Improving Government Disclosure of Security Vulnerabilities

Last week, we wrote about the shared responsibility of protecting Internet security. Today, we want to dive deeper into this issue and focus on one very important obligation governments have: proper disclosure of security vulnerabilities.

Software vulnerabilities are at the root of so much of today’s cyber insecurity. The revelations of recent attacks on the DNC, the state electoral systems, the iPhone, and more, have all stemmed from software vulnerabilities. Security vulnerabilities can be created inadvertently by the original developers, or they can be developed or discovered by third parties. Sometimes governments acquire, develop, or discover vulnerabilities and use them in hacking operations (“lawful hacking”). Either way, once governments become aware of a security vulnerability, they have a responsibility to consider how and when (not whether) to disclose the vulnerability to the affected company, so that the developer can fix the problem and protect its users. We need to work with governments on how they handle vulnerabilities to ensure they are responsible partners in making this a reality today.

In the U.S., the government’s process for reviewing and coordinating the disclosure of vulnerabilities that it learns about or creates is called the Vulnerabilities Equities Process (VEP). The VEP was established in 2010, but not operationalized until the Heartbleed vulnerability in 2014, which reportedly affected two thirds of the Internet. At that time, White House Cybersecurity Coordinator Michael Daniel wrote in a blog post that the Obama Administration has a presumption in favor of disclosing vulnerabilities. But policy by blog post is not particularly binding on the government, and as Daniel himself admits, “there are no hard and fast rules” to govern the VEP.

It has now been two years since Heartbleed and the U.S. government’s blog post, but we haven’t seen improvement in the way that vulnerability disclosure is being handled. Just one example is the alleged hack of the NSA by the Shadow Brokers, which resulted in the public release of NSA “cyberweapons”, including “zero day” vulnerabilities that the government knew about and apparently had been exploiting for years. Companies like Cisco and Fortinet, whose products were affected by these zero day vulnerabilities, had just that: zero days to develop fixes to protect users before the vulnerabilities were possibly exploited by hackers.

The government may have legitimate intelligence or law enforcement reasons for delaying disclosure of vulnerabilities (for example, to enable lawful hacking), but these same vulnerabilities can endanger the security of billions of people. These two interests must be balanced, and recent incidents demonstrate just how easily stockpiling vulnerabilities can go awry without proper policies and procedures in place.

Cybersecurity is a shared responsibility, and that means we all must do our part – technology companies, users, and governments. The U.S. government could go a long way in doing its part by putting transparent and accountable policies in place to ensure it is handling vulnerabilities appropriately and disclosing them to affected companies. We aren’t seeing this happen today. Still, with some reforms, the VEP can be a strong mechanism for ensuring the government is striking the right balance.

More specifically, we recommend five important reforms to the VEP:

  • All security vulnerabilities should go through the VEP and there should be public timelines for reviewing decisions to delay disclosure.
  • All relevant federal agencies involved in the VEP must work together to evaluate a standard set of criteria to ensure all relevant risks and interests are considered.
  • Independent oversight and transparency into the processes and procedures of the VEP must be created.
  • The VEP Executive Secretariat should live within the Department of Homeland Security, because it has built up significant expertise, infrastructure, and trust through existing coordinated vulnerability disclosure programs (for example, US-CERT).
  • The VEP should be codified in law to ensure compliance and permanence.

These changes would improve the state of cybersecurity today.

We’ll dig into the details of each of these recommendations in a blog post series from the Mozilla Policy team over the coming weeks – stay tuned for that.

Today, you can watch Heather West, Mozilla Senior Policy Manager, discuss this issue at the New America Open Technology Institute event on the topic of “How Should We Govern Government Hacking?” The event can be viewed here.

Protecting the Open Internet in India

Net Neutrality in India

Millions of people in developing nations think that Facebook is the Internet. This is not a matter of mere confusion. It means that millions of people aren’t able to take advantage of all the things that the open, neutral Internet has to offer.

We’re committed to advancing net neutrality on a global scale. People around the world deserve access to the open Web: a Web ripe for exploration, education, and innovation. It’s especially critical to protect this right in countries where people are going online for the first time.

