These notes are raw and not post-processed. They were all taken while the workshop was going on, and hence are not polished and not guaranteed complete or necessarily even balanced -- many scribes took extensive notes on only parts of the entire discussion.
9:20 start
Lenny: Welcome to an experiment! [Describes format of session]
"A well caffeinated workshop is a happy workshop!"
First item to tackle:
Replacing the Domain Name System
================================
What's broken?
- intellectual property and land grabs
- political chokepoint
- little guys
Len: rest of the network architecture would be untouched. [Is this possible?]
Dave: IETF shirt [check out Len's shirt].
Len: "If the network had been designed differently, THIS [pointing to
POLITICAL, at top layer] would have been very different." (e.g., if
network owned by MS from the get-go.)
[2nd speaker: Rebecca Wright]
Rebecca: I'll identify several obstacles to our task.
- What to protect? (privacy, anonymity, etc.)
- Who should decide? (interplay between government, public interest groups,
voluntary industry standards, consumer-driven market forces, technology
itself) "De facto standards play a role, as we're using them."
- How to achieve? (not enough to design and implement solution -- need to
have it deployed [= adopted] widely) Users may not adopt for variety of
reasons, e.g., integration with existing systems ("Microsoft factor")
- Requirements: easy to use; fair (I generally don't favor market
approaches: should not be 2 ISPs, one that protects but charges, other
that doesn't but is free); backed by industry (either for direct
commercial reasons or in response to government and/or consumer pressure)
- Tools? Cryptography; open source software (= a grassroots technology?);
consumer/voter education ("but don't overwhelm them!").
[3rd speaker: Alma Whitten]
Alma: I'll try to provide overview of human factors
"WARNING: When trying to provide privacy and security via tech, do not
expect users to:
a) know what they need
b) read manuals
c) keep trying [after initial failure]
d) recognize success"
More true of privacy and security software than general software. User may
not know how to get privacy, nor recognize if privacy has been achieved.
"REGARD WITH SUSPICION: Proposals which assume:
- users manage key distribution
- users pay attention to digital signatures
- [...]"
Tools or appliances:
Tools: general, robust, need skill (e.g., hammer): but has higher usability
threshold;
Appliances: more fragile but generally easier to use, until it breaks down
(requires an expert to fix)
Automation guidelines:
Either system must always work, OR users must know how to compensate, OR
functionality must be critical.
Two different goals:
Are we trying to (1) Get solution in place for those who already want it
AND??? [OR?] (2) sell solution to those who don't necessarily know they
want it. Note (2) can help (1).
[me: are (1) and (2) in tension? Think more about this]
End of formal presentations: 9:45 => go to open discussion
Ian Brown: [at white board]
Good ideas. I'd like it to be slightly changed. I think DNS has some
useful functions.
I think this project is absolutely right. DNS has been subverted into
something it should never have been [i.e., typing in gobbledygook to get
to AOL.com.something]
Want to overlay something on top of DNS to add functionality.
I think it would be more productive to [...]
Anne Adams:
User perspective: very different tasks: email versus web: email is 1-1, web
is [widely available].
I think you need to make distinction between email and web thing.
Jon Weinberg:
[...] DNS is not going away. Lots of major e-commerce users are not going
to change.
ICANN supported DNS structure. [me: is ICANN another obstacle/veto point]
Len: So you're saying e-commerce has won.
Jon: Not necessarily that e-commerce has won, but possible for 2 systems to
coexist. E-commerce strong enough to resist. We cannot force IBM or MS
to stop using the legacy of DNS.
Len: What would we have to do to make the system so attractive to everyone
else that big players have to go along?
Gilmore: I think just has to do everything that DNS does but better. Like
how web grew up beside FTP and Gopher.
So not how to satisfy political constraints but just do better.
Confusion between goal and design.
Hierarchical structure is not necessarily bad, only bad if it leads to
[i.e., if someone can impose] hierarchical control.
[...]
Having unique names is a useful thing: allows anyone to talk to anyone,
which has led to the Internet's liberalizing effect.
Tad Hogg: privacy concern if users reluctant to reveal what they're
browsing for. So, how to engage users to participate if they see
themselves as not getting immediate benefit.
