|These notes are raw and not post-processed. They were all taken while the workshop was going on, and hence are not polished and not guaranteed complete or necessarily even balanced -- many scribes took extensive notes on only parts of the entire discussion.|
CFP Workshop Privacy by Design Replacing the Domain Name System What's broken? IP and land grabs Political chokepoint Little guys A modest Proposal Throw away the hierarchy Lets call the new system smoosh Names no long e unique Land grabs much more difficult Everyone can register an unlimited number of names for free Routing is unaffected DNS part 2 Implementation Abundant local computation and storage Clusters of cached relationship information Mapping SN Talk by Rebecca Wright Replacing the domain name system What to Protect? Privacy, Free Speech, anonymous speech -- Different governments have different laws Different individuals have different opinions Different needs of governments, corporations, and individuals Who should decide? Interplay between: Government Public interest groups Voluntary industry standards Consumer-driven Technology itself How to achieve? Not enough to design and implement solution Difficult to influence users Users may not understand - implications of their choices (on privacy, etc.) Users choose convenience Integration with existing systems - "the microsoft factor" Requirements Convenient Fair - equally available to anyone, protects all users Backed by industry - for direct commercial reasons or in response to government and consumer pressure Tools Cryptography - protects data in transit, does not protect ends Open source software - pluses and minuses Consumer/voter education - don't overwhelm them Alma Whitten talk Warning: When trying to provide privacy and security via tech, do not expect users to: Know what they need, Read manuals, Keep trying, or Recognize success When dealing with privacy these items become even more difficult Regard with Suspicion Proposals which assume: Users manage key distribution Users pay attention to digital signatures Users comprehend policies Tools or appliances??? Tools: general, robust, need skill Appliances, specific, fragile, need less skill Automation Guidelines Either system must always work, Or Users must know how to compensate Or Functionality must not be crucial (consider for DNS) Two Different Goals 1. Get solution in place for those who already want it And/or 2. Sell solution to those who don't yet know they need it. (consider for the cash project) Initial Comments Ian Brown-DNS useful -- because it is at a lower level Smoosh names - Distributed search provides relevance- ? - need to make a distinction between email and ___ Joel Reidenberg- planning for implementation - need a route around because DNS is not going away. Ecommerce sites will hate smoosh names because of a lack of certainty that when a user goes to AT&T they will get to AT&T, not something else. Has ecommerce won? Too late for anything else? Not necessarily, but they are quite strong. He doesn't feel that the existing DNS will go away. We will need a route around. What can we do to make smoosh names more attractive. John G. - smoosh names will have to grow up along with DNS. How to make the system do more than it was designed to do. What is the goal here? What do we want the system to do that it doesn't already do? Don't need a hierarchy? But here, hierarchy is a good thing. Easier to sort. Lance Cottrell-users expect that if they have always typed in a certain name, that this will continue to work. Often you would want to broadcast info about yourself - biz cards. How can you be sure that people can find you? Dave K. - Deployment and wide distribution? Will people actually download the software? Problem - unless some solution is sufficiently attractive in the biz community then the software might not be supported. Alma - people comfy with bookmarks. Could they become comfortable with aliases? Ian Brown - privacy interests? Database on your machine with all of your info on your machine. Solution? You can act as a conduit? -- Deirdre- don't think that it addresses the issues -- Not sure it helps the little guy. Not sure if this proposal addresses this issue. How does it address the land grab issue? Lenny - replacing or overlaying -- He was trying to get away from a hierarchy. Would like a system with redundant or duplicate names. Ex. One name for IBM but a million John Smiths. Rebecca- Expectations -if disambiguation is usually right, users (incl. Software designers) will think it is always right. Common name problem - uses with common names may still need to choose those unusual SN's to help disambiguation. Privacy - may make things worse How do you know when wrong site is reached. __ Is there a "diameter dichotomy"? you go a few hops and get "friends" go a few more hops and you get the world. Alma - if no hierarchy, then potential attacks. Disinformation possible. John G. re land grabs. Make a large enough number of names available that it becomes unattractive financially for others to grab names. Can pick suffixes? Roger Clarke-lets do the easy stuff first - commercial v. personal v. activists. Classify each? Phil Z.-certainty issues. If I want barns & noble, I want barns & noble. If "dot com" is barns and noble, but other suffixes can be something else - then you create ambiguity. How can we satisfy this "requirement"? John G. Comment to Roger - Netscape put a naming system in their browser. Ian B. - tension between a globally unique address and ease of use. Jonathan Reidenberg - chair of ICANN working group. Utility of smoosh overlay? Pros and cons of this? Adding a lot of top level suffixes would really help. Not politically possible right now. Trademark problems will still exist. Not clear that if smoosh names would help with this. Alma-wanting a name that is finable v. wanting a name that is "good". Think phone books. Doesn't matter if there are duplicates. Patrick - background assumptions -- implications - need to think about what we are doing. Are we assuming that the multinationals are the most important entities. Communities -- ?