UNAUTHORIZED
ACCESS

–––––––––––––––––––––––––––––––––––––––––––––––––

The Crisis in
Online Privacy and Security



UNAUTHORIZED
ACCESS

–––––––––––––––––––––––––––––––––––––––––––––––––

The Crisis in
Online Privacy and Security

Robert H. Sloan • Richard Warner


CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2014 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20130208

International Standard Book Number-13: 978-1-4398-3014-7 (eBook - PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts
have been made to publish reliable data and information, but the author and publisher cannot assume
responsibility for the validity of all materials or the consequences of their use. The authors and publishers
have attempted to trace the copyright holders of all material reproduced in this publication and apologize to
copyright holders if permission to publish in this form has not been obtained. If any copyright material has
not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented,
including photocopying, microfilming, and recording, or in any information storage or retrieval system,
without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.
com ( or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood
Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and
registration for a variety of users. For organizations that have been granted a photocopy license by the CCC,
a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used
only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at

and the CRC Press Web site at



Contents at a Glance
Preface, xix
Acknowledgments, xxi
Authors, xxiii
CHAPTER 1   ◾   Introduction1
CHAPTER 2   ◾   An Explanation of the Internet, Computers,
and Data Mining


13

CHAPTER 3   ◾   Norms and Markets

53

CHAPTER 4   ◾   Informational Privacy: The General Theory

75

CHAPTER 5   ◾   Informational Privacy: Norms and Value
Optimality95
CHAPTER 6   ◾   Software Vulnerabilities and the Low-Priced
Software Norm

125

CHAPTER 7   ◾   Software Vulnerabilities: Creating
Best Practices

157

CHAPTER 8   ◾   Computers and Networks: Attack
and Defense

181

CHAPTER 9   ◾   Malware, Norms, and ISPs


221

v


vi    ◾    Contents at a Glance

CHAPTER 10   ◾   Malware: Creating a Best Practices Norm

251

CHAPTER 11   ◾   Tracking, Contracting, and Behavioral
Advertising273
CHAPTER 12   ◾   From One-Sided Chicken to Value Optimal
Norms303


Contents
Preface, xix
Acknowledgments, xxi
Authors, xxiii
CHAPTER 1   ◾   Introduction1
INTRODUCTION1
THE GOOD, THE BAD, AND THE IN BETWEEN2
The Good

2

The Bad


2

The In Between

3

MAKING TRADE-OFFS4
VALUES7
Profit-Motive-Driven Businesses

8

POLITICS9
TODAY AND TOMORROW: WEB 1.0, 2.0, 3.010
A LOOK AHEAD11
NOTES AND REFERENCES11
FURTHER READING12

CHAPTER 2   ◾   An Explanation of the Internet, Computers,
and Data Mining

13

INTRODUCTION13
PRIMER ON THE INTERNET13
History15
vii


viii    ◾    Contents


Nature of the Internet: Packet-Switched Network

17

End-to-End Principle and the “Stupid” Network

19

A More Technical View

22

Horizontal View: One Home’s LAN to the Backbone22
Vertical View: Internet Protocol Suite24
Internet Layer

25

Transport Layer

26

Application Layer

28

How the Layers Work Together: Packet Encapsulation

28


Numerical Addresses to Names: DNS

30

Putting It All Together

30

PRIMER ON COMPUTERS31
Basic Elements of a Computer

33

Operating Systems

38

PRIMER ON DATA, DATABASES, AND DATA MINING40
Data and Their Representation

40

Databases43
Information Extraction or Data Mining

43

NOTES AND REFERENCES48
FURTHER READING49


CHAPTER 3   ◾   Norms and Markets

53

INTRODUCTION53
NORMS DEFINED53
The Examples

53

The Definition

54

Why People Conform to Norms

54

Ought or Self-Interest?

55

How Do Norms Get Started?

55

COORDINATION NORMS56
Examples56
Definition of a Coordination Norm


58


Contents    ◾    ix

Conformity to Coordination Norms

58

Self-Perpetuating Inappropriate Norms

59

VALUE OPTIMAL NORMS59
Justification and Optimality

59

Lack of Value Optimality: An Example

60

Why Does Value Optimality Matter?

