CFP2000 WFPD: Rebecca Wright's raw notes

These notes are raw and not post-processed. They were all taken while the workshop was going on, and hence are not polished and not guaranteed complete or necessarily even balanced -- many scribes took extensive notes on only parts of the entire discussion.

Workshop on Freedom and Privacy by Design 4/4/2000
Computers, Freedom, and Privacy Conference, Toronto, Canada

Send notes to cfp-wfpd-notes@media.mit.edu

Lenny Foner - Overview: Schedule, philosophy.  Description of
Replacing DNS proposal. 

Rebecca Wright - Obstacles to Freedom and Privacy by Design
Alma Whitten - Usability issues

Discussion of DNS project:

Can we come up with a replacement for DNS that is better for the
little guy?  Potential solution is "Smoosh", which is rough cut as
originally described by Lenny.

Ian Brown: thinks DNS is not so bad as is?  Likes idea of it as lower
level, above which we build SN's.

Anne Adams: Web vs. e-mail very different from user's point of view,
especially for desire of accessibility.

Jonathan Weinberg: needs to grow along side of DNS, rather than
wholesale replacement.  DNS is not going to go away.

John Gilmore: SN will just have to do it better, so people will switch
to it.  Better and more functionality.  Hierarchical names is not
itself a problem, rather hierarchy of control.  Distributed database
technology has improved significantly since original inception of DNS,
so can be taken advantage of.

Tad Hogg: likes distributed search nature.  Looking at local community
of users.  But: users may not be willing to reveal what they know for
privacy reasons, and may be reluctant to participate because they
don't see what they gain.

Lance Cottrell: user expectations: users expect to have different
computers that they use behave the same way.

Dave Kristol: average user doesn't care about these issues.  Web is
widely used because newly purchased computers have Web browsers
already installed.

Alma Whitten: consumer is familiar with bookmarks in Web browsers, so
we can use a similar solution.

Ian Brown: privacy aspects of storing and sharing everything you know
(even if not shared, available to hackers and subpoenas)

Deirdre Mulligan: questions about political chokepoint and anonymity.
Regardless of system(s), consumers are concerned about authenticity of
knowing what business they are dealing with.  Are little guys really
better off?  Proliferation of names makes things harder.  How does it
address land grab issue?

Lenny Foner: regarding land grabs: (credit for original idea goes to
Eric Hughes).  Little guys are people too. Even individuals should be
able to make easy to find addresses.  Search engines may or may not
help.  Confusing goals and means: distributed approach seemed good way
to break political hierarchy, but any other way would be fine, too.
In fact, another solution may be a better technical solution.  Want to
avoid biggest multinational is winner or firstcomer is winner
solutions.

Rebecca Wright: user expectations - if disambiguation is usually right,
users (including software designers) will come to think it is always
right.  How do you know when the wrong site is reached?

Anne Adams: again, authenticity and recognizing when you get to the
right site.

Alma Whitten: attacks can become more possible in this anybody
registers system, and solutions that use public keys return this back
to being unusable.

John Gilmore: problem is really that there are only three suffixes, so
there aren't enough names.  What if you could just choose your own
suffix, or choose from more suffixes?

Deirdre Mulligan: large companies would still register many names.

Roger Clarke: let's look for a simpler problem.  I want a product that
will let me put "acme" only, and it will try all the heuristics.  Then
we can make this extensible.  Different heuristics for commercial
context, activist context, http vs. e-mail vs. newsgroups...

Phil Zimmermann: authentication - wants to know that typing Barnes and
Noble gets to Barnes and Noble.  Won't help if everyone else can grab
it!  If .com is "better", then it doesn't help. If others are
available and just as good, Barnes and Noble will want them, and
consumers will want Barnes and Noble to have them.

Lenny Foner: what about previously existing little guy?  Little amazon
in Minneapolis didn't get amazon.com even though it existed longer,
because big amazon sued to get the name.

Phil Zimmermann: but I still want to find Barnes & Noble.  Injustice
needs to be addressed orthogonally.

John Gilmore: rather than focusing on wrongs of DNS, focus on rights
of what we want to provide.  Netscape actually provided the www.*.com
feature, and later made it a pay to be in service.

Ian Brown: domain names were not intended this way.  Remembering IP
address of everything you've encountered before.

Jonathan Weinberg: think of Smoosh as a DNS overlay rather than a DNS
replacement.  Adding a whole bunch of new top-level domains would be a
tremendously successful approach to solving land grab problem.  Even
with SN, IBM might still sue anyone who registers ibm.anything.  Many
little guys are happy to sell a preexisting name for a large fee.

