		<description><![CDATA[So apparently we don&#8217;t need CISPA to be the &#8220;new SOPA.&#8221;  According to MPAA chief Chris Dodd, SOPA itself may rise from the grave, telling the Hollywood Reporter that he is &#8220;confident&#8221; conversations are occurring that could result in &#8220;an understanding&#8221; between the technology industry and Hollywood. The striking thing here is that the underlying assumption [...]]]></description>
			<content:encoded><![CDATA[<p>So apparently we don&#8217;t need CISPA to be the &#8220;new SOPA.&#8221;  According to MPAA chief Chris Dodd, SOPA itself may rise from the grave, <a href="http://www.hollywoodreporter.com/news/mpaa-christopher-dodd-sopa-bully-harvey-weinstein-ratings-308359">telling the <em>Hollywood Reporter</em></a> that he is &#8220;confident&#8221; conversations are occurring that could result in &#8220;an understanding&#8221; between the technology industry and Hollywood.</p>
<p>The striking thing here is that the underlying assumption is that SOPA was a battle between Silicon Valley and Hollywood.  The problem is that this really wasn&#8217;t the case.  The protests and Internet blackout day were really user driven.  It started on the Internet bulletin board site Reddit and was picked up by other tech firms, but the driving force was not Google or Wikipedia but Internet users.  Industry insiders and Capitol Hill types don&#8217;t seem to understand this and will keep bumbling into PR disasters until they do.</p>
<p>Dodd&#8217;s comment on discussions around SOPA emphasizes this point.  A &#8220;deal&#8221; between Silicon Valley and Hollywood is almost guaranteed to fail.  The SOPA uprising was not just a protest against the text of the bill but a protest against backroom deals that ignore interests critical to the biggest stakeholder involved &#8211; the public.  You can&#8217;t fix that with a backroom &#8220;deal&#8221; with Silicon Valley.</p>
<p>While &#8220;the Internet&#8221; does not wake often, it is paying attention to the SOPA issue.  Until the rightsholder lobby understands that it is not an industry v. industry fight they are going to continue to have serious problems with enforcement legislation.  The rightsholder lobby&#8217;s inability to understand the SOPA backlash is unfortunate.  There are productive things that could be done to protect content without trampling on the rights of Internet users but these solutions are not going to happen while rightsholders are viewing this as a Silicon Valley v. Hollywood battle.</p>
<p>Maybe a SOPA rehash supported by the tech industry would be a good thing.  It might be a good platform for the lesson that the public is an independent stakeholder that needs to be considered.  If Silicon Valley supports a bill but &#8220;the Internet&#8221; nonetheless rebels against it, rightsholders may finally get the idea and we can get to working on productive solutions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andyblair.com/2012/04/06/on-re-dancing-dances/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Didn&#8217;t We Just Dance This Number?</title>
		<link>http://www.andyblair.com/2012/04/06/didnt-we-just-dance-this-number/</link>
		<comments>http://www.andyblair.com/2012/04/06/didnt-we-just-dance-this-number/#comments</comments>
		<pubDate>Fri, 06 Apr 2012 12:39:17 +0000</pubDate>
		<dc:creator>andy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.andyblair.com/?p=61</guid>
		<description><![CDATA[Agitation is brewing once again over a proposed law on Capitol Hill that could affect millions of Internet users.  The Cyber Intelligence Sharing and Protection Act (CISPA), HR 3523, is designed to facilitate sharing between private entities and the government.  However, the bill has caused significant concern over ISPs sharing the private communications of their [...]]]></description>
			<content:encoded><![CDATA[<p>Agitation is brewing once again over a proposed law on Capitol Hill that could affect millions of Internet users.  The Cyber Intelligence Sharing and Protection Act (CISPA), HR 3523, is designed to facilitate sharing between private entities and the government.  However, the bill has caused significant concern over ISPs sharing the private communications of their users with the NSA or DoD.</p>
<p><a href="https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=8444">According to the EFF</a>, the bill &#8220;effectively creates a &#8216;cybersecurity exemption&#8217;&#8221; to laws that restrict sharing private information with the government.  The <a href="https://www.cdt.org/blogs/greg-nojeim/112cyber-intelligence-bill-threatens-privacy-and-civilian-control">CDT joins in</a>, stating that the bill &#8220;permit[s] ISPs to funnel private communications and related information back to the government without adequate privacy protections and controls.  The bill does not specify which agencies ISPs could disclose customer data to, but the structure and incentives in the bill raise a very real possibility that the National Security Agency or the DOD&#8217;s Cybercommand would be the primary recipient.&#8221;</p>
