Duration: 00:57:00

Transcript:

0:00

Alright. Good afternoon, everyone. So welcome. It's really an honor to have my colleague at Berkeley, lecturer at Berkeley, School of Information Studies, and currently Director of Global Cyber Security Policy at Intel, Amit Elazari. So Amit's going to talk for 20, 25 minutes. Depends on how long her slides are, how exciting they are. And at the end, then, we'll obviously have time for questions and discussion. But we'll begin with that and we'll run for about an hour. So Amit, welcome to UCLA. Take it away.

Thank you so much.

0:35

Hi, everybody, how are you doing? I want to kind of understand who we have here in the room, show of hands, how many of you have legal education, in the law school, really have legal studies or something online? We have some hands, and then political science or social sciences and the live to national. Okay, wonderful. And more on the technical side, we have some of that, all of your hands. Wonderful. Great. So, with that into consideration, I do have a lot of legal content here, but I will try to make it high level because I see we have here a diverse crowd. And without further ado, I want to start with a direct question, because as you might have noticed, I'm Israeli. Let's get this out of the way. That's the accent that you're hearing. Proud Israeli, born and raised in Tel Aviv, and in true Israeli fashion, I want to start with a direct question. So I'm going to assume that no one here is familiar with you, Scott, but still I'm going to ask. Okay, well, let me tell you a little bit about him. This is Kevin Finisterre. He is a security researcher. And specifically this security researcher, this ethical hacker, likes to tinker with one specific form of transportation: drones. And in the process of his kind of tinkering and hacking, he discovered, according to the reports in the media, a vulnerability in one of the systems of DJI. DJI is a very known, respected drone manufacturer that produces consumer and otherwise drones. And he found a security vulnerability in one of their products, according to the reports in the media, and he wanted to report this vulnerability to the corporation so they can mitigate the vulnerability and issue a patch for the user, a fix, if you will. At the time, actually, DJI had launched something that is called a bug bounty program. So how many of you have heard about this term? Don't worry, we're going to talk about it. For those of you unfamiliar with this term, we're going to talk a little bit about it.
This is basically a concept that is really developing among not just Silicon Valley companies, but the entire technology sector. This is the idea that companies can actually collaborate with external hackers, with ethical hackers, with friendly hackers, security researchers, that are not part of the organization, that are not employed by the organization, but are rather out there, and they are testing the devices for potential security vulnerabilities, for potential issues that might leak information of users or whatnot. And they want to report these vulnerabilities to the organization so the organization can patch it. And actually the companies are offering money, bounties, yes, like in the wild, wild west, for each vulnerability, for each bug, that external researchers might propose and might kind of submit to the company. It is a way to invite the external ecosystem, and basically, if you will, use this autoimmune system of the internet for their benefit and for the benefit of society as a whole. So he wanted to report this vulnerability, but then the story got complicated, and according to the report, there were some kind of miscommunications or kind of disagreements about whether the vulnerability itself was in scope of the program or not. And then, according to the reports, in the course of the negotiations over this issue, a legal threat, a draft legal threat letter, was exchanged, mentioning one piece of legislation that you might have heard about. Show of hands: the computer crime and fraud, the Computer Fraud and Abuse Act.

4:24

We see a few hands. So this piece of law, acronym CFAA, is actually one of the main anti-hacking laws that we have here in the United States. Federal law, applies across the entire country. And it basically deals with the legality of activities like hacking and unauthorized access to computers. It was actually inspired, according to some of the accounts, by the movie WarGames, a very famous movie, if you've seen it, if you're not, available, I'm sure, on streaming, and it basically deals with issues of criminal and civil liability around hacking. So this kind of threat letter was exchanged. In the end he decided to not take it. In the beginning of the process, according to the report, they actually told him, this is a great vulnerability, here's $30,000 for it. They actually offered him a bounty, and it was thereafter, in the communications, that this threat letter, a draft threat letter, was exchanged. According to the reports, he decided to not take the money. By the way, according to his account, he ordered a Tesla because he just got a $30,000 bounty, and had to cancel his order of the Tesla. And if you go on this, you can see the snapshot of the invitation. I encourage you also to go on DJI's website and see their response to this, but basically he decided to walk away and then publish the story. And really the key takeaway of this is, you know, as we think about issues around security, security policy, which is what I'm going to guide you through here, there are so many things we can talk about, right? There is innovation, there is partnership, there is growing regulation. Security is really top of mind of everybody, not just, you know, corporations and industry, but also regulators. One of the most interesting things that I think about is how can we harness this power of the external security community, the ethical hacker community, and how the issues between that and the current legal landscape and the policy landscape are kind of interacting.
So this is a very narrow field of the security landscape. But I do think it's not only important, it's going along headlines, and it's critical if we are to continue in this, you know, evolution of the connected world, a world where there is a lot of, basically, collaboration needed to address some of the threats that we see in the landscape. And I want to make sure that you are properly, you know, getting the disclaimer, because you will see a little bit of fine print and legal landscape and legal concepts here. So here's a little legal disclaimer of my own. I have a doctoral degree from UC Berkeley. I'm trained as an attorney, I practiced in Israel. And I do love the law. I do. I'm not trained here. So while I am a lawyer, I'm not your lawyer. I'm not offering legal advice. And in this presentation, I'm going to be speaking a lot about my work and my own opinions. So I moved from sunny Tel Aviv to UC Berkeley around three years ago, did a lot of work on the intersection between intellectual property concepts, okay, so this is not property like tangibles, like the house, but rather concepts of copyrights, patents, trademarks, if you're familiar, but also issues in security and privacy law and computer crime law, and how all these issues interact with contracts, right? "I accept" terms, like end user licenses, all those things that we see online every day. And we click, right, "I accept," or we browse through, and they are so influential in our day to day life and include very important legal concepts. So that was my whole area of research. And ever since then, I've been doing a lot of talks, and really presenting my research out there, too, because I think, you know, that type of dialogue between, basically, technologists and legal experts and people that do policy is critical.
So I'm really excited that we have such a diverse audience here in the crowd with us today, because this is the type of dialogue that is facilitated by the Center that we should be thinking about. We cannot continue to think about those issues in silos, or independently, just, you know, just lawyers or just engineers. We have to get everybody in the room and think about the issues together.

