Computers, Freedom and Privacy 1999
was held in the Omni Shoreham Hotel in Washington, DC from April 6-8, 1999.
This was my second CFP; you can read the report I wrote from last
year's conference here.
The theme "the Global Internet" was achieved through including many international
panelists. It was refreshing to see Asian and South American panelists
on the program, as they provide different experiences with privacy and
censorship than most; it is also enlightening to hear their views and successes,
as well as the problems they are still having. The following
summary is based on my notes and the newsletters distributed at the conference,
which are available on the CFP site (Reports 1, 2, and 3). CFP is guaranteed
to be chock full of information, and this year did not disappoint. I am
only presenting a summary based on the panels I attended, so this report
will not cover each session. I often refer to
Roger
Clarke's notes on CFP, which I found quite useful. Note: links to many
papers can be found on the cfp99 site. Now, let's get down to to
it, shall we?
Tuesday's General Session
Wednesday's General Session
Thursday's General Session
President of the Open Society Institute Aryeh Neier offered the idea that "information is power and communication enhances that power." He states that we must use this power to gain freedom and also to inform others. Neier used Sarajevo under siege as an example of how information is publicized and transferred both into and out of the area. In regards to privacy, Neier offered that in some respects, the danger is as great as the power of technology. Moreover, even certain accurate information may be limiting, and this has a subsequent effect on freedom.
The US government viewpoint was presented by Paula Breuning, who remarked that despite it being essential for the Internet to grow, people must be comfortable using the medium. This means limiting the distribution of personal data so to restore privacy. The NTIA approach is to rely on self-regulation and sector specific legislation. Breuning places importance on posting privacy preferences and notifying customers of policies regarding personal data. Industry efforts include TRUSTe and the Online Privacy Alliance. The action suggested to facilitate this effort is performing a sweep of Web sites for posted privacy policies. I personally find industry regulation a process that is excruciatingly time-consuming and hard to gain majority acceptance for.
Simon Davies of the London School of Economics was next to speak. Understandably, Davies spent time enthusiastically responding to Scott McNeely's remark, "There is no privacy. Get over it." Davies made a solid point in stating that personal privacy should not be approached with such a laissez-faire attitude; he suggested a more aggressive attitude towards privacy protection. Davies offers the belief that privacy is one of the great features of culture, but as with any law, it is hard to maintain. The people causing the problem should be identified and forced to recognize their wrongdoing.
Hong Kong's Data Protection Commissioner Stephen Lau spoke about privacy in Hong Kong. Surprisingly (maybe not so surprisingly), there was not a word for privacy in Chinese until recently; the word now is comprised of "self" and "hide." Lau outlines the difficulties in protecting privacy through legislation. The results of a survey of approximately 6000 sites in Hong Kong showed that many local Web sites do not post privacy statements or conform to regulations found in the Data Protection law. Lau also offers the credo, "whatever is illegal offline is illegal online" and has produced guidelines for Internet privacy.
AOL (http://www.aol.com) Senior Vice President George Vradenburg began by stating that AOL has a publicly visible privacy statement posted on aol.com. Vradenburg focuses on the pace of the Internet, and how companies like his are governed by it. He offers that traditional models don't always apply to the situation, and the government may not be the ideal intermediary. Industry can't look to regulatory models of the past in dealing with the medium that combines media, advocacy, and communication. Finally, Vradenberg supports the current self-regulation efforts in the Privacy Alliance and TRUSTe, and notes the significant market pressure on companies like AOL and Microsoft.
The last speaker was Barbara Simons of the ACM (http://www.acm.org), who posed this question to the audience: do we value privacy so little that we depend on chance to reveal breaks in it? Simons used the example of the existence of GUIDs in Microsoft Word and how they related to the recent spread of the Melissa macro virus. Simons relates the protection of intellectual property online to the problem of privacy; she states the same principles apply. Simons also predicts that instead of raising security, the general response to the dilemma will incorrectly be to increase surveillance.
