13 July 2018

Smith Review on APS Security

The Department of the Prime Minister and Cabinet (PMC) has released the report by Ric Smith AO PSM on his review of the Department's 'security procedures, practices and culture, including the implications for the Australian Public Service more broadly'. It

The review followed publication by the ABC of a webpage called "The Cabinet Files", which featured a series of classified Commonwealth documents provided by a third party, reportedly found in locked filing cabinets at a second-hand furniture shop in Canberra. Publication occasioned much schadenfreude across the APS.

The ABC comments 'Hundreds of top-secret and highly classified cabinet documents have been obtained by the ABC following an extraordinary breach of national security'.
The Cabinet Files is one of the biggest breaches of cabinet security in Australian history and the story of their release is as gripping as it is alarming and revealing. 
It begins at a second-hand shop in Canberra, where ex-government furniture is sold off cheaply. The deals can be even cheaper when the items in question are two heavy filing cabinets to which no-one can find the keys. They were purchased for small change and sat unopened for some months until the locks were attacked with a drill. Inside was the trove of documents now known as The Cabinet Files. 
The thousands of pages reveal the inner workings of five separate governments and span nearly a decade. 
Nearly all the files are classified, some as "top secret" or "AUSTEO", which means they are to be seen by Australian eyes only. 
But the ex-government furniture sale was not limited to Australians — anyone could make a purchase. 
And had they been inclined, there was nothing stopping them handing the contents to a foreign agent or government.
The Australian Federal Police (AFP) lost nearly 400 national security files in five years, according to a secret government stocktake contained in The Cabinet Files. 
The Department of Prime Minister and Cabinet regularly audits all government departments and agencies that have access to the classified documents to ensure they are securely stored. 
The missing documents are not the same files the ABC has obtained. 
The classified documents lost by the AFP are from the powerful National Security Committee (NSC) of the cabinet, which controls the country's security, intelligence and defence agenda. 
The secretive committee also deploys Australia's military and approves kill, capture or destroy missions. 
Most of its documents are marked "top secret" and "AUSTEO", which means they are to be seen by Australian eyes only.
The Department states it referred the matter to the Australian Federal Police for investigation into how these documents left the Commonwealth's possession; it is reasonably evident that the documents came from within PMC.

The Terms of Reference for the Smith review were
At 12 noon on Wednesday 31 January, the ABC published a webpage called "The Cabinet Files". The webpage referenced a series of classified Commonwealth documents provided to the ABC by a third party, reportedly following the purchase of locked filing cabinets at a second-hand furniture shop in Canberra. 
The Secretary of the Department of the Prime Minister and Cabinet (PMC) has referred this matter to the Australian Federal Police (AFP) for investigation into how these documents left the Commonwealth's possession. The Secretary has confirmed that it is reasonably evident that the documents came from within PMC. 
As part of the response to this incident, the Secretary has commissioned Mr Ric Smith AO PSM to undertake an independent review of PMC's security procedures, practices and culture, including the implications for the Australian Public Service more broadly. 
In order for it to effectively discharge its responsibilities, it is critical that the Australian Public Service appropriately safeguards all official information, to ensure its confidentiality, integrity, and availability. 
The review will make recommendations to ensure that PMC safeguards official information in an appropriately secure and practical manner that reflects the trust and confidence placed in them by the Government and the Opposition of the day, and will address the implications of these findings for the Australian Public Service. In particular, the review will consider PMC's security procedures, practices and culture, including:
• PMC practices, systems and documented procedures for handling, storing, disposing of and providing access to official information, as well as the safeguarding and disposal of assets used to store official information; 
• the effectiveness of these procedures in responding to staff movements and in different working environments; and 
• the formal and informal security culture within PMC, including internal communication and training regarding security, and the awareness, behaviours and attitudes of staff towards proper security.
The review will also address the implications of its findings on these matters for the broader Australian Public Service.
The 42-page report states
The incident that triggered this Review would have been very serious for any Public Service agency but was especially so for the Department of the Prime Minister and Cabinet (PMC) given its position at the apex of Commonwealth agencies. 
In commissioning this Review, the Secretary of the Department recognised the gravity of the incident and sought advice on measures that needed to be taken to optimise protective security management in the Department. 
The incident was investigated by the Australian Federal Police (AFP), whose report identified ‘human errors in the record keeping, movement, clearance and disposal of document storage containers by PMC in 2016 rather than a deliberate unauthorised disclosure’. 
This Review concluded that the Department should strengthen the high-level governance of its protective security responsibilities, and demand a more robust security culture in the organisation. While the Department’s procedures, protocols and guidelines are generally sound, they are in need of updating and modernising in response inter alia to its fast changing working environment. The shortcomings reflected in the incident which triggered this Review should be addressed through the revision of procedures, protocols and guidelines and through more targeted training programs. 
‘Protective security’ is a term which embraces the security of people, assets, systems, information and documents. Breaches of protective security may arise from activities or failures across a wide spectrum – ranging from espionage to carelessness and error, to assault on individuals, and attacks on property and assets. While the impact of breaches can be especially severe at the level of National Security, the importance of failings at any level should not be underestimated. They can affect government efficiency and inhibit frank consideration of policy or operational options. They can also erode confidence in the Public Service within both the Government and the Opposition, in the Australian community at large and among foreign governments with whom Australia works. Protective security is therefore critical to the functioning of government. 
In addressing its Terms of Reference, this Report describes the environment in which protective security must be managed within PMC (Chapter 1) and then, in order, describes and makes recommendations about:
• the protective security governance arrangements in place in PMC (Chapter 2), 
• the existing documentation in PMC, including practices, systems and procedures relating to protective security (Chapter 3), 
• PMC’s culture in regard to protective security and its relevant training programs (Chapter 4), and 
• the implications of the recent incident for the broader Public Service, including lessons that might be drawn from the Review for other agencies (Chapter 5).
It goes on to make the following recommendations
Chapter One: PMC’s operating environment 
1. PMC's risk management framework should clearly identify the risks associated with the Department's unusually complex operating security environment. 
2. As a matter of risk management, all staff joining PMC at the level of EL2 and above, or promoted to those levels, should be briefed on the complexity of the Department's working environment and the level and nature of the risk they, as managers, are responsible for managing. 
3. A further review should be undertaken after 12 months to confirm that the agreed recommendations in this Report have been implemented and, to the extent possible, to measure their effectiveness. 
Chapter Two: Protective Security Governance arrangements 
4. Protective security should be specified as one of the whole-of-department responsibilities of Deputy Secretary Governance, who should attend the quarterly meetings of the Government Security Committee which is chaired by the Attorney-General's Department, with Deputy Secretary National Security attending National Security related meetings as appropriate. 
5. The Executive Board should consider regular, say monthly, compliance or breach reports prepared jointly by the IT Security Advisor (ITSA) and Agency Security Advisor (ASA), including data on breaches and security waivers, recording any incidents of particular concern and explaining the remedial action taken. 
6. To facilitate security compliance reporting to the Executive Board, processes for recording security breaches should be improved as soon as practicable to ensure robust security data is collected to enable comparisons over time and between work units. 
7. This data should be used to ensure that staff who incur breaches are actively counselled. A staff member who incurs two breaches in a Performance Agreement year should be counselled by a First Assistant Secretary. Three breaches in a year should lead to counselling by the Secretary or Deputy Secretary, and should trigger a review of the staff member's security clearance. 
8. In anticipation of a recommendation from a current review of the Protective Security Policy Framework (PSPF), PM&C should nominate the head of Corporate Division as Chief Security Officer, responsible for both ICT and non ICT security. 
9. Corporate Division should prioritise the completion of an integrated, real-time framework to link staff profiles and movements (e.g. onboarding, leave, promotion, temporary secondments, and exit) with asset registers including responsibility for individual containers, the assignment of digital devices, and other PMC records. 
10. The 'clear desk' policy required in the Department's Protective Security Plan should be enforced, and security staff clearly mandated to record and report breaches. 
Chapter Three: PMC’s documented practices, systems and procedures 
11. PMC's Protective Security Plan (the Plan) and its supporting policies, protocols and guidelines should be updated as a matter of urgency to reflect Machinery of Government changes since 2015, lessons learned from the recent incident, increased digitalisation and changes in office configurations following from the implementation of 'Working Your Way'. 
12. The revision of the Plan and its supporting documents should aim for coherency and consistency across the Department's policies and procedures; avoid duplication; ensure that the revised documents are both clear and accessible; and distinguish clearly between those areas in which high-level principles are sufficient and those in which compliance-based directions are necessary. 
13. New and specific requirements to the disposal and relocation of security containers should be implemented with immediate effect. Detailed recommendations are set out in the Annex of Chapter 3. 
14. Consideration should be given to whether secure containers should simply be destroyed, that is transferred to a scrap metal dealer, with drawers removed, rather than passed to agents for public sale at the end of their useful life. 
Chapter Four: Culture, training and behaviours 
15. The Secretary and Deputy Secretaries should lead in raising awareness and accountabilities for security across the PMC network, including by using opportunities in their weekly communication with staff. 
16. All Canberra-based new starters should be required to undertake face-to-face security training within the first week of starting at PMC, including IT security, Physical and Personnel security, and storage and handling of Cabinet documents. 
17. All staff in the regional network should be required to complete mandatory online induction training within a week. 
18. In parallel, a PMC team, comprising Learning and Development staff and security personnel, should regularly evaluate the effectiveness of the Department's security training, including assessing the value of face to face training versus e learning modules and training. 
19. PMC's Security section should initiate random but frequent internal security checks, and periodic independent audits of staff security, with an emphasis on the storage of classified information. The outcomes of regular audits should inform targeted areas for further training and nudges. 
20. The ASA and the ITSA should consider working with the Behavioural Economics Team of the Australian Government to assess options for increasing security awareness at key points in information and document management processes. 
21. The redesign of PMC's working environments (physical and virtual), including the transition to Working Your Way, must be accompanied by a. an assessment of the implications of environmental changes, including the centralisation of key facilities such as shredders and storage facilities; b. enhanced promotion of advice for staff accessing PMC resources on mobile devices in public spaces. 
22. Consideration should be given to nominating 'Security Champions' in branches to help grow the security culture and establish a continuous line of communication with the ASA and ITSA. 
Chapter Five: Implications for the Australian Public Service 
23. Secretaries and agency heads should be advised to review protective security management arrangements in their agencies, paying particular attention to higher level governance and to ensuring an appropriate security culture. 
24. In addition to agencies' annual compliance reports, reports resulting from investigations or inquiries into significant security incidents in agencies should be passed to the Attorney-General's Department (AGD), redacted to exclude names and other personal or sensitive information; and AGD should use these reports and the agency compliance reports to develop an annual assessment for the Attorney-General about the 'protective security hygiene' of Commonwealth agencies. 
25. AGD should be asked to engage regularly with 'security executives' or ASAs to enable exchanges of information about developments in the area of non-IT protective security and to share 'lessons learned' from any investigations, reports or reviews in the area of protective security. 
26. The Australian Signals Directorate (ASD) should be asked to facilitate exchanges of information about cyber security and risk assessments to support greater alignment of risk and planning across agencies. 
27. AGD should be asked to survey suitable protective security courses and security training services, including but not limited to courses offered through Registered Training Organisations, and ask agency heads to review the training needs of their staff in this area. 
28. Protective security should be routinely included as a standing item on the agenda for Secretaries' Board meetings to enable the Secretary of AGD to report significant incidents and other matters of non-compliance with the PSPF, and to enable the Secretary of PMC to advise Secretaries on matters relating to agencies' handling of Cabinet documents.

Procreative Liberty

'Privatizing Procreative Liberty in the Shadow of Eugenics' by Dov Fox in (2018) Journal of Law and the Biosciences comments 
John Robertson is renowned for the theory of ‘procreative liberty’ that he expounded in his pioneering book, Children of Choice. Procreative liberty captures the ‘freedom to reproduce without sex’ above and beyond the ‘freedom to have sex without reproduction’ that are recognized by constitutional rights to abortion and birth control. Most controversial among Robertson's work on procreative liberty was its application to prenatal selection. Unless the state had very good reasons, he argued, people should be free to access reproductive medicine or technology to have a child who is or would be born with particular traits. Prospective parents in the USA today face no official limits in using sperm banks, egg vendors, IVF clinics, or surrogacy agencies with an eye toward choosing for certain characteristics. But should they be protected, this essay asks, when mix-ups or misdiagnoses thwart the selection of offspring traits? The best answer to this question extends the theory of procreative liberty from government restrictions to professional negligence. It also demands sensitivity to genetic uncertainty, the limits of private law, and the history of eugenics in America.
Fox states
“Procreative liberty” draws life from the constitutional rights to access birth control and abortion. The U.S. Supreme Court has designated those practices among the handful of fundamental rights—like freedom of thought and movement—that demand the greatest measure of protection against government intrusion. So federal and state actors can’t ban contraception or abortion without the strongest possible justification. But neither right entitles a woman who can’t afford them to the “financial resources” they’d need “to avail herself of” those otherwise “protected choices.” These rights paradigmatically target the decision to prevent or end an unwanted pregnancy. But they also empower individuals to achieve wanted parenthood by refusing contraception or abortion. The Court articulated these rights in not just negative but positive terms: “to accomplish . . . conception”; “to conceive and to raise one’s children”; “whether to bear or beget.” Robertson argued such protections should extend to reproduction with assistance from donors, surrogates, or technology. But he appreciated that the landmark privacy cases allow this broader reach just as surely as they don’t compel it. Indeed, the Supreme Court hasn’t yet spoken to the involvement of third parties in reproductive rights. And state courts for their part almost always decline invitations to enlarge those rights beyond government restrictions on abortion and birth control. They’ve upheld restrictions on reproduction, for example, that range from probate conditions that forbid procreation and judicial orders barring drug-using parents from having additional children until they get clean to bans on donating sperm without pay and rules barring prisoners from mailing their sperm to their wives for the purpose of insemination. 
Professor Robertson weighed in on many of these questions over the years as advances in the methods and mores of procreation dramatically transformed the reproductive landscape over the quarter-century since his book’s publication, including recently in the pages of this journal on matters of egg freezing and uterine transplants.
Most controversial among Robertson’s work on procreative liberty was its application to the prenatal selection of offspring characteristics. People should have a constitutional right, in his view, against laws that limit the use of reproductive medicine or technology to have (or avoid having) a child who is (or would be) born with particular traits. If people are generally free to choose whether or not to reproduce, Robertson argued, and if the genetic characteristics of expected offspring will affect that decision, then they should also be generally free to use genetic information in making those decisions. ...
... This essay seeks to extend Robertson’s arguments about procreative liberty from public restrictions to private ones, from government officials to medical professionals, from constitutional law to contracts and torts. Courts have consistently held that the private “law does not recognize disruption of family planning either as an independent cause of action or element of damages.” Contract or tort actions against wrongfully frustrated donor screening or embryo selection need “not [be] coextensive with or measured by the woman’s constitutional right to decide the fate of her pregnancy.” But reproductive interests in one domain of law can usefully inform the other. My focus lies with thwarted selection of offspring traits — what I have elsewhere called “confounded procreation.” The plaintiffs in these cases wanted a baby and got one, except that the defendant’s negligence led them to get a baby with genetic traits that are different than those they’d used reproductive medicine to select for. What they wanted, for any number of reasons, wasn’t just any child, but a child of a particular type. So they review ultrasound images or peruse donor profiles that enable them to learn certain information about what potential offspring might be like. Their goal is to use that information to choose among possible cells or tissues or nascent human beings before deciding which will be born or implanted or conceived. But then professionals fertilize patients with the wrong sperm, implant another couple’s embryos, misrepresent donor information, or misdiagnose fetuses. These kinds of errors lead patients to initiate, continue, or terminate pregnancies in ways that frustrate their preferences for a child of one kind or another. The most common thing that prospective parents are looking for when they use prenatal screening today is a child who’s biologically related to them or who’s free of some disease that they’re at risk of passing on. 
Other would-be parents are looking for traits other than health or heredity. Some people might try to have a girl or boy for nonmedical reasons; others a child who resembles their physical or other genetically influenced features that matter to them.

Critical Infrastructure

The Critical Infrastructure Security Act 2018 (Cth) is meant to provide a framework for managing risks to national security relating to critical infrastructure, including by:
(a) improving the transparency of the ownership and operational control of critical infrastructure in Australia in order to better understand those risks; and 
(b) facilitating cooperation and collaboration between all levels of government, and regulators, owners and operators of critical infrastructure, in order to identify and manage those risks. 
That framework does not construe telecommunications as critical infrastructure, in contrast to much overseas planning in terms of 'critical information infrastructure'.

The framework centres on disclosure of ownership and control, reflecting recent anxieties regarding overseas ownership of major facilities. It consists of
(a) the keeping of a register of information in relation to critical infrastructure assets (the register will not be made public); 
(b) requiring certain entities relating to a critical infrastructure asset to provide information in relation to the asset, and to notify if certain events occur in relation to the asset; 
(c) allowing the Minister to require certain entities relating to a critical infrastructure asset to do, or refrain from doing, an act or thing if the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security; 
(d) allowing the Secretary to require certain entities relating to a critical infrastructure asset to provide certain information or documents; 
(e) allowing the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset.
Certain information obtained under, or relating to the operation of, the Act is 'protected information', with restrictions on when a person may make a record of, use or disclose that information. Protected information is information that:
(a) is obtained by a person in the course of exercising powers, or performing duties or functions, under this Act; or 
(b) is the fact that the asset is declared under section 51 to be a critical infrastructure asset; or 
(c) was information to which paragraph (a) or (b) applied and is obtained by a person by way of an authorised disclosure under Division 3 of Part 4 or in accordance with section 46.
Civil penalty provisions of the Act may be enforced using civil penalty orders or injunctions, and enforceable undertakings may be accepted in relation to compliance with civil penalty provisions. The Regulatory Powers (Standard Provisions) Act 2014 (Cth) is applied for these purposes. Other provisions may be enforced by imposing a criminal penalty.

The Minister for Home Affairs may privately declare a particular asset to be a critical infrastructure asset so that the Act applies to it. A private declaration can only be made if there would be a risk to national security if it were publicly known that the asset is critical infrastructure that affects national security. Presumably many people in academia, the consulting sector and journalists will make correct inferences.

The Secretary of the Home Affairs Department must give the Minister reports, for presentation to the Parliament, on the operation of the Act. Do not expect, of course, that the reports will be particularly detailed.

Under section 9 an asset is a critical infrastructure asset if it is:
(a) a critical electricity asset; or 
(b) a critical port; or 
(c) a critical water asset; or 
(d) a critical gas asset; or 
(e) an asset declared under section 51 to be a critical infrastructure asset; or 
(f) an asset prescribed by the rules for the purposes of s 9. 
An asset is a critical electricity asset if it is:
(a) a network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers; or 
(b) an electricity generation station that is critical to ensuring the security and reliability of electricity networks or electricity systems in a State or Territory, in accordance with subsection (2). 
Rules may prescribe requirements for an electricity generation station to be critical to ensuring the security and reliability of electricity networks or electricity systems in a particular State or Territory.

An asset is a critical port if it is land that forms part of any of the specified security regulated ports: Broome; Adelaide; Brisbane; Cairns; Christmas Island; Dampier; Darwin; Eden; Fremantle; Geelong; Gladstone; Hay Point; Hobart; Melbourne; Newcastle; Port Botany; Port Hedland; Rockhampton; Sydney Harbour; and Townsville.

An asset is a critical gas asset if it is any of the following:
(a) a gas processing facility that has a capacity of at least 300 terajoules per day or any other capacity prescribed by the rules; 
(b) a gas storage facility that has a maximum daily quantity of 75 terajoules per day or any other quantity prescribed by the rules; 
(c) a network or system for the distribution of gas to ultimately service at least 100,000 customers or any other number of customers prescribed by the rules; 
(d) a gas transmission pipeline that is critical to ensuring the security and reliability of a gas market, in accordance with subsection (2). 
The rules may prescribe:
(a) specified gas transmission pipelines that are critical to ensuring the security and reliability of a gas market; or 
(b) requirements for a gas transmission pipeline to be critical to ensuring the security and reliability of a gas market.

12 July 2018


'The Case of the Religious Gay Blood Donor' by Brian Soucek in William and Mary Law Review (Forthcoming) comments
The Food and Drug Administration prohibits sexually active gay men from donating blood. This essay envisions an original legal challenge to that rule: not the predictable equal protection suit, but a religious freedom claim brought by a gay man who wants to give blood as an act of charity. Because the FDA’s regulations substantially burden his exercise of religion—requiring a year of celibacy as its price—the FDA would be forced to show that its policy is the least restrictive means of preventing HIV transmission through the blood supply. Developments in testing technology and the experience of other countries suggest that this would be hard to prove. 
A lawsuit like this would either produce a major victory for gay rights or, as likely, would force courts to clarify and curtail some of the most controversial aspects of recent, mostly conservative, religious freedom efforts: their expansive view of religious burdens and their willingness to impose costs on the government or other third parties. In other words, by appropriating legal arguments from the right, a lawsuit like this presents a win-win proposition for progressive litigators. This essay considers why mainstream gay rights organizations may nonetheless shy away from bringing it.
Soucek's challenging article begins
Sexually active gay men cannot donate blood under current federal law. But federal law also prohibits the government from substantially burdening someone’s religious practice unless it is the least restrictive way of advancing a compelling governmental interest. 
So what happens if a gay man wants to donate blood as an act of charity—a religious practice encouraged by his church? 
This Essay imagines the lawsuit that might allow him to do so. The suit could go either of two ways. Given the generous understanding of religious liberty law in recent Supreme Court opinions, the case might be an easy win. Requiring celibacy as the price of living one’s faith surely counts as a burden that is substantial; and public health, while clearly a compelling governmental interest, does not necessitate such draconian means, as the experience of other countries, the testimony of medical experts, and advances in HIV testing all make clear. A win for the plaintiff would be a major gay rights victory, undermining an enduring and stigmatizing policy remnant of the AIDS crisis.
On the other hand, the government might claim that giving blood isn’t really a form of religious exercise, or that even if it is, it is a religious calling that can be answered in alternate ways. A gay man who wants to be charitable can donate money or time or soup—not blood. The government might also claim that expanding the pool of blood donors would either increase costs, if it is to be done safely, or else it would marginally increase the rate of HIV transmission through the blood supply—thereby imposing burdens on third parties like hemophiliacs and others who depend on transfusions of blood. 
This is all to say that the religious gay plaintiff could lose. But his loss would likely require courts to clarify—and curtail—some of the most controversial aspects of recent, mostly conservative, religious freedom efforts: the expansive and deferential notion of “substantial burden” at play in cases like Hobby Lobby, and the disregard for governmental and third-party costs seen in recent actions by the Department of Justice, the Department of Health and Human Services, and those across the country seeking exemptions to antidiscrimination laws that protect gays and lesbians. In short, the case is a coin toss: heads, gay rights advocates win; tails, religious conservatives lose.
It needs to be asked, then, why gay rights advocates are not clamoring to bring such a case. Perhaps they just haven’t thought of it; after all, it has never been proposed in academic literature. But Part IV of this Essay suggests that deeper considerations may be at play: worries about the way this litigation could provoke anti-gay backlash and reinforce stereotypes, even as it promises to disrupt the stereotypical opposition between religion and gay rights.
Before getting there, Part III, the heart of the Essay, shows how this hypothesized challenge brings together in a single case all of the deepest unanswered questions in recent religious liberty law—from the nature of religious burdens and the fungibility of religious practice, to the costs of granting exemptions and the ways those costs can be disbursed without violating the constitution. Part III looks at how a religious gay blood donor could win either by actually winning his case, or by a loss that manages to curb recent advances in religious freedom law that are currently threatening LGBT and women’s rights.
Prior to that, Part II shows how a religious freedom challenge to the gay blood donation ban differs from the more predictable equal protection challenge that others have discussed—and how the former may be a stronger claim. Part I begins by explaining the ban that is at issue in everything that follows.

Crypto and States

'Why Quantum Computing Will Not Destabilize International Security: The Political Logic of Cryptology' by Jon Lindsay comments
The implications of quantum information technology for cybersecurity and strategic stability seem worrisome. In theory, an adversary with a quantum computer could defeat the asymmetric encryption protocols that underwrite internet security, while an adversary using quantum communications guaranteed secure by the laws of physics could deny intelligence warning of surprise attack. To assess these claims, this article first develops a general political logic of cryptology grounded in the bargaining model of war, which understands uncertainty as an important cause of war and institutions as an important source of information. Cryptology of any technological vintage is shaped by both aspects of this logic, with ambiguous implications for strategic stability. In practice, strategic interaction between intelligence competitors using real quantum systems implemented in fallible human organizations will mitigate the impact of quantum computing. The upshot is that the revolutionary scientific innovation of quantum computing will probably have only marginal political impact, in part because the fields of cryptology and computing have already undergone important transformations in recent decades.
'Digital Switzerlands' by Kristen Eichensehr in (2019) 167 University of Pennsylvania Law Review (Forthcoming) comments
U.S. technology companies are increasingly standing as competing power centers that challenge the primacy of governments. This power brings with it the capacity to bolster or undermine governmental authority, as well as increasing public demands for the companies to protect users from governments. The companies’ power raises serious questions about how to understand their role. Scholars have proposed varying conceptions, suggesting that the companies should be understood as public utilities, information fiduciaries, surveillance intermediaries, or speech governors. This Article takes up another possibility, one suggested by the companies themselves: that they are “Digital Switzerlands.”
The companies’ claim to be Digital Switzerlands encompasses two ideas: that the companies are on par with, not subordinate to, the countries that try to regulate them, and that they are in some sense neutral. This Article critically evaluates the plausibility of these claims and explores how the companies differ from other powerful private parties. The Digital Switzerlands concept sheds light on why the companies have begun to resist both the U.S. and foreign governments, but it also means that the companies do not always counter governments. Understanding the relationship between companies, users, and governments as triangular, not purely hierarchical, reveals how alliances among them affect the companies’ behavior toward governments. But the companies’ efforts to maintain a posture of neutrality also carry a risk of passivity that may allow governmental attacks on users to go unchallenged. 
Turning to the normative, the Article proposes several considerations for assessing the desirability of having companies be Digital Switzerlands. Does the rise of the companies as competing power centers benefit individual users? Does the companies’ lack of democratic attributes render them illegitimate powers? If the companies claim the benefits of the sovereign analogy, should they also be held to the public law values imposed on governments, and if so, how? And if there is value in the companies acting as Digital Switzerlands, how can this role be entrenched to prevent backsliding? The Article offers preliminary answers to these questions, with the knowledge that the answers may well evolve along with the companies’ self-conception.

11 July 2018

Judicial Engagement and AV

'Judicial engagement and AV links: judicial perceptions from Australian courts' by Anne Wallace, Sharyn Roach Anleu and Kathy Mack in (2018) International Journal of the Legal Profession comments
Use of technology significantly impacts the nature of judicial work. While audio-visual (“AV”) links may generate some efficiencies, the increasing use of this technology conflicts with other important developments, notably procedural justice and therapeutic jurisprudence, which recognise and valorise the interactive nature of judicial work, especially sentencing in criminal cases. Analysing judicial perceptions of AV use in courts creates a clearer picture of its benefits and disadvantages, particularly in light of expectations of direct personal engagement.
The authors argue
Information and communications technologies are often key components of strategies to promote organisational efficiency and reduce costs in courts (see, for example, New South Wales Department of Justice, 2016–17 Annual Report). The use of audio-visual (“AV”) technology also has implications for managing judicial workloads and for the skills and qualities judicial officers need to perform their role. However, courtroom technology may have unintended effects on the quality of communication required for judicial work, especially with the defendant in criminal cases. 
After describing the volume and nature of work and the use of AV technology in Australian courts, the article draws on perceptions and experiences of judicial officers to investigate the implications of AV technology for the reciprocal communication between the judicial officer and others involved in the court process. This is important in light of developments, notably procedural justice and therapeutic jurisprudence, which valorise the interactive nature of everyday judicial work. 
This article reports findings from two projects. First, investigations undertaken nationally over the past decade by the Magistrates Research Project and Judicial Research Project (JRP) into several dimensions of judicial work. Second, research undertaken as part of a three-year empirical research project that investigated the use of AV links in Australian court proceedings (Gateways).

UK Research Integrity report

The UK House of Commons Science and Technology Committee report on research integrity comments
Research is fundamental to the process of pushing back the frontiers of human knowledge and understanding. Research helps cure diseases, tackle climate change, and understand the world around us. The UK has an enviable reputation for high-quality research, and researchers are among the most trusted groups of people in the eyes of the public. It is recognised that the vast majority of research undertaken in the UK is of high quality and high integrity.
Nevertheless, error, questionable practices, and outright fraud are possible in any human endeavour, and research integrity must be taken seriously and tackled head-on. The 2012 Concordat to Support Research Integrity provided a set of high-level commitments in this vein, but, six years on, while all the most research-intensive universities are complying with key recommendations of the Concordat, around a quarter of universities overall are not fulfilling the basic Concordat recommendation of producing an annual report on research integrity.
Compliance with the Concordat has technically been a prerequisite for receiving funding from UK research councils and higher education funding councils since 2013, but non-compliance has not led to any hard consequences. This reflects the fact that the Concordat has only high-level commitments and recommendations, meaning that ‘compliance’ is difficult to assess in practice. More broadly, there has been a lack of co-ordinated leadership to drive the implementation of its recommendations in universities, such as transparency in declaring the number of misconduct investigations carried out each year. The Concordat should be tightened so that compliance can be more easily assessed, with a timetabled route-map to securing 100% compliance. We welcome Universities UK’s plans to convene a meeting of the Concordat signatories to discuss the issues raised in our report and look forward to seeing further action in this area.
The current lack of consistent transparency means that it is impossible to assess the scale of the research integrity issue, leading to accusations that parts of the sector are policing themselves in a secretive way in order to maintain its reputation or, worse, a perception that investigations are not conducted properly in order to avoid embarrassment. Meanwhile, there is a risk that a future high-profile scandal could expose any weaknesses in this arrangement. Fraud appears to be rare, but the number of institutions reporting no investigations each year does not tally with other available information—the self-reported pressures on researchers to compromise on standards, an increase in the rate of journal articles being retracted, and a growth in image manipulation in articles. Part of the cause may be a lack of understanding of the principles of statistics among researchers, and greater emphasis should be placed on statistical rigour. The sector needs to see increased transparency and reporting of problems as a positive sign that issues are being identified and dealt with accordingly, rather than as a threat.
We see a gap in the UK research integrity system for a new committee to provide a means of independently verifying whether a research institution has followed appropriate processes in investigating misconduct, following similar models in Canada and Australia. The primary responsibility to investigate misconduct should remain with the employer, but there is also a need to improve confidence in the existing system of self-regulation and to adjust for the potential conflict of interest of ‘self-policing’. More broadly, the new committee should be responsible for championing research integrity in the sector, driving the future implementation of a tightened Research Integrity Concordat, and pursuing issues we identify in this report. The new committee will need to be established by and work closely with UK Research and Innovation, and produce an annual report on the state of research integrity in the UK. This is an opportunity for the research community to get ahead of this issue; without such a body being established, there is a risk that the demand for statutory regulation will grow in response to any future scandals, despite a consensus against such regulation within the community.
Meanwhile, there are other steps that can be taken to support research integrity rather than simply responding to problems. We are encouraged to hear that research integrity will form part of the ‘environment’ judgements for the next Research Excellence Framework, and that there are moves towards appropriate publishing of datasets, and better reporting of research methods. Meanwhile, UKRI needs to understand how the pressures and incentives within the research funding system affect research behaviour and consider where counterbalances are needed to ensure a healthy research culture. Training is key to ensuring that the right research culture is imbued by each new generation of researchers and their supervisors, and to ensuring that errors such as common misuses of statistics are avoided. In order to increase the effectiveness of research, increased emphasis should be put on the need to publish ‘negative’ research findings, especially in the field of medicine.
Employers, funders and publishers of research need to be able to share information to support investigations of misconduct, and it is encouraging that protocols are being developed to help employers to manage cases which cross institutional boundaries. 
The Committee states
In January 2017 our predecessor Committee launched a follow-up inquiry into research integrity, to coincide with the publication of a briefing on this topic from the Parliamentary Office of Science and Technology (POST). 
The Committee called for written submissions on the issues identified in the POST briefing, including:
  • The extent of the research integrity problem; 
  • Causes and drivers of recent trends; 
  • The effectiveness of controls/regulation (formal and informal), and what further measures if any are needed; 
  • What matters should be for the research/academic community to deal with, and which for Government.
That inquiry was ended prematurely by the dissolution of Parliament for the General Election in 2017. We decided to continue this inquiry in the new Parliament, drawing on the 82 submissions to our predecessors and a further 48 accepted and published by us. We held six oral evidence sessions, hearing from 27 witnesses. We are grateful for all these contributions to our work. 
We did not seek to investigate specific allegations of research misconduct or to re-open old cases. We and our predecessor Committee rejected several written submissions on that basis. However, a small number of cases are referred to in our report where they illustrate current issues relating to research integrity.
Its Conclusions and Recommendations are
1. The Science Minister’s initial reluctance to give evidence to our inquiry was disappointing, not least as it risked sending the message that the Government does not take this issue seriously. Nevertheless, we welcome the fact that the Minister was subsequently willing to appear and are grateful for his responses to our questions. (Paragraph 8) 
2. The Government rightly invests considerable sums of public money in research, and investment in research and development as a proportion of GDP is set to grow further in the coming years. The Government needs to be confident that all possible steps are being taken to ensure that this money is not wasted through problems with research integrity, and that the research that it buys is as reliable as possible. While the Government should not seek to interfere directly in research matters or compromise the independence of universities, it should nevertheless maintain an active interest in supporting research integrity and ensuring that all elements of self-regulation are functioning well in order to get the best value possible from public investment. (Paragraph 9) 
Understanding and measuring ‘research integrity’ 
3. The available data on misconduct investigations suggest that serious research misconduct is rare, but it is impossible to be certain without better data. There is a mismatch between the number of investigations and the scale of reported temptations to compromise on research standards, the ‘reproducibility crisis’ in some disciplines, the growth in journal article retraction rates, and trends in image manipulation. We hope that most researchers will never succumb to the temptations to compromise on research standards, and some of these trends may be the product of increased detection and correction of honest errors. Nevertheless, it is worrying that there seem to be so few formal research misconduct investigations conducted by universities. Increases in the number of investigations should be seen as a healthy sign of more active self-regulation. Further work is needed to determine the scale of the problem. (Paragraph 28) 
The Concordat to Support Research Integrity 
4. Most universities take their research integrity responsibilities seriously, but progress in implementing the Concordat to Support Research Integrity across the whole sector is disappointing. Six years on from the signing of the Concordat, the sector as a whole still falls some way short of full compliance in terms of publishing an annual statement, which risks giving the impression of pockets of complacency. We were surprised by the reasons that some universities gave for not publishing an annual statement on research integrity as recommended by the Concordat. The majority of universities have successfully balanced transparency against confidentiality in producing an annual statement, but a few are lagging behind and see transparency as a threat to their public image. Publishing an annual statement is a positive opportunity for an institution to set out the steps that it is taking to safeguard research standards, as well as to report on the number of investigations. We were encouraged that our letter to all Universities UK members prompted some of them to take steps to improve their compliance with the Concordat. More leadership is required to drive the implementation of the Concordat across the whole of the research sector, and we return to this issue in Chapter 6. We welcome Universities UK’s plans to convene a Research Integrity Forum meeting to consider our recommendations relating to the Concordat and look forward to seeing the results of their work. (Paragraph 39) 
5. Compliance with the Concordat has technically been a condition of receiving funding from research councils and higher education funding councils since 2013, but meaningful sanctions have never been deployed. The Concordat contains mainly high-level statements rather than explicit measurable requirements, and comprehensive information on ‘compliance’ is not collected by the funders. We recommend that the signatories update and strengthen the Concordat by making the requirements and expectations clearer, and produce a route map and timetable for reaching 100% compliance with the strengthened version within the next year. UKRI should collect and publish details of universities that are not compliant. In particular, the Concordat should be strengthened in relation to training on research integrity (discussed in Chapter 4), processes for responding to allegations of misconduct (see Chapter 5), commitments to clinical trials transparency (which we will return to in a dedicated report) and publication of ‘negative’ research results. (Paragraph 43) 
6. We endorse the Government Chief Scientific Adviser’s call for Government departments to sign up to the Concordat on Research Integrity to ensure consistency of approaches to research governance. If the Concordat is suitably strengthened, as we recommend above, this will be a useful step forward. We look forward to receiving further details of actions taken by the departments in response to his initiative in the Government’s response to this report. (Paragraph 46) 
Supporting and promoting the integrity of research 
7. It is surprising that most UK universities are not subscribers to the UK Research Integrity Office. The result is that the profile and impact of UKRIO might be highest with the institutions which already choose to participate, rather than the ones that might need the most help. The default assumption for all universities should be that they are subscribers to UKRIO, unless they can explain why they do not need to use UKRIO’s advisory services. We recommend that the Government and Universities UK write jointly to all universities to encourage them to engage with UKRIO and consider subscribing to its services. (Paragraph 50) 
8. Creating a healthy ‘research culture’ is just as important as tackling lapses in research integrity, and would help ensure that a career in research is attractive to those who value rigour, accuracy, honesty and transparency. We endorse Research England’s plans to require the REF 2021 assessors to consider how research integrity issues can be taken into account. We hope that this will underline the importance of research integrity to a healthy research environment, and counterbalance some of the pressures to compromise on integrity. For this to be successful it must be implemented in a way that encourages universities to be more transparent about research integrity and investigations, rather than an additional incentive to avoid drawing attention to lapses in integrity. (Paragraph 57) 
9. There is a need to understand more fully the effects of the current funding system on researcher and institutional behaviour, and consider how unwanted effects can be minimised. We recommend that UKRI commission research to understand the effects of incentives in the research system on researcher behaviour and assess where adjustments or counterbalances may be needed to support research integrity. (Paragraph 58) 
10. We are encouraged to hear that some universities make training in research integrity a mandatory part of doctoral studies and include it in their research supervisor training programme. It is important that the attitudes to research integrity transmitted to the next generation of researchers are the right ones, and that those supervising them are also suitably trained. We recommend that UKRIO provide guidance to universities on best practice in delivering training to doctoral supervisors. (Paragraph 66) 
11. The research councils do not have reliable information on what training is currently being delivered. The increased concentration of training, through ‘Centres for Doctoral Training’, presents an opportunity for monitoring whether suitable training on research integrity is being provided as part of a PhD. We recommend that UKRI assess whether suitable training is being provided in line with current requirements and report back to us on its findings. UKRI should also consider further the case for centralised provision of training on research integrity, or standards that could be set. (Paragraph 67) 
12. We recommend that UKRI consider how best to encourage research teams to engage with statisticians as part of their research, and how best to improve the statistical competencies of researchers in general. (Paragraph 68) 
13. We are encouraged to see moves towards open publishing of datasets, and steps being taken to improve reporting of research methods through reporting checklists. However, we also recognise the need for protocols for accessing research data to ensure that secondary analysis is conducted appropriately. The Centre for Data Ethics and Innovation should consider further how best to balance the need for data to be openly shared with the need to ensure that data is used responsibly in secondary analysis. (Paragraph 75) 
Detecting and responding to problems with research integrity 
14. There is a continuing need for publishers to invest in techniques and technologies to spot problems with research papers. While the purpose of peer review is not to detect fraud, the sector’s responsibility for the integrity of the research base includes taking reasonable steps to ensure that technology to detect problems is developed and put to good use. This may be an area in which market forces do not obviously support this investment of resource. A Concordat-style set of commitments in the academic publishing community to invest jointly in software for the detection of image manipulation—or common standards for checking images—may be required. We recommend that UKRIO convene a discussion with publishers to explore this. (Paragraph 82) 
15. Universities and other employers of researchers need to be able to demonstrate that they are following best practice in the way that investigations are conducted. The annual narrative report recommended by the Concordat (see Chapter 3) is one opportunity for institutions to review their processes and set out whether they reflect UKRIO’s guidance. Any suggestion that best practices are not being followed is a concern, particularly given the reputational risk of, for example, not using external panel members in some stages of the process. UKRIO’s guidance on misconduct processes was published in 2008; it is worrying that, ten years on, some institutions may not yet have acted on it. We recommend that following best practice in use of external panel members form an explicit part of a strengthened Concordat. (Paragraph 88)
16. Cases of researchers committing misconduct at a string of institutions suggest that either some universities are using non-disclosure agreements to keep misconduct quiet, or are not being sufficiently diligent in checking references when hiring researchers. Hiding misconduct through non-disclosure agreements is not acceptable, not least as it effectively makes the institution complicit in future misconduct by that individual. The Government should ask UKRI to consider how this practice can be effectively banned by institutions receiving public funds, and statements to this effect should be included in a strengthened Concordat (see Chapter 3). Meanwhile, there is a need for greater diligence in employers checking for past misconduct, and for previous employers fully disclosing such information. (Paragraph 101) 
17. Researcher mobility means that research misconduct investigations may require coordination between current and former employers, and between journals and funders. We are encouraged to see the Russell Group developing protocols for communicating with related parties when dealing with allegations that cross institutional boundaries. There is a need for all parts of the system to work together—including employers, funders and publishers of research outputs—but there appear to be problems with the required sharing of confidential information. We recommend that employers, funders and publishers of research work together to agree a protocol for information-sharing on researchers involved in research integrity problems in a way that meets employment protection legislation. Commitments in this vein could form part of a tightened Concordat (see Chapter 3). (Paragraph 106) 
Regulating research and researchers 
18. UK research has an enviable record of excellence and public trust, but this should not be taken for granted. There is a risk that public trust in science could be eroded in the future through high-profile examples of research misconduct, and a risk that this could lead to demands for knee-jerk and ill-advised changes to the research system in the UK. There is a need for the research community—including funders, publishers, and employers of researchers—to stay ahead of research integrity issues and how they are dealt with in public policy. The UK’s position of international high regard and public trust in researchers is strengthened if the community has the confidence to admit that no area of human endeavour is immune to misconduct and error at some scale. (Paragraph 110) 
19. We see a gap in the UK system for a body that can provide a means of independently verifying whether a research institution has followed appropriate processes to investigate misconduct, as in Australia and Canada. We recommend that the Government ask UKRI to establish a new national committee which could undertake this role. Employers should still have the first responsibility for investigating and taking action in response to allegations of research misconduct, but there should be a means of checking that processes have been followed appropriately. The new committee should be able to recommend to UKRI that funding be restricted or reclaimed if an employer has not followed appropriate processes in responding to research misconduct. While established under the auspices of UKRI, the new committee should have its own secretariat and sufficient independence from it so that it can act in cases where the research is not funded by UKRI. Without a body along the lines we suggest there is a risk that demands for statutory regulation will grow in the future. We recognise that there is a strong consensus within the community about the disadvantages that overbearing regulation could bring. We argue, however, that the onus is now on the community to support steps to avoid this. (Paragraph 122) 
20. We recommend that the national committee should also have formal responsibility for promoting research integrity, as the equivalent body does in Canada. Working with Universities UK, the new committee should take responsibility for driving the implementation of an updated and strengthened Concordat, and following up on other recommendations to the sector in this report. Meanwhile, UKRIO should continue its work in providing advice on research integrity and sharing best practice. It should now advise UKRI on the creation of the new body, including its work methods, drawing on the best international examples. (Paragraph 123) 
21. Transparency is a key feature of a healthy research integrity system. The new national research integrity committee we recommend should publish an annual report on the state of research integrity in the UK, looking across the whole of research, and collecting information on: retractions; misconduct investigations and their outcomes; Concordat compliance; and training undertaken. The data for this will come from university narrative statements and the aggregated data on screening-phase investigations that UKRI is now being provided with. The proposed national committee should also consider how best to engage industry with the issue of research integrity, and should incorporate meaningful information on this aspect in its annual report. (Paragraph 128)

10 July 2018

IoT Privacy report

The 151-page Clearly Opaque: Privacy Risks of the Internet of Things report by Gilad Rosner and Erin Kenneally comments
There have been many names for the IoT over time: ubiquitous computing, ambient intelligence, machine-to-machine communications, pervasive computing, and, most recently, cyberphysical systems. The terms emerged from various disciplines, but they all point in the same direction. These persistent attempts to find a suitable term for the phenomenon reveal an awareness that the world is in rapid transition towards more comprehensive monitoring and connectivity, that this will likely have a profound impact on our lives, and that it is important to start anticipating the potential consequences. Our physical and informational world is evolving, and with it, the concept of privacy as we know it.
The authors argue that
The IoT will expand the data collection practices of the online world to the offline world.  
— The IoT will enable and normalize preference and behavior tracking in the offline world. This is a significant qualitative shift, and a key reason to evaluate these technologies for their social impact and effect on historical methods of privacy preservation. The very notion of an offline world may begin to decline. 
The IoT portends a diminishment of private spaces. 
— The scale and proximity of sensors being introduced will make it harder to find reserve and solitude. The IoT will make it easier to identify people in public and private spaces. 
The IoT will encroach upon emotional and bodily privacy. 
— The proximity of IoT technologies will allow third parties to collect our emotional states over long periods of time. Our emotional and inner life will become more transparent to data collecting organizations. 
Given the likelihood of ubiquitous data collection throughout the human environment, the notion of privacy invasion may decompose; more so as people’s expectation of being monitored increases. 
— Much of consumer IoT is predicated on inviting these devices into our lives. The ability to know who is observing us in our private spaces may cease to exist. The IoT will hasten the disintegration of the ‘reasonable expectation of privacy’ standard as people become more generally aware of smart devices in their environments. 
When IoT devices fade into the background or look like familiar things, we can be duped by them, and lulled into revealing more information than we might otherwise. Connected devices are designed to be unobtrusive, so people can forget that there are monitoring devices in their environment. 
IoT devices challenge, cross and destabilize boundaries, as well as people’s ability to manage them. 
— The home is in danger of becoming a ‘glass house,’ transparent to the makers of smart home products. And, IoT devices blur regulatory boundaries – sectoral privacy governance becomes muddled as a result. 
As more and more products are released with IoT-like features, there will be an “erosion of choice” for consumers – less of an ability to not have Things in their environment monitor them. Market shifts towards ‘smart’ features that are intentionally unobtrusive lead to less understanding of data collection, and less ability to decline those features. 
The IoT retrenches the surveillance society, further commodifies people, and exposes them to manipulation. 
The IoT makes gaining meaningful consent more difficult. The IoT is in tension with the principle of Transparency. 
The IoT threatens the Participation rights embedded in the US Fair Information Practice Principles and the EU General Data Protection Regulation. 
IoT devices are not neutral; they are constructed with a commercial logic encouraging us to share. The IoT embraces and extends the logic of social media – intentional disclosure, social participation, and continued investment in interaction. 
The IoT will have an impact on children, and therefore give parents additional privacy management duties. 
— Children today will become adults in a world where ubiquitous monitoring by an unknown number of parties will be business as usual.
The report identifies 'emerging frameworks and strategies' regarding IoT privacy
Having broad non-specialist social conversations about data (use, collection, effects, socioeconomic dimensions) is essential to help the populace understand the technological changes around them. Privacy norms must evolve alongside connected devices – discussion is essential for this. 
Human-Computer Interaction (HCI) and Identity Management (IDM) are two of the most promising fields for privacy strategies for IoT. 
A useful design strategy is the ‘least surprise principle’ – don’t surprise users with data collection and use practices. Analyze the informational norms of personal data collection, use and sharing in given contexts. 
Give people the ability to do fine-grained selective sharing of the data collected by IoT devices. 
Three major headings for emerging frameworks and strategies to address IoT privacy: 
— User Control and Management
— Notification
— Governance 
User Control and Management Strategies 
— Pre-Collection
• Data Minimization – only collect data for current, needed uses; do not collect for future as-yet-unknown uses 
• Build in Do Not Collect ‘Switches’ (e.g., mute buttons or software toggles)  
• Build in wake words and manual activation for data collection, versus the truly always-on 
• Perform Privacy Impact Assessments to holistically understand what your company is collecting and what would happen if there was a breach 
— Post-Collection
• Make it easy for people to delete their data 
• Make it easy to withdraw consent 
• Encrypt everything to the maximum degree possible 
• IoT data should not be published on social media or indexed by search engines by default – users must review and decide before publishing 
• Raw data should exist for the shortest time possible 
— Identity Management
• Design strategies:
> Unlinkability – build systems that can sever the links between users’ activities on different devices or apps
> Unobservability – build or use intermediary systems that are blind to user activity
• Give people the option for pseudonymous or anonymous guest use 
• Design systems that reflect the sensitivity of being able to identify people 
• Use selective sharing as a design principle
> Design for fine-grained control of data use and sharing
> Make it easy to “Share with this person but not that person”
• Create dashboards for users to see, understand and control the data that’s been collected about them 
• Design easy ways to separate different people’s use of devices from one another 
— Notification Strategies
• Timing has an impact on privacy notice effectiveness. 
• Emerging privacy notice types:
> Just-in-time
> Periodic
> Context-dependent
> Layered
• Test people’s comprehension of privacy policies 
• Researchers are exploring privacy notification automation:
> Automated learning and setting of privacy preferences
> Nudges to encourage users to think about their privacy settings
> IoT devices advertising their presence when users enter a space
— Governance Strategies
• Creation of baseline, omnibus privacy laws for US 
• Regulations restricting IoT data from certain uses 
• Regulator guidance on acceptability of privacy policy language and innovation 
• Requirement to test privacy policies for user comprehension 
• Expansion of “personally-identifiable information” to include sensor data in the US 
• Policymaker discussions of the collapse of the ‘reasonable expectation of privacy’ standard 
• Greater use of the ‘precautionary principle’ in IoT privacy regulation 
• More technologists embedded with policymakers 
• Trusted IoT labels and certification schemes
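The Identity Management strategies above (unlinkability, pseudonymous guest use, easy consent withdrawal, separating different people's use of a device) can be illustrated in code. The following is an added example and not code from the report or its authors; the class and function names, the in-memory key store, and the thermostat and lighting sample records are all constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Added example (not from the report). Each enrolled person gets a master secret;
# the identifier an app or device sees is derived from that secret and the
# context name, so two contexts receive unrelated pseudonyms that cannot be
# joined on the identifier. Deleting the master secret severs the link between
# the person and every record already collected under those pseonyms.


class PseudonymService:
    def __init__(self):
        self._master = {}  # user_id -> 32-byte secret (hypothetical in-memory store)

    def enrol(self, user_id):
        self._master[user_id] = secrets.token_bytes(32)

    def pseudonym(self, user_id, context):
        """Deterministic per-context identifier, or None once consent is withdrawn."""
        key = self._master.get(user_id)
        if key is None:
            return None
        msg = f"{context}\x00{user_id}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

    def guest_pseudonym(self):
        """Anonymous guest use: a one-off identifier with no stored key behind it."""
        return secrets.token_hex(8)

    def withdraw_consent(self, user_id):
        """Crypto-shredding: destroying the master secret makes past records unlinkable."""
        return self._master.pop(user_id, None) is not None


def records_are_joinable(records_a, records_b):
    """Could an aggregator holding both datasets join them on the identifier column?"""
    return bool({r["id"] for r in records_a} & {r["id"] for r in records_b})


def demo():
    svc = PseudonymService()
    svc.enrol("alice")
    # constructed sample events from two apps sharing one household hub
    thermostat = [{"id": svc.pseudonym("alice", "thermostat"), "temp": 21}]
    lighting = [{"id": svc.pseudonym("alice", "lighting"), "lux": 300}]
    joinable = records_are_joinable(thermostat, lighting)                      # False
    stable = svc.pseudonym("alice", "thermostat") == thermostat[0]["id"]      # True
    svc.withdraw_consent("alice")
    after = svc.pseudonym("alice", "thermostat")                               # None
    return joinable, stable, after
```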

08 July 2018

Climate Change Litigation

'Climate Change and the Individual' by Margaret Rosso Grossman in (2018) 66 The American Journal of Comparative Law comments
 “Climate change, once considered an issue for a distant future, has moved firmly into the present.” Atmospheric and ocean temperatures are rising, “[p]recipitation patterns are changing, sea level is rising, the oceans are becoming more acidic, and the frequency and intensity of some extreme weather events are increasing.” The 2017 Climate Science Special Report describes the current state of scientific knowledge about U.S. and global climate change. The report concludes that “it is extremely likely that human influence has been the dominant cause of the observed warming since the mid-20th century. For the warming over the last century, there is no convincing alternative explanation.”
Global data show that 2016 was the warmest year on record and the third consecutive year for record global average surface temperatures. In the continental United States, 2016 was the second warmest year on record, after 2012, with higher than average precipitation and fifteen climate-related disasters including drought, wildfire, floods, and severe storms, which caused losses of more than $1 billion.
The emission of greenhouse gases (GHGs), which move about in the atmosphere, is a major cause of global climate change. GHGs absorb terrestrial radiation that leaves the Earth’s surface. Although GHGs “create the natural heat-trapping properties of the atmosphere” and are “necessary to life as we know it,” high concentrations of GHGs cause an increase in the Earth’s absorption of energy and the resulting increase in temperature referred to as global warming.
Recent research identifies deadly effects of climate change, “one of the biggest global threats to human health of the 21st century.” If global GHG emissions are not reduced, heat waves will affect 74% of the world’s population by 2100. Even with drastic GHG reductions, almost half of humans will face deadly heat. In Europe, increasing temperatures will result in weather disasters, especially heat waves and coastal flooding, and a sharp increase in climate-related deaths by 2100. By 2050, climate change may affect nutrition in developing countries as rising temperatures reduce availability of plant proteins.
Although a number of U.S. statutes govern human activities related to climate change, no comprehensive climate change legislation exists. Federal programs (including the Obama administration’s Climate Action Plan), as well as regional, state, and local initiatives, promised to mitigate and adapt to the effects of climate change. Recent developments, however, have diluted federal efforts. For example, in March 2017, President Trump revoked significant Obama-administration climate change policies, including the Climate Action Plan and related strategies. This revocation and others that followed are likely to result in increased emissions and a failure to meet climate targets (e.g., energy efficiency, methane emissions).
Significantly, in June 2017, the United States announced its withdrawal from the Paris Agreement, a decision that triggered international condemnation, as well as criticism from state and local governments and large corporations in the United States. In August 2017, the United States notified the United Nations of its intent to withdraw from the Paris Agreement as soon as the United States is eligible, unless it “identifies suitable terms for reengagement.” The U.S. withdrawal was characterized as a “severe backwards move and an abrogation of its responsibility as the world’s second largest emitter . . . when more, not less, commitment is needed from all governments to avert the worst impacts of climate change.” Despite this withdrawal, however, the United States could meet its Paris goals through the efforts of cities, states, and businesses. The global crisis of climate change has affected the practice of law. Indeed, in recent years, climate change has engendered “a rapidly building wave of litigation” in the United States. Although the judiciary is “a latecomer to the crisis that has worsened in the hands of the legislative and executive branches,” litigation can play a role in forcing government regulatory action and perhaps in providing remedies for harm from GHG emissions. As commentators observed, “[t]he president might root out climate policy from executive branch decision-making, but he cannot unilaterally remove the issue from judicial consideration.”
This Report, guided by a questionnaire prepared for the Twentieth General Congress of the International Academy of Comparative Law, addresses the topic of climate change lawsuits and the individual. The questionnaire focuses on lawsuits filed by individual plaintiffs against public and private actors to achieve mitigation of climate change or adaptation to its effects. It does not focus on legal persons, such as corporations and other legal entities. Of the hundreds of climate change cases filed in the United States, only a small number involve individual plaintiffs. Other cases involve environmental organizations that sue on behalf of their members, demanding mitigation or adaptation and sometimes damages for injury. To provide background, this Report first reviews possible causes of action to remedy climate change. It raises a number of difficult issues faced by plaintiffs in climate change litigation. The Report then reviews a number of cases brought by individual plaintiffs and environmental organizations against public and private actors.

Security Duty

'The Duty of Data Security' by William McGeveran in (2018) 102 Minnesota Law Review comments
As data breaches become larger and more frequent, the question naturally arises: what precautions does the law require of the data custodians who hold our personal information in their digital files? What is the legal duty of data security? According to some scholars and lawyers, the law is insufficiently specific, concrete, or uniform to answer that question. Attorneys representing companies that have been breached go so far as to argue that the duty of data security is “an unknown (and unknowable) standard.” Under this view, private entities warehouse vast quantities of personal data, but cannot possibly ascertain the obligations the law imposes on them to protect it. 
That claim is balderdash. This Article demonstrates that the law is already settling upon a well-defined, if context-dependent, duty of data security. It examines fourteen different sources of data security obligations for private companies in the United States, half of them formal legal rules and half derived from the private ordering of industry-based requirements. This analysis demonstrates how all these frameworks, selected to represent the breadth of data security obligations, are converging on a common set of standards. The numerous sources of a duty of data security sound together in harmony, not cacophony. The nascent consensus formulates a duty just as clear as countless other requirements of reasonableness that permeate the law. 
In addition, this Article identifies normative justifications for the content and nature of this emerging duty of data security, particularly its underpinning in principles of reasonableness and risk assessment. Indeed, the duty of data security is taking its early steps along a well-worn path in the law. It is being guided by deeply familiar legal forces, including the preference for standards over rules when governing fast-moving and complex subjects; the adoption of industry custom, which has shaped law from early contract doctrine to modern professional liability; and even a version of Judge Learned Hand’s cost-benefit calculus from the legendary Carroll Towing decision.