CFP 2003 In Review


April 2, 2003

I’m at Computers, Freedom, and Privacy at the New Yorker Hotel in New York City. The hotel is, well, funky, with a checkered history. And the conference attendance is very clearly down, due to the economy and the war (some overseas attendees couldn’t get visas in time). I intend to blog as much of the conference as my energy (both personal and battery) will allow.

The hotel also has an interesting policy — they not only want an imprint of your credit card when you check in, and not only do they want to see a photo ID, but they also copy your photo ID (in my case, my drivers license). I’ve never seen this done at a hotel before — I would have objected, but I realized that negotiating that particular issue with the check-in clerk was not going to be successful, and I really wanted to have a place to stay.

I don’t necessarily agree or disagree with the speakers’ statements which I’m blogging, by the way — consider these notes an aide-memoire rather than an editorial.

Bruce Schneier’s Opening Keynote

Right now, Bruce Schneier is giving the opening keynote speech (“Security, Liberty, and Trade-Offs: With Diverse Terrorism Examples”); he is discussing his five-point scheme for evaluating security trade-offs:

Step 1: What assets are you trying to protect?

Step 2: What are the risks to those assets?

Step 3: How well does the security solution mitigate those risks?

Step 4: What other risks does the security solution cause?

Step 5: What costs and trade-offs does the security solution impose?

Finally, is the trade-off worth it?

Far too often, we focus on step 3 and ignore many of the other steps — so we solve the wrong problem or introduce new problems.

In the end, all security decisions come from a negotiation between players (including the “bad guys”, though they don’t negotiate directly). Understanding how to be more secure involves understanding these negotiations. And getting a bigger say in the negotiations requires having more power.

“History teaches us one thing about mercenaries: pay them! It’s the only way to keep their interests aligned with yours.”

Peter Swire says there’s a missing step: “Can the risks and costs be mitigated?” (in other words, can we find a cheaper/less risky answer than the one being proposed?) Bruce agrees.

Bruce’s final remark: Agenda is important. You need to know your agenda, and you need to know about the other parties’ agendas.

Plenary 1: A Moment in Time

Dan Gillmor is now moderating a panel: “A Moment in Time, Putting Computers, Freedom, and Privacy in Context” with Ed Tenner and Ira Glasser. Dan also commented about the incongruity of the hotel’s ID policy, especially for this conference, and said he will be taking the issue up with the management (he, too, decided getting a room was more important than making a point at check-in).

Ira Glasser: During Bruce’s talk, the questions started raising the “non-security” issues in the security debate; I believe that this is the dominant factor, especially in the civil liberties realm. These are the central paradigms behind the “security issues” which are being used to drive the “security measures” such as “no bottles or cans at Yankee games” (great for beer sales!).

People don’t pay attention to the details, so they can easily fall for willful lies or manipulation from the top. But even the people at the top can believe their own stories — hence the surprise that there has been resistance in Iraq.

All governments (everywhere, at every time) use war and the fear of war to expand their powers and advance their own policies. “You don’t have to provide safety; you only have to provide the appearance of safety.” The fear may, indeed, be real — that’s not the question. The question is, “what are you doing about it?” And the interests of government is to claim a tradeoff between liberty and security, and as Hamilton said, people will always choose security — but what they get is the appearance of security. You cannot argue that privacy is important when people are afraid. You cannot argue that the government shouldn’t be watching everyone when they’ll claim that no one knows where the enemy is. The only successful argument is that the measures aren’t providing any actual safety — that they are illusionary. And in the past, when liberty has been reduced, safety has never been increased.

“When you’re looking for a needle in a haystack, the last thing you want to do is grow the haystack.”

Ed Tenner: In his experience in Germany and in doing research on German history, what appeared important was not actual security issues but giving the appearance of security and knowing about the problem (including all of the participants). Technology has not been necessary to monitor people — even in the middle ages, the King of France was able to round up all of the Jews in France on one day (see http://www.jewishvirtuallibrary.org/jsource/vjw/France.html or http://www.fordham.edu/halsall/jewish/1182-jewsfrance1.html) because they knew where they were. Computer technology was not necessary; nor was it necessary in Nazi Germany — society had already made it possible.

Plenary 2: Computers, Freedom, and Privacy after 9/11

Now it’s the third panel (moderated by Peter Swire): “Computers, Freedom, and Privacy after 9/11”. Peter points out that the changes in the laws after 9/11 are basically in two areas: technology and immigration. Governments have historically had broader power in the area of immigration than in other areas — but is the government “trying out” measures on immigrants to see what protests might happen if they were applied more broadly?

Anthony Romero of the ACLU is the first speaker. He is talking about the ACLU’s “Safe and Free” campaign — safety without freedom is dictatorship, while freedom without safety is impossible. And one of the areas of concern is profiling and discrimination. President Bush’s initial statements (and later ones) called for non-discrimination, but the actions of the government use race and religion as a proxy for suspicion, and they have been moving more in that direction over time, as well as adding additional restrictions (for example, giving the government access to library records). He blames Ashcroft.