The Creation of a Global Surveillance Network
This session was moderated by Barry Steinhardt of the American Civil
Liberties Union (http://www.aclu.org).
The focus is on surveillance, the level of which is necessary, and the
resultant effects on privacy. It is an interesting issue to consider the
degree to which global surveillance networks adhere to the responsibility
of tracking malice, and to what degree they are invading the privacy of
law abiding citizens. The panelists offer a range of viewpoints to this
ever-debated issue.
Representative Bob Barr focused on the efforts in Congress in regards to privacy. Barr states that the protection of privacy is currently being achieved by subventing federal laws. He argues that the 3rd century's biggest asset is information and the manipulation, gathering, communication, and passing of it. Barr also argues that difficulties in forging ahead with the privacy issue don't break down within party lines.
Steve Wright of the Omega Foundation described the Echelon system, a satellite projection system that wasn't only being used for surveillance for terrorists, but for economic surveillance as well. The Echelon system captures a large amount of European traffic. Wright states that surveillance system should ensure democratic accountability and only survey targeted parties. Statewatch, the independent human rights organization, questioned the government about this system; however, their questions were suppressed.
Ken Cukier of CommunicationsWeek International in France, compared the French Echelon system to the UK's; however, he states it's on a smaller scale. An interesting point made by Cukier here was that the desire to widen the system to other European countries may be the beginning of a Euro-wide effort for surveillance. He states, however, that a Trans-Atlantic effort may be difficult because the existence of two surveillance systems may trigger negative attention from privacy advocates.
USDOJ Computer Crime Unit head Scott Charney offered the viewpoint that the creation of a global surveillance network will give rise to a plethora of views on surveillance vs. privacy. Charney outlines the debate by pitting the advocates of tight surveillance against the "privacy-centric," who tend to support no surveillance at all. The middle ground is covered by the Fourth Amendment, which states the Constitution allows for an invasion of privacy to protect the public good. Does the Fourth Amendment still exist in Cyberspace? Charney believes it does. He states that although most people are law-abiding, there are some who are malicious and want to cause the community danger. As in the physical world, Charney believes that law enforcement must have the "tools to be able to investigate effectively." To achieve the necessary balance, Charney offers the Electronic Communications Privacy Act. The courts are involved in the process when any surveillance is necessary, and it is limited to serious crimes. Although the act will not make everyone happy, Charney believe is it a step in the right direction, and serves as a "pretty good model." Lastly, Charney also believe that we must strive to focus and protect the values rather than specific technologies.
In the Question and Answer portion, Patrick Ball of the AAAS (http://www.aaas.org) asked if a few dead human rights activists was all price to pay for strong encryption. USDOJ rep Scott Charney offered the predictable response that the exclusionary rule must be used; policy is not designed to solve all problems and there must be a balance. He states, though, that strong encryption does have positive uses.
Anonymity and Identity in Cyberspace
The last panel of Tuesday's general session was moderated by my colleague
at AT&T Research, Lorrie Cranor (http://www.research.att.com/~lorrie).
Lance Cottrell of Anonymizer, Inc.(http://www.anonymizer.com/3.0/index.shtml) began his portion of the discussion with the example of information flowing out of Kosovo in the clear. Postings through email attach an identity to the text; therefore, the user may be subject to abuse. The problem lies in being able to relate information securely and privately. According to Cottrell, the limitations include:
Mike Reiter of Lucent Technologies (http://www.bell-labs.com) outlined technology that can be used to hide information that may identify you. He uses the LPWA (Lucent Personal Web Assistant) proxy server as an example, explaining that users can redirect a Web request through the proxy. LPWA offers support for personalized browsing by issuing an account and password; a control code is entered into any Web form, and the LPWA provides the site the account/password so they are identified without really being identified. The problem with technology like this is the level of trust given to the administrators. The following question arises: do products like these make the issue worse? It seems to be a problem of scope; the more popular and advanced products like this become will increase the amount we will have to trust admins. Reiter is also the co-creator of Crowds (http://www.research.att.com/projects/crowds), an anonymous Web surfing technology.