Mozilla’s entire community of open Web supporters is a demonstration of this commitment. Over one million Indians have mobilized through social media campaigns and on-the-ground efforts to “Save the Internet” and petition the Telecom Regulatory Authority of India (TRAI). Indian Mozillians took a bold stand for net neutrality, because they care about freedom, choice, and innovation.

This week, Mozilla filed comments with TRAI. We’ve been engaged before with TRAI and the government of India on net neutrality, free data, and differential pricing. This time, we’re commenting on a pre-consultation paper on net neutrality. We are also contributing feedback on the Free Data consultation paper. This document asks for possible options that respect net neutrality while providing free data to users and complying with the Differential Pricing Regulation.

Our comments stress the need for a strong regulatory framework in India that ensures all internet traffic is treated equally, whether you’re a billion-dollar company or a small startup. We also encourage the development of data-offering models that follow net neutrality principles:

  1. All points in the network should be able to connect with other points in the network.
  2. Service providers should deliver all traffic from point to point as expeditiously as possible.
  3. The Internet should remain a place for permissionless innovation.

We also articulate principles that define characteristics of equal-rating compliant models. We believe these principles will help TRAI and other regulators assess subsidized data offerings. Equal-rating means that offerings:

  • Are content-agnostic – data offered is not limited to specific content or types of content
  • Are not subject to gatekeepers – content doesn’t have to go through subjective or arbitrary processes to be included in the system
  • Do not allow pay-for-play – data can’t be bought outright, which would privilege providers who have more purchasing power
  • Are transparent – the terms are understandable and up-front for both end users and content providers
  • Allow for user and content choice – users and content providers ultimately have the power to be included in, or excluded from, the system.

The Work Ahead

We applaud the Indian government for taking encouraging steps to protect the open Internet. TRAI’s consultation on net neutrality is a welcome step toward enshrining net neutrality in India. Still, connecting the unconnected remains one of the greatest challenges of our time. More work is needed to develop new, alternative models that offer the full diversity of the open Internet to everyone. We’ll continue to support the open Internet and net neutrality in India and around the world.

Join us in this effort by engaging on social media with #SaveTheInternet. Stay tuned to this blog for more on these issues. Share your opinion with the TRAI. There’s still time!

EU Internet Users Can Stand Up For Net Neutrality

Over the past 18 months, the debate around the free and open Internet has taken hold in countries around the world, and we’ve been encouraged to see governments take steps to secure net neutrality. A key component of these movements has been strong public support from users upholding the internet as a global public resource. From the U.S. to India, public opinion has helped to positively influence internet regulators and shape internet policy.

Now, it’s time for internet users in the EU to speak out and stand up for net neutrality.

The Body of European Regulators of Electronic Communications (BEREC) is currently finalising implementation guidelines for the net neutrality legislation passed by EU Parliament last year. This is an important moment — how the legislation is interpreted will have a major impact on the health of the internet in the EU. A clear, strong interpretation can uphold the internet as a free and open platform. But a different interpretation can grant big telecom companies considerable influence and the ability to implement fast lanes, slow lanes, and zero-rating. It would make the internet more closed and more exclusive.

At Mozilla, we believe the internet is at its best as a free, open, and decentralised platform. This is the kind of internet that enables creativity and collaboration; that grants everyone equal opportunity; and that benefits competition and innovation online.

Everyday internet users in the EU have the opportunity to stand up for this type of internet. From now through July 18, BEREC is accepting public comments on the draft guidelines. It’s a small window — and BEREC is simultaneously experiencing pressure from telecom companies and other net neutrality foes to undermine the guidelines. That’s why it’s so important to sound off. When more and more citizens stand up for net neutrality, we’re empowering BEREC to stand their ground and interpret net neutrality legislation in a positive way.

Mozilla is proud to support savetheinternet.eu, an initiative by several NGOs — like European Digital Rights (EDRi) and Access Now — to uphold strong net neutrality in the EU. savetheinternet.eu makes it simple to submit a public comment to BEREC and stand up for an open internet in the EU. BEREC’s draft guidelines already address many of the ambiguities in the Regulation; your input and support can bring needed clarity and strength to the rules. We hope you’ll join us: visit savetheinternet.eu and write BEREC before the July 18 deadline.

A Step Forward for Net Neutrality in the U.S.