61

A Terminological Point and an Example

61


We Are “Playing without a Helmet”

61

Inappropriate Norms versus No Norms

62

NORMS AND MARKETS63
Detecting Norm Violations

64

Norm-Violation Detectors versus Norm-Inconsistent Sellers

65

Sellers’ Inability to Discriminate

65

The Profit-Maximizing Strategy

65

Perfect Competition

66


Perfect Competition or Close to It Will Force Sellers’
Compliance67
NORMS AND GAME THEORY67
Coordination Problems

68

Equilibria70
Value Optimality

71

NOTES AND REFERENCES72
FURTHER READING73

CHAPTER 4   ◾   Informational Privacy: The General Theory

75

INTRODUCTION75
PERSONALLY IDENTIFIABLE: A DISTINCTION WITHOUT
(MUCH OF) A DIFFERENCE76
THE REQUIREMENT OF FREE AND INFORMED CONSENT78
PROBLEMS WITH NOTICE AND CHOICE79
Notice and Choice Does Not Ensure Informed Consent

80

Notice and Choice Cannot Possibly Ensure Informed Consent 80
Notice and Choice Aims at the Wrong Target


81


x    ◾    Contents

INFORMATIONAL NORMS82
Role-Appropriate Informational Norms as Coordination
Norms84
ENSURING FREE AND INFORMED CONSENT86
Informed Consent

86

Free Consent

87

The Argument That Consent Is Not Free

87

Radin’s Requirements Almost Fulfilled

88

But What about Contracts?

89


THE IDEAL OF NORM COMPLETENESS89
Two Ways to Fall Short

90

How Norms Can Cease to Be Value Optimal

90

NOTES AND REFERENCES91
FURTHER READING92

CHAPTER 5   ◾   Informational Privacy: Norms and Value
Optimality95
INTRODUCTION95
DIRECT MARKETING: RETAILERS AS INFORMATION
BROKERS96
Retailers as Information Brokers

97

Role-Appropriate Information Processing Norms

98

Retailers as Information Brokers Norm

99

The Norm Is Not Value Optimal


100

An Objection

101

A Consequence

102

INFORMATION AGGREGATORS103
The Current Norm and Its Problems

106

Beyond Lack of Control

107

THE HEALTH INSURANCE INDUSTRY107
The Norm

108

The Health Insurance Norm Is Not Value Optimal

109



Contents    ◾    xi

MORE EXAMPLES109
Cookies110
Cookies and Targeted Advertising111
The Resort to the Illusion of Consent112
Cloud Computing

113

Unresolved Questions and the Resort to Notice and Choice115
Social Networking Sites

115

Blurring the Line117
More Blurring of the Line118
The Resort to Notice and Choice119
COLLABORATE OR RESIST?119
NOTES AND REFERENCES120
FURTHER READING122

CHAPTER 6   ◾   Software Vulnerabilities and the Low-Priced
Software Norm

125

INTRODUCTION125
WHAT BUYERS DEMAND126
Vulnerability-Exacerbating Features of the Software Market


127

Negative Externality and Ways to Cure It

129

STRICT LIABILITY130
NEGLIGENCE132
Vulnerability-Reducing Practices for Software Development

134

Negligence Liability Will Not Lead to Adoption of Better
Practices135
Why Developers Must Know How Much to Invest in
Reducing Vulnerabilities

137

Consequences of Not Knowing How Much to Invest in
Vulnerability Reduction

137

PRODUCT LIABILITY FOR DEFECTIVE DESIGN138
THE STATUTORY ALTERNATIVE139
WE ARE TRAPPED AND ONLY LEGAL REGULATION WILL
RELEASE US139



xii    ◾    Contents

THREE EXAMPLES OF VALUE OPTIMAL PRODUCT-RISK
NORMS141
The Fitness Norm

141

The Negligent Design/Manufacture Norm

142

The Best Loss-Avoider Norm

145

A Key Feature: Norm-Implemented Trade-offs

145

THE LOW-PRICED SOFTWARE NORM146
Fitness, Negligent Design/Manufacture, and Best Loss
Avoider147
The Low-Priced Software Norm Is Not Value Optimal

149

WE NEED TO CREATE A VALUE OPTIMAL NORM—BUT
WHAT SHOULD IT BE?150

NOTES AND REFERENCES151
FURTHER READING152

CHAPTER 7   ◾   Software Vulnerabilities: Creating Best
Practices157
INTRODUCTION157
BEST PRACTICES DEFINED157
BEST PRACTICES FOR SOFTWARE DEVELOPMENT160
“To Some Extent”: An Important Qualification

161

CREATING THE BEST PRACTICES SOFTWARE NORM162
Defining Best Practices

165

Statutory and Regulatory Options for Defining Best
Practices166
Norm Creation in Ideal Markets

168

Real-World Markets: Lack of Market Power, No Barriers to
Entry or Exit, and Zero Transaction Costs

169

Five out of Six


170

The Perfect Information Barrier

170

NORM CREATION IN REAL MARKETS171
What Markets Should We Regulate?

