Dan Solove on Privacy Regulation

Law professor Dan Solove has a new article on privacy regulation. In his email to me, he writes: “I’ve been pondering privacy consent for more than a decade, and I think I finally made a breakthrough with this article.” His mini-abstract:

In this Article I argue that most of the time, privacy consent is fictitious. Instead of futile efforts to try to turn privacy consent from fiction to fact, the better approach is to lean into the fictions. The law can’t stop privacy consent from being a fairy tale, but the law can ensure that the story ends well. I argue that privacy consent should confer less legitimacy and power and that it be backstopped by a set of duties on organizations that process personal data based on consent.

Full abstract:

Consent plays a profound role in nearly all privacy laws. As Professor Heidi Hurd aptly said, consent works “moral magic”—it transforms things that would be illegal and immoral into lawful and legitimate activities. As to privacy, consent authorizes and legitimizes a wide range of data collection and processing.

There are generally two approaches to consent in privacy law. In the United States, the notice-and-choice approach predominates; organizations post a notice of their privacy practices and people are deemed to consent if they continue to do business with the organization or fail to opt out. In the European Union, the General Data Protection Regulation (GDPR) uses the express consent approach, where people must voluntarily and affirmatively consent.

Both approaches fail. The evidence of actual consent is non-existent under the notice-and-choice approach. Individuals are often pressured or manipulated, undermining the validity of their consent. The express consent approach also suffers from these problems: people are ill-equipped to decide about their privacy, and even experts cannot fully understand what algorithms will do with personal data. Express consent also is highly impractical; it inundates individuals with consent requests from thousands of organizations. Express consent cannot scale.

In this Article, I contend that most of the time, privacy consent is fictitious. Privacy law should take a new approach to consent that I call “murky consent.” Traditionally, consent has been binary—an on/off switch—but murky consent exists in the shadowy middle ground between full consent and no consent. Murky consent embraces the fact that consent in privacy is largely a set of fictions and is at best highly dubious.

Because it conceptualizes consent as mostly fictional, murky consent recognizes its lack of legitimacy. To return to Hurd’s analogy, murky consent is consent without magic. Rather than provide extensive legitimacy and power, murky consent should authorize only a very restricted and weak license to use data. Murky consent should be subject to extensive regulatory oversight with an ever-present risk that it could be deemed invalid. Murky consent should rest on shaky ground. Because the law pretends people are consenting, the law’s goal should be to ensure that what people are consenting to is good. Doing so promotes the integrity of the fictions of consent. I propose four duties to achieve this end: (1) duty to obtain consent appropriately; (2) duty to avoid thwarting reasonable expectations; (3) duty of loyalty; and (4) duty to avoid unreasonable risk. The law can’t make the tale of privacy consent less fictional, but with these duties, the law can ensure the story ends well.

Understanding how Rationality, Deterrence Theory, and Indeterminism Influence Cybercrime.

Understanding the factors influencing cybercriminal behavior is essential for developing effective cybercrime prevention strategies. Rationality plays a significant role in shaping criminal decisions, particularly through the lens of the rational actor model and deterrence theory. This blog explores how rationality influences cybercriminal behavior, focusing on the rational actor model, the concepts of deterrence theory, their implications for understanding and preventing cybercrime, and how Bayesian theory can help manage the risk posed by indeterministic criminal behavior.

Brief History of Deterrence Theory:

Deterrence theory has its roots in classical criminology and the works of philosophers such as Cesare Beccaria and Jeremy Bentham, who introduced the concept of deterrence as a means of preventing crime through the application of punishment. This idea became further developed during the mid-20th century when the theory of nuclear deterrence emerged as a prominent concept in international relations. The understanding of deterrence broadened to be applied not only in preventing nuclear conflict but also in the context of criminal justice.

John Nash, through his work in game theory, contributed significantly to the understanding of strategic decision-making and the potential for deterrence in various competitive situations. His insights were crucial in shaping the modern understanding of deterrence theory, particularly when applied to criminal decision-making and cybersecurity.[1]

Explanation of Deterministic, Non-Deterministic, and Indeterministic:

Deterministic: In the context of decision-making, determinism refers to the philosophical concept that all events, including human actions, are the inevitable result of preceding causes. This perspective suggests that given the same initial conditions and knowledge, an individual’s choices can be predicted with certainty. In other words, under deterministic assumptions, human behavior can be seen as fully predictable.[2]

Non-Deterministic: Non-deterministic views reject the idea that every event, including human actions, can be precisely determined or predicted based on preceding causes. Instead, non-deterministic perspectives acknowledge the role of uncertainty, chance, and randomness in decision-making. From this standpoint, human behavior is seen as influenced by a combination of factors, including personal choice, external circumstances, and unpredictable elements.[3]

Indeterministic: Indeterminism represents a specific form of non-determinism. In the context of decision-making, indeterministic views emphasize the idea that certain events or actions, particularly human choices, are not entirely determined by preceding causes or predictable factors. Instead, they are seen as influenced by random or unpredictable elements, such as personal spontaneity, free will, or external factors that defy precise prediction.[4]

The Indeterministic Nature of Cybercriminal Behavior:

The indeterministic nature of cybercriminal behavior suggests that not all cybercrimes are the result of rational choices. Some individuals may engage in cybercriminal behavior due to impulsive actions, vulnerabilities in systems, or external pressures that override rational decision-making processes. These factors highlight the limitations of solely relying on rationality as an explanatory framework for cybercriminal behavior.

Rationality and the Rational Actor Model in Cybercrime:

The rational actor model suggests that cybercriminals are rational decision-makers who engage in a cost-benefit analysis before committing a cybercrime.[5] According to this model, cybercriminals weigh the potential benefits and costs of engaging in cybercriminal behavior and make a rational choice based on their assessment.

The rational actor model assumes that cybercriminals have the capability to accurately assess the potential outcomes of their cyber actions and aim to maximize their self-interest.[6] It suggests that cybercriminal behavior is a result of rational decision-making processes where the benefits of the cyber act outweigh the costs.

As discussed in the AT&T Cybersecurity Blog post titled “Attacker Motivations”, there are seven basic motivations that drive cybercrime. These include:

Financial (extrinsic) – Theft of personally identifiable information (PII) that is then monetized is a classic example of the financial motivation behind cyberattacks. Primarily perpetrated by organized criminal groups, this motivation accounts for a large percentage of cyberattacks against retailers and health care providers.
Social/Political “Hacktivism” (primarily intrinsic) – Social or ideological issues motivate some to attack organizations in order to make a statement. The hacking and defacement of a U.S. Government system in which the attackers post remarks disparaging capitalism or democracy would be a solid example of hacktivism.
Espionage (extrinsic) – Generally, we think of cyber espionage in terms of theft of intellectual property, but it can also focus on the theft of confidential information related to acquisitions, marketing plans and other types of data. Nation-state actors are considered the largest group of cyber espionage attackers, but there have been examples of companies engaging in cyber espionage against competitors.
Revenge (intrinsic) – Disgruntled employees or former employees typically commit the lion’s share of revenge-based cyberattacks. The news is replete with stories of disgruntled former employees attacking their former employers.
Nuisance/Destruction (intrinsic) – Some are intrinsically motivated to attack an organization or person for no other reason than to create chaos and destruction. It is unfortunate but true. A good illustration is the notorious bank robber “Slick” Willie Sutton. There is an apocryphal story about why he robbed banks: when asked, he reportedly stated that he robbed banks because “that is where the money is.” In reality he said he “simply loved to rob banks.” Money was not a motivating factor.
War/Defense (extrinsic) – In the 21st century it would be irresponsible to ignore the fact that nation states and even “patriot hackers” play a role in either initiating or defending against attacks. Disrupting supply chains, destroying centrifuges and similar attacks can be classified as War/Defense driven. Stuxnet, identified in 2010 and used to destroy Iranian centrifuges, is but one relevant example of such a motivation.
Facilitation (extrinsic) – Cyber attackers frequently use proxies and other systems to attack their final target. For this reason, it is important to note that some organizations and systems may simply be convenient targets that enable and facilitate attackers’ actions. Consider botnets: systems are compromised so that they can then be used to attack other systems. The compromise of a system within the botnet is simply used to facilitate another attack.

Deterrence Theory in the Context of Cybercrime:

Deterrence theory is a key framework for understanding the influence of rationality on cybercriminal decision-making. It posits that cybercriminals are deterred from engaging in cybercrimes when the perceived costs outweigh the benefits. The theory operates on the assumption that cybercriminals are rational actors who can assess the potential consequences of their cyber actions and make decisions based on the expected utility.[7]

Deterrence theory emphasizes three key elements in the context of cybercrime: severity, certainty, and swiftness of punishment. Severity refers to the harshness of the punishment imposed for cybercrimes. Certainty refers to the likelihood of being caught and punished for the offense, while swiftness refers to the promptness with which the punishment is administered. According to deterrence theory, an increase in the severity, certainty, or swiftness of punishment should deter cybercriminals from engaging in cybercrimes.

The Impact of Deterrence on Cybercriminal Decision-Making:

The concepts of deterrence theory have significant implications for cybercriminal decision-making. Efforts to enhance cybersecurity and the presence of effective law enforcement in the cyber realm can serve as deterrents, influencing cybercriminals to refrain from engaging in cybercriminal activities. The perceived certainty of being identified and caught acts as a deterrent, as cybercriminals are more likely to consider the potential costs and consequences of their cyber actions when they believe they will be caught.[8]

Similarly, the severity of punishment plays a crucial role in deterring cybercrimes. Harsh legal penalties, significant fines, or other severe consequences increase the perceived costs of engaging in cybercriminal behavior, making it less likely for cybercriminals to choose such actions. Additionally, the swiftness of punishment is important, as delayed consequences may weaken the deterrent effect. Swift action in identifying and punishing cybercriminals ensures that they experience the connection between their cyber behavior and its consequences, reinforcing the deterrent effect.

However, it is essential to recognize the limitations of deterrence theory and the rational actor model when explaining cybercriminal behavior. Human behavior, including cybercriminal behavior, is often influenced by factors beyond rational calculation. Emotions, psychological factors, social influences, and situational contexts can all impact decision-making, leading individuals to engage in cybercriminal behavior despite the rational assessment of costs and benefits.[9]

The Role of Bayesian Theory in Overcoming Indeterministic Behavior for Risk Management:

Bayesian theory offers a powerful tool for managing risk in the face of indeterministic human criminal behavior. By providing a framework for updating beliefs and probabilities in light of new evidence, Bayesian theory allows for a nuanced and dynamic understanding of risk. In the context of cybercrime, Bayesian methods can be employed to continuously assess and update the probability and impact of potential threats, enhancing the capacity to anticipate and mitigate criminal activities that may not conform to simple deterministic or rational models.[10] AT&T’s blog titled: “Quantifying CyberRisks to Solve the Riddle” provides an overview of how conditional probability theory can be used to more accurately gauge cyber risks.
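The updating the paragraph describes, as an added example that is not code from the AT&T blog: each detector is modelled by an assumed true-positive and false-positive rate, every alert (or silence) is folded into a host's compromise probability with Bayes' rule, and the posterior is multiplied by impact so assets can be prioritised by expected loss. Detector names, hit rates, assets and the alert sequence are all constructed values.

```python
"""Bayesian updating of a host's compromise probability, then ranking by expected loss.
Added example, not code from the AT&T blog: the detector hit rates, the asset list
and the alert sequence below are all constructed (hypothetical) values."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Detector:
    """A detection control characterised by its assumed hit rates."""
    name: str
    tpr: float  # P(alert | compromised): true-positive rate
    fpr: float  # P(alert | not compromised): false-positive rate

def update(prior: float, det: Detector, fired: bool) -> float:
    """One Bayes step: P(C | E) = P(E | C) P(C) / P(E), where E is either
    'alert fired' or 'alert silent'; silence is evidence too and lowers P(C)."""
    if fired:
        like_c, like_nc = det.tpr, det.fpr
    else:
        like_c, like_nc = 1.0 - det.tpr, 1.0 - det.fpr
    joint_c = like_c * prior
    evidence = joint_c + like_nc * (1.0 - prior)  # P(E) by total probability
    return joint_c / evidence

def posterior(prior: float, observations) -> float:
    """Fold (Detector, fired) observations into the prior one step at a time.
    Assumes detectors are conditionally independent given the compromise state."""
    p = prior
    for det, fired in observations:
        p = update(p, det, fired)
    return p

def rank_by_expected_loss(assets):
    """assets: (name, base_rate, impact, observations) -> [(name, p, p*impact)] desc."""
    scored = []
    for name, base_rate, impact, obs in assets:
        p = posterior(base_rate, obs)
        scored.append((name, p, p * impact))
    return sorted(scored, key=lambda row: row[2], reverse=True)

# Constructed detectors (hypothetical rates) and what they reported per asset.
EDR = Detector("edr-behavioural", tpr=0.80, fpr=0.05)
C2_DNS = Detector("dns-known-c2-domain", tpr=0.60, fpr=0.001)
SANDBOX = Detector("mail-sandbox-detonation", tpr=0.90, fpr=0.10)

ASSETS = [
    # name, base rate of compromise, impact if compromised, sensor observations
    ("payroll-db", 0.01, 2_000_000, [(EDR, True), (C2_DNS, True)]),
    ("kiosk-07", 0.01, 10_000, [(EDR, True), (SANDBOX, False)]),
]

if __name__ == "__main__":
    for name, p, loss in rank_by_expected_loss(ASSETS):
        print(f"{name:12s} P(compromised)={p:.4f} expected loss={loss:,.0f}")
```

With a 1% base rate, a single EDR alert with a 5% false-positive rate only lifts the posterior to about 14%, which is why a second, low-false-positive corroborating signal (or the absence of one) changes the ranking far more than the first alert does.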

Conclusion:

Rationality significantly influences cybercriminal behavior, particularly through the rational actor model and deterrence theory. The rational actor model posits that cybercriminals engage in cyber activities after considering the potential benefits and costs. Deterrence theory emphasizes the importance of perceived costs in deterring cybercrime, highlighting the significance of severity, certainty, and swiftness of punishment.

However, it is crucial to acknowledge the inherent indeterministic aspects of cybercriminal behavior. Emotions, psychological factors, and situational contexts can impact cybercriminal decision-making, leading individuals to engage in cybercrime despite the rational assessment of costs and benefits. Acknowledging these complexities and leveraging flexible risk management models such as Bayesian theory is essential for a comprehensive understanding of cybercriminal behavior and the development of effective cybercrime prevention strategies.

In overcoming indeterministic human criminal behavior, Bayesian theory provides an invaluable asset for risk management by allowing for the formulation of more flexible and adaptive strategies to cybercrime prevention. It offers a means to continuously update and refine risk assessments, particularly in scenarios where traditional rational and deterministic models may fall short in providing effective countermeasures.

AT&T’s Risk Advisory Services can help clients understand and quantify or qualify risks, as appropriate to enable for the prioritization and addressing of risks in an efficient and cost-effective manner. From enterprise risk management solutions to compliance-based consulting and management, AT&T provides comprehensive risk management for organizations of all sizes.

References:

[1] Nash, J. (1950). Equilibrium points in n-person games. Proceedings of the National Academy of Sciences, 36(1), 48-49.

[2] Tsementzis, D. (2011). Deterministic and stochastic models of AIDS epidemiology. Springer Science & Business Media.

[3] Cartwright, N. (2010). The Dappled World: A Study of the Boundaries of Science. Cambridge University Press.

[4] Broad, C. D. (2011). Determinism, indeterminism and libertarianism. Routledge.

[5] Cornish, D. B., & Clarke, R. V. (Eds.). (2014). The reasoning criminal: Rational choice perspectives on offending. Routledge. 

[6] Nagin, D. S., & Pogarsky, G. (2003). An experimental investigation of deterrence: Cheating, self-serving bias, and impulsivity. Criminology, 41(1), 167-194.

[7] Cressey, D. R. (1960). Deterrence, rationality, and corruption. In J. Menell & P. Thompson (Eds.), White-Collar Crime: Theory and Research (pp. 25-36). Free Press.

[8] Hollis, M. (2015). The philosophy of social science: An introduction. Cambridge University Press.

[9] Becker, G. S. (1968). Crime and punishment: An economic approach. Journal of Political Economy, 76(2), 169-217.

[10] Lindley, D. V. (2006). Understanding uncertainty. John Wiley & Sons.

USN-6748-1: Sanitize vulnerabilities

It was discovered that Sanitize incorrectly handled noscript elements
under certain circumstances. An attacker could possibly use this issue to
execute a cross-site scripting (XSS) attack. This issue only affected
Ubuntu 22.04 LTS. (CVE-2023-23627)

It was discovered that Sanitize incorrectly handled style elements under
certain circumstances. An attacker could possibly use this issue to
execute a cross-site scripting (XSS) attack. (CVE-2023-36823)

USN-6747-1: Firefox vulnerabilities

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-3852,
CVE-2024-3864, CVE-2024-3865)

Bartek Nowotarski discovered that Firefox did not properly limit HTTP/2
CONTINUATION frames. An attacker could potentially exploit this issue to
cause a denial of service. (CVE-2024-3302)

Gary Kwong discovered that Firefox did not properly manage memory when
running garbage collection during realm initialization. An attacker could
potentially exploit this issue to cause a denial of service, or execute
arbitrary code. (CVE-2024-3853)

Lukas Bernhard discovered that Firefox did not properly manage memory
during JIT optimisations, leading to an out-of-bounds read vulnerability.
An attacker could possibly use this issue to cause a denial of service or
expose sensitive information. (CVE-2024-3854, CVE-2024-3855)

Nan Wang discovered that Firefox did not properly manage memory during
WASM garbage collection. An attacker could potentially exploit this issue
to cause a denial of service, or execute arbitrary code. (CVE-2024-3856)

Lukas Bernhard discovered that Firefox did not properly manage memory
when handling JIT created code during garbage collection. An attacker
could potentially exploit this issue to cause a denial of service, or
execute arbitrary code. (CVE-2024-3857)

Lukas Bernhard discovered that Firefox did not properly manage memory when
tracing in JIT. An attacker could potentially exploit this issue to cause
a denial of service. (CVE-2024-3858)

Ronald Crane discovered that Firefox did not properly manage memory in the
OpenType sanitizer on 32-bit devices, leading to an out-of-bounds read
vulnerability. An attacker could possibly use this issue to cause a denial
of service or expose sensitive information. (CVE-2024-3859)

Gary Kwong discovered that Firefox did not properly manage memory when
tracing empty shape lists in JIT. An attacker could potentially exploit
this issue to cause a denial of service. (CVE-2024-3860)

Ronald Crane discovered that Firefox did not properly manage memory when
handling an AlignedBuffer. An attacker could potentially exploit this
issue to cause denial of service, or execute arbitrary code.
(CVE-2024-3861)

Ronald Crane discovered that Firefox did not properly manage memory when
handling code in MarkStack. An attacker could possibly use this issue to
cause a denial of service or execute arbitrary code. (CVE-2024-3862)