Lance Cottrell: user expectations: e.g., users typing in query in one place
prob. expect to get same answer [find same person] regardless of where
they make query. [e.g., at hotel email]
Also, how much information we're expecting to guarantee uniqueness.
Thinking of both intentional and unintentional confusion.
Dave Kristol: raise idea of deployment: this particular proposal is not
well received by general commercial interests. If so, how do you get
software available to support this proposal. We're deceiving ourselves
if we think lots of users will download software, [etc].
So the problem I see is that unless some commercial interest is there, then
not going to get software out.
Alma: share aliases?
Ian: privacy issues [again]
Deirdre Mulligan: This is not just a surveillance issue -- seems like
concern about [?] from grassroots. I'm not so sure that the proposal [on
political chokepoint] can be addressed by technical solution.
Also not sure about little guy, whether little guy is really better off.
Also, not sure how land-grab problem is addressed by proposal.
Len: Little guys are people too, in the sense that they should be able to
get fairly simple [domain name], which they can't do right now.
John had excellent point about confusion between goals and means. [...]
Right now, [what domain name you get is decided as follows]: powerful
multinational wins, or else first-comer wins, or else its random.
Rebecca: [with overhead slide]
1. Expectations: if disambiguation is usually right, then users will expect
it will always be right, which is not true. (There will be goof ups.)
2. Users with common names may still need unusual names.
3. Privacy: proposal may make things worse. [Who do you give out
information to for disambiguation?]
How do you know when wrong site is reached?
Is there a diameter dichotomy?
Anne: from user's perspective, still need a handle. If lots of Freds then
would be a nightmare (blindfolded into the forest). Also, need to be
able to trust AT&T is AT&T.
Alma: [...]
John: how does this address the land-grab concern. People smoosh their
first and last names together because there are many more combinations of
that as opposed to
Deirdre: Price might be incredibly high before some companies stop
land-grabbing.
Roger Clarke: let's tackle easy. I'm still waiting for user agent to sit
and do the heuristics for me. Can move up slowly. Can learn slowly,
figure out what heuristics apply to which community.
Phil Zimmerman: if we try to resolve the land-grab problem by letting a
1000 flowers bloom, then there's going to be confusion. And if .com is
the most important, then [there is implicit hierarchy] and Barnes and
Noble will want all the important suffixes.
Len: small Amazon was run-over by big Amazon: classic land-grab
Phil: as a consumer, I don't care, I want to find Barnes and Noble.
[...]
John: [...]
Ian: basic problem is, global unique identifiers are not what DNS was
designed for.
Jon: identify myself: I'm chair of the ICANN working group on top-level
domains. Think of smoosh system as an overlay, not replacement. Adding
suffixes by the hundreds would largely address the land-grab over time, but not
politically feasible right now.
Alma: distinguish between findable and between a name that's "good" in some
other sense.
Dave: Yahoo's classification system does have a way of doing other kind of
search.
Patrick Feng: [...]
Tomas Sander: How to make this happen? Not by talking -- people just go
out and found a company. So, my question is what is the killer app for
this thing? [...] I know the world is not fair. But people don't
really
[audience] Simson Garfinkel: the DNS *was* meant to be used by individuals.
People are saying it wasn't, but it was. The thing that wasn't meant to
be used by individuals was IP addresses.
The idea that we could use a content-based addressing system is
fundamentally flawed.
If we had several levels of hierarchy, and when you couldn't find at one
level, then you could go to next level up. Maybe do geographic systems.
Those who claim that if you have 100 or 1000 top-level domains it will
address the land-grab issue simply do not understand trademark law.
That's not going to happen.
I think the only solution will be to remove content from the address.
[Stanton McCallish, EFF (sp?)] ?: 2 different and separable goals? Over
here: privacy, anon, socio-political problems. Over there: copyright,
intellectual property, [etc.] that seem to have little to do with
technology. [...] As to Phil's "I just want to find Barnes and Noble,"
well, that's Yahoo's job, or RealNames' job. So there are some ways to
tackle IP issues without taking down DNS.
[break: resumes at 11:15]
Len: Reminder: goals versus means.
Adam Shostack: we're dealing with two problems: how to find stores and how
to find people.
Deirdre: [...]
Nick Demchuck (sp?): Sort of odd to think of smoosh names overlaying on DNS
instead of other way around. We trust NSI. [???]
