Privacy and Cybersecurity Law in India and the U.S. Professor Peter Swire Ohio State University National Law University, Dwarka March 31, 2011.

Presentation transcript:

Privacy and Cybersecurity Law in India and the U.S. Professor Peter Swire Ohio State University National Law University, Dwarka March 31, 2011

Overview
- Theme – the rules about information are important in the information age
- Information privacy
  - Constitutional law
  - Statutory and self-regulatory law, with Indian proposal under development
  - Google Buzz settlement this week
- Cybersecurity
  - Risk-adjusted efforts for security, Indian proposal under development
- Encryption
  - Current controversy on RIM/Blackberry, Skype, etc.
  - Reasons why the US decided to support strong crypto after intense debate in the 1990s
- Disclaimer – I am not an expert on Indian law, but have been working on specific issues related to encryption and will have a research paper this year on that

Swire Background
- Law professor since 1990
- First Internet law writing 1992
- Chief Counselor for Privacy to President Clinton
  - Big growth of Internet, and first U.S. national laws on medical privacy, financial privacy, Internet privacy
  - Wiretaps and other surveillance law for Internet (not just phones)
  - Encryption, big U.S. legal shift in 1999
- Special Assistant to President Obama
  - Issues included broadband, spectrum, privacy, cybersecurity
- Theme: blend law, technology, business, government

U.S. Constitution
- 4th Amendment to Constitution (in effect 1789)
  - Protects a reasonable expectation of privacy against government search
  - Usually requires a warrant signed by a judge to do a search or seizure, such as entry to a home or business
  - Wiretaps for law enforcement generally require a warrant
  - Very complex case law

U.S. Constitution
- 1st Amendment to Constitution (in effect 1789)
  - Strong rules against state limits on free speech or free press
  - Important in case law about personal privacy
- Common law protections for individual privacy
  - Public revelation of private facts, or false light about a person
  - Intrusion on seclusion
  - Protects a celebrity's or other person's right of publicity – the rule is that another person can't make money off the celebrity's name (no advertisement suggesting Tendulkar supports your product without his permission)
  - But the 1st Amendment guarantees free speech
    - A newspaper can make money with Tendulkar's name in a headline
    - Many revelations of your personal life are protected speech

Statutes for Private Sector Data
- In the U.S. (and, I understand, India) no similar constitutional/human right to limit processing of personal information by the private sector
  - European Convention on Human Rights, implemented in the E.U. Data Protection Directive, does treat this as a human right
- U.S. Congress has passed statutes for some sensitive types of information
  - HIPAA for medical privacy
  - Gramm-Leach-Bliley for financial services
  - Telecom Act of 1996 for data held by phone companies
  - Children's Online Privacy Protection Act for information collected from under-13s
  - Video Privacy Protection Act for movie rentals (Judge Bork)

Statutory Protections & Fair Information Practices
- For HIPAA, European laws, and other possible private-sector laws, have FIPs (fair information practices)
- On the Internet, often done by self-regulation – promises work like statutes
- Notice – how the personal data will be used
- Choice – "We have business partners who may have offers. Do you want your data shared?"
  - Opt in: don't use data unless affirmative consent; apps for FB
  - Opt out: use data unless customer says no (tick box already checked but you can uncheck it)
- Access – see your medical or other records
- Data security – doesn't help to have privacy rules if the 12 year old can hack in
- Accountability – consequences if you don't follow the rules

Accountability
- HIPAA enforced by U.S. Department of Health and Human Services
  - Patient complaints
  - Opportunity for hospital, etc., to fix problem
  - Consent decrees & penalties
    - $1 million penalty last month for hospital
- Federal Trade Commission enforces against unfair and deceptive trade practices, notably including broken privacy promises
  - This week, consent decree for Google Buzz
    - New service; log in: "Sweet, send me to Buzz!"
    - Google signed Gmail users up for this new social network unless you ticked "Nah, send me to my inbox"
    - Claim: Google broke its privacy policy and violated the U.S.-E.U. Safe Harbor
    - Google now promises a comprehensive privacy program, with 20 years of outside privacy audits

Beyond FIPs: Legal Conflicts
- Often have intersection of a privacy rule (don't share data) and some other public policy purpose (need to share data)
- An example from HIPAA: doctor or hospital, and someone arrives who did/might have broken the law. Should the doctor report to the police?
  - Perspective of the doctor? Hippocratic Oath? Why have that?
  - Perspective of the police? Knife wound? IV drug user?
  - History of this in HIPAA
  - This question raised to me this week in India by a national security official
- When is disclosure required/permitted/forbidden?

Cybersecurity Protections
- Already saw that security is an element of privacy FIPs
  - Don't steal from my bank account
  - Don't reveal my medical or surfing records
  - Government agencies – don't reveal secret government information
- Basic idea of many cybersecurity laws:
  - Must have risk-adjusted security provisions
  - HIPAA, GLB, U.S. government (FISMA)
  - Online policies promise reasonable security, so FTC enforcement
- Some common elements
  - Responsible officials
  - Policies, training
  - Identify areas of greatest risk, e.g., bank accounts vs. marketing materials
  - Good idea to specify technology? 40-bit? Have a firewall? No.

Summary Thus Far
- Constitutional provisions, especially about government intrusion into personal space
- Statutes – privacy FIPs, risk-weighted cybersecurity
- Beyond statutes to self-regulation, but with enforcement
- Interesting legal issues where there are conflicts between reasons to share data and to limit data flows
- Goal of an overall regime where important things are protected and important data uses also succeed
- Next – current controversy about encryption
  - Idea of encryption: Alice sends to Bob; she wraps her text in code, and only he can decode it
  - Current statute in India from 1998 – encryption bit length maximum 40 bits
  - Current banking regulators – encryption bit length minimum 128 bits
  - RIM/Blackberry and should messages be available to a government in the clear, in real time?

[Diagram: phone call – Alice to Bob through a local switch and the telecom company]

[Diagram: Internet – Alice's ISP, "many nodes between ISPs", Bob's ISP; Alice's message "Hi Bob!" travels as the scrambled text %!#&*YJ#$]

Problems with Weak Encryption
- Nodes between A and B can see and copy whatever passes through
- Brute force attacks became more effective due to Moore's Law; today, 40 bits very easy to break by many
- From a few telcos to many millions of nodes on the Internet
  - Hackers
  - Criminals
  - Foreign governments
  - Amateurs
- Strong encryption as feasible and correct answer
  - Scaled well as Internet users went over one billion

U.S. Experience 1990s
- Initial inter-agency victory for law enforcement (FBI) and national security (NSA), early-mid 90s
  - Fear of loss of ability to wiretap
  - Strong crypto within US
  - Exports were controlled, on idea that crypto = munition
  - Political system supports law enforcement and national security
- Sept. 1999, shift in U.S. policy to allow strong crypto for export
  - I chaired WH working group on encryption 1999
  - Part of WH announcement 1999 of shift to strong crypto exports
- Why the change to a position contrary to the view of law enforcement and security agencies?

Crumbling of Weak Crypto Position
- Futility of weak crypto rules
  - Meeting with Senator or Congressman
  - Start the clock: how long to search for an encryption download?
  - Get PGP or other strong crypto in less than one minute
- In world of weak crypto rules, effect on good guys and bad guys
  - Bad guys – download PGP, stop the wiretap
  - Good guys – follow the rules, legitimate actors get their secrets revealed
    - Banking, medical records, retail sales
    - The military's communications on the Internet, government agencies, critical infrastructure

Objection – We Want the Keys
- The failure of the Clipper Chip
  - Idea was that all users of strong crypto would escrow their keys with law enforcement
  - Advocates for it had various safeguards, e.g., two people in the government had to agree for the key to be revealed
- Very strong technical arguments against this
  - Some people didn't trust the government
  - If do this for 200 nations worldwide, more people don't trust all the governments
  - Single point of failure – if the databank of keys is ever revealed, most/all communications can be read
    - Personal communications
    - Corporate secrets
    - Government communications over the Internet

Objection – We Want the Keys
- Even apart from key escrow, it is useful to walk briefly through how public key encryption works, to show limits of requests for "we want the keys"
- Basic approach of public key encryption
  - RSA a well-known instance of this approach
  - Alice and Bob each have a public key that anyone can wrap plaintext with
  - They each have a private key that is the only way to unwrap the encrypted text (unless someone tries brute force or other attack)
  - Wrapping is like multiplication (multiply two huge prime numbers); unwrapping is like division (find the two primes); the cryptosystem is a one-way function

[Diagram 1: Alice encrypts "Hi Bob!" with Bob's public key; the encrypted message passes through Alice's local ISP, a backbone provider and Bob's local ISP; Bob decrypts with Bob's private key to read "Hi Bob!"]

[Diagram 2: Jill at Corporation A (Tata) encrypts "Hi Fred!" with the public key of Corporation B (Reliance); the encrypted message passes through Corporation A's ISP, a backbone provider and Corporation B's ISP; Fred at Corporation B (Reliance) decrypts with Corporation B's private key to read "Hi Fred!"]
Lawful process: (1) Ask Tata before encryption (2) Ask Reliance after decryption

Limits to Getting the Keys
- In many instances, the keys are held by Alice and Bob
- No one else has the keys
  - That can include the software maker or service provider
  - Can be encryption at rest – your laptop
    - Keep a backup, or else computer brickifies
  - Can be encryption in communication
    - You may be the only one with access to the private key; in some systems you select it yourself or it is created by a one-way function where the originator has no access
- Technical experts prefer/insist on this
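The public-key flow on the preceding slides (Alice wraps with Bob's public key, the ISPs and backbone see only ciphertext, only Bob's private key unwraps it, and "unwrapping without the key" means factoring the modulus) and the point that nobody but the endpoints holds the key, as an added worked example in Python that is not part of the original talk. The toy key sizes, seeds, message and all function names are constructed for illustration only; moduli this small are meant to be factored in seconds, which is exactly what the last function measures.

```python
"""Toy RSA walk-through of the Alice/Bob slides: wrap with the recipient's public
key, see what intermediate nodes see, unwrap with the private key, and time how
'unwrapping without the key' (factoring n) grows with key size. Toy sizes only."""
import random
import time
from math import gcd, isqrt

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, seeded from n so results are repeatable."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    """Random prime with exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(modulus_bits, seed=None):
    """Bob runs this on his own machine; returns ((n, e), (n, d)). d never leaves it."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = random_prime(modulus_bits // 2, rng), random_prime(modulus_bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def encrypt(public_key, message):
    """'Wrap' with the public key: c = m^e mod n (anyone may do this)."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(private_key, ciphertext):
    """'Unwrap' with the private key: m = c^d mod n (message has no leading zero byte)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def factor_by_trial_division(n):
    """What a node holding only the public key would have to do: recover p and q.
    Slowest method on purpose; even the best known algorithms fail at real sizes."""
    if n % 2 == 0:
        return 2, n // 2
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    return None  # n is prime (or 1): nothing to split

def recover_private_key(public_key, p, q):
    """With p and q in hand, d follows at once; without them it does not."""
    n, e = public_key
    return n, pow(e, -1, (p - 1) * (q - 1))

def run_exchange(modulus_bits=128, seed=2011, message=b"Hi Bob!"):
    """Alice -> ISPs/backbone -> Bob: plaintext exists only at the two endpoints."""
    bob_public, bob_private = generate_keypair(modulus_bits, seed)
    c = encrypt(bob_public, message)
    return {"at_alice": message, "seen_by_nodes": c, "at_bob": decrypt(bob_private, c)}

def factoring_cost(bits_list=(24, 32, 40), seed=7):
    """Seconds of trial division per modulus size, plus whether d was recovered."""
    results = []
    for bits in bits_list:
        public, private = generate_keypair(bits, seed)
        start = time.perf_counter()
        p, q = factor_by_trial_division(public[0])
        elapsed = time.perf_counter() - start
        results.append((bits, elapsed, recover_private_key(public, p, q) == private))
    return results

if __name__ == "__main__":
    print(run_exchange())
    for bits, secs, ok in factoring_cost():
        print(f"{bits}-bit modulus factored in {secs:.4f}s; private key recovered: {ok}")
```

Each extra 2 bits of modulus roughly doubles the trial-division time printed above, which is the one-way asymmetry the slide relies on.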

Objection – Isn't There a Back Door?
- As with Clipper Chip, law enforcement would love to have a back door
- Back door = designed security flaw in the system
  - May be that law enforcement only can read (Clipper Chip)
  - May be that software/service provider can read (they promise security but keep a secret way in)
- Goal of back door:
  - All the good guys can get in (and know they can ask for it)
  - No one else, including bad guys, gets in:
    - Criminals and their hackers
    - Foreign governments and spy services
    - Ph.D. computer experts
    - White hat hackers – people who detect flaws and tell CERTs and others about them

The Likelihood of Back Doors?
- Let's think through the likelihood that widely-used strong encryption actually has back doors for some law enforcement/national security agencies
- My view – much less likely than many people think
- Swire writings on when secrecy helps/hurts security
  - Key point is that secrecy is not likely to be successful when there are many attackers, who can attack repeatedly, and can report successful attacks
  - A simpler way to say this: Wikileaks
- What likelihood that the FBI has been pervasively using a backdoor, with knowledge of software/services companies, and it hasn't leaked since 1999 approval of strong crypto?
- What likelihood that none of the smart Ph.D.s and white hat hackers have ever found an example of this?
- What brand effect on Microsoft (BitLocker) and other global brands if they promised security and secretly broke it? What penalties for fraud?

Why We Don't Want Weak Cybersecurity
- Key point so far on encryption – weak crypto is weak cybersecurity
- A world full of attackers can and will read data sent over the Internet unless there is strong crypto
- Indian and all other governments have spoken strongly about the need for strong cybersecurity
  - Numerous quotes about the need for strong cybersecurity
  - "Cyber warfare and threats to cyber security are fast becoming the next generation of threats. We need to make our cyber systems as secure and as non-porous as possible." Indian Defense Minister, Shri A.K. Antony, May 2010
- Critical infrastructure open to attack
  - Financial system
  - Medical records and other sensitive personal information
    - Including records used in cross-border provision of services

Lack of Strong Crypto as Legal Violation
- Strong crypto increasingly becoming a legal requirement
- State of Massachusetts computer security law now in effect
  - Strict penalties for loss of laptop or other loss of data unless strong encryption in place
- U.S. funding of $19 billion for electronic health records
  - Rules for reimbursement
  - Strong encryption is expected to qualify for funding
- More generally, numerous laws worldwide require cost-effective security measures, on pain of penalties
  - What is "adequate protection" under E.U. law?
  - For instance, Gramm-Leach-Bliley safeguards rule for U.S. financial services
  - With strong crypto low-cost and pervasive, its absence violates many laws

Conclusion
- Privacy and cybersecurity are key information law issues for the information age
- New generation of lawyers will become expert on these topics
  - International Association of Privacy Professionals, from 140 people in 2001 to over 2000 people at the conference this year, over 7000 members (CIPP certification)
- Intellectually interesting – law to match cutting-edge technology, trying to govern global data flows
- For lawyers who understand the needs of technology, business, and government, the chance to build a better Information Society
- Come aboard for this interesting ride