8:32

So there are a lot of acronyms here. I think, you know, with what we're seeing with connectivity, we are seeing definitely a rise of proposed regulations, of proposed policies, in the area of security and privacy. So maybe some of you heard about CCPA, the California privacy law, a privacy law that is coming to consumers right here in California starting January 2020. In fact, open your mailbox, I'm sure already you're probably seeing notifications from some of your favorite ad providers, maybe explaining to you the implication of this law that is coming here in California. This is just one example of kind of the issue that we're seeing in the regulatory landscape: the issue of equipping users with rights about their data, no longer just focusing on issues of data breach or whatnot, but actually what rights individuals have in their own data. This is an issue which is top of my own mind. And you know, with the great connectivity and all the great things we can do with data, with innovation, with technology, with delivery ization of data, these are the kind of issues that are top of mind as you think about this landscape. And I'm just going to guide you through two concepts, three concepts, that I think, you know, we should think about. Because there is so much to talk about when you think about CCPA and GDPR and everything that we see around. But I think one of the biggest trends is that we move from a concept in which information security is not just about a breach of vulnerability, a technical issue of security, but rather a broader concept of misuse, right? Because security is no longer just about the technical issues. It's about how, basically, everything in our environment, in our society, is working. So we are thinking about issues like data misuse, right, more broadly, manipulation and whatnot.
So one thing that we're seeing is basically the movement away from this concept of, you know, confidentiality, whatnot, or the entire integrity of the data, but thinking more broadly about issues of misuse, of how the information is being handled. And this, of course, we like today's show of privacy. So it's been, you know, we had in the past a lot of conversations about what kind of damages arise, what are data harms. Today we are seeing regulators talking a lot about issues like data rights. Okay, moving away from concepts of concerns or whatnot, and investigation, we see a lot of regulatory concepts like what kind of rights individuals have in their data, like the right to delete, the right to port their information. All these concepts, all these expansions, are something that we're seeing in the regulatory landscape, and we need to think about things like harmonization, right, as we are addressing those issues. Another thing that we're seeing is that the regulators are becoming very technical and very tech savvy. So the Federal Trade Commission, maybe some of you heard about this organization, the main consumer protection organization here in the United States, a regulator operating in multiple areas, from articles to privacy and whatnot. And again, the FTC has done a lot of work in the area of security. And what's interesting is that if you look at some of the settlements that they brought against companies, and this is just one example from Uber, they really go into the technical weeds. They have very detailed settlements. And they have technical experts, they have a whole division of engineers that are working together with the lawyers, and they go into the weeds.
So this is just one example, in an issue that addressed some very sophisticated concepts of authentication, not even in Uber's own environment, but rather how the cloud the engineers were using for the work was accessed, whether there was multi-factor authentication, what were the authentication kind of guard rails on the cloud service. For those of you who are not familiar with multi-factor authentication, here's my one recommendation for you today in the room, so just to make sure you get really practical information: go ahead and enable two factor authentication, at least multi-factor authentication, on the devices, on the services you're using. So you, for example, get a text, or if you can obtain a YubiKey, or even a more sophisticated form of multi-factor authentication. When you sign on to things, you make sure that beyond your password, which is much more complication, there is another one, right? That's a two factor, that's the multi. And that is something that is very helpful beyond just not recycling passwords, and beyond, of course, the good practice of using a password manager. So, a side trail to this presentation, but very important practical advice.

