Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 17 March 1997
© Xamax Consultancy Pty Ltd, 1997
This paper is at http://www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP97.html
Computers, Freedom & Privacy, at http://www.cfp.org, is a dynamic community of people interested in, and energised by, the tensions generated by modern I.T. It's a crossroads meeting-place intended to complement the many meeting-spaces, and to address the many spaces, in that word's other sense of gaps, between different interest groups.
The Conference is an intensive 3-day, 13-hours-per-day experience for about 400 people, with a minimum of keynote speakers, brisk and focused plenary panel sessions with 12 minutes per speaker and 30 minutes of audience participation, parallel lunchtime sessions over sandwiches, and parallel birds-of-a-feather sessions starting at 9:00 or 10:00 p.m. It's preceded by a day of well-attended Tutorials.
These are personal notes on the 1997 event by a repeat-participant. Notes from some of my previous attendances are available for 1993, 1994 and 1995 (I didn't attend the 1996 event). Those earlier documents are structured by session. This document, however, analyses the proceedings by 'theme' and 'threads'.
I make no attempt at comprehensiveness, because the event is just too rich for anyone to fully appreciate. I make few mentions of individuals' names, because there were scores of important contributions. See the programme for details.
The theme for the 1997 Conference was 'Commerce and Community'. The intention was to deal with the swathe currently being cut through Internet communities by profit-oriented, netiquette-flouting marketeers. I've been working on aspects of this problem for some time. See, in particular, Netiquettecases, Encouraging CyberCulture, Spam and Cookies.
CFP was a perfect place in which the debate could be engaged; but unfortunately the report-card was mixed. Many key players were present, and a vast amount of information was presented, in authoritative and understandable format.
The disappointment was that the session that most directly addressed the theme failed to conform with CFP's requirement that panels internalise the tensions by containing representatives of the various points of view. It was chaired by a marketing academic (the formidable and very fast-speaking Donna Hoffman), and comprised two shameless net-marketers, an I.T. provider who was marketing the excusatory eTrust trademark, and a captive regulator. The pro-marketing arguments were clearly put, and the 'American way' of nil interference by government was explained one more time, but the legion of counter-arguments had to be mounted from the floor by questioners.
Unlike many other conferences, however, the theme recurred many times in various sessions.
The Electronic Frontier Foundation presented richly-deserved EFF Awards to Marc Rotenberg of Washington-based Electronic Privacy Information Center (EPIC), and Johan Helsingius of Finland (famed as the long-time operator of the first anonymous remailer). An EFF award was also presented to Heddy Lamar. It's a lovely story, but this isn't the place to go into it ...
It's almost an impossibility to grasp the richness of the streams of thought flowing past you at CFP, and even harder to analyse them; but here goes anyway.
The 'P' of CFP, privacy, is a bundle of interests in individuals having private space, free from interference with their person, their behaviour, their data and their communications. Some participants want absolute protections; others would be satisfied with qualified protections. Previous CFPs have dealt with a lot of the main issues; and hence privacy was implicit in most of the sessions at CFP'97, rather than being the foreground topic.
The 'F' of CFP, freedom, is also multi-faceted. Those that I perceive CFP'97 to have focussed on were:
There are many inherent tensions between these various interests. Some people (especially marketers and their agents) maintained the simplistic view that the tensions could be reconciled, and a 'right' or 'balanced' solution (Donna Hoffman's words) negotiated.
Most participants were highly sceptical about that proposition. There's scope for 'win-win' solutions in some contexts, but in others the interests are diametrically opposed. Marketing interests appear to be hopeful that the lack of organisation of consumer interests, and the lack of any power or commitment among U.S. regulatory agencies, will ensure that their interests continue to dominate those of individuals.
The fundamental motivation for the conference is the rights of people.
A session dealt with the question of how readily governments could suppress dissident thought and expression on the net. Americans enjoy considerable feeedoms in this regard, so the focus was on other countries. These included China (which appears to be trying to establish a 'national Intranet', in order to ensure that foreign materials are not available to its citizens), and Germany (which seeks to preclude neo-Nazi propaganda and denials of the Holocaust, and has been particularly clumsy in its handling of the pornographic materials issue).
There was (regrettably limited) discussion of the ways in which suppression can be implemented (the generic term is now 'censorware'), and of the key experiment currently being conducted in Singapore. Declan McCullagh suggested that 100-200 sites may be being blocked by the Singapore government's proxy-servers, although which sites, but whether they were only pornographic sites or also political sites, remains unclear. [During the conference, a report appeared on the net that Vietnam has now committed to Singapore-style proxy-server censorship).