Nawar Shora of the American-Arab Anti-Discrimination Committee is the second speaker. He says that using race and religion as a factor in determining suspicions is legitimate — using race and religion as the only factor is not. ADC’s website and e-mail systems are under constant attack (as are other civil rights organizations).

Jim Dempsey of the Center for Democracy and Technology is the third speaker. He points out that people seem to gravitate to creating dichotomies (for example, freedom versus safety) even when the two are not incompatible. And people who care about civil liberties should never cede the effectiveness issue — the first question should always be “does this actually work? How will it be effective?” At times, the police don’t want some of the technology and powers that they’re being given because they know that they won’t actually affect crime.
Jim also says that current case law says you don’t have privacy interests in data collected about you which is not actually under your control…so that third-party data collection can be freely mined without violating your privacy interests (though it does violate your privacy). He also calls for corporations to take higher ground than their current view that immunization is sufficient — we need to rebuild the view that trust is required. In earlier battles, corporate and civil liberties interests were aligned; can this happen again?

Box Lunch with Robert O’Harrow

Lunch time at CFP is not time off — instead, they put out box lunches and run parallel sessions. I have mixed feelings about this, because it crowds out time for unstructured discussions (and because I am sure I could find better things to eat in New York City than a box lunch from the hotel), but it also offers the chance for small-group structured discussions. Today, I went to lunch with Robert O’Harrow of the Washington Post. His particular beat has been privacy, and so it was unsurprising that most of the discussion centered around data mining, which has both good and evil applications, even in the hands of the press.

George Radwanski – second keynote

George Radwanski, the Privacy Commissioner of Canada, is now giving the second keynote. He, unsurprisingly, considers privacy to be very important, and considers many of the measures taken in the US since 9/11 to be terrible. “When it comes to sacrificing a fundamental right such as privacy, you don’t have to take my word for it. Osama bin Laden said, a month after 9/11, ‘freedom and human rights in the US are doomed.'”

Plenary 3: Total Information Awareness – A Debate

Now we’re in the Total Information Awareness debate; apparently the
conference was unable to get anyone from the TIA office to
participate.

Herb Lin from the National Academy is presiding, and he’s opened the
discussion by asking the panellists to concentrate on the program, not
the personality of the
director. And he is bringing up reasonable questions for the panel to consider (technical as well as policy); it’ll be interesting to see if the panel pays any attention.

Heather McDonald of the Manhattan Institute is first up; she’s an advocate for TIA. She says she is puzzled by the reactions from both the civil rights left and the libertarian right to the government’s measures since 9/11, and that the opponents to TIA are “defending the status quo which led up to 9/11”. She’s written an article which seems to sum up her position, and I suggest you read that (since I can’t type fast enough to do her justice).

Katie Corrigan from the ACLU is the second speaker; she’s against TIA. She asks whether the goal of the TIA is to “connect the dots” or to find the dots to connect. She suggests that, unless TIA can be shown to be effective, there is no reason to deploy it, and no need to consider whether it is more invasive to privacy than necessary. But if it is effective, then the questions about trade-offs on privacy need to be asked.

Michael Scardavilleof the Heritage Foundation is another proponent. He recommends that the audience read his paper on the TIA, because he’s sure that five minutes won’t be long enough to make his case. And he was right.

Finally, Barbara Simons of USACM is making her case against TIA (which is covered by the USACM’s letter to the Senate Armed Services Committee).

The Q&A has begun. Heather McDonald is first up, asking whether the TIA opponents would object to the government being able to query databases about a known individual (to which Katie’s answer is “no”, but that she would object to searching for patterns with no probable cause in hopes of finding individuals to treat as suspects).

My verdict: Neither side carried the day; all of the speakers except Heather McDonald made good points (she expressed lots of emotion but backed it up with very few if any facts — she dismissed anyone opposed to TIA as a Luddite, to which Barbara Simons took good-natured and accurate objection). Michael Scardaville put it better: “reasonable people can — and do — disagree.”

It would have been good to have had more light than heat, though.

Plenary 4: The Moral Maze

After a too-short break (they keep us busy here, boss!), we’re back for a role-playing exercise (“Role Play the Moral Maze– Security and Freedom in A Dangerous World”), chaired by Simon Davies of Privacy International. The exercise is set in Podunk, Texas, in a very unhappy 2005 (during W’s third term)…a town which wants to maintain its stability, despite the unpleasant environment. Simon is directing the discussion by providing bits of information to the characters and asking them what they think or do — it’s interesting, but it doesn’t lend itself to writing down as it happens, so I’ll take a bit of a break from blogging the conference.

Plenary 5: Patriot II and Electronic Survelliance

The final panel for today (before the EFF awards ceremony, which will be held on the 80th floor of the Empire State Building) is devoted to a discussion of electronic survelliance and Patriot II. I suspect that most, if not all, of the panel will be against it.

David Sobel is the first speaker; he is general counsel at EPIC, and his talk is entitled “From ‘Root Canal’ to PATRIOT II: Government Acccess to Electronic Communications”. It was a straightforward description of the laws, regulations, and attempts for laws and regulations over the past twelve years or so, and it included some documents received under FOIA (all of which, interestingly, were completely blacked out when provided to EPIC).

