UNAUTHORIZED
ACCESS
–––––––––––––––––––––––––––––––––––––––––––––––––
The Crisis in
Online Privacy and Security
Robert H. Sloan • Richard Warner
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2014 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20130208
International Standard Book Number-13: 978-1-4398-3014-7 (eBook - PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts
have been made to publish reliable data and information, but the author and publisher cannot assume
responsibility for the validity of all materials or the consequences of their use. The authors and publishers
have attempted to trace the copyright holders of all material reproduced in this publication and apologize to
copyright holders if permission to publish in this form has not been obtained. If any copyright material has
not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented,
including photocopying, microfilming, and recording, or in any information storage or retrieval system,
without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com
or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood
Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and
registration for a variety of users. For organizations that have been granted a photocopy license by the CCC,
a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used
only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
and the CRC Press Web site at
Contents at a Glance
Preface
Acknowledgments
Authors
CHAPTER 1 ◾ Introduction
CHAPTER 2 ◾ An Explanation of the Internet, Computers, and Data Mining
CHAPTER 3 ◾ Norms and Markets
CHAPTER 4 ◾ Informational Privacy: The General Theory
CHAPTER 5 ◾ Informational Privacy: Norms and Value Optimality
CHAPTER 6 ◾ Software Vulnerabilities and the Low-Priced Software Norm
CHAPTER 7 ◾ Software Vulnerabilities: Creating Best Practices
CHAPTER 8 ◾ Computers and Networks: Attack and Defense
CHAPTER 9 ◾ Malware, Norms, and ISPs
CHAPTER 10 ◾ Malware: Creating a Best Practices Norm
CHAPTER 11 ◾ Tracking, Contracting, and Behavioral Advertising
CHAPTER 12 ◾ From One-Sided Chicken to Value Optimal Norms
Contents
Preface
Acknowledgments
Authors
CHAPTER 1 ◾ Introduction
INTRODUCTION
THE GOOD, THE BAD, AND THE IN BETWEEN
The Good
The Bad
The In Between
MAKING TRADE-OFFS
VALUES
Profit-Motive-Driven Businesses
POLITICS
TODAY AND TOMORROW: WEB 1.0, 2.0, 3.0
A LOOK AHEAD
NOTES AND REFERENCES
FURTHER READING
CHAPTER 2 ◾ An Explanation of the Internet, Computers, and Data Mining
INTRODUCTION
PRIMER ON THE INTERNET
History
Nature of the Internet: Packet-Switched Network
End-to-End Principle and the “Stupid” Network
A More Technical View
Horizontal View: One Home’s LAN to the Backbone
Vertical View: Internet Protocol Suite
Internet Layer
Transport Layer
Application Layer
How the Layers Work Together: Packet Encapsulation
Numerical Addresses to Names: DNS
Putting It All Together
PRIMER ON COMPUTERS
Basic Elements of a Computer
Operating Systems
PRIMER ON DATA, DATABASES, AND DATA MINING
Data and Their Representation
Databases
Information Extraction or Data Mining
NOTES AND REFERENCES
FURTHER READING
CHAPTER 3 ◾ Norms and Markets
INTRODUCTION
NORMS DEFINED
The Examples
The Definition
Why People Conform to Norms
Ought or Self-Interest?
How Do Norms Get Started?
COORDINATION NORMS
Examples
Definition of a Coordination Norm
Conformity to Coordination Norms
Self-Perpetuating Inappropriate Norms
VALUE OPTIMAL NORMS
Justification and Optimality
Lack of Value Optimality: An Example
Why Does Value Optimality Matter?
