Reports from CFP 2000, Toronto
This one filled a conference room. It featured heavy hitters from various fields, including John Gilmore, longtime EFF board member and cypherpunk patron, Philip Zimmerman, creator of PGP, Ann Cavoukian, Canada's Information and Privacy Commissioner; and a host of other folks from places such as MIT Media Lab, Xerox PARC, AT&T Labs, and the Center for Democracy and Technology.
They had gathered for the purpose of a "hands-on, interactive experiment" exploring ways of using technology to bring about strong protections of civil liberties. The chief tool proposed in the morning session was a replacement for the existing domain name system (DNS), the naming scheme that translates human readable machine names (such as www.privacyplace.com) into IP addresses, strings of numbers.
According to the workshop proposal, the current DNS has several serious drawbacks: first, it encourages "land grabs," where either the big names (such as IBM, Microsoft, Barnes and Noble) take over domain names, or the first comers grab them, with the result, according to the workshop hand out, that "we have a situation in which everyone is suing everyone else, the address space has been exhausted in a very short amount of time, and nobody is having any fun". Also, the DNS has become a "political chokepoint," a place where anyone who objects to particular domain names can exert effective pressure. Finally, the DNS prevents anonymous discourse because any utterance posted on a particular domain can be traced. The authors of the Federalist Papers found it useful ,
Once the discussions began, it became apparent that there are numerous social, economic, political, and technical obstacles to replacing the DNS, and in fact, most of the comments I heard ended up stressing how difficult and in some ways even undesirable it would be to do so. However, the room was filled with people who had thought long and hard about these issues, and they brought a deep concern for civil liberties to the discussion.
The most important of these political realities to me is anonymous expression. While law enforcement and regulatory agencies of many kinds despise anonymity online, it remains for me one of the primary tests of civil liberties. As the workshop organizers pointed out, any number of political thinkers and agitators —including the authors of the Federalist Papers—have found it necessary or expedient to publish anonymously over the years. Hence their conclusion: "freedom of expression has been greatly compromised by the existing DNS".
Robert Ellis Smith, publisher of Privacy Journal, presented a remarkable historical overview. He has recently published a book, Ben Franklin's Web Site, that takes up precisely these issues, and so he was able to give a succinct, detailed picture of how privacy and surveillance have evolved since the beginnings of the United States. In doing so he provided a needed corrective to the view, implicit in so many contemporary discussions of privacy, that our privacy concerns are recent and novel, generated out of computer and telecommunications technology.
He was especially good at tracing the laws passed in recent years and pointing out the privacy protections that they give—or, more commonly, alas, don't give.
With regard to our current concerns, Smith pointed out the centrality of medical, financial, and employment information. In these areas, he said, "opt out" policies are essentially unacceptable as unwanted disclosure can constitute an actual hardship in our lives. With regard to online marketing practices— currently generating so much heat—he appeared less concerned, regarding the tactics of companies such as DoubleClick as annoying and often unwanted but seldom actually dangerous.
He also stressed that privacy is not exclusively, or in many cases, not even primarily, an online issue. Insurers, hospitals, and doctors, among others, can violate our privacy to startling effect without using the Internet (though they perhaps can commit more readily astounding violations online).
Smith came across, in short, as a well-informed, committed, and sensible privacy advocate, one with a strong sense of history and accompanying perspective.
This was a difficult session, largely because the material it covered demands a presentation of complex and sometimes minute details. Mark Eckenwiler, an attorney with the Computer Crime and Intellectual Property Section of the Department of Justice, led a small but dogged group through the evolution of federal law with regard to eavesdropping since the Omnibus Crime Control and Safe Streets Act of 1968. He was frighteningly well-informed about the various laws and the conditions that brought them about.
My law training has been conducted largely through assiduous attention to "NYPD Blue," "Law and Order," and other such sources, so I found the whole thing improbably interesting. I believe I'm much clearer, for instance, on the distinctions between subpoenas and warrants and the conditions appropriate to each. I also gather that every prohibition under the law—for instance an Internet service provider cannot freely disclose customer content to others —contains significant and subtle exceptions; also, it seems that protections for face to face and phone conversations are more stringent than those for electronic transmissions such as email.