The potential for the PICS infrastructure to be used as a censorship tool was much-discussed. It appears that the PICS group may no longer be talking about it as a value-neutral protocol and focusing on its use at workstation level, but rather actively proposing and facilitating its use at corporate firewall, and ISP and national proxy-server levels.
This is bound to draw fire from libertarians, and result in W3C and the PICS group being perceived as servants of repression rather than deliverers of a valuable architectural add-on to Internet infrastructure. The article in the March 1997 issue of Scientific American, by PICS Committee chair Paul Resnick, adds fuel to the fire, because it projects PICS as being entirely for application by users at their own choice, rather than making clear its usability as a censorship tool at firewall and proxy-server levels.
A session addressed the U.S. Communications Decency Act, and the attempt that the Attorney-General is currently making before the Supreme Court to have the invalidity of that legislation overturned.
A weakness of the discussion, through foreign eyes, was the continual invocation of the First Amendment. Because of the existence of a (somewhat ambiguous) constitutional right in the U.S., the discussions are necessarily narrow and legalistic. On the other hand, the matter is of considerable import throughout the world, because the arguments presented will be re-used in various forms in many other jurisdictions that propose knee-jerk legislation to deal with the 'porn in kiddies' bedrooms scares.
It was clear that there was a common desire among participants that individuals be under no constraints as to the use of cryptographic measures to protect their communications and their data from prying eyes. This extends not just to the freedom to use crypto, but to the freedom to use 'strong' or 'robust' crypto, by which is meant schemes that (it is believed) no-one can crack.
The successive nonsensical positions adopted by the U.S. Administration have casused a great deal of time to be wasted, at successive CFPs, on Clippers I, II and III, and now 'key recovery/key escrow' matters. The situation is further discussed below, under 3.2 - Freedom of the Government to Intercept Communications.
I participated in a session on 'Social and Governmental Impacts of Digital Money', in which Michael Froomkin and Tim May argued that money is a form of speech, and should attract the same kinds of protections. The participants were:
A session on 'The Creeping Propertization of Information' discusseda number of measures that may lead to an extension of intellectual property protections to materials which would not previously have qualified. These include:
If they come to fruition, these measures would represent a boon to large corporations that assemble and maintain databases, but a constraint on people's freedoms to access, use, and excerpt data.
A session (that I missed due to other meetings) dealt with democracy on the net. A group called democracy.net has launched, intending to experiment with applications of the Internet to support and improve conventional democratic processes. This includes audio-feeds of meetings, and on-line submissions and questions. The group is expressly not experimenting with direct democracy.
The last session addressed the topic of 'The Coming Collapse of the Net'. No short-term concerns were expressed. On the other hand, the criticality of the Internet II Project was underlined: the present architecture will not be able to support some of the services that are being developed. The Director of the Project, in answer to my question, stated (as the very last words of the conference) that the Internet II Project does not at this stage extend beyond the borders of the U.S., but that it was inevitable that it would do so in some manner.
Several sessions related to the scope for ISPs and governments to impose constraints on netizens. Examples of threats to the freedom included proxy-servers blocking access to sites, and digital money services only being available under particular conditions.
Concerns were expressed about dysfunctional behaviour in cyberspace, including harassment of people by others. Criminalisation of such behaviour, and facilitation of the investigation and gathering of evidence, were generally considered to be desirable.
Against this, some people argue the possibility (even probability), and the desirability, of:
A session (which I didn't attend) raised the question of policing on the net. This investigated the questions of the need, and the level of netizen desire, for policing; and the extent to which such policing could be formal (whatever that might mean in cyberspace) or informal and community-based.
A lunchtime session addressed the question of developments in virtual communities.
A hypothetical on spamming rehearsed the issues arising from unsolicited emails, particularly of a marketing nature. There is a long-shot argument that spamming might be illegal in the U.S., but there is no test case is in the courts yet; and meanwhile net-marketing start-ups are running out of control.
