Computers, Freedom and Privacy (CFP '98)

Austin Texas, USA, February 18-20 1998

by Danielle Gallo

Computers, Freedom and Privacy '98 was held February 18-20 at the Austin, Texas Hyatt Regency Hotel. Although there have been eight in total, this is the first CFP I attended. The program featured daily single-track sessions, lunch breakout sessions, and several concurrent tutorials.

I attended the Wednesday morning tutorial entitled, "An Introduction to Copyright and Trademark Law." This tutorial, given by David J. Loundy ( http://www.Loundy.com) of Davis, Mannix and McGrath, was a comprehensive and enlightening overview of the workings of copyright and trademark law. An interesting question of public display was addressed. If an image is displayed on a Web page that does not belong to the owner of the image's copyright, are display rights violated? Using several case studies as examples, Loundy suggested that the answer depends on the type of browser being used. Is it a text-based browser that will not display the image? If an image is present but not displayed, is there a violation? If so, who is at fault, the Internet Service Provider or the Web designer? This tutorial also discussed trademark law, especially as it applies to metatags. Search engines use metatags to help index Web sties. For example, the playboyxxx.com site contains the keywords "playboy", "playmate", and "centerfold" in its metatags. However, this is deceptive because the surfer believes he is accessing a site supported by Playboy.

The remainder of the Wednesday session featured a keynote speech by Brian Kahin of the White House Office of Science and Technology Policy ( http://www.whitehouse.gov/WH/EOP/OSTP/html/OSTP_Home-plain.html). Kahin addressed the future of Internet policy and discussed the effects on employment and productivity. He presented basic principles focusing on recognizing the unique qualities of the Internet and creating policy that will facilitate international commerce. One of Kahin's last points was the need for industry self-regulation. Kahin suggests that self-regulation creates more efficient markets. Kahin also cited the need for well-defined principles and international agreements as fundamental to success. International agreement appears to be a difficult process, as all parts of the world do not necessarily agree on major issues, such as privacy. Although Kahin strongly urged the private sector to lead such a movement, it seemed doubt surfaced among some attendees as to whether this is possible.

Anne Beeson of the ACLU, attorney Lance Rose, and UCLA school law professor Eugene Volokh discussed the Communications Decency Act decision. Volokh) argued that although the CDA was a victory for free speech, the decision should be examined with scrutiny. Volokh felt the CDA decision suffered from poor fact finding. Volokh's documentation regarding the Reno v. ACLU decision is worth accessing ( http://www.law.ucla.edu/Faculty/volokh/index.htm). Ann Beeson (http://www.aclu.org) claimed that celebration for the CDA was significantly well justified. Beeson also stated that the architecture of the Internet promotes freedom of expression, and threats to this right lie in Senator McCain's bill, ratings/private censorship (including PICS), and library filtering. One interesting example Beeson cited was a student whose individual homepage was removed after people complained about it. As expected, this raised a strong reaction from the crowd.

A panel on 'Privacy Implications of Biometrics and Behavioral Identifiers' outlined the implications of the use of biometrics (thumbprints, retinal scans, etc) for identification purposes. Dr. Ann Cavoukian, the Ontario Information and Privacy Commissioner, presented the idea that biometrics are a threat to individual privacy when not used carefully. Dr. George Tomko of Mytec Technologies discussed combining biometrics with encryption in an effort to reduce privacy concerns and increase security.

The last panel for the Wednesday session addressed Net Vengeance. The "Kashpureff incident" was addressed and discussed in great detail. The basic conclusion was that significant collateral damage resulted from his offense; however, he accepted responsibility and offered regret. This was not the highlight of the panel. Richard MacKinnon of the University of Texas at Austin ( http://bertie.la.utexas.edu/depts/gov/home.htm) sparked a discussion on the proper procedure when disciplining an offending online user. Since people from all nations participate in computer-mediated offenses, where and how should they be disciplined? The logical answer appears to be in their country of residence. MacKinnon suggests, though, that the offender may be judged by the standards of the group the offense occurred in. This apparently promotes preservation of the environment's integrity through punishment based on the environment and its members.

Wednesday closed with dinner and live music at the Austin Music Hall.

The Thursday general session began with a panel on 'Pragmatism and Principle in Online Advocacy." Danny Weitzner from the Center for Democracy and Technology ( http://www.cdt.org) joined Donald Haines from the American Civil Liberties Union in a friendly discussion. Even though the panelists were supposed to be arguing different points of view there was much agreement. They agreed on the need for involvement in the political process but differed on what approach to take.