Paul Syverson of the Naval Research Laboratory spoke about the Onion Routing project (http://www.onion-router.net). The idea is based on a network of nodes scattered around the Internet. The current request only knows the previous and next nodes while raw TCP/IP sockets rout all traffic through the Onion. The technology can exist as a proxy and on a firewall. In addition, the Onion can exist at the desktop; it is interesting to note that, depending on how system is configured, local system administrators may or may not be privy to whom employees are communicating or what protocols they use. Essentially, this takes some emphasis off the admins.
The USDO's Phillip Reitinger was the gratuitous government representative for this panel. What's a panel on anonymity and privacy without a spoiler? Reitinger outlined law enforcement's concerns regarding anonymity. Reitenger states, "we can't put a pseudonym in jail." He concedes that anonymity is constitutionally protected in some forms; however, networks allow for anonymous crimes to be committed with distance, in regards to both location and identity. A communication trace can be easily circumvented, states Reitinger, by the use of fake email or IP addresses. Content can also be covered if encryption is used, and due to the lack of biometrics the crime may go unsolved. The core argument by the government rep is that anonymity services cause serious headaches for law enforcement (surprise).
The Q&A produced some interesting banter between audience members and the panelists. An interesting question posed was, how does the amount of anonymity in the physical world compare to the amount in Cyberspace? Reitinger offers that the Internet anonymity and traceability together, while the physical world keeps them separate. He also states that the amount of Internet privacy depends on the level of sophistication [in technology] utilized. Cottrell gives the answer seen above regarding the groceries and letter with no return address. Another question was, do anonymity service providers get approached by law enforcement to gain the identity of users? Austin Hill, president of Zero Knowledge (http://www.zeroknowledge.com), replies with a yes, but they remain true to their name. Crowds co-creator Mike Reiter states since its a distributed technology, there isn't a focal point for requests. Paul Syverson offers the same response as Reiter in regards to Onion Routing.
Squash anyone? The day closed with the EFF Pioneer Awards and the opening reception, followed by the evening working group. I didn't attend the 9:00-11:00 PM working group because I was enjoying the Washington DC nightlife.
Keynote Address: Mozelle Thompson, FTC
The FTC's (http://www.ftc.gov/) mission
is to create an environment of consumer protection so that markets will
flourish and consumers will benefit from the abundance of choice. The FTC
has been protecting consumer across all media, including the Internet.
Thompson suggests that E-commerce has had a growth rate of 200% annually,
and roughly $13 billion in 1998.
According to Thompson, the opportunities for Internet Fraud are abundant due to the low startup costs, real-time payments, and the ability to mimic a legitimate business. He adds that there are infinite places to hide from law enforcement.
Thompson examines the issues in preventing Internet fraud. He cites the need for "real, effective, and timely" self-regulation. Essentially, he asks if industry can take the lead in solving consumer public policy issues; he also asserts that consumers have a right to expect government and business to create a safe environment for them to conduct online business in. The FTC has been pressing industry to post privacy statements on their Web sites.
In my opinion, the idea of self-regulation is still a fantasy; Roger Clarke proposes an interesting co-regulatory scheme in his paper "Internet Privacy Concerns Confirm the Case for Intervention." Read it.
Keynote Address: Congressman Ed Markey
Markey asserts that privacy protection comes with exercising basic
civil freedom, and he would like to see strong pro-consumer encryption
policy and support for privacy policies. A posted privacy policy isn't
always a good one, he states; it must be clear, conspicuous, and concise.
Markey places importance on technological solutions such as P3P (http://www.w3.org/P3P/), as well as a government enforced set of basic privacy rules. Lastly, he promoted industry self-regulation. Markey seems enthusiastic about technological solutions, and supports necessary actions to ensure efforts by the private sector.