<p>News of the bill is <a href="http://www.techdirt.com/articles/20120402/04425118325/forget-sopa-you-should-be-worried-about-this-cybersecurity-bill.shtml">bubbling</a> <a href="http://www.digitaltrends.com/web/watch-out-washington-cispa-replaces-sopa-as-internets-enemy-no-1/">around</a> <a href="http://www.infowars.com/cispa-hr-3523-the-new-sopa/">the</a> <a href="http://blog.experts-exchange.com/ee-tech-news/sopa-pipa-cispa-privacy-national-security/">blogosphere</a>, being tagged as the &#8220;<a href="http://www.infowars.com/cispa-hr-3523-the-new-sopa/">new SOPA</a>&#8221; or &#8220;son of SOPA&#8221; in many cases.  Major news media have not yet taken notice, but this is the first controversial technology bill since SOPA so it seems likely that at some point the mainstream will pick up the story.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andyblair.com/2012/04/06/didnt-we-just-dance-this-number/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Groundswell of Opposition to Employer Social Network Disclosures</title>
		<link>http://www.andyblair.com/2012/04/06/groundswell-of-opposition-to-employer-social-network-disclosures/</link>
		<comments>http://www.andyblair.com/2012/04/06/groundswell-of-opposition-to-employer-social-network-disclosures/#comments</comments>
		<pubDate>Fri, 06 Apr 2012 02:23:46 +0000</pubDate>
		<dc:creator>andy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.andyblair.com/?p=58</guid>
		<description><![CDATA[After drawing extensive media attention, the practice of employers asking job candidates to divulge social networking passwords looks to be on its way out.  Congress has taken interest, Facebook has threatened litigation, and states have introduced bills to ban the practice. While clearly destined to cause controversy, the prospect of digging in to candidate&#8217;s profiles [...]]]></description>
			<content:encoded><![CDATA[<p>After drawing extensive media attention, the practice of employers asking job candidates to divulge social networking passwords looks to be on its way out.  Congress <a href="http://www.congress.org/news/is-it-legal-to-ask-job-seekers-their-facebook-passwords/">has taken interest</a>, Facebook has threatened litigation, and states <a href="http://www.katu.com/politics/Wash-senator-introduces-Facebook-password-bill-146188715.html">have introduced bills</a> to ban the practice.</p>
<p>While clearly destined to cause controversy, the prospect of digging in to candidates&#8217; profiles was too tempting to resist.  Personality tests and applications can only tell you so much about a candidate &#8211; who is certainly answering questions how they think the employer wants them to be answered.  Seeing the &#8220;real&#8221; candidate is a potential gold mine to weed out potentially problematic employees.</p>
<p>The question I have is why even mess with this?  Looking through a Facebook profile is almost never going to give any indication of whether an employee is reliable or not.  HR managers are not trained as sociologists or psychologists.  Any conclusions are basically pure speculation.  Plus, if the candidate happens to be in a protected class, you run into the problem of knowing that &#8211; potentially exposing yourself to discrimination liability.</p>
<p>And practically, are the employers really any different?  If they had their personal lives rummaged through how would they compare?  Yet the prospect of getting a &#8220;real&#8221; look at job candidates&#8217; personalities and potential skeletons in their closet has proven too tempting.</p>
<p>Hopefully employers get the message and voluntarily stop the practice, but legislation seems likely in at least some states.  Unfortunately this might end up in a patchwork of laws similar to data breach notification laws where 46 states have 46 similar but not identical laws that cause headaches for anyone trying to comply nationwide.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andyblair.com/2012/04/06/groundswell-of-opposition-to-employer-social-network-disclosures/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Facebook, Legislators Fight Back Against Employers Seeking Passwords</title>
		<link>http://www.andyblair.com/2012/03/28/facebook-legislators-fight-back-against-employers-seeking-passwords/</link>
		<comments>http://www.andyblair.com/2012/03/28/facebook-legislators-fight-back-against-employers-seeking-passwords/#comments</comments>
		<pubDate>Wed, 28 Mar 2012 17:51:19 +0000</pubDate>
		<dc:creator>andy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.andyblair.com/?p=54</guid>
