This project addresses the question: What privacy rules should bind private corporations? It does so through a collaboration between a legal scholar knowledgeable about computer science issues and a computer scientist knowledgeable about legal and policy issues. The common themes running through the research are the current lack of agreed social norms concerning privacy, the interplay between computer security and privacy concerns, and the economic motivations that often are an important part of understanding various agents' actions. The goal is to contribute to the development of social norms concerning privacy that will simultaneously shape and inform both the development of appropriate technologies and appropriate business practices and laws. The interdisciplinary approach is essential to achieving this goal; it is also surprisingly unusual: There are remarkably few interdisciplinary examinations of privacy that effectively combine legal and computer science expertise. This project is a step toward remedying this lack. Together, the four aims address the immediate, serious, and unmet need for an approach to information privacy that is at once technically and legally sophisticated. The research will simultaneously shape and inform both the development of appropriate technologies and appropriate laws.
Broader impact. Currently, public-policy and legal research on cybersecurity policies and incentives that is deeply informed by computer science is in a fledgling state. Our research contributes to remedying this lack in the private sector. We do not consider governmental cybersecurity. We show how to design incentives, markets, and institutions to reduce both the likelihood of cyberattacks and the negative consequences of such attacks. We consider two key sources of unauthorized access: vulnerable software, and lack of adequate defense against malware.
Intellectual merit. Individuals, companies, and governments collectively lose billions when hackers exploit defects in software to gain unauthorized access to online information. Software buyers throw billions away because they demand low-priced, early-to-market software. Low-priced mass-market software often contains costly vulnerabilities. Reducing vulnerabilities requires a longer and more costly development process and sometimes yields software that is less easy to use. Buyers are unwilling to pay a higher price for more secure software that is slower to appear on the market and possibly more difficult to use. Our research contributes to the theoretical understanding of this problem by developing a theory of norms and markets and a theory of norm generation. The theory of norms and markets provides the theoretical tools for an informative characterization of norms and explains their incentive-shaping role in markets. A key point is that norms shape buyers’ demands. A mass-market buyer cannot unilaterally ensure that sellers will conform to his or her requirements; norms create collective demands to which profit-motive-driven sellers respond. It also explains how norms may be "suboptimal" (in a sense we define) and why we should create new norms to replace suboptimal ones. The theory of norm generation explains how to create the new norms.
We argue that buyers are trapped in the following suboptimal norm: "buyers demand low-priced (and hence vulnerability-ridden) software." We contend that a better norm is that buyers demand software designed following best practices for software development. One barrier to moving to the new "best practices" norm is that, although a variety of best practices exist, they do not comprise a sufficiently comprehensive set of practices. A sufficiently comprehensive set would define adequately justified overall tradeoffs between reducing software vulnerabilities and other key competing goals, such as promoting software innovation. No such set exists. We address this problem in the norm-generation theory.
The situation is very similar in regard to malware. We contend that the norm is that consumers demand end-user-located antimalware programs. We argue that this norm is suboptimal. A better norm would be for consumers to demand that ISPs provide best-practices malware defense. We argue both that the end users’ poor defense harms other third parties and that ISPs are much better positioned than end users to undertake some forms of defense. Malware raises two problems that software does not. Writing low-vulnerability software has much in common with writing high-quality software overall, which is a problem that has now been studied for several decades. While malware dates back to the 1980s, malware in its current form, for-profit, Internet-borne malware, dates back only to 2005. The notion of best practices for malware defense is much less developed, as are the defenses themselves. This poses a much more difficult norm-generation task.
This award funded a graduate student researcher for one year. Her research consisted in a 50-state survey of the place of technology in state privacy statutes. The graduate student and the two faculty researchers presented this material at a national conference on privacy.
The two faculty researchers presented their results at four conferences (and in conference proceedings) and in two law journal publications.