White Paper & Bio
Computer and network security researchers currently face a dearth
of usable data about real networked information systems. Researchers,
as well as Congress and funding agencies, have identified improving
access to real-world data about these systems as critical to advancing
the state of cyber defenses. In particular, increased sharing of communications
data would help to shed light on modern-day threats and would significantly
aid cyber defense research efforts. Despite considerable attention
to this problem, and some highly innovative efforts within government
and academia to address it, data sharing for security research remains
a legally and economically risky endeavor. I offer a few thoughts
about how legal, economic, and technical obstacles to data sharing
interact, and how we might address these obstacles without unduly
threatening individual privacy protection.

1. Technical Obstacles.
Technology has an important supporting role to play in facilitating
increased data sharing for research purposes, but technology alone
appears unlikely to remedy the current dearth of useful data. Data
anonymization remains a topic of active research, with new anonymization---and
de-anonymization---techniques under active development. Different
types of data present different challenges for anonymization; and,
given the diverse types of data that security researchers need, relying
on anonymization as a primary means of making sources comfortable
with sharing data more broadly might set an impossibly high bar. Moreover,
anonymization and other technical measures might not cure the legal
and organizational problems that confront sharing communications data.

2. Legal Obstacles.
A number of laws make sharing communications data
a legally risky proposition, but the most generally applicable one
is the Electronic Communications Privacy Act (ECPA). The ECPA generally
prohibits interceptions of communications and, under many circumstances,
prohibits the disclosure of stored communications contents and records.
The ECPA, however, allows some leeway to organizations that intercept
communications to protect the security of their own networks and computer
systems; and it imposes essentially no limits on organizations' internal
retention and uses of stored communications. Thus, the ECPA contains
significant gaps with respect to protecting individual privacy, but
its sharp distinction between use and disclosure poses a real obstacle
for sharing data for the socially beneficial purpose of security research.
A broader conversation about how the law should protect communications
data is overdue. Though legal reform might not be sufficient to improve
security researchers' access to data (see below), it may be necessary.

3. Economic and Organizational Obstacles.
Even when the law doesn't
prohibit sharing data, a number of other factors may prevent the organizations
that control relevant data from sharing it. One concern is that data
sources want to prevent security-sensitive data from falling into
the hands of attackers, whether through accidental or purposeful disclosures.
Another organizational impediment to data sharing is that some potential
sources might promise their customers or subscribers more privacy
protection than the law requires; or they might wish to avoid public
backlash that might follow sharing data, even with strong technical
and non-technical (e.g., non-disclosure agreements and risk assessments)
measures in place. Finally, data sources wish to avoid sharing data
that competitors might use against them. Finding ways to address these
problems appears to be a necessary complement to legal reform and technical
approaches to protecting the confidentiality of data.
Biographical Data
Aaron Burstein is the TRUST and ACCURATE Research Fellow at the
Samuelson Law, Technology & Public Policy Clinic and the Berkeley
Center for Law and Technology at the University of California, Berkeley
School of Law (Boalt Hall). Burstein's research interests include
security, transparency, privacy, and intellectual property. With
support from the NSF-funded TRUST (Team to Research Ubiquitous Secure
Computing) and ACCURATE (A Center for Correct, Usable, Reliable,
Auditable, and Transparent Elections) centers, Burstein is studying
these themes in the contexts of pervasive computing and electronic
voting. He has also written about cybercrime and legal issues surrounding
digital rights management systems. Burstein holds a J.D. from Boalt
Hall (2004). After finishing law school, he served for two years
as a trial attorney in the U.S. Department of Justice Antitrust
Division. Prior to attending law school, Burstein studied chemistry
at Brown University and UC Berkeley and worked as a programmer for
a medical imaging research center.