These notes are raw and not post-processed. They were all taken while the workshop was going on, and hence are not polished and not guaranteed complete or necessarily even balanced -- many scribes took extensive notes on only parts of the entire discussion.
9:20 start

Lenny: Welcome to an experiment! [Describes format of session] "A well caffeinated workshop is a happy workshop!"

First item to tackle:

Replacing the Domain Name System
================================

What's broken?
- intellectual property and land grabs
- political chokepoint
- little guys

Len: rest of the network architecture would be untouched. [Is this possible?]
Dave: IETF shirt [check out Len's shirt].
Len: "If the network had been designed differently, THIS [pointing to POLITICAL, at top layer] would have been very different." (e.g., if network owned by MS from the get-go.)

[2nd speaker: Rebecca Wright]
Rebecca: I'll identify several obstacles to our task.
- What to protect? (privacy, anonymity, etc.)
- Who should decide? (interplay between government, public interest groups, voluntary industry standards, consumer-driven market forces, technology itself) "De facto standards play a role, as we're using them."
- How to achieve? (not enough to design and implement solution -- need to have it deployed [= adopted] widely) Users may not adopt for variety of reasons, e.g., integration with existing systems ("Microsoft factor")
- Requirements: easy to use; fair (I generally don't favor market approaches: should not be 2 ISPs, one that protects but charges, other that doesn't but is free); backed by industry (either for direct commercial reasons or in response to government and/or consumer pressure)
- Tools? Cryptography; open source software (= a grassroots technology?); consumer/voter education ("but don't overwhelm them!").

[3rd speaker: Alma Whitten]
Alma: I'll try to provide overview of human factors.
"WARNING: When trying to provide privacy and security via tech, do not expect users to:
a) know what they need
b) read manuals
c) keep trying [after initial failure]
d) recognize success"
More true of privacy and security software than general software. User may not know how to get privacy, nor recognize if privacy has been achieved.
"REGARD WITH SUSPICION: Proposals which assume:
- users manage key distribution
- users pay attention to digital signatures
- [...]"
Tools or appliances: Tools: general, robust, need skill (e.g., hammer), but has higher usability threshold; Appliances: more fragile but generally easier to use, until it breaks down (requires an expert to fix).
Automation guidelines: Either system must always work, OR users must know how to compensate, OR functionality must be critical.
Two different goals: Are we trying to (1) Get solution in place for those who already want it AND??? [OR?] (2) sell solution to those who don't necessarily know they want it. Note (2) can help (1). [me: are (1) and (2) in tension? Think more about this]

