JEFF KOSSEFF
Jeff Kosseff is an associate professor of cybersecurity law in the United States Naval Academy’s Cyber Science Department. He is the author of four books and more than 20 academic journal articles.
In fall 2023, Johns Hopkins University Press will publish his latest book, Liar in a Crowded Theater: Freedom of Speech in a World of Misinformation, which examines and defends legal protections for false speech. In 2019, he was named an Andrew Carnegie Fellow by the Carnegie Corporation of New York, to support his 2022 book The United States of Anonymous: How the First Amendment Shaped Online Speech. His 2019 book, The Twenty-Six Words That Created the Internet, traced the history of Section 230 of the Communications Decency Act. He also is the author of Cybersecurity Law, a textbook and treatise whose third edition was published by Wiley in 2022.
His articles have appeared in Iowa Law Review, Illinois Law Review, Wake Forest Law Review, Berkeley Technology Law Journal, Computer Law & Security Review, and other law reviews and technology law journals. His research interests include cybersecurity regulation, online intermediary liability, and the law of armed conflict as applied to cyberspace.
Jeff practiced cybersecurity, privacy, and First Amendment law at Covington & Burling, and clerked for Judge Milan D. Smith, Jr. of the United States Court of Appeals for the Ninth Circuit and Judge Leonie M. Brinkema of the United States District Court for the Eastern District of Virginia. Before becoming a lawyer, he was a technology and political journalist for The Oregonian and was a finalist for the Pulitzer Prize for national reporting and recipient of the George Polk Award for national reporting.
He received a J.D. from Georgetown University Law Center, and a B.A. and M.P.P. from the University of Michigan.
His CV is available here.
The views on this website only are Jeff’s and do not represent the Defense Department, Navy, or Naval Academy.
Books
Cybersecurity Law (Wiley, 2017): Textbook/treatise on global cybersecurity laws and regulations for U.S. companies. Second edition published in December 2019; Third edition published in 2023; Fourth edition forthcoming in 2024.
The Twenty-Six Words that Created the Internet (Cornell Press, 2019): nonfiction narrative history of Section 230 of the Communications Decency Act
The United States of Anonymous: How the First Amendment Shaped Online Speech (Cornell Press, 2022)
Liar in a Crowded Theater: Freedom of Speech in a World of Misinformation (Johns Hopkins Press, 2023)
Selected Academic Publications
What Was the Purpose of Section 230? That’s a Tough Question, Boston University Law Review (2023): What was Congress’s intent in passing § 230? It sounds like a straightforward question, but it is anything but. Congress passed § 230 as a small part of the Telecommunications Act of 1996, the first overhaul of U.S. telecommunications laws in six decades. Section 230 received little attention in Congress or the media, so the legislative history is limited. Compounding the challenge is that § 230’s text evolved in subtle but consequential ways between its introduction and passage, making it difficult to divine a single intent of “Congress.”
Upgrading Cybersecurity Law, Houston Law Review (2023): The United States has long lacked a cohesive legal system to address the increasingly urgent issues surrounding cybersecurity. The nation relied on laws that mainly focused on privacy, identity theft, data security, hacking and other issues, but failed to directly address the most pressing cybersecurity challenges. The laws often lacked precision and efficacy. Fortunately, this has begun to change. In the early 2020s, U.S. lawmakers and regulators finally started to get serious about cybersecurity, and have begun to develop legal rules that address modern cybersecurity challenges. This is the third in a series of articles evaluating U.S. cybersecurity law. The first article defined the field, and the second suggested general principles for effective laws. This article assesses 10 recent upgrades and explains how they contribute to a cohesive cybersecurity legal system. The Article then evaluates the remaining gaps, and suggests a path forward.
