These notes are raw and not post-processed. They were all taken while the workshop was going on, and hence are not polished and not guaranteed complete or necessarily even balanced -- many scribes took extensive notes on only parts of the entire discussion.
Workshop on Freedom and Privacy by Design
4/4/2000, Computers, Freedom, and Privacy Conference, Toronto, Canada
Send notes to cfp-wfpd-notes@media.mit.edu

Agenda:
Lenny Foner - Overview: schedule, philosophy. Description of Replacing DNS proposal.
Rebecca Wright - Obstacles to Freedom and Privacy by Design
Alma Whitten - Usability issues

Discussion of DNS project: Can we come up with a replacement for DNS that is better for the little guy? Potential solution is "Smoosh", which is a rough cut as originally described by Lenny.

Ian Brown: thinks DNS is not so bad as is? Likes idea of it as lower level, above which we build SNs.

Anne Adams: Web vs. e-mail very different from user's point of view, especially for desire of accessibility.

Jonathan Weinberg: needs to grow alongside DNS, rather than wholesale replacement. DNS is not going to go away.

John Gilmore: SN will just have to do it better, so people will switch to it. Better and more functionality. Hierarchical names are not themselves a problem, rather hierarchy of control. Distributed database technology has improved significantly since original inception of DNS, so can be taken advantage of.

Tad Hogg: likes distributed search nature. Looking at local community of users. But: users may not be willing to reveal what they know for privacy reasons, and may be reluctant to participate because they don't see what they gain.

Lance Cottrell: user expectations: users expect the different computers that they use to behave the same way.

Dave Kristol: average user doesn't care about these issues. Web is widely used because newly purchased computers have Web browsers already installed.

Alma Whitten: consumer is familiar with bookmarks in Web browsers, so we can use a similar solution.

Ian Brown: privacy aspects of storing and sharing everything you know (even if not shared, available to hackers and subpoenas).

Deirdre Mulligan: questions about political chokepoint and anonymity. Regardless of system(s), consumers are concerned about authenticity of knowing what business they are dealing with. Are little guys really better off? Proliferation of names makes things harder. How does it address land grab issue?

Lenny Foner: regarding land grabs (credit for original idea goes to Eric Hughes): little guys are people too. Even individuals should be able to make easy-to-find addresses. Search engines may or may not help. Confusing goals and means: distributed approach seemed good way to break political hierarchy, but any other way would be fine, too. In fact, another solution may be a better technical solution. Want to avoid biggest-multinational-is-winner or first-comer-is-winner solutions.

Rebecca Wright: user expectations - if disambiguation is usually right, users (including software designers) will come to think it is always right. How do you know when the wrong site is reached?

Anne Adams: again, authenticity and recognizing when you get to the right site.

Alma Whitten: attacks can become more possible in this anybody-registers system, and solutions that use public keys return this back to being unusable.

John Gilmore: problem is really that there are only three suffixes, so there aren't enough names. What if you could just choose your own suffix, or choose from more suffixes?

Deirdre Mulligan: large companies would still register many names.

Roger Clarke: let's look for a simpler problem. I want a product that will let me put "acme" only, and it will try all the heuristics. Then we can make this extensible. Different heuristics for commercial context, activist context, http vs. e-mail vs. newsgroups...

Phil Zimmermann: authentication - wants to know that typing Barnes and Noble gets to Barnes and Noble. Won't help if everyone else can grab it! If .com is "better", then it doesn't help. If others are available and just as good, Barnes and Noble will want them, and consumers will want Barnes and Noble to have them.
Lenny Foner: what about previously existing little guy? Little Amazon in Minneapolis didn't get amazon.com even though it existed longer, because big Amazon sued to get the name.

Phil Zimmermann: but I still want to find Barnes & Noble. Injustice needs to be addressed orthogonally.

John Gilmore: rather than focusing on wrongs of DNS, focus on rights of what we want to provide. Netscape actually provided the www.*.com feature, and later made it a pay-to-be-in service.

Ian Brown: domain names were not intended this way. Remembering IP address of everything you've encountered before.

Jonathan Weinberg: think of Smoosh as a DNS overlay rather than a DNS replacement. Adding a whole bunch of new top-level domains would be a tremendously successful approach to solving land grab problem. Even with SN, IBM might still sue anyone who registers ibm.anything. Many little guys are happy to sell a preexisting name for a large fee.

