Assignment: Policy Analysis
This assignment involves looking at a proposal for a new policy related to cybersecurity, and giving it careful consideration.
This is an individual assignment, though if you want to, you can work with a partner on it. If you work with a partner, I expect a higher quality assignment with more thorough analysis. If you work with a partner, both partners should turn in identical papers, and both papers should have both names on them.
Dad Took a Photo of his Toddler
CSAM, or “Child Sexual Abuse Material”, is pornographic text, images, or videos involving children. Currently, making, possessing or distributing this material is against the law in the US and many other countries. This crime is taken very seriously by law enforcement, and a lot of effort is put into catching and prosecuting offenders who create or distribute it.
As a result, people who are interested in this use a lot of advanced tools and technologies to try to hide their activities from law enforcement. These people have custom online communities and chat services to share this material, and often use technologies like 2-factor authentication and end-to-end encryption to protect themselves from law enforcement.
There has been a lot of pressure by activists and the government for technology companies to provide back-doors into their secure technologies so that offenders can be caught and prosecuted. Technology companies generally agree in principle – no company wants to be known as the child porn company – and generally try to help law enforcement as much as they can.
With that background, we will start with a case study to set the stage. Google is one of the tech companies that does not want to support and distribute CSAM. They work hard to detect and report possible offenders to law enforcement, and will delete people’s accounts if it is detected. Recently, there was an interesting story about someone this happened to:
https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html
Part 1: Understand the Case
Let’s use the skills we’ve been developing to understand this case. Start by reading the news article linked above. You’ve read through a number of case studies, and are starting to get a better gut feeling for what information is important and what information isn’t. This one is a bit different – it is a “false positive” case, where someone was accused of something that they didn’t really do, or at least, isn’t the intent of the law. Still, we can use many of the same tools to think through this case.
Let’s go through the same process we have been doing for the last couple of weeks to map out and understand what is happening:
- Figure out who the relevant actors are. We’ve got the attackers, the victim, additional defenders, etc. Fill out an actors and motivations worksheet for each of them to try to think through who was doing what, and why they did what they did.
- Figure out the attack, and what vulnerability enabled the attack. Specifically, think about how an actual attacker (someone distributing child porn) might use these tools, and what Google might do to stop them. Feel free to grab the vulnerability worksheet and fill it out, trying to understand what the weakness was that these (hypothetical) attackers might try to exploit.
Don’t spend too long on this. Details help, but all of this work is really to help you gain a basic understanding of what happened. You should hopefully be getting faster and better at these tasks as you practice them every week.
Part 2: Policy Proposal
Modern mobile devices include a number of security technologies collectively known as “mobile encryption” that help protect the device and its content from hackers. This includes both encrypting communications like text messages as they are sent, and encryption of data on the device itself, so it can only be accessed if you have the password.
Recently, parts of the U.S. Government, along with many other governments, have suggested that we should require technology companies to create a “backdoor” into this encryption so that the government can access data encrypted by the mobile device (with appropriate safeguards e.g. a warrant).
That is, they have made a policy proposal: mobile devices that use encryption need to have some technical means to give access to government officials when they need it, even over the objection of the device owner and technology company.
The US Congress has proposed adding requirements to mobile devices intended to prevent the spread of Child Sexual Abuse Material (CSAM). The proposed law would require companies to follow a best practice that stores encryption keys (or simply doesn’t use encryption) so that police can decrypt text messages and email sent by people who are suspected of sending and receiving CSAM. Apple proposed a slightly different technical solution to this problem. This discussion focused on encrypted communications rather than encrypted devices, but the underlying policy issue is very similar.
Here is a proposed policy for the US, which is very similar to the recently proposed EARN IT act:
Companies that build technology for mobile communication are currently immune from liability for how those technologies are used by users. For example, if someone uses an Android phone to commit a crime (like making or distributing child sexual abuse material), Google (the manufacturer of the phone) is not liable for that crime. The proposed policy is to make that liability conditional on providing law enforcement access. Companies that use technologies to enable electronic communication are only immune from liability if they include in the technology some technical means for authorized law enforcement (e.g. police with a warrant) to get through the encryption and access the raw data on the mobile device.
This proposed policy is not currently the law, but it is an active bill under consideration before the US Congress.
This policy proposal is part of a conversation that has been happening in public for a long time, and goes under the name Crypto Wars.
There are roughly two opposing viewpoints about this policy. On one side, advocates for the policy are likely to be concerned about law enforcement being able to do their job, and are concerned with “going dark” and the criminals being able to use encryption to shield their crimes from law enforcement.
On the other side, advocates against the policy are likely to bring up aspects of free speech and freedom of expression, rights of privacy, abuse of this access, and the creation of potential backdoors for hackers. This side likes to say that requiring companies to weaken encryption is like requiring people to leave their keys under their doormats.
This conversation is happening in the US, and also in parts of Europe, which recently decided that requiring law enforcement access to encrypted communications is a violation of human rights.