		<description><![CDATA[It looks like both Facebook and legislators are taking notice of the increasing practice of asking job applicants for online passwords. Senators Schumer and Blumenthal have asked for a DoJ investigation.  Facebook has also spoken out against the practice, going so far as to threaten legal action.  Illinois now has proposed legislation banning the practice. If [...]]]></description>
			<content:encoded><![CDATA[<p>It looks like both Facebook and legislators are taking notice of the increasing practice of asking job applicants for online passwords.</p>
<p>Senators Schumer and Blumenthal have <a href="http://www.nytimes.com/2012/03/26/technology/senators-want-employers-facebook-password-requests-reviewed.html">asked for a DoJ investigation.</a>  Facebook has also <a href="http://www.huffingtonpost.com/2012/03/23/facebook-employer-employee-passwords_n_1375020.html">spoken out</a> against the practice, going so far as to threaten legal action.  Illinois now has <a href="http://www.ilga.gov/legislation/97/HB/PDF/09700HB3782lv.pdf">proposed legislation</a> banning the practice.</p>
<p>If the recent responses are any indication, this practice may not be long for this world.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andyblair.com/2012/03/28/facebook-legislators-fight-back-against-employers-seeking-passwords/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Follow up to Providing Passwords to Potential Employers</title>
		<link>http://www.andyblair.com/2012/03/22/follow-up-to-providing-passwords-to-potential-employers/</link>
		<comments>http://www.andyblair.com/2012/03/22/follow-up-to-providing-passwords-to-potential-employers/#comments</comments>
		<pubDate>Thu, 22 Mar 2012 17:50:18 +0000</pubDate>
		<dc:creator>andy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.andyblair.com/?p=49</guid>
		<description><![CDATA[Techdirt has an article today on a proposed law prohibiting companies from asking for login information (I haven&#8217;t read the text of the bill so not sure exactly what it prohibits). An &#8220;anonymous coward&#8221; commenter poses an interesting question: Here&#8217;s the real question: If I have my marital status, my religion, my age, or [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.techdirt.com/articles/20120321/14383118190/should-we-outlaw-employers-asking-social-networking-logins.shtml">Techdirt has an article today</a> on a proposed law prohibiting companies from asking for login information (I haven&#8217;t read the text of the bill so not sure exactly what it prohibits).</p>
<p>An &#8220;anonymous coward&#8221; commenter poses an interesting question:</p>
<blockquote><p>Here&#8217;s the real question:<br />
If I have my marital status, my religion, my age, or DoB listed on my Facebook page, and I give my login to an HR person screening me, could it be argued that because they did not have access to that information prior to employment, they in effect &#8220;asked&#8221; for it, which is a violation of discrimination laws as it relates to employment?</p></blockquote>
<p>I don&#8217;t know whether or not asking for social media credentials actually violates discrimination laws.  If so it seems like an interesting argument to try.  Again &#8211; no idea if this would work (read: not legal advice) but a creative approach.</p>
<p>A &#8220;John Doe&#8221; follows up pointing out that many companies&#8217; IT security policies prohibit sharing corporate user IDs with anyone (which from a non-legal security perspective should be universal).  Would the company be ok with someone else demanding your corporate credentials in exchange for something?  There are all sorts of &#8220;it&#8217;s different&#8221; arguments citing corporate secrets, duties of loyalty, personal info isn&#8217;t valuable, etc&#8230; but frankly none of them fly with me.</p>
<p>If it were the CIA or another very security-conscious organization this would be an interesting test of applicants.  If the applicant says absolutely not, perhaps that indicates the sort of security awareness and integrity you want.  If they give up secrets because they think it&#8217;s the &#8220;right&#8221; answer or might get them the job perhaps they are more vulnerable to bribery/extortion of secrets.  Hardly conclusive but I would not be surprised to see the strategy used.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andyblair.com/2012/03/22/follow-up-to-providing-passwords-to-potential-employers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Social Media Password Dilemma</title>
		<link>http://www.andyblair.com/2012/03/21/the-social-media-password-quagmire/</link>
		<comments>http://www.andyblair.com/2012/03/21/the-social-media-password-quagmire/#comments</comments>
		<pubDate>Wed, 21 Mar 2012 01:26:41 +0000</pubDate>
		<dc:creator>andy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.andyblair.com/?p=42</guid>