A User’s Guide to Section 230, and a Legislator’s Guide to Amending It (or Not), Berkeley Technology Law Journal (2023): Section 230 of the Communications Decency Act, which immunizes online service providers from liability for user content, is key to the business models of some of the nation’s largest online platforms. For two decades, the 1996 statute was mostly unknown outside of technology law circles. This changed in recent years, as large social media companies have played an increasingly central role in American life and have thus faced unprecedented scrutiny for their decisions to allow or remove controversial user content. Section 230 has entered the national spotlight as a topic of national media coverage, congressional hearings, and presidential campaign rallies. Unfortunately, not all this attention has accurately portrayed why Congress passed Section 230 or how the statute works. The misunderstandings of the law are particularly troubling as Congress is considering dozens of proposals to amend or repeal it. This Article attempts to set the record straight and provide a “user’s guide” to the statute, along with principles for legislators to consider as they evaluate amendments to this vital law.
Protecting Free Speech in a Post-Sullivan World (with Matthew Schafer), Federal Communications Law Journal (2022): Until 1964, courts were free to penalize journalists, activists, and others for criticizing the most powerful figures in the United States. That changed with the Supreme Court’s opinion in New York Times v. Sullivan, which requires public officials suing for defamation to establish actual malice, a daunting hurdle. Over the next three decades, the Court expanded on Sullivan and built a framework that provides vital First Amendment protections for modern journalism, online commentary, and other criticism. Those safeguards face their greatest threats ever, as high-profile figures weaponize defamation lawsuits and two Supreme Court justices call on their colleagues to join them in reconsidering Sullivan. As the Supreme Court has recently demonstrated, it will not shy away from rethinking even the most vital and established constitutional protections. To prevent the damage to free speech caused by a sudden reversal of Sullivan, we propose the federal Freedom of Speech and Press Act, which codifies many of the protections of Sullivan and its progeny and preempts state defamation laws that do not satisfy certain minimum standards that preserve “uninhibited, robust, and wide-open” debate across the country.
Hacking Cybersecurity Law, Illinois Law Review (2020): Unlike discrete legal fields such as patent and employment law, cybersecurity law spans a number of sections of the U.S. Code, as well as state and international laws. Because the contours of cybersecurity law are blurry, U.S. policymakers have not sufficiently determined how to most effectively align statutes and regulations with current cybersecurity threats. This Article builds on the author’s previous work to define the scope of cybersecurity law, and suggests seven guiding principles to radically reshape – or “hack” – the legal system to better address current and future cybersecurity threats. This Article draws on legal scholarship and other fields of law to derive high-level goals for policymakers as they seek to make cybersecurity law more effective, cohesive, and agile.
Hamiltonian Cybersecurity, Wake Forest Law Review (2019): Cyberattacks present existential challenges for U.S. national security and economic interests, yet Congress has failed to adopt a comprehensive regulatory framework to secure private-sector information and systems. To fill that gap, state legislatures have passed many laws that regulate data security, data breaches, and protection of personal data. The requirements of these laws vary significantly, are outdated, and sometimes conflict. This Article explains why this state-centric approach to cybersecurity is inadequate. First, the Article examines the Framers’ desire for a uniform approach to commercial regulations, and explains how the U.S. approach is scattered, outdated, and decentralized. A comprehensive federal cybersecurity statute would help to realize the Framers’ vision. Second, the Article asserts that, given this prudential argument, the state approach to cybersecurity and data protection regulations may be unconstitutional under the Dormant Commerce Clause, which prohibits state laws that unduly burden interstate commerce or impose inconsistent regulations.
Cybersecurity of the Person, First Amendment Law Review (2019): U.S. cybersecurity law is largely an outgrowth of the early-aughts concerns over identity theft and financial fraud. Cybersecurity laws focus on protecting identifiers such as driver’s licenses and social security numbers, and financial data such as credit card numbers. Federal and state laws require companies to protect this data and notify individuals when it is breached, and impose civil and criminal liability on hackers who steal or damage this data. In this paper, I argue that our current cybersecurity laws are too narrowly focused on financial harms. While such concerns remain valid, they are only one part of the cybersecurity challenge that our nation faces. Too often overlooked by the cybersecurity profession are the harms to individuals, such as revenge pornography and online harassment. Our legal system typically addresses these harms through retrospective criminal prosecution and civil litigation, both of which face significant limits. Accounting for such harms in our conception of cybersecurity will help to better align our laws with these threats and reduce the likelihood of the harms occurring.
