
Recently in Privacy Category

I'm sure I am not alone in remembering the constant urgings to be careful what I post online. I was told not to send anything in an email I wouldn't want made public, and I guess it made some sense that the internet was commonly viewed as a sort of public forum. It was the place teens went to relieve their angst, to post pictures, and to exchange messages. But the demographic of people that use the internet is constantly growing. My mom and sister communicate their garden interests using Pinterest (despite the fact that my mom needs help to download her new podcasts), and as yesterday's teens become today's adults, what people are comfortable putting online continues to expand. For example, the advent of online finances illustrates that the online world is about so much more than frivolity. The truth of the matter is that the internet shapes the way we think about ourselves. And as Lisa Durham Taylor observed in her article for MJLST in the spring of 2014, the courts are taking notice.

The article concerns the role of internet privacy in the employment context, noting that where once a company could monitor its employees' computer activity with impunity (after all, it was being done on the company time and with company resources), courts have recently realized that the internet stands for more than dalliance. In it, Taylor notes that the connectedness of employees brings with it both advantages and disadvantages to the corporation. It both helps and hinders productivity, offering a more efficient way of accomplishing a task, but providing the material for procrastination in an accompanying hand. When the line blurs, and people start using company time for personal acts, the line-drawing can get tricky. Companies have an important interest in preserving the confidentiality of their work, but courts have recently been drawing the lines to favor the employee over the employer. This is in stark contrast to the early decisions, which gave companies a broad right to discharge an "at-will" employee and found that there was no expectation of privacy in the workplace. Luckily, courts are beginning to recognize that the nature of a person's online interactions makes the company's snooping more analogous to going through an employee's personal possessions than it is to monitoring an employee's efficiency.

I would add into the picture the recently-decided Supreme Court case of Riley v. California, where the Court held that the police needed a warrant to search a suspect's phone. The Court said that there was not reasonable cause to search a cell phone because the nature of the technology means that the police would be violating more than necessary to conduct normal business. They likened it to previous restrictions which prevented police from searching locked possessions incident to arrest, and sarcastically observed that cell phones have become "such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy." The "vast quantities of personal information" and the fact that the phone itself is not a weapon make its taking unjustified in the course of a normal search.

This respect for the data of individuals seems to be signaling a new and incredibly complicated age of law. When does a person have the right to protect their data? When can that protection be broken? As discussed in a recent post on this blog, there is an ongoing debate about what to do with the data of decedents. To me, a conservative approach makes the most sense, especially in context with the cases discussed by Lisa Taylor and the decision in Riley v. California. However, courts have sided with those seeking access because the nature of a will grants the property of the deceased to the heirs, which has been extended to online "property." What Rebecca Cummings points out to help swing the balance back in favor of privacy, is that it is not just the property of the deceased to which you are granting access. The nature of email means that a person's inbox has copies of letters from others which may have never been intended for the eyes of someone else.

I can only imagine the number of people who, had they the presence of mind to consider this eventuality, would act differently either in the writing of their will or their management of their communications. I am sure that this is already something lawyers advise their clients about when discussing their plans for their estate, but for many, death comes before they have the chance to fully consider these things. As generations who have grown up on the internet start to encounter the issue in earnest, I have no doubt that the message will spread, but I can't help but feel it should be spreading already. So: what would your heirs find tucked away in the back of your online closet? And if the answer to that is something you'd rather not think about, perhaps we should support the shift to privacy in more aspects of the digital world.

Ke Huang, MJLST Lead Articles Editor

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) generally provides that, by 2015, healthcare providers must comply with the Act's electronic health record (EHR) benchmarks, or, the government would reduce these providers' Medicare payments by one percent.

These provisions of the HITECH Act are more than a health policy footnote. Especially for attorneys, the growing use of EHRs raises several legal issues. Indeed, in Volume 10, Issue 1 of the Minnesota Journal of Law, Science & Technology, published six years ago, Kari Bomash analyzes the consequence of EHRs in three legal-related aspects. In Privacy and Public Health in the Information Age, Bomash discusses how a Minnesota Health Records Act amendment relates to: (1) privacy, especially consent of patients, (2) data security (Bomash was almost prescient given the growing security concerns), and (3) data use regulations that affect medical doctors.

