Lunch of Day 3, OII Summer School.
Spent about half an hour with Danny Weitzner (MIT) on my ongoing research. Danny commented couple of things especially on my methodological aspects, which I think I’d better store them here.
He initially agreed with me on the use of CIA (Confidentiality, Integrity and Availability) concept as a model for my framework. However, he notes that such information security concept may not necessarily make a good regulatory framework, i.e. it’s an option. More importantly, he stressed on e priority or the first question should be what risk(s) is being addressed here? For whose interests? Etc.
The common failure of the regulatory framework, Danny argued, is that the law does not reflect the development of the technology. It must pass certain neutrality standards, such as technical neutrality as well as architectural neutrality. Need to learn from the American Privacy act (on wiretap, etc) that had not passed the architectural neutrality.
On the source of data: Danny agreed it is very important to approach the regulators, lawyers and computer scientists/practitioners; however, asking consumers’ may not be easy. It can be appropriately taken out.
Also, while it is interesting to assess whether or not CIA template is useful (eg the problem might lay heavily on confidentiality as opposed to other elements), it is far more important to understand what or where the existing law has failed. For this, it is very useful to ask people in the law enforcement, i.e. police, etc: ‘what are their problems in implementing the law?’
On top of that, Danny further emphasised the importance of comparative study with other countries/jurisdictions. Given the experience and exposures Danny as an academic possesses, this lunch chat was great.
Thanks Danny! (p.s.: Since 30th July 2009, Danny has been appointed to run the US Government Internet Policy Unit under the new US administration)
TRIBUTE 
Hi Sonny:
jenn b. from SDP here!
these are really interesting points from your discussion w/ Danny. I find myself wondering, however, about his suggestion to ask law enforcement about problems in implementing the law. In Canada on a couple of different occasions we’ve seen law enforcement claiming they need new powers (in law) to deal w/ new technologies, but when asked by Parliament to show *how* existing powers are falling short in the face of new technologies they’ve been unable to do so. Similarly, I think many commentators have suggested that post 9/11 American law enforcement saw an opportunity to ask for (and get) a “wish list” of new powers even though at least arguably their existing powers were sufficient. Which is all to say that while I think Danny’s right that it can be helpful to consult w/ law enforcement, I also think it’s important to review those responses critically to ensure that one can distinguish between what law enforcement *needs* for proper enforcement and what law enforcement would *like* for proper enforcement =)
if you’re interested in looking at the Canadian context on this, CIPPIC’s page on “lawful access” has some great links (http://www.cippic.ca/projects-cases-lawful-access/) where you can see not only Parliamentary evolution of such proposals but various community groups, advocacy groups etc. responses to them.
Good luck w/ your dissertation — i look forward to staying in touch and following your work!