Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Final version of 11 April 2000
© Xamax Consultancy Pty Ltd, 2000
This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP2K.html
Computers, Freedom and Privacy has run each year for the last decade, and attracts about 500 on-site delegates. The interest around the world is enormous, to the extent that my 1999 document, announced initially on a couple of lists with a few hundred members, was mentioned on many more lists, and attracted some 20,000 hits. This year's event justifies the same level of interest.
Most sessions at CFP feature multiple speakers, presenting very briefly on a fairly tightly defined topic, followed by interaction among panel-members, and active questioning from the floor. There is a small number of invited speakers, mostly during opening sessions, lunches and dinners; and there are several events that are held within the context of the conference.
These are personal notes prepared, on the fly, by a conference committee-member and participant, who has been long involved in privacy issues and in the community that is CFP. Because they reflect my own interests, and which sessions I attended, they vary from reasonably deep treatment of some topics to mere mention of others; and - be warned - there's a fair bit of me in this.
I also published my notes from my previous attendances in 1993, 1994, 1995, 1997 and 1999.
CFP starts with a day of Tutorials. This year, a new kind of event was run for the first time. A Workshop was held on the topic of 'Freedom and Privacy by Design'. It examined a couple of particular ways in which Internet infrastructure could be enhanced in order to be more privacy-protective. Notes on the outcomes are to be available from the conference site, and the discussion in intended to continue in electronic form.
CFP was opened by Conference Chair Lorrie Cranor the morning after the Canadian Parliament passed into law a privacy protection statute regulating the private sector. This directly addresses federally regulated sectors such as banking and telecommunications, but it also sets in train a process whereby all sectors will be covered in a few years' time.
Brief welcomes were offered by the Privacy Commissioners of Ontario (Ann Cavoukian) and of Canada (Bruce Phillips). This was the first occasion on which a CFP had been held outside the U.S.A., and hence it was also the first opportunity for the event to be launched by the local Privacy Commissioners. The sub-text was (with apologies to Scott McNeely):
Privacy-protection laws and privacy watchdogs are not only alive but they're even normal. America, get used to it.
The opening address was by Austin Hill, CEO of Montreal-based Zero Knowledge Systems (ZKS).
ZKS's Freedom product provides the user with multiple electronic identities, each of which they refer to as a 'nym'. For background to these ideas, see:
Freedom operates transparently alongside the user's normal applications (i.e. web-browser, email-client, news-reader, IRC-client and telnet-client). At present, it's available under Windows 95 and Windows 98 (so I'm not using it yet ...).
The Freedom product wraps outgoing Internet traffic in several layers of encryption, and sends it through a series of at least three ISPs that participate in what ZKS call 'the Freedom network'. Each server knows only which ISP the data came from and which ISP it went to, and not the previous or subsequent ISPs in the chain. Hence no single party knows the IP-address of both the source and the destination.
The product provides a couple of ancillary services, including separate 'cookie jars' for the cookies associated with each of the person's nyms; cookie-management capabilities; and scanning of outgoing text to assist in detecting possible breaches by a user of his or her own privacy (in particular, including their own name, personal email-address, phone-number, etc. in a communication that is being submitted via a nym).
ZKS has structured the product in such a manner that the company does not have personal information about its customers, and hence cannot be a privacy risk to them.
The speaker at the Conference Dinner was Neal Stephenson, author of cyberpunk sci-fi classics 'Snow Crash' (1992), 'The Diamond Age' (1994) and 'Cryptonomicon' (1999).
Neal Stephenson is intense, in the way he writes, and also in the way he looks, and the way he talks. His novels cover enormous geographical and intellectual space, and do so at a gallop that leaves his readers breathless. Fortunately, he didn't try to write a novel in front of his audience, nor do a novel-reading. Instead, he took the opportunity to run an argument and support it with some anecdotal evidence.
[Neal has given me some reactions to these notes, and I need to revise it accordingly!]
He used as a reference-point a section of an Arthur Conan Doyle story. In 'Copper Beeches' [?], Holmes opines that the pressure of public opinion [in a village] can impose more constraints on socially undesirable behaviour than law enforcement measures [in a city]. Switching to recent times, he argued that, during the Seattle anti-WTO demonstrations, the reason why there was so little actual harm done to people (on both sides of the riot-shields) was that all parties knew that every action was being observed, recorded and beamed, in many cases by multiple people and through multiple channels.
One of his concerns was that we've trapped ourselves into a single and non-adaptive 'threat model'. A threat model summarises what it is that a human or human society is scared of and spends its time preparing defences against.