The second speaker is Kate Martin of the Center for National Security Studies, talking about FISA, its effect on civil liberties, and possible broadenings of its reach in the near future.

And the third speaker, Ann Beeson of ACLU is talking about the activities around the filing of the brief with the secret FISA court. The decision of the FISA court is not appealable to the Supreme Court (because the government is the only party to the case), but ACLU filed a petition with the Supreme Court asking them to intervene anyway, which the court denied. So the only way to litigate the expansion of surveillance under FISA is if there is a criminal case where the evidence was obtained under FISA (and this rarely happens; most of the time, there is no case).

So, to sum up the first day:

Not much controversy. Only one issue. Even though there is no question that CFP really does need to focus on the big issue of the day, I miss the old CFP, where there were many topics and people from all sides of the issues.

Life after the last session

I had a nice Glatt Kosher dinner at Abigaels on Broadway, a few blocks from the hotel, along with a fellow IBMer; we chatted about the conference and a bit about work. I picked Abigaels because they’re a participant in AAdvantage Dining and I wanted more miles and for the novelty of eating in a Glatt Kosher restaurant outside of Israel, but I’d happily go back even without collecting miles (and since they had to manually process my credit card, I may not have collected the miles this time anyway!).

Following dinner, we hiked to the Empire State Building for the EFF Pioneer Awards reception and ceremony; since it turned out to be a dessert reception, I was glad I’d had dinner first. All of the honorees were deserving of the honor, but I have to admit to getting a bit impatient during their speeches.

I then walked back to the hotel, planning to skip the BOFs and call it an evening, but ran into yet another attendee who wanted to get a bite to eat and convinced me to walk down to Penn Station with him (a block away). As long as I was there, I had a very small Sedutto ice cream cone — it wasn’t nearly as good as I remember it to have been back when I spent ten weeks in Manhattan at IBM’s Systems Research Institute. And then we walked some more — up Eighth Avenue to 42nd Street, then over to Broadway, then up to 50th, then over to Sixth Avenue (Avenue of the Americas, if you want to be picky about it!), down to 42nd, over to 7th, down to 34th, and back to the hotel — just under two miles. That was a good way to finish the evening and work off the chocolate — now it’s time to call it a night, because tomorrow, the conference starts early again!

April 3, 2003

Morning dawned awfully early today, and my alarm clock followed it all too soon. I’d set it to give me enough time to go down to the fitness center and work out, but I couldn’t bring myself to spend time in front of a TV watching endless repetitions of the same few facts, so I went outside and jogged instead. Up 8th to Central Park, through the park to 7th, to Broadway at the first red light, back to 7th at Times Square, down to 34th, and back to the hotel (with a short detour via Capstone Cafe to pick up lox and bagel for breakfast). I didn’t realize how cold it was till I was well on my way — when I got back to the room, I turned on the TV and found out that it was 42 degrees out. No wonder I was chilly when I stopped!

The conference also began early today, with the first session at 8:15. And today, we’re not going to be all-war, all-the-time; instead, we start with:

Plenary 6: Internet Architecture and Free Speech

The panelists are Jeff Chester of the Center for Digital Democracy, Paula Boyd of Microsoft, and Mike Schooler of the National Cable & Telecommuniations Association.

Jeff’s up first; he is talking about the need for ISPs to be able to use broadband pipes to reach customers, in the same way that ISPs can offer service on dial-up. And he is decrying the recent FCC decisions allowing cable and DSL companies to deny ISPs such access, and to provide differential access to preferred sites and vendors. He pointed out Ellacoya Networks and their “Total Service Control” offering as an example of the dangers ahead.

Paula Boyd says that Microsoft believes that the broadband networks should remain a level playing field, as narrowband is. Consumers should have unrestricted access to services, sites, and devices within the limits of their bandwidth and without allowing theft of service or harm to the network. Their reasons are not entirely altruistic — they worry about a provider blocking or reducing their access to the consumer, both on the MSN side and on the sales side (they expect people to buy less shrink-wrapped software in the future and more online; given the size of Office, they really need broadband!). They also had to do significant negotiation with cable and broadband companies to launch Xbox Live, and they don’t want to have to do that again (they also say that they want to ensure that smaller developers without Microsoft’s clout can get to the network). And they believe that consumers need access to lots of content to make them want broadband in the first place.

Here’s an interesting quote to hear from a Microsoft spokesperson: “We worry that there is not enough competition in the marketplace to discipline the network folks.”

Microsoft is part of a coalition (the “Coalition of Broadband Users and Innovators”, website to come) on this issue but doesn’t agree with the coalition in all respects; they focus on edge-of-network access for consumers, not for ISPs. They want network managers to address issues in terms of network management, not shaping the kinds of bits which flow through the network.

Mike Schooler of NCTA began his talk by pointing out that Microsoft, of all people, should be able to create a gloom-and-doom scenario about monopolization. He didn’t get many laughs from the audience, and I’m pretty sure he thought he was making a joke.