		<description><![CDATA[A couple of weeks back, a Minnesota girl sued her school district for forcing her to divulge her Facebook password so the school could look at her private posts.  There are similar stories of job candidates, college applicants, and intercollegiate athletes being required to share their passwords so their accounts can be screened or monitored [...]]]></description>
			<content:encoded><![CDATA[<p>A couple of weeks back, a Minnesota girl <a href="http://www.huffingtonpost.com/2012/03/11/minnesota-girl-facebook-password_n_1337712.html">sued her school district</a> for forcing her to divulge her Facebook password so the school could look at her private posts.  There are similar stories of job candidates, college applicants, and intercollegiate athletes being required to share their passwords so their accounts can be screened or monitored for disagreeable content.</p>
<p>The wrinkle in all this that doesn&#8217;t seem to get much press is that sharing your password with anyone is a violation of <a href="http://www.facebook.com/legal/terms">Section 4.8 of Facebook&#8217;s terms of service</a>.  Many other social networks have similar provisions.</p>
<p>At this point, most people are probably just relenting because it just isn&#8217;t worth risking losing a job opportunity or athletic scholarship.  There is a natural imbalance of power at work that creates pressure to not fight the authoritative request.</p>
<p>The practical implications of this sort of breach of contract are probably minimal.  The worst Facebook would do is terminate your account, something they have little incentive to do given all the money you make them as a user.  However, given <a href="http://en.wikipedia.org/wiki/United_States_v._Lori_Drew">the Lori Drew case</a>, there is at least the potential for severe consequences.  (tl;dr the Lori Drew argument was that by breaking the terms of service the user loses authorization to access the service and as such is hacking &#8211; it didn&#8217;t work but the argument will probably be used again)</p>
<p>It seems like a valid response to refuse to provide your password on the grounds that doing so would necessitate breaching a contract.  I&#8217;d like to see (and will try and look up if I have some time) whether you can be forced to break a contract in order to get a job/play a sport/get into college/etc&#8230;  Perhaps the argument is really that you can&#8217;t get punished for refusing to break a legally binding contract.  Is there a difference if it is a government request (1A/4A/14A considerations)?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andyblair.com/2012/03/21/the-social-media-password-quagmire/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hyperbolic Rhetoric on Cybersecurity Legislation</title>
		<link>http://www.andyblair.com/2012/03/17/this-is-the-rhetoric-im-talking-about/</link>
		<comments>http://www.andyblair.com/2012/03/17/this-is-the-rhetoric-im-talking-about/#comments</comments>
		<pubDate>Sat, 17 Mar 2012 18:36:01 +0000</pubDate>
		<dc:creator>andy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.andyblair.com/?p=37</guid>
		<description><![CDATA[Per my last post assessing whether or not cybersecurity legislation has any chance of solving all of the problems that are being cited in support of the bills (hint &#8211; it doesn&#8217;t), the Hillicon Valley blog has this: &#8220;Think about how many people could die if a cyber terrorist attacked our air traffic control system and planes [...]]]></description>
			<content:encoded><![CDATA[<p>Per my last post assessing whether or not cybersecurity legislation has any chance of solving all of the problems that are being cited in support of the bills (hint &#8211; it doesn&#8217;t), the <a href="http://thehill.com/blogs/hillicon-valley/technology/216519-alarming-rhetoric-used-in-push-for-cybersecurity-bills">Hillicon Valley blog</a> has this:</p>
<blockquote><p>&#8220;Think about how many people could die if a cyber terrorist attacked our air traffic control system and planes slammed into one another,&#8221; Sen. Jay Rockefeller (D-W. Va.) testified at a Homeland Security and Government Affairs Committee hearing last month. &#8220;Or if rail-switching networks were hacked — causing trains carrying people, or hazardous materials — to derail and collide in the midst of some of our most populated urban areas, like Chicago, New York, San Francisco or Washington.&#8221;<span id="more-37"></span></p></blockquote>
<p>Wow.  The first &#8220;threat&#8221; &#8211; running planes into each other &#8211; is nearly infinitesimally unlikely.  Not only would you have to take over the system, you&#8217;d have to somehow prevent the real controllers and the pilots from communicating (or successfully plant an insider) and feed them false information to keep them from figuring out what is going on.   You would then have to direct 2 planes to be in the same point in 3-dimensional space-time (not easy) while overriding the <a href="http://en.wikipedia.org/wiki/Traffic_collision_avoidance_system">collision avoidance system</a> and keeping the pilots from seeing with their own eyeballs (hard to hack) that they are about to run into another plane.</p>