Alma Whitten: telephone books work well for finding things that you
know enough about to look up, even if the name isn't good.  Good names
and findable names aren't the same thing.

Dave Kristol: Yahoo's classification system of categories allows good
distinguishing between things in different categories.

Patrick Feng: some background assumptions: implicitly, infrastructure
needs to support global economy and global uniqueness of merchants.
Compare to when you want to find your local bookstore?  Plays an
important role in how infrastructure is designed.  Different
communities need different heuristics.  Can be learned in slow,
incremental steps?

Tomas Sander: trivial solution for local is Yellow Pages.  How can we
revolutionize; just do it!  **What is the killer app for this stuff?**
Being able to find what I want is not it, because it's not really a
problem.  Distributed domain systems have been done before.  Meeting
new people in specific communities?

Simson Garfinkel from audience: DNS was meant to be used by
individuals.  Majority of issues raised here have not been issues for
telephone system because numbers have been used.  Problems do arise
when companies all want 1-800-MATTRESS.  Content-based addressing
system was never really discussed and is fundamentally flawed.
Problem isn't necessarily DNS, but rather hierarchical searching of
DNS.  Several levels with checking at next level up when not found at
current level would be a big help.  Any system that has been proposed
here could be folded into current DNS just by changing server search
algorithms.  Trademark issues really won't go away by allowing more
people to register related-seeming names.  Solution is to remove
content

Stanton McCandlish: from audience: goals are dividable into two
themes: protecting free speech, privacy, etc are policy and political
goals.  Intellectual property issues are global system problems
independent of the Internet.  Perhaps better to look at them
separately.

BREAK

Adam Shostack: two very different problems in the context of one name
space.  1: I want to find a well-known entity. 2: I want to find a
friend.  Different solutions and methods are appropriate for the
different problems.

Deirdre Mulligan: proposal suggests proliferation and confusion that
gives breathing room for diversity, but on small guy vs. big guy side,
gives breathing room by adding complication, which underestimates
power, influence, and money available to those who wish to enforce
the rules.

Nick Nimchuk from audience: odd to overlay SN over DNS, when DNS could
be overlaid on SN.  Now, most computers trust only NSI for names.
NSI could continue to provide names to people who trust them.

John Gilmore: DNS was not designed for finding things, it was designed
for naming things.  A system that is good at naming without existing
political issues would be useful even without solving the finding
problem.

David Phillips: circle of friends being commodified?  Preformed
communities with institutional brokerage, which is not changed here.

Tomas Sander: revolutionizing naming system is too big for us to
accomplish.  Highly flexible solution is highly suspicious.  More
interesting to talk about proposal like Freenet, specific to anonymous
speech.  Question assumptions?  What do we want to protect?

Karl Auerbach from audience: can we put DNS genie back in the bottle?
Use it for what it's good at, and not for everything.  (For example,
Akamai already does some of this.)

Ed Gould from audience: need to agree on goals before we can hope to
design something, since many of them are in conflict with each other,
and appropriate for different contexts.

Carl Page from audience: a lot of these are pretty well solved.  Can
always find "most important" Web site by a search engine.  Home pages
plus search engines already solve finding individuals problem.

Karl Auerbach from audience: even with DNS, shouldn't trust result
without authentication.

Rohan Samarajiva: large companies will always fight to the death for
unique.  Communities of interest are sometimes geographical, but also
sometimes other focus.  Defining communities of interest separately
may be more tractable.

John Larsen from audience: DNS is primarily useful for the system.
Humans need another layer.  Would like to see policy statements on
search engines about how they choose results presented (especially
where commercial interests are involved.)

Lance Cottrell: seconds that AOL is a good way to find individuals.
Most individuals do not (and should not) have a unique domain name.

Karl Auerbach from audience: need to differentiate between
presentation of results when it is to humans and when it is to
machines.

Carl Page from audience: already a couple of opportunities to do
things with naming outside of DNS.

Dave Del Torto: keep in mind that in other parts of the world, lots
of people are on the same machine or even the same e-mail address.

Lenny Foner: comments to focus.  1) finding people is different from
finding companies. 2) finding is different from naming.  3) whatever
we come up with, how do we prototype it and incrementally deploy?

Fen Labalme: build in search engine to browser input line?

Lisa Kamm: this already exists as add-on, but doesn't fully solve
problem because of existing search engine algorithms (ibm.com comes
above ihateibm.com).