After that, he talked about the cable companies’ huge investments in improving their facilities; he asked the audience who has cable or DSL broadband service (most hands went up) — throughout this part of his talk, he continued to conflate cable and DSL services. His basic message is that there’s no problem now, so there’s no reason to regulate us to keep it from happening in the future. And anyway, any issues in the past (such as restrictions against VPN use) have been intended to keep a user from using more than his or her share of bandwidth so that’s OK. Of course, VPNs don’t necessarily use more bandwidth…but they are used for business services, and the cable companies would rather be able to charge more in such a case.

The Q&A was not particularly enlightening (and as usual at CFP, there weren’t many questions…mostly rants).

Plenary 7: Human Rights and the Internet

The panelists are Patrick Ball of the AAASScience and Human Rights Program, Dinah PoKempner of Human Rights Watch, Bobson Wong of Digital Freedom Network, and Elisa Munoz of the Crimes of War Project.

I am expecting this to be an advocacy panel. In fact, they distributed a handout from Human Rights Watch entitled “Internet Dissidents: A Plan For Action”, asking attendees to write letters on behalf of the prisoners profiled in the handout. They even provided the audience members with paper and envelopes and asked us to write letters NOW.

Patrick Ball’s talk was slightly different; he talked about the need to make encryption and data backup transparent — because users don’t take the extra steps to use them, even when it is literally a matter of life and death. He also talked about work to make encryption and protection easier, including the Martus project.

Plenary 8: The Great Firewall of China – Internet Filtering and Free Expression

Kimberley Heitman of Electronic Frontiers Australia started, discussing Internet Filtering in Australia, as required by the Broadcasting Services Act. The default position is that ISPs are supposed to block R and X rated content, but adhering to a code of conduct allows the ISP to not filter — the ISP must make approved filters available to users. But less than 1% of the users use a filter, so the government is considering stronger methods. Becuase there is no constitutional right of free speech in Australia, filtering is not neutral as it is in the US.

Benjamin Edelman from the Berkman Center for Internet and Society at Harvard Law School then discussed “Internet Filtering Worldwide: The Technologies of Filtering and their Unanticipated Consequences”. He’s written a paper on the issue.

Saudi Arabia blocks porn, discussion of religions (all religions, even Islam), and sensitive political content (human rights and Israel). China blocks Western news (sometimes), politics, and porn (half-heartedly (Playboy and Penthouse get blocked, but not Hustler or whitehouse.com)).

Today, blocking is generally fairly granular. Proxy-based filters allow specific URLs to be blocked, while router-based filters block entire servers, causing overblocking. In Saudi Arabia, they use proxies; in China, they use routers and see overblocking (and underblocking) as a result.

So China, for example, blocks all of blogspot.com (over a million blogs) as a result of wanting to block a smaller number of blogs on that site.

Kijoong Kim of JinboNet in South Korea then discussed the Internet Content Regulation System in South Korea. The Korean Ministry of Information and Communication proposed requiring a PICS rating system for all web content in 2000, but the proposal was defeated after activists unleashed DoS attacks on the MIC website. The 2001 version of the law includes a provision prohibiting online protests, which the activist community does not like.

Arturo Quirantes of the Universidad de Granada discussed Spain’s 2002 law requiring web publishers to register sites with the government or pay large fines. 415 Spanish webmasters responded by replacing their websites with a protest page.

[Ahh…I’ve just discovered that Henry Farrell is also blogging CFP2003, in far more detail than I am. Thanks to Cory Doctorow for the link!]

Lunchtime Activites

The conference offered many lunchtime activities again today. The most technically-interesting choice was a session on ENUM and privacy; I went there just long enough to grab a copy of the paper that CDT is preparing and to eat the box lunch provided by the conference (today’s was better than yesterday’s, but I’m sure I could have done better on the free market). The most interesting alternative was a Video Surveillance Tour of Manhattan by the Surveillance Camera Players; from what I heard, it was a very eye-opening experience.

But I hadn’t been in Manhattan since July, 2001. We’d most of that day in the Financial District, largely atop the World Trade Center, and I felt the need to go back. So I took the E train to the end of the line (Chambers Street) and went up to the street. And of course, there was something missing. I walked down the street to the Ground Zero viewing ground itself. I passed places we’d seen 21 months ago (like the Century 21 Department Store); I passed markings on buildings which said things like “9-17-01 — ash and glass”; I passed people taking pictures; and, of course, I passed T-shirt vendors. I didn’t find it necessary to buy a T-shirt to remember my visit.

Then I walked over to Broadway and walked back to the hotel. It was a long walk (about 3.5 miles), and I was glad to get back and rest; I can’t imagine what it must have been like to have done such a trip on 9/11.

Plenary 9: Data Retention in Europe and America

Even though I was in the room in time for the beginning of the panel, I had a hard time following the speakers, so I’m hoping that Henry Farrell took good notes despite being on the panel.