Read (or at least, skim) all of these links, and use them to think about this policy proposal and consider its implications.
Part 3: Policy Analysis
Your main goal for this assignment is to examine this policy proposal, consider both sides carefully, and make an informed decision whether to support the proposed policy or not.
Start by looking at the concepts from economics that we discussed in class, and trying to see which of these help you to better understand the situation and the proposed policy. The economics concepts also all have possible solutions associated with them. The readings pages on this website do a good job associating which policy solutions are commonly associated with each concept from economics. The main economics concepts are:
- Misaligned Incentives: Look at who currently has incentives to protect against CSAM. Who has the incentive to protect? Is that person / organization the same as whoever is in the best position to actually invest in protection? Misaligned incentives can be solved by changing when people are liable, by making rules that stop them before committing crime (ex ante) rather than trying to catch them after the fact (ex post). They are also often solved by assigning liability to the person or organization in the best place to stop the problem.
- Externalities: Are there externalities involved here? Are there positive externalities (network effects) that cause benefits the more people do it and create lock-in? Are there negative externalities, where one person’s decisions cause harm to other people? Externalities are hard to solve, but often play an important role in understanding what is actually happening and why.
- Information Asymmetry: Is there one group that has more or less information than another? Don’t just consider attackers and defenders; often one group of defenders has more information than another group of defenders. When information asymmetry exists, look for problems related to adverse selection, moral hazard, and a market for lemons. Is there a way to force people to share information to eliminate the information asymmetry (required disclosure)?
Some, but not all, of these concepts will be helpful in understanding this case and this policy proposal. Think about it carefully and try to figure out which concept(s) are most useful to you in thinking objectively about this policy idea.
Next, figure out how to argue for both sides. I want you (and your partner, if you have one) to write compelling and convincing arguments for each side: that yes, we should do this policy, and that no, we shouldn’t do this policy.
As you write these arguments, bring in these concepts from economics. Consider whether the policy is an ex ante policy (before an attack / decision) or an ex post policy (kicks in after an attack / decision). Think about when each of these types of policies is appropriate. If the policy involves resolving an information asymmetry, consider that the goal is usually not just revealing information; it is for that information to cause a change in behavior. What change in behavior is the policy hoping for, and is it likely to actually happen?
In thinking about this policy, consider all of the social science ideas we have learned in class. We talked about a number of social scientific concepts that may or may not be relevant to this policy, such as theories of persuasion and education; how and why people lie; lemons markets; economic markets for vulnerabilities; weakest link vs. best shot vs. total effort defenses; etc. Try to use at least one of these ideas in your thinking about this policy proposal.
Finally, after you’ve finished writing both arguments, decide which one you agree with. What should we do as a society? Why? Should we enact this policy proposal as law? Explain why you have made your decision about this policy proposal.
Deliverable
Your goal for this assignment is to write up a document intended to brief someone about this potential policy. It should start with an “executive summary”: a one paragraph description of your analysis and conclusions. What is your bottom line conclusion: Should we adopt this policy? Why or why not? (1 paragraph)
We talk a lot in this class about starting with a specific incident (or case study), and then trying to come up with solutions to prevent incidents like that in the future. The first assignment was learning how to understand specific incidents. This assignment is about the second half – thinking about solutions. As such, you don’t need to write up anything about the specific incident / case that motivated this assignment. You just have to write up your analysis of the solution.
The policy that is proposed in part 2 is an example of a policy that might help to fix that problem. This is a very realistic policy that is under consideration by the US Congress. In addition to the executive summary, the main body of your paper needs to have at least 4 parts:
- A description of the proposed policy
- An argument for why we should enact this policy
- An argument for why we should not enact this policy
- Your opinion: which argument do you find more compelling and why
Along the way, you must use concepts from this class, and specifically the concepts from economics that we discussed over the last few weeks, in your description of the policy and in your arguments for and against the policy. This is important: connecting this policy with the larger concepts from economics will help you gain a broader perspective on why this proposed policy might or might not work.
Connecting the proposed policy with the economics concepts might also suggest alternative strategies for solving this problem. As part of the last part (your opinion), you are welcome to say that you disagree with this policy because you think a different policy would work better. If you do that, explain why you think that is.
Each of these four parts should probably be 1-3 pages long, with the whole document less than 10 pages in total. (Groups of 2 can go longer, but no longer than 15 pages).
This assignment is intended to be an individual assignment; each person must come up with their own policy analysis and justification. However, if you like, you can work with a partner (a group of 2). If you work in a group of 2, the policy brief document should include both students’ names on it, and both students should submit identical documents on Canvas. Groups of 2 will be expected to have longer documents that include more details about the policy arguments and rationale, and a more thorough analysis.
Finally, be prepared to describe your analysis and conclusions in class. In class on Tuesday, I will ask about 5-10 people/groups to come up and present their conclusions to the class for discussion and feedback. Discussion and feedback is how you improve ideas. Your idea doesn’t need to be perfect, but it helps to get up and talk about it so you can make it better.