Ariel Rabkin
Making internet freedom mountains out of Chinese molehills
[Commentary] On Jan 4, it was announced that the New York Times app for Apple devices would no longer be available in China. This is notable, because the Times app bypassed Chinese internet censorship, and so Apple is meaningfully reducing Chinese access to unfiltered media.
According to Apple, this action was in response to a declaration by the Chinese government that the app violates local law. The story has been widely reported and has caused some concern about the precedent being set. Should US companies aid in Chinese censorship? This question in turn reflects a broader unease about the way that multinational technology companies enable government misbehavior.
[Ariel Rabkin was a postdoctoral researcher at Princeton University from 2012 to 2014.]
Will US courts regulate Internet naming?
[Commentary] The Internet Corporation for Assigned Names and Numbers (ICANN) argues that it cannot be ordered to transfer a domain because the United States government, not ICANN, is really in charge.
The US government is proposing to allow its agreements with ICANN to lapse, however. At that point, ICANN would become autonomous and accountable only to its Board of Directors. ICANN would seemingly lose this line of defense, and thus invite the courts to hold it responsible for domain allocation.
This suggests that Department of Commerce oversight is holding off the unhappy possibility that every US District Court would be free to give orders to ICANN. Perhaps we should not be so quick to give up the current legal arrangements.
[Rabkin is a professional software engineer]
The Internet isn’t plumbed like the water system
[Commentary] Many activists would like to treat Internet service as a utility, to be regulated the way the power and water systems are. In those industries, a government board sets rates and can authorize or reject proposed capital investments.
The Federal Communications Commission’s Open Internet Order requires ISPs to provide detailed data about their internal routing policies and performance metrics. Does it make sense to view ISPs as utilities? Internet pipes are very different from water pipes. An ISP doesn’t just deliver data packets -- it delivers particular data packets to particular destinations.
[Rabkin is a professional software engineer]
US court case may shed light on ICANN’s legal status
[Commentary] By a strange and convoluted process, a pending legal case about payments to terror victims may end up clarifying several open questions about Internet law.
The US Congress has authorized lawsuits against sovereign governments for terrorism that has harmed Americans. Plaintiffs in several cases have successfully convinced US courts that the government of Iran is responsible for funding terrorism against American citizens.
Getting the money is not so easy, since Iran has been almost totally cut off from the US banking system. However, Iran has not been cut off from the Internet, and it turns out that by virtue of being on the Internet, Iran has financial ties to American entities after all.
On June 24, the US District Court for DC authorized preliminary steps towards seizing Iranian payments to ICANN in several ongoing cases. The court authorized subpoenas against ICANN for information on its negotiations with Iran, and issued writs of attachment against any Iranian payments.
[Rabkin is currently a postdoctoral researcher at Princeton University]
The Chinese hacking indictments: Where’s the strategy?
[Commentary] On May 19, the Obama Administration announced indictments of five Chinese military officers for cyber-espionage against US companies. The named individuals work for Unit 61398 of the Chinese People’s Liberation Army (PLA), a cyber-espionage organization. The problem of Chinese hacking of US companies is real, but these indictments are an unwise step.
They are unlikely to achieve any positive result and could well have significant negative consequences for the United States. Indicting PLA officers for cyber-espionage is not merely pointless, it is dangerous. The precedent we have set here is that uniformed military personnel can be indicted by foreign powers for activity conducted lawfully in their home country.
The NSA analyzes large volumes of foreign telecommunications traffic -- we almost certainly have wiretapped millions of Chinese citizens. Any hostile government, or impish prosecutor, would be able to use our actions here as justification for indicting NSA employees and contractors, or other Americans who work for our intelligence services. As a result, these indictments have the potential to impose more costs on us than on China. National courts are sometimes used as tools of foreign policy.
The term “lawfare” has been coined to describe the process of manipulating international legal standards for strategic ends. The Obama Administration is in effect trying something of the sort here, normalizing new and aggressive cross-border prosecutions. However, these indictments are a dangerously slapdash sort of lawfare.
We have introduced and thereby legitimated a new tactic in our conflict with China. There is no evidence that we have considered the implications. Our government has expressed no guiding principles for when and how this tactic might be used in the future, either by us or by our adversaries.
[Rabkin is a researcher interested in techniques for building and debugging complex software systems and a guest contributor to TechPolicyDaily.com]
What Heartbleed tells us about software liability
[Commentary] The technology press has been awash in stories recently about the so-called Heartbleed bug that releases sensitive user data from any service using the OpenSSL encryption library.
To hold companies accountable for Heartbleed, we would need not product liability or restrictions on contract liability waivers, but rather, some sort of tort liability for service operators. Internet services can grow very popular very quickly. Consequently, increased liability could result in a structural shift in the Internet ecosystem.
Large, established companies such as Facebook or Google would likely become more averse to security risks, making them more cautious and shy about innovation. Small startup companies, on the other hand, who are constantly at risk of failing, would not have the resources or incentives to increase security and would take the risk of innovating without investing in security. Therefore, smaller companies would get an increasing advantage over their slower-moving, larger rivals who delayed new innovation in order to minimize security risks. Such a market, where low-security startups represent an increasing share of the computing industry, would be inherently more hazardous.
Ideally, large companies would voluntarily collaborate to improve the security of common shared infrastructure like OpenSSL or Linux. However, no intervention along these lines is likely to have more than a moderate benefit. We don’t have robust ways to measure security improvements, or how security-critical any piece of code is. As a result, we aren’t going to be able to construct robust incentives here. Ultimately, the right lesson to draw from the Heartbleed bug is that we do not yet know the right technical or social mechanisms for building large software systems securely and economically.
[Rabkin is a researcher interested in techniques for building and debugging complex software systems]