The one point I did take from the panel is that, in the US, there is no government requirement that ISPs (and similar businesses) retain traffic data about their subscribers unless there is an order concerning a specific active investigation; such an order can be issued for 90 days (with a possible 90-day renewal) to give the government time to request a court order to examine such records, but it applies only to traffic data created after the order is issued. Absent such an order, ISPs are free to save or discard data as their business needs require. In contrast, there is a “data retention” regime in the EU. Providers can be forced to preserve all traffic data in case the government might be interested in it at a later date.

Plenary 10: Moot Court — Beyond LICRA v. Yahoo: Free Speech in a World Without Borders

Interesting session, but nothing I can summarize and blog. In the after-court discussion, I found it interesting that several non-US participants didn’t see why the US courts might consider maintaining the ability of US-based persons or companies to be able to speak freely

Plenary 11: Terrorizing Rights: International Cooperation and
International Anti-Terrorism Policies

The panel:
David Banisar,
Tracy Cohen,
<a
href=”http://is.lse.ac.uk/staff/hosein/”>Gus Hosein, Toshi
Ogura and
John Wadham.

Gus started, and here’s the big problem he pointed out: Definitions of
terrorism vary.
And it’s not always clear what the facts are (journalists, for example,
have been known to fabricate quotes).

Tracey discussed the Algiers convention on anti-terrorism (which does not appear to be available online). There are major problems when dictators (such as Zimbabwe’s Robert Mugabe use anti-terrorism laws against their opposition, even when that opposition is not using what would generally be considered terrorist tactics). Interestingly, the Bank of England considers his family and colleagues to be subject to anti-terrorist financial sanctions.

Toshi discussed the use of anti-terrorism regulations and laws in Japan.

David Banisar tried to summarize the situation in Europe in 10 minutes. He pointed out that many countries in Western Europe have had terrorism laws for decades, because they’ve had terrorist groups for decades (think IRA or Red Brigades); this is unlike the situation in the US, where terrorism is recent. But there have been new laws since 9/11 — for example, introducing an EU-wide arrest warrant and coming up with a common definition of terrorism.

Finally, John described the situation in the UK. Liberty was set up in 1934 and they produced their first report on terrorism two years later (relating to Northern Ireland). There was already significant new legislation before 9/11, but after 9/11, stronger regulations were introduced. For example, it is a criminal offence not to tell the police about any information you have about possible terrorist activities. Membership in some political groups is a criminal offence — in fact, even claiming membership in some groups is a crime (even if it’s not true).

Dinner at Macy’s

Somehow, that doesn’t have the same ring to it as “Breakfast at Tiffany’s”, does it? And it wasn’t where I wanted to have dinner, but time was short and no one had a better idea (well, I did, but I wasn’t quite sure where I was really trying to take the group), so that’s where we wound up. And it wasn’t a bad idea, really — I wanted to have a New York pizza in the worst way, and that’s pretty much what I accomplished (memo to self: don’t order BBQ Chicken pizza in New York again). But the company was good and so were the shared desserts.

After dinner, we returned to the hotel for the Brandeis/Big Brother Award ceremony. Details will be available sometime; the winners were well-chosen (Osama bin Laden won the Lifetime Menace award; his “acceptance” speech was rather chilling, even though it was intended to be funny).

And now I’m going to call it an evening; we start a bit later tomorrow morning, which will be quite welcome.

April 4, 2003

CFP started an hour later this morning, and I had grand plans to use that hour. I intended to walk up to Zabar’s for breakfast and bring back some H&H Bagels to take home. But when the clock went off, I found a better use for the hour; I went back to sleep.

Plenary 12: Auto ID

The technology has been around for years, but now it’s gotten
inexpensive enough to use pervasively. The panel wants to increase
awareness of the uses and abuses of the technology.

Mark Roberti of RFID Journal is the first
speaker. RFID technology begain in WWII with the British RAF’s IFF
(Identify, Friend or Foe) system. The US military started using it at
Los Alamos to track trucks carrying nuclear materials — that system has
evolved into EZ-Pass and similar automated toll systems. In the
meantime, the USDA developed a passive transceiver (“tag”) to track
cattle — the system had to be passive and unpowered because cattle
don’t come with AC outlets. Currently, a tag costs 40 cents; three
years ago, it was $10. And experts see tags costing less than five
cents in the next few years — which would make it possible to “extend
the Internet to objects” (MIT Auto-ID lab). The benefits include
reduction in theft (2% shrinkage is common in stores) and efficiency
because you can find your inventory and assets (P&G has a billion
dollars in “unfindable assets” at any time!).

Another use is maintaining authenticity — pharmaceutical companies want
to tag drugs to deter counterfeiting. A pharmacist would use the RFID
tag to verify that the drug about to be dispensed was real.

And companies have announced “smart appliances” which would use RFID
tags of items you’ve purchased to automatically set washing machines or
reorder products.

Katherine Albrecht of CASPIAN got
interested in the area by looking at grocery store loyalty cards and the
database infrastructure behind them. TIA has expressed interest in
using such databases (and every commercial database) as part of their
tracking in the interests of national security. Of course,
companies such as grocery stores and A. C. Nielsen are very
interested in creating detailed dossiers of their customers
(and have been for years). Her concern here is that RFID tags in
consumer products will extend those dossiers into the home.

