Lunch of Day 3, OII Summer School.
Spent about half an hour with Danny Weitzner (MIT) on my ongoing research. Danny commented on a couple of things, especially my methodological aspects, which I think I’d better store here.
He initially agreed with me on the use of the CIA (Confidentiality, Integrity and Availability) concept as a model for my framework. However, he noted that such an information security concept may not necessarily make a good regulatory framework, i.e. it’s an option. More importantly, he stressed that the priority, or the first question, should be: what risk(s) are being addressed here? For whose interests? Etc.
The common failure of the regulatory framework, Danny argued, is that the law does not reflect the development of the technology. It must pass certain neutrality standards, such as technical neutrality as well as architectural neutrality. We need to learn from the American Privacy act (on wiretap, etc.), which had not passed architectural neutrality.
On the source of data: Danny agreed it is very important to approach the regulators, lawyers and computer scientists/practitioners; however, asking consumers may not be easy. It can appropriately be taken out.
Also, while it is interesting to assess whether or not the CIA template is useful (e.g. the problem might lie heavily on confidentiality as opposed to the other elements), it is far more important to understand what or where the existing law has failed. For this, it is very useful to ask people in law enforcement, i.e. police, etc.: ‘what are their problems in implementing the law?’
On top of that, Danny further emphasised the importance of comparative study with other countries/jurisdictions. Given the experience and exposure Danny possesses as an academic, this lunch chat was great.
Thanks Danny! (p.s.: Since 30th July 2009, Danny has been appointed to run the US Government Internet Policy Unit under the new US administration)