Bomash's discussion is not exhaustive. EHRs also raise legal issues running the gamut from intellectual property and e-discovery to malpractice. Given that software runs EHRs, the IP industry is very much implicated. So much so that some proponents of EHR even support open source. (Another MJLST Article explains the concept of open source.)

E-discovery may be more straightforward. Like other legal parties maintaining electronic stored information, health entities storing EHR must comply with court laws governing discovery.

And malpractice? One doctor suggested in a recent Wall Street Journal op-ed that EHR interferes with a doctor's quality of care. Since quality of care, or lack thereof, is correlated with malpractice actions, commentators raised the concern that EHR could raise malpractice actions. A 2010 New England Journal of Medicine study addressed this topic but could not provide a conclusive answer.

Even my personal experience with EHRs is one of the reasons that led me to want to become an attorney. As a child growing up in an immigrant community, I often accompanied adult immigrants to interpret in contract closings, small-business transactions, and even clinic visits. Helping in those matters sparked my interest in law. In one of the clinic visits, I noticed that an EHR print-out of my female cousin stated that she was male. I explained the error to her.

"I suppose you have to ask them to change it, then," she said.

I did. I learned from talking to the clinic administrator the EHR software was programmed to recognize female names, and, for names that were ambiguous, as was my cousin's, the software automatically categorized the patient as male. Even if my cousin's visit was for an ob-gyn check-up.

Will Orlady, MJLST Staff Member

In Privatizing Biomedical Citizenship: Risk, Duty, and Potential in the Circle of Pharmaceutical Life, Professor Jonathan Khan wrote: "genomic research is at an impasse." Though genomic research has advanced incrementally since the completion of the first draft of the human genome, Khan asserts, "few of the grandest promises of genomics have materialized." This apparent lack of progress is a complex issue. Further, one may be left asking whether, within the current economic and regulatory scheme, genomics actually has promising answers to give. But Khan's work cites to biomedical researchers, claiming that what is needed to propel genomic research forward is simple: more bodies.

Indeed, it is a simple answer, but to which question--or questions? Khan's article explores the "interconnections among five . . . federally sponsored biomedical initiatives of the past decade in order to illuminate critical aspects of the current drive to get bodies." To be sure, the article provides the literature with a fine starting analysis of public biomedical programs, synthesizing much of the previous research on biomedical research participation. It further evaluates previously proposed methods for increasing genomic research participation. Khan's article, however, left me with more questions than answers. If the public and private sectors cannot work together to produce results, then who is left to ensure progress? Is progress currently feasible? Are we being too hasty and impatient demanding results from an admittedly young scientific discipline? And, ultimately, if study participants/subjects are expected to participate with their own genetic material or bodies, what do they get in return?

Khan's article attempts to address the final question. That is, if we are to create a legal or social obligation to contribute to genomic research for the sake of the public, what benefit (or, at the least, what safety assurance) do contributors receive in return for their contribution? Clearly, issues associated with creating a system of duties while providing no corresponding rights are aplenty. Underlying this discussion is the notion that to ensure the timely progress of genomic research mandated participation in such research might be necessary. Herein lies a problem: "[t]hese duties effectively privatize citizenship, recasting service to the political community as a function of service to [an] . . . enterprise of biomedical research. . . . " What is more, Khan is keen to point out that time and time again, promises of genomic advancement in the hands of collaborating private and public entities have failed to produce promised results.

If we are to go forward privatizing citizenship, creating duties for persons to use their bodies for the benefit of society, we must be careful to ensure that (1) individual rights in the outcome of the research are secured; and, (2) that society will in fact benefit from the collectively imposed obligations.

Although Khan's article leaves many questions unanswered, I empathize with his wariness of creating a public duty to contribute to biomedical research. Solutions to such complex issues are not easily answered. Torpid genomic research is troubling. But, so is the notion of privatized citizenship ascribing duties without granting corresponding rights. Though more bodies may be needed to further the timely advance of genomic research, policymakers and academics alike should be cautious creating any programs which compromise the integrity of personal privacy for the sake of public advancement without granting corresponding rights.