Alma Whitten: telephone books work well for finding things that you know enough about to look up, even if the name isn't good. Good names and findable names aren't the same thing.

Dave Kristol: Yahoo's classification system of categories allows good distinguishing between things in different categories.

Patrick Feng: some background assumptions: implicitly, infrastructure needs to support global economy and global uniqueness of merchants. Compare to when you want to find your local bookstore? Plays an important role in how infrastructure is designed. Different communities need different heuristics. Can be learned in slow, incremental steps?

Tomas Sander: trivial solution for local is Yellow Pages. How can we revolutionize; just do it! **What is the killer app for this stuff?** Being able to find what I want is not it, because it's not really a problem. Distributed domain systems have been done before. Meeting new people in specific communities?

Simson Garfinkel from audience: DNS was meant to be used by individuals. Majority of issues raised here have not been issues for telephone system because numbers have been used. Problems do arise when companies all want 1-800-MATTRESS. Content-based addressing system was never really discussed and is fundamentally flawed. Problem isn't necessarily DNS, but rather hierarchical searching of DNS. Several levels with checking at next level up when not found at current level would be a big help. Any system that has been proposed here could be folded into current DNS just by changing server search algorithms. Trademark issues really won't go away by allowing more people to register related-seeming names. Solution is to remove content.

Stanton McCandlish from audience: goals are dividable into two themes: protecting free speech, privacy, etc. are policy and political goals. Intellectual property issues are global system problems independent of the Internet. Perhaps better to look at them separately.

BREAK

Adam Shostack: two very different problems in the context of one name space. 1: I want to find a well-known entity. 2: I want to find a friend. Different solutions and methods are appropriate for the different problems.

Deirdre Mulligan: proposal suggests proliferation and confusion that gives breathing room for diversity, but on small guy vs. big guy side, gives breathing room by adding complication, which underestimates power, influence, and money available to those who wish to enforce the rules.

Nick Nimchuk from audience: odd to overlay SN over DNS, when DNS could be overlaid on SN. Now, most computers trust only NSI for names. NSI could continue to provide names to people who trust them.

John Gilmore: DNS was not designed for finding things, it was designed for naming things. A system that is good at naming without existing political issues would be useful even without solving the finding problem.

David Phillips: circle of friends being commodified? Preformed communities with institutional brokerage, which is not changed here.
Tomas Sander: revolutionizing naming system is too big for us to accomplish. Highly flexible solution is highly suspicious. More interesting to talk about proposal like Freenet, specific to anonymous speech. Question assumptions? What do we want to protect?

Karl Auerbach from audience: can we put DNS genie back in the bottle? Use it for what it's good at, and not for everything. (For example, Akamai already does some of this.)

Ed Gould from audience: need to agree on goals before we can hope to design something, since many of them are in conflict with each other, and appropriate for different contexts.

Carl Page from audience: a lot of these are pretty well solved. Can always find "most important" Web site by a search engine. Home pages plus search engines already solve finding-individuals problem.

Karl Auerbach from audience: even with DNS, shouldn't trust result without authentication.

Rohan Samarajiva: large companies will always fight to the death for unique. Communities of interest are sometimes geographical, but also sometimes other focus. Defining communities of interest separately may be more tractable.

John Larsen from audience: DNS is primarily useful for the system. Humans need another layer. Would like to see policy statements on search engines about how they choose results presented (especially where commercial interests are involved).

Lance Cottrell: seconds that AOL is a good way to find individuals. Most individuals do not (and should not) have a unique domain name.

Karl Auerbach from audience: need to differentiate between presentation of results when it is to humans and when it is to machines.

Carl Page from audience: already a couple of opportunities to do things with naming outside of DNS.

Dave Del Torto: keep in mind that in other parts of the world, lots of people are on the same machine or even the same e-mail address.

Lenny Foner: comments to focus. 1) finding people is different from finding companies. 2) finding is different from naming. 3) whatever we come up with, how do we prototype it and incrementally deploy?

Fen Labalme: build in search engine to browser input line?

Lisa Kamm: this already exists as add-on, but doesn't fully solve problem because of existing search engine algorithms (ibm.com comes above ihateibm.com).

