Sunday, April 16, 2006


Markle Foundation & Electronic Health Records

For the past two years I have been working with the Markle Foundation's Connecting for Health project. In April, Connecting for Health issued a practical guide for next steps for creating electronic health records, consistent with privacy and security.

The full report is here. I was the lead drafter of the report on how to audit, to assure good privacy and security in the use of health records.


House Judiciary Testimony

On April 4 I testified before the House Judiciary Committee in a hearing on “Personal Information Acquired by the Government From Information Resellers: Is There Need for Improvement?”

My testimony is here. Coverage in the Washington Post is here.

Sunday, April 02, 2006


Writing the Call for Action Against Phishing

I was the “reporter” – chief author – for “A Call for Action: Report from the National Consumers League Anti-Phishing Retreat.” The report drew on participation from consumer groups, leading tech companies, and other stakeholders. The report was released in March, with these principal recommendations:

1. Support greater consumer education.
2. The consumer experience must be “secure by design.”
3. There must be better user and site authentication.
4. There must be better tools for effective investigation and enforcement.
5. Learn from the lifecycle of the phisher.
6. ISPs and domain name owners can cooperate on white lists.
7. Use black lists to create a “phishing recall” approach.

Here is my column summarizing the report.

Here is the full report.


Security and Obscurity, for Open Source, Military, and More

One of my principal research projects for the past several years has been to answer the question: “When does disclosure help, or hurt, security?” Open source experts say “there is no security through obscurity.” Military experts say “loose lips sink ships.” My research provides the first theoretical model for answering the question of when disclosure is likely to help security.

The Houston Law Review has recently published “A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Systems.” It can be downloaded from the bottom of this page.

The new article builds on the earlier “A Model for When Disclosure Helps Security: What is Different About Computer and Network Security,” which was published as a chapter in a book on cybersecurity by Cambridge University Press and in a law review.

Another part of this research project has been about the proper level of disclosure in foreign intelligence surveillance law. Wiretaps should be secret, but what should the public know about wiretap law and practice?

Also, coming soon will be an article on “Privacy and Information Sharing in the War Against Terrorism.” A PowerPoint version is available here.

Tuesday, March 21, 2006


Legal FAQs on NSA Wiretaps

In response to the controversy about NSA wiretaps, I drafted "Legal FAQs on NSA wiretaps." It was published on January 30, 2006 by the Center for American Progress, where I am a visiting Senior Fellow.

At this time I don't know if I will update the document. It gives a plain-language discussion, however, of the legal issues involved.

My work here is based on my scholarship on the history of foreign intelligence surveillance law, as well as my extensive work on surveillance law while in government from 1999 to early 2001.


Immutable Audit Logs -- Markle Foundation Paper

Jeff Jonas and I were the primary drafters for "Creating a Trusted Information Sharing Environment: Using Immutable Audit Logs to Increase Security, Accountability, and Transparency."

This paper was released by the Markle Foundation Task Force on National Security in the Information Age.

The paper shows how "immutable audits," where even systems administrators cannot change the logs, can be useful for national security and other systems where there is a high need for public trust but where the details of the system are classified.
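The property described above, as an added illustration that is not code from the paper or the Markle Task Force: a hash-chained log in which each entry commits to every earlier one, and the latest hash is held outside the system so that an administrator who rewrites, rehashes, or truncates the log is still detected. The chain mechanism, the externally anchored head, and the sample access records are assumptions made for this example.

```python
import copy
import hashlib
import json
GENESIS = "0" * 64  # fixed starting value of the chain (constructed)

def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always yields the same digest.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode()).hexdigest()

def append(log, record):
    """Append a record whose hash commits to every earlier entry."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "hash": entry_hash(prev, record)})
    return log[-1]["hash"]

def verify(log, anchored_head):
    """Recompute the chain; return (ok, index of first bad entry or None).
    anchored_head is the latest hash as held outside the system (e.g. by an
    oversight body), which the system's administrators cannot rewrite."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if prev != anchored_head:
        return False, len(log)  # truncated, or rewritten and rehashed
    return True, None

def build_sample_log():
    """Constructed sample: three access records on a sharing system."""
    log = []
    for rec in [{"seq": 1, "user": "analyst7", "action": "query", "subject": "case-001"},
                {"seq": 2, "user": "analyst7", "action": "view", "subject": "case-001"},
                {"seq": 3, "user": "admin2", "action": "export", "subject": "case-001"}]:
        head = append(log, rec)
    return log, head

def admin_edit(log, index, changes, rehash=False):
    """An administrator alters one record; with rehash=True every later
    hash is rebuilt so the chain is internally consistent again."""
    forged = copy.deepcopy(log)
    forged[index]["record"].update(changes)
    if rehash:
        prev = GENESIS
        for entry in forged:
            entry["hash"] = entry_hash(prev, entry["record"])
            prev = entry["hash"]
    return forged
```

Internal consistency alone cannot detect the rehashed edit; it is the externally held head that exposes it, which is why the anchor has to live outside the administrator's reach.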


Op-ed about Cookies on Federal Web Sites

This column ran in Federal Computer Week on January 23, 2006: "Making privacy a priority: Citizens should be able to browse federal sites without creating a permanent record."

I participated in the 1999 and 2000 policies to assure privacy on Federal websites. The new column explains why it is important for the government to continue to follow those standards. The column describes recent evidence of non-compliance in federal agencies.