Thomas Hale-Kupiec, MJLST Staff Member

President Barack Obama proposed spending $215 million on a 'precision medicine' initiative. The largest part of the money, $130 million, would go to the National Institutes of Health in order to create a population-scale study. This study would create a database containing health information with genetic, environmental, lifestyle, medical and microbial data from both healthy and sick volunteers with the aim that it will be used to accelerate medical research and to personalize treatments to patients. Though some would call this a "bio-bank," Francis Collins, director of the National Institutes of Health, said that instead, the project is greater than that, as it is combining data from among what he called more than 200 large American health studies that are ongoing and together involve at least two million people. "Fortunately, we don't have to start from scratch," he said. "The challenge of this initiative is to link those together. It's more a distributed approach than centralized." Further, the President immediately attempted to alleviate concerns related to privacy: "We're going to make sure that protecting patient privacy is built into our efforts from Day 1. . . I'm proud we have so many patients-rights advocates with us here today. They're not going to be on the sidelines. This is not going to be an afterthought. They'll help us design this initiative from the ground up, making sure that we harness the new technologies and opportunities in a responsible way."

Three major issues seem to be implicated in this proposed database study. First, both informed consent and incidental findings seem to be problematic in this model. When ascertaining information from the American health studies, the government may be bypassing what users initially consented to when agreeing to participate in the study. Further, incidental findings and individual research results of potential health, reproductive, or personal importance to individual contributors are implicated in these studies; these aspects need to be considered in order to avoid any liability going forward, and provide participants with expectations of how their information may be used. Second, collection and retention of this information seem to be an issue. Questions on when, where, and how long this information is being held create a vast array of privacy concerns. Further, security of this information may be implicated, as some of this data may be personal. Third, deletion or removal of this information may be an issue if the program ever becomes discontinued, or if users are allowed to opt-out. Options after closure include destroying the specimens, transferring them to another facility, or letting them sit unused in freezers. These raise a multitude of questions about what to do with specimens and when level of consent should be implicated.

Overall, this database seems to hold immeasurable potential for the future of medicine. This said, legal and ethical considerations must be considered during this new policy's development and implementation; with this immeasurable power comes great responsibility.

Steven Groschen, MJLST Staff Member

Facebook recently announced a new policy that grants users the option of appointing an executor of their account. This policy change means that an individual's Facebook account can continue to exist after the original creator has passed. Although Facebook status updates from "beyond the grave" are certainly a peculiar phenomenon, they fit nicely into the larger debate of how to handle one's digital assets after their death.

Rebecca G. Cummings, in her article The Case Against Access to Decedents' Email: Password Protection as an Exercise of the Right to Destroy, discusses some of the arguments for and against providing access to a decedent's online account. Those favoring access to a decedent's account may assert one of two rationales: (1) access eases administrative burdens for personal representatives of estates; and (2) digital accounts are merely property to be passed on to one's descendants. The response from those disagreeing with access is that the intent of the deceased should be honored above other considerations. Further they argue that if there is no clear intent from the deceased (which is not uncommon because many Americans die without wills), then the presumption should be that the decedent's online accounts were intended to remain private.

Email and other online accounts (e.g. Facebook, Twitter, dating profiles) present novel problems for property rights of the deceased. Historically, a diary or the occasional love letter were among the most intimate property that could be transferred to one's descendants. The vast catalogs of information available in an email account drastically change what is available to be passed on. In contrast to a diary, an email account contains far more than the highlights of an individual's day -- emails provide a detailed account of an individual's daily tasks and communications. Interestingly, this in-depth cataloging of daily activities has led some to the argument that information should be passed on as a way of creating a historical archive. There is certainly historical value in preserving an individual's social media or email accounts; however, it must be balanced against the potential invasion of his or her privacy.

As of June 2013, seven states have passed laws that explicitly govern digital assets after death. However, the latest development in this area is the Uniform Fiduciary Access to Digital Assets Act, which was created by the Uniform Law Commission. This act attempts to create consistency among the various states on how digital assets are handled after an individual's death. Presently, the act is being considered for enactment in fourteen states. The act grants fiduciaries in certain instances the "same right to access those [digital] assets as the account holder, but only for the limited purpose of carrying out their fiduciary duties." Whether or not this act will satisfy both parties in this debate remains to be seen.