Finally I'll note that transactional records of our activities online—such as our web browsing practices, file transfers, and the like—can be shared by our service providers with anyone ... except, oddly, the government, which must go through a legal process to see the same records. This provision of the ECPA (as we legal mavens call it) was won by the telecommunications industry, which wanted the right to sell this information to just about anyone.
We all stood and sang "O, Canada" at the opening session of this tenth Computers, Freedom & Privacy Conference.
Well, not really.
The distinctive themeof the opening session was, however, distinctly Canadian here in Toronto, the first non-US venue for the conference. We were greeted by a phalanx (though that's probably not the right collective noun) of Canadians: Ann Cavoukian, Information and Privacy Commissioner of Ontario, Bruce Phillips, Privacy Commissioner of Canada, and Austin Hill, president of Zero-Knowledge Systems.
The speakers made reference to the emergence of privacy as a mainstream issue, and as I reflect back on CFP's origins and history, this point is clear. In its early days, CFP was the province of outsiders—for instance, techies with a political bent, computer crackers, the lawmen who tracked them, and extreme libertarians—not of high-level government officials and corporate executives. There were a great many more odd folks to be seen in its hallways, and the whole affair had a whiff of the outlaw. Over the years things have changed incrementally, and now it is comparatively genteel and well-behaved, better-dressed and more polite.
As was their due, the speakers celebrated Canada's benign privacy climate, one where just last night a major bill was passed extending federal protections for privacy into the private (so to speak) sector. Bruce Phillips, in his tenth and probably final year as national privacy commissioner, said the passage of C-6, the bill referred to, was the best present a departing privacy commissioner could want. He also made the rather touching statement that where information technology collides with civil rights and human values, information technology must give way.
The many members of the audience from the US could only nod at these displays of enlightened government, given that our federal and state governments have shown little interest in making any such broad affirmations of the privacy rights of their citizens. Our legislators have apparently been seduced by government agencies such as the FBI and NSA and massive corporate interests, both of whom have their own agendas, on which privacy figures in mostly as a nuisance. The notion that major government officials would share many of the goals of the hardcore privacy advocates at CFP, as their Canadian counterparts did, is, well, hallucinatory.
Austin Hill gave the session's keynote speech. His theme was protocols and privacy. Roughly, this boils down to the idea that at the heart of information exchange, we will guarantee either excellent privacy or none at all. Our cell phones, refrigerators, cash cards, and so on will either track us absolutely or will not allow us to be tracked. We now have most of the tools for maintaining our privacy and doing all the wonderfully easy things that a wired future promises, he said. "No Faustian bargain is required." However, we will have to build privacy into the protocols, which means that we will have to provide tools for authentication (so that we can do complex business online) which nonetheless allow us to maintain anonymity (or pseudonymity, which is the goal of Hill's own software).
To me the conference manifests a paradox: mainstream as it is, it nonetheless can pose threats to the agencies and enterprises that continue to threaten our privacy and, in fact, appear to be gaining headway in doing so. Perhaps this is why Canada, in the popular mind the most innocuous and well-behaved of nation states, has been characterized as home to "cyberterrorists". I'm afraid that if things go the wrong way in the US, as they show signs of doing, some of us may find ourselves moving north—if, of course, the Canadians will have us.
Other sessions followed, among them:
What a name for a presentation—reading it, one feels buried in linguistic oatmeal. It actually comprised a series of only modestly connected presentations: from a representative from the Center for Democracy and Technology, an FBI agent, a Sacramento, California Superior Court Judge, and a biometrics expert.
James Dempsey, from the CDT, presented a series of somewhat alarming graphics —soon to be available at the CDT website, I gathered—about the use of sophisticated information gathering technologies by law enforcement agencies in the US, with special emphasis on the FBI. They all indicated that the bureau is making excellent use of generally available sources, such as Lexis-Nexis, as well as its own databases, such as NCIC. The bureau has also put into play two special computerized programs, Casa de Web (I'm not making this up, as Dave Barry says) and Digital Storm, both intended to make powerful use of computer analysis and telecommunications. The real question, according to Dempsey, is how fair information practices map on to law enforcement data gathering, and the simple answer is not very well. This is only partly because of the coercive nature of law enforcement, he said; it is also because we do not have necessary legal structures to constrain the agencies involved.
