Ukrainian Cyber Expert Andrii Paziuk to speak at Internet Governance Lab Roundtable on September 20th

On Wednesday, September 20, 2017, Ukranian cyber expert Andrii Paziuk will discuss “Digital Policy, Civil Rights, and Security” as part of the Internet Governance Lab’s Roundtable Speaker Series. The event will take place at 2:30 pm in McKinley Room 305.

As a 2017-18 Humphrey Fellow at AU’s Washington College of Law, Mr. Paziuk’s work draws on his experience in government, industry, and academia to explore questions focused on the intersection of cybersecurity, privacy, and transborder data flows.

Prior to joining AU Mr. Paziuk worked for the Parliament of Ukraine as a legal adviser and an assistant to Members of Parliament. Since 2012, Mr. Paziuk has been a lecturer and LL.M. program moderator of International Cyber Law at Taras Shevchenko National University of Kyiv. He completed his Ph.D. thesis on the protection of privacy and personal data trans-border flows in 2004 and his post-doctoral thesis on International Cyber Law in 2016. Paziuk is also an adviser to the State Special Telecommunications and Information Protection Service, a member of the Steering Committee of Ukrainian National Internet Governance Forum, and co-founder and chairman of the NGO Partners for Digital Rights Defenders and Vice-President to the Ukrainian Academy of Cyber Security. His current research is focused on ‘The Rule of Law and Internet Governance’ exploring recent trends in digital policy and law, civil rights, and security issues. 

 

Advertisements

Internet Governance Lab Welcomes Faculty Fellow Dr. Eric Novotny

Joining the Internet Governance Lab as a Faculty Fellow, Dr. Eric Novotny is the Hurst Adjunct Professorial Lecturer in the School of International Service at American University. He is also Senior Advisor, Democracy, and Technology, at the U.S. Agency for International Development. In this position, Dr. Novotny designs and manages a large portfolio of programs that use advanced information and communication technologies (ICTs) to stimulate economic growth, improve democratic processes, and reform governance policies in developing countries. Some of these efforts are stand-alone technology and governance projects while others embed advanced ICTs in larger development projects in applied areas such as service delivery and critical infrastructure. USAID has assistance programs in 80 countries worldwide. He holds a B.A. in Political Science, and M.A. in Government, and a Ph.D. in International Relations from Georgetown University, as well as an M.Phil in Management Studies from Oxford.

Dr. Novotny also serves as a faculty coordinator and coach for the Cyber 9/12 Student Challenge (along with Washington College of Law professor Melanie Teplinksi), a global competition designed to “encourage and educate the next generation of foreign policy leaders in cyber security issues.” Sponsored by the Atlantic Council, the annual event features teams of students from universities around the world competing to analyze, synthesize, and respond to the technical, legal, and policy issues involved in a fictional cyber security related scenario. In 2017 46 teams from 35 universities participated with AU teams winning awards three out of the past five years.

As the Program Director for the School of International Service Masters program in US Foreign Policy and Security Studies in the Fall, Dr. Novotny will teach courses in International Communication and Cyber Security Policy. In this capacity, Dr. Novotny will also continue his research, which focuses broadly on the intersection of Cyber Security and Internet Freedom, including projects titled, “Building Anti-Censorship into the Core Internet Architecture,” “Cyber Security Risk Management for Non-governmental Organizations,” and “Cyber Cabalities and Interference in the Electoral Process.”

 

 

Internet Governance Lab at Cyber Week in Tel Aviv

As a massive cyberattack spread across the globe on Tuesday, cybersecurity experts gathered in Tel Aviv for Cyber Week 2017, an annual conference bringing together scholars, industry leaders, and government officials to share methods and knowledge on a range of topics relevant to cybersecurity.

Among the experts in attendance was American University School of Communication Professor and Internet Governance Lab Co-director Dr. Laura DeNardis, who delivered a presentation titled “Privacy Complications in Cyber Physical Systems,” examining the privacy and security implications of the “Internet of Things.”

Also at the conference was Washington College of Law Professor and Internet Governance Lab Faculty Fellow Jennifer Daskal, who presented her work “Data and Territory: A Round Peg in a Square Hole,” addressing conflicts of law occurring at the intersection of the Internet and jurisdiction.

Both presentations, and indeed the entire conference, could not have been more timely.

On Tuesday ransomware attacks spread from Ukraine across the globe, crippling thousands of systems, including a major shipping company, at least one airport, ATM machines, and supermarket cash registers. Coming on the heels of a similar attack in May using the WannaCry ransomware, Tuesday’s Petya ransomware attack also used Eternal Blue, one of several hacking tools stolen from the National Security Administration and leaked by a group called the Shadow Brokers. And while it is still unclear who may be behind this latest attack (the fact that neither ransomware attacks collected much in the way of ransoms is leading some to suggest proxies working on behalf of nation-states), Professor DeNardis’s presentation underscored the extent to which the Internet of things introduces countless new vectors through which malicious code can spread.