Alma Whitten: hearing widespread assumption that users guess
addresses.

Lisa Kamm: has data that this does happen for IBM.

Karl Auerbach from audience: encourages experimentation.  Adding on
new naming systems is not going to break the Internet.  DNS is only
intended as one way to find names.  Don't be afraid.  Could go in
routers, hostnames, searching, above DNS, below DNS.  He recommends
using as high as possible above DNS.

Jonathan Weinberg: problem with integrating search into browser is that
there are problems with existing search engines.  Both existing
implementations and current technologies are inherently limited.
Enormous resources required make it expensive and difficult.  Suggests
focus on SNs as a finding engine: possibly valuable new approach.

John Gilmore: would like to focus on how to build in the features that
we decide on?  That is, even if we reach a consensus, how would we be
able to build it in to the infrastructure.

John Brockman from audience: initially there was a proliferation of
browsers, users chose what they liked best.  Compuserve has
content-free naming, and that's why nobody likes them.

[note taking break from 11:50 to after lunch]


Afternoon session: 

Lenny Foner: Overview of afternoon.  Business strategies, cash project.
David Phillips: Activist analogies
John Gilmore: Free software and business

Lenny Foner: Businesses make money from violating privacy: data mining,
spam.  Many consumers don't realize what's going on.  How do we
motivate business adoption?

David Phillips: contours of privacy as a political issue.  Compare to
anti-nuclear movement.  Phase 1: Local actions regarding nuclear
safety.  Phase 2: organizational alignment with existing organizations
to share in their resources, structured with similar/related ideology.
IDEA: create a populace that is cognitively prepared and socially
resourceful to understand and react to "Chernobyl event".  Can we make
linkages between privacy and other important, deep, social themes.

John Gilmore: if you don't like the way businesses are doing it now,
make your own.  Use free software: reduces cooperation costs, allowing
relationships to build that can be useful later.  Advantages to
public: gives user community choice in what they want in the product.
No central point of control.

Deirdre Mulligan: there have already been some social connections
between privacy and other social issues.  Thoughts on how to better
continue them?

Colin Bennett: Chernobyl may not be right analogy.  Could come from
either low-tech or high-tech disasters.

John Gilmore: doesn't like idea of waiting for, or trying to create,
Chernobyl opportunity.

Tad Hogg: would like to see discussion of technological techniques.
For example, secure function evaluation as a tool that can help here.

Anne Adams: people tend to trust technology, and when it fails often
completely reject it.

Ari Schwartz: we see privacy problems every day.  We've found it more
important to work proactively with companies that ask for help in
advance with privacy.  Need to engage them and figure out how to do
it.

Patrick Feng: wouldn't characterize position as trying to encourage
Chernobyl, but rather want to make sure that we are in a position to
react to it if it does arise, since users may not respond on their
own.

Roger Clarke: how do privacy and freedom activists get action: must
know the abstract field, the legals, the interest groups and their
interest, ongoing background pressure on relevant committees and press
coverage.  When opportunities arise, must be ready.  Sustained
linkages with other organizations must be maintained, and new linkages
formed when opportunities arise, even with uncommon bedfellows.

David Phillips: did not mean to say he wishes for a Chernobyl, but
rather that we should be ready for any such event.

Ken Ash ??  from audience: difficult to articulate privacy threat to
the public.  What concrete message should we be trying to deliver
to the public to get them to understand the problem?

Deirdre Mulligan: Give a quick opportunity for people to take action
in response to an event.

Charles Raab from audience: example of unexpected alliance - privacy
advocates and businesses joined together against key escrow.  Also
important to know where in government there are pressure points and
possible alliances.

Ellen ?? from audience: people will sell their information for very
little goods and services in exchange.

Rohan Samarajiva: business vs. activist methodology.  How do you
design technology or institutions that in themselves encourage
businesses to do the right thing?  Recognize that ongoing
relationships do require some divulging of information, with some
development of trust.

Jonathan Weinberg: two cautions on Chernobyl.  1).  Look back on
history of privacy activism so far.  Somewhat depressing because
entirely reactive, e.g. Doubleclick.  2).  What are we trying to
achieve?  Legislation?  Adoption of privacy-protecting technologies?

Deborah Pierce: 30+ bills in California legislature.  Reactive mode is
not helpful.  Better to build relationships with businesses up front
and help them to build in privacy features from the start.  Also, too
late to respond after disaster, because once data is out, you can't
get it back.

