Cybersecurity News & Commentary - June 2018

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news over the past month, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.

June 29, 2018
Supreme Court Moves to Tax Online Sales

A Supreme Court ruling of 5-4 overturned a decades-old law that had allowed businesses to avoid collecting sales tax from online customers if the retailer had no physical presence in their state. Now, any state can require internet retailers to collect sales taxes even if they have no physical store in the area. The original lawsuit was brought against retailers Wayfair, Overstock, and Newegg by the state of South Dakota, leveraging a 2016 state rule that required out-of-state businesses with more than $100,000 in sales to collect sales tax from residents online. Brick-and-mortar retailers claimed that if online retailers weren't required to collect sales tax in all states for all transactions, they would continue to have an unfair price advantage. As some states have been flirting with bankruptcy, this verdict is poised to offer millions of dollars in new revenue.


Professor Sudheer Chava: "The ruling, on the one hand, may help brick-and-mortar businesses to compete with e-commerce firms on a level playing field. But on the other hand, it may create an entry barrier for small and emerging players in the online retail landscape.

"In a recent study (by Georgia Tech's Scheller College of Business: S. Chava, A. Oettl, M. Singh, L. Zeng), we analyzed the impact of the staggered rollout of a major e-commerce retailer’s warehouses on the income and employment of workers at geographically proximate brick-and-mortar retail stores. Using an employer-employee payroll dataset for approximately 2.6 million retail workers, we found that the establishment of an e-commerce warehouse in a county hurts the income of retail workers in that county and neighboring counties within 100 miles. The wages of hourly workers, especially part-time hourly workers, decrease significantly. Using sales and employment data for 3.2 million stores, we found that retail stores in counties around an e-commerce retailer’s warehouses experience a reduction in sales and their number of employees. Overall, our results highlight the extent to which a dramatic increase in e-commerce retail sales can have adverse consequences for workers at traditional brick-and-mortar stores.

"This ruling may help physical stores, both small and large, who were previously at a disadvantage relative to online retailers, and thereby, some of the workers of these retailers. But, smaller online vendors without the structure or capacity to build a tax collection apparatus in 45 different states, may also face challenges.  As states start requiring state sales tax collection for out-of-state retailers, the complexity of new regulations, legislation and enforcement are going to pose significant compliance challenges for small online retailers."

IISP Analyst Holly Dragoo: "To date, online streaming services like Netflix and Hulu have sporadically been subject to taxation in different states; it was only a matter of time before this issue graduated towards other e-commerce transactions with consistency. As is the case with many Internet-related Supreme Court cases (i.e. Microsoft vs. Ireland leading towards the CLOUD Act of 2018, or Zeran vs. AOL Inc. in 1998 leading to the Communications Decency Act amendments), it’s probably fair to say that legislation affecting both online streaming services and other goods will emerge in the next couple years to synchronize the different policies and formulate a true federal standard. Until then, it is up to states to, one-by-one, begin collecting sales tax for online purchases should they so choose."



The Promise and Perils of a Fully Connected World

Seven Facebook patents hold alarming new surveillance powers, according to The New York Times, which asked whether they indicate future directions by the popular social media channel. Among the patents are the ability to analyze facial expressions as users read their feeds, tools to predict major life events (such as death), analyze sleep, and learn whether one actually watches ads on TV or mutes them. The company responded that patent applications should not be interpreted as future product plans and that most of the technology "has not been included in any of our products, and never will be,” said Allen Lo, a Facebook vice president and deputy general counsel, to the The New York Times. Still, privacy advocates worry and warn that free services are never truly "free."

Asst. Professor Sauvik Das: "Many large tech companies have filed creepy patents to use your personal data (e.g., your online posts and what you say in your home) to infer sensitive information about you and your loved ones (such as, when you might die or when your kids are misbehaving). Few of these patents will result in real products. Often, these companies file patents preemptively before making any product decisions. However, these patents illustrate a more concerning point: while future consumer technologies will unlock a rich design space of application areas that should make our lives more enjoyable, they also will create a mass surveillance infrastructure that could irrevocably alter human behavior.

"The perception of being watched can produce a chilling effect on human behavior. In an always-on, fully connected environment, people may never be alone. Their social interactions will be stilted by the knowledge that everything may be logged and later audited. People may never feel empowered to voice controversial or unpopular opinions. In turn, they may never be able to develop new ideas that spark larger movements. This could have disastrous effects for democratic societies that are founded on the notion of a free exchange of ideas.

"A fully connected cyber-physical world is coming. It is imperative that we work towards both understanding the effects of these systems on human behavior and developing trustworthy protections against threats of mass surveillance in lockstep with any technical advances. The required efforts will be massive and work against market forces. But it’s important."