Meanwhile, Professor Daskal’s discussion focusing on the incongruities of territorial sovereignty in cyberspace proved especially salient on Wednesday as Canada’s Supreme Court ruled that it could force Google to remove search results worldwide. Also on Wednesday, Pavel Durov, founder of the controversial messaging app Telegram, agreed to comply with a Russian law that requires information technology companies operating in the country to store data locally, as well as agreeing to hand over information to Russian authorities on request.

Cyber Week 2017 runs through Thursday, June 28th. You can follow along at #CyberWeek.

Q&A with Internet Governance Lab Faculty Fellow Jennifer Daskal

Joining the Internet Governance Lab as a Faculty Fellow, Jennifer Daskal is an Associate Professor of Law at American University Washington College of Law, where she teaches and writes in the fields of criminal, national security, and constitutional law. She is on academic leave from 2016-2017, and has received an Open Society Institute Fellowship to work on issues related to privacy and law enforcement access to data across borders. From 2009-2011, Daskal was counsel to the Assistant Attorney General for National Security at the Department of Justice. Prior to joining DOJ, Daskal was senior counterterrorism counsel at Human Rights Watch, worked as a staff attorney for the Public Defender Service for the District of Columbia, and clerked for the Honorable Jed S. Rakoff. She also spent two years as a national security law fellow and adjunct professor at Georgetown Law Center.

Daskal is a graduate of Brown University, Harvard Law School, and Cambridge University, where she was a Marshall Scholar. Recent publications include Law Enforcement Access to Data Across Borders: The Evolving Security and Rights Issues (Journal of National Security Law and Policy 2016); The Un-Territoriality of Data (Yale Law Journal 2015); Pre-Crime Restraints: The Explosion of Targeted, Non-Custodial Prevention (Cornell Law Review 2014); and The Geography of the Battlefield: A Framework for Detention and Targeting Outside the ‘Hot’ Conflict Zone (University of Pennsylvania Law Review 2013). Daskal has published op-eds in the New York TimesWashington Post, and International Herald Tribune and has appeared on BBC, C-Span, MSNBC, and NPR, among other media outlets. She is an Executive Editor of and regular contributor to the Just Security blog.

Recently, we discussed her research and some of the many hot topics arising at the intersection of Internet governance and national security law. 

You’ve worked at the Department of Justice, in the NGO space at Human Rights Watch, in the DC Public Defender’s office, and now in academia. How do these varied experiences inform your current work? When it comes to the intersection of Internet governance and national security law, does Miles’s law hold (does where you stand really depend on where you sit)?

The move from Human Rights Watch to the National Security Division at the Department of Justice was quite eye-opening.  I thought I had prepared myself for the shift, but the adage that where you stand depends on where you sit turned out to be even more true than I had imagined.  In many ways, it makes sense.  At Human Rights Watch, the primary goal was to ensure that government pursued its national security policies in ways that protected human rights.  In the government, the primary goal was to protect the American public from the perceived national security threats.  Ideally, these two goals work in tandem, and both policy and law are generally at their best when it does.  But the primary starting point is quite different and that alters the lens through which just about everything is viewed.

Much of your research focuses on law enforcement’s use of online data.  To what extent are law enforcement officials concerned about the risks of fragmentation/balkanization associated with data localization and so-called “Internet sovereignty”? 

That depends a great deal on who you ask (and where you sit).  As Americans, we have long been used to having access to or control over a majority of the world’s data, thanks in large part to the dominance of American service providers.  Fragmentation of the Internet is thus a threat that undermines this dominance. But for many countries, this is not the case.  Mandatory data localization requirements and Internet fragmentation provide a means of ensuring access to sought-after data and asserting control.

From my perspective, these trends are quite concerning.  Mandatory data localization laws are extremely costly for companies that want to operate internationally, often pricing smaller start-ups out of the market.  The trend toward localization also serves as a means for authoritarian governments to limit free speech and assert increased control.

Any early indications as to how the new administration may handle cross-border data requests? Should we expect a more transactional approach, more multilateral cooperation, or a continuation of the status quo? What impacts could such decisions have on privacy and interoperability? 

The new administration hasn’t yet taken a public stance on these issues, but there are two key issues that ought to be addressed in short order.  First is the concerning impact of the Second Circuit decision in the so-called Microsoft Ireland case.  As a result of that decision, U.S. warrants for stored communications (such as emails) do not reach data that is held outside the United States. If the data is outside the United States, the U.S. government must make a mutual legal assistance request for the data to the country where it is located – even if the only foreign government connection to the investigation is simply that the data happens to be held there.  This makes little normative or practical sense, incentivizes the very kind of data localization efforts that the United States ought to be resisting, undercuts privacy, and is stymying law enforcement’s ability to access sought-after data in legitimate investigations.

