Sunday, April 16, 2006
Markle Foundation & Electronic Health Records
The full report is here. I was the lead drafter of the report on how to audit, to assure good privacy and security in the use of health records.
House Judiciary Testimony
My testimony is here. Coverage in the Washington Post is here.
Sunday, April 02, 2006
Writing the Call for Action Against Phishing
I was the “reporter” – chief author – for “A Call for Action: Report from the National Consumers League Anti-Phishing Retreat.” The report drew on participation from consumers groups, leading tech companies, and other stakeholders. The report was released in March, with these principal recommendations:
1. Support greater consumer education.
2. The consumer experience must be “secure by design.”
3. There must be better user and site authentication.
4. There must be better tools for effective investigation and enforcement.
5. Learn from the lifecycle of the phisher.
6. ISPs and domain name owners can cooperate on white lists.
7. Use black lists to create a “phishing recall” approach.
Here is my column summarizing the report.
Here is the full report.
Security and Obscurity, for Open Source, Military, and More
One of my principal research projects for the past several years has been to answer the question: “When does disclosure help, or hurt, security?” Open source experts say “there is no security through obscurity.” Military experts say “loose lips sink ships.” My research provides the first theoretical model for answering the question of when disclosure is likely to help security.
The new article builds on my first, A Model for When Disclosure Helps Security: What is Different About Computer and Network Security, which was published both as a chapter in a Cambridge University Press book on cybersecurity and in a law review.
Tuesday, March 21, 2006
Legal FAQs on NSA Wiretaps
At this time I don't know if I will update the document. It gives a plain-language discussion, however, of the legal issues involved.
My work here is based on my scholarship on the history of foreign intelligence surveillance law, as well as my extensive work on surveillance law while in government from 1999 to early 2001.
Immutable Audit Logs -- Markle Foundation Paper
This paper was released by the Markle Foundation Task Force on National Security in the Information Age.
The paper shows how "immutable audits," logs that not even systems administrators can alter, can be useful for national security and other systems where there is a high need for public trust but where the details of the system are classified.
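To make the idea concrete, here is a small added example of the tamper-evidence mechanism behind an immutable audit log. It is not code from the Markle paper; it assumes a hash-chained append-only record store plus an external "witness" that signs the chain head with a key the administrator does not hold. The events, key and witness service are constructed for the demo. The example also shows why the witness matters: an administrator with full write access can rewrite the whole chain so that it verifies internally, and only the externally held head signature exposes that.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Hash of "nothing before the first record"; constructed convention for this demo.
GENESIS = "0" * 64


def _digest(prev_hash: str, seq: int, event: dict) -> str:
    """Commit to the previous hash, the position, and the event in one canonical encoding."""
    payload = json.dumps(
        {"prev": prev_hash, "seq": seq, "event": event},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode()).hexdigest()


class ImmutableLog:
    """Append-only log where every record chains to the one before it."""

    def __init__(self) -> None:
        self.records: List[Dict] = []  # each: {"seq", "prev", "event", "hash"}

    def append(self, event: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        seq = len(self.records)
        h = _digest(prev, seq, event)
        self.records.append({"seq": seq, "prev": prev, "event": event, "hash": h})
        return h

    def head(self) -> str:
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad record)."""
        expected_prev = GENESIS
        for i, rec in enumerate(self.records):
            if (rec["seq"] != i
                    or rec["prev"] != expected_prev
                    or _digest(rec["prev"], rec["seq"], rec["event"]) != rec["hash"]):
                return False, i
            expected_prev = rec["hash"]
        return True, None


# --- Witness: a separate party that periodically signs the chain head. ---
# Assumed design: the key lives outside the logging system, so an administrator
# who can rewrite the store still cannot produce a matching signature.

def witness_sign(head: str, key: bytes) -> str:
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify_against_witness(log: ImmutableLog, key: bytes, signature: str) -> bool:
    return hmac.compare_digest(witness_sign(log.head(), key), signature)


def _recompute_chain(log: ImmutableLog) -> None:
    """Simulate an administrator with full write access rebuilding every hash after an edit."""
    prev = GENESIS
    for i, rec in enumerate(log.records):
        rec["seq"], rec["prev"] = i, prev
        rec["hash"] = _digest(prev, i, rec["event"])
        prev = rec["hash"]


def demo() -> Dict[str, object]:
    """Run the tamper scenarios and report what each check detects."""
    key = b"constructed-witness-key"  # constructed; in practice held by the witness only
    log = ImmutableLog()
    log.append({"actor": "alice", "action": "read", "record": "patient-42"})   # constructed event
    log.append({"actor": "bob", "action": "update", "record": "patient-42"})   # constructed event
    signed_head = witness_sign(log.head(), key)

    clean_ok, _ = log.verify()

    # Scenario 1: edit an old entry in place; the chain catches it at that index.
    log.records[0]["event"]["actor"] = "mallory"
    edit_ok, edit_idx = log.verify()

    # Scenario 2: rebuild all hashes after the edit; the chain alone now looks fine,
    # but the head no longer matches what the witness signed.
    _recompute_chain(log)
    rebuilt_ok, _ = log.verify()
    witness_ok = verify_against_witness(log, key, signed_head)

    return {
        "clean_chain_ok": clean_ok,
        "edit_detected_by_chain": not edit_ok,
        "edit_index": edit_idx,
        "rebuilt_chain_passes_internally": rebuilt_ok,
        "rebuilt_chain_caught_by_witness": not witness_ok,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is in the last two results: a hash chain makes edits and deletions detectable by anyone holding a later hash, but it does not by itself stop someone who can overwrite the entire store. Publishing or escrowing the chain head with a party outside the administrators' control is what turns "tamper-evident" into "even the sysadmin cannot quietly change it."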
Op-ed about Cookies on Federal Web Sites
I participated in the 1999 and 2000 policies to assure privacy on Federal websites. The new column explains why it is important for the government to continue to follow those standards. The column describes recent evidence of non-compliance in federal agencies.