John: Part of problem is people expect DNS to help naming things, not
finding things. If we could just come up with a system that was really
good at naming things that was not subject to political [hijack], then
that would be great.
David Phillips: I'm sort of concerned about this circle-of-friends idea at
the heart of this proposal. Don't think that's how people
Tomas: Revolutionizing the DNS is a little bit too big. I'm a little
suspicious of highly flexible systems. [too flexible is not good]
Also would be good to question some of the assumptions. When I saw (?) I
was scared because you don't want to post things forever without taking
down.
Karl Auerbach (sp?): put genie back in bottle so that DNS is only naming
session. If one controls the namespace, then you can put content closer
to user. Killer app might be the app in the eyes of the ISPs (e.g.,
less/shorter traffic).
Audience [?]: Multiple goals: (1) making sure you get what you think you're
looking for; (2) circle of friends.
Carl Page (sp?): I think two very separate problems. Match.com, AllPlanet,
AOL as example
Karl: is DNS [...] [???]
Rohan Samarajiva: I think it would be useful in terms of virtual or global
space. I would suggest that . And then to speak of the communities of
interest. But in proposal, communities of interest seemed geographically
based. [...]
I believe at the global level, the big players *will* grab 100 or 1000
names [and fight to the death]. Carve out the possibility that within
the community of interest you have disambiguity.
Because of all the work I've done on design, one of the central issues is
how to prevent big guys from smashing your design.
Audience [?]: Policy disclosure on how search engines display/rank hits in
response to your query. [Did someone pay search engine for higher
ranking?]
Carl: 2 opportunities to replace DNS. (1) DNS really sucks, really slow;
(2) we have a lot of spaces now that are outside of DNS (e.g., music
spaces). So, opportunity to make changes exist.
[...]
Len: Try to focus. Naming problem and finding problem. Public perception
that DNS is for finding; can't change this easily. Then the issue of how
to incrementally implement.
[Audience]: DNS still exists, but (like Roger's suggestion) a find tool on
browser would help make ibm.com less important.
[...]
Karl: I encourage experimentation. Let me posit that the DNS is only *one*
way of resolving addresses. [...]
Jon: People have been talking about integrating search engines into browser
(and people have pointed out that add-ons do exist). But there are
limitations to adding on search engines to browsers -- too big a task.
Let's consider SmooshNames as a means of finding people (which we have to
disambiguate already).
John: I want to focus back on design. We're sort of talking around design.
Suppose we came to consensus. How would we do this in the real world.
Audience [?]: [...] non-keyword means of searching might be a better way of
searching.
Other side of capitalism: if you look at the number of people who are looking for
ibm.com, it outnumbers others looking for some other ibm, so there is
utility in making ibm.com high in ranking.
[Audience] [sam?]: to what extent can extensions solve problem? (e.g.,
searching for ibm(TM) instead of just ibm).
Len: won't find little people. So that's why I suggested bottom-up of
local to global.
Karl: politically difficult to change DNS. Let's go for a multiplicity of
systems.
Wendy: Seems to me that we're running into similar problems of ICANN
because we can't agree on the problem.
John: so define the problem
Wendy: I'm attracted to fighting proprietary control of the Net.
John: so...?
Wendy: Don't want to have MS own whole Net, nor government.
[...]
[Audience]: we're not getting at designing privacy.
Len: This morning session was not aimed at privacy, but to bring up freedom
and computers issues.
John: let me try and focus. Problem seems to be getting around centralized
control of naming. Do I hear any objections?
Deirdre: [clarify?]
John: centralized control...
[Audience]: I want to name my electronic freehold. What the conflict comes
from is the behavior
[Audience]: I think we have a classic engineering trade-off here. On one
hand DNS has to be fast, reliable, .... On other hand, want flexibility,
natural learning, .... And that will not be fast.
Lance: maybe we should punt back to the courts question of trademarks and
let that be the enforcement mechanism.
Karl: [...]
Adam: Using the courts is good thing, but problem when big guys
John: but if you can't trust the courts then who can you trust? Ian
Goldberg, maybe? [laugh]
[Audience]: Using (*) or some other character to distinguish
Jon: Just one caution, no one in this room has control over the law...
