These notes are raw and not post-processed. They were all taken while the workshop was going on, and hence are not polished and not guaranteed complete or necessarily even balanced -- many scribes took extensive notes on only parts of the entire discussion.
Computers, Freedom & Privacy
Workshop on Freedom and Privacy by Design
4 April 2000

Notes on the morning sessions
Roger.Clarke@xamax.com.au (On the move until 17 April and only sporadically reading email in that time)

### indicates things I thought were particularly important
@@@ indicates interpolations by myself (i.e. no-one said it during the session)

Obstacles - Rebecca Wright, AT&T Research Labs

Q: What to protect?
A: Privacy, free speech, anonymous speech
But:
- different governments have different laws
- different individuals have different valuations
- different and in part conflicting needs among players

Q: Who should decide?
Interplay among interests

Q: How to achieve?
design
construction
deployment / transition / integration

Requirements
- convenience
- fairness / accessibility
- backed by industry

Tools / Mechanisms
- crypto (protects data in transit, less so at the ends)
- open source software
- consumer / voter education

Usability - Alma Whitten, Carnegie-Mellon

Human Factors aspects / constraints

Don't expect users to:
- know what they need
- read manuals
- keep trying
- recognise success

Regard with suspicion any scheme that assumes that
- users manage key distribution
- pay attention to digital signatures
- comprehend policies

Think tools? They're general and robust; but need skills
Or think appliances? They're specific and fragile; but need lower skill (until they break)

Automation guidelines:
- either the system must always work; OR
- users must know how to compensate for a failure; OR
- functionality must not be crucial

Two different goals:
- get the solution in place for those that already want it; and/or
- sell the solution to those who don't yet know they need it

@@@INTERIM CONCLUSIONS [THESE ARE ROGER'S INTERPOLATIONS]:
- maximise embedment in infrastructure
- privacy-protective defaults
- accessible explanations
- simple interfaces to modify the defaults

DNS Replacement
P Nominated Structure

Origins: an Eric Hughes idea articulated by Lenny Foner

How does it work? ...

What's Broken?
- I.P. and land grabs / cybersquatting (scarcity begets value-in-exchange)
- political chokepoint delivers control to someone
- little guys can't register their business name (first acme.com to register wins)

A Modest Proposal
- throw away:
  - the hierarchy/tree-structure
  - the single instance of a name in the namespace
- hence names no longer unique or even resolvable
- land grabs are much more difficult
- everyone can register multiple names for free
- has no impact on the remainder of the infrastructure

Implementation

Sample Scenarios

Discussion Points

Brown:

Adams: Distinguish email from the web [@@@what about other protocols / services?]

?: EC is predicated on certainty in the existing DNS structure, and business will stick with it. So an alternative approach must be able to go around the DNS

Gilmore: ###A new scheme, to gain acceptance, must deliver everything the DNS does, and more besides, such that it's acceptable to all players

Gilmore: It's not the hierarchy of *names* that's the problem; it's the control that it enables

Gilmore: The DNS is the world's largest distributed database, and was developed at a time when distributed database theory and practice were very young. Contemporary distributed database theory and practice may enable hierarchy to be retained, but chokepoints that risk the exercise of political control may be able to be avoided

Cottrell: ###Use would be heavily dependent on learned context, i.e. what your personal agent had learnt from your prior practices. That will therefore need to travel with the user and be available to them from whatever device they may access the net

Cottrell: There's great value in the certainty of a short(ish) string that can be printed on a business card and ensure the accessibility of one's site / mailbox

Kristol: Encouraging download and installation is a serious challenge. How can user-driven / pull deployment be stimulated?

Whitten: From bookmarks to aliases, and shared ones at that

Brown: There are privacy risks of a personal agent, both in terms of penetration / disclosure, but also subpoena/warrant

Mulligan: Suppression of free speech will be attempted by powerful interests, whether or not a hierarchical DNS exists to assist them. Does this really help the little guys get the name they want?

Foner: It's hard for the little guy to get their surname, and will soon be unable to get their firstname-surname either

Wright: Expectations - if disambiguation is usually right, users will think it's always right

Common Name Problem
- common names result in synonyms and synonym-breaking

Privacy
- the wrong person may be the recipient of sensitive information
- how do you know when you've got the wrong address?