Privacy in the Workplace and Wearable Technology

Jessica Ford, MJLST Staff Member

Lisa M. Durham Taylor's article, The Times They Are a-Changin': Shifting Norms and Employee Privacy in the Technological Era, in Volume 15 Issue 2 of the Minnesota Journal of Law, Science & Technology discusses employee workplace privacy rights in regard to new technologies. Taylor spends much of the article focusing on privacy concerns surrounding correspondence in the workplace. Taylor states that in certain cases, employees may be able to expect their personal email account correspondence to be private as seen in the 2008 case Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC. However, generally employers can legally monitor email messages and any websites an employee visits, including personal accounts.

Since Taylor's article, new technologies have emerged, bringing new privacy implications for the workplace with them. Wearable technologies such as Google Glass, smart watches, and fitness bands find themselves in a legal void, particularly in regard to privacy concerns. Several workplaces have implemented Google Glass through Google's Glass at Work program. While this could help productivity, especially in medical settings, it could also mean that an employer could review every recorded moment, even those containing personal conversations or experiences.

Smart watches could also have a troubling future due to the lack of legal boundaries. At the moment, it would be simple for a company to require employees to wear GPS-enabled smart watches and use the watches to track employees' locations, see if an employee is exceeding his break time, and instantaneously communicate with employees. Such uses could be frustrating, if not invasive. All messages and activities also could be tracked outside of the office, essentially eliminating any semblance of personal privacy. Additionally, as Taylor notes in her article, there is case precedent upholding a "public employer's search of text messages sent from and received on the employee's employer-issued paging device." This 2010 case, City of Ontario v. Quon, further allowed the employer to search personal messages.

For the moment, it appears that employers are erring on the side of caution. It will take some time to see whether the legal framework Taylor discusses will be applied to wearable technologies and whether it will be more permissive or restrictive for employers.

Mickey Stevens, MJLST Staff Member

If a person requires emergency medical treatment and shows up at any hospital that accepts payments from Medicare, that person will receive emergency health care treatment without regard to ability to pay, citizenship, or legal status. This happens because the Emergency Medical Treatment and Active Labor Act (EMTALA), enacted in 1986, requires such treatment as a method of preventing the practice of "patient dumping," where hospitals would refuse to treat people because of inability to pay, among other reasons. A recent circuit court decision and subsequent petition for writ of certiorari to the Supreme Court of the United States has challenged this part of the EMTALA as constituting a taking in violation of the Fifth Amendment.

In February 2014, E. H. Morreim published an article discussing the EMTALA in volume 15, issue 1 of the Minnesota Journal of Law, Science and Technology. In that article, Morreim argued that EMTALA violates the Fifth Amendment's Takings Clause. According to Morreim, the EMTALA satisfies the three elements of a taking - property, taking, and public use. The article argues that the property taken is both personal property (pharmaceuticals, medical devices, and paid staff time) and the physical invasion of spaces in the hospital, for the public use of ensuring immediate emergency care without regard to the ability to pay. Furthermore, Morreim suggests that the EMTALA may resemble what Justice Scalia has termed a "Robin Hood Taking" where the government takes wealth from those who have it and transfers it to indigent defendants. See Brown v. Legal Found. Of Wash., 538 U.S. 216, 252 (2003) (Scalia, J., dissenting).

At the time of the article's publication, neither the Supreme Court nor any of the circuit courts had addressed the constitutionality of the EMTALA. That is no longer the case. The Eleventh Circuit addressed the issue and upheld the EMTALA as constitutional in Baker County Medical Services, Inc. v. U.S. Attorney General, 763 F.3d 1274 (11th Cir. 2014). There, the Appellant hospital appealed the lower court's grant of a motion to dismiss a claim seeking a declaratory judgment that EMTALA was an unconstitutional taking. The Eleventh Circuit upheld the law on the basis that voluntary participation in a regulated program defeats a takings clause challenge. The decision concluded by saying that the Hospital should turn to Congress for a remedy, instead of the courts.

Morreim's article addresses this so-called "voluntariness" of participation in EMTALA, arguing that the steep financial losses that would occur - the loss of all Medicare funding - render acceptance of the EMTALA obligations far from voluntary. In Baker County Medical Services, the court responded to these concerns, as raised by the Appellant hospital, by stating that economic hardship is not the same as compulsion.