173

Should We Worry about a “Lemons” Market?

175


Contents    ◾    xiii

UNAUTHORIZED ACCESS: BEYOND SOFTWARE
VULNERABILITIES177
NOTES AND REFERENCES177
FURTHER READING178

CHAPTER 8   ◾   Computers and Networks: Attack and
Defense181
INTRODUCTION181
TYPES OF DOORS182
Gates (Outermost Doors)

183


Doors into Our Computers

184

Unintended Doors

185

Zero-Day Attacks

186

The CIA Triad

186

ATTACKS ON AVAILABILITY187
ATTACKING CONFIDENTIALITY: HANGING OUT IN THE
NEIGHBORHOOD189
Packet Sniffing

190

Session Hijacking

191

ATTACKS ON AUTHENTICATION192
Password Cracking


193

ATTACKS ON INTEGRITY194
Secret Doors

194

Unintended Doors: Software and Hardware Vulnerabilities

195

Unwanted Doors: Web Server Vulnerabilities

196

Doors We Are Tricked into Opening

201

MULTIPLYING, ELIMINATING, AND LOCKING DOORS206
Multiplying Doors

207

Eliminating Doors

207

Locking Doors


208

POSTING GUARDS209
Authentication210
Firewalls210


xiv    ◾    Contents

Intrusion Detection and Prevention Services

213

LOCKING AND GUARDING DOORS IS HARD AND WE
DO A POOR JOB214
Unlocked Doors We Don’t Know About

214

Doors We Don’t Realize We Should Lock

215

Limitations on Guards

215

SHOULD ISPS LOCK DOORS AND CHECK
CREDENTIALS?217

NOTES AND REFERENCES217
FURTHER READING219

CHAPTER 9   ◾   Malware, Norms, and ISPs

221

INTRODUCTION221
A MALWARE DEFINITION222
Malware and Lack of Consent

223

Don’t We Just Mean Illegal, or at Least Harmful?

224

Making “Especially Objectionable” More Precise

225

Are Tracking Cookies Malware?

227

THE MALWARE ZOO228
Viruses and Worms

229


Trojans231
Rootkits231
Bots and Botnets

233

Spyware235
The Latest Trend

235

WHY END-USER DEFENSES ARE SO WEAK236
The Limits of Detection

236

Poor Use of Poor Tools

237

The ISP Alternative

239

THE “END-USER-LOCATED ANTIVIRUS” NORM240
Importance of Network Neutrality

241

Home-User-Located Antimalware Defense Is Not Value

Optimal242


Contents    ◾    xv

FIRE PREVENTION AND PUBLIC HEALTH243
COMPARE MALWARE244
IS BETTER PROTECTION WORTH VIOLATING NETWORK
NEUTRALITY?245
The Risk to Privacy

245

The Risk to Free Expression

246

THE VALUE OPTIMAL NORM SOLUTION247
NOTES AND REFERENCES247
FURTHER READING249

CHAPTER 10   ◾   Malware: Creating a Best Practices Norm

251

INTRODUCTION251
CURRENT BEST PRACTICES FOR ISP MALWARE DEFENSE251
Sample Current Technical Best Practices

252


The Other Categories of ISP (Best?) Practices

256

Why Current Best Practices Are Not All That We Need

257

AN ADDITIONAL WRINKLE: THE DEFINITION OF
MALWARE IS NOT FULLY SETTLED260
DEFINING COMPREHENSIVE BEST PRACTICES261
Definitional Issues

261

CREATING THE NORM262
Norm Creation in Perfectly Competitive Markets

262

No Market Power, No Entry/Exit Barriers, and No
Transaction Costs

264

The Perfect Knowledge Barrier

264


NORM CREATION IN REAL MARKETS265
No Worry about Lemons Market

266

THE END-TO-END AND NETWORK NEUTRALITY
PRINCIPLES267
HAS OUR FOCUS BEEN TOO NARROW?268
WAS OUR FOCUS TOO NARROW IN ANOTHER WAY?270
NOTES AND REFERENCES270
FURTHER READING272


xvi    ◾    Contents

CHAPTER 11   ◾   Tracking, Contracting, and Behavioral
Advertising273
INTRODUCTION273
BEHAVIORAL ADVERTISING AND THE ONLINE
ADVERTISING ECOSYSTEM275
HOW WEBSITES GAIN INFORMATION ABOUT YOU:
STRAIGHTFORWARD METHODS277
You Identify Yourself Using a Login ID

