No Evidence That Data Breach Privacy Laws Work

Have you ever received a notice that your data privacy has been breached?  What the heck does that mean anyway?  Most of the time what it means is that some piece of information that you wouldn’t normally disclose to others, like a credit card or your social security number, has been released unintentionally, and perhaps maliciously (e.g., stolen).  About five years ago states began passing data breach privacy laws that required authorized possessors of such information to report to victims when a breach occurred.  There were basically two goals for such laws:

  • Provide individuals warning that they may have suffered identity theft, so that they can take some steps to prevent it, like blocking a credit card or monitoring their credit reports; and
  • Provide a more general deterrent by embarrassing companies into behaving better. “Sunlight as a disinfectant,” as Justice Brandeis wrote.[1]

A study conducted by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti at CMU found that, as of yet, no correlation can be found between these laws and identity theft rates.  There could be many reasons why the correlation isn’t there.  First, only a small percentage of the stolen information seems to actually be used.  Second, it may be that just because a light has been shined doesn’t mean that there is anything the consumer will be capable of or willing to do.  For instance, suppose you buy something at your-local-favorite-website.com.  They use a credit card or billing aggregation service that has its data stolen, and so that service reports to you that your data has been stolen.  You might not even understand what that service has to do with you.  Even if you do, what are the chances that you would be willing to not use your-local-favorite-website.com again?  And if you hear about such a break-in from someone else, would it matter to you?  Economists call that last one rational ignorance.  In other words, hear no evil, see no evil.

Add to all of this that some people have said that there are huge loopholes in some of the laws.  At WEIS and elsewhere several not-so-innovative approaches were discussed about how some firms are getting around the need to disclose.

This paper is not the final word on the subject, but clearly work needs to be done to improve these laws so that they have more impact.  As longitudinal studies go, this one isn’t very long.  It’s possible we’ll see benefits further down the road.

[1]  The Brandeis quote can be found in the paper I cited (which is why I used it).

Time to Takedown: Successes and Failures

Takedown is a term used by Internet service providers and law enforcement officials that means the involuntary removal of a computer from the Internet.  For instance, if a computer has been compromised and is attacking other computers, a takedown is seemingly appropriate.  Tyler Moore and Richard Clayton have done some analysis on how long it takes to get a site off the net when it is doing something anti-social.  They look at about six different circumstances: phishing, defamation, child pornography, copyright violation, spam and bot sites, and generally fraudulent web sites.

Not surprisingly, firms such as banks that actively defend their brand are able to expunge hosts serving bogus content the fastest, and service providers are the most cooperative (the numbers cross jurisdictional boundaries).  Sites harboring material that exploits children take 10-100 times longer to remove than the sites banks go after.  That’s an enormous difference.  There are several likely reasons for this difference.  First, banks are acting in their clear best interest and do not mind shouting at whoever they need to shout at to get rid of material.  They’ve also likely developed strong relationships with service providers to speed the process.

The data on child protection is somewhat skewed by a single source, and that source had substantial jurisdictional issues, inasmuch as they did not feel empowered to deal directly with certain governments and service providers outside the UK, and in particular in the United States.  Worse, images that were removed had a tendency to reappear on the very same web sites, indicating that either the site was re-compromised or it was poorly managed or both.

The data points to a clear need for stronger coordination by service providers throughout the world to protect children.  The fact that banks are able to be more successful in removing content that offends them demonstrates that it is possible when self-interest is a factor.

In the area of copyright violation, the RIAA has had success in removing sites that are clearly violating copyrights.  By injecting themselves into P2P networks the RIAA has been able to determine many sources of copyright violation.  The paper does not have a data source to analyze takedown periods.

Courting Disaster: Supreme Court lets guns into DC

I have yet to read the opinion of the Court as to the reasoning of this week’s 2nd amendment ruling, but let’s discuss just one point.  Four justices earlier were upset that the court upheld Habeas Corpus, and the clear basis of their argument was not strict construction, but rather fear of attack.  Those same four justices plus Justice Kennedy made use of strict construction in the DC opinion.  That to me says that at least those four justices are perfectly comfortable with our government “defending” us against others, but they’re not comfortable with the government defending us against each other.  Put another way, we can abuse others as much as we want, but heaven forbid we wish to assert government authority against our own citizenry.

