Amie Stepanovich


Amie Stepanovich is legal counsel at EPIC. Her work includes issues of national security, government surveillance, digital security, and open government. Ms. Stepanovich is the moderator for #PrivChat, a weekly Twitter-based privacy discussion, and she regularly assists with EPIC's Internet and social media web presence. She often speaks publicly on privacy issues at conferences and in the media, and has given many educational lectures to students in high school, college, and law school. 

Prior to joining EPIC, Ms. Stepanovich graduated from New York Law School, where she pursued studies in media law, technology, and the First Amendment. She holds a Bachelor of Science degree, magna cum laude, in advertising from Florida State University. Ms. Stepanovich is the former editor-in-chief of the New York Law School Media Law & Policy journal and, during law school, was active in issues involving women's rights and civil liberties. While in law school, she completed internships with the Legal Aid Society and the Media Law Resource Center, and was a clerk at T-Systems North America, Inc. Ms. Stepanovich is a member of the New York bar and a former EPIC IPIOP Clerk.

Text of the speech presented by Ms. Amie Stepanovich on 15 November 2011 to the General Assembly of the Atlantic Treaty Association in Tirana, Albania.

~Introduction and greetings~

EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC is also the civil society liaison for the OECD and maintains the Public Voice project, which, through international conferences and reports, promotes public participation in decisions concerning the future of the Internet.

As the token civil society representative on this panel, I want to start with one simple, and perhaps unexpected, observation: cybersecurity is important. More than important: it is absolutely vital for us to protect our networks and databases from those who would wrongly access them to cause harm. Yes, cybersecurity is a very good idea. It should not shock anyone to hear me say that, but it undoubtedly will. Just last week a reporter asked me how it was possible to balance the interests of civil liberties and robust security. But these are not interests to be balanced; they are tools to be used to complement, strengthen, and reinforce one another.

The Internet is, at its very essence, a multi-stakeholder medium. We are all invested in the future of the Internet and its security because we are all users. The global nature of the Internet dictates that there is no one easy solution for the threats to cybersecurity. It is important to address cybersecurity threats because all users have much to gain and a lot to lose. If we all work together and coordinate our efforts, we may be able to preserve our rights on the Internet as we work to eliminate cybersecurity threats.

Civil society believes that cybersecurity efforts should not and do not require the forfeiture of individual rights and liberties. Governments and companies often use the auspices of cybersecurity to collect, retain, and share large amounts of sensitive and personal information. However, these practices often place that information at its highest risk of being compromised. Blanket authority to distribute information between numerous sources, without mechanisms to protect privacy and provide for meaningful oversight and accountability, means that our cybersecurity efforts have failed us before an attack has ever been attempted.

As I said, security and privacy must walk together in order for either to stand. Meaningful privacy safeguards require strong security standards, and strong security is complementary to robust privacy rights. Systems that adequately protect privacy necessarily rest on the proper implementation of security protocols. Individuals with a right in their data are most protected in circumstances where those protocols are strictly adhered to and enforced. There are countless situations that have demonstrated this fact.

In 2009, Twitter's financial and customer data was compromised after two incidents in which Twitter failed to implement adequate security to prevent unauthorized access. In one event, an employee's weak password, consisting of a common dictionary word in all lowercase letters, was guessed by a random password generator run by a hacker. A second hack was accomplished after an employee was targeted by a spear-phishing attack that uncovered an administrative password stored in plain text.

Earlier this year, Japanese media conglomerate Sony suffered several attacks, most notably on the Sony PlayStation Network, which revealed the personal data of over 77 million users around the globe, including the credit card information of many European users. However, perhaps even more egregious was Sony's third major hack in 2011, specifically of Sony Pictures, which compromised the personal data of more than one million consumers, in addition to 3.5 million other company records. LulzSec, the hacker group that claimed responsibility for these attacks, claimed Sony was "asking for it": "every bit of data" that had been taken was stored in plain text, unencrypted.

And just last week, the personal details of 16,000 Finnish residents were published on a file-sharing website after a data breach at the Finnish National Bureau of Investigation. The records included names, social security numbers, addresses, and contact information. The hacker group that claimed responsibility, Anonymous this time, stated that getting hold of the information was as easy as "cutting butter with a knife."

