Sunday, April 16, 2006


Markle Foundation & Electronic Health Records

For the past two years I have been working with the Markle Foundation's Connecting for Health project. In April, Connecting for Health issued a practical guide for next steps for creating electronic health records, consistent with privacy and security.

The full report is here. I was the lead drafter of the report on how to audit, to assure good privacy and security in the use of health records.


House Judiciary Testimony

On April 4 I testified before the House Judiciary Committee in a hearing on “Personal Information Acquired by the Government From Information Resellers: Is There Need for Improvement?”

My testimony is here. Coverage in the Washington Post is here.

Sunday, April 02, 2006


Writing the Call for Action Against Phishing

I was the “reporter” – chief author – for “A Call for Action: Report from the National Consumers League Anti-Phishing Retreat.” The report drew on participation from consumer groups, leading tech companies, and other stakeholders. The report was released in March, with these principal recommendations:

1. Support greater consumer education.
2. The consumer experience must be “secure by design.”
3. There must be better user and site authentication.
4. There must be better tools for effective investigation and enforcement.
5. Learn from the lifecycle of the phisher.
6. ISPs and domain name owners can cooperate on white lists.
7. Use black lists to create a “phishing recall” approach.

Here is my column summarizing the report.

Here is the full report.


Security and Obscurity, for Open Source, Military, and More

One of my principal research projects for the past several years has been to answer the question: “When does disclosure help, or hurt, security?” Open source experts say “there is no security through obscurity.” Military experts say “loose lips sink ships.” My research provides the first theoretical model for answering the question of when disclosure is likely to help security.

The Houston Law Review has recently published “A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Systems.” It can be downloaded from the bottom of this page.

The new article builds on the first one, “A Model for When Disclosure Helps Security: What is Different About Computer and Network Security,” which was published as a chapter in a book on cybersecurity by Cambridge University Press and in a law review.

Another part of this research project has been about the proper level of disclosure in foreign intelligence surveillance law. Wiretaps should be secret, but what should the public know about wiretap law and practice?

Also, coming soon will be an article on “Privacy and Information Sharing in the War Against Terrorism.” A PowerPoint version is available here.