The [U.S.] Direct Marketing Association (DMA), in March 1997, issued a set of 'Privacy Principles and Guidance for Marketing Online'. Unfortunately they contain no URL for the on-line version, and no fax number ... Nor is the document (or any other form of privacy assistance) visible at http://www.the-dma.org/. The only email address provided on the document is that of the membership department, at firstname.lastname@example.org. They can be telephoned in New York at +1 212 768 7277 or Washington at +1 202 955 5030. Generally, the document is quite a useful first cut, but as a means of showing concern about the issue, it's poorly implemented.
The DMA Guidance states that "Online solicitations should be posted to newsgroups, bulletin boards and chat rooms only when consistent with the forum's stated policies". This is being largely ignored by large numbers of spammers.
It further states that addresses "collected [or 'harvested'] from the online activities of individuals in public or private spaces should see to it that those individuals have been offered an opportunity to have this information suppressed". This appears to be seldom honoured, except by way of an offer within the first spamming message to remove people from the list on request.
The Guidance states that "marketers should have systems in place that will honor consumer requests to not receive future online solicitations ... or ... to have their e-mail addresses removed from their lists or data bases that are made available for rental, sale, or exchange for online solicitation purposes". (The drafting appears to contain a drafting error, in that the "or" should be "and"). It is against the interests of spammers to implement this measure, because they charge per thousand addresses, with limited quality controls, and because it costs them almost nothing to send to a non-existent or non-accepting address whereas it costs them money to remove people from lists, to maintain an off-list and to check new spam against the off-list.
The Guidance also states that solicitations should:
The DMA's code assumes that any address a marketer can find is at their disposal, subject to affinity of the message to the purpose of the forum, and maintenance and checking of the off-list. This is an opt-out rather than an opt-in solution, and hence not in the interests of the majority of consumers who don't want non-relevant unsolicited emails. On the other hand, if implemented, it would provide some controls.
Other inadequacies of the DMA Guidance are that:
John Gilmore of EFF (and long-time provider of the email@example.com e-list) argues that the principle of free speech demands that spam not be banned, but that social countermeasures be used to motivate spammers to act responsibly rather than dyfunctionally. On the other hand, the use of non-existent reply-to addresses he regards as fraudulent, and hence grounds for interception and suppression.
Lance Hoffman, role-playing the absent grand-spammer himself (Sanford Wallace of Cyber-Promotions), identified a number of further opportunities for spammers. These included going off-shore, using sub-contractors, and offering airline-mileage points to recipients of spam, with bonuses for people who respond.
Freedoms for people might be expected to be more important freedoms for business. The economic and marketing imperatives are so dominant in the U.S., however, that business freedoms seem to have attained standing at least as high as human rights.
Businesses argue that they should be unfettered by law and by regulatory agencies, because the market can be trusted to regulate behaviour. The faith in neo-classical economic tenets is touching.
The remarkable thing is that American society generally seems to actually believe those propositions nearly as fervently as business does. Government generally avoids regulation. Regulators are generally toothless and business-friendly. Surveys of the public's attitudes suggests that few perceive a need for taxpayer-funded regulatory measures (e.g. Alan Westin's latest Equifax survey showed only 25% support for a privacy body. This contrasts with strong support in most other countries in the U.S.A.'s reference group. See, for example, a recent survey I managed for MasterCard).
Business further asserts that data about people is theirs to use, irrespective of source or original purpose. That this is in direct violation of the OECD Data Protection Guidelines, to which the U.S. has long ago acceded, is simply ignored.
The current issue is the appropriation by spammers of email addresses used in the Internet community, for the purposes of Internet commerce. Business asserts that because it is possible to appropriate them, and efficient (for them) to appropriate them, therefore they should appropriate them.
One (unbalanced) session dealt with business's perspective. Another dealt with spamming. For my own analysis of the matter, which reflects most of the points raised in the discussions, see Spam.
A session discussed 'information warfare'. This is a recent consultants' buzzphrase that replaces earlier phrases such as 'business risk analysis/management', and 'business continuity planning'. It is concerned with attacks on data content and information technology as a means of undermining an organisation's value or viability. Sources of threat include competitors, would-be purchasers, governments and crackers.
Government may be nominally the servant of the people, but it is a vast machine that demands rights of its own. Despite the image of being a free society, the U.S. has enormous respect for national security, and hence for its aero-space-defense industry. The result is claims by at least some government agencies for freedoms that compete directly with freedoms of individuals and businesses.
The U.S. Administration has asserted the need, and the legal power, to intercept any message, and to be able to understand any message that it intercepts. The need is based on the importance to law enforcement agencies of gaining access to communications that may provide intelligence or evidence relating to actual and intended offences.