The Eleventh Circuit's decision prompted the hospital to file a petition for writ of certiorari with the Supreme Court. 2014 WL 6449709. The petition, which cites to Morreim's article, was filed in November and may soon receive a response from the Supreme Court. As Morreim wrote, "[s]tay tuned . . . the conversation is likely to become quite interesting."

Dylan Quinn, MJLST Lead Note Comment Editor

The work week is winding down and you are furiously trying to reach an agreement with opposing counsel on some issue or dispute. You email back and forth until it appears you have reached an agreement - at least for the weekend. You will tell your client about the essential terms next week to see if you should "finalize" everything with the other side.

I don't want to ruin your weekend, but you may have already bound the client to an enforceable agreement. How, you ask, can this be possible if I did not sign anything? Well, in light of the UETA and developing case law, that automatic signature block at the bottom of all your emails might be enough.

Minnesota Statutes Section 481.08 provides that an "attorney may bind a client, at any stage of an action or proceeding, by agreement made ... in writing and signed by such attorney." In addition, Minnesota has long joined almost every other state by adopting a variation of the Uniform Electronic Transactions Act (UETA). The purpose of the UETA is to provide a legal framework for the use of electronic signatures and records in government or business transactions, making them as legal as paper and manually signed signatures. In sum, the UETA will apply to agreements reached under Section 481.08.

Minnesota Statutes Section 325L(h) defines "electronic signature" as "an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." Furthermore, Section 325L.05 (b) makes clear that the UETA in Minnesota only applies to transactions between parties where they both have "agreed to conduct transactions by electronic means," which is determined by the "context and surrounding circumstances, including the parties' conduct." However, any attorney negotiating a settlement or other stipulation via email will open themselves up to the argument that they intended to transact business electronically, so the central question is whether or not an attorney intended the signature block to constitute a legally significant act that authenticates the email, thus binding the client to a settlement or other agreement.

It has long been held that an email chain can constitute a binding agreement. This past summer, the Minnesota Court of Appeals held that "an electronic signature in an email message does not necessarily evidence intent to electronically sign a document attached to the e-mail." See SN4, LLC v. Anchor Bank, fsb, 848 N.W.2d 559, 567 (Minn. Ct. App. 2014). While the decision adds to a growing body of jurisprudence in this area, the question of automated signature blocks was tabled by the decision and the parties involved were not attorneys. The Minnesota Supreme Court denied review this past September.

Other jurisdictions can offer some guidance. For example, in New York, where another law outside the UETA effectively serves the same purpose, it has long been held that automated imprints or signatures were insufficient to authenticate every document. See Parma Tile Mosaic & Marble Co. v. Estate of Fred, 663 N.E.2d 633, 635 (NY Ct. App. 1996) (finding for Statute of Frauds purposes, automatic imprint of "MRLS Construction" on every faxed document did not amount to "sender's apparent intention to authenticate every document subsequently faxed.").

In Texas, there is a split among the Courts on the issue of an attorney's signature block creating an enforceable agreement. Compare Cunningham v. Zurich Am. Ins. Co., 352 S.W.3d 519, 529-30 (Tex. App. 2011) (determining settlement agreement had not been reached because the Court declined "to hold that mere sending ... of an email containing a signature block satisfies the signature requirement when no evidence suggests that the information was typed purposefully rather than generated automatically."), with Williamson v. Bank of New York Mellon, 947 F. Supp. 2d 704, 710 (N.D. Tex. 2013) (disagreeing with Cunningham because (1) the attorney must have typed in the signature block information "at some point in the past," (2) a broad view of the electronic signature definition comports with UETA's purpose, and (3) "email communication is a reasonable and legitimate means of reaching a settlement in this day and age.").

On the one hand, it seems like a strong argument to point out the fact that all emails contain the signature block. How can that possibly evidence the requisite intent to authenticate statements or agreements? Do we really want to allow attorneys to use this argument any time they get close enough to reaching an agreement when emailing back and forth? In response, one must ask: in what instance should we allow an attorney to seemingly agree with opposing counsel via email, but get out of it because they did not use "/s/", and just had their automated signature block?