John: I would take issue with that: people in this room don't have control,
but we do have influence. [...] What courts tend to do is look at
experts and look at the subculture and respect the norms of that
subculture.
Karl: all the power is not in the legislature. There is a lot of power in
code. People will go out and write code.
Patrick: [what structure for coordinating the "just write code" idea of
Karl's]
[...]
Tad: [...] can we think about [???]
Jean Camp: I want to say a word in favor of ambiguity. Rather than
designing to remove ambiguity, we should value ambiguity (in certain
situations).
Karl: Commerce is going to go ahead anyway. But don't want to lose human
values. Also, we should talk, but not So many different uses here;
don't want to end up mish-mashing too many things together.
John: Almost all the good ideas have been done by small groups of people
working in isolation. And then bursting on to the web and others picking
it up because we all realize "hey, that's exactly right!"
Another trap: thinking Internet and the Web are the same. Don't assume web
is be all and end all.
Bruce Umbugh (sp?): have to think about incentives that will get users to
buy-in.
Karl: there's a huge marketing and sales project to get these things
deployed. Big companies will tend to put [good ideas] into products if
they're really good.
[...]
Carl: Make sure new DNS handles Chinese.
Ian: There is a working group (on internationalization?) for DNS.
John: The problem is at the user-interface level. [How do I send find
Chinese website.] The lower level was done correctly in the DNS.
Lisa Kamm: geographic hierarchy may/is still be important for many people.
[We're not typical users.]
[end morning session at 12:30]
Afternoon session I: business methodology
Send notes to cfp-wfpd-notes@media.mit.edu
[session starts at 2:15]
Workshop on Design Issues in Anonymity and Unobservability, at
International Computer Science Institute in Berkeley, CA. URL:
www.icsi.berkeley.edu/~hannes/ws.html.
Len: Here's the problem: a lot of companies make money by violating
people's privacy: data mining, etc.
Some possibilities:
- wait for a privacy Chernobyl: almost got one with DoubleClick, but not
quite
- ad campaigns
- completely new business whose aim is protecting civil liberties
David Philips: parallels with anti-nuke movement. Could privacy movement
learn from this?
- U.S. anti-nukes, phase 1: concerns over safety => NIMBYism
- Phase 2: anti-nukes joined with social movements (organizational
alignment): brought resources, media savvy, (etc.)
- Only within this context could TMI and Chernobyl become the nail in the
coffin.
Big idea: Creating an informed populace that can react when a Chernobyl
comes about.
Privacy threats: (elite literature) individual autonomy; intimate
relations; government/citizen power; .... On the other hand, popular
literature focuses mainly on individual: little talk about larger social,
systemic issues.
Can notions of intimacy, cultural autonomy, and social discrimination be
reattached to privacy. Looking for multiple cultural/ideological/social
hooks.
Possibilities for coalition: WTO, World Bank; biotech opposition; civil
rights.
John Gilmore: going to talk about free software. Running a free software
business turned out to be almost the same thing as running a "regular"
business. The main thing in making a business successful is not screwing
up your business in 1000+ ways.... Intellectual property is just 1 of
those 1000 things [that could go wrong]. It's not the be all and end all
of a business model.
If you think that current [situation] sucks, then go out and make your own.
If you can make your business run (= not screw up in 1000 ways), then
you'll have your way with privacy.
[me: strong libertarian assumption at work here. How many people are
really in a position to go out and write their own code?]
Free software reduces transaction costs of cooperation. By reducing the
cost of cooperation, then possibility for more creativity. Hope people
will say: "I've got a weekend free, let's see how hard this is".... [me:
what would it take to make more free time, to encourage more people to do
code for fun rather than do day job, etc.?]
[...]
Free software: "completely egalitarian system where popularity of the
software determines who has control."
[...]
The thing about Cygnus is that it was the only profitable free software
company. [me: doesn't this go against John's earlier assertion that
people can just go out and write free code?]
FreeS/WAN: an attempt to write free software to effect social change. You
get power over the world by being at the top of the chain of a
distribution pipeline.
FreeS/WAN is about: Automatically encrypting network traffic: all the
traffic between sites that use FreeS/WAN will be encrypted. The idea is
to go after the fax effect (i.e., network effects).
I think that if you understand the dynamics of the free software market --
how people follow excellence -- people will naturally take it up.