End of formal presentations: 9:45 => go to open discussion

Ian Brown: [at white board] Good ideas. I'd like it to be slightly changed. I think DNS has some useful functions. I think this project is absolutely right. DNS has been subverted into something it should never have been [i.e., typing in gobbledygook to get to AOL.com.something]. Want to overlay something on top of DNS to add functionality. I think it would be more productive to [...]
Anne Adams: User perspective: very different tasks: email versus web: email is 1-1, web is [widely available]. I think you need to make distinction between email and web thing.
Jon Weinberg: [...] DNS is not going away. Lots of major e-commerce users are not going to change. ICANN supported DNS structure. [me: is ICANN another obstacle/veto point?]
Len: So you're saying e-commerce has won.
Jon: Not necessarily that e-commerce has won, but possible for 2 systems to coexist. E-commerce strong enough to resist. We cannot force IBM or MS to stop using the legacy of DNS.
Len: What would we have to do to make system so attractive to everyone else so that big players have to go along?
Gilmore: I think just has to do everything that DNS does but better. Like how web grew up beside FTP and Gopher.
So not how to satisfy political constraints but just do better. Confusion between goal and design. Hierarchical structure is not necessarily bad, only bad if it leads to [i.e., if someone can impose] hierarchical control. [...] Having unique names is a useful thing: allows anyone to talk to anyone, which has led to the Internet's liberalizing effect.
Tad Hogg: privacy concern if users reluctant to reveal what they're browsing for. So, how to engage users to participate if they see themselves as not getting immediate benefit?
Lance Cottrell: user expectations: e.g., users typing in query in one place prob. expect to get same answer [find same person] regardless of where they make query. [e.g., at hotel email] Also, how much information we're expecting to guarantee uniqueness. Thinking of both intentional and unintentional confusion.
Dave Kristol: raise idea of deployment: this particular proposal is not well received by general commercial interests. If so, how do you get software available to support this proposal? We're deceiving ourselves if we think lots of users will download software, [etc]. So the problem I see is that unless some commercial interest is there, then not going to get software out.
Alma: share aliases?
Ian: privacy issues [again]
Deirdre Mulligan: This is not just a surveillance issue -- seems like concern about [?] from grassroots. I'm not so sure that the proposal [on political chokepoint] can be addressed by technical solution. Also not sure about little guy, whether little guy is really better off. Also, not sure how land-grab problem is addressed by proposal.
Len: Little guys are people too, in the sense that they should be able to get fairly simple [domain name], which they can't do right now. John had excellent point about confusion between goals and means. [...] Right now, [what domain name you get is decided as follows]: powerful multinational wins, or else first-comer wins, or else it's random.
Rebecca: [with overhead slide]
1. Expectations: if disambiguation is usually right, then users will expect it will always be right, which is not true. (There will be goof-ups.)
2. Users with common names may still need unusual names.
3. Privacy: proposal may make things worse. [Who do you give out information to for disambiguation?]
How do you know when wrong site is reached? Is there a diameter dichotomy?
Anne: from user's perspective, still need a handle. If lots of Freds then would be a nightmare (blindfolded into the forest). Also, need to be able to trust AT&T is AT&T.
Alma: [...]
John: how does this address the land-grab concern? People smoosh their first and last names together because there are many more combinations of that as opposed to
Deirdre: Price might be incredibly high before some companies stop land-grabbing.
Roger Clarke: let's tackle easy. I'm still waiting for user agent to sit and do the heuristics for me. Can move up slowly. Can learn slowly, figure out what heuristics apply to which community.
Phil Zimmerman: if we try to resolve the land-grab problem by letting a 1000 flowers bloom, then there's going to be confusion. And if .com is the most important, then [there is implicit hierarchy] and Barnes and Noble will want all the important suffixes.
Len: small Amazon was run over by big Amazon: classic land-grab.
Phil: as a consumer, I don't care, I want to find Barnes and Noble. [...]
John: [...]
Ian: basic problem is, global unique identifiers are not what DNS was designed for.
Jon: identify myself: I'm chair of the ICANN working group on top-level domains. Think of smoosh system as an overlay, not replacement. Adding suffixes by the hundreds would majorly address land-grab over time, but not politically feasible right now.
Alma: distinguish between findable and between a name that's "good" in some other sense.
Dave: Yahoo's classification system does have a way of doing other kind of search.
Patrick Feng: [...]
Tomas Sander: How to make this happen? Not by talking -- people just go out and found a company. So, my question is what is the killer app for this thing? [...] I know the world is not fair. But people don't really [audience]
Simson Garfinkel: the DNS *was* meant to be used by individuals. People are saying it wasn't, but it was. The thing that wasn't meant to be used by individuals was IP addresses. The idea that we could use a content-based addressing system is fundamentally flawed. If we had several levels of hierarchy, and when you couldn't find at one level, then you could go to next level up. Maybe do geographic systems. Those who claim that if you have 100 or 1000 top-level domains it will address the land-grab issue simply do not understand trademark law. That's not going to happen. I think the only solution will be to remove content from the address.
[Stanton McCallish, EFF (sp?)] ?: 2 different and separable goals? Over here: privacy, anon, socio-political problems. Over there: copyright, intellectual property, [etc.] that seem little to have to do with technology. [...] As to Phil's "I just want to find Barnes and Noble," well that's Yahoo's job, or RealNames' job. So there are some ways to tackle IP issues without taking down DNS.