The primary means used by the U.S. Government is prohibition on export of products embodying strong crypto. (The purpose appears to be to prevent Americans using strong crypto to protect their communications. But to express that would be politically unpopular. The Administration is therefore relying on the economic incentive for U.S. suppliers to produce only one version of each product, for both export and domestic use, which embodies only weak crypto).
The U.S. Administration also seeks to implement secondary measures. The first attempt was to introduce a special-purpose cryptographic algorithm, called Skipjack, and implement it in the Clipper chip (for telephones) and the Tessera chip (for data transmissions). Under assault from all sides, that attempt failed.
The current secondary attempt is to demand 'key recovery' techniques be implemented, comprising escrow of private keys, or substantial parts thereof. Law enforcement agencies would be able to gain access to the escrowed materials, in order to decrypt messages.
Both the need, and the power, are contested by public interest advocates. The I.T. industry is also very concerned that the U.S. Administration's prohibitions on export of strong cryptography products will harm their export prospects.
A special U.S. 'ambassador' has been touring the world trying to convince other governments of the need for strong crypto to be controlled by all governments. The signs are that a few governments, such as that of the United Kingdom, may be supportive, but that generally these attempts are failing. An OECD Report, due for publication shortly, appears very likely to effectively reject the U.S. position as too being extreme.
David Brin, sci-fi author, has further developed his argument that visual surveillance is a 'done deal', and that video-cameras will appear in all manner of public and even relatively closed places. He further argues that the constructive response is to ensure that the watchers are watched, and that therefore (a) the output from all cameras should be fed onto the open Internet, and (b) cameras should also be installed in all law enforcement monitoring centres. A local TV station was interested in this matter. In the absence of anyone else who appeared knowledgeable on the topic, they interviewed me.
An intended session on national ID cards failed to eventuate. This has been a continual inadequacy in CFP programmes. It reflects the U.S. preoccupation with commercial privacy invasiveness rather than government repressiveness. That in turn reflects the considerable protections U.S. residents enjoy against government, and the relative incompetence of U.S. government agencies in their application of I.T.
It appears to be necessary for ID card issues to be discussed in other venues. (A session is scheduled for a conference in Montreal in September).
The session on 'information warfare' was primarily concerned with national security, and its susceptibility to attacks on data content and information technology. To an outsider with little interest in the topic, it was largely a pleading for everyone to believe that, after the collapse of the Soviet Union, there are still enemies out there sufficiently serious to warrant the continuing expenditure of vast sums of money on the ability to conduct warfare. There was also an unspoken sub-text to the effect that "and of course we need the ability to wage information warfare against the enemies of our wonderful country".
This panel was also seriously unbalanced, with all parties being self-interested in the promotion of 'information warfare' as a viable concept.
In addition, the Chair of the U.S. Administration's 'President's Commission on Critical Infrastructure' had a special evening session that was "intended to solicit the opinions of the conference attendees". In fact, he started with a policy statement, took no notes, showed no interest in comments made, and sought no follow-up. It was difficult to see it as anything other than a closed club, processing yet another round of special funding and tax-breaks for selected commercial organisations.
The opening session and the two dinners featured the only full-length addresses.
The opening Keynote was by Ira Magaziner, a senior apparatchik - sorry senior policy adviser to Bill Clinton. He provided delegates with a bath in warm water, assuring us that everything would be all right in the end. The story was far removed from the reality of Washington government agency politics, and either it was disingenuous, or Magaziner is wet and irrelevant. Either way, the speech was.
Paul Soffo, of The Institute for the Future, reviewed recent and near-future discontinuities in technology. He referred to micro-processors in the 1980s, and laser-technology in the 1990s. He sees nano-technology as still being science fiction.
The current breakthrough he considers to be in sensor technologies, analogue-to-digital converters, and tightly-linked effector technologies, many of them minituarised. These have enormous consequences for real-time location of things and people, and real-time assessment of and reaction to actions and events. (As an aside, he considered that they may even lead to a reversion from digital to analogue computing).
The argument is available on the net, at http://www.iftf.org/sensors/sensors.html. This was one of the most valuable and genuinely new offerings of the entire conference.
The other after-dinner speech was by John Hagel, of McKinsey's, who gave a review of his new book, 'Net Gain' (Harvard Business School Press, 1997, 227 pp., $US24.95). I bought a copy at the airport on the way out, and read it in the plane. The current (March/April 1997?) issue of Harvard Business Review contains a paper expressing some of the argument.
