CFP2000 WFPD: Deborah Pierce's raw notes

These notes are raw and not post-processed. They were all taken while the workshop was going on, and hence are not polished and not guaranteed complete or necessarily even balanced -- many scribes took extensive notes on only parts of the entire discussion.

CFP Workshop Privacy by Design

Replacing the Domain Name System

What's broken?
IP and land grabs
Political chokepoint
Little guys

A modest Proposal
Throw away the hierarchy
Let's call the new system smoosh
Names no longer unique
Land grabs much more difficult
Everyone can register an unlimited number of names for free
Routing is unaffected

DNS  part 2

Implementation
Abundant local computation and storage
Clusters of cached relationship information
Mapping SN

Talk by Rebecca Wright
Replacing the domain name system

What to Protect?

Privacy, Free Speech, anonymous speech -- 

Different governments have different laws
Different individuals have different opinions
Different needs of governments, corporations, and individuals

Who should decide?

Interplay between:
Government
Public interest groups
Voluntary industry standards
Consumer-driven
Technology itself

How to achieve?
Not enough to design and implement solution
Difficult to influence users
Users may not understand - implications of their choices (on privacy, etc.)
Users choose convenience
Integration with existing systems - "the microsoft factor"

Requirements
Convenient
Fair - equally available to anyone, protects all users
Backed by industry - for direct commercial reasons or in response to
  government and consumer pressure

Tools

Cryptography - protects data in transit, does not protect ends
Open source software - pluses and minuses
Consumer/voter education - don't overwhelm them

Alma Whitten talk

Warning:
When trying to provide privacy and security via tech, do not expect users
  to:

Know what they need,
Read manuals,
Keep trying, or
Recognize success

When dealing with privacy these items become even more difficult

Regard with Suspicion

Proposals which assume:
Users manage key distribution
Users pay attention to digital signatures
Users comprehend policies

Tools or appliances???

Tools: general, robust, need skill

Appliances, specific, fragile, need less skill

Automation Guidelines

Either system must always work,
Or
Users must know how to compensate
Or
Functionality must not be crucial
(consider for DNS)

Two Different Goals

1. Get solution in place for those who already want it
And/or
2. Sell solution to those who don't yet know they need it.

(consider for the cash project)