277

Websites Know Your IP Number

278


Cookies: A Deeper Dive into the Technology

279

Making a “Signature” out of Browser, OS, Fonts Installed, etc. 283
OTHER WAYS OF GETTING YOUR ONLINE
INFORMATION284
WHAT IS WRONG WITH BEHAVIORAL ADVERTISING?285
Lack of Choice for Buyers

285

Acquiescence via Contract

286

Fixing What Is Broken

287

THE SECOND-ORDER CONTRACTUAL NORM288
Compatibility290
Are We Right?

292

HOW THE NORM ARISES IN IDEAL MARKETS293
REAL MARKETS: HOW THE COORDINATION NORM
ARISES294
Buyers294

Sellers296
How Contracting Can Go Wrong

298

THE LACK OF CONSENT TO PAY-WITH-DATA
EXCHANGES298
NOTES AND REFERENCES300
FURTHER READING301

CHAPTER 12   ◾   From One-Sided Chicken to Value Optimal
Norms303
INTRODUCTION303


Contents    ◾    xvii

CHICKEN WITH CARS303
THE PAY-WITH-DATA GAME OF ONE-SIDED CHICKEN305
Buyers’ Preferences

306

Sellers’ Preferences

307

One-Sided Chicken

308


Escaping One-Sided Chicken

308

NORM CREATION IN PERFECTLY COMPETITIVE
MARKETS309
Approximation to Perfect Competition in Pay-with-Data
Exchanges309
Approximation to Perfect Information in the Real World

312

NORM CREATION IN THE REAL MARKET313
Buyers Will Use Blocking Technologies

313

Advertising Revenue Will Decline

314

Sellers Will Conform More Closely to Buyers’ Preferences

314

Norms? Yes. Value Optimal? Yes, but…

315


DOES FACEBOOK PLAY ONE-SIDED CHICKEN?316
As Goes Facebook, So Goes Google?

317

DO-NOT-TRACK INITIATIVES318
MORE “BUYER POWER” APPROACHES TO NORM
GENERATION320
Mobile Apps

320

Cloud Computing

322

Summary of Our Norm-Generation Strategies So Far

322

TWO VERSIONS OF THE BEST PRACTICES STATUTE
APPROACH323
PRISONER’S DILEMMA325
Information Aggregators

325

A Classic Prisoner’s Dilemma

326


Prisoner’s Dilemma for Business Buyers

328

How Many Players Are in This Game Anyway?

329

Trust and Commitment

331


xviii    ◾    Contents

THE NEED FOR TRUST334
Retailers as Information Brokers

334

Health Insurance

337

Employer Hiring

338

Beyond Buying and Selling


339

IF WE FAIL TO CREATE NORMS340
THE BIG DATA FUTURE341
APPENDIX: A GAME THEORETIC ANALYSIS OF
FACEBOOK’S PRIVACY SETTINGS344
NOTES AND REFERENCES349
FURTHER READING352


Preface

T

his book grew out of a course the two of us taught together about
online privacy and security to an integrated group of computer science and law students. By teaching that course, we learned how to explain
thorny legal issues to computer science students, as well as complex technical questions of computer security to law students who were once English
and political science majors.
Privacy and security are, of course, affected by technological decisions
made by the likes of Microsoft, Facebook, Google, and the major Internet service providers. However, many of their decisions are driven by legal, regulatory, and economic considerations, which are in turn profoundly influenced
by public policy. This book considers what public policy should be for online
privacy and security. In this book we take a step beyond works that present
the issues and problems and we also propose specific solutions. People always
point out drawbacks to solutions, and they will do so with ours, but creating
a framework for this discussion is one of our central goals. We believe in our
solutions, and we believe even more firmly that society will not resolve critical questions about privacy and security without an informed discussion.
An informed discussion must be a discussion among disparate disciplines—including, at a minimum, computer scientists, economists, lawyers, and public-policy makers. We hope that this book will bridge the
gaps between these disciplines. We describe sophisticated technological,
economic, legal, and public policy issues, but we write in plain English.