Defining Cybersecurity Law, Iowa Law Review (2018): As data breaches, denial-of-service attacks, and other cybersecurity incidents lead to extraordinary economic and national security consequences, commentators increasingly look to the legal system for solutions. Unfortunately, U.S. laws do not have a unified and coherent vision for the regulation and promotion of cybersecurity. For that matter, the U.S. legal system lacks a consistent definition of the term “cybersecurity law.” This Article aims to fill that gap by defining cybersecurity law. Although many articles have addressed various aspects of cybersecurity, none have stepped back to define exactly what cybersecurity is and the goals of statutes and regulations that aim to promote cybersecurity. By defining the scope and goals of this new legal field, we can then examine how lawmakers could improve existing laws.
Developing Collaborative and Cohesive Cybersecurity Legal Principles, paper presented at the NATO Cooperative Cyber Defense Center of Excellence Conference on Cyber Conflict (Tallinn, Estonia) and published in the IEEE conference proceedings (June 2018): This Paper sets forth the need for nations to discuss common legal principles for promoting and regulating cybersecurity, similar to the privacy principles articulated in Organization for Economic Cooperation and Development’s Fair Information Practices in 1980. As a starting point for discussion, this Paper suggests four goals of common international principles for cybersecurity law: (1) modernization of cybersecurity laws; (2) uniformity of legal requirements; (3) coordination of cooperative incentives and coercive regulations; and (4) supply chain security. Although cybersecurity laws always will vary, international coordination could improve the efficacy of cybersecurity laws by providing some degree of consistency. A dialogue also could help policymakers learn from other nations’ cybersecurity successes and failures.
New York’s Financial Cybersecurity Regulation: Tough, Fair, and a National Model, Georgetown Law Technology Review 1 Geo. L. Tech. Rev. 432 (2017): This Article explores the new cybersecurity requirements that New York’s financial regulators will impose on its regulated companies, and argue that the revised regulation is a model of a rigorous, fair, and technologically sound cybersecurity regulation. New York’s regulation could serve as a model for a uniform nationwide cybersecurity regulation that would provide certainty and clarity to companies while protecting the confidentiality, integrity, and availability of information and systems. Cybersecurity law in the United States currently is a patchwork of outdated privacy and computer crime laws; New York’s regulation, in contrast, is a model cybersecurity statute for the modern era.
The Gradual Erosion of the Law that Shaped the Internet, Columbia Science and Technology Law Review, 18 Colum. Sci. & Tech. L. Rev. 1 (2017): In this Article, I review all Section 230-related court opinions published between July 1, 2015 and June 30, 2016 to determine the extent of immunity. The review found that in approximately half of the cases, courts refused to fully grant Section 230 immunity. Most commonly, the courts conclude that the online service provider actually created and published the content. To be sure, 20 years after Congress enacted Section 230, Section 230 remains a strong shield for online service providers in many cases. However, as the amount of user-generated content has exponentially increased in recent years, courts have struggled with what was once viewed as bullet-proof immunity for online intermediaries, and are slowly enlarging the loopholes that allow plaintiffs’ lawsuits against intermediaries to survive.
The Hazards of Cyber-Vigilantism, Computer Law & Security Review, 32:4 Comp. L. & Sec. Rev. 642 (2016): In recent years, some aggressive actions against cyber-criminals and terrorists have come not only from state actors, but also from independent third parties such as Anonymous. These groups have claimed some significant victories in their battles against ISIS and similar organizations, by hacking their email, publicly exposing their secret communications, and knocking their websites offline. The hacker groups also combat other cyber criminals, including distributors of child pornography. Some of the groups' activities, however, violate the computer hacking laws of many nations. Some commentators have criticized these statutes, claiming that the laws unnecessarily prohibit private actors from serving the public good. I defend the broad prohibition of cyber-vigilantism, and argue that well-intentioned private actors can accomplish their goals by working with governments.