A Terminological Point and an Example
We Are “Playing without a Helmet”
Inappropriate Norms versus No Norms
NORMS AND MARKETS
Detecting Norm Violations
Norm-Violation Detectors versus Norm-Inconsistent Sellers
Sellers’ Inability to Discriminate
The Profit-Maximizing Strategy
Perfect Competition
Perfect Competition or Close to It Will Force Sellers’ Compliance
NORMS AND GAME THEORY
Coordination Problems
Equilibria
Value Optimality
NOTES AND REFERENCES
FURTHER READING
CHAPTER 4 ◾ Informational Privacy: The General Theory
INTRODUCTION
PERSONALLY IDENTIFIABLE: A DISTINCTION WITHOUT (MUCH OF) A DIFFERENCE
THE REQUIREMENT OF FREE AND INFORMED CONSENT
PROBLEMS WITH NOTICE AND CHOICE
Notice and Choice Does Not Ensure Informed Consent
Notice and Choice Cannot Possibly Ensure Informed Consent
Notice and Choice Aims at the Wrong Target
INFORMATIONAL NORMS
Role-Appropriate Informational Norms as Coordination Norms
ENSURING FREE AND INFORMED CONSENT
Informed Consent
Free Consent
The Argument That Consent Is Not Free
Radin’s Requirements Almost Fulfilled
But What about Contracts?
THE IDEAL OF NORM COMPLETENESS
Two Ways to Fall Short
How Norms Can Cease to Be Value Optimal
NOTES AND REFERENCES
FURTHER READING
CHAPTER 5 ◾ Informational Privacy: Norms and Value Optimality
INTRODUCTION
DIRECT MARKETING: RETAILERS AS INFORMATION BROKERS
Retailers as Information Brokers
Role-Appropriate Information Processing Norms
Retailers as Information Brokers Norm
The Norm Is Not Value Optimal
An Objection
A Consequence
INFORMATION AGGREGATORS
The Current Norm and Its Problems
Beyond Lack of Control
THE HEALTH INSURANCE INDUSTRY
The Norm
The Health Insurance Norm Is Not Value Optimal
MORE EXAMPLES
Cookies
Cookies and Targeted Advertising
The Resort to the Illusion of Consent
Cloud Computing
Unresolved Questions and the Resort to Notice and Choice
Social Networking Sites
Blurring the Line
More Blurring of the Line
The Resort to Notice and Choice
COLLABORATE OR RESIST?
NOTES AND REFERENCES
FURTHER READING
CHAPTER 6 ◾ Software Vulnerabilities and the Low-Priced Software Norm
INTRODUCTION
WHAT BUYERS DEMAND
Vulnerability-Exacerbating Features of the Software Market
Negative Externality and Ways to Cure It
STRICT LIABILITY
NEGLIGENCE
Vulnerability-Reducing Practices for Software Development
Negligence Liability Will Not Lead to Adoption of Better Practices
Why Developers Must Know How Much to Invest in Reducing Vulnerabilities
Consequences of Not Knowing How Much to Invest in Vulnerability Reduction
PRODUCT LIABILITY FOR DEFECTIVE DESIGN
THE STATUTORY ALTERNATIVE
WE ARE TRAPPED AND ONLY LEGAL REGULATION WILL RELEASE US
THREE EXAMPLES OF VALUE OPTIMAL PRODUCT-RISK NORMS
The Fitness Norm
The Negligent Design/Manufacture Norm
The Best Loss-Avoider Norm
A Key Feature: Norm-Implemented Trade-offs
THE LOW-PRICED SOFTWARE NORM
Fitness, Negligent Design/Manufacture, and Best Loss Avoider
The Low-Priced Software Norm Is Not Value Optimal
WE NEED TO CREATE A VALUE OPTIMAL NORM—BUT WHAT SHOULD IT BE?
NOTES AND REFERENCES
FURTHER READING
CHAPTER 7 ◾ Software Vulnerabilities: Creating Best Practices
INTRODUCTION
BEST PRACTICES DEFINED
BEST PRACTICES FOR SOFTWARE DEVELOPMENT
“To Some Extent”: An Important Qualification
CREATING THE BEST PRACTICES SOFTWARE NORM
Defining Best Practices
Statutory and Regulatory Options for Defining Best Practices
Norm Creation in Ideal Markets
Real-World Markets: Lack of Market Power, No Barriers to Entry or Exit, and Zero Transaction Costs
Five out of Six
The Perfect Information Barrier
NORM CREATION IN REAL MARKETS
What Markets Should We Regulate?