Benetton, Prada, Michelin, and Gillette have already announced plans to
put RFID tags on consumer products. In response, CASPIAN is calling for
a boycott of Benetton. Benetton has responded by saying the read range
of the tags is only a couple of feet, but CASPIAN counters by pointing
out that doorways (for example) provide a choke point where RFID tags
could easily be read and tracked. CASPIAN also wants a world-wide
moratorium on consumer applications of RFID technology until regulations
are put in place.

Richard Smith of
ComputerBytesMan was
next. He began by asking the audience how many people use EZ-Pass (a
few) and pointed out that by using it, we make the trade-off of
convenience for trackability; users depend on the data only being used
for its proper purposes. But there’s already some overflow — for
example, you can pay for gas or parking with your EZ-Pass; in Boston,
they use EZ-Passes to get information on traffic flow and speeds (but
they don’t issue speeding tickets based on the data). He sees RFID
being added to license plates in the future (not optionally), creating
more and more opportunities for database entries and tracking for all
of our travel.

The next step is using RFID for people tracking instead of object
tracking — for example, RFID-enabled building access badges (such as
the one I used to have before I lost it!). After that, he sees
RFID-enabled shopper loyalty cards, which offer significant tracking
opportunities.

The ultimate use of RFID is
Verichip, which will inject an RFID chip into people (it’s been done for dogs and cats for a while). After 9/11, interest in “chipping” people increased significantly, but this is still a radical-edge application.

In the panel discussion, both Mark and Richard mentioned that the current announced plans for the technology are limited to the supply chain, but Richard pointed out that the danger is that once the tags are in the world, there will be huge temptations to use them for marketing and security uses and become people trackers.

The Auto-ID Center at MIT has plans to add “kill switches” to tags, so that they can be permanently turned off at the point of purchase of the consumer product. That would improve privacy, but would prevent the tags from being used downstream, for example in assisting in recycling when items are discarded.

Then there was a debate about whether the Auto-ID Center and the companies supporting it are seriously interested in privacy. It’s amazing how reading a neutral statement in a snide voice can color its contents. Katherine claims that there are no actual privacy advocates involved in the Auto-ID Center.

Stimson Garfinkel was first at the mike — he is a member of the Auto-ID Center’s advisory board (one of those non-existant privacy advocates). He said that all-out attacks against RFID chips (which already exist) are not going to be successful; there needs to be intelligent use of the technology. And, for example, the “kill” technology should only kill part of the ID, so that the waste stream information might stay active while the serial number would go away. Saying “it’s bad and we should stop it” is not going to work (unless you can make it illegal, which seems unlikely) — the question is “how do we use it responsibly”.

An audience member made a very good point: “it’s not a technology problem — it’s a data policy problem”.

Several people didn’t get to make their points (err, ask their questions), which is a first at this CFP. Good panel, and one which reminds me very much of the CFPs of old.

Stupid Security Awards

As if the EFF Pioneer Awards, the Brandeis Awards, and the Big Brother Awards weren’t enough, this CFP has added the Stupid Security Awards. Again, Simon Davies of Privacy International is the MC (this time in his own persona, unlike last night, when he presided over the Big Brother Awards as Her Majesty The Queen).

He gave the New Yorker Hotel a Dishonorable Mention, not only for demanding (and copying) photo ID at check-in, but also for refusing to loan a conference attendee a pair of scissors because they were a “security risk”!

Delta Airlines won the “Most Egregiously Stupid Security” award for requring a mother of a four-month-old to drink a bottle of her own breast milk to demonstrate that it wasn’t a threat to the staff on the plane.

The “Most Counterproductive Security” award went to a policeman who checked a pair of shoes out for explosives by slamming them down — apparently if they didn’t explode, they were ok.

“Most Inexplicable Security” went to San Francisco General Hospital, which treats many homeless people. After 9/11, they started requiring ID of people entering through the front door — but all side entrances were left completely unguarded. The staff and patients started using those side entrances, and the corridors filled with people desperately looking for the emergency room!

“Most Intrusive Security”: a lot of security measures seem to focus on attractive young women, and many security guards take great care in carefully checking out such individuals. The Michigan State Prison demands that any woman entering the prison (as a visitor) must wear a bra “for security”. One woman who could not wear a bra due to irritation needed medical certification to be able to visit her husband.

There is much more at the website; visit it.

But the real point is not the stupdity of these examples — it’s the danger in having the illusion of security and winding up with less real security, not more.

Plenary 13: Keynote from the Right and the Left

The speakers were former Rep. Bob Barr (R-GA) and Rep. Jerry Nadler
(D-NY).
Rep. Nadler was first elected to Congress in 1992; he represents New
York’s
8th District (includes the WTC, the ACLU office, and this hotel —
he says his district “goes from Nathan’s to Zabar’s”).
Rep. Barr is now a consultant to the ACLU; he was in Congress
1995-2003.

