Abstract

Chris Hoofnagle: Research Challenges in Privacy and Security Policy

Abstract: Researchers performing privacy and security forensic analyses with an eye toward policy face several challenges. First, R1 universities used to have the best data and the best tools for research. Increasingly, tools and data reside in the private sector, requiring relationships that may burden research with limits on academic freedom and presenting problems of deep capture. Thus, maintaining academic independence is a growing challenge. Second, companies can design products to leverage copyright and terms-of-use legal protections and possibly prohibit security and privacy forensics. As IoT devices rely on the cloud, they will become increasingly inscrutable. Third, some wish to reorient privacy rules to focus on how data are used rather than whether data were collected. Data use is more difficult to forensically verify than data collection, and there is a need to create tools that document uses and limit data access to specified uses. Finally, several legal challengers allege that no “harm” flows from security breaches or that the government bears a burden to prove harm in an exacting way. Thus, conceptualizing and documenting injury from privacy invasions and insecurity is key for the future of cybersecurity enforcement.