Initial Comments

Ian Brown - DNS useful -- because it is at a lower level
Smoosh names - Distributed search provides relevance-
? - need to make a distinction between email and ___
Joel Reidenberg- planning for implementation - need a route around because
  DNS is not going away. Ecommerce sites will hate smoosh names because of a
  lack of certainty that when a user goes to AT&T they will get to AT&T, not
  something else.
Has ecommerce won? Too late for anything else? Not necessarily, but they are
  quite strong. He doesn't feel that the existing DNS will go away.  We will
  need a route around.
What can we do to make smoosh names more attractive?
John G. - smoosh names will have to grow up along with DNS. How to make the
  system do more than it was designed to do.
What is the goal here? What do we want the system to do that it doesn't
  already do? Don't need a hierarchy? But here, hierarchy is a good thing. 
  Easier to sort.
Lance Cottrell-users expect that if they have always typed in a certain
  name, that this will continue to work. Often you would want to broadcast
  info about yourself - biz cards. How can you be sure that people can find
  you?
Dave K. - Deployment and wide distribution? Will people actually download
  the software? Problem - unless some solution is sufficiently attractive in
  the biz community then the software might not be supported.
Alma - people comfy with bookmarks. Could they become comfortable with
  aliases?
Ian Brown - privacy interests? Database on your machine with all of your
  info on your machine.  Solution? You can act as a conduit? -- 
Deirdre- don't think that it addresses the issues --  Not sure it helps the
  little guy. Not sure if this proposal addresses this issue.  How does it
  address the land grab issue?
Lenny - replacing or overlaying -- He was trying to get away from a hierarchy.
  Would like a system with redundant or duplicate names. Ex. One name for IBM
  but a million John Smiths.
Rebecca-
Expectations -if disambiguation is usually right, users (incl. Software
  designers) will think it is always right.
Common name problem - users with common names may still need to choose those
  unusual SN's to help disambiguation.
Privacy - may make things worse
How do you know when the wrong site is reached?
__
Is there a "diameter dichotomy"? you go a few hops and get "friends" go a
  few more hops and you get the world.
Alma - if no hierarchy, then potential attacks. Disinformation possible.
John G. re land grabs. Make a large enough number of names available that it
  becomes unattractive financially for others to grab names. Can pick
  suffixes?
Roger Clarke - let's do the easy stuff first - commercial v. personal v.
  activists. Classify each?
Phil Z. - certainty issues. If I want Barnes & Noble, I want Barnes & Noble. If
  "dot com" is Barnes & Noble, but other suffixes can be something else -
  then you create ambiguity. How can we satisfy this "requirement"?
John G. Comment to Roger - Netscape put a naming system in their browser.
Ian B. - tension between a globally unique address and ease of use.
Jonathan Reidenberg - chair of  ICANN working group. Utility of smoosh
  overlay? Pros and cons of this? Adding a lot of top level suffixes would
  really help. Not politically possible right now.  Trademark problems will
  still exist.  Not clear that if smoosh names would help with this.
Alma - wanting a name that is findable v. wanting a name that is "good". Think
  phone books. Doesn't matter if there are duplicates.
Patrick - background assumptions -- implications -  need to think about what we
  are doing. Are we assuming that the multinationals are the most important
  entities.  Communities -- 
?-for local stores, use web yellow pages. What is the killer app for this
  problem?
Public questions:
Simson Garfinkel - DNS was meant to be used by people, but IP addresses were
  not. We never really meant to use a content based addressing system. Need to
  deploy new servers?? Top level domains - still will have trademark problems.
  His solution would be to remove content from the addressing system.
Stanton-goals- 2 severable ones - decentralization to protect privacy, etc. 
  - IP issues that have nothing to do with the tech solution.  Independent of
  the Net, but manifesting themselves here.  Which things can we do to solve
  each. Make it more like a phone numbering system.

Break

Two problems - to separate
Finding B&N and finding John G.
Deirdre - underestimating the power and money of those in power -
  corporations plus governments.  She's not sure that complicating enforcement
  is going to solve the problem.
John G. - part of the complication is that people are using DNS for finding
  things rather than for naming things.
Dave Philips - Circle of Friends kinds of organizations.  Institutional
  brokerage.
Thomas-problem is too big. Something that he is afraid of - being able to
  post, but not being able to take down.  What do we want from our services?
? - We should agree on a set of goals in order to design a system. One goal
  - to reach a particular entity - the one that you want. Another one is to be
  able to find a community of friends.
Carl Page - finding people - match dot com, aol, homepages + search engines
  to use to find people.
?- how do we prevent the big companies from smashing the smaller ones.
John Larson - comments - DNS not useful for human searches. What humans need
  v. what machines need.  Right now the net works - if we replace DNS, will
  the Net still work.  He would like to hear some policy statements on the
  search engines - what info they present to us, b/c naming has to do with how
  you search and what you find.  Do you find the product of a search engine if
  the owner of that "hit" has paid the most money.
Carl - DNS in the context of web browsers
Carl Page - DNS performance sucks. Think about napster - distributed
Dave Del Torto-  -- 
Lenny - naming v. finding. How do we prototype it?  How do we incrementally
  deploy it?
Fen - Upper end of the tool bar being a "find engine". DNS still exists but
  people don't use it as much to find things.
Lisa-yes, but -- whatever we do has to integrate with the search engines.
Jon- integrating search engines into the browser, but problem - search
  engines are limited. Tech used by search engines is inherently limited.
  Smoosh names to be used for finding?? Not use it for naming??