Readers need no technical and no legal expertise. We emphasize the need
to make trade-offs among the complex concerns that arise in the context
of online privacy and security. We introduce the theme of trade-offs in the
first chapter and we close with it in the last chapter. Our book is a call for
reasoned compromise. Please critique our solutions.
Robert Sloan
Richard Warner
xix



Acknowledgments

W

e benefited greatly from the work of Helen Nissenbaum and
James Rule. Nissenbaum deepened our understanding of norms
and how they work, and Rule provided insight into the need for trade-offs
and the complex issues they raise. We also gratefully acknowledge our
debt to Lori Andrews. We benefited from her work, from discussions of
privacy, and from her encouragement. Harold Krent read early versions of
(what became) Chapters 3 through 7 and we benefited from his insights.
Shai Simonson read later versions of Chapters 1 through 4 and provided
much helpful feedback. Earlier versions of Chapters 4, 5, and 12 were presented at the 2011 and 2012 Privacy Law Scholars Conference, and we
thank our audiences for helpful comments and encouragement. We thank
Dan Bernstein, Jon Solworth, and Venkat Venkatakrishnan for helpful
conversations and insights about a number of the fine points of computer
security; Mark Grechanik for helpful conversations and insights about
software engineering; and Bob Goldstein for providing the viewpoint of a
senior IT manager on several security threats. We thank Daniel Saunders

for his excellent help with our line drawings and other figures.
We thank the National Science Foundation and program officer
extraordinaire Dr. Sylvia Spengler for support of our general research
in this area, including the 2011 and 2012 Privacy Law Scholars papers
(though not this book directly), under National Science Foundation Grant
Number IIS-0959116. Of course, any opinions, findings, and conclusions
or recommendations expressed in this book are those of the authors and
do not necessarily reflect the views of the National Science Foundation.
We are indebted to our editors, Alan Apt and Randi Cohen of Taylor &
Francis, for their time and expertise; we wish Alan a glorious retirement
and thank him for originally signing this project.
Robert Sloan gratefully acknowledges the patience and kind understanding of his wife, Maurine Neiberg, and daughters, Rose and Emma
xxi


xxii    ◾    Acknowledgments

Neiberg Sloan, during the writing of this book. He further thanks older
daughter Rose for some helpful proofreading and feedback, and Maurine
(ScM, computer science, and JD) for extensive reading and commentary; he congratulates her for successfully walking the very narrow path
between constructive criticism and inciting a riot.
Richard Warner gratefully acknowledges the unending patience and
support of his wife, Ky Southworth, who made it possible for him to devote
so much of the day to writing and from whose common sense about privacy he always profits. He would also like to thank Sip, the coffeehouse in
which he did most of the writing, for its hospitality and coffee.


Authors
Robert H. Sloan is professor and department head in the Department
of Computer Science of the University of Illinois at Chicago. For 2 years,

starting in January 2001, he served as the program director of the Theory
of Computing Program at the National Science Foundation. He has published extensively in the areas of computer security, theoretical computer
science, and artificial intelligence. He holds a BS (mathematics) from
Yale University and an SM and PhD from the Massachusetts Institute of
Technology (computer science). He was a postdoctoral fellow at Harvard
and also spent 1 year taking classes at Yale Law School.
Richard Warner is professor and Norman and Edna Freehling scholar at
the Illinois Institute of Technology Chicago-Kent College of Law, where he
is the faculty director of the Center for Law and Computers. Prior to joining Chicago-Kent, he was a philosophy professor, first at the University of
Pennsylvania and then at the University of Southern California. He is visiting foreign professor in the law faculty at University of Gdańsk, Poland.
He is the director of the School of American Law, which has branches
in Poland, Ukraine, and Georgia; editor-in-chief of Emerging Markets:
A Review of Business and Legal Issues; and a member of the US Secret
Service’s Electronic and Financial Crimes Taskforce. From 1994 to 1996,
he was president of InterActive Computer Tutorials, a software company,
and from 1998 to 2000, he was director of Building Businesses on the Web,
an Illinois Institute of Technology executive education program. He holds
a BA (English literature) from Stanford University; a PhD (philosophy)
from the University of California, Berkeley; and a JD from the University
of Southern California. His research interests include privacy, security,
contracts, and the nature of values and their relation to action.

xxiii