Deirdre: what resonates with public-at-large has perplexed privacy
advocates in general. We've had some experiences lately.... (1) We
filed a suit against Intel. How do you deal with issues that don't quite
fit neatly into privacy, or discrimination, or....
E.g., civil liberties groups very concerned about profiling: they can be
brought into fold.
Concern about the discriminatory use of information has led to broad
coalitions to take up privacy as a social challenge.
Colin Bennett: Wanted to comment on Chernobyl analogy. There are a couple
of reasons why it's not an appropriate analogy. First, it suggests that
privacy disaster is a high-tech disaster, when it could be a
low-technology disaster.
Second, Chernobyl happened when technology + humans went wrong. I'm more
worried about when technologies work perfectly (e.g., surveillance). Not
the Chernobyl situation.
John: I also didn't like the Chernobyl analogy. Maybe it's because I'm a
libertarian, or perhaps because I don't like disasters. Sounded like
David was saying "how can we get a Chernobyl?" [...] Which doesn't
sound like a sound basis for public policy.
[...]
Anne: technology optimists generally, but then reaction (after privacy
disaster) is emotive: suddenly reject all technology.
[...]
Roger: lots of background work in advocacy. Have to do your homework.
Because when those opportunities arrive you have to be ready to move.
Have to have coalitions already built-up. And in opportunistic
situations you do have to get your hands dirty, make strange bedfellows.
Net action guidelines. How do you get public [mobilized].
[...]
[Audience]: I've had trouble explaining the privacy threat to others. (At
least Chernobyl was clear/easy to explain.)
Deirdre: Try to give members of the public to react. Regardless of what
they see the risk as, give them a way of acting.
[audience]: Problem I have is taking it one step beyond that. How to
explain [...?].
Roger: I always identify four separate aspects of privacy. There are few
people in the real world. Highly situational: quite specific, and that's
what . The general public has no interest in privacy.
Charles Raab: example of alliances: electronic communications bill going
through the UK. Privacy advocates and business community worked together
to get key escrow kicked off that bill. (Maybe an alliance, maybe
strange bedfellows.) Sometimes government portrayed as
[audience]: more than just what people will lose. It's that people will
give away a lot [of personal information] for free computers, money,
etc.
Rohan: I'm hearing a lot about activist methodology. Which I'm sympathetic
to, but.... [...] Are there ways for institutional or technological
design to encourage businesses to do right, right there?
[...]
Deborah Pierce: pure reactive mode is not helpful. (Spawns 30+ bills that
are not well-thought out.) Need something else.
Lorrie Cranor: If you want to motivate business, if you can work with them
from the beginning, then how can you get [designers] to take privacy into
account early on? Unintended consequences often occur (e.g., electronic
toll collection). Systems were never designed for that, but they were
never designed *not* to do that either. Have to think about: how to get
designers to think about privacy upfront?
Craig Hubley [audience]: [...] Seems like 3 different theories of
economics/value: liability theory; labor theory; and price theory of
value. Basically boiled down to ontology problem -- what we named the
data schema. And there was one data category that was originally named
"secret-[blah]," that became "billing address". A year-and-a-half later,
someone had decided to add a "feature" to allow users to [check
identities across interest groups], and this compromised people's
privacy.
Karl: shrink-wrap your name.
Roger: other models besides EU. Legislation does not imply EU.
Adam: how to motivate business? (1) Fear or (2) greed. See this month's
issue of Wired: survey on privacy as obstacle to e-commerce.
[...]
Colin: to be provocative, international management standards will be
inevitable (along the lines of ISO 9000 standards)
[...]
Roger: get with the language: need to talk in business lingo.
[audience]: the anti-virus software industry provides an example to learn
from: instead of calling the same virus 26 different names, companies
agreed to [common industry standard for cooperation].
[activism: _Toxic Sludge is Good For You_: get authors/site]
Session II: Cash
================
Len: what's cash?
- universal acceptance
- assured anonymity
- ease of use: (a) bounded liability; (b) everyone's a merchant
[me: note that cash is not exactly universal, since cash is still tied
(loosely) to governments, geographic regions, etc.]