The Cybersecurity Privilege, I/S: A Journal of Law and Policy for the Information Society, 12:2 I/S: A Journal of Law & Policy 641 (2016): Cybersecurity work often relies on highly confidential information about a company’s network vulnerabilities, and therefore the disclosure of the work product or communications could be useful to plaintiff’s lawyers or regulators after a data security incident. To protect against this risk, companies attempt to cover their cybersecurity professionals’ communications and work product under an existing evidentiary privilege, such as the attorney-client privilege or work product doctrine. However, such privileges are an uneasy fit for some cybersecurity work, particularly prophylactic measures that are not directly tied to ongoing or potential litigation. In other words, current evidentiary law discourages companies from investing in the services necessary to prevent cyberattacks from occurring. In this Article, I propose the creation of a stand-alone privilege for cybersecurity work.
Select Presentations
Panelist, Privacy and Civil Liberties Oversight Board, Panel on Section 702 Reauthorization (Jan. 12, 2023)
Speaker, A Crash Course on Section 230 of the Communications Decency Act, DGAP German-American Initiative on Influencers, Disinformation, and Democracy in the Digital Age (Nov. 30, 2022)
Panelist, Catholic University Journal of Law and Technology, 25 Years and 26 of the Internet’s Most Controversial Words: Section 230 and the Modern Internet (April 1, 2022)
Keynote Speaker, Cardozo Arts & Entertainment Law Journal Spring Symposium on Section 230 (March 31, 2022)
Panelist, Rutgers Law School Computer & Technology Law Journal Symposium, Section 230 of the Communications Decency Act (March 31, 2022)
Speaker, Silicon Flatirons (University of Colorado), The United States of Anonymous (March 28, 2022)
Speaker, University of Florida Technology, Media, & Privacy Law Conference (March 25, 2022)
Panelist, Journal of National Security Law and Policy (Georgetown) Symposium, Social Media and Misinformation (March 8, 2022)
Panelist, Oregon State Bar Association, Civil Rights Committee Section 230 panel (Dec. 9, 2021)
Panelist, Practicing Law Institute, Communications Law in the Digital Age, Section 230 panel (Nov. 19, 2021)
Speaker, New Jersey State Bar Association Data Privacy Summit (Nov. 16, 2021)
Panelist, Federalist Society Seventh Annual Texas Chapters Conference, Big Tech and the Future of Section 230 (Sept. 18, 2021)
Panelist, Federal Communications Bar Association, Current Law on Content Moderation (July 8, 2021)
Panelist, Beverly Hills Bar Association, Program on Section 230 (May 25, 2021)
Panelist, Congressional Hispanic Caucus Institute Spring Policy Summit, The Role of Online Platforms in Content Moderation (May 19, 2021)
Speaker, Oxford University Strategic Studies Group, Reforming Cybersecurity Law to Bolster National Security (May 18, 2021)
Panelist, National Academies of Sciences, Engineering and Medicine, Section 230 Protections workshop (April 22 and 27, 2021)
Panelist, MIT Summit on Social Media (April 22, 2021)
Panelist, National Association of Attorneys General, Section 230 Briefing to State Attorneys General (April 16, 2021)
Dialogue Leader, The Sedona Conference Working Group 11 Annual Meeting (April 15, 2021)
Panelist, Association for Education in Journalism and Mass Communication annual meeting, Section 230: The Twenty-Six Words That Turned Online Speech Into Techlash (March 19, 2021)
Speaker, Unpacking Section 230 with Professor Jeff Kosseff, virtual event organized by Lincoln Network, a technology policy organization (July 13, 2020)
Panelist, Yale Information Society Project (virtual), Everything You Need to Know About Section 230 in 5 Hours (June 22, 2020)
Panelist, Federal Communications Bar Association Summer Series for Students on the Practice of Communications Law and Policy - virtual panel (June 15, 2020)