[break: resumes at 11:15]

Len: Reminder: goals versus means.
Adam Shostack: we're dealing with two problems: how to find stores and how to find people.
Deirdre: [...]
Nick Demchuck (sp?): Sort of odd to think of smoosh names overlaying on DNS instead of other way around. We trust NSI. [???]
John: Part of problem is people expect DNS to help naming things, not finding things. If we could just come up with a system that was really good at naming things that was not subject to political [hijack], then that would be great.
David Phillips: I'm sort of concerned about this circle-of-friends idea at the heart of this proposal. Don't think that's how people
Tomas: Revolutionizing the DNS is a little bit too big. I'm a little suspicious of highly flexible systems. [too flexible is not good] Also would be good to question some of the assumptions. When I saw (?) I was scared because you don't want to post things forever without taking down.
Karl Auerbach (sp?): put genie back in bottle so that DNS is only naming session. If one controls the namespace, then you can put content closer to user. Killer app might be the app in the eyes of the ISPs (e.g., less/shorter traffic).
Audience [?]: Multiple goals: (1) making sure you get what you think you're looking for; (2) circle of friends.
Carl Page (sp?): I think two very separate problems. Match.com, AllPlanet, AOL as example.
Karl: is DNS [...] [???]
Rohan Samarajiva: I think it would be useful in terms of virtual or global space. I would suggest that . And then to speak of the communities of interest. But in proposal, communities of interest seemed geographically based. [...] I believe at the global level, the big players *will* grab 100 or 1000 names [and fight to the death]. Carve out the possibility that within the community of interest you have disambiguity. Because of all the work I've done on design, one of the central issues is how to prevent big guys from smashing your design.
Audience [?]: Policy disclosure on how search engines display/rank hits in response to your query. [Did someone pay search engine for higher ranking?]
Carl: 2 opportunities to replace DNS. (1) DNS really sucks, really slow; (2) we have a lot of spaces now that are outside of DNS (e.g., music spaces). So, opportunity to make changes exists. [...]
Len: Try to focus. Naming problem and finding problem. Public perception that DNS is for finding; can't change this easily. Then the issue of how to incrementally implement.
[Audience]: DNS still exists, but (like Roger's suggestion) a find tool on browser would help make ibm.com less important. [...]
Karl: I encourage experimentation. Let me posit that the DNS is only *one* way of resolving addresses. [...]
Jon: People have been talking about integrating search engines into browser (and people have pointed out that add-ons do exist). But there are limitations to adding on search engines to browsers -- too big a task. Let's consider SmooshNames as a means of finding people (which we have to disambiguate already).
John: I want to focus back on design. We're sort of talking around design. Suppose we came to consensus. How would we do this in the real world?
Audience [?]: [...] non-keyword means of searching might be a better way of searching. Other side of capitalism: if you look at the number who are looking for ibm.com, it outnumbers others looking for some other ibm, so there is utility in making ibm.com high in ranking.
[Audience] [sam?]: to what extent can extensions solve problem? (e.g., searching for ibm(TM) instead of just ibm.)
Len: won't find little people. So that's why I suggested bottom-up of local to global.
Karl: politically difficult to change DNS. Let's go for a multiplicity of systems.
Wendy: Seems to me that we're running into similar problems of ICANN because we can't agree on the problem.
John: so define the problem.
Wendy: I'm attracted to fighting proprietary control of the Net.
John: so...?
Wendy: Don't want to have MS own whole Net, nor government. [...]
[Audience]: we're not getting at designing privacy.
Len: This morning session was not aimed at privacy, but to bring up freedom and computers issues.
John: let me try and focus. Problem seems to be getting around centralized control of naming. Do I hear any objections?
Deirdre: [clarify?]
John: centralized control...
[Audience]: I want to name my electronic freehold. What the conflict comes from is the behavior
[Audience]: I think we have a classic engineering trade-off here. On one hand DNS has to be fast, reliable, .... On other hand, want flexibility, natural learning, .... And that will not be fast.
Lance: maybe we should punt back to the courts question of trademarks and let that be the enforcement mechanism.
Karl: [...]
Adam: Using the courts is good thing, but problem when big guys
John: but if you can't trust the courts then who can you trust? Ian Goldberg, maybe? [laugh]
[Audience]: Using (*) or some other character to distinguish
Jon: Just one caution, no one in this room has control over the law...
John: I would take issue with that: people in this room don't have control, but we do have influence. [...] What courts tend to do is look at experts and look at the subculture and respect the norms of that subculture.
Karl: all the power is not in the legislature. There is a lot of power in code. People will go out and write code.
Patrick: [what structure for coordinating the "just write code" idea of Karl's?] [...]
Tad: [...] can we think about [???]
Jean Camp: I want to say a word in favor of ambiguity. Rather than designing to remove ambiguity, we should value ambiguity (in certain situations).
Karl: Commerce is going to go ahead anyway. But don't want to lose human values. Also, we should talk, but not So many different uses here; don't want to end up mish-mashing too many things together.
John: Almost all the good ideas have been done by small groups of people working in isolation. And then bursting on to the web and others picking it up because we all realize "hey, that's exactly right!" Another trap: thinking Internet and the Web are the same. Don't assume web is be-all and end-all.
Bruce Umbugh (sp?): have to think about incentives that will get users to buy in.
Karl: there's a huge marketing and sales project to get these things deployed. Big companies will tend to put [good ideas] into products if they're really good. [...]
Carl: Make sure new DNS handles Chinese.
Ian: There is a working group (on internationalization?) for DNS.
John: The problem is at the user-interface level. [How do I find Chinese website?] The lower level was done correctly in the DNS.
Lisa Kamm: geographic hierarchy may be (is) still important for many people. [We're not typical users.]