Should We Worry about a “Lemons” Market?
UNAUTHORIZED ACCESS: BEYOND SOFTWARE VULNERABILITIES
NOTES AND REFERENCES
FURTHER READING
CHAPTER 8 ◾ Computers and Networks: Attack and Defense
INTRODUCTION
TYPES OF DOORS
Gates (Outermost Doors)
Doors into Our Computers
Unintended Doors
Zero-Day Attacks
The CIA Triad
ATTACKS ON AVAILABILITY
ATTACKING CONFIDENTIALITY: HANGING OUT IN THE NEIGHBORHOOD
Packet Sniffing
Session Hijacking
ATTACKS ON AUTHENTICATION
Password Cracking
ATTACKS ON INTEGRITY
Secret Doors
Unintended Doors: Software and Hardware Vulnerabilities
Unwanted Doors: Web Server Vulnerabilities
Doors We Are Tricked into Opening
MULTIPLYING, ELIMINATING, AND LOCKING DOORS
Multiplying Doors
Eliminating Doors
Locking Doors
POSTING GUARDS
Authentication
Firewalls
Intrusion Detection and Prevention Services
LOCKING AND GUARDING DOORS IS HARD AND WE DO A POOR JOB
Unlocked Doors We Don’t Know About
Doors We Don’t Realize We Should Lock
Limitations on Guards
SHOULD ISPS LOCK DOORS AND CHECK CREDENTIALS?
NOTES AND REFERENCES
FURTHER READING
CHAPTER 9 ◾ Malware, Norms, and ISPs
INTRODUCTION
A MALWARE DEFINITION
Malware and Lack of Consent
Don’t We Just Mean Illegal, or at Least Harmful?
Making “Especially Objectionable” More Precise
Are Tracking Cookies Malware?
THE MALWARE ZOO
Viruses and Worms
Trojans
Rootkits
Bots and Botnets
Spyware
The Latest Trend
WHY END-USER DEFENSES ARE SO WEAK
The Limits of Detection
Poor Use of Poor Tools
The ISP Alternative
THE “END-USER-LOCATED ANTIVIRUS” NORM
Importance of Network Neutrality
Home-User-Located Antimalware Defense Is Not Value Optimal
FIRE PREVENTION AND PUBLIC HEALTH
COMPARE MALWARE
IS BETTER PROTECTION WORTH VIOLATING NETWORK NEUTRALITY?
The Risk to Privacy
The Risk to Free Expression
THE VALUE OPTIMAL NORM SOLUTION
NOTES AND REFERENCES
FURTHER READING
CHAPTER 10 ◾ Malware: Creating a Best Practices Norm
INTRODUCTION
CURRENT BEST PRACTICES FOR ISP MALWARE DEFENSE
Sample Current Technical Best Practices
The Other Categories of ISP (Best?) Practices
Why Current Best Practices Are Not All That We Need
AN ADDITIONAL WRINKLE: THE DEFINITION OF MALWARE IS NOT FULLY SETTLED
DEFINING COMPREHENSIVE BEST PRACTICES
Definitional Issues
CREATING THE NORM
Norm Creation in Perfectly Competitive Markets
No Market Power, No Entry/Exit Barriers, and No Transaction Costs
The Perfect Knowledge Barrier
NORM CREATION IN REAL MARKETS
No Worry about Lemons Market
THE END-TO-END AND NETWORK NEUTRALITY PRINCIPLES
HAS OUR FOCUS BEEN TOO NARROW?
WAS OUR FOCUS TOO NARROW IN ANOTHER WAY?
NOTES AND REFERENCES
FURTHER READING
CHAPTER 11 ◾ Tracking, Contracting, and Behavioral Advertising
INTRODUCTION
BEHAVIORAL ADVERTISING AND THE ONLINE ADVERTISING ECOSYSTEM
HOW WEBSITES GAIN INFORMATION ABOUT YOU: STRAIGHTFORWARD METHODS
You Identify Yourself Using a Login ID
Websites Know Your IP Number
Cookies: A Deeper Dive into the Technology
Making a “Signature” out of Browser, OS, Fonts Installed, etc.