Panelist, Yale Law School Workshop on Cyber Norms (New Haven) (Feb. 5, 2020)
Speaker, CES Conference (Las Vegas) (Jan. 8, 2020)
Panelist, Social Media and the First Amendment, Knight First Amendment Institute and Georgetown University's Free Speech Project (Sept. 23, 2019)
Panelist, Should We Reform Section 230? American Enterprise Institute (Sept. 6, 2019)
Presenter, The Twenty-Six Words That Created the Internet, Johns Hopkins University Applied Physics Laboratory Symposium (Aug. 23, 2019)
Speaker, Internet Governance Forum - USA (July 23, 2019)
Presenter, The Twenty-Six Words That Created the Internet book talk, R Street Institute (May 16, 2019)
Panelist, The Twenty-Six Words That Created the Internet (Book Forum Panel), Cato Institute (April 17, 2019)
Panelist, The Internet and Society, Los Angeles Times Book Festival (April 13, 2019)
Panelist, Cybersecurity and National Security, Notre Dame Journal of International Law annual symposium (Feb. 22, 2019)
Presenter, The Twenty-Six Words That Created the Internet, Boston University Cyber Security, Law, and Society Alliance Presentation (Jan. 16, 2019)
Presenter, The Twenty-Six Words That Created the Internet, Mississippi State University, Office of Research and Economic Development Research Seminar (Jan. 11, 2019)
Panelist, First Amendment Law Review Symposium, University of North Carolina (Nov. 17, 2018)
Presenter, Hamilton’s Private Key: American Exceptionalism and the Right to Anonymity, DEF CON Crypto & Privacy Village, Las Vegas (Aug. 10, 2018)
Panelist, Briefing to United States House of Representatives Research and Development Caucus, Access to Science and Technology Expertise in Congress (May 11, 2018)
Panelist, Stanford Technology Law Review and Stanford Law and Public Policy Review 2018 Cybersecurity Law Symposium (April 27, 2018)
Panelist, Fighting Sex Trafficking Online: In Search of a Legislative Solution (congressional staff briefing), TechFreedom (Jan. 30, 2018)
Panelist, Breach Response, Albany Law School Cyber Security and the Law Conference (Oct. 20, 2017)
Moderator, Discussion with Deputy Attorney General Rod J. Rosenstein, Naval Academy Encryption and Going Dark Conference (Oct. 10, 2017)
Presenter, Defining Cybersecurity Law, Johns Hopkins University, Applied Physics Laboratory (Aug. 16, 2017)
Panelist, Inside Job, Improving Cybersecurity with Better Cyber Hygiene (June 15, 2017)
Presenter (with MIDN 1/C Dennis Devey), Understanding the Cybersecurity Act of 2015, BSidesCharm conference (April 30, 2017)
Moderator, The Future of Cybersecurity Regulation, Joint Service Academy Cyber Security Summit (Mar. 24, 2017)
Panelist, Governance, Risk Management & Compliance, Boston Conference on Cyber Security (Mar. 8, 2017)
Co-presenter (with Mike Bilzor), Cyber Reconnaissance and Intrusion, at Developing a Normative Framework for Cyberwarfare conference (Oct. 17, 2016)
Presenter: The Value of Intermediary Immunity: The U.S. Experience, Oxford Internet Institute Internet, Policy, & Politics Conference (Sept. 23, 2016)
Presenter, Cyber Security and the Law conference, French-American Foundation and Interpol (Sept. 16, 2016)
Panelist, Cyber Sovereignty: Ethical and Legal Considerations, Cyber Endeavor 2016, Naval Postgraduate School (June 22, 2016)
Moderator, Making Privacy Rules for New Networks: The FCC’s Regulation of Broadband ISPs, International Association of Privacy Professionals Global Privacy Summit (April 6, 2016)
Presenter, Preserving the Privilege During Breach Response, RSA Conference (Mar. 3, 2016)
Presenter, Ten Reasons to Adopt the NIST Cybersecurity Framework, The Law & Policy of Cybersecurity Symposium, University of Maryland (Feb. 5, 2016)
Presenter, Positive Cybersecurity Law: Creating a Consistent and Incentive-Based System (symposium article), Chapman Law Review, Chapman University (Jan. 29, 2016)
Presenter, Protecting the Privilege During Breach Investigations, InfoGovCon, Hartford, CT (Sept. 30, 2015).