We’re thrilled to see the D.C. Circuit Court upholding the FCC’s historic net neutrality order, and the agency’s authority to continue to protect Internet users and businesses from throttling and blocking. Protecting openness and innovation is at the core of Mozilla’s mission. Net neutrality supports a level playing field, critical to ensuring a healthy, innovative, and open Web.

Leading up to this ruling, Mozilla filed a joint amicus brief with CCIA supporting the order, and engaged extensively in the FCC proceedings. We filed a written petition, provided formal comments along the way, and engaged our community with a petition to Congress. Mozilla also organized global teach-ins and a day of action, and co-authored a letter to the President.

We’re glad to see this development and we remain steadfast in our position that net neutrality is a critical factor to ensuring the Internet is open and accessible. Mozilla is committed to continuing to advocate for net neutrality principles around the world.

The countdown is on: 24 months to GDPR compliance

Twenty-four months from now, a new piece of legislation will apply throughout Europe: the General Data Protection Regulation (GDPR). Broadly speaking, we see the GDPR as advantageous for both users and companies, with trust and security being key components of a successful business in today’s digital age. We’re glad to see an update for European data protection law – the GDPR is replacing the earlier data protection “directive”, 95/46/EC, which was drafted over 20 years ago when only 1% of Europeans had access to the Internet. With the GDPR’s formal adoption as of 14th April 2016, the countdown to compliance has begun. Businesses operating in all 28 European Union (EU) member states have until 25th May 2018 to get ready for compliance, or face fines of up to 4% of their worldwide turnover.

The GDPR aims to modernise data protection rules for today’s digital challenges, increase harmonisation within the EU, strengthen enforcement powers, and increase user control over personal data. The Regulation moved these goals forward, although it is not without its flaws. With some elements of it, the devil will be in the details, and it remains to be seen what the impact will be in practice.

That aside, there are many good pieces of the Regulation which stand out. We want to call out five:

  1. Less is more: we welcome the reaffirmation of core privacy principles requiring that businesses should limit the amount of data they collect and justify for what purpose they collect data. At Mozilla, we put these principles into action and advocate for businesses to adopt lean data practices.
  2. Greater transparency equals smarter individual choice: we applaud the Regulation’s endorsement of transparency and user education as key assets.
  3. Privacy as the default setting: businesses managing data will have to consider privacy throughout the entire lifecycle of products and services. That means that from the day teams start designing a product, privacy must be top of mind. It also means that strong privacy should always be the “by-default setting”.
  4. Privacy and competition are mutually reinforcing: with added controls for users like the ability to port their personal data, users remain the owner of their data, even when they leave a service. Because this increases the ability to move to another provider, this creates competition and prevents user lock-in within one online platform.
  5. What’s good for the user is good for business: strengthened data and security practices also decrease the risks associated with personal data collection and processing, for both users and businesses. This is not negligible: in 2015, data breaches cost on average USD 3.79 million per impacted company, not to mention the customer trust that was lost.

Above and beyond the direct impact of the GDPR, its standard-setting potential is substantial. It is more than a purely regional regulation, as it will have global impact. Any business that markets goods or services to users in the EU will be subject to compliance, regardless of whether their business is located in the EU.

We will continue to track the implications of the GDPR over the next 24 months as it comes into force, and will stay engaged with any opportunities to work out the final details. We encourage European Internet users and businesses everywhere to join us – stay tuned as we continue to share thoughts and updates here.

This is what a rightsholder looks like in 2016

In today’s policy discussions around intellectual property, the term ‘rightsholder’ is often misconstrued as someone who supports maximalist protection and enforcement of intellectual property, instead of someone who simply holds the rights to intellectual property. This false assumption can at times create a kind of myopia, in which the breadth and variety of actors, interests, and viewpoints in the internet ecosystem – all of whom are rightsholders to one degree or another – are lost.

This is not merely a process issue – it undermines constructive dialogues aimed at achieving a balanced policy. Copyright law is, ostensibly, designed and intended to advance a range of beneficial goals, such as promoting the arts, growing the economy, and making progress in scientific endeavour. But maximalist protection policies and draconian enforcement benefit the few and not the many, hindering rather than helping these policy goals. For copyright law to enhance creativity, innovation, and competition, and ultimately to benefit the public good, we must all recognise the plurality and complexity of actors in the digital ecosystem, who can be at once IP rightsholders, creators, and consumers.