Paul George, the FBI agent, gave rather a different picture. After making the obligatory, lame X-Files joke, he acknowledged that "if there is going to be a Big Brother, it's going to be us," but he assured the crowd that the bureau operates under stringent regulations concerning access to data and that in the years since passage of the Privacy Act (1974), the bureau has become greatly "professionalized" with regard to data gathering. Its task, his said, is to investigate crime, not to amass material about the the opinions, beliefs, and habits of US citizens. He explicitly referred to the "black bag" jobs conducted by bureau agents in the early 1970—though, perhaps understandably, he didn't mention J. Edgar Hoover's decades long obsession with compiling personal dossiers on anyone he didn't approve of. Oddly, all this was oddly comforting, as Special Agent George (I assume he is a special agent) appeared to be well-informed, competent, and honest. Though Dempsey's points remain compelling, at least I got the impression that the agents doing the work were proceeding in a lawful and indeed, as the man said, professional manner.
Finally, George Tomko, a biometrics expert, gave an interesting appraisal of the implications of biometrics technologies for privacy. A biometric—I believe that's the proper usage—is any measurable physical attribute. It is scanned, converted to an image, the image converted to a number. The essential point of Tomko's analysis was that any biometric signature can serve as a kind of universal i.d. card—the number that results from the process being uniquely ours. A central problem with this is that all sorts of secondary uses can be made of biometric information—uses we might not intend or permit, if asked. Further, individual databases can find themselves connected, almost inadvertently, to others. Ellen Ullman, author of Close to the Machine, remarked to me in response that the one thing she's learned after years of working with computers and databases is "databases want to be linked." For instance, a fingerprint given at a welfare agency might find itself identified in a search through fingerprints gathered at a crime scene. Tomko's solution to these secondary use problems entails a variant on public key cryptography. Without getting into the technicalities, the principle is that the biometric attribute would itself serve as a kind of password or PIN. It seems to me a quite elegant solution.
The unintentional theme of the presentation thus became the perils of secondary use of personal information. We give out data about ourselves in a particular context, but the persistent and easily transmittable nature of computerized databases makes it very easy for that data to appear in places we did not intend or permit, to the extreme detriment of our privacy.
Representatives of Privacy International, one of whom was decked out as Doctor Evil, handed out their awards "to the government and private sector organizations which have done the most to invade personal privacy in the United States". These are striking statues in the form of a boot crushing a human skull, an image derived, of course from George Orwell's 1984. The individual recipients were:
Notable among the award recipients was Darth Vader, who I believe accepted the award for TransUnion, but his expressions of gratitude were essentially inaudible because of his breathing apparatus.
In fact, the entire ceremony had a rather hectic quality due to being shoehorned into a reception area, where the scramble for food and drink and the severe ambient noise coming from a Toronto Raptors charity ball taking place immediately above the proceedings lent a chaotic tone to the ceremonies.
The Brandeis Awards, named after US Supreme Court Justice Louis Brandeis, who described privacy as "the right to be left alone," are given to those have done exemplary work to protect and champion privacy. Recipients were:
I was of course delighted to see Richard Smith, PrivacyPlace's Hero of the Revolution, receive another token of public esteem.
Stephenson, author of, most famously, Snow Crash and Cryptonomicon, gave the after dinner speech.
He took seriously the announced theme of this iteration of the conference, "Challenging the Assumptions," and gave what might be described as a contrarian speech. In what at times appeared to be a vastly entertaining but perhaps infinite series of digressions, he used themes such as "threat analysis" and "domination systems" to insist that we must put concerns for privacy in larger contexts, where numerous systems of domination threaten us all.
His manner was deadpan and quite funny, but his message was deadly serious: privacy advocates can become focused on Big Brother to the exclusion of almost everything else, as prehistoric people focused on hyenas to the exclusion of other, more generally more dangerous threats.
In theme and content, his talk was very different from any I've heard at CFP and provided an interesting corrective to what is often the monomania of privacy and cryptography advocates.
Presented by Duncan Campbell, longtime thorn in the sides of various intelligence agencies, including GCHQ (Government Communications Headquarters), the British counterpart to the NSA, this talk made the point rather forcefully that the NSA is gathering intelligence around the globe and that its doing so contravenes several kinds of national laws, regulations and practices among the countries involved. It also noted that other countries, particularly England, Australia, and New Zealand, have played along, offering the NSA facilities and access to the intelligence gathered there. It was, however, rather difficult to follow which of Mister Campbell's assertions were based on hard data (or at least reliable and verifiable sources) and which were somewhat speculative or soft. I suppose that if you weren't aware of Echelon's existence, this lecture might have been eye-opening and alarming. However, if you have been following the Echelon stories and debates, then it offered little new in the way of excitement or alarm.
