Danielle Gallo's 1999 CFP Conference Report


[N.B. In general, square braces in Cipher indicate a comment from the editor. In the current article, text in square braces is the work of the author, not the editor (other than around this comment).
One personal observation on the conference I could not resist making: a concrete metaphor for the difficult and complicated road to freedom was a sparrow that spent the three days of the conference flitting about the auditorium looking for a way out.---Paul Syverson]

Computers, Freedom and Privacy 1999 was held in the Omni Shoreham Hotel in Washington, DC from April 6-8, 1999. This was my second CFP; you can read the report I wrote from last year's conference here. The theme "the Global Internet" was achieved through including many international panelists. It was refreshing to see Asian and South American panelists on the program, as they provide different experiences with privacy and censorship than most; it is also enlightening to hear their views and successes, as well as the problems they are still having. The following summary is based on my notes and the newsletters distributed at the conference, which are available on the CFP site (Reports 1, 2, and 3). CFP is guaranteed to be chock full of information, and this year did not disappoint. I am only presenting a summary based on the panels I attended, so this report will not cover each session. I often refer to Roger Clarke's notes on CFP, which I found quite useful. Note: links to many papers can be found on the cfp99 site. Now, let's get down to it, shall we?


Tuesday General Session (April 6, 1999)

The General Session began on Tuesday April 6, 1999 with the panel, "Freedom and Privacy and the Global Internet I" moderated by Deborah Hurley ( http://www.ksg.harvard.edu/iip/Biographies/hurley_bio.html), Director of the Harvard Information Infrastructure Project. Hurley began the panel with a series of statements about the human need to communicate, and how this essentially extends to the present information explosion. This explosion is coupled with the need to limit audiences. Presently, there are more ways to record communication; however, we lose the ability to limit the audience. As moderator, Hurley limited each speaker to five minutes. This limit had advantages and disadvantages, and as Roger Clarke (in his CFP 99 report) states, "successfully avoided any one person dominating the agenda; but it also limited speakers who wished to structure an argument."

President of the Open Society Institute Aryeh Neier offered the idea that "information is power and communication enhances that power." He states that we must use this power to gain freedom and also to inform others. Neier used Sarajevo under siege as an example of how information is publicized and transferred both into and out of the area. In regards to privacy, Neier offered that in some respects, the danger is as great as the power of technology. Moreover, even certain accurate information may be limiting, and this has a subsequent effect on freedom.

The US government viewpoint was presented by Paula Bruening, who remarked that despite it being essential for the Internet to grow, people must be comfortable using the medium. This means limiting the distribution of personal data so as to restore privacy. The NTIA approach is to rely on self-regulation and sector-specific legislation. Bruening places importance on posting privacy preferences and notifying customers of policies regarding personal data. Industry efforts include TRUSTe and the Online Privacy Alliance. The action suggested to facilitate this effort is performing a sweep of Web sites for posted privacy policies. I personally find industry regulation a process that is excruciatingly time-consuming and hard to gain majority acceptance for.

Simon Davies of the London School of Economics was next to speak. Understandably, Davies spent time enthusiastically responding to Scott McNealy's remark, "There is no privacy. Get over it." Davies made a solid point in stating that personal privacy should not be approached with such a laissez-faire attitude; he suggested a more aggressive attitude towards privacy protection. Davies offers the belief that privacy is one of the great features of culture, but as with any law, it is hard to maintain. The people causing the problem should be identified and forced to recognize their wrongdoing.

Hong Kong's Data Protection Commissioner Stephen Lau spoke about privacy in Hong Kong. Surprisingly (maybe not so surprisingly), there was not a word for privacy in Chinese until recently; the word now is comprised of "self" and "hide." Lau outlines the difficulties in protecting privacy through legislation. The results of a survey of approximately 6000 sites in Hong Kong showed that many local Web sites do not post privacy statements or conform to regulations found in the Data Protection law. Lau also offers the credo, "whatever is illegal offline is illegal online" and has produced guidelines for Internet privacy.

AOL (http://www.aol.com) Senior Vice President George Vradenburg began by stating that AOL has a publicly visible privacy statement posted on aol.com. Vradenburg focuses on the pace of the Internet, and how companies like his are governed by it. He offers that traditional models don't always apply to the situation, and the government may not be the ideal intermediary. Industry can't look to regulatory models of the past in dealing with the medium that combines media, advocacy, and communication. Finally, Vradenburg supports the current self-regulation efforts in the Privacy Alliance and TRUSTe, and notes the significant market pressure on companies like AOL and Microsoft.

The last speaker was Barbara Simons of the ACM (http://www.acm.org), who posed this question to the audience: do we value privacy so little that we depend on chance to reveal breaks in it? Simons used the example of the existence of GUIDs in Microsoft Word and how they related to the recent spread of the Melissa macro virus. Simons relates the protection of intellectual property online to the problem of privacy; she states the same principles apply. Simons also predicts that instead of raising security, the general response to the dilemma will incorrectly be to increase surveillance.

The Creation of a Global Surveillance Network
This session was moderated by Barry Steinhardt of the American Civil Liberties Union (http://www.aclu.org). The focus was on surveillance, how much of it is necessary, and the resulting effects on privacy. It is an interesting issue to consider the degree to which global surveillance networks adhere to the responsibility of tracking malice, and to what degree they are invading the privacy of law-abiding citizens. The panelists offered a range of viewpoints on this ever-debated issue.

Representative Bob Barr focused on the efforts in Congress in regards to privacy. Barr states that the protection of privacy is currently being achieved by subventing federal laws. He argues that the 3rd century's biggest asset is information and the manipulation, gathering, communication, and passing of it. Barr also argues that difficulties in forging ahead with the privacy issue don't break down within party lines.

Steve Wright of the Omega Foundation described the Echelon system, a satellite projection system that wasn't only being used for surveillance of terrorists, but for economic surveillance as well. The Echelon system captures a large amount of European traffic. Wright states that surveillance systems should ensure democratic accountability and only survey targeted parties. Statewatch, the independent human rights organization, questioned the government about this system; however, their questions were suppressed.

Ken Cukier of CommunicationsWeek International in France compared the French Echelon system to the UK's; however, he states it's on a smaller scale. An interesting point made by Cukier here was that the desire to widen the system to other European countries may be the beginning of a Euro-wide effort for surveillance. He states, however, that a Trans-Atlantic effort may be difficult because the existence of two surveillance systems may trigger negative attention from privacy advocates.

USDOJ Computer Crime Unit head Scott Charney offered the viewpoint that the creation of a global surveillance network will give rise to a plethora of views on surveillance vs. privacy. Charney outlines the debate by pitting the advocates of tight surveillance against the "privacy-centric," who tend to support no surveillance at all. The middle ground is covered by the Fourth Amendment, which states the Constitution allows for an invasion of privacy to protect the public good. Does the Fourth Amendment still exist in Cyberspace? Charney believes it does. He states that although most people are law-abiding, there are some who are malicious and want to cause the community danger. As in the physical world, Charney believes that law enforcement must have the "tools to be able to investigate effectively." To achieve the necessary balance, Charney offers the Electronic Communications Privacy Act. The courts are involved in the process when any surveillance is necessary, and it is limited to serious crimes. Although the act will not make everyone happy, Charney believes it is a step in the right direction, and serves as a "pretty good model." Lastly, Charney also believes that we must strive to focus on and protect the values rather than specific technologies.

In the Question and Answer portion, Patrick Ball of the AAAS (http://www.aaas.org) asked if a few dead human rights activists was all price to pay for strong encryption. USDOJ rep Scott Charney offered the predictable response that the exclusionary rule must be used; policy is not designed to solve all problems and there must be a balance. He states, though, that strong encryption does have positive uses.

Anonymity and Identity in Cyberspace
The last panel of Tuesday's general session was moderated by my colleague at AT&T Research, Lorrie Cranor (http://www.research.att.com/~lorrie).

Lance Cottrell of Anonymizer, Inc.(http://www.anonymizer.com/3.0/index.shtml) began his portion of the discussion with the example of information flowing out of Kosovo in the clear. Postings through email attach an identity to the text; therefore, the user may be subject to abuse. The problem lies in being able to relate information securely and privately. According to Cottrell, the limitations include:

Cottrell forces the audience to view the problem of anonymity through the Kosovo example. It becomes apparent that achieving anonymity in countries like this can be a serious challenge; however, he does not downplay the challenge of achieving it in technologically advanced countries like the US. Cottrell's reply to a question posed in the Q&A session furthers this idea. He states that anonymity in the physical world is taken for granted. For example, one does not have to identify themselves when buying groceries (if paying in cash) or sending a letter (neglecting to add a return address). This type of anonymity is harder to achieve on the Internet, where tighter surveillance is enabled.

Mike Reiter of Lucent Technologies (http://www.bell-labs.com) outlined technology that can be used to hide information that may identify you. He uses the LPWA (Lucent Personal Web Assistant) proxy server as an example, explaining that users can redirect a Web request through the proxy. LPWA offers support for personalized browsing by issuing an account and password; a control code is entered into any Web form, and the LPWA provides the site the account/password so they are identified without really being identified. The problem with technology like this is the level of trust given to the administrators. The following question arises: do products like these make the issue worse? It seems to be a problem of scope; the more popular and advanced products like this become, the more we will have to trust admins. Reiter is also the co-creator of Crowds (http://www.research.att.com/projects/crowds), an anonymous Web surfing technology.

Paul Syverson of the Naval Research Laboratory spoke about the Onion Routing project (http://www.onion-router.net). The idea is based on a network of nodes scattered around the Internet. Each node handling a request knows only the previous and next nodes, while raw TCP/IP sockets route all traffic through the Onion. The technology can exist as a proxy and on a firewall. In addition, the Onion can exist at the desktop; it is interesting to note that, depending on how the system is configured, local system administrators may or may not be privy to whom employees are communicating with or what protocols they use. Essentially, this takes some emphasis off the admins.
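The layering idea described above, as an added example (not code from the Onion Routing project): the sender wraps the request once per node, and each node can remove only its own layer, so it learns the previous and next hop and nothing else. The per-node symmetric keys shared with the sender, the SHA-256-based stand-in cipher, and the node and host names are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

# Constructed sample network: three nodes, each sharing one key with the sender.
PATH = ["node-A", "node-B", "node-C"]
KEYS = {name: os.urandom(32) for name in PATH}


def _subkeys(key):
    """Derive separate encryption and MAC keys from one node key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _xor_stream(enc_key, nonce, data):
    """Stand-in stream cipher (SHA-256 in counter mode); illustration only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Encrypt then authenticate one layer: nonce || tag || ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(key, blob):
    """Verify and decrypt one layer; fails if the layer is not for this key."""
    enc_key, mac_key = _subkeys(key)
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer is not addressed to this node or was altered")
    return _xor_stream(enc_key, nonce, ct)


def build_onion(path, keys, destination, payload):
    """Wrap the payload from the last node inward to the first."""
    blob, next_hop = payload, destination
    for node in reversed(path):
        layer = json.dumps({"next": next_hop, "inner": blob.hex()}).encode()
        blob = seal(keys[node], layer)
        next_hop = node
    return path[0], blob


def peel(node_key, blob):
    """What one node does: remove its layer, learn only the next hop."""
    layer = json.loads(unseal(node_key, blob))
    return layer["next"], bytes.fromhex(layer["inner"])


def route(sender, path, keys, destination, payload):
    """Simulate forwarding and record what each node could observe."""
    hop, blob = build_onion(path, keys, destination, payload)
    prev, views = sender, {}
    while hop in keys:
        nxt, inner = peel(keys[hop], blob)
        views[hop] = {
            "prev": prev,
            "next": nxt,
            "sees_payload": payload in inner,
            "sees_destination": nxt == destination or destination.encode() in inner,
        }
        prev, hop, blob = hop, nxt, inner
    return hop, blob, views


if __name__ == "__main__":
    dest, delivered, views = route("alice", PATH, KEYS, "web.example:80",
                                   b"GET / HTTP/1.0\r\n\r\n")
    for node in PATH:
        print(node, views[node])
    print("delivered to", dest, delivered)
```

Only the last node on the path sees the destination and the cleartext request, which is why content that must stay private still needs end-to-end protection.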

The USDOJ's Phillip Reitinger was the gratuitous government representative for this panel. What's a panel on anonymity and privacy without a spoiler? Reitinger outlined law enforcement's concerns regarding anonymity. Reitinger states, "we can't put a pseudonym in jail." He concedes that anonymity is constitutionally protected in some forms; however, networks allow for anonymous crimes to be committed with distance, in regards to both location and identity. A communication trace can be easily circumvented, states Reitinger, by the use of fake email or IP addresses. Content can also be covered if encryption is used, and due to the lack of biometrics the crime may go unsolved. The core argument by the government rep is that anonymity services cause serious headaches for law enforcement (surprise).

The Q&A produced some interesting banter between audience members and the panelists. An interesting question posed was, how does the amount of anonymity in the physical world compare to the amount in Cyberspace? Reitinger offers that the Internet puts anonymity and traceability together, while the physical world keeps them separate. He also states that the amount of Internet privacy depends on the level of sophistication [in technology] utilized. Cottrell gives the answer seen above regarding the groceries and letter with no return address. Another question was, do anonymity service providers get approached by law enforcement to gain the identity of users? Austin Hill, president of Zero Knowledge (http://www.zeroknowledge.com), replies with a yes, but they remain true to their name. Crowds co-creator Mike Reiter states that since it's a distributed technology, there isn't a focal point for requests. Paul Syverson offers the same response as Reiter in regards to Onion Routing.

Squash anyone? The day closed with the EFF Pioneer Awards and the opening reception, followed by the evening working group. I didn't attend the 9:00-11:00 PM working group because I was enjoying the Washington DC nightlife.


Wednesday April 7, 1999 General Session

I'm sure the continental breakfast (that began at 7 am) was chock full of industrious attendees who were eager to exchange opinions and ideas on the previous day's session while nibbling on fresh fruit. I wouldn't know, though, as I was the one who ran down at around 8:05 and grabbed a bagel just as the first session was beginning. You can always network at lunch, you know, and it's better to be conscious for it.

Keynote Address: Mozelle Thompson, FTC
The FTC's (http://www.ftc.gov/) mission is to create an environment of consumer protection so that markets will flourish and consumers will benefit from the abundance of choice. The FTC has been protecting consumers across all media, including the Internet. Thompson suggests that E-commerce has had a growth rate of 200% annually, and amounted to roughly $13 billion in 1998.

According to Thompson, the opportunities for Internet Fraud are abundant due to the low startup costs, real-time payments, and the ability to mimic a legitimate business. He adds that there are infinite places to hide from law enforcement.

Thompson examines the issues in preventing Internet fraud. He cites the need for "real, effective, and timely" self-regulation. Essentially, he asks if industry can take the lead in solving consumer public policy issues; he also asserts that consumers have a right to expect government and business to create a safe environment for them to conduct online business in. The FTC has been pressing industry to post privacy statements on their Web sites.

In my opinion, the idea of self-regulation is still a fantasy; Roger Clarke proposes an interesting co-regulatory scheme in his paper "Internet Privacy Concerns Confirm the Case for Intervention." Read it.

Keynote Address: Congressman Ed Markey
Markey asserts that privacy protection comes with exercising basic civil freedom, and he would like to see strong pro-consumer encryption policy and support for privacy policies. A posted privacy policy isn't always a good one, he states; it must be clear, conspicuous, and concise.

Markey places importance on technological solutions such as P3P (http://www.w3.org/P3P/), as well as a government enforced set of basic privacy rules. Lastly, he promoted industry self-regulation. Markey seems enthusiastic about technological solutions, and supports necessary actions to ensure efforts by the private sector.

Copyright on the Line: Blame it on Rio? Or Title 17?
Jonathan Zittrain of Harvard Law School (http://www.law.harvard.edu/) began this panel by speculating on numerous issues raised by the use of compressed audio (mp3). Zittrain offers the use of digital watermarking to determine ownership and questions if "fair use" should be built into copyright law.

Henry Cross, Artist/producer, plays the true spoiler to the music industry in this panel. He emphatically asserts that the industry is attempting to crush MP3. His main points include:

Cross relayed his points in a dynamic and emphatic manner and was quite influential.

Michael Robertson, President of Mp3.com (http://mp3.com), placed importance on the need for competition, which will enhance democracy and expose more artists simultaneously. His belief that "legislation shouldn't throttle technology" was apparent in the assertion that MP3 serves as a litmus test for other digital media and distribution.

Scott Moskowitz (Blue Spike, http://www.bluespike.com) spoke about the use of digital watermarking and encryption for ensuring content uniqueness. He would like to see artists/publishers evolve from packaged media to a more dynamic distribution of content. Moskowitz argues that artists should be empowered to be their own PR and publishing force.

Carol Risher, Vice President of the American Association of Publishers, defended the segmented supply chain. She argued that each part of the chain adds a certain amount of value, and the emergence of digital distribution destroys potential opportunities and income for these parts. Roger Clarke points out, "she signally failed to address the key question about whether the industry value-chain could be greatly trimmed, and could provide a larger proportion of the revenue-stream to the originator."

Cary Sherman from the RIAA (http://www.riaa.com) predictably asserted the music industry's opinions of MP3; they are not concerned with MP3 so much as the piracy of it. According to Sherman, artists should have the right to put material on the Internet (it will benefit them), but protection should be in place so that they get paid. Sherman also discussed SDMI (Secure Digital Music Initiative), the movement to override MP3 by creating a standard; SDMI is intended to be an infrastructure for an infinite variety of ways music can be sold (such as subscription services, rent to own, or per number of listens). The SDMI will attempt to control piracy while pleasing the RIAA. Michael Robertson later stated that, "Cary [Sherman] is not for the artists. He's for his constituency, which pays his salary."

Unfortunately, I cannot do the panel/audience interaction following the statements justice, but Declan McCullagh can. Read his Wired article on the panel. http://www.wired.com/news/news/politics/story/19007.html

Roger Clarke also made some interesting comments on this panel. http://www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP99.html

Chemical Databases on the Internet: Risk to Public Safety or Government Accountability?
This panel focused on whether a published, searchable electronic database of facilities and worst-case scenarios could give criminals an advantage. It was argued that critical pieces of chemical information could be used to plan an attack through the Internet. The National Security Council is opposed to this type of database because of the threat of terrorism it poses. One panelist argued that the technological environment today is vastly different from what it was in 1990; we can't control what's on the Internet but we need some sort of safety net. There has been a growth in information technology but not a proportional growth in information protection technology; this is an important point in regards to this issue.

Industry has been more positive about informing society by describing what the worst case is, and why it's impossible.

Free Speech and Cyber-Censorship II
The panel in this discussion consisted of a diverse group of individuals that spanned the globe, keeping with the conference theme. Richard Swetenham from the European Commission DG XIII concentrated on the European Union viewpoints on free speech and censorship. Since the EU doesn't have a federal constitution, it promotes cooperation between law enforcement and citizens; for example, they have a "tip line" where citizens may provide leads to crimes, etc. In regards to content harmful to minors, Swetenham states that it is illegal to give minors access to such content. The method of determining what is harmful to minors is subjective, however; if parents decide their children cannot see certain content, it's considered harmful. EU efforts are currently directed at providing funding for self-rating schemes.

The next speaker [Sobel] outlined the universal aspects of the censorship issue, and the relationship between free speech and privacy. The government needs a way to identify and locate the person who breaks the "harmful content" regulation which will lead to more ways of locating "posters" and identity-location mechanisms. One solution is to utilize online age verification; the individual will identify themselves through a credit card. Obviously, this has an effect on anonymity.

Sobel goes on to evaluate the options by stating that parental responsibility and education is a viable option, but neither law nor technology will protect children from harmful content. Technology offers commercial software, which Sobel notes is clumsy on the average. In essence, Sobel notes that no system can keep up with the growth of the Internet, and the use of technology may not always be voluntary (may be mandated by government). In my opinion, Sobel seems to provide a middle of the road account of the problem without tackling any of the issues underneath the surface.

Professor Zehao Zhou of York College (http://www.york.edu) spoke about China's situation regarding privacy and censorship. Zhou states that China has made significant strides in these areas but still has a way to go. For example, the 1998 Starr Report was banned in print format but was available online. The government controls all Chinese Web sites, and only occupational and social information is allowed. In regards to censorship, Zhou explains how Website access and use is monitored. One interesting thing to note is Zhou's statement that the Internet is a status symbol; therefore, the desire to get online is increasing rapidly.

Fadi al-Qadi offers the viewpoint that the Internet has no code of ethics and therefore no possibility of regulation. The lack of a philosophic backbone to the Internet poses the true challenge of finding ways to utilize information technology; we must use the Internet as a true censorship-free vehicle for information communication. Not surprisingly, he also asserts that the Internet is no longer a US-based entity. The challenge offered by al-Qadi is insurmountable for the fundamental reason that we can never create a unified view of what constitutes censorship.

Lastly, Margarita Lacabe of the Derechos Human Rights offered the Latin American viewpoint to the panel. She stated that censorship in Latin America is indirect; for example, journalists and human rights activists receive threats with little prosecution of the offenders. In addition, the government prohibits the publication of insults to [government] officials. Of course, the Internet allows everyone to have a voice without filters; however, people who don't share the correct views are in danger. Anonymity isn't always guaranteed and the tools available to track the anonymous are becoming more advanced. On the other hand, Lacabe offers the terrorist law in Argentina as a success.

The day closed with the Privacy International Big Brother Awards, followed by the banquet dinner. Recipients of the Big Brother Awards included:

The Brandeis privacy awards went to PGP developer Phil Zimmermann and Diana Mey, the Virginia housewife who fought and won against a relentless telemarketing firm. Congratulations to the Brandeis recipients!


Thursday April 8, 1999 General Session

Unfortunately, I did not attend all of Thursday's session because I was traveling in the late afternoon and sightseeing for part of the morning. I attended the Mock Trial and Tim Berners-Lee's keynote address. I attempted to attend the Point-Counterpoint session, "Are There Limits to Privacy?" but I spilled hot chocolate on my pants on my way into the ballroom. By the time I changed and got back down, the session was over. So, blame my lack of coordination on missing that one.

Keynote Address: Tim Berners-Lee, W3C Director
The talk is available at http://www.w3.org/Talks/1999/0408-cfp-tbl/.

Berners-Lee outlined the Web itself, focusing on the major points:

He also outlined the World Wide Web Consortium and its mission:

Roger Clarke's comments on the current concerns:
  • bias in information. But that risk can be coped with if people understand that bias exists, what its nature is, that they have choice, and how to exercise that choice.
  • the right to link. But a link does not imply an a priori endorsement. Meta data should be free of constraints.
  • communications protocols. They are technical matters that do not change laws or create or destroy rights. They need a legal framework around them. In particular, Platform for Privacy Preferences (P3P) creates a technical framework that enables automated negotiation by agents; but it also needs consumer protection law around it.

Berners-Lee asserts that there is great fluidity on the Web, and technology and policy must continue to interact and make progress. We must work to protect the consumer and make the Web experience more enjoyable and secure.

Finally, I'd like to add comments from Roger Clarke's report on his conversation with Tim Berners-Lee following the talk.

I tackled Tim after the session on the question of whether W3C should establish a standard for state-maintenance, to replace the flawed cookies design (which is a Netscape add-on adopted also by Microsoft, not a web standard). Tim didn't realise that the IETF Draft had expired in January this year, and that there is therefore no current proposal to define a suitable solution to state-maintenance. He said someone could propose that it be a work-item, and that at the very least W3C could mirror the now-lapsed draft; but someone (presumably meaning a paid-up member) would have to bring forward a proposal.

As for the mock trial, I attended it, but confess my attention was waning a little. Roger Clarke gave an informed summary, however, and I would suggest reading his take. It's about 3/4 of the way down on his site (URL listed at the top of this document).

Read more from the CNet News article on this panel.


I found this year's CFP to be enlightening and informative. Last year was my first CFP so I was a little overwhelmed by the amount of information that springs out of the panels. Not that I wasn't overwhelmed this year, as CFP packs a lot of panels, working groups, and keynotes into each day's session. I learned more about tools to achieve anonymity, something I didn't feel I knew enough about. It was also refreshing to hear the global views on censorship and content monitoring (especially for Asia and South America); being a netizen based in the US, I often don't consider the principles and procedures in regards to these issues (how selfish).

Random Thoughts...
Like everyone else, I still think self-regulation needs work...this year's CFP made a valiant effort at giving a global perspective... I think the SDMI is going to spark a huge music industry/independent explosion in the future (more than it currently has)...I don't think MP3 will die any time soon...still haven't gotten a pair of tie-dyed socks like the ones I saw John Gilmore wearing at last year's CFP...that's about it. See you next year.

By the way, the chair for CFP2000 is Lorrie Cranor.

Disclaimer: The views presented in this document are entirely my own and do not reflect the views of my employer, AT&T.  Any complaints, rants, or even compliments should come directly to me.