Rep. Nadler: Privacy is not a left/right issue. Without the
right
to be secure from governmental intrusions, all other rights are at risk.
Our system of constitutional liberties is not a danger, it has secured
us from dangers into which other nations have fallen. In wartime, we
often restrict liberties — then apologize 25-30 years later (and the
historians say that the restrictions don’t help anyway), and it appears
that we’re doing it again. When people ask questions, the answer is not
a reasoned argument, it’s an ad hominem attack or an attack on the
questioner’s patriotism.

In the run-up to the PATRIOT Act, the Judiciary Committee agreed
unanimously on a bill; it never came up. The Administration supplied a
substitute 278-page bill on Wednesday at 10am; the vote happened at 1pm.

PATRIOT II, drafted in secret by the Justice Department, may soon be
considered by Congress. Congress has not seen it, and the Justice
Department denied that any such bill existed, but then it was
leaked. He thinks that the plan was to keep the bill secret, to wait
until something happens, and then to introduce the bill and claim that
it has to be passed instantly for national security — but that the
person who leaked the bill derailed that plan.

Some of the more important issues being considered now:

  • TIA: Would involve the Defense Department in domestic law
    enforcement
    (not barred by law); no requirement for warrant — it would be
    investigate first, probable cause later. The Wyden Amendment put
    restrictions on the deployment of TIA and its use against American
    citizens; Feingold and Nadler said that
    TIA couldn’t be developed without explicit Congressional authorization.
    Wyden Amendment passed.
  • CAPPS II: The government would classify individuals based on secret
    information as red, yellow, or green — you would not have access to the
    information used to classify you.
  • Information sharing between law enforcement and Defense Department.
    Military agencies are not restricted to acquring info pursuant to a
    search warrant, but they can’t use that information for law enforcement
    purposes.

Nadler wants to require a privacy impact statement for every new federal
regulation, much as an environmental impact statement is required today.

Government’s unprecedented claim of the power to detain someone with no
charges, no habeas corpus, no lawyers, no judicial review, no recourse,
forever.
The Justice Department says the courts have no jurisdiction to review a
declaration that someone is an “enemy combatant”. Magna Carta
required the King to have justification to hold someone — this is the
first attempt to go against that precedent since then. Nadler is
drafting legislation which will extend the judicial power of the US to
anyone held by the US (so the “no jurisdiction in Cuba, even though
we’re holding people there” argument
will not work), and that the writ of habeas corpus shall not be denied
without a showing of probable cause (except a prisoner of war). “We
rebelled against George III for far less than that….I am not
advocating
rebellion but we must remember the core concepts of liberty.”

Rep. Barr: Even though the right to privacy does not appear
explicitly
in the Constitution, it is fundamental. In a tribe, there is no privacy
— no private property, no private decisions. In a civilized society,
the concept of privacy arises — individuals have the right to private
information and private property. If you look at the wording of the
Bill of Rights, it’s obvious that they presume the notion of privacy.
If there is no right to privacy, why would you need the Fourth
Amendment’s restrictions against the government’s ability for search and
seizure? The First Amendment incorporates privacy in affirming the
right to have ideas. Privacy is fundamental to freedom.

Information is fundamental, too. It is the currency of power in the
21st Century. Access to information, the ability to accumulate
information, is key — it’s the way you get things done and have the
power to influence events. The ability to protect information, to keep
it private, is important to freedom.

When you look at the legislative process, you need to keep in mind some
immutable laws of government.

  • Government always wants more
    power.
  • Government never surrenders power once granted (or seized). So you
    need to get things right the first time because you rarely get a second
    chance.
  • Privacy is finite; when government gets the power to access
    information, they keep it and use it — they take that power from we,
    the people.
  • Executive branches hate oversight (Republican or
    Democratic); they will not voluntarily expose themselves to oversight.
    Congress needs to ensure that oversight mechanisms are in place and
    used.
  • The Executive Branch never admits error. They never say that
    “we had the power; we just didn’t use it correctly” — instead, they
    say “we need more power or money, so Congress needs to give us more”,
    and that almost always happens. The root cause is never examined. As
    an example, after TWA Flight 800, there was a rush to give the
    Government more power to “fight terrorism” — luckily, cooler heads
    prevailed and no legislation was passed, but that was the initial
    reaction (and of course, the problem was not related to terrorism at
    all).

He believes that CAPPS II and TIA throw the Fourth Amendment away.

The only way to prevent such intrusions is to stay in contact with our
Representatives and Senators and keep them aware of our concerns. Most
Representatives and Senators don’t track these issues as closely as
Nadler does,
so the only way that they’ll care is if their constituents tell them how
important they are. Without such, we’ll continue to see the knee-jerk
reaction to incidents and the government will continue to acquire more
power and citizens will have less privacy.

Q&A: (again, there were people waiting at the mike when time
ran out)

Katherine Albrecht of CASPIAN asked whether there are
plans to
add RFID to cash (she claims that will happen in Europe by 2005). Both
Nadler and Barr said that they have never heard anything about such
plans.

