Cybersecurity: Recent Legislation

I know, talking legislation is sexy stuff. But a short look back at some recent developments will be foundational to some important coming discussions.

The past several months have been packed with Cybersecurity legislation. Lawmaking is inherently an iterative process and, at the risk of sounding cynical, despite all the activity it’s fair to say we haven’t covered much new ground in 2015. But don’t interpret the following synopsis as cynicism. The legislation is absolutely indicative of substantive forward progress, but I feel there’s an opportunity at hand for larger leaps forward. A short recap of recent legislation and recurring themes to frame a later discussion:

Private Sector Information Sharing: 2015’s State of the Union address included a section focusing on Cybersecurity, specifically with a call for better efforts to “integrate intelligence.” Less than a month later, the President would raise that concern again at a Cybersecurity and Consumer Protection Summit. The summit featured the introduction of an Executive Order (EO) “Promoting Private Sector Cybersecurity Information Sharing.” Information sharing is hardly virgin ground for Cyber legislation.[i] The call for Cybersecurity Information Sharing and Analysis Organizations (ISAO) can be found in the Homeland Security Act of 2002, the 2013 State of the Union Address and the 2013 and 2015 versions of the proposed Cyber Intelligence Sharing and Protection Acts. The 2013 State of the Union Address also gave rise to its own EO (EO 13636) calling for the creation of a framework outlining processes for voluntary private sector information sharing. Two of four Cybersecurity bills passed late in 2014 called for similar collaboration, the Cybersecurity Enhancement Act and the National Cybersecurity Protection Act. Last month’s EO adds further detail to ISAOs, calling for formalized changes and updates to sharing policy as well as the creation of a non-government ISAO Standards Organization. If recent legislation has a predominant theme it’s “Please share…pretty please??”

Cyberspace as Critical Infrastructure: Legislation has also emphasized the protection of U.S. Cyberspace as key to economic, military and national security stability. Several sectors of U.S. Cyberspace were therefore defined as critical infrastructure in the Homeland Security Act of 2002. Provisions were made for critical infrastructure protection (CIP) in 2003’s Homeland Security Presidential Directive-7. Those CIP prescriptions were further refined in the Cybersecurity guidance of 2013’s EO 13636 (titled “Improving Critical Infrastructure”) & the resiliency prescriptions of Presidential Policy Directive 21. And the Cybersecurity Enhancement Act of 2014 once again highlighted the importance of our cyber assets and infrastructure to American prosperity and well-being. Second theme: “This stuff is important.”

Privacy and Civil Liberties Are Essential: There have been two recent long form attempts to describe privacy rights and civil liberties in Cyberspace, 2012’s Consumer Privacy Bill of Rights and last week’s 2015 version of the Consumer Privacy Bill of Rights. In the span between those two offerings, preserving privacy has also been a stated outcome of 2013’s EO 13636, this year’s EO Promoting Private Sector Cybersecurity Information Sharing and the National Cybersecurity Protection Act of 2014. At one point President Obama also threatened to veto the 2013 version of the Cyber Intelligence Sharing and Protection Act if it wasn’t amended to ensure privacy and civil liberty protections.

Now that the legal pedigree is behind us, that’s thirteen years of the same three part harmony:
“Share information.”
“Cyberspace is critical.”
“Privacy is essential.”

And let’s be clear who the intended audience is – the private sector. Because as of 2009 the vast majority of public sector organizations began some migration to some subset of the same government security standards. So after thirteen years, how are we still in roughly the same position? I believe it’s because, on their face, those three previous statements don’t provide enough incentive to bring the right stakeholders to consensus yet. I believe we’re close. I’ve offered what I think it will take to get us there absent some positive change. But I also believe the public sector (and not necessarily just the Feds) has at least one more compelling incentive it can offer. I think evidence of that can be heard echoed here in the reactions of Trustwave’s Phil Smith, RSA’s Mike Brown and Denim Group’s John Dickson.

To be continued…

[i] Information sharing is one means of attempting to scale efforts to combat an “open source adversary.” Open source adversaries, like cyber criminals and advanced persistent threats, can cheaply and easily replicate attack methods and vectors, using scale to incredible advantage. J. Michael Daniel, cyber-security coordinator at the White House, gave this explanation of the counter-tactic’s benefits: “We have seen industries that have increased their information sharing—such as in the financial services industry—and that does make a meaningful difference in being able to cut out a lot of the low-level attacks and intrusions. When you do that, then you can focus your humans on the more sophisticated intruders. I see this as a sort of baseline for us just to stay in the game.” For a brief treatment on open source cyberwar see John Robb’s blog or the excellent example in his book Brave New War.

The Facebook Novel (That No One Will Read)

A good lawyer will tell you, “Never sign anything that you haven’t read or don’t understand.”  The same goes for accepting online agreements. But even in the face of so much sound advice, personal experience and anecdotal evidence suggest that reading the whole contract is batting well below the “Mendoza Line.”  You, however, are a diligent, meticulous go-getter who always sweats the contract details, devouring the whole document for the smallest of minutiae – right?  But what if that document includes links?  Do you read the links?  Are they incorporated into the parent agreement “by reference?”[1]  What if there are a lot of links?  What if the links contain links?  Enter Facebook’s newly updated terms, policies & “Privacy Basics”:

As you might’ve heard, on January 30th Facebook will be rolling out new language for their Statement of Rights and Responsibilities, Data Policy and Cookies Policy.  The opening paragraphs of Facebook’s initial announcement link to an explanatory privacy tool and 3 separate policies to be updated.  I won’t even attempt to form a legal opinion about what’s incorporated by reference in these updates and what isn’t.  Instead I wanted to figure out, as a techie lawyer, how much documentation and legalese does one have to consume to wrap their head around their rights and responsibilities as one of Facebook’s 1.35 billion active users.  The initial announcement alone included 14 unique links – to do this correctly, clearly I was going to need some terms and guidelines of my own.

“Supersizing” Facebook’s New T’s & C’s

Morgan Spurlock’s “Super Size Me” kept popping to mind.  In his 2004 documentary [2] Spurlock eats nothing but McDonald’s, 3 full meals a day, for a month and documents the results.  He lays out a few ground rules for the experiment but there was one that seemed relevant:  If the person taking the order asks if he’d like to “super size” the meal he’d say yes.  My analog was, “If the referenced document includes a link, I will click on that link as well.”  Unfortunately, the Facebook policy ecosystem is a wee bit more complex than the McDonald’s menu board, so this was going to require a few additional conditions to keep the results relevant & manageable.  My rules for a link to be included in the relevant Facebook T’s & C’s:

  • Only pages reached by following downstream links of the Facebook updated terms & policies announcement are in scope.
  • The linked content is related to privacy, security, rights and/or responsibilities.
  • The linked content is in the main context of the linked page (not the menu, template, banners, style sheets, peripheral web assets, etc.)
  • The content is applicable to users in the U.S., and not just users of a specific state.
  • Settings, configurations and purely technical information are not included unless they are related to managing or understanding some aspect of privacy, security, rights and/or responsibilities.
  • Links to external domains may be considered relevant and included, but no other links from those external domains can be clicked (“1 outside click” rule.)

Sounds like I’m considering a lot of content “out of bounds”, doesn’t it?  Again, I’d just like to restate the objective here:  If we assume incorporation by reference, starting with the Terms & Policy Update Announcement and using only clicks on relevant provided links, how much reading is involved in grasping everything Facebook wants you to know about terms, conditions, rights and responsibilities?
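A small breadth-first walk that applies the inclusion rules above to a constructed link graph, added here as an example and not part of the original post or any tool the author used. The domains fb.example and ads.example, the page texts and the keyword relevance filter are all assumptions standing in for the author’s manual, subjective judgement; the tallies it returns are the ones the post reports (total links, unique pages, external links, broken links, duplicated text and a nonduplicative word count).

```python
from collections import deque
from urllib.parse import urlparse

HOME, FB, ADS = "fb.example", "https://fb.example/", "https://ads.example/"  # constructed, not Facebook's real domains
RELEVANT = ("privacy", "security", "rights", "responsibilities", "data", "cookies", "terms")
SITE = {  # constructed miniature policy ecosystem: url -> (main-context text, outbound links)
    FB + "update": ("Terms update: our data policy, cookies policy and privacy basics are changing.",
                    [FB + "data-policy", FB + "cookies", FB + "privacy-basics", FB + "careers", FB + "data-policy"]),
    FB + "data-policy": ("Data policy: what information we collect and your rights.", [FB + "cookies", ADS + "optout", FB + "gone"]),
    FB + "cookies": ("Cookies policy: cookies we use for security.", [FB + "update"]),
    FB + "privacy-basics": ("Privacy basics: who sees your posts and privacy settings.", [FB + "privacy-basics-mobile"]),
    FB + "privacy-basics-mobile": ("Privacy basics: who sees your posts and privacy settings.", []),  # same text twice
    FB + "careers": ("Join our team! Open engineering positions.", [FB + "benefits"]),              # not relevant
    ADS + "optout": ("Opt out of online behavioral advertising: your privacy choices.", [ADS + "about"]),  # external
}

def is_relevant(text):  # crude keyword stand-in for the post's subjective relevance call (an assumption)
    return any(k in text.lower() for k in RELEVANT)

def crawl(pages, start, home):
    """Breadth-first walk applying the post's inclusion rules; returns the tallies it reports."""
    stats = dict(total_links=0, unique_pages=0, external_links=0, broken_links=0, duplicate_text=0, words=0)
    seen, texts, queue = {start}, set(), deque([(start, False)])  # queue holds (url, reached via external link)
    while queue:
        url, external = queue.popleft()
        if url not in pages:                 # target does not resolve: a broken link
            stats["broken_links"] += 1
            continue
        text, links = pages[url]
        if not is_relevant(text):            # out of scope: neither counted nor followed
            continue
        stats["unique_pages"] += 1
        if text in texts:                    # same text under another URL: words counted once
            stats["duplicate_text"] += 1
        else:
            texts.add(text)
            stats["words"] += len(text.split())
        if external:                         # "1 outside click" rule: do not follow further
            continue
        for link in links:
            stats["total_links"] += 1
            if link in seen:
                continue
            seen.add(link)
            is_ext = urlparse(link).netloc != home
            stats["external_links"] += int(is_ext)
            queue.append((link, is_ext))
    return stats
```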

Any guesses?  In terms of links?  Unique documents?  Pages?  Words?  Last chance to formulate a guess…

Hint:  My link tree just for organizing this project was 26 pages and nearly 4,500 words long (with each URL being interpreted as only one word, mind you.)


  • 358 total links
  • 118 “unique” links
  • 5 external links
  • 2 instances of the “Privacy Dino”
  • 2 broken links
  • 1 additional set of terms that you’d need to accept to use Custom Audiences features.
  • The total, nonduplicative text of these 118 unique pages comprises:  67,401 words
  • Or a 164 page standard format Word document


  • If it were a book, this text of the T’s & C’s would be longer than Treasure Island, The Color Purple, The Scarlet Letter, All Quiet on the Western Front or Lord of the Flies
  • One of the closest books in terms of word count is John Green’s “The Fault in Our Stars”, and while I have been neglecting the adolescent romance titles of late, I can’t say for certain which text I would rather have been reading this past weekend. [4]
  • A good portion of the privacy content is geared at privacy with respect to other users. While that is important, and the Facebook internal mechanisms aren’t completely opaque, there are still a lot of questions about what goes on with our data under the covers and with Facebook’s partners.
  • This link allows you to opt out from online behavioral advertising campaigns with over 100 companies.
  • Of the 118 unique links visited, this is the only one that actually underlines (potentially legally incorporated by reference) links and doesn’t force you to squint for the nearly indiscernible dark blue link text as opposed to the regular black font.
  • The Facebook Principles are pretty good stuff.
  • Really want to trigger your “Privacy Spidey Sense?”  Check out your Facebook metadata.
  • These Facebook Companies links lead to 10 other Facebook subsidiaries with “privacy” in the URL.  The majority of these companies have their own privacy link tree and are not using these terms & conditions.
  • Facebook Payments, while not a separate company per se, also has its own privacy policy.
  • Facebook has a lot of products and services (e.g. Mobile, Messenger, Paper, etc.) in the Facebook ecosystem.  Regarding those services:  “in some cases, products and services that we offer have their own separate privacy policies and terms.”
  • So, 67,000 words (or one “Fault in Our Stars”) later, if something is designated as a “service” (like whether I’m using the mobile app or the messaging function) then none of this may apply???

But perhaps the most interesting link, in my opinion, is the page for “How can I report a legal violation of my rights other than copyright or trademark rights?”  This link will net you 64 total words asking you to write out the reason you’re writing, the right you believe was infringed, and your legal basis for claiming the right.  And that’s just it – we probably need 67,000 word Terms & Conditions frameworks because we live in a litigious, open society that has done little to define rights and expectations around data, identities, and identity attributes beyond the monetization of those elements under Intellectual Property law.  There is a presumptive expectation that because someone built these online services and you avail yourself of those services, that any data gathered, actions tracked and correlations realized are the sweat equity and the work product of the service.  But after another look at your Facebook Metadata, is there a question about whether the value lies in the service or is inherently an inextricable part of the individuals using it?

Let’s be clear: this is not intended as an indictment or a defense of Facebook. I appreciate the ecosystem of people and interactions Facebook provides.  Their policy update was worth exploring because of the number of users and the nature of the data involved.  But the core issue that forces a company to draft a 67,000 word terms framework in the first place is not unique to Facebook.  We have a critical mass of personal information, growing and expanding avenues of intended and unintended exposure of that information, and next to no substantive guidelines steering our expectations, responsibilities and duties in handling it.  We must set out to create those guidelines – or am I the only person who feels it’s just as unreasonable to maintain an environment where every online company drafts a 67,000 word policy structure as it is to expect every user to read it?

[1] Because every reputable explanation of a legal concept includes a Wikipedia link.

[2] And potential Jim Gaffigan dream sequence.

[3] Now might be the right time to point out that I made my best effort to catch every link, document meticulously, keep all included links relevant and have no duplicative material. I don’t believe I made any mistakes in capturing this material but I would not be surprised in the least if mistakes were made. Further, “relevant to privacy, security, rights and/or responsibilities” is a subjective concept (especially in regard to technical controls, interface settings, and configurations). Rational thinking people may have differing opinions as to whether I was too restrictive or lenient in my inclusions. Regardless, given my guidelines, I am very comfortable with these figures.

[4] Or as one friend informed me, “A maudlin nonsense piece about a girl with cancer whose love for her boyfriend doesn’t cure cancer.”