The thesis is that the Internet is giving rise to a new model of consumer-supplier interaction, which he calls 'the virtual community business model'. In particular, he perceives a shift in market power to intermediaries ('info-mediaries'). Their primary affinity needs to be to consumer-members, and they deal with suppliers on their members' behalf.
He referred to the shift as 'reverse markets' (which sounded like an inversion of J.K. Galbraith's 'revised sequence' of 30 years ago, which documented the shift towards marketer manipulation of consumers' perceptions of their needs). Naturally all examples were, of course, expressed in terms of upper-demographic communities.
The engine underpinning this new order of things is information capture, to support profiling of both consumers and suppliers. As a result, 'trust' is essential. The concept of 'trust' was considerably less than the existing concept of 'privacy', but did include some key elements, such as opt-in rather than opt-out. The catch-phrase was 'community before commerce'. It sounded a bit more like 'commerce exploiting community', but the theory is certainly more balanced than the conventional rape-and-pillage model.
I'm a well-practised complainer, so here's my negative feedback.
Those who were significantly represented at CFP'97 included:
Those inadequately represented included:
Almost entirely unrepresented were minorities of all kinds, particularly the information- and I.T.-poor (e.g. those living in impoverished inner-city and remote rural locations), and ethnic groups.
From a marketing viewpoint, CFP needs to attack the government policy-maker and regulator markets, and the community relations executives of corporations and industry associations.
From a community perspective, CFP needs to construct an outreach arm that will provide the disenfranchised with some spin-off benefits, and provide conference participants with some meatspace input.
The convention at CFP is to internalise the tensions within each panel, such that no one point of view dominates to the exclusion of others, and multiple sides of the issue are surfaced by the panellists rather than having to be raised from the floor during 'question' time.
Two sessions failed to comply with that norm, one of which was blatantly biased towards the interests of marketing companies, and the other of which was an open invitation to the aero-space-defense complex to justify expenditure on information warfare and countermeasures thereto.
It's a truism of American life-forms that they have great difficulty remembering that the U.S. is responsible for [these are quick guesses, not statistics!!] maybe 60% of the world's technological innovation, 30% of the world's GDP, and 5% of the world's population: 'world-view' means about the same as 'World Series'.
To be fair, several U.S. participants drew attention to this. The most telling was the questioner who expressed disappointment that the session on 'Comparative International Perspectives on Politically Controversial Speech' was actually 'Comparative American Perspectives on the Dangers of Politically Controversial Speech in Other Countries'.
It was notable that a non-American, Johan Helsengius, of Finland, was honoured at the EFF awards session. But the few non-Americans on panels were either U.S.-educated and coming back to their second home, or curiosities with odd views that didn't need to be taken too seriously.
The Proceedings of CFP continue to be provided, on arrival, in conventional hard-copy, and to be available, shortly after each session, in the form of audio-cassettes. I've no complaint at all about that!
With the exception of the papers in Michael Froomkin's session on 'Digital Money', however, none carried a URL. (And, as is commonly the case at CFP, many of the papers were short or extended abstracts, or off-prints of media articles). There is no commitment at this stage to an electronic set of conference proceedings. This is inadequate exploitation of the technology that CFP is meant to be knowledgeable about. I've offered my personal notes before, as a hot-link for the host web-pages, and hereby offer them again.
There is also no e-list. I find this remarkable, because, of all the communities on the net, surely CFP is aware of the marketing potential, for both the ideas and the event, of using the net as a conduit. CFP should either run an e-list, or nominate to delegates the most important lists and newsgroups that deal with each of the issues that are within the CFP scope. This could be an additional CFP web-page, and would represent a standing promotional channel for CFP.
The delegates, most of whom provided email addresses, would doubtless welcome an email relating to such matters, and would probably not object greatly to being auto-subscribed to a CFP list.
As always, I had things to complain about. And, as always, I came away intellectually refreshed, and with a bagfull of new ideas to apply to my work on electronic commerce, information infrastructure, and dataveillance and privacy.
Go to Roger's Home Page.
Go to the contents-page for this segment.
Send an email to Roger
Created: 13 March 1997
Last Amended: 17 March 1997
|These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).|
| The Australian National University|
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Pty Ltd, ACN: 002 360 456|
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916