<p>Someone good enough to do all of that is not going to be stopped by passing the Cybersecurity Act of 2012.   The train scenario is a little more plausible, but nearly as many things would have to go right in order to crash trains into each other.</p>
<p>If our goal is to make our critical infrastructure systems as secure as possible, the best way to do that is to evaluate vulnerabilities and solutions realistically.  There is a lot of rhetoric all over the place in the cybersecurity debate.  At best it is misleading as to the actual benefits of passing legislation and at worst it creates false complacency that if we pass a bill, everything will be ok.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andyblair.com/2012/03/17/this-is-the-rhetoric-im-talking-about/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>But does it work?</title>
		<link>http://www.andyblair.com/2012/03/14/but-does-it-work/</link>
		<comments>http://www.andyblair.com/2012/03/14/but-does-it-work/#comments</comments>
		<pubDate>Wed, 14 Mar 2012 03:36:23 +0000</pubDate>
		<dc:creator>andy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.andyblair.com/?p=35</guid>
		<description><![CDATA[Still on the cybersecurity legislation kick.  One big issue I have with the rhetoric surrounding both of the Senate bills (S.2105 and S.2151) is that it is highly unlikely that either one of them will do much to prevent the catastrophic doom their supporters are predicting in support of passing cybersecurity legislation. For example, the [...]]]></description>
			<content:encoded><![CDATA[<p>Still on the cybersecurity legislation kick.  One big issue I have with the rhetoric surrounding both of the Senate bills (S.2105 and S.2151) is that it is highly unlikely that either one of them will do much to prevent the catastrophic doom their supporters are predicting in support of passing cybersecurity legislation.</p>
<p>For example, the <a href="http://www.hsgac.senate.gov/hearings/securing-americas-future-the-cybersecurity-act-of-2012">testimony at the Senate hearing on S.2105</a> (Cybersecurity Act of 2012) saw repeated warnings of catastrophic potential harm if we don&#8217;t act now.  Commerce Secretary John Dyson wrote a recent <a href="http://www.politico.com/news/stories/0312/73785_Page2.html">op-ed in Politico</a> playing up the threat of corporate espionage to support the passage of &#8220;cybersecurity reform.&#8221;  But let&#8217;s take a quick look at what the bill does to see if it could actually stop the corporate espionage, cyber warfare capabilities, and other hacks that are all about to bring down the country.</p>
<p>The Cybersecurity Act basically sets minimum &#8220;performance requirements&#8221; for critical infrastructure owners and creates some educational and awareness programs around cybersecurity.  The regulatory regime is based around third party annual assessments testing compliance with applicable sector-specific performance requirements.  <span id="more-35"></span></p>
<p>Ok, so what are the issues with such an approach?</p>
<p>1. A regulatory approach is inherently retrospective.</p>
<p>So basically the Cybersecurity Act requires going out once a year and testing compliance with standards set at some point in the past &#8211; an inherently backward-looking process that will necessarily always trail the leading edge of technology.  After all, we have to know about a threat in order to write a rule requiring protecting against it, then have to wait until the next compliance cycle comes around before there are any consequences to failing to protect against the threat.</p>
<p>2. Vague performance requirements will have to balance bureaucracy, clarity, complyability, and security</p>
<p>Some supporters of the Cybersecurity Act tout its &#8220;light touch&#8221; approach that focuses not on specific regulations but on &#8220;performance requirements.&#8221;  No one has actually said yet what these performance requirements will look like &#8211; just that they will be nonspecific enough that they will not be telling critical infrastructure owners what firewall to buy or what software to run.</p>
<p>However, these requirements need to provide enough clarity that regulated parties know what is required of them.  They will be passed and maintained by the federal bureaucracy with all of its quirks, they will have to be written in a way that they can actually be complied with (i.e. not NSA-grade), and will have to actually provide security.  This is a tall order and one I don&#8217;t think any government agency is up to.</p>
<p>3. Regulations just can&#8217;t protect against the threats being sold</p>