Alma Whitten: hearing widespread assumption that users guess addresses.

Lisa Kamm: has data that this does happen for IBM.

Karl Auerbach from audience: encourages experimentation. Adding on new naming systems is not going to break the Internet. DNS is only intended as one way to find names. Don't be afraid. Could go in routers, hostnames, searching, above DNS, below DNS. He recommends using as high as possible above DNS.

Jonathan Weinberg: integrating search into browser: there are problems with existing search engines. Both existing implementations and current technologies are inherently limited. Enormous resources required make it expensive and difficult. Suggests focus on SNs as a finding engine: possibly valuable new approach.

John Gilmore: would like to focus on how to build in the features that we decide on. That is, even if we reach a consensus, how would we be able to build it into the infrastructure?

John Brockman from audience: initially there was a proliferation of browsers, users chose what they liked best. Compuserve has content-free naming, and that's why nobody likes them.

[note taking break from 11:50 to after lunch]

Afternoon session:

Lenny Foner: Overview of afternoon. Business strategies, cash project.
David Phillips: Activist analogies
John Gilmore: Free software and business

Lenny Foner: Businesses make money from violating privacy: data mining, spam. Many consumers don't realize what's going on. How do we motivate business adoption?

David Phillips: contours of privacy as a political issue. Compare to anti-nuclear movement. Phase 1: Local actions regarding nuclear safety.
Phase 2: organizational alignment with existing organizations to share in their resources, structured with similar/related ideology. IDEA: create a populace that is cognitively prepared and socially resourceful to understand and react to "Chernobyl event". Can we make linkages between privacy and other important, deep, social themes?

John Gilmore: if you don't like the way businesses are doing it now, make your own. Use free software: reduces cooperation costs, allowing relationships to build that can be useful later. Advantages to public: gives user community choice in what they want in the product. No central point of control.

Deirdre Mulligan: there have already been some social connections between privacy and other social issues. Thoughts on how to better continue them?

Colin Bennett: Chernobyl may not be right analogy. Could come from either low-tech or high-tech disasters.

John Gilmore: doesn't like idea of waiting for, or trying to create, Chernobyl opportunity.

Tad Hogg: would like to see discussion of technological techniques. For example, secure function evaluation as a tool that can help here.

Anne Adams: people tend to trust technology, and when it fails often completely reject it.

Ari Schwartz: we see privacy problems every day. We've found it more important to work proactively with companies that ask for help in advance with privacy. Need to engage them and figure out how to do it.

Patrick Feng: wouldn't characterize position as trying to encourage Chernobyl, but rather want to make sure that we are in a position to react to it if it does arise, since users may not respond on their own.

Roger Clarke: how do privacy and freedom activists get action: must know the abstract field, the legals, the interest groups and their interests, ongoing background pressure on relevant committees and press coverage. When opportunities arise, must be ready. Sustained linkages with other organizations must be maintained, and new linkages formed when opportunities arise, even with uncommon bedfellows.

David Phillips: did not mean to say he wishes for a Chernobyl, but rather that we should be ready for any such event.

Ken Ash ?? from audience: difficult to articulate privacy threat to the public. What concrete message should we be trying to deliver to the public to get them to understand the problem?

Deirdre Mulligan: Give a quick opportunity for people to take action in response to an event.

Charles Raab from audience: example of unexpected alliance - privacy advocates and businesses joined together against key escrow. Also important to know where in government there are pressure points and possible alliances.

Ellen ?? from audience: people will sell their information for very little goods and services in exchange.

Rohan Samarajiva: business vs. activist methodology. How do you design technology or institutions that in themselves encourage businesses to do the right thing? Recognize that ongoing relationships do require some divulging of information, with some development of trust.

Jonathan Weinberg: two cautions on Chernobyl. 1) Look back on history of privacy activism so far. Somewhat depressing because entirely reactive, e.g. DoubleClick. 2) What are we trying to achieve? Legislation? Adoption of privacy-protecting technologies?

Deborah Pierce: 30+ bills in California legislature. Reactive mode is not helpful. Better to build relationships with businesses up front and help them to build in privacy features from the start. Also, too late to respond after disaster, because once data is out, you can't get it back.

