policy.bib
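% arXiv report on contestability in government AI systems. The eprint and
% archiveprefix fields repeat the identifier already present in the url field,
% so arXiv-aware styles can print it without parsing the URL.
@misc{landau.dempsey.ea:challenging,
  author        = {Susan Landau and James X. Dempsey and Ece Kamar and Steven
    M. Bellovin and Robert Pool},
  title         = {Challenging the Machine: Contestability in Government {AI}
    Systems},
  month         = {June},
  year          = {2024},
  date          = {2024-06},
  eprint        = {2406.10430},
  archiveprefix = {arXiv},
  url           = {https://arxiv.org/abs/2406.10430},
  date-added    = {2024-06-14 18:25:46 -0400},
  date-modified = {2024-06-17 22:55:20 -0400},
  bdsk-url-1    = {https://arxiv.org/abs/2406.10430}
}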
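% arXiv recommendations paper from the January 2024 contestability workshop.
% Links use https like the sibling arXiv entry, the arXiv identifier from the
% url is also stored in eprint/archiveprefix, and the date range in the
% abstract uses an en dash.
@misc{landau.dempsey.ea:recommendations,
  author        = {Susan Landau and James X. Dempsey and Ece Kamar and Steven
    M. Bellovin},
  title         = {Recommendations for Government Development and Use of
    Advanced Automated Systems to Make Decisions about
    Individuals},
  month         = {March},
  year          = {2024},
  date          = {2024-03-04},
  eprint        = {2403.01649},
  archiveprefix = {arXiv},
  url           = {https://arxiv.org/abs/2403.01649},
  abstract      = {Contestability -- the ability to effectively challenge a
    decision -- is critical to the implementation of fairness.
    In the context of governmental decision making about
    individuals, contestability is often constitutionally
    required as an element of due process; specific procedures
    may be required by state or federal law relevant to a
    particular program. In addition, contestability can be a
    valuable way to discover systemic errors, contributing to
    ongoing assessments and system improvement.
    On January 24--25, 2024, with support from the National
    Science Foundation and the William and Flora Hewlett
    Foundation, we convened a diverse group of government
    officials, representatives of leading technology companies,
    technology and policy experts from academia and the
    non-profit sector, advocates, and stakeholders for a
    workshop on advanced automated decision making,
    contestability, and the law. Informed by the workshop's
    rich and wide-ranging discussion, we offer these
    recommendations. A full report summarizing the discussion
    is in preparation.},
  date-added    = {2024-03-05 11:02:44 -0500},
  date-modified = {2024-03-05 11:04:29 -0500},
  bdsk-url-1    = {https://arxiv.org/abs/2403.01649}
}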
% Forthcoming law-review article. NOTE(review): both URL fields carry an OSF
% "view_only" query token, which looks like a revocable share link rather than
% a stable public address; swap in the published link or a DOI once one exists.
@article{bellovin:rethinking,
  author        = {Steven M. Bellovin},
  title         = {Rethinking Privacy Regulation},
  journal       = {GWU Journal of Law and Technology},
  volume        = 1,
  number        = 1,
  year          = {2025},
  date          = {2025},
  note          = {To appear},
  url           = {https://osf.io/nct2y/?view_only=ac81baf15bb14f6aa07aa85707b60a86},
  lawcite       = {Steven M. Bellovin, \textbf{1 Geo. Wash. J.L. \& Tech.}
    (2025) (forthcoming)},
  date-added    = {2024-02-05 19:56:32 -0500},
  date-modified = {2024-02-08 22:47:48 -0500},
  bdsk-url-1    = {https://osf.io/nct2y/?view_only=ac81baf15bb14f6aa07aa85707b60a86}
}
% Law-review article on privacy-preserving anonymous credentials against
% intimate image abuse (SMU Sci. and Tech. L. Rev., vol. 26, Fall 2023).
@article{zhang.bellovin:preventing,
  author        = {Janet Zhang and Steven M. Bellovin},
  title         = {Preventing Intimate Image Abuse Via Privacy-Preserving
    Anonymous Credentials},
  journal       = {SMU Science and Technology Law Review},
  volume        = 26,
  issue         = {Fall},
  pages         = {149--215},
  month         = {November},
  year          = {2023},
  date          = {2023},
  url           = {https://scholar.smu.edu/scitech/vol26/iss2/2/},
  lawcite       = {Janet Zhang \& Steven M. Bellovin, \textbf{26 SMU Sci \&
    Tech. L. Rev. 149 (2023)}},
  bdsk-url-1    = {https://scholar.smu.edu/scitech/vol26/iss2/2/}
}
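% History of the phrase "data shadow" (Ohio St. Tech. L.J. 20:2, 2024).
% The abstract's "It since become" is corrected to "It has since become".
% NOTE(review): bdsk-url-1 still holds an OSF "view_only" share link, which
% looks like a pre-publication draft link; the url field is the published handle.
@article{bellovin:who,
  author        = {Steven M. Bellovin},
  title         = {Who Coined the Phrase ``Data Shadow''?},
  journal       = {Ohio State Technology Law Journal},
  volume        = {20},
  number        = {2},
  pages         = {317},
  month         = {May},
  year          = {2024},
  date          = {2024-05},
  url           = {https://kb.osu.edu/handle/1811/104614},
  lawcite       = {Steven M. Bellovin, \textbf{20 Ohio St. Tech L.J. 317}
    (2024)},
  abstract      = {The phrase ``data shadow'' is commonly used in books and
    articles on privacy. The origin of the phrase, though, is
    mysterious. It is often attributed to Alan Westin, but it
    does not seem to appear in any of his writings. I show that
    it was coined in the early 1970s by Kerstin An{\'e}r, a
    member of the Swedish parliament, as ``dataskugga.'' She
    later used the phrase in English, later in the 1970s. It
    was briefly popular then, but disappeared until the early
    1990s. It has since become a popular and evocative phrase to
    describe how our activities, online and offline, follow us
    around.},
  date-added    = {2023-08-02 11:16:06 -0400},
  date-modified = {2024-06-14 21:19:07 -0400},
  bdsk-url-1    = {https://osf.io/qbe2s/?view_only=6f082b795a4b48b5beccc22b21bb2c99}
}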
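% Journal of Cybersecurity article on the risks of client-side scanning.
% The DOI already embedded in the url field is also stored bare in doi, so
% styles that print or link DOIs can use it directly.
@article{abelson.anderson.ea:bugs,
  author        = {Hal Abelson and Ross Anderson and Steven M. Bellovin and
    Josh Benaloh and Matt Blaze and Jon Callas and Whitfield
    Diffie and Susan Landau and Peter G. Neumann and Ronald L.
    Rivest and Jeffrey I. Schiller and Bruce Schneier and
    Vanessa Teague and Carmela Troncoso},
  title         = {Bugs in our Pockets: The Risks of Client-Side Scanning},
  journal       = {Journal of Cybersecurity},
  volume        = {10},
  number        = {1},
  year          = {2024},
  date          = {2024},
  doi           = {10.1093/cybsec/tyad020},
  url           = {https://doi.org/10.1093/cybsec/tyad020},
  date-added    = {2023-05-20 16:16:47 -0400},
  date-modified = {2024-09-11 13:56:00 -0400},
  bdsk-url-1    = {https://www.cs.columbia.edu/~smb/papers/bugs21.pdf}
}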
% History of early "algorithmic" patents (Ohio St. Tech. L.J. 20:2, 2024).
% NOTE(review): bdsk-url-1 holds an OSF "view_only" share link, which looks
% like a pre-publication draft link; the url field is the published handle.
@article{bellovin:antiquity,
  author        = {Steven M. Bellovin},
  title         = {The Antiquity of Algorithmic Patents},
  journal       = {Ohio State Technology Law Journal},
  volume        = {20},
  number        = {2},
  pages         = {365},
  month         = {May},
  year          = {2024},
  date          = {2024-05},
  url           = {https://kb.osu.edu/handle/1811/104612},
  lawcite       = {Steven M. Bellovin, \textbf{20 Ohio St. Tech L.J. 365}
    (2024)},
  abstract      = {Software patents have long been controversial. Although
    they are accepted today, if only implicitly---there is
    nothing in the patent statute that explicitly permits
    them---the Patent Office and the courts have gone back and
    forth on the patentability of software. In the early 20th
    century, though, patents were routinely issued for what
    today would be termed software---more precisely,
    programs---even though this was long before computers
    existed. I recount some of this history and give several
    examples of such patents, including objections (or the lack
    thereof) from patent examiners per the file histories---and
    later examples of where similar claims were disallowed by
    the courts. Policy arguments aside, the precedents suggest
    that algorithmic patents should be allowed, but their
    precise scope has never been clearly delineated.},
  date-added    = {2023-05-20 16:14:57 -0400},
  date-modified = {2024-06-24 16:19:50 -0400},
  bdsk-url-1    = {https://osf.io/4pgu6/?view_only=026a1cd10a2f4ace863ad8d1ea6cf37f}
}
% Lawfare piece (2022-02-09) on the Cyber Safety Review Board. The url field
% uses the lawfaremedia.org host; bdsk-url-1 keeps the lawfareblog.com address.
@article{bellovin.shostack.ea:ten,
  author        = {Steven M. Bellovin and Adam Shostack and Tarah Wheeler},
  title         = {Ten Questions We Hope the {Cyber Safety Review Board}
    Answers---and Three It Should Ignore},
  journal       = {Lawfare},
  month         = {February 9,},
  year          = {2022},
  date          = {2022-02-09},
  url           = {https://www.lawfaremedia.org/article/ten-questions-we-hope-cyber-safety-review-board-answers%E2%80%94and-three-it-should-ignore},
  date-added    = {2022-02-08 20:16:19 -0500},
  date-modified = {2024-04-22 12:14:13 -0400},
  bdsk-url-1    = {https://www.lawfareblog.com/ten-questions-we-hope-cyber-safety-review-board-answers%E2%80%94and-three-it-should-ignore}
}
% Lawfare piece (2021-06-07) welcoming a cybersecurity safety review board.
@article{bellovin.shostack:finally,
  author        = {Steven Bellovin and Adam Shostack},
  title         = {Finally! {A} Cybersecurity Safety Review Board},
  journal       = {Lawfare},
  month         = {June 7,},
  year          = {2021},
  date          = {2021-06-07},
  url           = {https://www.lawfaremedia.org/article/finally-cybersecurity-safety-review-board},
  date-added    = {2021-06-07 11:46:24 -0400},
  date-modified = {2024-04-22 12:14:59 -0400},
  bdsk-url-1    = {https://www.lawfareblog.com/finally-cybersecurity-safety-review-board}
}
% Columbia Spectator opinion piece from October 2016; the entry has no date
% field, only month and year.
@article{bellovin:columbias,
  author        = {Steven M. Bellovin},
  title         = {Columbia's riots and rebellions in the 1970s},
  journal       = {Columbia Spectator},
  month         = {October 13,},
  year          = {2016},
  url           = {https://www.columbiaspectator.com/opinion/2016/10/12/columbias-riots-and-rebellions-1970s/},
  date-added    = {2021-01-10 13:47:32 -0500},
  date-modified = {2021-01-10 13:47:32 -0500},
  bdsk-url-1    = {https://www.columbiaspectator.com/opinion/2016/10/12/columbias-riots-and-rebellions-1970s/}
}
% Written testimony (2020-12-15) to the New York City Council Committee on
% Technology for its hearing on cloud-computing systems.
@misc{bellovin:testimony,
  author        = {Steven M. Bellovin},
  title         = {Testimony for the {New York City Council Committee on
    Technology} Hearing on {``Benefits and Disadvantages of
    Cloud-computing Systems''}},
  month         = {December 15,},
  year          = {2020},
  date          = {2020-12-15},
  url           = {https://www.cs.columbia.edu/~smb/papers/nyc-cloud.pdf},
  date-added    = {2020-12-16 17:42:20 -0500},
  date-modified = {2020-12-16 17:44:11 -0500},
  bdsk-url-1    = {https://www.cs.columbia.edu/~smb/papers/nyc-cloud.pdf}
}
% Columbia News article (2020-10-23) on the security of mail-in ballots.
@article{bellovin:mail-in,
  author        = {Steven M. Bellovin},
  title         = {Mail-in Ballots Are Secure, Confidential, and
    Trustworthy},
  journal       = {Columbia News},
  month         = {October 23,},
  year          = {2020},
  date          = {2020-10-23},
  url           = {https://news.columbia.edu/in-mail-absentee-ballots-secure-vote-election},
  date-added    = {2020-10-23 18:06:50 -0400},
  date-modified = {2020-10-23 18:06:50 -0400},
  bdsk-url-1    = {https://news.columbia.edu/in-mail-absentee-ballots-secure-vote-election}
}
% Written testimony (February 2020) to the New York City Council on
% cybersecurity for small businesses; the entry has no date field.
@misc{bellovin:testimony*1,
  author        = {Steven M. Bellovin},
  title         = {Testimony for the {New York City Council Committee on
    Technology and Committee on Small Business} Hearing on
    {``Cybersecurity for Small Businesses''}},
  month         = {February 25,},
  year          = {2020},
  url           = {https://www.cs.columbia.edu/~smb/papers/nyc-council-testimony.pdf},
  date-added    = {2020-03-06 14:08:23 -0500},
  date-modified = {2020-03-06 15:41:44 -0500},
  bdsk-url-1    = {https://www.cs.columbia.edu/~smb/papers/nyc-council-testimony.pdf}
}
% Law-review article arguing that criminal defendants need access to the source
% code of "evidentiary software" (Ohio St. Tech. L.J. 17:1, 2020).
@article{bellovin.blaze.ea:seeking,
  author        = {Steven M. Bellovin and Matt Blaze and Susan Landau and
    Brian Owsley},
  title         = {Seeking the Source: Criminal Defendants' Constitutional
    Right to Source Code},
  journal       = {Ohio State Technology Law Journal},
  volume        = {17},
  number        = {1},
  pages         = {1--73},
  month         = {December},
  year          = {2020},
  date          = {2020-12},
  url           = {https://kb.osu.edu/bitstream/handle/1811/92288/OSTLJ_V17N1_001.pdf?sequence=1},
  lawcite       = {Steven M. Bellovin et al., \textbf{17 Ohio St. Tech. L.J.
    1 (2020)}},
  abstract      = {The right to a fair trial is fundamental to American
    jurisprudence. The Fifth Amendment of the Bill of Rights
    guarantees ``due process,'' while the Sixth provides the
    accused with the right to be ``confronted with the
    witnesses against him.'' But ``time works changes, brings
    into existence new conditions and purposes.'' So it is with
    software. From the smartphones we access multiple times a
    day to more exotic tools---the software ``genies'' of
    Amazon Echo and Google Home---software is increasingly
    embedded in day-to-day life. It does glorious things, such
    as flying planes and creating CAT scans, but it also has
    problems: software errors.
    Software has also found its way into trials. Software's
    errors have meant that defendants are often denied their
    fundamental rights. In this paper, we focus on
    ``evidentiary software''---computer software used for
    producing evidence---that is routinely introduced in modern
    courtrooms. Whether from breathalyzers, computer forensic
    analysis, data taps, or even FitBits, computer code
    increasingly provides crucial trial evidence. Yet despite
    the central role software plays in convictions, computer
    code is often unavailable to examination by the defense.
    This may be for proprietary reasons---the vendor wishes to
    protect its confidential software---or it may result from a
    decision by the government to withhold the code for
    security reasons. Because computer software is far from
    infallible---software programs can create incorrect
    information, erase details, vary data depending on when and
    how they are accessed---or fail in a myriad of other
    ways---the only way that the accused can properly and fully
    defend himself is to have an ability to access the software
    that produced the evidence. Yet often the defendants are
    denied such critical access.
    In this paper, we do an in-depth examination of the
    problem. Then, providing a variety of examples of software
    failure and discussing the limitations of technologists'
    ability to prove software programs correct, we suggest
    potential processes for disclosing software that enable
    fair trials while nonetheless prevent wide release of the
    code. },
  date-added    = {2020-02-15 11:15:44 -0500},
  date-modified = {2021-10-16 12:15:21 -0400},
  bdsk-url-1    = {https://moritzlaw.osu.edu/ostlj/2020/12/22/seeking-the-source-criminal-defendants-constitutional-right-to-source-code/}
}
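% Article (2019-02-07) urging disclosure of security vulnerabilities.
% bdsk-url-1 previously held a percent-encoded author list instead of a URL;
% it now mirrors the url field, as the other entries in this file do.
% NOTE(review): the entry is typed as an article but has no journal field;
% add the venue name or retype the entry -- confirm with the author.
@article{sethumadhavan.bellovin.ea:please,
  author        = {Simha Sethumadhavan and Steven M. Bellovin and Paul Kocher
    and Ed Suh},
  title         = {Please Disclose Security Vulnerabilities!},
  month         = {February 7,},
  year          = {2019},
  date          = {2019-02-07},
  url           = {https://www.sigarch.org/please-disclose-security-vulnerabilities/},
  date-added    = {2019-02-07 19:38:37 -0500},
  date-modified = {2019-02-07 19:40:15 -0500},
  bdsk-url-1    = {https://www.sigarch.org/please-disclose-security-vulnerabilities/}
}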
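% Ars Technica article (2019-01-24) on algorithmic bias. The straight double
% quotes in the title are replaced by TeX quote pairs, matching the other
% titles in this file; a straight quote typesets as a closing quote on both sides.
@article{bellovin:yes,
  author        = {Steven M. Bellovin},
  title         = {Yes, ``algorithms'' can be biased. {Here's} why},
  journal       = {Ars Technica},
  month         = {January 24,},
  year          = {2019},
  date          = {2019-01-24},
  url           = {https://arstechnica.com/tech-policy/2019/01/yes-algorithms-can-be-biased-heres-why/},
  date-added    = {2019-01-24 20:13:32 -0500},
  date-modified = {2019-01-24 20:15:55 -0500},
  bdsk-url-1    = {https://arstechnica.com/tech-policy/2019/01/yes-algorithms-can-be-biased-heres-why/}
}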
% Lawfare piece (2018-10-26) arguing that default encryption serves national
% security.
@article{bellovin.landau:encryption,
  author        = {Steven Bellovin and Susan Landau},
  title         = {Encryption by Default Equals National Security},
  journal       = {Lawfare},
  month         = {October 26,},
  year          = {2018},
  date          = {2018-10-26},
  url           = {https://www.lawfareblog.com/encryption-default-equals-national-security},
  date-added    = {2018-12-16 10:57:43 -0500},
  date-modified = {2018-12-16 10:57:43 -0500},
  bdsk-url-1    = {https://www.lawfareblog.com/encryption-default-equals-national-security}
}
% Comments submitted to the NTIA on privacy regulation (LawArXiv, 2018-11-07),
% arguing that notice and consent no longer works.
@misc{bellovin:comments,
  author        = {Steven M. Bellovin},
  title         = {Comments on Privacy},
  howpublished  = {LawArXiv},
  month         = {November},
  year          = {2018},
  date          = {2018-11-07},
  note          = {Comments submitted to the NTIA request for comments on
    privacy.},
  url           = {https://osf.io/preprints/lawarxiv/5s2vt},
  abstract      = {Today, all privacy regulations around the world are based
    on the 50-year-old paradigm of notice and consent. It no
    longer works. The systems we deal with---web pages with
    their multiple levels of advertising, the Internet of
    Things, and more---are too complex; consumers have no idea
    what sites they are contacting nor what their privacy
    policies are. Privacy harms are not well-defined,
    especially under U.S. law. Furthermore, their privacy
    policies are ambiguous and confusing. Use controls---the
    ability for users to control how their data is used, rather
    than who can collect it---are more promising but pose their
    own challenges. I recommend research on a new privacy
    paradigm, and give suggestions on interim changes to
    today's privacy regulations until there is something new.
    },
  date-added    = {2018-11-07 11:19:47 -0500},
  date-modified = {2018-11-07 11:21:39 -0500},
  bdsk-url-1    = {https://osf.io/preprints/lawarxiv/5s2vt}
}
% Communications of the ACM column, volume 61, number 11 (November 2018).
@article{bellovin.neumann:big,
  author        = {Steven M. Bellovin and Peter G. Neumann},
  title         = {The Big Picture},
  journal       = {Communications of the {ACM}},
  volume        = {61},
  number        = {11},
  month         = {November},
  year          = {2018},
  date          = {2018-11},
  url           = {http://www.csl.sri.com/users/neumann/cacm245.pdf},
  date-added    = {2018-10-29 18:34:14 -0400},
  date-modified = {2018-10-29 18:35:26 -0400},
  bdsk-url-1    = {http://www.csl.sri.com/users/neumann/cacm245.pdf}
}
% Ars Technica op-ed (2018-05-07) responding to Ray Ozzie's crypto proposal.
@article{bellovin.blaze.ea:op-ed,
  author        = {Steven M. Bellovin and Matt Blaze and Dan Boneh and Susan
    Landau and Ronald L. Rivest},
  title         = {Op-ed: {Ray Ozzie's} crypto proposal---a dose of technical
    reality},
  journal       = {Ars Technica},
  month         = {May 07,},
  year          = {2018},
  date          = {2018-05-07},
  url           = {https://arstechnica.com/information-technology/2018/05/op-ed-ray-ozzies-crypto-proposal-a-dose-of-technical-reality/},
  date-added    = {2018-05-07 17:05:15 +0000},
  date-modified = {2018-05-07 17:06:14 +0000},
  bdsk-url-1    = {https://arstechnica.com/information-technology/2018/05/op-ed-ray-ozzies-crypto-proposal-a-dose-of-technical-reality/}
}
% Ars Technica article (January 2018) on the Hawaii missile-warning false alarm;
% the entry has no date field, only month and year.
@article{bellovin:heres,
  author        = {Steve Bellovin},
  title         = {Here's how to make sure {Hawaii's} missile warning fiasco
    isn't repeated},
  journal       = {Ars Technica},
  month         = {January 21,},
  year          = {2018},
  url           = {https://arstechnica.com/information-technology/2018/01/heres-how-to-make-sure-hawaiis-missile-warning-fiasco-isnt-repeated/},
  date-added    = {2018-01-21 20:12:27 +0000},
  date-modified = {2018-01-21 20:13:35 +0000},
  bdsk-url-1    = {https://arstechnica.com/information-technology/2018/01/heres-how-to-make-sure-hawaiis-missile-warning-fiasco-isnt-repeated/}
}
% Law-review article on rewarding the reporting of cybersecurity near misses
% (Colo. Tech. L.J. 16:2, 2018).
@article{bair.bellovin.ea:that,
  author        = {Jonathan Bair and Steven Bellovin and Andrew Manley and
    Blake Reid and Adam Shostack},
  title         = {That Was Close! {Reward} Reporting of Cybersecurity ``Near
    Misses''},
  journal       = {Colorado Technology Law Journal},
  volume        = {16},
  number        = {2},
  pages         = {327--364},
  year          = {2018},
  url           = {https://ctlj.colorado.edu/wp-content/uploads/2018/09/4-Shostack-8.7.18-FINAL.pdf},
  lawcite       = {Jonathan Bair et al., \textbf{16 Colo. Tech. L.J. 327
    (2018)}},
  date-added    = {2017-12-01 23:50:16 +0000},
  date-modified = {2018-09-14 16:10:21 -0700},
  bdsk-url-1    = {https://ctlj.colorado.edu/wp-content/uploads/2018/09/4-Shostack-8.7.18-FINAL.pdf}
}
% Vice Motherboard article (2017-10-05) on replacing Social Security numbers.
@article{bellovin:replacing,
  author        = {Steven Bellovin},
  title         = {Replacing Social Security Numbers Is Harder Than You
    Think},
  journal       = {Vice Motherboard},
  month         = {October 5,},
  year          = {2017},
  date          = {2017-10-05},
  url           = {https://motherboard.vice.com/en_us/article/pakwnb/replacing-social-security-numbers-is-harder-than-you-think},
  date-added    = {2017-10-05 17:25:04 +0000},
  date-modified = {2017-10-05 17:25:04 +0000},
  bdsk-url-1    = {https://motherboard.vice.com/en_us/article/pakwnb/replacing-social-security-numbers-is-harder-than-you-think}
}
% Journal of Cybersecurity article (vol. 3, no. 1, 2017) on limiting the
% undesired impact of cyber weapons.
@article{bellovin.landau.ea:limiting*1,
  author        = {Steven M. Bellovin and Susan Landau and Herbert S. Lin},
  title         = {Limiting the Undesired Impact of Cyber Weapons: Technical
    Requirements and Policy Implications},
  journal       = {Journal of Cybersecurity},
  volume        = {3},
  number        = {1},
  year          = {2017},
  url           = {https://academic.oup.com/cybersecurity/article/3/1/59/3097802/Limiting-the-undesired-impact-of-cyber-weapons},
  date-added    = {2016-11-23 23:03:06 +0000},
  date-modified = {2017-04-27 21:32:59 +0000},
  bdsk-url-1    = {https://academic.oup.com/cybersecurity/article/3/1/59/3097802/Limiting-the-undesired-impact-of-cyber-weapons}
}
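% Submission (2016-09-08) to the Commission on Enhancing National Cybersecurity.
% bdsk-url-1 previously pointed at fcc-nprm-bias.pdf, the PDF cited by a
% different entry in this file; it now mirrors this entry's url field so the
% linked file matches the cited document.
@misc{bellovin.shostack:input,
  author        = {Steven M. Bellovin and Adam Shostack},
  title         = {Input to the {Commission on Enhancing National
    Cybersecurity}},
  month         = {September},
  year          = {2016},
  date          = {2016-09-08},
  url           = {https://www.cs.columbia.edu/~smb/papers/Current_and_Future_States_of_Cybersecurity-Bellovin-Shostack.pdf},
  date-added    = {2016-09-08 16:10:32 +0000},
  date-modified = {2016-09-08 16:12:57 +0000},
  bdsk-url-1    = {https://www.cs.columbia.edu/~smb/papers/Current_and_Future_States_of_Cybersecurity-Bellovin-Shostack.pdf}
}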
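% Comments (2016-07-06) on the FCC broadband privacy rulemaking. The quoted
% proceeding title was missing "and" before "Other"; the case-protecting brace
% now wraps the whole first word instead of a single letter.
@misc{bellovin:comments*1,
  author        = {Steven M. Bellovin},
  title         = {Comments on ``{Protecting} the Privacy of Customers of
    Broadband and Other Telecommunications Services''},
  month         = {July},
  year          = {2016},
  date          = {2016-07-06},
  url           = {https://www.cs.columbia.edu/~smb/papers/fcc-nprm-bias.pdf},
  date-added    = {2016-07-21 00:13:32 +0000},
  date-modified = {2016-07-21 00:18:45 +0000},
  bdsk-url-1    = {https://www.cs.columbia.edu/~smb/papers/fcc-nprm-bias.pdf}
}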
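% Law-review article on how Internet architecture erodes the content/metadata
% distinction in surveillance law (Harv. J.L. and Tech. 30:1, 2016).
% Abstract fixes: "visa-versa" becomes "vice versa", the missing words in
% "progresses through the Internet's" are restored, and the trailing blank
% before the closing brace is dropped.
@article{bellovin.blaze.ea:its,
  author        = {Steven M. Bellovin and Matt Blaze and Susan Landau and
    Stephanie Pell},
  title         = {It's Too Complicated: How the {Internet} Upends {\em
    {Katz}}, {\em {Smith}}, and Electronic Surveillance Law},
  journal       = {Harvard Journal of Law and Technology},
  volume        = {30},
  number        = {1},
  issue         = {Fall},
  pages         = {1--101},
  month         = {Fall},
  year          = {2016},
  url           = {http://jolt.law.harvard.edu/assets/articlePDFs/v30/30HarvJLTech1.pdf},
  lawcite       = {Steven M. Bellovin et al., \textbf{30 Harv. J.L. \& Tech.
    1 (2016)}},
  abstract      = {For more than forty years, electronic surveillance law in
    the United States developed under constitutional and
    statutory regimes that, given the technology of the day,
    distinguished content from metadata with ease and
    certainty. The stability of these legal regimes and the
    distinctions they facilitated was enabled by the relative
    stability of these types of data in the traditional
    telephone network and their obviousness to users. But what
    happens to these legal frameworks when they confront the
    Internet? The Internet's complex architecture creates a
    communication environment where any given individual unit
    of data may change its status---from content to non-content
    or vice versa---as it progresses through the Internet's
    layered network stack while traveling from sender to
    recipient. The
    unstable, transient status of data traversing the Internet
    is compounded by the fact that the content or non-content
    status of any individual unit of data may also depend upon
    where in the network that unit resides when the question is
    asked. In this IP-based communications environment, the
    once-stable legal distinction between content and
    non-content has steadily eroded to the point of collapse,
    destroying in its wake any meaningful application of the
    third party doctrine. Simply put, the world of Katz and
    Smith and the corresponding statutes that codify the
    content/non-content distinction and the third party
    doctrine are no longer capable of accounting for and
    regulating law enforcement access to data in an IP-mediated
    communications environment. Building on a deep technical
    analysis of the Internet architecture, we define new terms,
    communicative content, architectural content, and
    architectural metadata, that better reflect the structure
    of the Internet, and use them to explain why and how we now
    find ourselves bereft of the once reliable support these
    foundational legal structures provided. Ultimately, we
    demonstrate the urgent need for development of new rules
    and principles capable of regulating law enforcement access
    to IP-based communications data.},
  date-added    = {2016-03-23 04:59:32 +0000},
  date-modified = {2024-04-20 21:40:41 -0400},
  bdsk-url-1    = {https://www.cs.columbia.edu/~smb/papers/internet-3rd-party.pdf}
}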
% IEEE Computer article (vol. 49, no. 3, March 2016) on technical issues with
% remote computer searches; the note links an earlier version.
@article{bellovin.blaze.ea:insecure,
  author        = {Steven M. Bellovin and Matt Blaze and Susan Landau},
  title         = {Insecure Surveillance: Technical Issues with Remote
    Computer Searches},
  journal       = {{IEEE} Computer},
  volume        = {49},
  number        = {3},
  pages         = {14--24},
  month         = {March},
  year          = {2016},
  note          = {An earlier version is available at
    {\url{https://www.cs.columbia.edu/~smb/papers/rsearch.pdf}}},
  url           = {https://www.computer.org/csdl/magazine/co/2016/03/mco2016030014/13rRUEgarwD},
  date-added    = {2016-03-03 23:20:16 +0000},
  date-modified = {2021-04-16 16:35:59 -0400},
  bdsk-url-1    = {https://www.computer.org/cms/Computer.org/ComputingNow/issues/2016/06/mco2016030014.pdf}
}
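% Journal of Cybersecurity article (1:1, 2015) on the security risks of
% mandated exceptional access. Abstract fixes: the missing space in
% "mandates.We" is restored and the stray blanks just inside the braces are
% trimmed. The "?login=true" query string is dropped from the url field, as it
% looks like a sign-in redirect artifact rather than part of the article address.
@article{abelson.anderson.ea:keys,
  author        = {Abelson, Harold and Anderson, Ross and Bellovin, Steven M.
    and Benaloh, Josh and Blaze, Matt and Diffie, Whitfield and
    Gilmore, John and Green, Matthew and Landau, Susan and
    Neumann, Peter G. and Rivest, Ronald L. and Schiller,
    Jeffrey I. and Schneier, Bruce and Specter, Michael A. and
    Weitzner, Daniel J.},
  title         = {Keys Under Doormats: Mandating Insecurity by Requiring
    Government Access to All Data and Communications},
  journal       = {Journal of Cybersecurity},
  volume        = 1,
  number        = 1,
  month         = {September},
  year          = {2015},
  doi           = {10.1093/cybsec/tyv009},
  issn          = {2057-2085},
  publisher     = {The Oxford University Press},
  url           = {https://academic.oup.com/cybersecurity/article/1/1/69/2367066},
  abstract      = {Twenty years ago, law enforcement organizations lobbied
    to require data and communication services to engineer
    their products to guarantee law enforcement access to all
    data. After lengthy debate and vigorous predictions of
    enforcement channels ``going dark,'' these attempts to
    regulate security technologies on the emerging Internet
    were abandoned. In the intervening years, innovation on the
    Internet flourished, and law enforcement agencies found new
    and more effective means of accessing vastly larger
    quantities of data. Today, there are again calls for
    regulation to mandate the provision of exceptional access
    mechanisms. In this article, a group of computer scientists
    and security experts, many of whom participated in a 1997
    study of these same topics, has convened to explore the
    likely effects of imposing extraordinary access mandates. We
    have found that the damage that could be caused by law
    enforcement exceptional access requirements would be even
    greater today than it would have been 20 years ago. In the
    wake of the growing economic and social cost of the
    fundamental insecurity of today's Internet environment, any
    proposals that alter the security dynamics online should be
    approached with caution. Exceptional access would force
    Internet system developers to reverse ``forward secrecy''
    design practices that seek to minimize the impact on user
    privacy when systems are breached. The complexity of
    today's Internet environment, with millions of apps and
    globally connected services, means that new law enforcement
    requirements are likely to introduce unanticipated, hard to
    detect security flaws. Beyond these and other technical
    vulnerabilities, the prospect of globally deployed
    exceptional access systems raises difficult problems about
    how such an environment would be governed and how to ensure
    that such systems would respect human rights and the rule
    of law.},
  date-added    = {2015-11-24 16:07:02 +0000},
  date-modified = {2021-06-03 18:48:34 -0400},
  bdsk-url-1    = {http://dx.doi.org/10.1093/cybsec/tyv009}
}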
% Comments (2014-10-31) on proposed remote search rules.
@misc{bellovin.blaze.ea:comments,
  author        = {Steven M. Bellovin and Matt Blaze and Susan Landau},
  title         = {Comments on Proposed Remote Search Rules},
  month         = {October},
  year          = {2014},
  date          = {2014-10-31},
  url           = {https://www.cs.columbia.edu/~smb/papers/rsearch.pdf},
  date-added    = {2014-10-31 19:48:47 +0000},
  date-modified = {2014-10-31 19:50:45 +0000},
  bdsk-url-1    = {https://www.cs.columbia.edu/~smb/papers/rsearch.pdf}
}
% IEEE Security and Privacy article (vol. 11, no. 1, 2013) comparing targeted
% interception by law enforcement with design mandates for wiretap interfaces.
@article{bellovin.blaze.ea:going,
  author        = {Steven M. Bellovin and Matt Blaze and Sandy Clark and
    Susan Landau},
  title         = {Going Bright: Wiretapping without Weakening Communications
    Infrastructure},
  journal       = {{IEEE} Security \& Privacy},
  volume        = {11},
  number        = {1},
  pages         = {62--72},
  month         = {January--February},
  year          = {2013},
  date          = {2013-01/2013-02},
  doi           = {10.1109/MSP.2012.138},
  issn          = {1540-7993},
  url           = {https://www.cs.columbia.edu/~smb/papers/GoingBright.pdf},
  keyword       = {Computer security;Law enforcement;Peer to peer
    computing;Privacy;Software;Surveillance;Technological
    innovation;CALEA;Communications Assistance for Law
    Enforcement Act;exploit;law enforcement;national
    security;security;surveillance;telecommunications;wiretap;},
  abstract      = {Mobile IP-based communications and changes in
    technologies, including wider use of peer-to-peer
    communication methods and increased deployment of
    encryption, has made wiretapping more difficult for law
    enforcement, which has been seeking to extend wiretap
    design requirements for digital voice networks to IP
    network infrastructure and applications. Such an extension
    to emerging Internet-based services would create
    considerable security risks as well as cause serious harm
    to innovation. In this article, the authors show that the
    exploitation of naturally occurring weaknesses in the
    software platforms being used by law enforcement's targets
    is a solution to the law enforcement problem. The authors
    analyze the efficacy of this approach, concluding that such
    law enforcement use of passive interception and targeted
    vulnerability exploitation tools creates fewer security
    risks for non-targets and critical infrastructure than do
    design mandates for wiretap interfaces.},
  date-added    = {2013-02-02 20:51:50 +0000},
  date-modified = {2016-12-28 01:28:40 +0000},
  bdsk-url-1    = {http://dx.doi.org/10.1109/MSP.2012.138},
  bdsk-url-2    = {https://www.cs.columbia.edu/~smb/papers/GoingBright.pdf}
}
% Report (February 2006) on statewide voter-registration databases,
% commissioned by the U.S. Public Policy Committee of the ACM.
@misc{hawthorn.simons.ea:statewide,
  author        = {Paula Hawthorn and Barbara Simons and Chris Clifton and
    David Wagner and Steven M. Bellovin and Rebecca Wright and
    Arnold Rosenthal and Ralph Poore and Lillie Coney and
    Robert Gellman and Harry Hochheiser},
  title         = {Statewide Databases of Registered Voters: Study Of
    Accuracy, Privacy, Usability, Security, and Reliability
    Issues},
  month         = {February},
  year          = {2006},
  note          = {Report commissioned by the U.S. Public Policy Committee of
    the Association for Computing Machinery},
  url           = {https://www.acm.org/binaries/content/assets/public-policy/usacm/e-voting/reports-and-white-papers/vrd_report2.pdf},
  date-modified = {2020-02-16 13:28:53 -0500},
  bdsk-url-1    = {http://usacm.acm.org/usacm/VRD/}
}
% Report (2006) on the security implications of applying CALEA to voice over IP.
@misc{bellovin.blaze.ea:security,
  author        = {Steven M. Bellovin and Matt Blaze and Ernest Brickell and
    Clinton Brooks and Vint Cerf and Whitfield Diffie and Susan
    Landau and Jon Peterson and John Treichler},
  title         = {Security Implications of Applying the {Communications
    Assistance to Law Enforcement Act to Voice over IP}},
  year          = {2006},
  url           = {https://www.cs.columbia.edu/~smb/papers/CALEAVOIPreport.pdf},
  bdsk-url-1    = {https://www.cs.columbia.edu/~smb/papers/CALEAVOIPreport.pdf}
}
% Comments (December 2000) on the draft technical review of the Carnivore system.
@misc{bellovin.blaze.ea:comments*1,
  author        = {Steven M. Bellovin and Matt Blaze and David Farber and
    Peter Neumann and Gene Spafford},
  title         = {Comments on the {Carnivore} System Technical Review
    Draft},
  month         = {December},
  year          = {2000},
  url           = {http://www.mattblaze.org/papers/carnivore_report_comments.html},
  bdsk-url-1    = {http://www.mattblaze.org/papers/carnivore_report_comments.html}
}
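% House testimony (July 2003) on cybersecurity research needs. The transcript
% address in the note is now wrapped in \url, as the note of the
% "Insecure Surveillance" entry in this file already does, so it is typeset
% and line-broken as a URL.
@misc{bellovin:cybersecurity,
  author        = {Steven M. Bellovin},
  title         = {Cybersecurity Research Needs},
  month         = {July},
  year          = {2003},
  note          = {Testimony before the House Select Committee on Homeland
    Security, Subcommittee on Cybersecurity, Science, Research,
    \& Development, hearing on ``Cybersecurity---Getting it
    Right''. Transcript at
    {\url{https://archive.org/details/gov.gpo.fdsys.CHRG-108hhrg98150}}},
  url           = {https://www.cs.columbia.edu/~smb/papers/Statement.pdf},
  psurl         = {https://www.cs.columbia.edu/~smb/papers/Statement.ps},
  date-modified = {2017-02-04 22:00:29 +0000},
  bdsk-url-1    = {https://www.cs.columbia.edu/~smb/papers/Statement.pdf}
}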
% Communications of the ACM piece (2011), a shorter version of "Can it really
% work?". The month, number and volume values sit under x-prefixed field names,
% which standard styles do not read.
@article{bellovin.bradner.ea:as,
  author        = {Steven M. Bellovin and Scott O. Bradner and Whitfield
    Diffie and Susan Landau and Jennifer Rexford},
  title         = {As Simple As Possible---But Not More So},
  journal       = {Communications of the {ACM}},
  year          = {2011},
  note          = {Note: this is a shorter version of ``Can it really
    work?''},
  url           = {https://www.cs.columbia.edu/~smb/papers/simple-as-possible.pdf},
  xvolume       = {54},
  xnumber       = {8},
  xmonth        = {August},
  bdsk-url-1    = {https://www.cs.columbia.edu/~smb/papers/simple-as-possible.pdf}
}
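% Harvard National Security Journal article (vol. 3) on the limits of
% extending EINSTEIN-type intrusion detection to private critical
% infrastructure. The stray blanks before two full stops in the abstract
% ("intrusions ." and "systems .") are removed.
% NOTE(review): lawcite gives the year as 2011 while the year field says 2012;
% confirm which one the published volume carries.
@article{bellovin.bradner.ea:can,
  author        = {Steven M. Bellovin and Scott O. Bradner and Whitfield
    Diffie and Susan Landau and Jennifer Rexford},
  title         = {Can It Really Work? {Problems} with Extending {EINSTEIN~3}
    to Critical Infrastructure},
  journal       = {Harvard National Security Journal},
  volume        = {3},
  pages         = {1--38},
  year          = {2012},
  publisher     = {Harvard},
  url           = {https://www.cs.princeton.edu/~jrex/papers/einstein12.pdf},
  lawcite       = {Steven M. Bellovin et al., \textbf{3 Harv. Nat'l. Sec.
    L.J. 1 (2011)}},
  abstract      = {In 2004 the increasing number of attacks on U.S. federal
    civilian agency computer systems caused the government to
    begin an active effort to protect federal civilian agencies
    against cyber intrusions. This classified program,
    EINSTEIN, sought to do real-time, or near real-time,
    automatic collection, correlation, and analysis of computer
    intrusion information as a first step in protecting federal
    civilian agency computer systems. EINSTEIN grew into a
    series of programs, EINSTEIN, EINSTEIN 2, and EINSTEIN 3,
    all based on intrusion-detection and intrusion-prevention
    systems (IDS and IPS). Then there was public discussion of
    extending the EINSTEIN system to privately held critical
    infrastructure. \par Extending an EINSTEIN-like program to
    the private sector raises serious technical and managerial
    issues. Scale matters, as do the different missions of the
    private sector and the public one. Expanding EINSTEIN-type
    technology to critical infrastructure is complicated by the
    complex legal and regulatory landscapes for such systems.
    There are simply fundamental differences between
    communication networks supporting the U.S. federal
    government and those supporting the private-sector critical
    infrastructures that create serious difficulties in
    attempting to extend EINSTEIN-type technologies beyond the
    federal sector. This paper examines the technology's
    limitations, pointing out the problems involved in
    expanding EINSTEIN beyond its original mandate.},
  date-modified = {2020-08-06 14:53:41 -0400},
  bdsk-url-1    = {http://harvardnsj.org/wp-content/uploads/2012/01/Vol.-3_Bellovin_Bradner_Diffie_Landau_Rexford1.pdf}
}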
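% Healthcare.gov is braced so that sentence-casing styles keep the site
% name's capital letter. The month field carries the day and a trailing
% comma as literal text and is left as the author wrote it.
@article{bellovin:why,
  author        = {Steven M. Bellovin},
  title         = {Why {Healthcare.gov} Has So Many Problems},
  journal       = {CNN.com},
  month         = {October 15,},
  year          = {2013},
  date          = {2013-10-15},
  url           = {http://www.cnn.com/2013/10/14/opinion/bellovin-obamacare-glitches/},
  date-modified = {2021-10-19 21:04:26 -0400},
  bdsk-url-1    = {http://www.cnn.com/2013/10/14/opinion/bellovin-obamacare-glitches/}
}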
@article{bellovin:danger,
  author     = {Steven M. Bellovin},
  title      = {The Danger of `Exceptional Access'},
  journal    = {CNN.com},
  month      = {November 18,},
  year       = {2015},
  date       = {2015-11-18},
  url        = {http://www.cnn.com/2015/11/18/opinions/bellovin-encryption-debate/index.html},
  bdsk-url-1 = {http://www.cnn.com/2015/11/18/opinions/bellovin-encryption-debate/index.html}
}
@incollection{johnson.bellovin.ea:computer,
  author     = {Maritza L. Johnson and Steven M. Bellovin and
                Angelos D. Keromytis},
  title      = {Computer Security Research with Human Subjects: Risks,
                Benefits and Informed Consent},
  booktitle  = {Financial Cryptography and Data Security},
  series     = {Lecture Notes in Computer Science},
  publisher  = {Springer Berlin / Heidelberg},
  year       = {2011},
  url        = {https://www.cs.columbia.edu/~smb/papers/wecsr2011-irb.pdf},
  abstract   = {Computer security research frequently entails studying
                real computer systems and their users; studying deployed
                systems is critical to understanding real world problems,
                so is having would-be users test a proposed solution. In
                this paper we focus on three key concepts in regard to
                ethics: risks, benefits, and informed consent. Many
                researchers are required by law to obtain the approval of
                an ethics committee for research with human subjects, a
                process which includes addressing the three concepts
                focused on in this paper. Computer security researchers who
                conduct human subjects research should be concerned with
                these aspects of their methodology regardless of whether
                they are required to by law, it is our ethical
                responsibility as professionals in this field. We augment
                previous discourse on the ethics of computer security
                research by sparking the discussion of how the nature of
                security research may complicate determining how to treat
                human subjects ethically. We conclude by suggesting ways
                the community can move forward.},
  bdsk-url-1 = {https://www.cs.columbia.edu/~smb/papers/wecsr2011-irb.pdf}
}
@misc{abelson.anderson.ea:risks,
  author     = {Hal Abelson and Ross Anderson and Steven M. Bellovin and
                Josh Benaloh and Matt Blaze and Whitfield Diffie and
                John Gilmore and Peter G. Neumann and Ronald L. Rivest and
                Jeffrey I. Schiller and Bruce Schneier},
  title      = {The Risks of Key Recovery, Key Escrow, and Trusted
                Third-Party Encryption},
  month      = {May},
  year       = {1997},
  note       = {A report by an ad hoc group of cryptographers and computer
                scientists},
  url        = {https://www.cs.columbia.edu/~smb/papers/paper-key-escrow.pdf},
  bdsk-url-1 = {https://www.cs.columbia.edu/~smb/papers/paper-key-escrow.pdf}
}
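% The abstract's misspelling "cpatured" is corrected to "captured"; the rest
% of the abstract text is unchanged.
@article{bellovin.blaze.ea:lawful,
  author        = {Steven M. Bellovin and Matt Blaze and Sandy Clark and
                   Susan Landau},
  title         = {Lawful Hacking: Using Existing Vulnerabilities for
                   Wiretapping on the {Internet}},
  journal       = {Northwestern Journal of Technology and Intellectual
                   Property},
  volume        = {12},
  number        = {1},
  pages         = {1--64},
  year          = {2014},
  lawcite       = {Steven M. Bellovin et al., \textbf{12 Nw. J. Tech. \&
                   Intell. Prop. 1 (2014)}},
  url           = {http://scholarlycommons.law.northwestern.edu/njtip/vol12/iss1/1/},
  abstract      = {For years, legal wiretapping was straightforward: the
                   officer doing the intercept connected a tape recorder or
                   the like to a single pair of wires. By the 1990s, though,
                   the changing structure of telecommunications---there was no
                   longer just ``Ma Bell'' to talk to---and new technologies
                   such as ISDN and cellular telephony made executing a
                   wiretap more complicated for law enforcement. Simple
                   technologies would no longer suffice. In response, Congress
                   passed the Communications Assistance for Law Enforcement
                   Act (CALEA), which mandated a standardized lawful intercept
                   interface on all local phone switches. Technology has
                   continued to progress, and in the face of new forms of
                   communication---Skype, voice chat during multiplayer online
                   games, many forms of instant messaging, etc.---law
                   enforcement is again experiencing problems. The FBI has
                   called this ``Going Dark'': their loss of access to
                   suspects' communication. According to news reports, they
                   want changes to the wiretap laws to require a CALEA-like
                   interface in Internet software. CALEA, though, has its own
                   issues: it is complex software specifically intended to
                   create a security hole---eavesdropping capability---in the
                   already-complex environment of a phone switch. It has
                   unfortunately made wiretapping easier for everyone, not
                   just law enforcement. Congress failed to heed experts'
                   warnings of the danger posed by this mandated
                   vulnerability, but time has proven the experts right. The
                   so-called ``Athens Affair'', where someone used the
                   built-in lawful intercept mechanism to listen to the cell
                   phone calls of high Greek officials, including the Prime
                   Minister, is but one example. In an earlier work, we showed
                   why extending CALEA to the Internet would create very
                   serious problems, including the security problems it has
                   visited on the phone system. In this paper, we explore the
                   viability and implications of an alternative method for
                   addressing law enforcement's need to access communications:
                   legalized hacking of target devices through existing
                   vulnerabilities in end-user software and platforms. The FBI
                   already uses this approach on a small scale; we expect that
                   its use will increase, especially as centralized
                   wiretapping capabilities become less viable. Relying on
                   vulnerabilities and hacking poses a large set of legal and
                   policy questions, some practical and some normative. Among
                   these are: * Will it create disincentives to patching? *
                   Will there be a negative effect on innovation? (Lessons
                   from the so-called ``Crypto Wars'' of the 1990s, and, in
                   particular, the debate over export controls on
                   cryptography, are instructive here.) * Will law
                   enforcement's participation in vulnerabilities purchasing
                   skew the market? * Do local and even state law enforcement
                   agencies have the technical sophistication to develop and
                   use exploits? If not, how should this be handled? A larger
                   FBI role? * Should law enforcement even be participating in
                   a market where many of the sellers and other buyers are
                   themselves criminals? * What happens if these tools are
                   captured and repurposed by miscreants? * Should we sanction
                   otherwise-illegal network activity to aid law enforcement?
                   * Is the probability of success from such an approach too
                   low for it to be useful? As we will show, though, these
                   issues are indeed challenging. We regard them, on balance,
                   as preferable to adding more complexity and insecurity to
                   online systems.},
  date-modified = {2013-09-10 00:39:24 +0000},
  bdsk-url-1    = {http://scholarlycommons.law.northwestern.edu/njtip/vol12/iss1/1/}
}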
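% NOTE(review): year is 2014 while lawcite gives (2016); confirm which is intended.
% The accent in the second author's given name is written as a BibTeX
% special character, a brace group that opens with the accent command.
@article{bellovin.hutchins.ea:when,
  author        = {Steven M. Bellovin and Ren{\'e}e M. Hutchins and Tony
                   Jebara and Sebastian Zimmeck},
  title         = {When Enough is Enough: Location Tracking, Mosaic Theory,
                   and Machine Learning},
  journal       = {NYU Journal of Law and Liberty},
  volume        = {8},
  number        = {2},
  pages         = {555--628},
  year          = {2014},
  lawcite       = {Steven M. Bellovin et al., \textbf{8 NYU J.L. \& Liberty
                   555 (2016)}},
  url           = {https://digitalcommons.law.umaryland.edu/cgi/viewcontent.cgi?article=2379&context=fac_pubs},
  date-added    = {2013-09-02 20:55:30 +0000},
  date-modified = {2021-02-01 21:06:07 -0500},
  bdsk-url-1    = {http://lawandlibertyblog.com/s/Hutchins.pdf}
}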
@misc{blaze.bellovin:open,
  author     = {Matt Blaze and Steven M. Bellovin},
  title      = {Open {Internet} Wiretapping},
  month      = {July},
  year       = {2000},
  note       = {Written testimony for a hearing on ``Fourth Amendment
                Issues Raised by the FBI's `Carnivore' Program'' by the
                Subcommittee on the Constitution, House Judiciary
                Committee},
  url        = {http://www.mattblaze.org/papers/openwiretap.html},
  bdsk-url-1 = {http://www.mattblaze.org/papers/openwiretap.html}
}
@article{bellovin.blaze.ea:risking,
  author     = {Steven M. Bellovin and Matt Blaze and Whitfield Diffie and
                Susan Landau and Peter G. Neumann and Jennifer Rexford},
  title      = {Risking Communications Security: Potential Hazards of the
                {``Protect America Act''}},
  journal    = {IEEE Security \& Privacy},
  volume     = {6},
  number     = {1},
  pages      = {24--33},
  month      = {January--February},
  year       = {2008},
  date       = {2008-01/2008-02},
  url        = {https://www.cs.columbia.edu/~smb/papers/j1lanFIN.pdf},
  bdsk-url-1 = {https://www.cs.columbia.edu/~smb/papers/j1lanFIN.pdf}
}
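% ACM is braced in the journal name, matching the journal field of
% bellovin.bradner.ea:as and keeping the acronym intact under any recasing.
@article{bellovin.blaze.ea:internal,
  author  = {Steven M. Bellovin and Matt Blaze and Whitfield Diffie and
             Susan Landau and Peter G. Neumann and Jennifer Rexford},
  title   = {Internal Surveillance, External Risks},
  journal = {Communications of the {ACM}},
  volume  = {50},
  number  = {12},
  month   = {December},
  year    = {2007}
}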
@misc{bellovin:submission,
  author     = {Steven M. Bellovin},
  title      = {Submission to the {Privacy and Civil Liberties Oversight
                Board}: Technical Issues Raised by the {Section} 215 and
                {Section} 702 Surveillance Programs},
  month      = {July},
  year       = {2013},
  url        = {https://www.cs.columbia.edu/~smb/papers/PCLOB-statement.pdf},
  bdsk-url-1 = {https://www.cs.columbia.edu/~smb/papers/PCLOB-statement.pdf}
}
@inproceedings{rekhter.resnick.ea:financial,
  author     = {Yakov Rekhter and Paul Resnick and Steven M. Bellovin},
  title      = {Financial Incentives for Route Aggregation and Efficient
                Address Utilization in the {Internet}},
  booktitle  = {Proceedings of Telecommunications Policy Research
                Conference},
  year       = {1997},
  url        = {https://www.cs.columbia.edu/~smb/papers/piara/index.html},
  bdsk-url-1 = {https://www.cs.columbia.edu/~smb/papers/piara/index.html}
}
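% ACM is braced in the journal name, matching the journal field of
% bellovin.bradner.ea:as and keeping the acronym intact under any recasing.
@article{blaze.bellovin:tapping,
  author     = {Matt Blaze and Steven M. Bellovin},
  title      = {Tapping on my Network Door},
  journal    = {Communications of the {ACM}},
  volume     = {43},
  number     = {10},
  month      = {October},
  year       = {2000},
  url        = {http://www.mattblaze.org/papers/carnivore-risks.html},
  bdsk-url-1 = {http://www.mattblaze.org/papers/carnivore-risks.html}
}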
@inproceedings{schneider.bellovin.ea:critical,
  author     = {Fred Schneider and Steven M. Bellovin and Alan Inouye},
  title      = {Critical Infrastructures You Can Trust: Where
                Telecommunications Fits},
  booktitle  = {Telecommunications Policy Research Conference},
  month      = {October},
  year       = {1998},
  url        = {https://www.cs.columbia.edu/~smb/papers/tprc.pdf},
  psurl      = {https://www.cs.columbia.edu/~smb/papers/tprc.ps},
  bdsk-url-1 = {https://www.cs.columbia.edu/~smb/papers/tprc.pdf}
}
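% ACM is braced in the journal name, matching the journal field of
% bellovin.bradner.ea:as and keeping the acronym intact under any recasing.
@article{bellovin.blaze.ea:real,
  author     = {Steven M. Bellovin and Matt Blaze and Susan Landau},
  title      = {The Real National-Security Needs for {VoIP}},
  journal    = {Communications of the {ACM}},
  volume     = {48},
  number     = {11},
  month      = {November},
  year       = {2005},
  note       = {``Inside RISKS'' column},
  url        = {https://www.cs.columbia.edu/~smb/papers/voip-calea.pdf},
  bdsk-url-1 = {https://www.cs.columbia.edu/~smb/papers/voip-calea.pdf}
}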
@article{bellovin:wiretapping,
  author       = {Steven M. Bellovin},
  title        = {Wiretapping the {Net}},
  journal      = {The Bridge},
  organization = {National Academy of Engineering},
  volume       = {20},
  number       = {2},
  issue        = {Summer},
  pages        = {21--26},
  month        = {Summer},
  year         = {2000},
  url          = {https://www.cs.columbia.edu/~smb/papers/bridge.pdf},
  psurl        = {https://www.cs.columbia.edu/~smb/papers/bridge.ps},
  bdsk-url-1   = {https://www.cs.columbia.edu/~smb/papers/bridge.pdf}
}
@article{bellovin.dutta.ea:privacy,
  author        = {Steven M. Bellovin and Preetam K. Dutta and
                   Nathan Reitinger},
  title         = {Privacy and Synthetic Datasets},
  journal       = {Stanford Technology Law Review},
  volume        = {22},
  number        = {1},
  pages         = {1--52},
  year          = {2019},
  lawcite       = {Steven M. Bellovin et al., \textbf{22 Stan. Tech. L. Rev.
                   1 (2019)}},
  url           = {https://law.stanford.edu/publications/privacy-and-synthetic-datasets/},
  date-modified = {2018-09-26 13:36:20 -0400},
  bdsk-url-1    = {https://law.stanford.edu/publications/privacy-and-synthetic-datasets/}
}