13:20

And, you know, the FTC work and everything we're seeing in the regulatory landscape really kind of intersects with this important concept of what are reasonable security practices. Now, what is reasonable, right? Very good question from the engineers in the room. They might tell me, well, I mean, reasonable is a very vague concept. That is right. One of the key concepts of security policy, security and basically technology policy, is, as we think about technology, which is often, you know, moving along at a very rapid pace, and innovation that keeps driving the sport, they're moving fast, often faster than the law can keep up. So often in those landscapes, from a legal, from a policy perspective, you will see standards, you will see performance or result, outcome based requirements, as opposed to design specific requirements that are basically baking into the law a specific technology, specific technical concepts that might become outdated. So today, you know, we are thinking about passwords. There might be a world out there in which, you know, it will be a zero user touch experience. You will not have passwords anymore. Authentication would be done, you know, with the keys embedded in the hardware. And these are the kind of innovations that we've already been working on. This idea of the reasonable security practice continues to evolve. And I think one of the big takeaways for this audience is just understanding this issue between, you know, how do we do regulation, or how do we do policy. Now, let's get into the box so quickly that we know that we need something flexible. So one way to do it is to use the concept of reasonable, as reasonable has changed with time. That is why this concept of reasonable security policy, which is something you can find in the GDPR, in the FCC, in many state laws, in many other relationships, privacy regulation, is one of the key policies in this legal landscape. Now, I want to take a second to really

15:23

introduce to you this concept of bug bounties, because I do feel it's interesting, and I think one of the things that we are seeing is that among the security community, and there is some, several, evidence that the truth, but let me just share with you, we know there was a culture of legal risks. We know the security researchers in surveys that were done with them, for example, one survey that addressed more than 400 researchers, 60%, six zero, explained that when they think about sharing a vulnerability, okay, after they already found it, they did the testing, they found it, but they are now sitting on a report that has a vulnerability in it that the corporation can remediate and help end users with, they have already found it, and they are thinking about communicating this and doing what we call responsible disclosure, sorry, coordinated disclosure of vulnerabilities, when they are thinking about doing it, 60% of them in that survey said that legal risk is something that is on their mind, and whether they're going to share that or not depends on whether they think there might be legal risk associated with basically giving this piece of evidence, under the applicable computer crime law, to the organization. So we know this is on their mind. This is one of the reasons why I specifically have researched this area of the interaction between security researchers and hackers and friendly hackers and the computer crime law, because it's an issue we need to solve or address in order to build bridges. And this interacts with this concept of bug bounties. So as I said, bug bounties are not just, you know, done by the Pentagon and the Army and the Air Force, but also by your local coffee shop, Starbucks, and also by financial institutions. It is a very popular way to invite external researchers to submit vulnerabilities and get paid. Intel has a vibrant bug bounty program, happy to report that as well.
And I think one of the most interesting things is that these kind of programs allow individuals like Jack Cable here, who is, I think, right now maybe 19 or 20, he's a good friend. He's at Stanford -- sorry to bring Stanford into the discussion -- I know this is UCLA, and as a UC Berkeley employee and grad I know this is, you know, a tough issue. But he's in Stanford, he helps Stanford with their bug bounty. This guy, really a good friend and a good hacker, at the age of 17, already was able to, right out of high school, go literally to the Pentagon, something that I personally haven't done. And this is after he was invited to participate in this program by the Pentagon, where they invited external researchers from all over to hack their system. And he shared that basically this experience, this idea of the bug bounty programs, is great not just because you get the recognition. And look at all the challenge coins that Jack -- by the way, I have one of them to show you here -- these kind of challenge coins have a high value of reputation. It's not the monetary value, it's the fact that they're reserved only to the top hackers. But he said the programs give you, and Jack here has, you know, a handful of them, from various, from the Air Force and whatnot. And he explains it's not just the recognition, it's the fact that I can work with a company, and I don't need to hide it. Okay, so again, talking about these issues of the legal risk. And as I said, one of the greatest advantages of these programs, that, you know, should be done carefully, and, you know, there is a lot of nuance, and equipment, disadvantages, but the main point is, you know, if done well, they can provide a lot of value, and one of the values is HR recruiting. And that's how the Pentagon got Jack here, directly out of high school, to enter there. So isn't that exciting? So I think I'm going to use, let's use this to explain this a little bit.

19:27

So what is the big deal with the issue of anti-hacking laws, and how do they interact? And this is just a little bit in the weeds, but I'm going to give you the overview