Pamela Samuelson, professor at UC Berkeley and MacArthur Fellow, moderated a panel that considered various implications of what might be called the new regime of intellectual property law—that is to say, the evolving consequences of the 1998 Digital Millennium Copyright Act in the arena of contemporary computing and telecommunications technologies, which is proving to have a profoundly troublesome set of consequences for the Internet in particular and copyright in general. I can only suggest some of the issues covered in the panel.
Yochai Benkler of NYU Law School talked rather gloomily of what he called "the political economy of enclosure," by which he evidently meant the current tendency in law, regulation, and court interpretation to give overwhelming intellectual property rights to owners of that property, to the detriment of fair use and the flow of information.
David Post of Temple Law School took up the notion of "cybersquatting" —which, as several people pointed out, is the sort of pejorative term that tends to imbalance all discussion of domain name acquisition. I won't go into any of the details of domain names and their regulating body, ICANN, but will say that both were recurring themes of discussion at the conference, with ICANN being scorned and soundly dissed on both principles and practice.
Finally, Randall Davis of MIT talked about what he called the "collision of intellectual property and information infrastructure". He made the point that digitizing information changes the nature of information exchange, that, for instance, in the digital realm having access to information means copying it, and so natural barriers to copyright infringement have eroded. Also, intellectual property law has increasingly become concerned with private behavior. In this new arena, intellectual property law has become complex, the subject of differing interpretations, contested by numerous shareholders in an international and intense debate. In the process, licensing often replaces law, and both tend to focus on experience (such as seeing a movie or listening to a song) rather than artifact.
The themes of this panel were carried forward at lunchtime by Jessica Litman, Professor of Law at Wayne State University and an internationally recognized expert on copyright. She surveyed the largely unfortunate evolution of copyright law over the past thirty years or so, which has essentially wiped out a couple of centuries of copyright, when the author was granted limited rights over the property, and in return the work was made public and ultimately put into the public domain. It was, in short, a bargain in which both sides benefited. Then, a regime evolved where the author was assumed to strive for a maximum protection of property rights, that granting the author this right provided maximum incentive to production of intellectual property, and there is no good reason that copyright shouldn't become evermore restrictive and longer-lasting. In the past five years, Litman said, copyright has become less about incentives to authors than to controlling all access.
Litman made the point an important right once granted to users of intellectual property—the right to make legal but unauthorized use of the material, such as in copying a CD to tape—is in danger of disappearing. Content owners have turned all unauthorized uses into "piracy". Further, the courts have agreed to rather preposterous assertions by content owners (such as Mattel and the MPAA) that any behavior that can be construed as possible or hypothetical piracy is piracy.
In short, as a culture we are in danger of doing away with the concept of fair use of intellectual property and of creating ubiquitous systems of monitoring all personal uses of any information whatsoever.
Litman is pessimistic, as indeed many of us are, about the possibility of correcting this situation through legislation—the US Congress is simply too deeply in the grip of content providers with big bucks. However, she says, we might try to persuade the courts to read existing law in ways more in line with "a reasonable construction" and not with their current absurd insistence on the absolute power of content owners, so that a fifteen year old who copies his favorite songs into MP3 files is a pirate.
In this brief report, I cannot do justice to the subtlety of Litman's reading of the metaphors associated with copyright; however, the conference web site will soon contain video records of all the proceedings, so I would urge those interested in this matter to stay tuned—I will point you to the material when it becomes available.