Although many ideas and issues were raised in the panel on 'Privacy and Encryption Law in France', there are only a few I would like to touch on. Professor Joel Reidenberg of the Fordham University School of Law ( http://www.fordham.edu/law/faculty/reidenberg/main.htm) cited the territorial impact of data protection. He suggested trans-border data flows enable data passing to places with inferior protection. This is of utmost concern to the French, who hold strong views on privacy. The French position on data protection issues prevents sensitive data such as political or religious beliefs to be transmitted without consent. Reidenberg concedes that there is not full respect for data privacy laws; therefore, organizations have been created to supervise enforcement -- for example, the CNIL (Commission Nationale Informatique et Libertes) in France. This part of the discussion relates to Brian Kahin's keynote address, which cited the need for international agreements and well-defined principles. I think that compromise on these issues will be difficult because the French are very stringent on privacy issues and may not agree with the rest of the world.

The lunch breakout sessions offered a decent variety in subject topics. I attended 'How to Do a Wiretap' with Shabbir J. Safdar from The Voters Telecommunications Watch. This was an entertaining session because the information was relayed in the form of a mock wiretap involving lawyers, government agents, and snowboarders. The snowboarders possessed illegal drugs and the FBI wanted to set up a wiretap to monitor their conversations. Safdar outlined the process of obtaining a wiretap, focusing on the necessary requirement, predicate offense, and probable cause. He also outlined minimization, which is the capture of material relevant to the investigation only. For example, the wiretap was shut off when the snowboarders began discussing the 'killer slopes, dude'. When the snowboarders began using snowboarding lingo as code words for drug lingo, the taping was resumed. Finally, a few interesting tidbits: computer fraud is not a valid predicate offense; 8 out of 10 offenses involve gambling and the Mafia; rules for data interception are less stringent when dealing with equipment such as pagers.

Matt Blaze and Steve Bellovin from AT&T Labs Research ( http://www.research.att.com) discussed ways to 'Choke the Net.' Blaze and Bellovin cited the Net's structure as the cause of vulnerability. In addition, the technical characteristics of HTTP are a mismatch with what the Internet was designed for. To choke the Net, certain computers such as endpoints or central routers can be brought down. The Net is not just susceptible to intended takedown, however. Circumstances such as real-time multimedia and high bandwidth data will disable the Net. Routing problems, specifically misconfigured routers, were cited as a final threat. I agree with the panelists' contention that protocols for secure DNS will decrease the risk of malicious attacks, though it is questionable by what fraction the risk will be decreased.

Thursday closed with a controversial panel on 'Crypto and Privacy at the Fringes of Society' moderated by Michael Froomkin from the University of Miami School of Law ( http://www.law.miami.edu/). Patrick Ball of the AAAS Science and Human Rights Program outlined security problems and provided crypto solutions for human rights organizations. He stated that human rights groups need encryption and digital signatures for protection. Ball finds traffic analysis a major threat to privacy, and suggests the use of anonymous remailers. Peter Toren from the United States Department of Justice took the opposing view (big surprise there). Toren outlined the law enforcement perspective on crypto and privacy. He stated that unbreakable encryption will threaten public safety because it can be used to conceal criminal activity. He said, "advances in technology should serve society not rule it." Furthermore, Toren suggests that privacy and liberty must be protected without leaving a harbor for criminality. Toren's comments created strong response from the attendees and consequently, the question and answer session was lengthy.

In addition to the many thanks to Toren for actually attending, the Q & A featured predictable responses from each side. Matt Blaze expressed an interesting analogy in describing a paper shredder that created a digital copy of a document and sent it off to a central database. When a document was accidentally shred, the user could contact the database and have a copy faxed. Also, Toren was pressed about the encryption issue and repeatedly cited the significant increase in cases that involve unrecoverable evidence due to encryption. The government's case is made at http://www.fbi.gov/congress/encrypt/encrypt.htm . Audience members complained that the government repeatedly gives misleading information about the difficulty of cracking various encryption schemes.

Following the Thursday evening dinner reception and entertaining speech by Nicholas Johnson, there were a number of BoFs held. I attended the GILC (Global Internet Liberty Campaign) BoF. This informal discussion group featured Mark Rotenberg from GILC and Barry Steinhardt, counsel to the EFF (Electronic Frontier Foundation. Among other things, GILC has argued against PICS (Platform for Internet Content Selection). The BoF had a surprise element in the attendance of Paul Resnick, a professor at the University of Michigan School of Information. Resnick is one of the developers of PICS. The discussion became a preview of the panel on the neutrality of technology and the question of 'is PICS the devil?'.