19:52

as the hacking laws, the federal anti-hacking laws in the United States, but more generally, often rely on this concept of authorization, of consent. Now, this is a big concept, right, in law: contracts, you know, a vehicle to consent, Terms of Use, your acceptance, cell phone contract, a vehicle to consent, right. Also in the area of anti-hacking laws, the question of whether the hacking, the testing, the security testing of the specific device, could have legal implications often interacts with this notion of authorization, whether there was authorization and whether authorization was exceeded. How do we do authorization? Is it where you have a firewall, or do I put a technical barrier, right? Or is it, you know, I tell you not to use my computer, not to use my password, is it a contract? All those issues are issues that are one of the key questions as we think about the Computer Fraud and Abuse Act. And those are issues that we still have some legal ambiguity around, academically speaking, here in the United States. So there is like a circuit split, where some states, in some circuits, in some places in the States, there was one interpretation, and in the other, there is a different one. They touch upon key issues like the legality of scraping, scraping information from the internet, and the relationship between employees and companies, and how employees potentially violate the company's computer usage policies and things along those lines. So I do want to wrap it up quite fast and get to questions. So I'm just going to tell you a little bit about my own research, what I did here, and why I think it's interesting, and we can, you know, skip to questions. A lot of my work, the work that I did at Berkeley and also the work I continue now at Intel, is also very focused on how we can collaborate with the external researcher ecosystem better. How can we really invest in that relationship, because that ecosystem is very important to us.
And I think it's very important to a lot of organizations. When I first looked into these issues, one of the things that I've seen is that we have a lot of bug bounty contracts. So again, those programs that I spoke about, where a company invites some of these submissions, there is a weapon, usually there are their terms or policies: this is what you can test, this is what we want you to report, this is how much we will pay, right, we retain full discretion, but this is setting expectations about Damon. And those kinds of contracts really were very different between companies. So when I did my research and I looked at 300, 400 of these contracts, because no one here maybe is reading the stuff, the likes of contracts, but I really enjoyed them, wrote my whole dissertation on them. So when I read them, I found that we don't have like one approach. Now, I am sure that some of you are familiar with open source contracts, right, open source licenses, maybe even Creative Commons, and maybe sometimes copyright licenses. We have an idea, which is that we want to strive to harmonization, which is, by the way, another key policy principle as we do security policy. To avoid recommendations, we can use one language of contracts. So a lot of my work was to get all the industry to use one language, very similar to open source licenses or Creative Commons. So I created a GitHub project with some language. I created this initiative called Disclose IO, together with Bugcrowd, which is a bug bounty platform. And really, the idea is we're going to have one contract, you're going to take it to your lawyer, because this is not legal advice, but this is how we strive to harmonize this landscape. And one of the issues that I tried to address in that language is this issue of how can we create protections, safe harbors, for friendly hackers that are following the policy and are basically following the rules?
How can we create those pathways of collaboration which are so important for us? And one of the most amazing things that happened, I work with companies like Dropbox and Salesforce and many others, I also was lucky enough to propose to Tesla that they should change something in the terms, and it took a few months, and they actually did it. And not only did they change their terms to include the protection from anti-hacking laws, they also said that if you are a pre-approved external hacker who happens to own a Tesla, and you pre-approve yourself, you say to the program, I want to test this Tesla and I want to participate in your bug bounty.

24:36

And guess what, something goes wrong. Because there are accidents, a term that I learned cocaine users with an age, because when you do hacking, not everything is so clean, you know, and works according to the plan. In fact, the whole idea is to be creative, right, and go out of the box, right? If something goes wrong, they will fix the Tesla for free. So in the usual warranty, you have limitations on what you can do in security testing, right? That they basically waive for the purpose of the bug bounty, recognizing that Teslas are pretty expensive. And if you want to work with the external ecosystem on those types of expensive products, this is one way you can do it. Tesla gave me a challenge coin, one of 20 in the world, for that work, not because I hacked a Tesla myself, by the way, or anyone else's Tesla, because of that work. All of this to suggest, you know, this is the language we should be, you know, continuing to think about. This interesting story, DJI, remember I talked about them in the beginning, they also changed their language, they also added protections into their bug bounty. And this is an issue we are continuing to work on as the concept of bug bounty is expanding from security to data generally. So in fact, you know, I'm going to wrap it up, but I'm just going to share with you, I have two bounties of my own. This is my work from Berkeley. 5k from Google, 10k from Facebook, not just for me, it was co-authored with my hacker friends from XZ, which is the Berkeley security, one of the Berkeley security testing kind of computer science lab experts. And one of the bounties was a data use bounty, was a privacy issue, violation of children's privacy on Facebook, and Facebook gave us money for each developer they kicked out of the platform because we reported potential violations of COPPA. So the next, you know, generation of issues is really about collaboration and increasing collaboration.
And I think, you know, this is going to be even more important as we think about all the regulatory initiatives and concepts that we have in the area of IoT security, Internet of Things security, which is an area which is definitely top of mind. There are a lot of things going around, I can go for hours talking about them. But I will just bring one to your attention because it's very local. California has a specific law on IoT security taking effect in January 2020, by the way, Oregon as well. And it's going to address issues of reasonable security practices in connected devices, in IoT devices as defined in the law, and specifically has unique language about the issue of, if there is authentication, means what type of unique passwords, unique, the passwords are not default passwords that are used in one device and also in others, how that should be addressed, given a lot of issues around botnets and attacks that are utilizing an army of IoT devices that are excellent devoted attackers, because they're using the same password over and over again. For example, one-one-one, right, again and again and again. So if you heard about those botnets, if you heard about those issues in the news, or attack secondly, right, we have seen in the last few years, these are all connected to some of the issues we're seeing now in security, where we also have a lot of opportunity for innovation. So let me wrap it up. We haven't, you know, we're not able to go through everything. But still, we had an important conversation. And I think the bottom line is we have a great opportunity to foster innovation that really brings, you know, trust to the core, to the foundational level. It's a technological opportunity as well. It's a collaboration opportunity. And, you know, it's exciting. And with that, you know, please let's continue the conversation, I'm going to be here, excited for Kal's questions, excited for all of your questions.
If you want to follow me on Twitter, here's my contact, and thanks for listening.