Regardless of the outcome, a decision one way or the other will have far-reaching impacts on legal practice, and more specifically litigation, in Minnesota. As the Court recognized in Williamson, "email communication is a reasonable and legitimate means of reaching a settlement in this day and age." If the entire purpose of the UETA was to facilitate electronic transactions, and the Minnesota Supreme Court is in charge of providing professional and ethical guidance for the profession within the state, they should grant review as opposed to tabling the issue.

Until then, all parties transacting business electronically, but especially attorneys, should be conscious of that little signature block they typed in the first day they set up their email account.

Sen "Alex" Wang, MJLST Staff Member

In Volume 13 Issue 1 of the Minnesota Journal of Law, Science & Technology, Ira P. Robbins called for special attention for social-networking evidence used in civil and criminal litigation and proposed an authorship-centric approach to the authentication of such evidence. In recent years, social-networking websites like Facebook, MySpace, and Twitter have become an ingrained part of our culture. However, at least as it appears to Robbins, people are stupid with regard to their online postings since they document their every move no matter how foolish or incriminating on social-networking sites. The lives and careers of not only ordinary citizens, but also lawyers, judges, and even Congress members have been damaged by their own social-networking postings.

Social-networking sites are designed to facilitate interpersonal relationships and information exchanges, but they have also been used to harass, intimidate, and emotionally abuse or bully others. With no effective check on fake accounts or false profiles, the anonymity of social-networking sites permits stalkers and bullies to take their harmful conduct above and beyond traditional harrying. The infamous Lori Drew and Latisha Monique Frazier cases provide excellent examples. Moreover, hackers and identity thieves have also taken advantage of the personal information posted on social-networking sites. Thus, Robbins argued that the growth in popularity of social-networking sites and the rising number of fake accounts and incidents of hacking signal that information from social-networking sites will begin to play a central role in both civil and criminal litigation.

Often unbeknownst to the social-networking user, postings leave a permanent trail that law-enforcement agents and lawyers frequently rely upon in crime solving and trial strategy. Robbins argued that the ease with which social-networking evidence can be altered, forged, or posted by someone other than the owner of the account should raise substantial admissibility concerns. Specifically, Robbins stated that social-networking postings are comparable to postings on websites rather than e-mails. Thus, the authentication of social-networking evidence is the critical first step to ensuring that the admitted evidence is trustworthy and, ultimately, that litigants receive a fair and just trial.

Robbins, however, further argued that the current judicial approaches to authentication of such evidence have failed to require rigorous showings of authenticity despite the demonstrated unreliability of information on social-networking sites. In the first approach, the court effectively shirks its gate-keeping function, deflecting all reliability concerns associated with social-networking evidence to the finder of fact. Under the second approach, the court authenticates a social-networking posting by relying solely on testimony of the recipient. The third approach requires testimony about who, aside from the owner, can access the social-networking account in question. With the fourth approach, the court focuses on establishing the author of a specific posting but fails to provide a thorough framework.

As a solution, Robbins proposed an authorship-centric approach that instructs courts to evaluate multiple factors when considering evidence from social-networking websites. The factors fall into three categories: account security, account ownership, and the posting in question. Although no one factor in these categories is dispositive, addressing each will help to ensure that admitted evidence possesses more than a tenuous link to its purported author. For account security, the inquiry should include at least the following questions: (1) Does the social-networking site allow users to restrict access to their profiles or certain portions of their profiles? (2) Is the account that was used to post the proffered evidence password protected? (3) Does anyone other than the account owner have access to the account? (4) Has the account been hacked into in the past? (5) Is the account generally accessed from a personal or a public computer? (6) How was the account accessed at the time the posting was made? As to account ownership, a court should address, at a minimum, the following key questions: (1) Who is the person attached to the account that was used to post the proffered evidence? (2) Is the e-mail address attached to the account one that is normally used by the person? (3) Is the alleged author a frequent user of the social-networking site in question? Finally, the court should ask at least these questions regarding the posting in question: (1) How was the evidence at issue placed on the social-networking site? (2) Did the posting at issue come from a public or a private area of the social-networking website? (3) How was the evidence at issue obtained from the website?