Lorrie Cranor: If you want to motivate business to stop doing
something they are already doing, that is much harder than influencing
them beforehand.  So how do you get businesses to think about privacy
up front, especially given that it is not always clear in advance
which technologies will have negative privacy implications.

Craig Hubley from audience: Simply cannot solve problems on
limits of relationships with legislation.  Positive business models:
contrast between three theories of value.

Karl Auerbach: Congress does not care about property.  Suggests you
view your name as intellectual property and create a shrinkwrap
license for it.

Roger Clarke: don't identify legislative solutions only with EU.
Think of New Zealand instead.

Adam Shostack: huge untapped market for those worried about privacy.
Greed is a powerful motivator.

Colin Bennett: reminder that most advanced industrial states have some
kind of privacy legislation.  US is a notable exception.  Adoption of
privacy policies: note that it is not only an Internet problem, and
can't have only Internet solution.  What does it mean for a business
to adopt privacy-friendly practices?

John Gilmore: privacy problem on the Internet is caused by inability
to use cash on the Internet.  Therefore relies on advertising, which
wants to invade privacy.

Deirdre Mulligan: some positive stories regarding proactive work with
business that CDT has done.

Roger Clarke: how can we engage businesses in positive ways: greed is
the wrong word to use.  Find the right language, even if that is the
right concept.

Ken Ash ?? from audience: sometimes businesses will cooperate to
mutually agree to do something that is good for customers.  Can we do
this for a strong privacy framework?

Lenny Foner: final comment - resource for activism: book "Toxic Waste
is Good for You".

FINAL SESSION: cash project

Deirdre Mulligan: your place or mine?  Data storage at server
vs. client.  Phil Zimmermann: crypto keys should be stored close to
user rather than at servers (i.e. your own laptop or your own smart
card).

Ian Brown: what is legal threat to passphrase?  In Britain, 2 years
jail for not giving up your pass phrase if requested, 5 years for
telling anyone that you did.

Ian Goldberg: Spendcash company exists and has 7-11 cash card solution
for pre-paid cash cards.  Has problem that very few merchants accept
it.  Would be better to have as Visa/MC, so already acceptable
everywhere.  Also, note that governments are moving towards making
cash less anonymous by reading bar codes and serial numbers of cash
bills.

Rohan Samarajiva: who would provide such cards?  In telecom, cell
phones plus GPS give tremendous amounts of locational data that can be
used to violate privacy.  However, prepaid disposable phones/cards can
be used to limit this.  Can latch cash idea on to that?

Bryce Wilcox from audience: why all e-cash systems have failed so far.
The fax effect.  You will not want to use a payment system that is not
accepted by most of the places you want to do business with.  Any
peer-to-peer Internet payment system can exchange with any other, so
even one of these gaining critical mass will help others.  Paypal has
1/4 million users that have made at least one transaction.

Lance Cottrell: two points.  1) adoption issue.  Early acceptance is
difficult.  Try to make it look like a credit card.  2).  Prepaid
phone cards: some merchants can now bill things to your phone bill.

Deborah Hurley: reminder to not focus too much on credit cards, which
are not as highly used in some countries.

Ian Brown: both phone and credit card industries are highly regulated.

Adam Shostack: credit cards have only been generally accepted
instruments for about ?? years.  Book recommendation: the Credit Card
Catastrophe, describes history.

Dave Kristol: why would people want to use anonymous payments?  Where
is demand coming from?  Gambling, porn, ....  Recall that VCRs were
driven by demand for porn.  Also, on-line cash only remains anonymous
if a shipping address is not needed, so for bits.

?? from audience: cash works because it is easy.  Anonymity is not the
main advantage to people who use it.

Phil Zimmermann: delivery problem for cash can be solved by
cryptography.

Deirdre Mulligan: consumer community - liability of credit cards vs.
debit cards, not always clear what difference is to consumers.
Consumers choose convenient and familiar solutions.

?? Stadler from audience: float on credit cards is an issue.  No
demand for e-cash?

Dave Del Torto from audience: who will underwrite anonymous e-cash
systems?  Without the float, what is the incentive to back the system?
May be in order to break privacy?

Alma Whitten: Can e-cash be made as a lower risk alternative to credit
cards from merchants' perspective?

?? from audience: Rocketcash system allows teenagers who have no
credit cards to use their credit card instead.  They take all kinds of
cash, plus referral points.

[note break 4:45pm until end of day]

Lenny Foner
Last modified: Sun Apr 23 17:12:38 EDT 2000