Copyright on the Line: Blame it on Rio? Or Title 17?
Jonathan Zittrain of Harvard Law School (http://www.law.harvard.edu/)
began this panel by speculating on numerous issues raised by the use of
compressed audio (mp3). Zittrain offers the use of digital watermarking
to determine ownership and questions if "fair use" should be built into
copyright law.
Henry Cross, Artist/producer, plays the true spoiler to the music industry in this panel. He emphatically asserts that the industry is attempting to crush MP3. His main points include:
Cross relayed his points in a dynamic and emphatic manner and was
quite influential.
Michael Robertson, President of Mp3.com (http://mp3.com), placed importance on the need for competition, which will enhance democracy and expose more artists simultaneously. His belief that "legislation shouldn't throttle technology" was apparent in the assertion that MP3 serves as a litmus test for other digital media and distribution.
Scott Moskowitz (Blue Spike, http://www.bluespike.com) spoke about the use of digital watermarking and encryption for ensuring content uniqueness. He would like to see artists/publishers to evolve from packaged media to a more dynamic distribution of content. Moskowitz argues that artists should be empowered to be their own PR and publishing force.
Carol Risher, Vice President of the American Association of Publishers, defended the segmented supply chain. She argued that each part of the chain adds a certain amount of value, and the emergence of digital distribution destroys potential opportunities and income for these parts. Roger Clarke points out, "she signally failed to address the key question about whether the industry value-chain could be greatly trimmed, and could provide a larger proportion of the revenue-stream to the originator."
Carey Scherman from the RIAA (http://www.riaa.com) predictably asserted the music industry's opinions of MP3; they are not concerned with MP3 so much as the piracy of it. According to Scherman, artists should have the right to put material on the Internet (it will benefit them), but protection should be in place so that they get paid. Scherman also discussed SDMI (Secure Digital Music Initiative), the movement to override MP3 by creating a standard; SDMI is intended to be an infrastructure for an infinite variety of ways music can be sold (such as subscription services, rent to own, or per number of listens). The SMDI will attempt to control piracy while pleasing the RIAA. Michael Robertson later stated that, "Cary [Scherman] is not for the artists. He's for his constituency, which pays his salary."
Unfortunately, I cannot do the panel/audience interaction following the statements justice, but Declan McCullaugh can. Read his Wired article on the panel. http://www.wired.com/news/news/politics/story/19007.html
Roger Clarke also made some interesting comments on this panel. http://www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP99.html
Chemical Databases on the Internet: Risk to Public Safety or Government
Accountability?
This panel focused on the scenario of a published electronic searchable
database of facilities and worst-case scenarios could give criminals an
advantage. It was argued that critical pieces of chemical information could
be used to plan an attack through the Internet. The National Security Council
is opposed to this type of database because the threat of terrorism it
poses. One panelist argued that the technological environment today is
vastly different from what it was in 1990; we can't control what's on the
Internet but we need some sort of safety net. There has been a growth in
information technology but not a proportional growth in information protection
technology; this is an important point in regards to this issue.
Industry has been more positive about informing society by describing what the worst case is, and why it's impossible.
Free Speech and Cyber-Censorship II
The panel in this discussion consisted of a diverse group of individuals
that spanned the globe, keeping with the conference theme. Richard Swetenham
from the European Commission DG XIII concentrated on the European Union
viewpoints on free speech and censorship. Since the EU doesn't have a federal
constitution, it promotes cooperation between law enforcement and citizens;
for example, they have a "tip line" where citizens may provide leads to
crimes, etc. In regards to content harmful to minors, Swetenham states
that it is illegal to give minors access to such content. The method of
determining what is harmful to minors is subjective, however; if parents
decide their children cannot see certain content, it's considered harmful.