Moderated in exceptionally genteel fashion by Jason Catlett of Junkbusters Corp., this panel put together privacy advocates—Beth Givens of Privacy Rights Clearinghouse and new recipient of the Brandeis Award and Alexander Dix, Commissioner for Data Protection and Access to Information, Brandenburg, Germany—with representatives of infomediary companies—Ray Everett-Church of AllAdvantage.com, Steve Lucas of Privaseek, Inc., and Paul Perry of Microsoft. Catlett introduced the idea of infomediary as trusted third party who aggregates consumer information in order to negotiate with vendors on consumers' behalf. Beth Givens quickly weighed in with the idea that trust is the key, and it is hard to imagine who could earn that much of it. She also spoke about the dangers of secondary use—another pervasive theme at this CFP—referring to possible subpoenas, civil and criminal. Alexander Dix, who stated his belief that everyone should have the ability to surf without footprints, also worried about the accumulation of "rich personal profiles". Steve Lucas stated the infomediary creed—customers should own their own information—and that customer information should be released only conditionally, ideally, with partners and audited third parties. He noted that companies are contractually obligated to do what they say they will with information. Ray Evans-Church put forward his own company's model, which is somewhat different: in it, no information is given directly to third parties; rather, advertisers are given access to specified kinds of customers through the infomediary, without knowing who these customers are; in return, customers are paid (currently, a maximum of $12.50 per month). Paul Perry, who, like other Microsoft representatives I've seen at gatherings such as this one, looked rather ill at ease, spoke about Hotmail and its Passport system, an electronic wallet essentially used for authentication, and generally disavowed that Passport is an infomediary. Everyone seemed in favor laws to regulate the infomediary process—the word "baseline" was often used.
Then the discussion changed to the topic of P3P, a possible standard for machine-readable interpretations of web site privacy policies, much-argued, often despaired-over at this conference and elsewhere. I confess I could only sit through a bit of this one, as it has started to sound like a long-running dispute in a dysfunctional family, filled with unspoken recrimination and regret.
A hundred or more of the conference attendees managed to find their way to the St. Lawrence Hall, a modestly genteel setting in 18th century style, where our hosts fed us liquor and then wouldn't let us eat until after the awards presentation, which made for some rather giddy responses from the audience during the presentations themselves. First came the Cooperative Computing Awards, which received a distinctly mathematical introduction concerning prime numbers and the history of the search for ever longer ones.
Then individual Pioneer Awards were given:
Tim Berners-Lee appeared on videotape to accept the award and to talk in an understated, intense, and charming manner about his concerns about the Internet, including the current flurry of patent awards and disputes, which he apparently regards as both pernicious and rather silly. Agre's award was accepted by Simon Davies of Privacy International, who in the persona of Doctor Evil had been giving away his own awards the night before. And Karen Schnieder was been chosen to accept Librarians Everywhere award "as a representative of librarians around the world fighting for the public's right to free expression in cyberspace". She was smart and funny; her story about researching the size of alligator penises showed the absurdity of content filtering in libraries and, perhaps obviously, reduced her giddy audience to helpless laughter.
That's "birds of a feather" session, an informal, topic-centered gathering where people are invited to hash out things of interest. I co-hosted this one with Karen Coyle, a librarian activist and conference organizer. After a long day of meetings and award ceremonies, &c., we figured that few people would be ready at 9:30 PM to haggle over infomediaries, but we were wrong. An intense little group gathered and argued and questioned spiritedly. From the session, it appeared that people are confused about what exactly an infomediary is, why one would want to employ one, whether the business model is at all believable, whether infomediaries can be made to serve privacy rights, and whether infomediaries should be regarded as analogous to (a) banks, doctors, and lawyers, or (b) pimps. At 11:30 or so, everyone collapsed and went off to bed or to the bar for a final drink.
This was my getaway day, so I could do little more than write up yesterday's events—for which, see below—pack up, and listen to Whit Diffie's luncheon speech.
Diffie, one of the founders of public-key encryption, has a special place at CFP; he is, in effect, one of the gathering's patron saints.
He gave the audience a brief survey of the evolution of the use of computing technology from timeshare mainframes to the modern-day networked PC and slightly beyond, to the "network computer" or "thin client" computer. His central point was that this new vision, where the network supplies much of the power, is a return to the days of timeshare computing—when the user had what were called "dumb terminals"—and that this means a return to centralized control and snooping, though by a different technological path. Diffie's speech was thus, alas, yet another of the many cautionary bordering on alarmist presentations made at the conference. ...
From the point of view of CFP, we have entered, especially in the US, a period when a number of powerful forces are working to regulate and commercialize the net, which is to say to close it: to replace its traditional—in fact, essential—altruism with a regime of licenses and patents; to banish its play of intellect and identity and institute a system of total authentication and control; to filter its chaos in order to give the illusion of safety; to subject it to the most glaring scrutiny in order to prevent commercial and governmental interests from being inconvenienced.
This work is licensed under a Creative Commons License.