Carpenter v U.S. Gives New Privacy Coverage for Locational Data

A closely watched Supreme Court case came to conclusion with another 5-4 ruling against law enforcement's use of cell-site location information (CSLI) without a warrant. Using CSLI data obtained from a mobile service provider, officials had been able to reconstruct a history of plaintiff Timothy Carpenter at or near a series of robberies, leading to his conviction. Historically speaking, law enforcement has been granted access to non-content data that is necessary for telecommunication since it had been considered, by definition, publicly available data (Smith vs. Maryland, 1979). However, the Supreme Court now states that such precedents from prior years did not take into account the “exhaustive chronicle of location information casually collected by wireless carriers today.”


IISP Analyst Holly Dragoo: "With the disclaimer to say I am not a lawyer, I can say that on the surface this departure (from the prior precedent of Smith vs. Maryland) will significantly hurt law enforcement efforts to pursue criminals in an ever-evolving digital landscape. Yes, they can always go get a warrant for the data – and in this case maybe they could have – but in many cases, analysis of CSLI is the basis that allows for warrants in the first place. It may be controversial, but fundamentally this is about the fourth amendment definition of “private property” and what a “search” is. Places where you have been are not “things” you can possess or safeguard, and therefore in my opinion do not have an expectation of privacy. Rapid periods of technological change will continue forever. Fear of big data should not be the basis of altering fourth amendment definitions."


Microsoft Document Provides Insight Into Tech Giant's Philosophy for Addressing Vulnerabilities

Microsoft has published a draft of a six-page document that describes how their security response center decides how to handle vulnerabilities reported by security researchers. The document explains that vulnerabilities that violate certain security boundaries or security features are subject to patching, whereas other vulnerabilities may only be addressed in future versions of their products. The document also clarifies which security features are subject to bug-bounty awards and which are not.


IISP Analyst Joel Odom""A short draft publication like this may not at first seem to be the kind of material that is worth much commentary, but its release in the security research community has stirred interest because of the insight it provides into what security features Microsoft considers most important. It's an educational piece for security managers and for technical persons alike.

"According to the paper, there are two questions that Microsoft asks when deciding how to triage a security vulnerability.  The questions can be simplified into: Is the vulnerability dangerous in a security feature that Microsoft is committed to protecting?  If the answer is yes, then Microsoft will patch the vulnerability. It's a common-sense question that balances business costs and security. The meat of the paper explains how Microsoft answers this question.

"A large section discusses security boundaries. Most computers have network connections, multiple users, and may be used to run software (including web applications) from different sources. Security boundaries to protect a computer and its data reside at the point of network entry, at the boundary between tabs in a web browser, and at the boundary between user applications and the operating system. The rise of virtualization has created the need to protect virtual computers running on the same host from each other. The Microsoft paper includes an informative list of important security boundaries, every one of which Microsoft indicates they are committed to protecting. Understanding these security boundaries is important to understanding how a modern operating system protects data.

"The paper also discusses security features, such as access-control features that authenticate users onto the system and that make decisions about what actions an authenticated user is allowed to take. System cryptography services, which both user applications and the operating system use to perform exceptionally sensitive operations, are also included in the list of security features. As in the case of the security boundaries listed in the paper, Microsoft indicates that they are committed to patching all of the security features described in the paper.

"We also learn from this document the kinds of features that Microsoft is not necessarily committed to patching.  In particular, Microsoft notes that defense-in-depth features, which provide extra layers of safety, will not necessarily be patched if a flow is discovered.  For example, User Account Control, which gives a user a visual cue when applications request administrative access to the system, will not necessarily be patched. This is not a problem from a security standpoint. Security is never perfect, and there is always a tradeoff between business requirements and the cost of security. The insight into how Microsoft calculates this tradeoff within the paper should be interesting to security managers and techies alike."


An Access Model for WhoIs Data that Respects Registrants' Rights

Following implementation of GDPR, the battleground over privacy for domain-name owners listed in the WhoIs directory has shifted to the question of how people can get past new restrictions and access the personal information that used to be there. Interest groups that favored an open WhoIs directory are pushing to restore unlimited, anonymous access. In this post, Georgia Tech's Internet Governance Project proposes a model that would allow those with a legitimate interest to gain access to the data, would be GDPR-compliant, and would respect the rights of both parties: those who need access and those whose data is accessed.

Internet Governance Project:

IISP Analyst Farzaneh Badiei"We submit this model for community discussion at the ICANN 62 meeting in Panama [held June 25-28]....Access to personal information of domain name registration WHOIS directory should take place under the following conditions: 1) a confederated RDAP; 2) No thick registries; 3) Registrars in change of granting access; 4) Law enforcement agencies develop their own accreditation; 5) Narrow legitimate interest in line with ICANN's mission; 6) Access restricted to individual queries, and 7) Requestor accountability." Read the full proposal in the link above.