Transatlantic Conference: Building Common Approaches for Cybersecurity and Privacy in a Globalized World

The Alexander von Humboldt Institute for Internet and Society (HIIG) is organizing, in cooperation with New York University (NYU), the second of two conferences on “Building Common Approaches for Cybersecurity and Privacy in a Globalized World” from 1 to 3 October 2018.


Transatlantic Conference:
Building Common Approaches for Cybersecurity and Privacy in a Globalized World
1–3 October 2018 | New York University School of Law
Lester Pollack Colloquium Room | 245 Sullivan Street, 9th Floor




The conferences address a central and highly topical challenge in transatlantic relations: the tension between cybersecurity and data protection. We bring together experts on cybersecurity, data protection and governance, legal scholars, and representatives of security agencies, business and politics to analyze the problems in this field, deepen the understanding of differing concepts, and develop approaches and strategies for solutions, while at the same time ensuring a more productive integration of the relatively independent discourses in the USA and in Europe on this topic.

Further information in the conference volume (pdf)
Please note that this is an invitation-only event.


Monday, 1 October 2018

06:00 p.m. Welcoming Remarks
Randy Milch (NYU Center for Cybersecurity; NYU Law School)
Ingolf Pernice (Humboldt University Berlin; HIIG)


Tuesday, 2 October 2018

Session 1: International Incentives toward Good Behavior?

09:30 a.m. The Value of Data. Data has value to holders and processors, yet compensating data subjects after data is lost has proven a scattershot exercise. Are there ways of attributing value to data as it sits with holders and processors such that both data subjects and those profiting from data would be on notice of the monetary effects of a data breach? Would this positively incent behaviors to lower cyber risk?

Sasha Romanosky (RAND Corporation)
Kai von Lewinski (University of Passau)
Terrell McSweeny (Federal Trade Commission)

11:00 a.m. Coffee Break
11:15 a.m. A Return to Safe Harbors? Article 83 of the GDPR requires due regard be given to a list of 11 aggravating and mitigating factors when deciding whether to impose an administrative fine and deciding on the amount of such a fine. Among the mitigating factors is whether a data holder or processor adhered “to approved codes of conduct . . . or approved certification mechanisms.” Is ‘due regard’ a sufficient incentive for better cybersecurity and privacy practices? Would an American-style “safe harbor” be more useful?

Scott Shackelford (Kelley School of Business; Ostrom Workshop Program on Cybersecurity and Internet Governance)
Paul Rosenzweig (Senior Advisor to The Chertoff Group)
Gail Kent (Facebook)
Reinhard Priebe (European Commission)

12:45 p.m. Lunch


Session 2: Enabling International Cooperation: Evidence and Equities


02:30 p.m. The CLOUD Act and International Norms? The Microsoft Warrant case effectively ended with the sudden passage of the CLOUD Act, which both affirms the ability of the US Government to obtain US person information held overseas by US service providers and acknowledges international concerns by favoring bilateral agreements and requiring in certain circumstances a comity analysis. Will the CLOUD Act work to ease EU concerns? Is this a way toward international norms on trans-border evidence collection?

Théodore Christakis (Université Grenoble)
Serrin Turner (Latham & Watkins)
Todd Schulman (Verizon Communications Inc.)

04:00 p.m. Coffee Break
04:15 p.m. Vulnerabilities Equities Processes: Comparative Processes and Best Practices: Law enforcement and intelligence services on both sides of the Atlantic face the same problem: publishing security vulnerabilities they know about would enable software manufacturers to provide fixes and thereby enhance the security of sometimes millions of devices and their users, while keeping those vulnerabilities secret would provide the services with necessary, and at times the only, tools for performing their duties in fighting serious crime and terrorism. Governments have begun to institutionalize decision processes for handling the services’ knowledge of security vulnerabilities, by which the benefits and risks, and the competing rights and interests, are to be assessed and balanced. What are the main lessons learned from experience so far? What are best practices that should be shared among the institutions responsible for VEP?

Michael Daniel (Cyber Threat Alliance)
Jason Healey (Columbia University’s School for International and Public Affairs)
Sven Herpig (stiftung neue verantwortung)


Wednesday, 3 October 2018

Session 3: Building Security: Design and Certification

09:00 a.m. Security by Design/Privacy and Data Protection by Design: Article 25 of the GDPR requires data protection measures be implemented in IT systems, while Article 32 of the GDPR analogously mandates the implementation of security measures. Both provisions fail to clarify which concepts or models of security, privacy and data protection by design they refer to. With the demand side unclear, what does computer science have to offer regarding privacy by design and security engineering approaches? What are best practices to be used for fleshing out the provisions of the GDPR?

Kyle Erickson (Palantir Technologies)
Nathaniel Good (Good Research)
Jörg Pohle (HIIG)

10:30 a.m. Coffee Break
10:45 a.m. Cyber Security Certification Regimes: Recent legislation in the EU like the NIS Directive and current legislative initiatives, e.g. the “EU Cybersecurity Act” as proposed by the European Commission, are establishing certification regimes for cyber security processes and technologies based on EU and international standards. Similar initiatives, e.g. the “Internet of Things (IoT) Cybersecurity Improvement Act” proposed in 2017, can be observed in the U.S., though containing quite technologically specific requirements. Are there parallel developments on the global level, e.g. ISO standards, or in the private sector, e.g. Underwriters Laboratories? Is there a prospect of a common approach?

Christian Djeffal (HIIG)
Sarah Zatko (Cyber Independent Testing Lab)
Eric Wenger (CISCO)

12:15 p.m. Conclusions & Outlook
Randy Milch (NYU Center for Cybersecurity; NYU Law School)
Ingolf Pernice (Humboldt University Berlin; HIIG)





Dr. Jörg Pohle

Head of Research Programme: Data, Actors, Infrastructures