Mozilla is an example of this complex rightsholder stakeholder. As a technology company, a non-profit foundation, and a global community, we hold copyrights, trademarks, and other exclusive rights. Yet, in the pursuit of our mission, we’ve also championed open licenses to share our works with others. Through this, we see an opportunity to harness intellectual property to promote openness, competition and participation in the internet economy.

We are a rightsholder, but we are far from maximalists. Much of the code produced by Mozilla, including much of Firefox, is licensed using a free and open source software licence called the Mozilla Public License (MPL), developed and maintained by the Mozilla Foundation. We developed the MPL to strike a real balance between the interests of proprietary and open source developers in an effort to promote innovation, creativity and economic growth to benefit the public good.

Similarly, in recognition of the challenges the patent system raises for open source software development, we’re pioneering an innovative approach to patent licensing with our Mozilla Open Software Patent License (MOSPL). Today, the patent system can be used to hinder innovation by other creators. Our solution is to create patents that expressly permit everyone to innovate openly. You can read more in our terms of license here.

While these are just two initiatives from Mozilla amongst many more in the open source community, we need more innovative ideas in order to fully harness intellectual property rights to foster innovation, creation and competition. And we need policy makers to be open (pun intended) to such ideas, and to understand the place they have in the intellectual property ecosystem.

More than just our world of software development, the concept of a rightsholder is in reality broad and nuanced. In practice, we’re all rightsholders – we become rightsholders by creating for ourselves, whether we’re writing, singing, playing, drawing, or coding. And as rightsholders, we all have a stake in this rich and diverse ecosystem, and in the future of intellectual property law and policy that shapes it.

Here is some of our most recent work on IP reform:

Reining in abuses of the DMCA notice system

The Digital Millennium Copyright Act (DMCA) should be reformed to help promote openness online. We’ve made this case before, posting about section 1201 on the circumvention of technological protection measures. Now, the U.S. Copyright Office has sought comments on section 512, on liability for intermediaries whose services may facilitate activity that infringes copyright. In this area, too, we argue for changes to better support openness. So, we filed comments in response to this consultation last week.

Section 512 gives an exemption (also known as a “safe harbor”) to the normal presumption of liability for copyright infringement, if the intermediary (usually a website, platform or ISP) follows a set of defined processes to deal with copyright complaints. These processes are centered around DMCA notices and counter-notices, and are a common occurrence in online life for creators who take advantage of fair use and other exceptions to copyright to build upon the work of others. Section 512’s protections have enabled the massive growth both of online services and, thereby, of the market and opportunities for licensing copyrighted works. Both of these outcomes have delivered great benefits to Internet users. Some believe these benefits have come with huge costs to rightsholders and believe the current approach should be gutted and replaced with a more punitive “notice-and-staydown” strategy; we believe these proposals should be ignored. But, there is room for improvement.

Because of important nuances of copyright law, it is not just the content but also the context in which content is found that determines infringement. For example, a piece of content can be used as a parody or for criticism or comment – or the user may hold a license permitting the activity – which would not constitute infringement. However, the automated systems which generate the majority of section 512 notices today work by detecting the presence of particular content. These systems cannot account for context, and thus many activities that are non-infringing trigger burdensome enforcement processes. This confusion, problematic in the current regime, would be amplified many times over in a “notice-and-staydown” regime.

In our filing, we offer three main proposals for reform to improve on the current system:

  1. Rebalance the underlying incentive structures by introducing statutory damages as a component of the remedy for unwarranted DMCA takedown requests;
  2. Attach penalty of perjury to the accuracy of notices as a whole, not merely the authority of the complaining party to act; and
  3. Give intermediaries some discretion to preserve the availability of content during the statutory 10-day waiting period under good-faith belief of invalidity of the notice (for example, for users who are frequently targeted with invalid notices).

Considering how long ago it was written, and the major technological advancements since then, section 512 has aged very well. It should be viewed generally as a farsighted and well-designed attempt to promote the interests of users who want engaging online services. We hope that the reforms we propose will be adopted to ensure that it continues to maximally promote innovation and creativity online.