Beware The Supreme Court

Most of the time when you see that headline the next comment talks about abortion or gun control or the death penalty.  But this Supreme Court seems to be after something far more dangerous: its own power.  It’s an axiom in Washington that each branch of government vigorously protects its own constitutional turf.  Not necessarily so with some of the justices, however.

While this Court has at times shown great deference to the President, they have recently repeatedly slapped the administration for overreaching.  This past week the Court handed down two separate decisions that said that the administration cannot hold someone indefinitely under its control – regardless of location – without a hearing before a judge.  In one case, Boumediene v. Bush, the justices affirmed that the Writ of Habeas Corpus (sometimes called the Great Writ) applies to inmates at Guantanamo Bay in spite of the fact that Congress had specifically limited Habeas reviews in the Detainee Treatment Act of 2005.  Anthony Kennedy wrote for a bare majority of five justices that, “To hold that the political branches may switch the Constitution on or off at will would lead to a regime in which they, not this Court, say `what law is.'”  They arrived at this conclusion having determined that those acting under color of authority of the United States are subject to the limits of the Constitution.  Doesn’t this seem brilliantly obvious?

Our problems reside in what the other four justices were thinking.  Justice Roberts hides behind an abused procedure to keep these people prisoners, and then mischaracterizes Combatant Status Review Tribunals (CSRTs) as sufficing for purposes of Habeas review.  Sadly former participants of that review have said in open court precisely that it is inadequate.  We don’t know because they’re secret.

Justice Scalia went further, arguing the end of the world in the first section of his opinion, because, he argues, what the Court has done is to strip the government of mechanisms necessary to protect the United States.  Like torture?  Holding someone indefinitely without any judicial review?  If Justice Scalia believes such a system would be to his liking, perhaps he would prefer to live in Zimbabwe where such thinking is enacted on a daily basis.  Of course he doesn’t have to go anywhere near so far, as the third consecutive decision of this Court to require reasonable review has as yet not caused a single prisoner to be released or even reviewed by a judge.

The Court for a long time has attempted to shy away from deciding laws on constitutional grounds.  Much better to use more limited methods of finding conflicting law or a narrow interpretation that squeezes through any bars put forth by the Writ.  Here, however, the situation was simple: the U.S. controlled the prisoners, and the prisoners were not given by any reasonable characterization a meaningful review.  The Court then gets to decide whether or not Habeas is to be enforced.  Four justices have chosen to ignore Marbury v. Madison in favor of expediency, or a doctrine of President as king.  Neither bodes well for separation of powers.

Oil and Us: Friedman gets it right (for once)

While I don’t think much of some of his other opinions I found this piece by Thomas Friedman of the New York Times very much aligned with my own thinking.  At some point or another we will have to come to terms with actually conserving energy.  In the meantime, however, there is a game going on, and the world consumer is a participant, whether we like it or not.  Things you can do to not play include these:

  • Don’t travel
  • Telecommute
  • Don’t use air conditioning
  • Live in a house or apartment with good insulation

It was about 29°C outside and 23° inside my home office as I wrote this post.  Here’s a little piece of humor I alluded to earlier: we have two gas guzzling cars, but how much does it matter if you don’t drive them?  That first bullet is hard for me and for our family, with relatives and friends so far away.  My recollection is that an efficient airplane gets you about 20-30 passenger miles per gallon of fuel.  As I travel to New Hampshire this week that will be a round trip distance of over 7,500 miles, which equates to about 250 gallons of fuel.  Put another way, I normally use about 13 gallons of fuel per month in my car, and so one plane trip to the United States is greater than my entire year’s use of gasoline.  This is one of five trips I’ll make across the pond this year, never mind those we’ve caused relatives to make.  I’m as bad as the next person, I suppose.