28:42

Okay, so we have about 30 minutes for discussion. So I'm just going to start off with a couple of questions, and then we'll open it up to the audience, and then we'll wrap a little bit after one. So thank you so much for coming out, internet interesting layout. So I thought there's a lot of policy tech. I'm not a technology person. So maybe we'll, I know there are actually quite a few university technology people in the room, we'll get into that. But just on a policy level, I guess I thought I'd start: you made a very strong case for bug bounties as being a great thing. So I want to ask you a couple things. So one, who doesn't do bug bounties, either in the Valley, or let's say in China, and why don't they do it?

29:23

You know, it's an interesting question. Usually I go much into the weeds into things like the DOJ framework for quantum vulnerability disclosure that outlines some of the considerations for how you do bug bounties. And the point of that is that it's not an easy thing to do. It's an area which is evolving. There are a lot of, you know, best practices out there. There are a lot of international standards, there's a lot of expertise that is developing in industry, it requires resources on your back end, there is a reason why it's, you know, often done by big corporations. So I don't want to, you know, make the case to, I want to make it clear that there are considerations, and among others, there are legal considerations. So, you know, even doing something like a safe harbor, where you provide the authorization, requires due diligence to third party rights, understanding what you have in your system, because if you're going to allow external hackers to test it, and you're going to tell them this is authorized, do you have permissions from everybody in your stack to do that? So that's one of the issues that they outlined in the DOJ framework. And this is just one example of a legal concept. We have seen things like the Linda and indictment. So there is actually one CFAA indictment over an issue that relates to a bug bounty. And according to the reports, it's reported, I believe, in TechCrunch, and you can see what the media says around it, but the indictment is, you know, you can read it, it's available, and it just shows some of the complexities that can occur. I mean, what we're seeing now is, you know, Batman TV liquid web application. That's, you know, where it started, with a very significant crowd of expertise.
There is growth in areas where embedded hardware, for example, what we're doing, IoT, Internet of Things, crypto, very, there is a lot of growth in cryptocurrency in bug bounties, by the way. And we're definitely seeing, you know, even government agencies looking into that as well. I think the key issue, even before bug bounty, is another concept, which is vulnerability disclosure programs. And this is really simple. This is the idea. Well, doing that is not simple, there are standards about that, you need expertise. But I'm saying this is simpler than bug bounty in the sense that you're not paying for vulnerabilities. You're simply putting a point of contact and a set of expectations, a policy, and asking that if people encounter vulnerabilities, they know where to report it. So if you saw things like a security@ email, that is perhaps the simplest form of a vulnerability disclosure program. So now we're seeing companies, they have the VDP. We know that, you know, at least in two cases, the FTC, together with many other things around Section 5, you're not alone, together with many other things, has suggested in a settlement that having that kind of process to receive vulnerabilities is important, and not having that could be unreasonable under the law. So that is interesting. I think we're seeing the range of it. You know, we're seeing a lot of private bug bounties, which are invite only, only for a couple of hackers. And I think this is really what we call in the industry the crawl, walk, run approach: that you start small and expand. I think, you know, there are a lot of organizations that are still hesitant, for legal reasons, for other reasons, to do it. And maybe it's not the right stage for them to do it. You know, as I said, it can produce a lot of value, out of the box value, which is not just the vulnerabilities themselves.
But there is a lot of work that goes into doing that properly, and all the resources that go into doing it properly. My main key message to this audience, and why I talked about it, is because I think it's an amazing story about how we can open ourselves to the friendly hacker community and adopt that mindset, and why we need that mindset, even if we have the best hackers in the world emails.

33:13

Are there major companies that operate in Silicon Valley that have decided not to? So you kind of gave some reasons why they wouldn't. Yeah, you know, I'm trying to think what, have any that we would think of as a top line firm have said...

33:48

I'm trying to think of specific companies that I'm aware of or are aware of that don't have it. I think one of the, you know, one of the issues that is less familiar to everybody is the fact that even if the company doesn't have a public website, a public bug bounty, they might have a private account, which is invite only. And in fact, that is the absolute majority of the market. So the majority of the market of the bug bounty programs is not public. In fact, it is private. And if you look at the platforms, HackerOne, back when they report, you would see there are many companies that have private bug bounties. So I think one example of a private bug bounty which is very, you know, is known, there are publicly private ones, is Salesforce. And they have a private bug bounty, which is really, you know, publicly known to be really good and great and even big. I don't know the numbers. And I think it's public. So I would be cautious about naming someone, because that's the big segment of the market, just to show you how much of creative solutions there are in this market and yet how complex it is, and how much expertise is needed to do it right.

34:33

So we'll open up in a second, just pivot to China. So we have more and more Chinese companies operating at a very high level. You know, TikTok's maybe the most well known example right now, but lots of others. Is there anything like this in either China or

34:49

Europe?