John G.- How to build these things in? Suppose we came to a consensus?  How
  would we do this in the real world?
John Brockman- ..
Dan Gilmore- leads to make it all proprietary. How will we find a way to
  prevent that from happening.
Stan- what about using xml, using corporate tags or trademark tags?  Can
  this be used so that we don't have to get rid of DNS.
Ian Brown - that's why distributed systems should work better.
Lenny - search engines, but, people who may not be easy to find because
  their web presence may not be very big.
Wendy - we are having the same problem as ICANN b/c we can't decide what the
  goal is -- reaching an impasse.
John G. - Define the problem
Wendy - don't want microsoft or the government to own the whole Net.
Lance - need to integrate email, palm devices, etc.  Our solution needs to
  be able to function in all of those environments.
Stanton - finding and naming, but we need to design privacy in -- that's why
  we're here.
Lenny - privacy not a big part of the DNS issues.
John G. - focus. Getting around centralized naming (centralized control).
? freehold w/o interference to use in the appropriate context.
Ellen Olman - hierarchy = fast. Naming isn't.
Adam-using the courts seems like a good thing, but freedom of speech
  shouldn't have to rely to be "under the radar".
Gail Williams - confusion between naming and finding. Use a special character
  in front of the name and that doesn't = trademark.
Wendy - weird geographical thing. Useful if the url could reflect the native
  language of the site.
Carl - all of the power is not in the hands of the legislature. Power of
  code.
Carl Page - metadata is evil.  If we rely on metadata, we need to rely on an
  organization that can be used to go and check the metadata.
Patrick - What can we do? 1. Go out and do it - go write code. 2. Construct
  a dialogue that continues after this workshop - having a continuing
  conversation with people who write the code.
Jean - don't build out ambiguity. Shouldn't hold everything up to the
  ecommerce standard.
Carl - second the previous speaker.
? - think about incentives for unsophisticated users so that we don't have
  to go to a proprietary system or end up with tyranny of the majority.
Stanton - geography may not be all that important.
Lance - another vote against geographical resolving of names.  Shouldn't tie
  it down that way.
Lisa -  she disagrees. More trust --  Doesn't make sense from a technical
  standpoint, but if we want people to use it -- 

Cfp-wfpd-notes@media.mit.edu - send notes here.

Afternoon

Papers - anonymity and unobservability. Design issues. July 25, 26th in
  Berkeley. More technical. Extended deadline for papers = 5/1/00.
  www.icsi.berkeley.edu/~hannes/ws/edu

Business Methodology

How do we motivate business adoption?
Biz makes money from data mining
Consumers don't realize what's going on

Some possibilities
Data chernobyl
Advertising campaigns -who pays?
New biz whose purpose is protecting civil liberties

Which comes first, tech or biz?

David Phillips
Contours of privacy as a political issue.

Nuclear issues-anti nuke
Historical perspective
Resources:
Oppositional expertise
NIMBY
2nd phase
media savvy
attractive cultural norms
anti nuke ideology. Socialist movements. Peace, ecology. Strong links to
  those.
This brought in a lot of already mobilized groups.

Big idea
How do we create a populace that is cognitively prepared and socially
  resourceful
To understand and react to Chernobyl event. He would like to make
  fingerprinting on driver's licenses a chernobyl event.

Possible ideas of privacy threats

Individual autonomy
Intimate relations
Government and citizen
Merchant and consumers
Cultural autonomy
Demographics, profiling

In the Popular literature
Enemies are governments, hackers and advertisers
Individual is victim and hero
Little discussion of intimacy and cultural autonomy and discrimination

Can notions of intimacy, cultural autonomy and social discrimination ///

Privacy memes linked to racism sexism economic justice globalization
  cultural displacement - looking for links. Need to be able to make linkages,
  and be able to form coalitions.  He recognizes that this means moving a bit
  away from the libertarian ethic.

Possibilities for coalitions
WTO, World Bank, IMF opposition, biotech, civil rights

John G.
Free software - getting biz to use and do the right thing.
Cygnus co-founder
Don't screw up the biz on the practical stuff - pay your employees, etc.
Biz resistance to free software
"If you don't like the news, go out and make your own." If you don't like
  biz on privacy go start your own that can protect privacy.
John just started "FreeS/WAN" - used to protect civil liberties? Tries to
  implement automated privacy. Encrypts network traffic - get the "fax"
  effect. Use the software; those who use it have encryption among them.
  Makes the net more secure. Not structured as a biz - yet.

General discussion

Deirdre - profiling = gap in privacy law. Not quite an invasion of privacy,
  or discrimination. Coalition building - but it's a challenge.
Colin Bennett - doesn't like the privacy chernobyl. Doesn't like that it
  implies a high tech problem.  He sees it as tech with human error. He's
  concerned with surveillance - when surveillance works perfectly.