Presenter, The Attorney-Client Privilege for Cybersecurity Investigations, Cyber Security Technology and Training Forum (Aug. 19, 2015)
Media commentary
What Protects Fox News Also Protects Democracy, New York Times (April 14, 2023)
It’s Time to Stop Arresting People for Trolling the Government, Wired (April 13, 2023)
State Legislatures Threaten the Right to Anonymous Speech, Lawfare (March 8, 2023)
9 People Hold the Internet’s Fate in Their Hands, Wired (Feb. 24, 2023)
If Congress Wants to Protect Section 702, It Needs to Rein in the FBI, Lawfare (Feb. 9, 2023)
The Most Important Supreme Court Precedent for Freedom of the Press Is in Jeopardy, Slate (with Matthew Schafer) (Jan. 22, 2023)
How States and Congress Can Prepare for a Looming Threat to Freedom of Speech, Lawfare (with Matthew Schafer) (July 5, 2022)
Happy 25th Anniversary to the Supreme Court Decision That Shaped the Internet We Have Today, Slate (with Jared Schroeder) (June 26, 2022)
America’s Favorite Flimsy Pretext for Limiting Free Speech, The Atlantic (Jan. 2, 2022)
Why Outlawing Harmful Social Media Content Would Face an Uphill Legal Battle, Washington Post (with Daphne Keller) (Oct. 9, 2021)
Why It’s No Laughing Matter That a Senator Asked Facebook to ‘Commit to Ending Finsta,’ Slate (Oct. 7, 2021)
The Lawsuit Against America Online That Set Up Today's Internet Battles, Slate (July 14, 2020)
Meet One of the Earliest Victims of Internet Bullying, Slate (Feb. 20, 2020)
What's in a Name? Quite a Bit if You're Talking About Section 230, Lawfare (Dec. 19, 2019)
Congress is Finally Tackling Privacy! Now Let's Do Cybersecurity, Slate (Dec. 3, 2019)
Section 230 Created the Internet As We Know It. Don't Mess With It, Los Angeles Times (Mar. 29, 2019)
Prevent Data Breaches, Don't Just Report Them, TechCrunch (May 9, 2017)
A VHS-Era Privacy Law in the Digital Age, TechCrunch (May 24, 2016)
In the Apple Encryption Debate, Can We Just Have the Facts, Please? TechCrunch (Oct. 26, 2016)
Should Tech Companies be Subject to the Fourth Amendment? TechCrunch (Dec. 13, 2015)
Time for a Serious Talk About Encryption, The Hill (Nov. 23, 2015)
The Biggest Cybersecurity Risk is Not Identity Theft, TechCrunch (Nov. 13, 2015)
Congress Looks at Car Hacking, The Hill (Oct. 26, 2015)
Notified About a Data Breach? Too Late, Wall Street Journal (Oct. 9, 2015)
Can Decency Be Legislated? TechCrunch (Oct. 9, 2015)
Cybersecurity is Expensive – That’s Why We Should Offer Tax Incentives, Forbes (Sept. 23, 2015)
To Fix Cybersecurity Law, Ask More Questions, TechCrunch (Sept. 15, 2015).
Education
Georgetown University Law Center
Juris Doctor, magna cum laude and Order of the Coif (2010)
Executive Articles Editor, Georgetown Law Journal
University of Michigan
Master of Public Policy, economic policy (2001)
Bachelor of Arts, economics (2000)
Courses Taught (United States Naval Academy)
SY406: Cyber Law & Ethics
SY403: Cyber Policy & Planning
SY485B: Politics of Cyberspace