34:50

Yeah, so in Europe, it is definitely becoming, you know, popular there. There are bounty platforms like, I believe, Bug Bounty Factory and others. In fact, the Swedish, the Dutch community there, they're really, they're tremendous, you know, hackers there. If you look over on the US, each and every, you know, you can go on Twitter and look at the live hacking event and look on the dashboard, you will often see Twin City teams, Sweden, winning the competition, just because of the amount of really exceptional hackers that are bug bounty hunters that are there. So it's very popular in Europe. In fact, the EU, I think they had

35:30

a public bid for open source coming from

35:34

from the Commission on this issue. China, you know, last DEFCON, like I went to DEFCON, Tencent was there with a very big presence in DEFCON. DEFCON is the biggest hacker convention in the world, right? It's in Vegas, I think, I don't know, maybe 70,000 hackers go there. I go there, they're really amazing, and Tencent was there inviting, inviting everybody, you know, to parties. I think it was the, I'm not sure, I think I first am. I personally saw them on the ground there. But DEFCON is also coming to China. So there are definitely Chinese companies that are doing bug bounties. But, you know, we also know that the Chinese have proposed a regulation on vulnerability, coordinated vulnerability disclosure, and New America, which is, they have a translation of that proposed regulation. So, you know, the main takeaway is technology is international, right. We live in an age where everything is intertwined, data, the process, the process of multi-party coordinated vulnerability disclosure and coordinated vulnerability disclosure, especially in complex environments. This is crossing borders, technologies crossing borders. That's why we have international standards on this. That's why the community, the international community, went together, and, you know, with great leadership, sat together and thought about what are the best technical concepts. And that's why we need harmonization in that landscape. But I do feel, I do think that, you know, I've definitely seen some papers from ENISA talking about best practices in the area of vulnerability disclosure. The UK code of practice that I haven't shown here suggested that vulnerability disclosure policy is one of the issues that they want to see in IoT security. So definitely, this is a global issue. We need to harmonize and we need to think about the global nature of technology.

37:24

Great, thank you. Okay, so let's start. I always like to invite students in the room first. First question.

37:33

Well, so

38:53

So recently there is, I guess, so you made an announcement on how, I think, the FTC made this

39:21

agreement that fined YouTube. Yeah. A lot of money for

39:53

children. Yes. COPPA. Yeah.

39:55

Yeah. I'm just wondering, so this is a type of, like, cyber security policy, and I'm wondering if there's, like, a line, like personally where you would draw a line between whether this type of protection can, like, hinder this, like, because YouTube is a huge business, right. And then when YouTube tries to respond to this, I guess, protections policy, they have to, like, I guess it holds the market a lot. So I'm just wondering where's the line between protection and how it potentially hinders business growth. Like, you guys know, yes. Like, do you think policymakers should consider this? We were just put this because, after all, it's children's privacy, I guess, data.

39:48

As an

39:50

engineer's perspective, I feel like data is something that everybody uses. It's not like an open, it's like an open secret at this point. Everybody uses their data and then, like, Facebook or whatnot, they just kind of, not even abuse this, they just use it a lot. And I'm just wondering if they

39:08

if this type of Protection Policy

39:43

Yeah, like I said to people, like, a wink over there making the seven policy, but yes, sir.

40:19

I absolutely hope so. So COPPA is a personal favorite of mine because my... Why don't you define that? Yeah. So this is the Children's Online Privacy Protection Act. So this is the main, so in the United States, maybe you know, in some difference to GDPR in Europe, there are some specific laws for specific areas of increased protections of certain types of populations or data. So HIPAA, for example, governs health data, specific goals that we have rules in the financial sector. And COPPA is specific to children's data, information, and children are defined as under 13. And it's a federal law. It's enforced by the FTC. It's also enforced by Attorneys General in states. And my prior research was very, my bounties are focused on COPPA, and my prior work was on COPPA, on looking at Android apps on the Google Play Store, so mostly games, and what do app developers do with information and what do they collect? And I will give you one interesting reference in a second. I think, you know, this is a critical issue. As I said, there is an opportunity for innovation, the solutions are not just going to be policy, regulatory, they're also going to be technical, privacy by design, privacy enhancing technologies, right. And innovation is important. It's important for society. And as you said, there is so much good that comes with data. So I think, you know, not hindering innovation is definitely something that is top of mind when regulators operate in this field. That's why we have concepts like consensus based standards. That's why we strive to use, you know, concepts that basically are developed by experts, by industry as well, by technical experts. As we think about those, you know, how we regulate the space, with that it is important to have the appropriate guardrails to ensure there are no unintended consequences. So it's a balance, and I think this balance is something that is constantly evolving.
It's constantly moving. That's the beauty of the law. Maybe that's why we are in this business. I definitely like it because of that, but it's that type of balancing act, how do we get it right? That's constantly changing, but there is a balance in innovation and flexibility and not sticking, you know, not regulating, not baking in something that might change, leaving room for that technical, technological innovation. That is critical, because some of the solutions are going to come from the technology itself. But we also need to bring solutions to the table. And we also need to address the unintended consequences. So I think, you know, the FTC is doing a great job in, you know, I'm speaking generally and not specifically on YouTube, but definitely as the regulators in this area, they, and you know, generally speaking, they're doing, you know, a great job in the area of these sets of issues, and, you know, at least Intel has the federal proposed privacy bill that is suggesting that, you know, we should do privacy on the federal level and avoid fragmentation and then also equip the FTC with more resources. And again, I'm not specifically talking about that settlement because I don't know that settlement as well. My work on COPPA was referenced in a different document, not by the FTC, but I think by the Attorney General of New Mexico, so a different regulator.