I did not attend the Friday morning session in its entirety, so I will glaze over these panels. 'Archiving the Web' was a rather uneventful session that discussed online archives and their implications for privacy and copyright. Among the services highlighted was Deja News, a USENET archive.

I attended the lunch breakout session on video surveillance, "Is Big Brother Watching You?" The answer is yes. Donald Haines of the ACLU addressed the rise in usage of surveillance equipment due to decreases in cost. An example is the ITS, or Intelligent Transportation System. The ITS is designed for traffic analysis and management, yet it is commonly used to facilitate the mass and routine surveillance of crowds. Another example is E-Z Pass, a toll collecting service used in New Jersey and New York. When a driver passes through the gate, his account number is scanned and posted on a screen. Haines suggests that any particular car can be monitored each day based on the account number scanned when the driver passes though. Time lapses between measurements can be used to observe the driver's speed and possibly result in a speeding ticket. Hashing the account number so it was not available at the second monitoring position would give the driver anonymity. Haines concluded with an emphatic need to increase the amount of privacy protection. He referred attendees to the Electronic Privacy Information Center.

The Friday afternoon session featured a lively panel on library filtering. Susan Getgood was the first speaker; she is a representative for The Learning Company, the makers of Cyber Patrol filtering software. Getgood stated that the makers of Cyber Patrol will not market to libraries but will definitely sell to them. I accept this point as the Learning Company is in a business that wants to make a profit along with helping children surf safely. I think, though, that if librarians are going to purchase the product they need to know what limits filtering has. Charles Harmon presented the opposing view and argued that filters are against the library's mission of providing access to information. Harmon said, "the use of filtering software to block sites is against ALA (American Library Association) amendments." Harmon stated that NO software will ever meet the standard for libraries, and filters impose the producer's viewpoint on the community. For criticism of Cyber Patrol, see http://www.spectacle.org/cwp/ada-yoyo.html. Many attendees lined up to disagree with Susan Getgood during the question and answer period. One attendee raised a good point in stating that many library software users don't have a technical background, thus they are not fully aware of how to use software products. Library users need to be informed of how the technology works, its limitations, and how to use it successfully. Finally, I felt Susan Getgood did an admirable job defending her product despite the heated comments directed at her by libertarians. She stated that she believes Cyber Patrol is a product worth purchasing, and 68% of the parents in California who use technology to monitor their children's surfing agree with her. And no, they aren't going to publish the list of blocked sites.

Now, for the $64,000 question. Is PICS the devil? I dont think a definite answer surfaced. Panelists included Paul Resnick and Andrew Shapiro. Shaprio was highly opposed to PICS because it can be used to facilitate censorship. Resnick rebutted by stating that tools for censorship already existed before PICS. This question and answer period was also lively, including many comments directed at Resnick. Personally, I feel that PICS has provided a useful starting point and foundation for the selection of Internet content.

Bruce Sterling's "Thoughts on the Future" was an entertaining speech that contained a great deal of ranting. The part I found interesting was when Sterling addressed the Monica Lewinsky scandal. He stated that she poses no real threat to the country, is not a terrorist, and there is no need to observe her. Following the speech, Sterling hosted a party at his house for CFP attendees.

As a final note, I think that next year's conference should feature a panel on taxing electronic commerce. President Clinton endorsed no-new-Net-taxes legislation in his recent remarks to the Technology 98 Conference in San Francisco, but the future on this issue is unclear. Although this area does not relate directly to privacy or free speech, it is an interesting issue to examine within the realm of e-commerce.

*Random notes by the author: I liked the hotel but was disappointed to learn that the pool was outside. Could anyone tell me where to score a pair of John Gilmore's cool tie-dye socks? Bruce Sterling throws a good party. On Thursday, Richard Stallman explained that free software is like free speech and not free beer, but CFP seemed to do well in both departments. By Friday I felt like I had eaten my weight in tortillas. You're all checking out Crowds ( http://www.research.att.com/projects/crowds/), right? Lastly, as this was my first visit to Texas, I was strongly encouraged by my cab driver to get a tattoo and eat a steak. I did not do either of these things, but enjoyed myself anyway.