This authorship-centric approach properly shifts a court's attention from content and account ownership to authorship, and it underscores the importance of fairness and accuracy in the outcome of judicial proceedings that involve social-networking evidence. In addition, it fits within the current circumstantial-evidence authentication framework set out by Federal Rules of Evidence 901(b)(4) and will not require the courts to engage in a more exhaustive inquiry than is already required for other types of evidence.

Is the US Ready for the Next Cyber Terror Attack?

Ian Blodger, MJLST Staff Member

The US's military intervention against ISIL carries with it a high risk of cyber-terror attacks. The FBI reported that ISIL and other terrorist organizations may turn to cyber attacks against the US in response to the US's military engagement of ISIL. While no specific targets have been confirmed, likely attacks could range from website defacement to denial-of-service attacks. Luckily, recent cyber terror attacks attempting to destabilize the US power grid failed, but next time we may not be so lucky. Susan Brenner's recent article, Cyber-threats and the Limits of Bureaucratic Control, published in the Minnesota Journal of Law Science and Technology volume 14 issue 1, describes the structural reasons for the US's vulnerabilities to cyber attacks, and offers one possible solution to the problem.

Brenner argues that the traditional methods of investigation do not work well when it comes to cyber attacks. This ineffectiveness results from the obscured origin and often hidden underlying purpose of the attack, both of which are crucial in determining whether a law enforcement or military response is necessary. The impairment leads to problems assessing which agency should control the investigation and response. A nation's security from external attackers depends, in part, on its ability to present an effective deterrent to would-be attackers. In the case of cyber attacks, however, the US's confusion on which agency should respond often precludes an efficient response.

Brenner argues that these problems are not transitory, but will increase in direct proportion to our reliance on complex technology. The current steps taken by the US are unlikely to solve the issue since they do not address the underlying problem, instead continuing to approach cyber terrorists as conventional attackers. Concluding that top-down command structures are unable to respond effectively to the threat of cyber attacks, Brenner suggests a return to a more primitive mode of defense. Rather than trusting the government to ensure the safety of the populace, Brenner suggests citizens should work with the government to ensure their own safety. This decentralized approach, modeled on British town defenses after the fall of the Roman Empire, may avoid the ineffective pitfalls of the bureaucratic approach to cyber security.

There are some issues with this proposed model for cyber security, however. Small British towns during the early middle ages may have been able to ward off attackers through an active citizen-based defense, but the anonymity of the internet makes this approach challenging when applied to a digitized battlefield. Small British towns were able to easily identify threats because they knew who lived in the area. The internet, as Brenner concedes, makes it difficult to determine to whom any given person pays allegiance. Presumably, Brenner theorizes that individuals would simply respond to attacks on their own information, or enlist the help of others to fend off attacks. However, the anonymity of the internet would mean utter chaos in bolstering a collective defense. For example, an ISIL cyber terrorist could likely organize a collective US citizen response against a passive target by claiming they were attacked. Likewise, groups utilizing pre-emptive attacks against cyber terrorist organizations could be disrupted by other US groups that do not recognize the pre-emptive cyber strike as a defensive measure. This simply shows that the analogy between the defenses of a primitive British town and the Internet is not complete.

Brenner may argue that her alternative simply calls for current individuals, corporations, and groups to build up their own defenses and protect themselves from impending cyber threats. While this approach would avoid the problems inherent in a bureaucratic approach, it ignores the fact that these groups are unable to protect themselves currently. Shifting these groups' understanding of their responsibility of self defense may spur innovation and increase investment in cyber protection, but this will likely be insufficient to stop a determined cyber attack. Large corporations like Apple, JPMorgan, Target, and others often hemorrhage confidential information as a result of cyber attacks, even though they have large financial incentives to protect that information. This suggests that an individualized approach to cyber protection would also likely fail.

With the threat of ISIL increasing, it is time for the United States to take additional steps to reduce the threat of a cyber terror attack. At this initial stage, the inefficiencies of bureaucratic action will result in a delayed response to large-scale cyber terror attacks. While allowing private citizens to band together for their own protection may have some advantages over government inefficiency, this too likely would not solve all cyber security problems.