<p>Let&#8217;s face it: persistent attackers who are talented and well-funded are going to break into our systems.  Attacks on sophisticated networks succeed because defense is a lot harder than offense.  I don&#8217;t necessarily agree with the <a href="http://www.hsgac.senate.gov/hearings/securing-americas-future-the-cybersecurity-act-of-2012">Senate hearing testimony of Stewart Baker</a> that HBGary, RSA, and other security companies are significantly harder to hack than others, but even a sophisticated defender is not guaranteed to keep attackers out.</p>
<p>You just can&#8217;t regulate your way to preventing the cyberattacks we are being warned about.  A compliance floor can be set, but that floor will never be perfect and is highly unlikely to be more stringent than the security measures HBGary, RSA, and others already had in place.  Yet they were hacked.  To cite horrible vulnerabilities and then stump for cybersecurity legislation creates the impression that the legislation will prevent the resulting harms.  That impression is a false sense of security, and it has the potential to be more harmful than helpful.</p>
<p>Contrary to the tone of this post, I don&#8217;t think regulations are a bad idea.  Regulations can do a lot to remove low-hanging fruit from the reach of cyber attackers.  However, we need to be realistic about the ability of legislation to secure critical infrastructure against persistent and talented aggressors, and the reality is that it can&#8217;t.  I have a few ideas that I will put forth in later posts, but the issue here is not that regulations can&#8217;t help; it is that the idea being sold is that all we need to do is pass a law and we will be secure, and that is a long way from the truth.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andyblair.com/2012/03/14/but-does-it-work/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Quick cost of a fill up calculation</title>
		<link>http://www.andyblair.com/2012/03/09/quick-cost-of-a-fill-up-calculation/</link>
		<comments>http://www.andyblair.com/2012/03/09/quick-cost-of-a-fill-up-calculation/#comments</comments>
		<pubDate>Fri, 09 Mar 2012 15:49:11 +0000</pubDate>
		<dc:creator>andy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.andyblair.com/?p=30</guid>
		<description><![CDATA[Listening to NPR talk about the Republican presidential candidates talk about getting back to $2.50/gal gas and President Obama saying that isn&#8217;t going to happen, I wondered about the cost of an all-electric tank of gas. This all depends on developing battery technology that would support long-range driving and improvement in recharge times (or some [...]]]></description>
			<content:encoded><![CDATA[<p>Listening to NPR talk about the Republican presidential candidates talk about getting back to $2.50/gal gas and <a href="http://politics.blogs.foxnews.com/2012/03/07/president-obama-takes-swipe-gingrich">President Obama saying that isn&#8217;t going to happen</a>, I wondered about the cost of an all-electric tank of gas.</p>
<p>This all depends on developing battery technology that would support long-range driving and improvement in recharge times (or some sort of battery pack swap out system) &#8211; the Chevy Volt has an EPA estimated range of 35 miles electric-only and the Tesla Roadster claims over 200, but <a href="http://blog.caranddriver.com/tesla%E2%80%99s-244-mile-range-what-up-with-dat/">some question that assertion</a>.</p>
<p>So, assuming technology works out the kinks of range and recharge, how much would it cost to &#8220;fill up&#8221; an electric car to drive 350 miles (guesstimate at average range of gas-powered cars)?  At current rates, electricity runs consumers somewhere around $.10/kWh.  The Chevy Volt range estimates are based on a 36 kWh/100 miles calculation and the soon-to-be-released Tesla S hovers around 25.</p>
<p>Using the less generous Volt calculations, it takes about 126 kWh to go 350 miles.  At $.10/kWh, that would be about $12.60 in electricity to fill your tank.  It would take almost 12 gallons for a 30mpg car to go the same distance.  At a generous $3.50/gal, that is about $42.00 for a gas car to go the same distance.</p>
<p>When you add in that electric cars don&#8217;t need spark plugs, hoses, belts, oil changes, or muffler work, the maintenance costs should be considerably less (or at least less frequent) over the lifetime of an electric vehicle.</p>
<p>So why aren&#8217;t we putting our full weight behind converting to an all-electric fleet of cars in the US rather than arguing over whether and where we need to drill and who can keep gas prices lowest?  It will probably take a good 20 years to fully convert, but it seems like a no-brainer.  The sooner we start, the sooner we get there and get to stop worrying about gas prices.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andyblair.com/2012/03/09/quick-cost-of-a-fill-up-calculation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