Jim Casper of the North Dakota legislature: Why didn’t the
36 members of
the Judiciary Committee stand up to stop the passage of the Patriot Act?
Nadler:
Both he and Barr were…he voted against it, both because of the issues
and the process. The rules of the House provide that you cannot vote on
a bill which has not been in print for 24 hours, but the Rules Committee
routinely suspend those rules and they did that for the Patriot Act as
well. 66 Members of the House voted against the bill, some because of
the process. Barr: He happened to notice a provision tucked
into an
airport security bill last year which would have given security officers
the power of arrest and got it deleted, but if he hadn’t happened to see
it, it might well have become law. This happens all the time (not just
in security issues) and it’s a terrible way to legislate. The budget
left out many projects because a page fell out on the way to the
printer and it wasn’t discovered in time!

Henry Farrell: I didn’t hear any mention of the effect that US
laws
have on the privacy of individuals outside the US. Examples: EU and
Canada have been forced to share information on travellers with the FAA
without even the CAPPS II safeguards, and the requirement that
biometrics be added to passports if the holder ever wants to enter the
US (which means all passports). Nadler: I believe that privacy
is a fundamental human right. The Constitution says “no person”, not “no
citizen” shall be deprived of life, liberty, etc, without due process.
The bill he and Feingold introduced on the TIA says you can’t do it at
all; Wyden’s only affects US citizens. I was not aware of the
particular instances you cited, and very often, we’re not aware of the
implications until someone brings it to your attention, and if the
implications are not on citizens, no one may bring it to our attention.
Barr: We’d have better legislation and law enforcement if we
operated
in an international context, if we coordinated with other countries and
developed international protocols and consistency. That said, there are
things that a nation may need to do on its own initiative, such as
requiring manifests for flights entering the US. Nadler: The US has a
right to protect its citizens and borders; there is no human right for
anyone else to come to the US. We need to balance security concerns
with privacy and liberty concerns — not in haste, but they do have to
be addressed.

Lunchtime Concurrent Session: Authentication

This session was held in a long, noisy room, with no mikes or projector.
It wasn’t very easy to follow, but Steve Bellovin gave a good talk about
the differences between authentication, identification, and
authorization, and the need to collect only the necessary information
for the purpose, rather than collecting all possible information “just
in case”. He referred to an National Research Council study on the
subject which is currently available on their
website, as well as
a
post-9/11 report called “ID’s not Easy” which discussed what problems
a national ID card might actually solve and implications which would
follow depending on what information was collected.

Plenary 14: What are the New Intellectual Property Regimes, and do they threaten or advance free expression?

In 1998, Congress enacted the DMCA. It has several components. One concerns the liability or non-liability of ISPs in the communication of possible infringing material on the Internet. This sets up a dual regime — “mere conduit” ISPs have no liability, while “host service providers” (ones who rent space) will not be subject to liability if they comply with the notice and takedown procedure set forth in the statute. The next piece is the provisions on legal protection of technological measures which provide copy-protection (in other words, making hacking copy protection a criminal offense). And there is a portion which deals with copyright management information, making it illegal to remove or tamper with the identification of the work, its author, or conditions of use and sale in a way which would encourage or enable copyright infringement.

There has been judicial activity since the DMCA was passed.

The two speakers gave presentations which hit rather different issues; neither of them led to an easy summary (at least not by me!).

Brief Interlude

There was a wonderful “Carabella versus CAPPS” animation (which may show up on the Carabella page of Privacy Activism‘s website some day.

And CFP 2004 was announced, with Deirdre Mulligan as chair and Berkeley as the venue, probably in mid-May of 2004.

Closing Keynote: Larry Lessig

And now we approach the end of the conference. I will have to leave before the end of this session, so I will urge you in advance to listen to the MP3 recording of the session (and all of the main tent sessions), available at http://www.cfp2003.org/cfp2003/program.html (today’s sessions won’t be up quite yet, of course).

Larry talked about criticism through creative work; he says that it was once free but is being increasingly controlled. The message which lawyers miss is that “criticism is effective when it speaks the language which the culture understands.” This kind of criticism is the hallmark of a sane culture.

The question is not “what makes these freedoms possible?”, but “what made these freedoms possible?”, because the situation is changing. There is a great increase in concentration of media ownership — and that has changed the culture that people see and live in. That didn’t happen because of the magic hand of the market, but because of governmental action making concentration more favorable.

For example, in 1994, the FCC eliminated the FinSyn rule, which meant a change from 70% of prime-time TV being independently produced to today’s situation, where 75% of prime-time TV is owned by the networks.

Larry then drew a distinction between Walt Disney creativity (taking themes from the culture and remixing them) and Disney, Inc., creativity (extending copyright terms into the indefinite future). And he said that part of us is due to one meme from computer culture has crept into the rest of the culture — binary thinking, which results in people thinking only in extreme terms.
Instead, we need to demonstrate non-extreme points (such as the Creative Commons license options).

Larry’s final message: Free culture by resisting control and concentration.

And now, as the Q&A begins, I need to fold my tent, claim my luggage, and bid the hotel and the conference adieu. Cheers!