43:12

Okay, Other questions?

43:13

Yes. Also, with regards to counter policy, I always found that the law's been relatively close to me, and I kind of feel, as this has ended with technological policy mentoring, that lawmakers adopt a very analytical view of the world which they then apply to the internet, which in many cases I find does not really work. Do you feel that there is a certain lack of technical, philosophical understanding on the policymaking side?

43:40

Yeah, I certainly think there is. I mean, I come from that discipline, law and philosophy, at Berkeley. And just to make, to be clear, when I reference my prior work, my work on COPPA is prior work that I've done in Berkeley before Intel,

43:54

absolutely, and I will just give you one example.

44:05

What is privacy? The notion of privacy, there are different approaches to it. The European conception of it is more based on

44:10

rights, personhood. You know, the US, you know, I would say a consent model that is mostly harm based. That's just one example. I am not the philosophical expert on that actually, I did all my work on intellectual property, and law and philosophy. I think, you know, the Constitution embodies an understanding of intellectual property which is utilitarian, that, you know, we can have a whole debate on that, but this is just one example. So, you know, there are so many, you know, conceptions of law and philosophy around technology. And some of it goes all the way to, you can find it in Supreme Court decisions, you can find it in a meetup, so you can find it, you know, in legislative history language explaining the conceptualization of the law, and very much the cultural differences are driving different approaches to core issues of technology law around the world. Privacy's just one very prominent example. We can talk about others. But I do think there is, but there is, you know, as a former academic, I will always say that we're still academics, there is always room for more. So I encourage you, if you're interested in that area, there is a lot going on around technology and philosophy, and there is a lot of room to write on it. And some of the writing is not even legal. It comes from the great experts that are doing all sorts of technical work. There are people like Helen, this is a great example. So these are people that come from the technical discipline, but are writing on, you know, how do we do values in design. Deirdre Mulligan, others, you know, Deirdre is a legal scholar, but she collaborates a lot with Fred Schneider or other scholars that are coming from the technical side. So this is just to say, yes, and here are a few examples. But, you know, we can always strive for more. Right.

46:14

I would just add that I think not only do lawmakers have very little understanding, we've seen this in Senate and House hearings, almost no understanding of technology whatsoever, but I think law schools actually don't do a very good job. Here at UCLA, we do not have a lot of people who teach courses that really are law and tech now. We have somebody coming in this year. We're just going to start doing that more. But we don't do a great job in privacy law. There's a whole petition going around right now around law schools saying, we need to, law school deans, we need to make privacy law a big part of what law schools do in the 21st century. And there are very few privacy law courses offered at the leading American law schools. So the whole thrust of that is not really focused on these kinds of issues.

46:56

Well, maybe

46:58

because of Berkeley,

46:59

Berkeley is probably the place that does the best on that. And so there's a weakness. All right. Other questions?

47:07

Yes.

47:12

more technology, and spinning off with a lot of

47:18

other underlying issues underpinning theoretical rationales of the EU and US frameworks in comparison, in relation to data privacy, where we indeed see a more philosophical rationale in the EU, folks in the rights based program, where Americans see data as a commodity, and therefore spurring innovation. When you kind of look at a more underpinning basis of these rationales, you can see that competition was the huge kind of hindrance to the growth of similar corporations like Amazon, Google, Facebook and Apple. And that's the antitrust ratings in the US, and aspersions kind of companies to grow. In that respect, it goes beyond the philosophical approach of how these respective pieces of the world view privacy, and that in order to get to a framework that harmonizes what we were talking about, data privacy approach, we should first look at these underlying problems that are hindering the harmonized price.

