These notes are raw and not post-processed. They were all taken while the workshop was going on, and hence are not polished and not guaranteed complete or necessarily even balanced -- many scribes took extensive notes on only parts of the entire discussion.
Computers, Freedom & Privacy
Workshop on Freedom and Privacy by Design
4 April 2000
Notes on the morning sessions
Roger.Clarke@xamax.com.au
(On the move until 17 April and only sporadically reading email in that time)
### indicates things I thought were particularly important
@@@ indicates interpolations by myself (i.e. no-one said it during the session)
Obstacles - Rebecca Wright, AT&T Research Labs
Q: What to protect?
A: Privacy, free speech, anonymous speech
But:
- different governments have different laws
- different individuals have different valuations
- different and in part conflicting needs among players
Q: Who should decide?
Interplay among interests
Q: How to achieve?
design
construction
deployment / transition / integration
Requirements
- convenience
- fairness / accessibility
- backed by industry
Tools / Mechanisms
- crypto (protects data in transit, less so at the ends)
- open source software
- consumer / voter education
Usability - Alma Whitten, Carnegie-Mellon
Human Factors aspects / constraints
Don't expect users to:
- know what they need
- read manuals
- keep trying
- recognise success
Regard with suspicion any scheme that assumes that
- users manage key distribution
- pay attention to digital signatures
- comprehend policies
Think tools? They're general and robust; but need skills
Or think appliances? They're specific and fragile; but need lower skill
(until they break)
Automation guidelines:
- either the system must always work; OR
- users must know how to compensate for a failure; OR
- functionality must not be crucial
Two different goals:
- get the solution in place for those that already want it; and/or
- sell the solution to those who don't yet know they need it
@@@INTERIM CONCLUSIONS [THESE ARE ROGER'S INTERPOLATIONS]:
- maximise embedment in infrastructure
- privacy-protective defaults
- accessible explanations
- simple interfaces to modify the defaults
DNS Replacement P Nominated Structure
Origins: an Eric Hughes idea articulated by Lenny Foner
How does it work? ...
What's Broken?
- I.P. and land grabs / cybersquatting (scarcity begets
value-in-exchange)
- political chokepoint delivers control to someone
- little guys can't register their business name (first acme.com to
register wins)
A Modest Proposal
- throw away:
- the hierarchy/tree-structure
- the single instance of a name in the namespace
- hence names no longer unique or even resolvable
- land grabs are much more difficult
- everyone can register multiple names for free
- has no impact on the remainder of the infrastructure
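An added toy model of the flat, non-unique namespace sketched in the proposal above (illustration written for these notes, not code from the workshop or any presenter). The registry, the endpoint labels and the agent's "ask the user when ambiguous" rule are constructed assumptions; the point shown is that once names are not unique, resolution must surface ambiguity rather than silently pick a recipient.

```python
"""Toy model of a non-hierarchical, non-unique namespace (constructed example)."""
from collections import defaultdict


class FlatNamespace:
    """Anyone may register any name, any number of times. A name maps to a
    set of endpoints rather than to one owner, so registering 'amazon'
    excludes nobody: no scarcity, hence nothing to land-grab."""

    def __init__(self):
        self._names = defaultdict(set)

    def register(self, name, endpoint):
        self._names[name.lower()].add(endpoint)

    def candidates(self, name):
        # All registrants of the name, in a stable order.
        return sorted(self._names.get(name.lower(), ()))


class PersonalAgent:
    """Client-side disambiguation from the user's own history. Ranks the
    candidates, but refuses to choose silently when the choice is ambiguous,
    because a wrong guess could deliver sensitive mail to the wrong party."""

    def __init__(self, namespace):
        self.ns = namespace
        self.history = defaultdict(int)  # endpoint -> times the user chose it

    def remember(self, endpoint):
        self.history[endpoint] += 1

    def resolve(self, name):
        """Return (endpoint, None) when the answer is unambiguous, otherwise
        (None, ranked_candidates) so the caller must ask the user."""
        cands = self.ns.candidates(name)
        if not cands:
            return None, []
        if len(cands) == 1:
            return cands[0], None
        ranked = sorted(cands, key=lambda e: (-self.history[e], e))
        top = ranked[0]
        # Unambiguous only if the user has chosen the top candidate before
        # and has never chosen any of the others.
        if self.history[top] > 0 and all(self.history[e] == 0 for e in ranked[1:]):
            return top, None
        return None, ranked
```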
Implementation
Sample Scenarios
Discussion Points
Brown:
Adams: Distinguish email from the web [@@@what about other protocols /
services?]
?: EC is predicated on certainty in the existing DNS structure, and
business will stick with it
So an alternative approach must be able to go around the DNS
Gilmore: ###A new scheme, to gain acceptance, must deliver everything the
DNS does, and more besides, such that it's acceptable to all players
Gilmore: It's not the hierarchy of *names* that's the problem; it's the
control that it enables
Gilmore: The DNS is the world's largest distributed database, and was
developed at a time when distributed database theory and practice were
very young. Contemporary distributed database theory and practice may
enable hierarchy to be retained, but chokepoints that risk the exercise
of political control may be able to be avoided
Cottrell: ###Use would be heavily dependent on learned context, i.e. what
your personal agent had learnt from your prior practices. That will
therefore need to travel with the user and be available to them from
whatever device they may access the net
Cottrell: There's great value in the certainty of a short(ish) string
that can be printed on a business card and ensure the accessibility of
one's site / mailbox
Kristol: Encouraging download and installation is a serious challenge.
How can user-driven / pull deployment be stimulated?
Whitten: From bookmarks to aliases, and shared ones at that
Brown: There are privacy risks of a personal agent, both in terms of
penetration / disclosure, but also subpoena/warrant
Mulligan: Suppression of free speech will be attempted by powerful
interests, whether or not a hierarchical DNS exists to assist them. Does
this really help the little guys get the name they want?
Foner: It's hard for the little guy to get their surname, and will soon
be unable to get their firstname-surname either
Wright:
Expectations - if disambiguation is usually right, users will think it's
always right
Common Name Problem - common names result in synonyms and synonym-breaking
Privacy - the wrong person may be the recipient of sensitive information
- how do you know when you've got the wrong address?
Adams:
Whitten:
Gilmore:
Clarke:
We're focussing on infrastructure, and that's hard
Let's do some easy things first
Any semi-structured problem requires some analysis, but also some prototyping
###Prototype by interposing a local agent at the browser
acme.org => http:// => with and without www. => acme.com, .net, .org.us
(okay, so Netscape does some of that too)
Develop heuristics
Enable extension and learning
Page: ###Google has an 'I'm feeling lucky' button at the end of its
search, to guess the most likely fit
Zimmerman: ###We need to sustain reliability of discovering
barnesandnoble [and eff]
Foner: In Minnesota, there used to be a bookshop called Amazon, there for
15 years before amazon.com, and since sued and squelched
Gilmore: We can't afford to lapse into a critique of the wrongs of the
current DNS; we need to look for the positives
Gilmore: He suggested to Netscape that they charge NSI for the
favouritism. Instead they came up with their own (charged) namespace.
So there will be attempts to leverage commercially
Brown:
Weinberg (ICANN Working Group on new Suffixes): Following on from Clarke:
###think of this as a DNS overlay rather than as a replacement. Multiple
additional suffixes is a part-solution to the land-grab problem; but
there will be opposition from the owners of valuable domain-names
(ibm.corp, ms.co, etc.)
Whitten: Is the objective findability or certainty?
Kristol: Yahoo's menu-system/categories is an approach to disambiguation
Feng: Can location be a qualifier, enabling amazon-in-Minneapolis to be
found by a person in Minnesota either instead of or as well as amazon.com
(e.g. with a pick-list being offered)?
Sander: The normal approach in the Internet industry is "just start a
company and do it".
So: what's the killer app for this proposition? With one, it can fly;
and without one it won't
Garfinkel: DNS *was* meant to be used by individuals; it was
IP-addresses that weren't. The telephone-system uses meaningless codes,
equivalent to IP-addresses. So ###use corporation-id as the identifier,
and get content out of the identifier
Garfinkel: The problem is top-down searching of the DNS. The Berkeley
scheme which won was top-down; the MIT search worked within, then up and
down from the local domain
Garfinkel: Use additional servers over the existing infrastructure
Garfinkel: Trademark law creates the incentive and capability for
lawsuits. So ibm.vineyard.com could be sued by IBM, not just ibm.corp
McCandlish: There are multiple motivations bound up in this, and they're
legal system problems rather than technical ones
[10:45 - 11:15 Break]
Shostack: There are two separate problems: find something that is
well-identified; and find something only loosely identified (an old
school-friend)
Mulligan: There appears to be an inherent assumption that diversity will
complicate enforcement, and hence assist the avoidance of repression.
There are doubts that this will work.
Dimczuk?: Should we be overlaying this scheme on DNS, or vice versa? So
there should be multiple trees, and NSI would only be one of them
Gilmore: ###The DNS was designed for naming things, not finding them
Phillips: The 'circle of friends' notion seems to be at the heart of this
exercise. But most people actually go to pre-formed communities, be they
McDonalds or AOL channels
Sanders: This idea has the same problem as things like autonomous mobile
code: it's trying to be all things to all men. Consider freenet: the
ability to post things in such a way that they can't be taken down.
That's attractive in one way, but very dangerous in others
Auerbach: The presumption of there being a singular DNS isn't
appropriate. We *do* need multiples, but we also need certainty and
hierarchy. DNS is starting to change anyway, particularly in becoming
dynamic
Auerbach: ###If you're looking for a killer app, look at the people
inside the system, e.g. ISPs are motivated to save bandwidth by storing
close to demand (the concept of 'net-closest mirror' of a resource)
Gould: There are multiple sets of goals, and we're not being explicit
enough about them, and about the contexts that they address.
Page: Google.com's 'I'm feeling lucky' button layers auto-choice over
search-engine results
Auerbach: ###Does DNS aim to deliver certainty, or should the user
confirm where they've arrived before they make any commitments?!
Samarajiva: To achieve a tractable problem, we may need to avoid the big
problem of the economic/commerce-space, and focus on local economy and
the community-space [@@@So we acknowledge that ecommerce rules the net?]
Larsen: There are layers to this problem, because DNS is used at
machine-levels as well as people-levels
Larsen: ###Search-engine policies should be declared, because there are
biases built in (that's the nature of *any* heuristic, let alone a set of
heuristics designed as a means of making money)
Cottrell: Most people don't have personal domain-names, and it wasn't
designed to offer that facility. Maybe some other facility should
support person-discovery
Auerbach: DNS is not just about the web. You can reach [some] people by
phone, through use of the DNS
Page: ###DNS performance is a serious constraint on overall response-time
Page: ###New spaces are emerging that are distinct from DNS, e.g. Napster for MP3
Del Torto: Less developed countries have the inverse relationship - many
people to a single domain-name rather than just one
Foner:
Le Ball?: ###Use of open source would enable the enhancement of the
browser to incorporate an agent in the URL line
Kamm: There are such tools; but these agents need to be compatible with
/ aware of / integrated with search-engine technology
Whitten: Do people guess at URLs when they search?
Kamm: In the case of IBM.com, yes; but generally, maybe not
Auerbach: ###Playing with DNS over-rides does *not* risk breaking the
net. It's an add-on, not a fundamental
Weinberg: Integrating a search-engine into the browser is very limiting
and risky. [They will change and develop, 'improve' in multiple
directions, and gain embedded biases]. ###Maybe this initiative should
be a particular approach to searching not naming
Gilmore [as Moderator]: The Workshop's focus is 'how do we design this
into infrastructure?'
Brockman: The mid-90s Netscape flavour was attractive; but it
disappeared inside AOL. Compuserve offered content-free ids, and look
where it got them ...
Brockman: Autonomy in the U.K. (working with the Brit equivalent of the
NSA?) developing context[-based?] searching to build personal profile
into the disambiguation process
Gilmore (Dan): This initiative, if it developed, would tend to become
proprietary, wouldn't it?
?: Can't we achieve the aim by just extending existing search-engines,
e.g. via XML Meta-Tags?
Brown: Multiplicity of namespaces helps, because it makes it harder for a
corporation to monopolise a string
Foner: If we're targeting finding rather than naming, search-engines
aren't very good, because they don't cover the entire web (although maybe
meta-search can)
Auerbach: Build over DNS a set of systems, don't undermine the existing
one
Wendy?: Design depends on the objectives, and we haven't defined the
problem and selected the objectives. ###Defeating proprietary control
over the net (governmental *or* corporate) is the aim she's most
interested in
Cottrell: Integration is necessary with whatever device and service is
used, i.e. don't assume a web-browser
Audience?: This topic is only part of the aim today. It's mainly freedom,
and quite specific.
Mulligan: Is it the centralisation of control that's a problem?
Audience?: ###My personal toys are freehold, and I should be able to name
it as I see fit, qualified by context and behaviour
Audience?: DNS has to be reliable and fast. And that conflicts with the
desire for flexibility
Cottrell: Maybe let big business sue the people they want to, and
everyone else can try to stay underneath their radar
Auerbach: There's the idea of multiple DNS namespaces; but then you need
a single registration-point
Shostack: So free speech depends on staying beneath the radar of the
powerful institutions
Williams (Gail): Use a special character as a qualifier on trade-names,
e.g. #amazon
Weinberg: Actions in the courts, and judicial interpretations as to
whether the use of such a qualifier still breaches a trademark, and
whether free speech is infringed, are outside the scope of this design
exercise
Gilmore: But we do have an influence over interpretations in the courts,
because we create an expectation, which is admissible by means of expert
witness evidence
Wendy?: It would be nice if ccTLDs reflected the language [but
Switzerland?!]
Auerbach: Remember the power of 'code' (i.e. standards and
implementations, incl. mistakes in RFCs) - go forth and *do* it, and see
if anybody adopts it
Page: Metadata is evil because it can't be seen, and it gets used for
spam ...
Feng: We're not going to solve the DNS problem today. We should get out
and write code, and draft RFCs. ###We should look for a forum in which
this discussion could be pursued after the end of this Workshop, and
co-ordination could be achieved
Foner: We'll be consolidating documentation on the cfp2000 web-site, and
can extend the existing e-list discussion-group beyond the present 35
participants
Hogg:
Audience?: ###The ambiguity is *important*, and needs to be appreciated
not bemoaned
Auerbach: ###Even more broadly than that, we need to encourage human
values on the net
[The serendipity implied by 'surfing' is an important element of
web-behaviour]
Audience?: Add more [key?]words
Gilmore: The real progress has been made by small groups working in
isolation, and producing something that other people later liked and
adopted
Gilmore: The Internet is much, much more than the latest, greatest
protocol, incl. the web
Umbaugh: People with far less technical sophistication than people in
this room need incentives to adopt these facilities
Auerbach: Getting these things deployed depends on adoption by companies
and incorporation into products
Audience?: Physical community-based activities are unusual on the net.
Common interests are the primary rallying-point for people
Page: Please support Chinese [i.e. 2-byte Unicode]
Gilmore: DNS does it in principle [but mapping between character-sets is a
problem, especially when one is character-based and the other
ideographic]
Cottrell: Avoid geographical limitations [i.e. *within* the name-structure]
Kamm: User-testing has shown that geographical indicators *do* matter to
users
Lenny Foner Last modified: Sun Apr 23 15:46:35 EDT 2000