[end morning session at 12:30]

Afternoon session I: business methodology
=========================================

Send notes to cfp-wfpd-notes@media.mit.edu

[session starts at 2:15]

Workshop on Design Issues in Anonymity and Unobservability, at International Computer Science Institute in Berkeley, CA. URL: www.icsi.berkeley.edu/~hannes/ws.html.

Len: Here's the problem: a lot of companies make money by violating people's privacy: data mining, etc. Some possibilities:
- wait for a privacy Chernobyl: almost got one with DoubleClick, but not quite
- ad campaigns
- completely new business whose aim is protecting civil liberties
David Philips: parallels with anti-nuke movement. Could privacy movement learn from this?
- U.S. anti-nukes, phase 1: concerns over safety => NIMBYism
- Phase 2: anti-nukes joined with social movements (organizational alignment): brought resources, media savvy, (etc.)
- Only within this context could TMI and Chernobyl become the nail in the coffin.
Big idea: Creating an informed populace that can react when a Chernobyl comes about. Privacy threats: (elite literature) individual autonomy; intimate relations; government/citizen power; .... On the other hand, popular literature focuses mainly on individual: little talk about larger social, systemic issues. Can notions of intimacy, cultural autonomy, and social discrimination be reattached to privacy? Looking for multiple cultural/ideological/social hooks. Possibilities for coalition: WTO, World Bank; biotech opposition; civil rights.
John Gilmore: going to talk about free software. Running a free software business turned out to be almost the same thing as running a "regular" business. The main thing in making a business successful is not screwing up your business in 1000+ ways.... Intellectual property is just 1 of those 1000 things [that could go wrong]. It's not the be-all and end-all of a business model. If you think that current [situation] sucks, then go out and make your own. If you can make your business run (= not screw up in 1000 ways), then you'll have your way with privacy. [me: strong libertarian assumption at work here. How many people are really in a position to go out and write their own code?] Free software reduces transaction costs of cooperation. By reducing the cost of cooperation, then possibility for more creativity. Hope people will say: "I've got a weekend free, let's see how hard this is".... [me: what would it take to make more free time, to encourage more people to do code for fun rather than do day job, etc.?] [...] Free software: "completely egalitarian system where popularity of the software determines who has control." [...] The thing about Cygnus is that it was the only profitable free software company. [me: doesn't this go against John's earlier assertion that people can just go out and write free code?] FreeS/WAN: an attempt to write free software to effect social change. You get power over the world by being at the top of the chain of a distribution pipeline. FreeS/WAN is about: Automatically encrypting network traffic: all the traffic between sites that use FreeS/WAN will be encrypted. The idea is to go after the fax effect (i.e., network effects). I think that if you understand the dynamics of the free software market -- how people follow excellence -- people will naturally take it up.
Deirdre: what resonates with public-at-large has perplexed privacy advocates in general. We've had some experiences lately.... (1) We filed a suit against Intel. How do you deal with issues that don't quite fit neatly into privacy, or discrimination, or.... E.g., civil liberties groups very concerned about profiling: they can be brought into fold. Concern about the discriminatory use of information has led to broad coalitions to take up privacy as a social challenge.