OTHER WAYS OF GETTING YOUR ONLINE INFORMATION
WHAT IS WRONG WITH BEHAVIORAL ADVERTISING?
Lack of Choice for Buyers
Acquiescence via Contract
Fixing What Is Broken
THE SECOND-ORDER CONTRACTUAL NORM
Compatibility
Are We Right?
HOW THE NORM ARISES IN IDEAL MARKETS
REAL MARKETS: HOW THE COORDINATION NORM ARISES
Buyers
Sellers
How Contracting Can Go Wrong
THE LACK OF CONSENT TO PAY-WITH-DATA EXCHANGES
NOTES AND REFERENCES
FURTHER READING
CHAPTER 12 ◾ From One-Sided Chicken to Value Optimal Norms
INTRODUCTION
CHICKEN WITH CARS
THE PAY-WITH-DATA GAME OF ONE-SIDED CHICKEN
Buyers’ Preferences
Sellers’ Preferences
One-Sided Chicken
Escaping One-Sided Chicken
NORM CREATION IN PERFECTLY COMPETITIVE MARKETS
Approximation to Perfect Competition in Pay-with-Data Exchanges
Approximation to Perfect Information in the Real World
NORM CREATION IN THE REAL MARKET
Buyers Will Use Blocking Technologies
Advertising Revenue Will Decline
Sellers Will Conform More Closely to Buyers’ Preferences
Norms? Yes. Value Optimal? Yes, but…
DOES FACEBOOK PLAY ONE-SIDED CHICKEN?
As Goes Facebook, So Goes Google?
DO-NOT-TRACK INITIATIVES
MORE “BUYER POWER” APPROACHES TO NORM GENERATION
Mobile Apps
Cloud Computing
Summary of Our Norm-Generation Strategies So Far
TWO VERSIONS OF THE BEST PRACTICES STATUTE APPROACH
PRISONER’S DILEMMA
Information Aggregators
A Classic Prisoner’s Dilemma
Prisoner’s Dilemma for Business Buyers
How Many Players Are in This Game Anyway?
Trust and Commitment
THE NEED FOR TRUST
Retailers as Information Brokers
Health Insurance
Employer Hiring
Beyond Buying and Selling
IF WE FAIL TO CREATE NORMS
THE BIG DATA FUTURE
APPENDIX: A GAME THEORETIC ANALYSIS OF FACEBOOK’S PRIVACY SETTINGS
NOTES AND REFERENCES
FURTHER READING
Preface
This book grew out of a course the two of us taught together about
online privacy and security to an integrated group of computer science and law students. By teaching that course, we learned how to explain
thorny legal issues to computer science students, as well as complex technical questions of computer security to law students who were once English
and political science majors.
Privacy and security are, of course, affected by technological decisions
made by the likes of Microsoft, Facebook, Google, and the major Internet service providers. However, many of their decisions are driven by legal, regulatory, and economic considerations, which are in turn profoundly influenced
by public policy. This book considers what public policy should be for online
privacy and security. In this book we take a step beyond works that present
the issues and problems and we also propose specific solutions. People always
point out drawbacks to solutions, and they will do so with ours, but creating
a framework for this discussion is one of our central goals. We believe in our
solutions, and we believe even more firmly that society will not resolve critical questions about privacy and security without an informed discussion.
An informed discussion must be a discussion among disparate disciplines—including, at a minimum, computer scientists, economists, lawyers, and public-policy makers. We hope that this book will bridge the
gaps between these disciplines. We describe sophisticated technological,
economic, legal, and public policy issues, but we write in plain English.
Readers need no technical and no legal expertise. We emphasize the need
to make trade-offs among the complex concerns that arise in the context
of online privacy and security. We introduce the theme of trade-offs in the
first chapter and we close with it in the last chapter. Our book is a call for
reasoned compromise. Please critique our solutions.