These incidents, and countless more, are indisputable demonstrations of the absolutely essential nature of vigorous security practices whenever government and corporate entities choose to hold personal data about individuals.

A positive model for the collection and transfer of sensitive information can be found in the EU-US Safe Harbour Framework. The Safe Harbour Framework is predicated on a system of strong security standards that protect sensitive information during cross-border data transfers. Entities that wish to engage in these transfers are required to certify that they have implemented adequate privacy protections, including taking precautions that any data is protected from loss, misuse, and unauthorized access, disclosure, alteration, or destruction.

In 2002, after the September 11th attacks, the U.S. mandated that passenger name records, so-called PNR data, be disclosed to the United States government in advance of international flights. Australia and Canada have since passed similar provisions. A temporary agreement was reached under the Safe Harbour provisions to allow EU companies to transmit the required data, and it was finalized in 2004. However, in 2006, after the European Parliament challenged the agreement on the grounds that it did not sufficiently protect the personal information of European travelers, the European Court of Justice voided it for lack of legal authority. Despite intense negotiations, there has been no permanent agreement for the transmission of this personal information since 2006. The EU and the European Parliament have vocally expressed their reservations regarding security practices in the United States, believing that they are not strong enough to keep the data from being leaked or misused.

In the week since I finalized this presentation, the EU and the US announced that they had finally come to a new agreement, though it has yet to be signed. The true test will come when the European Parliament weighs in, since it has retained veto power over the final agreement.

In 1992, in response to what was, at the time, a new industry, the Organisation for Economic Co-operation and Development adopted an important set of principles to guide computer security in democratic societies. Several experts in computer security and members of civil society contributed to the development of the OECD guidelines, including academic and former judge Michael Kirby and EPIC Advisory Board Chairwoman Deborah Hurley. In order to adequately protect our security and our rights, perhaps it is now time to turn our focus back to these nine basic principles, which include the principles of awareness, proportionality, and timeliness.

I would like to specifically discuss one of these principles: that of accountability. The OECD guidelines state, "the responsibilities and accountability of owners, providers, and users of information systems and other parties concerned with the security of information systems should be explicit." The Safe Harbour Framework, discussed previously, has demonstrably adopted this principle. The Framework specifically provides for a system of accountability for government and corporate entities, and failure to comply with the requirements as they are set out subjects the certifying entity to the "unfair and deceptive" jurisdiction of the U.S. Federal Trade Commission. Persistent violations disqualify the entity from Safe Harbour status.

Despite the common-sense benefits of implementing accountability standards, the United States is actively moving away from such a system, a move that civil society cannot and will not support. Earlier this year, the White House released a legislative proposal that would, among other things, promote increased information disclosures between the government and the private sector in order to anticipate and prevent cyberattacks. The proposal envisions a public-private partnership that will have a greater capability to thwart the very real cyber threats we face than either sector working individually. However, despite these noble goals, the White House's proposal would only damage our privacy and our security.

One cannot help but notice how the White House's "voluntary" systems to facilitate public-private information sharing bear a striking resemblance to President Bush's warrantless wiretapping programs, particularly when past experience demonstrates that voluntary information sharing with the government often and quickly becomes compulsory. And, like the NSA's wiretapping, the proposal also includes a provision to immunize companies that choose to share sensitive information from any legal action. There is no provision setting out minimum legal standards for the security of the data, either during transmission or once it has been stored within a database, and the proposal does not anticipate any system of oversight. And this is cybersecurity?

A successful method of conquering the cybersecurity threat must approach the protection of privacy and individual data with as much vigor as it purports to secure the systems that house that information. I propose that there is no better time than now to find guidance in the emphasis that the Safe Harbour Framework places on both security and privacy, and in the nine principles set forth by the OECD, as factors that support a secure and protective Internet. Only by embracing a system that recognizes the importance of protecting the individuals who depend on the Internet, and the necessity for oversight and accountability, will we be able to truly begin to address the serious cyber threats that we all face.