Colin Bennett: Wanted to comment on Chernobyl analogy. There are a couple of reasons why it's not an appropriate analogy. First, it suggests that privacy disaster is a high-tech disaster, when it could be a low-technology disaster. Second, Chernobyl happened when technology + humans went wrong. I'm more worried about when technologies work perfectly (e.g., surveillance). Not the Chernobyl situation.
John: I also didn't like the Chernobyl analogy. Maybe it's because I'm a libertarian, or perhaps because I don't like disasters. Sounded like David was saying "how can we get a Chernobyl?" [...] Which doesn't sound like a sound basis for public policy. [...]
Anne: technology optimists generally, but then reaction (after privacy disaster) is emotive: suddenly reject all technology. [...]
Roger: lots of background work in advocacy. Have to do your homework. Because when those opportunities arrive you have to be ready to move. Have to have coalitions already built up. And in opportunistic situations you do have to get your hands dirty, make strange bedfellows. Net action guidelines. How do you get public [mobilized]? [...]
[Audience]: I've had trouble explaining the privacy threat to others. (At least Chernobyl was clear/easy to explain.)
Deirdre: Try to give members of the public [a way] to react. Regardless of what they see the risk as, give them a way of acting.
[audience]: Problem I have is taking it one step beyond that. How to explain [...?]
Roger: I always identify four separate aspects of privacy. There are few people in the real world. Highly situational: quite specific, and that's what . The general public has no interest in privacy.
Charles Raab: example of alliances: electronic communications bill going through the UK. Privacy advocates and business community worked together to get key escrow kicked off that bill. (Maybe an alliance, maybe strange bedfellows.) Sometimes government portrayed as
[audience]: more than just what people will lose. It's that people will give away a lot [of personal information] for free computers, money, etc.
Rohan: I'm hearing a lot about activist methodology. Which I'm sympathetic to, but.... [...] Are there ways for institutional or technological design to encourage businesses to do right, right there? [...]
Deborah Pierce: pure reactive mode is not helpful. (Spawns 30+ bills that are not well thought out.) Need something else.
Lorrie Cranor: If you want to motivate business, if you can work with them from the beginning, then how can you get [designers] to take privacy into account early on? Unintended consequences often occur (e.g., electronic toll collection). Systems were never designed for that, but they were never designed *not* to do that either. Have to think about: how to get designers to think about privacy upfront?
Craig Hubley [audience]: [...] Seems like 3 different theories of economics/value: liability theory; labor theory; and price theory of value. Basically boiled down to ontology problem -- what we named the data schema. And there was one data category that was originally named "secret-[blah]," that became "billing address". A year and a half later, someone had decided to add a "feature" to allow users to [check identities across interest groups], and this compromised people's privacy.
Karl: shrink-wrap your name.
Roger: other models besides EU. Legislation does not imply EU.
Adam: how to motivate business? (1) Fear or (2) greed. See this month's issue of Wired: survey on privacy as obstacle to e-commerce. [...]
Colin: to be provocative, international management standards will be inevitable (along the lines of ISO 9000 standards) [...]
Roger: get with the language: need to talk in business lingo.
[audience]: the anti-virus software industry provides an example to learn from: instead of calling the same virus 26 different names, companies agreed to [common industry standard for cooperation].
[activism: _Toxic Sludge is Good For You_: get authors/site]