-for local stores, use web yellow pages. What is the killer app for this problem? Public questions: Simpson Garfinkle- DNS was meant to be used by people, but ip addresses was not. We never really meant to use a content based addressing system. Need to deploy new servers?? Top level domains - still will have trademark problems. His solution would be to remove content from the addressing system. Stanton-goals- 2 severable ones - decentralization to protect privacy, etc. - IP issues that have nothing to do with the tech solution. Independent of the Net, but manifesting themselves here. Which things can we do to solve each. Make it more like a phone numbering system. Break Two problems - to separate Finding B& N and finding John G. Deirdre - underestimating the power and money of those in power - corporations plus governments. She's not sure that complicating enforcement is going to solve the problem. John G. - part of the complication is that people are using DNS for finding things rather than for naming things. Dave Philips - Circle of Friends kinds of organizations. Institutional brokerage. Thomas-problem is too big. Something that he is afraid of - being able to post, but not being able to take down. What do we want from our services? ? - We should agree on a set of goals in order to design a system. One goal - to reach a particular entity - the one that you want. Another one is to be able to find a community of friends. Carl Page - finding people - match dot com, aol, homepages + search engines to use to find people. ?- how do we prevent the big companies from smashing the smaller ones. John Larson - comments - DNS not useful for human searches. What humans need v. what machines need. Right now the net works - if we replace DNS, will the Net still work. He would like to hear some policy statements on the search engines - what info they present to us, b/c naming has to do with how you search and what you find. Do you find the product of a search engine if the owner of that "hit" has paid the most money. Carl - DNS in the context of web browsers Carl Page - DNS performance sucks. Think about napster - distributed Dave Del Torto- -- Lenny - naming v. finding. How do we prototype it? How do we incrementally deploy it? Fen- Upper end of the tool bar being a "find engine". DNS still exits but people don't use it as much to find things. Lisa-yes, but -- whatever we do has to integrate with the search engines. Jon- integrating search engines into the browser, but problem - search engines are limited. Tech used by search engines is inherently limited. Smoosh names to be used for finding?? Not use it for naming?? John G.- How to build these things in? Suppose we came to a consensus? How would we do this in the real world? John Brockman- .. Dan Gilmore- leads to make it all proprietary. How will we find a way to prevent that from happening. Stan- what about using xml, using corporate tags or trademark tags? Can this be used so that we don't have to get rid of DNS. Ian Brown - that's why distributed systems should work better. Lenny - search engines, but, people who may not be easy to find because their web presence may not be very big. Wendy - we are having the same problem as ICANN b/c we can't decide what the goal is -- reaching an impass. John G. - Define the problem Wendy - don't want microsoft or the government to own the whole Net. Lance - need to integrate email, palm devices, etc. Our solution needs to be able to function in all of those environments. Stanton - finding and naming, but we need to design privacy in -- that's why we're here. Lenny - privacy not a big part of the DNS issues. John G. - focus. Getting around centralized naming (centralized control). ? freehold w/o interference to use in the appropriate context. Ellen Olman- hierarchy =3D fast. Naming isn't. Adam-using the courts seems like a good thing, but freedom of speech shouldn't have to rely to be "under the radar". Gail Williams- confusion between naming and finding. Use a special character in front of the name and that doesn't =3D trademark. Wendy - weird geographical thing. Useful if the url could reflect the native language of the site. Carl - all of the power is not in the hands of the legislature. Power of code. Carl Page - metadata is evil. If we rely on metadata, we need to rely on an organization that can be used to go and check the metadata. Patrick - What can we do? 1. Go out and do it - go write code. 2. Construct a dialogue that continues after this workshop - having a continuing conversation with people who write the code. Jean - don't build out ambiguity. Shouldn't hold everything up to the ecommerce standard. Carl - second the previous speaker. ? - think about incentives for unsophisticated users so that we don't have to go to a proprietary system or end up with tyranny of the majority. Stanton - geography may not be all that important. Lance - another vote against geographical resolving of names. Shouldn't tie it down that way. Lisa - she disagrees. More trust -- Doesn't make sense from a technical standpoint, but if we want people to use it -- Cfpfirstname.lastname@example.org - send notes here. Afternoon Papers- anonymity and unobservability. Design issues. July 25, 26th in Berkeley. More technical. Extended deadline for papers =3D 5/1/00. www.icsi.berkeley.edu/~hannes/ws/edu Business Methodology How do we motivate business adoption? Biz makes money from data mining Consumers don't realize what's going on Some possibilities Data chernobyl Advertising campaigns -who pays? New biz whose purpose is protecting civil liberties Which comes first, tech or biz? David Phillips Contours of privacy as a political issue. Nuclear issues-anti nuke Historical perspective Resources: Oppositional expertise NIMBY 2nd phase media savvy attractive cultural norms anti nuke ideology. Socialist movements. Peace, ecology. Strong links to those. This brought in a lot of already mobilized groups. Big idea How do we create a populace that is cognitively prepared and socially resourceful To understand and react to