Lorrie Cranor: If you want to motivate business to stop doing something they are already doing, that is much harder than influencing them beforehand. So how do you get businesses to think about privacy up front, especially given that it is not always clear in advance which technologies will have negative privacy implications?

Craig Hubley from audience: Simply cannot solve problems on limits of relationships with legislation. Positive business models: contrast between three theories of value.

Karl Auerbach: Congress does not care about property. Suggests you view your name as intellectual property and create a shrinkwrap license for it.

Roger Clarke: don't identify legislative solutions only with EU. Think of New Zealand instead.

Adam Shostack: huge untapped market for those worried about privacy. Greed is a powerful motivator.

Colin Bennett: reminder that most advanced industrial states have some kind of privacy legislation. US is a notable exception. Adoption of privacy policies: note that it is not only an Internet problem, and can't have only Internet solution. What does it mean for a business to adopt privacy-friendly practices?

John Gilmore: privacy problem on the Internet is caused by inability to use cash on the Internet. Therefore relies on advertising, which wants to invade privacy.

Deirdre Mulligan: some positive stories regarding proactive work with business that CDT has done.

Roger Clarke: how can we engage businesses in positive ways: greed is the wrong word to use. Find the right language, even if that is the right concept.

Ken Ash ?? from audience: sometimes businesses will cooperate to mutually agree to do something that is good for customers. Can we do this for a strong privacy framework?

Lenny Foner: final comment - resource for activism: book "Toxic Waste is Good for You".

FINAL SESSION: cash project

Deirdre Mulligan: your place or mine? Data storage at server vs. client.

Phil Zimmermann: crypto keys should be stored close to user rather than at servers (i.e. your own laptop or your own smart card).

Ian Brown: what is legal threat to passphrase?
In Britain, 2 years jail for not giving up your passphrase if requested, 5 years for telling anyone that you did.

Ian Goldberg: Spendcash company exists and has 7-11 cash card solution for pre-paid cash cards. Has problem that very few merchants accept it. Would be better to have as Visa/MC, so already acceptable everywhere. Also, note that governments are moving towards making cash less anonymous by reading bar codes and serial numbers of cash bills.

Rohan Samarajiva: who would provide such cards? In telecom, cell phones plus GPS give tremendous amounts of locational data that can be used to violate privacy. However, prepaid disposable phones/cards can be used to limit this. Can latch cash idea on to that?

Bryce Wilcox from audience: why all e-cash systems have failed so far. The fax effect. You will not want to use a payment system that is not accepted by most of the places you want to do business with. Any peer-to-peer Internet payment system can exchange with any other, so even one of these gaining critical mass will help others. PayPal has 1/4 million users that have made at least one transaction.

Lance Cottrell: two points. 1) adoption issue. Early acceptance is difficult. Try to make it look like a credit card. 2) Prepaid phone cards: some merchants can now bill things to your phone bill.

Deborah Hurley: reminder to not focus too much on credit cards, which are not as highly used in some countries.

Ian Brown: both phone and credit card industries are highly regulated.

Adam Shostack: credit cards have only been generally accepted instruments for about ?? years. Book recommendation: The Credit Card Catastrophe, describes history.

Dave Kristol: why would people want to use anonymous payments? Where is demand coming from? Gambling, porn, .... Recall that VCRs were driven by demand for porn. Also, on-line cash only remains anonymous if a shipping address is not needed, so for bits.

?? from audience: cash works because it is easy. Anonymity is not the main advantage to people who use it.

Phil Zimmermann: delivery problem for cash can be solved by cryptography.

Deirdre Mulligan: consumer community - liability of credit cards vs. debit cards, not always clear what difference is to consumers. Consumers choose convenient and familiar solutions.

?? Stadler from audience: float on credit cards is an issue. No demand for e-cash?

Dave Del Torto from audience: who will underwrite anonymous e-cash systems? Without the float, what is the incentive to back the system? May be in order to break privacy?

Alma Whitten: Can e-cash be made as a lower risk alternative to credit cards from merchants' perspective?

?? from audience: Rocketcash system allows teenagers who have no credit cards to use their credit card instead. They take all kinds of cash, plus referral points.

[note break 4:45pm until end of day]
Lenny Foner
Last modified: Sun Apr 23 17:12:38 EDT 2000