As numerous Second Circuit judges opined, Congress should weigh in—and the new administration should support an update to the underlying law.  Specifically, Congress should amend the underlying statute to ensure U.S. law enforcement can access to extraterritorially-located data pursuant to a warrant based on probable cause, but also ensure that both law enforcement and the courts take into account countervailing foreign government interests.

Conversely, foreign governments are increasingly frustrated by U.S. laws that preclude U.S.-based companies from turning over emails and other stored communications content to foreign governments – even in situations where the foreign governments are seeking access to data about their own citizens in connection with a local crime.  These frustrations are also further spurring data localization requirements, excessively broad assertions of extraterritorial jurisdiction in ways that put U.S. companies in the middle of two conflicting legal obligations, and use of surreptitious means to access sought-after data.  These provisions should likewise be amended to permit, in specified circumstances, foreign governments to access that data directly from U.S.-based companies.  The legislation should specify baseline substantive and procedural standards that must be met in order to benefit from this access – standards that are essential to protecting Americans’ data from overzealous foreign governments.

What role do private companies play in establishing the normative and legal bounds of cross-border data requests? Do you see this role changing going forward?

Private companies play significant roles in numerous different ways.  They are, after all, the recipients of the requests.  They thus decide when to object and when to comply.  They also have a strong policy voice – meeting with government officials in an effort to shape the rules.  And they also exert significant power through a range of technological and business decisions about where to store their data and where to locate their people; these decisions determine whether they are subject to local compulsory process or not.

While the majority of ISPs and content platforms are currently located in the U.S., many have expressed concerns about the long-term impact(s) policies like Trump’s travel ban could have for Silicon Valley. Taking these concerns to their logical conclusion, do you see the geography of ISPs and content platforms changing significantly as a result of these policies, and if so, how might these changes alter the legal landscape vis-a-vis cross-border data requests?

I think it’s a fair assumption that whatever the reason, at some point the share of ISPs and content platforms located in the United States will decrease.  It is, as a result, critically important that the United States think about the broader and long-term implications of the rules it sets.  At some point, it may no longer hold the dominant share of the world’s data and will need the cooperation of foreign partners to access sought-after data.  The rules and policies that are adopted should take these long-term interests into account.

Can you tell us a bit about what you’re currently working on?

I continue to work on issues associated with law enforcement access to data across borders, engaging in a comparative analysis as to how some of these key issues are playing out in both the United States and the European Union.  More broadly, I am also examining the increasingly powerful role of private sector in setting norms, policies, and rules in this space. And I continue to do research and writing on the Fourth Amendment as it applies to the digital age. 

New Paper on Cyber Sovereignty v. Distributed Internet Governance

fullsizerender2261

On November 30, 2016, Laura DeNardis, Gordon Goldstein, and Ambassador David A. Gross presented their new paper, “The Rising Geopolitics of Internet Governance: Cyber Sovereignty v. Distributed Governance at the Columbia School of International and Public Affairs (SIPS) on November 30, 2016. The paper was part of the Columbia SIPS Tech & Policy Initiative and the panel discussion was moderated by Columbia SIPA Dean Merit Janow.

 Internet governance is at a crossroads. The 21st century has given rise to two incommensurable visions for the global Internet and how it is governed. One envisions a universal network that generally supports the free flow of information and whose governance is distributed across the private sector, governments and new global institutions in an approach that has historically been described as “multistakeholder” governance. This vision has materialized, albeit imperfectly, in how the Internet and its coordination has historically progressed and is an approach advocated by the United States government and many other countries. This is the model of Internet governance that has dominated throughout the past decade. The competing vision advocates for greater multilateral and top-down administration of the Internet in the name of social order, national cyber sovereignty, and tighter control of information flows. China and other countries interested in greater administrative control over the flow of information have been vocal proponents of a more multilateral approach to Internet governance. These visions are often debated using the language of abstract theoretical constructs but they involve actual policy choices that have arisen in particular historical contexts and whose future will have tangible effects on American foreign policy interests, American values of freedom of expression and innovation, the global digital economy, and the stability and resiliency of Internet infrastructure itself. This paper provides some historical context to the rise of distributed Internet governance, describes some of the key geopolitical conflicts that involve incommensurability between the ideology of national sovereignty and the technical topology and transnational characteristics of private Internet infrastructure, and argues for the preservation of private-sector-led multistakeholder governance rather than a shift to greater government control.