Chernobyl event. He would like to make fingerprinting on driver's licenses a chernobyl event. Possible ideas of privacy threats Individual autonomy Intimate relations Government and citizen Merchant and consumers Cultural autonomy Demographics, profiling In the Popular literature Enemies are governments, hackers and advertisers Individuals is victim and hero Little discussion of intimacy and cultural autonomy and discrimination Can notions of intimacy , cultural autonomy and social discrimination /// Privacy memes linked to racism sexism economic justice globalization cultural displacement - looking for links. Need to be able to make linkages, and be able to form coalitions. He recognizes that this means moving a bit away from the libertarian ethic. Possibilities for coalitions WTO, World Bank, IMF opposition, biotech, civil rights John G. Free software - getting biz to use and do the right thing. Cygnus co-founder Don't screw up the biz on the practical stuff - pay your employees, ect. Biz resistance to free software "If you don't like the news, go out and make your own." If you don't like biz on privacy go start your own that can protect privacy. John just started "Free$/WAN - used to protect civil liberties? Tries to implement automated privacy. Encrypts network traffic - get the "fax" effect. Use the software, Those who use it have encryption among them. Makes the net more secure. Not structured as a biz - yet. General discussion Deirdre-profiling - =3D gap in privacy law. Not quite an invasion of privacy, or discrimination. Coalition building - but it's a challenge. Colin Bennett - doesn't like the privacy chernobyl. Doesn't like that it implies a high tech problem. He sees it as tech with human error. He's concerned with surveillance - when surveillance works perfectly. John G - whipping people into a frenzy doesn't seem like sound public policy. Ann-Chernobyl. People trust the tech, but when privacy is invaded they want the privacy advocates to do their jobs. Ari- engaging companies about how to build in privacy. Xxxxxxx - gap Deirdre- wrote letters to many biz - like Intel - explaining that there is a problem re: privacy - what are you going to do about it? Businesses wrote back to let her know what they were going to do. Roger- still: What positive things can we do to incent business. Profit? Will that help? Permission based marketing? ?Anti-virus software folk may help. We have identified this many viruses, here's what we've done. At some point the vendors formed a consensus - can we get biz to form a consensus that privacy should be protected (in a general way), can we move forward that way? Read book like "Toxic sludge is good for you". Marginalize and discredit those who biz disagrees with. This will preserve the status quo that biz wants. Break Cash What's cash? Universal acceptance Assured anonymity Ease of use Bounded liability Everybody is a merchant Why we don't have it on the net yet IP fights Cryptographic export restrictions (historical and current) Government resistance Lack of consumer interest Cash, part II How about prepaid cash cards? Like a metro pass Sell them in 7-11 Unlinkability via cash-for card and tossing refills Problems Credit card companies are obvious players, but want to data mine. Requires physical infrastructure Still not peer to peer Can we fix it? Deirdre Your place or mine - where you store data - whose server? Security - changes depending on which server its on. Ian Goldberg-prepaid cash card-spendcash Bar codes on paper money in the Netherlands. Not anonymous anymore! Rohan-many people use prepaid cellular cards outside the US. ?why ecash systems have all failed so far? Critical mass issue. Not widely used by large numbers of people. Some payment systems are gaining critical mass. Ian Brown-prepaid "anything"- he's worried that prepaid cards will quickly become non-anonymous because of the war on drugs and money laundering. Adam- credit cards ubiquitous in US even though they have only been around for about 50 years. ? for a lot of transactions, cash is used because its easy in meatspace. And why would I use ecash over the net if there is no enforcement mechanism. Phil-cryptographic protocols for sending and receiving ecash. Deirdre-bleed over on confusion between debit cards and credit cards, particularly surrounding liability. Alma-credit card fraud is a headache - any way that ecash can be like cash- merchants can accept it and not worry that they can't accept it. Carl Page-CPSR - rocket cash -- .for teenagers Joel-consume motivations -- disincentives - floats, and the $ doesn't leave your account until you get the goods. ?You get things when you use your credit card. You get frequent flyer miles, etc. Phil- can we get a toehold into cc infrastructure to use as scaffolding for anonymous ecash structures. Market forces can then take over to lower the price of anonymous cash. Creeping erosion of privacy - makes it harder to make arguments for our privacy. But if we can gain this toehold, then we can create privacy expectations. Deborah H/ Is cash on the net desireable? Ian Goldberg- we need to worry about the clearing system. Remind people that its useful to have anonymous commerce on the net, but we need to be able to have a way to deliver the anonymous cash via an anonymous way - ie no tracking of IP addresses. ?Mondex...(turns out it isn't anonymous) Deirdre - small steps we can take -- should we have the ability to not have a transaction recorded but then not have the ability to context that particular transaction. Lenny- re: barcoding cash - we have serial numbers on cash --.re: porn getting VCRs accepted - citations? Re:cc companies - citataion for FedEx gets numerous subpoenas every day - particularly at the height of the tobacco litigation. Banks - if you don't want subpoenas don't collect the information. Wrap up. Re: DNS, biz, cash - theme: incremental change. How do we prototype these systems so that we can figure out what to do with them. Mailing list to talk about these issues on the CFP pages.
Lenny Foner Last modified: Sun Apr 23 15:27:47 EDT 2000