Deirdre: Table on current legal standards for access to papers, records,
and communications (see p. 84 of Proceedings)
- privacy pitfalls to leaving email on servers
- server-side versus client-side storage of info
Phil: Why are crypto keys in red boxes?
Deirdre: I'm looking at the legal protections.
Ian: in UK, proposal to make not giving away giving away
Ian Goldberg: 7-11 cash card. This exists already: company is called
SpendCash. It's *not* the case that the cash card is tied to something
like VISA, so you do have problem of merchant acceptance.
Unfortunately it seems like governments are moving into business of making
cash less anonymous. E.g., Netherlands: barcoded cash. Raises legal
liability issues. Which is really bad.
Rohan: GPS/cell phone is disaster-in-the-waiting: lots of locational
information. [...?]
Bryce Wilcox [audience]: why e-cash has failed: fax effect (i.e., network
effects). Want almost everyone to accept your cash. Therefore, it's a
critical mass issue.
Lance: to the extent that we can make it walk like a credit card and quack
like a credit card, we're in good shape
Deborah: try not to get too hung up on credit card model, since credit
cards not used as much in Asia and elsewhere.
[...]
Adam: _The Credit Card Catastrophe_ (Matty Simmons)
Dave Kristol: The people who are offering debit (credit) cards would be
encouraged if there was demand. And that would be if people wanted
anonymity. And that would be if people wanted to buy their favorite
sins. So, not clear that governments are going to like debit card idea.
Otherwise if you're getting something tangible then anonymous payment
doesn't help since you have to provide an address anyway.
Deborah: Is anonymous payment only for bits? No, newspapers, etc.
[audience]: I don't send cash in the mail, why send digital cash over Net?
Phil: There are cryptographic protocols to ensure [non-repudiation].
Deirdre: You can build it, but if the people don't come...
[...]
Alma: I read something about what a headache credit card fraud was for
merchants. Is it possible to make it less of a risk to accept digital
cash instead of credit cards?
[Yes]
[...]
Jon: one of the disincentives for anonymous cash is that money doesn't go
out until I see the goods: protection against fraud. Another
disincentive is that there's a float; with debit cards, the float is in
the other direction.
Deborah: don't you think that the float will tighten up?
[...]
Jason Cattlett: _Paying With Plastic_. On the point of porn driving anonymity,
unfortunately it's gone the other way because having a credit card is
seen as proof of age, so anonymous payment is not catching on.
Phil: if we could just get one anonymous cash system going, at *any* price,
and hold on to this (i.e., by creating social expectation that anonymous
cash is OK), then we can build on it with market forces. [The idea being
that competition will start and slowly drop price of anonymous cash
option.]
[...]
Tomas: what would drive things forward is functionality, e.g., being able
to email money to your friends.
Austin Hill: from my experience, there are a lot of people out there who
want to do the right thing [in terms of protecting privacy]. Companies
like VISA [etc.] are getting put into undesirable position of enforcement
-- U.S. government wants them to not pay for offshore gambling, porn,
etc. So, those credit card companies are looking for ways to do
anonymous cash.
[...]
Ian G: Just has to be a card with 16 digits such that it is compatible with
the current clearing system. We should be focusing on the clearing
mechanism. [...] And, of course, if we have anonymous cash we need an
anonymous communication mechanism.
Rigo Wenning: European smart cards as anonymous? [German data commissioner
to my right says no.]
Jean Camp: reliable, anonymous payment is possible.
Len: (1) barcoding digital cash is not any more scary than serial numbers on
cash; (2) citation for porn driving VCR market? [yes]; (3) Fedex
subpoenas because they collect data on shipping -- they'd prob. be happy
if they didn't have to serve up information, another reason for having
anonymous cash.
Deborah: [summary/wrap up]
[after word: comments from audience]
- how to get privacy-centric design now? Developers have clients wanting
this stuff now, how do developers figure out what's going on in terms of
privacy?
- pcix.org as discussion forum
- get beyond cash (which is a social construction) and think about more
fundamental ways of restructuring [social interactions]
- focus on other areas before the Internet (more pressing concerns?)
- central back-and-forth between being alone (disconnecting) and being part
of a community (re-engage) is also central to debates over privacy and
cryptography
[workshop ends at 5:30]
Lenny Foner Last modified: Sun Apr 23 17:16:19 EDT 2000