Robert Sloan
Richard Warner
Acknowledgments
We benefited greatly from the work of Helen Nissenbaum and
James Rule. Nissenbaum deepened our understanding of norms
and how they work, and Rule provided insight into the need for trade-offs
and the complex issues they raise. We also gratefully acknowledge our
debt to Lori Andrews. We benefited from her work, from discussions of
privacy, and from her encouragement. Harold Krent read early versions of
(what became) Chapters 3 through 7 and we benefited from his insights.
Shai Simonson read later versions of Chapters 1 through 4 and provided
much helpful feedback. Earlier versions of Chapters 4, 5, and 12 were presented at the 2011 and 2012 Privacy Law Scholars Conference, and we
thank our audiences for helpful comments and encouragement. We thank
Dan Bernstein, Jon Solworth, and Venkat Venkatakrishnan for helpful
conversations and insights about a number of the fine points of computer
security; Mark Grechanik for helpful conversations and insights about
software engineering; and Bob Goldstein for providing the viewpoint of a
senior IT manager on several security threats. We thank Daniel Saunders
for his excellent help with our line drawings and other figures.
We thank the National Science Foundation and program officer
extraordinaire Dr. Sylvia Spengler for support of our general research
in this area, including the 2011 and 2012 Privacy Law Scholars papers
(though not this book directly), under National Science Foundation Grant
Number IIS-0959116. Of course, any opinions, findings, and conclusions
or recommendations expressed in this book are those of the authors and
do not necessarily reflect the views of the National Science Foundation.
We are indebted to our editors, Alan Apt and Randi Cohen of Taylor &
Francis, for their time and expertise; we wish Alan a glorious retirement
and thank him for originally signing this project.
Robert Sloan gratefully acknowledges the patience and kind understanding of his wife, Maurine Neiberg, and daughters, Rose and Emma
Neiberg Sloan, during the writing of this book. He further thanks older
daughter Rose for some helpful proofreading and feedback, and Maurine
(ScM, computer science, and JD) for extensive reading and commentary; he congratulates her for successfully walking the very narrow path
between constructive criticism and inciting a riot.
Richard Warner gratefully acknowledges the unending patience and
support of his wife, Ky Southworth, who made it possible for him to devote
so much of the day to writing and from whose common sense about privacy he always profits. He would also like to thank Sip, the coffeehouse in
which he did most of the writing, for its hospitality and coffee.
Authors
Robert H. Sloan is professor and department head in the Department
of Computer Science of the University of Illinois at Chicago. For 2 years,
starting in January 2001, he served as the program director of the Theory
of Computing Program at the National Science Foundation. He has published extensively in the areas of computer security, theoretical computer
science, and artificial intelligence. He holds a BS (mathematics) from
Yale University and an SM and PhD from the Massachusetts Institute of
Technology (computer science). He was a postdoctoral fellow at Harvard
and also spent 1 year taking classes at Yale Law School.
Richard Warner is professor and Norman and Edna Freehling scholar at
the Illinois Institute of Technology Chicago-Kent College of Law, where he
is the faculty director of the Center for Law and Computers. Prior to joining Chicago-Kent, he was a philosophy professor, first at the University of
Pennsylvania and then at the University of Southern California. He is visiting foreign professor in the law faculty at University of Gdańsk, Poland.
He is the director of the School of American Law, which has branches
in Poland, Ukraine, and Georgia; editor-in-chief of Emerging Markets:
A Review of Business and Legal Issues; and a member of the US Secret
Service’s Electronic and Financial Crimes Taskforce. From 1994 to 1996,
he was president of InterActive Computer Tutorials, a software company,
and from 1998 to 2000, he was director of Building Businesses on the Web,
an Illinois Institute of Technology executive education program. He holds
a BA (English literature) from Stanford University; a PhD (philosophy)
from the University of California, Berkeley; and a JD from the University
of Southern California. His research interests include privacy, security,
contracts, and the nature of values and their relation to action.