Challenges to openness under U.S. copyright law

The Mozilla Manifesto has as its second principle, “The Internet is a global public resource that must remain open and accessible.” The Internet is the most significant social and technological medium of our time, and an invaluable public resource that must be protected and supported. Yet, Internet openness is at risk all around the world, from a number of different directions. One of these is copyright law, and the restrictions that are, at times, imposed on socially and economically beneficial activity. Mozilla has been engaging in various copyright reform processes in the European Union over the past several months, advocating for a European wide framework that promotes competition and innovation online. Now, we are bringing that advocacy across the Atlantic to the United States.

The U.S. Copyright Office is currently seeking comment on part of the Digital Millennium Copyright Act, Section 1201 of Title 17, which prohibits the circumvention of technical measures that effectively control access to copyright protected works. In response, we have submitted comments articulating our view of the problems associated with this law as it stands today, and have offered suggestions that promote openness online, within the general framework of the law.

In practice, Section 1201 implements a different balance of interests than copyright law. It allows copyright holders to impose more severe restrictions on user freedoms than copyright law alone permits. The combination of technical measures and circumvention liability is unable to distinguish between infringing and non-infringing uses of content – so, in service of the ostensible goal of limiting infringement, innovative and positive activities, that do not violate copyright law, get caught up as well. The statute includes some limitations to try to alleviate this harm, including a few specific permanent exceptions as well as a process for requesting additional temporary ones, but these measures fall short. As a result, Section 1201 stifles fair use and other legitimate activities, posing risk of long-term harm to competition, innovation, and culture.

The notice of inquiry asks for suggestions for both general improvements, and for specific changes to the statute’s exceptions. In our filing, we identified gaps where the permanent exceptions have fallen short of accomplishing their ostensible objectives. We also offered three suggestions to help improve the 3-year exemption review process:

The changes we propose would not “fix” Section 1201. It’s hard to conceive of anything that would be a complete fix, so long as the law allows a different balance of interests to be imposed than that set under copyright law. However, the changes we propose, if implemented, would help protect openness to a greater degree than the current approach.

Mozilla stands up for public participation and openness in Trans-Pacific Partnership

The Trans-Pacific Partnership (TPP), like many modern trade deals, encompasses complex aspects of Internet policy, yet the voice of the Internet community has been excluded from the nearly decade-long negotiations. As a result, the balance shifts away from users and the public interest. It is our belief that effective global Internet policy and governance decisions can’t be made without openness, and that the TPP’s processes fail in this regard.

The lack of open processes and public discussion is a primary concern for us because:

  • Global Internet policy issues, including copyright and free expression, are complex and impact the core of openness online in ways that can’t be solved in isolation;
  • Openness is core to both the Internet (including Internet governance) and Mozilla’s mission and values; and
  • When Internet policy decisions and processes lack openness, lack of participation means that user interests are often undervalued and underserved.

We have seen this same thing happen in the past. In January 2012, PIPA/SOPA attempted to create intellectual property policy without public input. At the end of the same year, the World Conference on International Telecommunications (WCIT) attempted to build Internet governance processes without a public role. In both cases, public pressure prevailed and defeated these threats to openness and public benefit. Our concern is that when these same threats come cloaked within trade deals, they may not be visible as threats until the damage has already been done.

In the final draft of the TPP, we see copyright losing ground with the balance tipping away from users and the public interest and towards businesses built on IP maximization. Provisions are strong where the rights of some major institutions and traditional business models are at stake, such as implementing software patent frameworks, expanding copyright terms (with retroactive effect), and establishing minimum damages for copyright infringement. Yet, the provisions that have been added to support the rights of the public are softer, including those related to public domain and limitations and exceptions to copyright.

At the end of January 2016, the Electronic Frontier Foundation (EFF) organized a strategy meeting on reforming trade negotiation processes — a two-day summit held in Brussels. Over 30 diverse organizations – including Mozilla – came together to collectively discuss strategy and tactics on how to improve transparency in the negotiation processes for current and future trade deals. The result is a declaration released today, which Mozilla has signed.

While we recognize there may be compelling reasons for sensitivity in some of the negotiations of the TPP and other trade agreements, our view is that these processes are not appropriate to resolve global Internet policy challenges. The future of Internet policy and governance issues must be determined through open and transparent processes that allow all voices to be heard and all rights to be fairly weighed. We look forward to working alongside other stakeholders to collectively forge needed reform of trade deals like the TPP.