Confidentiality, Security and ODR


Practical Issues of Cybersecurity and Automated Computer Responses

Are there Concerns with Privacy, Fairness, Etc. in Using an Online Platform?

W. Jay Hunston, Jr.

October 2, 2018

This report is intended to address two issues involving security and online dispute resolution (ODR).  These issues are the practical considerations of:  settlement offers via computer programs; and cybersecurity requirements for online communication.  These will be addressed separately.

Settlement Offers via Computer Programs:

The assumption here is that Online Dispute Resolution (ODR) will involve privately built dispute resolution programs which will, at some point in the negotiations, generate settlement alternatives for the parties.  Because these programs are created by private companies that are subject to no regulation of privacy, confidentiality or fairness, the concern is that a program could be built which is “slanted” in favor of or against one or more of the participating parties.

This issue has been recognized by Colin Rule, the original designer of the Modria dispute resolution system now owned and marketed by Tyler Technologies.  In an interview for The Digital Edge on February 13, 2018, he stated:  “… we have ethical standards for people who are serving as mediators and arbitrators and those are well-established, and they’ve been put together for almost 20 years at this point. But, we don’t have good ethical requirements for the programmers who are going to be writing the software that administers these online dispute resolution mechanisms.”

An effort to establish ethical standards for design, structure, practices and implementation of ODR systems has been undertaken by the International Council for Online Dispute Resolution (ICODR), building on prior work by the National Center for Technology and Dispute Resolution (NCTDR).  The proposed standards include accessibility, accountability, competence, confidentiality, equality, fairness/impartiality/neutrality, legality, security, and transparency [http://www.icodr.org].  According to Rule, “It’s all backed by the [NCTDR] at UMass Amherst, and we’re promoting these standards and we want to certify ODR providers to ensure that they abide by these new ethical standards.”

The issue becomes critical if and when a computer program actually becomes actively involved in the negotiations between the disputing parties by suggesting possible outcomes or alternatives to settle a dispute.  Imagine “Alexa” being the fourth participant in a mediation, with two parties, one mediator and Alexa.  In the face of a pending impasse, the mediator turns to Alexa and asks her “opinion”.  In the words of Rule, “ … that little Amazon Echo could go out and look at millions of cases and crunch a lot of numbers and come back and say, well, it appears to me a fair resolution would be this.”

ODR programs have been available for decades, including by way of example, Technology-enhanced Dispute Resolution (TeDR) and Settle-Now, marketed by ResolvNow, Smartsettle, marketed by iCan Systems, Inc., as well as Modria, now marketed by Tyler Technologies.  Adopting rules and regulations that ensure any ODR program used in our Florida courts meets the nine essential standards recognized by the ICODR will be critical to avoiding what Rule describes as the nightmare scenario:  “And you can imagine, somebody could build a digital kangaroo court, where they collect information from one party and assure them that it’s going to be confidential, and then secretly they hand it to the other side.”

Cybersecurity Requirements for Online Communication:

The insecurity of online communication has been recognized for decades.  The European Union (EU) adopted the General Data Protection Regulation (GDPR) in 2016, with an effective date of May 25, 2018.  As an EU regulation, the GDPR is directly applicable in every member state without national implementing legislation, and it has therefore applied throughout the EU since that date.  The GDPR requires data protection “by design and by default” (Article 25) and security measures appropriate to the risk (Article 32), which names encryption of personal data as one such measure; many commentators read these provisions as requiring, at a minimum, that any email carrying personal or sensitive data be encrypted.

“An email is like a postcard! When you send an email, some people like for example the enterprise IT administrator or the internet service provider can read its content if they want to. Therefore sending a normal email including personal or sensitive information without encryption is considered to be illegal under GDPR.”  [“Emails and GDPR – The Need and Drawbacks of Encrypting Emails”, Nuncic, Ontrack, 6/11/18.]

The two common approaches to email encryption are “transport encryption” and “content encryption”.  Transport encryption (TLS, negotiated between mail servers with STARTTLS) protects the connection between two servers:  the message is encrypted as it leaves one server and decrypted as it arrives at the next.  The protection is therefore hop by hop, not end to end.  Every server on the path holds the message in cleartext, and a message that passes through several servers on its way, which is the usual case, is protected only on those hops where both servers support and actually negotiate TLS; nothing guarantees that every hop does.  When the path is not under a single organization’s control, content encryption is the alternative.

Using content encryption, the email itself is encrypted rather than the connection it travels over, so it remains protected on every server between sender and recipient.  The most common forms of content encryption today are S/MIME (Secure/Multipurpose Internet Mail Extensions) and OpenPGP.  The basic concepts of security for both are similar:  “When implementing S/MIME in an MS Exchange Server a certificate is produced which contains the signature of the user and also contains his public key. When he sends another user (user “B”) this signature, he proves that he is the person he claims to be and gives his email recipient his public key and therefore gives him the right to send him encrypted emails. When user B then sends an encrypted email the next time to user A, the email client of user A “recognizes” that the email is from a secure and known sender, searches for his private key inside the email client and decrypts the email on the fly.”  [Ibid.]  Two caveats follow from this design.  First, only the private key can decrypt a message:  if the keys, certificates and the passphrases that protect them are not backed up separately from the original email server or desktop computer, a server malfunction or failure leaves every email encrypted to that key unrecoverable.  Second, both S/MIME and OpenPGP normally encrypt only the body and attachments; the sender, recipient, date and subject remain readable by every server the message passes through.
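Both points above, that transport encryption is only as good as the weakest hop and that content encryption is visible in the message structure itself, can be checked on a received message.  The following Python script is an added example, not code from the original report or from the Ontrack article quoted above.  It reads each Received: header (using the RFC 3848 “with” keywords, where ESMTPS means the hop used STARTTLS) and the top-level Content-Type (application/pkcs7-mime with smime-type=enveloped-data for S/MIME, multipart/encrypted with the application/pgp-encrypted protocol for OpenPGP) and reports which hops were transport-encrypted and whether the content is encrypted.  The three sample messages, their host names, ids and ciphertext placeholders are constructed for illustration.

```python
# Added example: audit a received email for hop-by-hop transport encryption and
# for content encryption. All messages below are constructed samples, not real mail.
import email
import re
from email import policy

# RFC 3848 records the protocol in the "with" clause of each Received: header;
# an 'S' after "MTP" (ESMTPS, ESMTPSA, LMTPS, ...) means STARTTLS protected that hop.
_WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
_BY_RE = re.compile(r"\bby\s+([^\s;()]+)")
_TLS_HINT_RE = re.compile(r"\b(TLSv?1|version=TLS)")  # cipher comments some MTAs add


def hop_used_tls(received_value):
    """True if one Received: header value records a TLS-protected hop."""
    value = " ".join(received_value.split())  # unfold and normalise whitespace
    m = _WITH_RE.search(value)
    if m:
        proto = m.group(1).upper()
        idx = proto.rfind("MTP")
        if idx >= 0 and "S" in proto[idx + 3:]:
            return True
    return bool(_TLS_HINT_RE.search(value))


def transport_hops(msg):
    """[(receiving_host, used_tls)] in delivery order (oldest hop first)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(str(value).split())
        m = _BY_RE.search(value)
        hops.append((m.group(1) if m else "?", hop_used_tls(value)))
    return hops


def content_encryption(msg):
    """'S/MIME', 'OpenPGP' or None, judged from the MIME structure (RFC 8551 / RFC 3156)."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # signed-data and compressed-data share this type but give no secrecy
        return "S/MIME" if msg.get_param("smime-type") == "enveloped-data" else None
    if ctype == "multipart/encrypted":
        return "OpenPGP" if msg.get_param("protocol") == "application/pgp-encrypted" else None
    if ctype == "text/plain" and "-----BEGIN PGP MESSAGE-----" in msg.get_content():
        return "OpenPGP"  # inline (non-MIME) PGP
    return None


def audit(raw_message):
    """Summarise transport and content protection of one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = transport_hops(msg)
    return {
        "hops": hops,
        "all_hops_tls": bool(hops) and all(tls for _, tls in hops),
        "content_encryption": content_encryption(msg),
    }


# Constructed sample 1: TLS on the first hop only, plaintext body.
PLAIN_MSG = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
    by mail.example.org (Postfix) with ESMTP id 4C1F2A
    for <mediator@example.org>; Tue, 2 Oct 2018 10:00:03 -0400
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
    by mx2.example.net (Postfix) with ESMTPS id 7B9D3E
    (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384)
    for <mediator@example.org>; Tue, 2 Oct 2018 10:00:01 -0400
From: party-a@example.com
To: mediator@example.org
Content-Type: text/plain; charset="utf-8"

Our client can go to 40,000 but not higher.
"""

# Constructed sample 2: plaintext hop, but the body is S/MIME enveloped-data.
SMIME_MSG = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
    by mail.example.org (Postfix) with ESMTP id 9A0B1C
    for <mediator@example.org>; Tue, 2 Oct 2018 11:00:01 -0400
From: party-b@example.com
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIBCgKCAQEAcGxhY2Vob2xkZXIgbm90IHJlYWwgY2lwaGVydGV4dA==
"""

# Constructed sample 3: TLS hop and PGP/MIME (RFC 3156) content encryption.
PGP_MSG = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
    by mail.example.org (Postfix) with ESMTPS id 2D3E4F
    for <mediator@example.org>; Tue, 2 Oct 2018 12:00:01 -0400
From: party-a@example.com
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder, not real ciphertext
-----END PGP MESSAGE-----
--b1--
"""
```

Run `audit(PLAIN_MSG)` and the result shows the first hop as TLS-protected and the final hop into mail.example.org in the clear, with no content encryption:  exactly the case where a mediator’s own server, or any relay on the way, could read the settlement position.  `audit(SMIME_MSG)` shows the same plaintext hop but reports S/MIME, so the body was protected regardless of the transport.  Note that the script judges only the MIME labels; it does not verify certificates or decrypt anything, and the headers it reads (sender, recipient, subject) are themselves unencrypted in all three cases.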

Most ADR professionals are not equipped to implement this level of security for online communications, and most day-to-day disputes may not warrant the expense.  However, the adoption of the GDPR in the EU foreshadows what may become the standard throughout the world, including the U.S.  If Florida is to adopt rules and regulations relating to ODR, the security of online communications must also be addressed.