Schneier's Analogy: Today's Pending Tech Laws to 1978's Credit Card $50 Liability Cap Act


Last week I posted a Googler's question of ethics (shouldn't techies "all be learning about, the world?") to security expert Bruce Schneier in Googler Embarrassed by Zuckerberg (Schneier at Google).

Today's a good day to post Schneier's credit card liability analogy to privacy laws brewing in the U.S. (The House of Representatives' Energy and Commerce Committee held hearings today on pending privacy laws, and the Senate Commerce Committee will hold hearings tomorrow. More on that in future posts.)

Schneier's talk explored the bridging of technology and policy in 2019. He begins:
But how do we give them [policy makers] the expertise to do it right?

Uh, my guess is the courts are going to do some things relatively quickly. Because cases will appear. And that regulatory agencies will follow.

I think Congress comes last. But don't count them out. Nothing motivates governments like fear. Think back to the terrorist attacks of September 11th - we had a very small-government administration create a massive bureaucracy kind of out of thin air. And that was all fear-motivated.

And when something happens, there will be a push that something must be done.

And we are past the choice between smart government involvement, vs. no government involvement.

Our choice now is smart government involvement, vs. stupid government involvement. And the more we can talk about this now, the more we could make sure it's smart.
Next Schneier talks about one policy that helped commerce thrive and was more win/win (corporation wins, consumer wins) than people remember - a policy regarding credit cards:
My guess is any good regulation will incent private industry...

The reason we have such bad security is not technological, it's more ... economic.

There's lots of good tech, and, you know, while some of these problems are hard, they're like ... send-a-man-to-the-moon hard, they're not fast-and-light-travel hard. And once the incentives are in place, industry will figure out how to do it right. A good example might be credit cards.

In the early days of credit cards, we were all liable for uh, for frauds and losses. That changed in 1978, the Fair Credit Reporting Act. That's what, uh, mandated the maximum liability for credit card fraud for the consumer is $50.

And you understand what that means? That means I could take my card, fling it in the middle of this room, give you all lessons on forging my signature! And my maximum liability is $50. Right? It might be worth it for the fun!

But what that meant, right, that change, that even if the consumer is at fault, the credit card company is liable. That led to all sorts of security measures:
- That led to online verification of, uh, of credit and card validity.
- That led to anti-forgery, uh, measures like the holograms and the microprinting.
- That led to mailing the card and the activation information separately.
- And requiring you to call from a known phone number.
- And actually, most importantly, that enabled back-end expert systems that troll the uh, credit, the transaction database, looking for fraudulent spending patterns.

None of that would have happened if the consumers were liable. Because the consumers had no ability to implement any of that.

You want the entity that can fix the problem to be responsible for the problem. That is just smart policy. So I see a lot of innovation that's not happening because the incentives are mis-matched.

So I think Europe is moving in this direction, right? The EU is right now the regulatory superpower on the planet. And they're not afraid to use their power. We've seen that in the GDPR in the privacy space. I think they're going to turn to security next. I mean they're already working on what responsible disclosure means. Uh there's that ... have you ever seen that on manufactured goods, there's that label called C.E.? That's an EU label. Basically means "meets all applicable standards." They're working on standards for cybersecurity. You'll see them get incorporated into trade agreements, into GATT...
In the shadow of high-drama hearings with the president's former lawyer and "fixer" on Capitol Hill, there's much chatter in privacy advocacy circles this week regarding Congress's privacy hearings taking place today and tomorrow.

Last year, California Governor Jerry Brown signed the California Consumer Privacy Act into law; it takes effect in 2020. The Electronic Frontier Foundation at one time urged federal lawmakers not to pass a national law that would "pre-empt" or weaken the various state privacy laws like California's. But Silicon Valley Congressman Ro Khanna at one time said we need a federal privacy law this year and seemed determined to get in front of that effort.

T'will be interesting to see how this develops, and whether a privacy act makes its way out of committee this week.
Schneier packs a lot into one hour, to promote his latest book Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. His book talks about security in a world where now "everything is a computer." I recommend his writings highly; they're often lively and surprisingly sensible.
This work by AJ Fish is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.