Adams:

Whitten:

Gilmore:

Clarke: We're focussing on infrastructure, and that's hard. Let's do some easy things first. Any semi-structured problem requires some analysis, but also some prototyping. ###Prototype by interposing a local agent at the browser:
  acme.org => http:// => with and without www. => acme.com, .net, .org.us
  (okay, so Netscape does some of that too)
Develop heuristics
Enable extension and learning

Page: ###Google has an 'I'm feeling lucky' button at the end of its search, to guess the most likely fit

Zimmerman: ###We need to sustain reliability of discovering barnesandnoble [and eff]

Foner: In Minnesota, there used to be a bookshop called Amazon, there for 15 years before amazon.com, and since sued and squelched

Gilmore: We can't afford to lapse into a critique of the wrongs of the current DNS; we need to look for the positives

Gilmore: He suggested to Netscape that they charge NSI for the favouritism. Instead they came up with their own (charged) namespace. So there will be attempts to leverage commercially

Brown:

Weinberg (ICANN Working Group on new Suffixes): Following on from Clarke: ###think of this as a DNS overlay rather than as a replacement. Multiple additional suffixes is a part-solution to the land-grab problem; but there will be opposition from the owners of valuable domain-names (ibm.corp, ms.co, etc.)

Whitten: Is the objective findability or certainty?

Kristol: Yahoo's menu-system/categories is an approach to disambiguation

Feng: Can location be a qualifier, enabling amazon-in-Minneapolis to be found by a person in Minnesota either instead of or as well as amazon.com (e.g. with a pick-list being offered)?

Sander: The normal approach in the Internet industry is "just start a company and do it". So: what's the killer app for this proposition? With one, it can fly; and without one it won't

Garfinkel: DNS *was* meant to be used by individuals; it was IP-addresses that weren't. The telephone-system uses meaningless codes, equivalent to IP-addresses. So ###use corporation-id as the identifier, and get content out of the identifier

Garfinkel: The problem is top-down searching of the DNS. The Berkeley scheme which won was top-down; the MIT search worked within, then up and down from the local domain

Garfinkel: Use additional servers over the existing infrastructure

Garfinkel: Trademark law creates the incentive and capability for lawsuits. So ibm.vineyard.com could be sued by IBM, not just ibm.corp

McCandlish: There are multiple motivations bound up in this, and they're legal system problems rather than technical ones

[10:45 - 11:15 Break]

Shostack: There are two separate problems: find something that is well-identified; and find something only loosely identified (an old school-friend)

Mulligan: There appears to be an inherent assumption that diversity will complicate enforcement, and hence assist the avoidance of repression. There are doubts that this will work.

Dimczuk?: Should we be overlaying this scheme on DNS, or vice versa? So there should be multiple trees, and NSI would only be one of them

Gilmore: ###The DNS was designed for naming things, not finding them

Phillips: The 'circle of friends' notion seems to be at the heart of this exercise. But most people actually go to pre-formed communities, be they McDonalds or AOL channels

Sanders: This idea has the same problem as things like autonomous mobile code: it's trying to be all things to all men. Consider freenet: the ability to post things in such a way that they can't be taken down. That's attractive in one way, but very dangerous in others

Auerbach: The presumption of there being a singular DNS isn't appropriate. We *do* need multiples, but we also need certainty and hierarchy. DNS is starting to change anyway, particularly in becoming dynamic

Auerbach: ###If you're looking for a killer app, look at the people inside the system, e.g. ISPs are motivated to save bandwidth by storing close to demand (the concept of 'net-closest mirror' of a resource)

Gould: There are multiple sets of goals, and we're not being explicit enough about them, and about the contexts that they address.

Page: Google.com's 'I'm feeling lucky' button layers auto-choice over search-engine results

Auerbach: ###Does DNS aim to deliver certainty, or should the user confirm where they've arrived before they make any commitments?!

Samarajiva: To achieve a tractable problem, we may need to avoid the big problem of the economic/commerce-space, and focus on local economy and the community-space [@@@So we acknowledge that ecommerce rules the net?]

Larsen: There are layers to this problem, because DNS is used at machine-levels as well as people-levels

Larsen: ###Search-engine policies should be declared, because there are biases built in (that's the nature of *any* heuristic, let alone a set of heuristics designed as a means of making money)

Cottrell: Most people don't have personal domain-names, and it wasn't designed to offer that facility. Maybe some other facility should support person-discovery

Auerbach: DNS is not just about the web. You can reach [some] people by phone, through use of the DNS

Page: ###DNS performance is a serious constraint on overall response-time

Page: ###New spaces are emerging that are distinct from DNS, e.g. Napster for MP3

Del Torto: Less developed countries have the inverse relationship - many people to a single domain-name rather than just one

Foner:

Le Ball?: ###Use of open source would enable the enhancement of the browser to incorporate an agent in the URL line

Kamm: There are such tools; but these agents need to be compatible with / aware of / integrated with search-engine technology

Whitten: Do people guess at URLs when they search?