48:20

Good question. And you just touched upon, you know, some of the areas, again, speaking academically, I think certainly the cultural perceptions around those issues that are localized, that come from, you know, either China, you know, even I'm Israeli, Israel does those things sometimes differently. Those, and as you said, those underlying cultural perceptions, the norms, even things like your legal systems, right, even, you know, we have civil law systems, we have common law systems, these are not the same. We have mixed jurisdictions where they have a combination of both. All that is affecting, I think, and touching upon our need to harmonize, and just the nature of technology is intertwined, is really needed, meaning, you know, requiring that level of harmonization. We're seeing a lot of great work done through standards, technical standards, international standards, ISO, and the like, and private public collaborations, internationally, consortiums and the like. We're seeing great collaborations there. But you're also seeing a lot of, you know, work driven by things like the WTO, right, and international law norms around trade or whatnot. I think, you know, yes, it exists, and it's related to the cultural norms and the underlying things that are different in the legal systems. And this will continue to be kind of an issue and a challenge that we need to address. Do I have the perfect solution personally? No, it's actually not also my core area of the law. I mostly am more focused on, you know, technology law per se. But there is great scholarship on things like policy diffusion, and how do we do that? And how should we do that? And I think there's great work also done by, for example, Schwartz, and others, on specifically how should we think about it in privacy? I'm just not the expert.
But I think, in terms of what you're articulating, academically, you're right that there is a connection between the fragmentation that we're seeing and just the backbone of the culture and the norms. It's just the nature of law as a social construct that is stemming from those deep, you know, cultural.

50:39

Yes.

50:41

Thank you for the great talk. I'm actually not annoyed by the GDPR. Oops, because I'm annoyed for the United States. We don't have

50:54

the bare minimum rights that the EU has.

50:57

They're coming here in California.

50:59

Well, it's still only a fraction of what

51:03

I would say the United States and the principles here actually are very pro civil rights and human rights. And part of that is to be able to have some personal space where the tech companies can't make you the product without your consent. So I have a very technical question for you, given that email is clear text, meaning unless you send an encrypted email, anything you send in an email can get captured. What do you think is going to happen with regards to data breaches that involve companies sending your data in an email, in clear text, without encrypting it?

51:57

I mean, as a general matter, you know, data breach laws.

52:02

Fifth Level, I want to say,

52:05

almost all states, but not federal, and the type of information that is covered under each and every data breach law is slightly different. I think, you know, this is an issue that is already very relevant. It's not when it's going to happen. I think, you know, those data breach laws are applicable in most jurisdictions, in most states in the United States. And there are rules in place with respect to, you know, what has been encrypted, what should not, what are the protections. I'm not an expert in data breach law. And I'm not even licensed in the United States, as I said before, but I think, you know, this is not a theoretical question. It's right now, these are principles that are applying right now. You know, and emails are just one form of information that could be obtained in a data breach, but then information about individuals could be obtained in a data breach from an open S3 bucket on Amazon, which is very, I guess, you know, some of the things that we have heard about. So it's not, definitely, you know, this area of data breach, what is defined information and what are the ways, you know, some of the ways to get it, it's constantly evolving. There are laws already in place. We have seen multiple legal implications, from everything from class actions to FTC, to state attorney general settlements, to, you know, already in Europe, we are starting to see GDPR enforcement. So it really depends on the piece of legislation and what you have there, and basically, per the law, the lawyers do the analysis and decide what type of technical protections the company needs to have in place. And it could be encryption, it could be, you know, minimization of collection of information, it could be various things, according to the applicable legislation. So, very broadly, a very good question that requires a very specific legal response, according to the technology and what you're connecting and which section, and, you know,

54:11

hire a lawyer.

54:15

Okay, so we have time for maybe just a quick question and quick answer.

54:22

Yeah, go ahead. I'll try to make it.

54:22

So you talked about how companies are going into their rights,

54:26

individuals want more control regulation,

54:28

going into a job. Yeah.

54:31

But at the same time, a lot of companies are still being hit with major breaches.

54:35

Capital One recently was a big one and Marriott

54:38

very recently as well.

54:39

So are the policies or the regulation going to change with regards to what companies and firms need to do in order to safeguard this information?

54:50

So these are, again, so both Marriott and, I haven't seen what's the result of the Capital One. I don't know what the class action, what's the actual, you know, legal claims. But, you know, those again, data breach laws, almost all states, very ordinary, and which federal harmonization would be great. In my personal, humble opinion,

55:16

Is that also an Intel position?

55:18

Well, we have a position definitely on the issue of the federal, we have a proposed federal privacy, Intel has a federal privacy bill that, you know, also talks about the issues of individuals and protecting the rights of individuals. It's public, I encourage you to go out there and look at it, look at the provisions. It talks about the need to avoid, you know, state by state fragmentation in the United States and have those protections at the federal level. So that is in that capacity, and I would say harmonization in general on those issues of privacy is important. And I would, to your question, I think, you know, yeah, the regulatory landscape is changing. Also a lot is changing on the, you know, the private side. So we're seeing more class actions, we're seeing more, you know, more cases, we're going to learn from all the case law. You know, as I said, the FTC is becoming more sophisticated, there are already more than 50 cases on security and privacy, I think, alone, you know, the settlements are very kind of, you know, all that is continuing to evolve. I think, you know, one of the issues which is always kind of top of mind, speaking academically, is how do we do it right. How do we do it in a harmless way, and how do we equip the right regulators that are really best suited to the job with the right resources to do enforcement. So for example, in the federal bill, we talk about the FTC and equipping them with, or, you know, Intel talks about the FTC and equipping them with more resources. Is it gonna change? Hell yeah.

56:56

Okay, thank you so much for coming out.

Transcribed by https://otter.ai