Session II: Cash
================

Len: what's cash?
- universal acceptance
- assured anonymity
- ease of use: (a) bounded liability; (b) everyone's a merchant
[me: note that cash is not exactly universal, since cash is still tied (loosely) to governments, geographic regions, etc.]
Deirdre: Table on current legal standards for access to papers, records, and communications (see p. 84 of Proceedings)
- privacy pitfalls to leaving email on servers
- server-side versus client-side storage of info
Phil: Why are crypto keys in red boxes?
Deirdre: I'm looking at the legal protections.
Ian: in UK, proposal to make not giving away giving away
Ian Goldberg: 7-11 cash card. This exists already: company is called SpendCash. It's *not* the case that the cash card is tied to something like VISA, so you do have problem of merchant acceptance. Unfortunately it seems like governments are moving into business of making cash less anonymous. E.g., Netherlands: barcoded cash. Raises legal liability issues. Which is really bad.
Rohan: GPS/cell phone is disaster-in-the-waiting: lots of locational information. [...?]
Bryce Wilcox [audience]: why e-cash has failed: fax effect (i.e., network effects). Want almost everyone to accept your cash. Therefore, it's a critical mass issue.
Lance: to the extent that we can make it walk like a credit card and quack like a credit card, we're in good shape.
Deborah: try not to get too hung up on credit card model, since credit cards not used as much in Asia and elsewhere, [...]
Adam: _The Credit Card Catastrophe_ (Matty Simmons)
Dave Kristol: The people who are offering debit (credit) cards would be encouraged if there was demand. And that would be if people wanted anonymity. And that would be if people wanted to buy their favorite sins. So, not clear that governments are going to like debit card idea. Otherwise if you're getting something tangible then anonymous payment doesn't help since you have to provide an address anyway.
Deborah: Is anonymous payment only for bits? No, newspapers, etc.
[audience]: I don't send cash in the mail, why send digital cash over Net?
Phil: There are cryptographic protocols to ensure [non-repudiation].
Deirdre: You can build it, but if the people don't come... [...]
Alma: I read something about what a headache credit card fraud was for merchants. Is it possible to make it less of a risk to accept digital cash instead of credit cards? [Yes] [...]
Jon: one of the disincentives for anonymous cash is that money doesn't go out until I see the goods: protection against fraud. Another disincentive is that there's a float; with debit cards, the float is in the other direction.
Deborah: don't you think that the float will tighten up? [...]
Jason Cattlett: _Paying With Plastic_ On point of porn driving anonymity, unfortunately it's gone the other way because having a credit card is seen as proof of age, so anonymous payment is not catching on.
Phil: if we could just get one anonymous cash system going, at *any* price, and hold on to this (i.e., by creating social expectation that anonymous cash is OK), then we can build on it with market forces. [The idea being that competition will start and slowly drop price of anonymous cash option.] [...]
Tomas: what would drive things forward is functionality, e.g., being able to email money to your friends.
Austin Hill: from my experience, there are a lot of people out there who want to do the right thing [in terms of protecting privacy]. Companies like VISA [etc.] are getting put into undesirable position of enforcement -- U.S. government wants them to not pay for offshore gambling, porn, etc. So, those credit card companies are looking for ways to do anonymous cash. [...]
Ian G: Just has to be a card with 16 digits such that it is compatible with the current clearing system. We should be focusing on the clearing mechanism. [...] And, of course, if we have anonymous cash we need an anonymous communication mechanism.
Rigo Wenning: European smart cards as anonymous? [German data commissioner to my right says no.]
Jean Camp: reliable, anonymous payment is possible.
Len: (1) barcoding digital cash is not any more scary than serial numbers on cash; (2) citation for porn driving VCR market? [yes]; (3) Fedex subpoenas because they collect data on shipping -- they'd prob. be happy if they didn't have to serve up information, another reason for having anonymous cash.
Deborah: [summary/wrap up]

[afterword: comments from audience]
- how to get privacy-centric design now? Developers have clients wanting this stuff now, how do developers figure out what's going on in terms of privacy?
- pcix.org as discussion forum
- get beyond cash (which is a social construction) and think about more fundamental ways of restructuring [social interactions]
- focus on other areas before the Internet (more pressing concerns?)
- central back-and-forth between being alone (disconnecting) and being part of a community (re-engage) is also central to debates over privacy and cryptography

[workshop ends at 5:30]
Lenny Foner Last modified: Sun Apr 23 17:16:19 EDT 2000