Kamm: In the case of IBM.com, yes; but generally, maybe not

Auerbach: ###Playing with DNS overrides does *not* risk breaking the net. It's an add-on, not a fundamental

Weinberg: Integrating a search-engine into the browser is very limiting and risky. [They will change and develop, 'improve' in multiple directions, and gain embedded biases]. ###Maybe this initiative should be a particular approach to searching not naming

Gilmore [as Moderator]: The Workshop's focus is 'how do we design this into infrastructure?'

Brockman: The mid-90s Netscape flavour was attractive; but it disappeared inside AOL. Compuserve offered content-free ids, and look where it got them ...

Brockman: Autonomy in the U.K. (working with the Brit equivalent of the NSA?) developing context[-based?] searching to build personal profile into the disambiguation process

Gilmore (Dan): This initiative, if it developed, would tend to become proprietary, wouldn't it?

?: Can't we achieve the aim by just extending existing search-engines, e.g. via XML Meta-Tags?

Brown: Multiplicity of namespaces helps, because it makes it harder for a corporation to monopolise a string

Foner: If we're targeting finding rather than naming, search-engines aren't very good, because they don't cover the entire web (although maybe meta-search can)

Auerbach: Build over DNS a set of systems, don't undermine the existing one

Wendy?: Design depends on the objectives, and we haven't defined the problem and selected the objectives. ###Defeating proprietary control over the net (governmental *or* corporate) is the aim she's most interested in

Cottrell: Integration is necessary with whatever device and service is used, i.e. don't assume a web-browser

Audience?: This topic is only part of the aim today. It's mainly freedom, and quite specific.

Mulligan: Is it the centralisation of control that's a problem?

Audience?: ###My personal toys are freehold, and I should be able to name it as I see fit, qualified by context and behaviour

Audience?: DNS has to be reliable and fast. And that conflicts with the desire for flexibility

Cottrell: Maybe let big business sue the people they want to, and everyone else can try to stay underneath their radar

Auerbach: There's the idea of multiple DNS namespaces; but then you need a single registration-point

Shostack: So free speech depends on staying beneath the radar of the powerful institutions

Williams (Gail): Use a special character as a qualifier on trade-names, e.g. #amazon

Weinberg: Actions in the courts, and judicial interpretations as to whether the use of such a qualifier still breaches a trademark, and whether free speech is infringed, are outside the scope of this design exercise

Gilmore: But we do have an influence over interpretations in the courts, because we create an expectation, which is admissible by means of expert witness evidence

Wendy?: It would be nice if ccTLDs reflected the language [but Switzerland?!]

Auerbach: Remember the power of 'code' (i.e. standards and implementations, incl. mistakes in RFCs) - go forth and *do* it, and see if anybody adopts it

Page: Metadata is evil because it can't be seen, and it gets used for spam ...

Feng: We're not going to solve the DNS problem today. We should get out and write code, and draft RFCs. ###We should look for a forum in which this discussion could be pursued after the end of this Workshop, and co-ordination could be achieved

Foner: We'll be consolidating documentation on the cfp2000 web-site, and can extend the existing e-list discussion-group beyond the present 35 participants

Hogg:

Audience?: ###The ambiguity is *important*, and needs to be appreciated not bemoaned

Auerbach: ###Even more broadly than that, we need to encourage human values on the net [The serendipity implied by 'surfing' is an important element of web-behaviour]

Audience?: Add more [key?]words

Gilmore: The real progress has been made by small groups working in isolation, and producing something that other people later liked and adopted

Gilmore: The Internet is much, much more than the latest, greatest protocol, incl. the web

Umbaugh: People with far less technical sophistication than people in this room need incentives to adopt these facilities

Auerbach: Getting these things deployed depends on adoption by companies and incorporation into products

Audience?: Physical community-based activities are unusual on the net. Common interests are the primary rallying-point for people

Page: Please support Chinese [i.e. 2-byte Unicode]

Gilmore: DNS does it in principle [but mapping between character-sets is a problem, especially when one is character-based and the other ideographic]

Cottrell: Avoid geographical limitations [i.e. *within* the name-structure]

Kamm: User-testing has shown that geographical indicators *do* matter to users
Lenny Foner Last modified: Sun Apr 23 15:46:35 EDT 2000