Daniel Castro
ITIF’s Castro: How Congress can fix 'internet of things' security
[Commentary] In the wake of recent cyberattacks, many policymakers are left wondering what, if anything, they can do to prevent future attacks and how they can make the burgeoning Internet of things more secure. Fortunately, there is a relatively simple step that Congress could take to jump-start cybersecurity in the fledgling internet of things: require companies to publish a security policy. Most companies today publish a privacy policy. The Federal Trade Commission (FTC), in particular, has actively monitored the privacy practices of the private sector and held companies accountable for adhering to their stated practices. The overall result is that companies in the United States have a significant degree of autonomy and flexibility in how they collect and use personal data, which has allowed innovation to flourish, but they still must answer both to their users and to government regulators.
As the Information Technology and Innovation Foundation (ITIF) has argued before, the United States, like most other countries, has a schizophrenic approach to cybersecurity that is broken and ineffective. The current policy emphasizes relative security over absolute security. Nations want to be able to hack in to the systems of their adversaries, but they do not want their own systems to be vulnerable. So rather than working together to improve global information security practices for everyone, nations spend billions to penetrate systems and horde zero-day vulnerabilities. This needs to change. But in the interim, there is at least one concrete step policymakers can take to begin to change the security practices of the private sector and help pave the way for a more secure Internet of things.
[Castro is vice president of the Information Technology and Innovation Foundation]
Key Principles For Coordination Of Internet Unique Identifiers
These key principles and mechanisms should be embedded into the structure of Internet Corporation for Assigned Names and Numbers (ICANN) through the multistakeholder accountability process:
- Community of Stakeholders as Ultimate Authority: he community of ICANN stakeholders should be the ultimate overseer of the DNS, responsible for: promoting a single, decentralized, open, and interoperable Internet; preserving the integrity, transparency and accountability of IP numbers and their assignments; managing domain names, and protocol number assignments; maintaining the security, stability and resiliency of the DNS; and meeting the needs and expectations of global customers and partners of the DNS.
- Separation of Functions: policy making, dispute resolution and implementation.
- Policy Making Function: : ICANN’s existing structure of Supporting Organizations (SOs) and Advisory Committees (ACs), which provide technical and policy guidance and which comprise its bottom-up, consensus multi-stakeholder model, should continue to be responsible for policy making.
- Dispute Resolution Function: Expansion of ICANN’s Independent Review Panel
- Implementation Function
- Protection from Government Capture: neither the CEO nor the members of either Board of Directors should be a member of a government or government-controlled organization.
- Transparency
- Specific Rights and Responsibilities Appropriate for Each Function:
- Consensus: a significant supermajority for final action on all policy decisions.
- Budget and Revenue Limitation
- Equitable Agreements
- Prior Adoption: These principles and their assured implementation should be adopted and made effective prior to the transfer of the IANA contract to ICANN, or to any other party that replaces the US as contract counterparty; should be embedded in ICANN’s Articles of Incorporation & By-Laws.
The FTC should reward, not penalize, companies that innovate in good faith
[Commentary]The Federal Trade Commission (FTC) announced that it has filed a lawsuit against Amazon.com, alleging that the company had failed to set sufficiently tight controls for purchases made by children while using mobile apps.
The Amazon suit reflects an unfortunate trend. By forcing companies into consent decrees, instead of using its own rulemaking authority or waiting for Congress to act, the FTC circumvents the democratic process, reduces transparency and limits public participation. These agreements can end up serving as de facto policy, which is a problem since they only reflect the agreement of two parties, rather than all stakeholders. At times, consent decrees may even be anti-competitive, by creating greater barriers for new entrants and entrenching established interests.
Rather than fostering disruptive innovation, these types of 20-year agreements lock companies into stagnant business practices and discourage companies from taking risks lest they be subject to the wrath of the FTC. A better approach is for the FTC to take ambiguity out of the equation by establishing clear rules and taking action against companies that knowingly violate them, or by going after companies that knowingly and willfully harm consumers, such as any app developers who try to exploit the in-app payment system in apps directed at children.
[Castro is a senior analyst with the Information Technology and Innovation Foundation]
Time to forget the "right to be forgotten"
[Commentary] It is unfortunate that privacy laws have degenerated from upholding the "right to be left alone" to an overbearing attempt at obscuring reality. And where will this end?
If individuals have the right to erase public data about themselves, why stop with search engines? Did someone say something true about you on Facebook or Twitter? Time to file a complaint. Did you write something you regret in an email? Just require the email provider to track down and delete all copies of your message. You will never again need to worry about learning from your mistakes since you can just forget them.
The European Union is in the midst of updating its privacy laws, so this ruling will certainly not be the last word on the subject. But as policymakers both in the United States and abroad continue to refine privacy laws and regulations in the coming years, they should consider who exactly it is they are trying to protect.
In this case, it is hard to see how rules designed to protect people like Donald Sterling, Anthony Weiner and Mel Gibson serve the common good. Since privacy laws almost always involve a trade-off between different values, policymakers should be aware what they are giving up when they make these decisions and strive to find a more balanced approach.
[Castro is a senior policy analyst with the Information Technology and Innovation Foundation]