EU efforts are currently directed at providing funding for self-rating
schemes.
The next speaker [Sobel] outlined the universal aspects of the censorship issue, and the relationship between free speech and privacy. The government needs a way to identify and locate the person who breaks the "harmful content" regulation which will lead to more ways of locating "posters" and identity-location mechanisms. One solution is to utilize online age verification; the individual will identify themselves through a credit card. Obviously, this has an effect on anonymity.
Sobel goes on to evaluate the options by stating that parental responsibility and education is a viable option, but neither law nor technology will protect children from harmful content. Technology offers commercial software, which Sobel notes is clumsy on the average. In essence, Sobel notes that no system can keep up with the growth of the Internet, and the use of technology may not always be voluntary (may be mandated by government). In my opinion, Sobel seems to provide a middle of the road account of the problem without tackling any of the issues underneath the surface.
Professor Zehao Zhou of York College (http://www.york.edu) spoke about China's situation regarding privacy and censorship. Zhou states that China has made significant strides in these areas but still has a way to go. For example, the 1998 Starr Report was banned in print format but was available online. The government controls all Chinese Web sites, and only occupational and social information is allowed. In regards to censorship, Zhou explains how Website access and use is monitored. One interesting thing to note is Zhou's statement that the Internet is a status symbol; therefore, the desire to get online is increasing rapidly.
Fadi al-Qadi offers the viewpoint that the Internet has no code of ethics and therefore no possibility of regulation. The lack of philosophic backbone to the Internet proposes the true challenge of finding ways to utilize information technology; we must use the Internet as a true censorship free vehicle for information communication. Not surprisingly, he also asserts that the Internet is no longer a US based entity. The challenge offered by al-Qadi is insurmountable for the fundamental reason that we can never create a unified view of what constitutes as censorship.
Lastly, Margarita Lacabe of the Derechos Human Rights offered the Latin American viewpoint to the panel. She stated that censorship in Latin America is indirect; for example, journalists and human rights activists receive threats with little prosecution of the offenders. In addition, the government prohibits the publication of insults to [government] officials. Of course, the Internet allows everyone to have a voice without filters; however, people who don't share the correct views are in danger. Anonymity isn't always guaranteed and the tools available to track the anonymous are becoming more advanced. On the other hand, Lacabe offers the terrorist law in Argentina as a success.
The day closed with the Privacy International Big Brother Awards, followed by the banquet dinner. Recipients of the Big Brother Awards included:
Keynote Address: Tim Berners Lee, W3C Director
The talk is available at http://www.w3.org/Talks/1999/0408-cfp-tbl/.
Lee outlined the Web itself, focusing on the major points:
Finally, I'd like to add comments from Roger Clarke's report on his conversation with Tim Berners-Lee following the talk.
Read more from the CNet News article on this panel.
I found this year's CFP to be enlightening and informative. Last year was my first CFP so I was a little overwhelmed by the amount of information that springs out of the panels. Not that I wasn't overwhelmed this year, as CFP packs a lot of panels, working groups, and keynotes into each day's session. I learned more about tools to achieve anonymity, something I didn't feel I knew enough about. It was also refreshing to hear the global views on censorship and content monitoring (especially for Asia and South America); being a netzien based in the US, I often don't consider the principles and procedures in regards to these issues (how selfish).
Random Thoughts...
Like everyone else, I still think self-regulation needs work...this
year's CFP made a valiant effort at giving a global perspective... I think
the SMDI is going to spark a huge music industry/independent explosion
in the future (more than it currently has)...I don't think MP3 will die
any time soon...still haven't gotten a pair of tie-dyed socks like the
ones I saw John Gilmore wearing at last year's CFP...that's about it. See
you next year.
By the way, the chair for CFP2000 is Lorrie Cranor.
Disclaimer: The views presented in this document are entirely my own and do not reflect the views of my employer, AT&T. Any complaints, rants, or even compliments should come directly to me.