John G - whipping people into a frenzy doesn't seem like sound public
  policy.
Ann-Chernobyl. People trust the tech, but when privacy is invaded they want
  the privacy advocates to do their jobs.
Ari- engaging companies about how to build in privacy.
Xxxxxxx - gap
Deirdre- wrote letters to many biz - like Intel - explaining that there is a
  problem re: privacy - what are you going to do about it?  Businesses wrote
  back to let her know what they were going to do.
Roger- still: What positive things can we do to incent business. Profit?
  Will that help? Permission based marketing?
? - Anti-virus software folk may help. We have identified this many viruses,
  here's what we've done. At some point the vendors formed a consensus - can
  we get biz to form a consensus that privacy should be protected (in a
  general way), can we move forward that way?
Read book like "Toxic sludge is good for you". Marginalize and discredit
  those who biz disagrees with. This will preserve the status quo that biz
  wants.

Break

Cash

What's cash?
Universal acceptance
Assured anonymity
Ease of use
	Bounded liability
	Everybody is a merchant
Why we don't have it on the net yet

IP fights
Cryptographic export restrictions (historical and current)
Government resistance
Lack of consumer interest

Cash, part II
How about prepaid cash cards?
Like a metro pass
Sell them in 7-11
Unlinkability via cash for card and tossing refills

Problems
Credit card companies are obvious players, but want to data mine.
Requires physical infrastructure
Still not peer to peer
Can we fix it?

Deirdre

Your place or mine - where you store data - whose server?

Security - changes depending on which server it's on.

Ian Goldberg-prepaid cash card-spendcash
Bar codes on paper money in the Netherlands. Not anonymous anymore!
Rohan-many people use prepaid cellular cards outside the US.

? - why have ecash systems all failed so far?
Critical mass issue. Not widely used by large numbers of people.
Some payment systems are gaining critical mass.
Ian Brown-prepaid "anything"- he's worried that prepaid cards will quickly
  become non-anonymous because of the war on drugs and money laundering.
Adam- credit cards ubiquitous in US even though they have only been around
  for about 50 years.
? - for a lot of transactions, cash is used because it's easy in meatspace.
  And why would I use ecash over the net if there is no enforcement mechanism?
Phil-cryptographic protocols for sending and receiving ecash.
Deirdre-bleed over on confusion between debit cards and credit cards,
  particularly surrounding liability.
Alma-credit card fraud is a headache - any way that ecash can be like cash-
  merchants can accept it and not worry that they can't accept it.
Carl Page - CPSR - rocket cash -- for teenagers
Joel - consumer motivations -- disincentives - floats, and the $ doesn't leave
  your account until you get the goods.
? - You get things when you use your credit card. You get frequent flyer miles,
  etc.
Phil- can we get a toehold into cc infrastructure to use as scaffolding for
  anonymous ecash structures.  Market forces can then take over to lower the
  price of anonymous cash. Creeping erosion of privacy - makes it harder to
  make arguments for our privacy. But if we can gain this toehold, then we can
  create privacy expectations.

Deborah H - Is cash on the net desirable?
Ian Goldberg - we need to worry about the clearing system. Remind people that
  it's useful to have anonymous commerce on the net, but we need to be able to
  have a way to deliver the anonymous cash via an anonymous way - i.e. no
  tracking of IP addresses.
? - Mondex...(turns out it isn't anonymous)
Deirdre - small steps we can take -- should we have the ability to not have a
  transaction recorded but then not have the ability to contest that
  particular transaction?
Lenny - re: barcoding cash - we have serial numbers on cash -- re: porn getting
  VCRs accepted - citations? Re: cc companies - citation for FedEx gets
  numerous subpoenas every day - particularly at the height of the tobacco
  litigation. Banks - if you don't want subpoenas, don't collect the
  information.

Wrap up.

Re: DNS, biz, cash - theme: incremental change.  How do we prototype these
  systems so that we can figure out what to do with them.

Mailing list to talk about these issues on the CFP pages.

Lenny Foner
Last modified: Sun Apr 23 15:27:47 EDT 2000