Stephenson sees us (or maybe just us privacy advocates) as focussing on the Big Brother image to the virtual exclusion of everything else. He argued that we need to appreciate the notion of 'a domination system'. This derives from work by an American "Christian pacifist liberal" author by the name of Walter Wink. It refers to the day-to-day mechanics of subjugation experienced by the weak people within a society. The poor are subject to multiple powers (such as hospitals and families), each of which constitutes a network or web that the person has difficulty escaping from. Domination systems are built around some form of idolatory (by which Wink means the worship, whether nominal or real, of some artefact). The example that Stephenson used was the myth of a corporation's mission statement, when the real god is the enhancement of shareholder value.
Stephenson advocated the adoption of 'domination systems' as a threat model in replacement of the Big Brother image. He compared them as follows:
Big Brother Threat Model The Domination Systems Threat Model one threat many threats all-encompassing has edges personalised impersonal abstract concrete rare ubiquitous fictional empirical centralised networked 20th century 21st century irredeemable redeemable apocalyptic realistic
He provided an anecdote based on an employee's experience at the Hanford nuclear materials processing facility upriver from Portland, Oregon. The person managed to escape from the worst of the repression he was being subjected to, by finding the edge of the particular domination system, and playing off another power (the local police and justice system) against the U.S. Department of Energy and its special-purpose police.
In applying this model, Stephenson used a metaphor drawn from military strategy. You're in bad trouble if you're surrounded, and the smaller the island that you're trapped inside, the worse trouble you're in. So you need space and you need friends (or at least allies). You need to make sure you're not just in an enclave, but preferably in a city-sized zone, or some other larger area (physical or virtual). Switching the metaphor to the game of Go, this creates the possibility of at least finding the edge of the threatening domination system, and even of threatening to counter-attack and surround it.
Stephenson then picked up the theme that David Brin pursued in 'The Transparent Society'. Brin makes the (I believe, naive) assumption that ubiquitous video surveillance can somehow, magically, be applied equally by the non-powerful as well as the powerful. Stephenson's approach is similar, to the extent that he also argues for observation to be undertaken by everyone, such that countervailing power can be brought to bear by 'the good guys' against 'the bad guys'. His argument is not, however, for streams of video data to be monitored in real time. He suggests that the data be split, secured and stored, and only extracted and analysed retrospectively when justification is shown.
[As an aside, I was very surprised to discover that, although Stephenson was aware of John Brunner's 'The Shockwave Rider', he's never read it. The reason this is so surprising is that, from a literary critic's perspective, his style and even some of his settings have considerable similarities to Brunner's. That's a very positive comment, given that my family rates that as the quintessential book of the '70s, just as 'Neuromancer' was of the '80s, and 'Snowcrash' and 'Cryptonomicon' were of the '90s.]
[Background on the anti-utopian and cyberpunk genres, and their relevance to dataveillance and privacy are in Clarke (1993, 1999)]
The first panel session addressed the question of whether the administration of Domain Names under the new Internet Corporation for Assigned Names and Numbers (ICANN) regime is just a question of engineering management, or whether it is a policy-oriented organisation, and hence itself a political issue. The panel was chaired by law professor, Michael Froomkin, and featured two lawyers and two engineers, including an ICANN board-member participating by telephone-line from Spain.
People so often pretend that the Internet's architecture is entirely distributed and non-hierarchical. This isn't true. Some elements are centralised, and some are highly structured. Particularly important elements of this kind are the Internet Assigned Numbers Authority (IANA) registries, databases of standards documents that underpin the net, the hierarchy of IP-address registries, and the DNS.
A simple introduction to Internet architecture, using the metaphor of a postal service, is at Clarke (1998), and a semi-technical primer is at Clarke et al. (1998).
Those centralised and hierarchical elements of the Internet are capable of being captured by some powerful organisation (or perhaps even a not-so-powerful one). Community processes, increasingly economic processes, and in the near future political processes, are enormously dependent on the Internet. It is therefore vital that these central elements of Internet architecture be subject to carefully balanced democratic control, and appropriately protected.
The domain name system (DNS) is the world's largest distributed database. It converts the domain-names that people use to identify servers on the Internet (e.g. xamax.com.au) into the IP-addresses (e.g. 203.37.30.53) that are the real means whereby software on the net identifies the relevant software running on the relevant devices. Use of the DNS is fundamental to the net's operation, and generates a whopping 10-15% of all net traffic.
Until the late 1980s, the DNS was centralised; but since then it has been geographically dispersed. The scheme is hierarchical, however, with a master or 'root' server, and tiers of subsidiary servers scattered around the world in order to achieve efficiency and robustness.
A semi-technical primer on DNS is at Clarke et al. (1998).
The DNS root-server determines what top-level domains exist. These are currently restricted to the generic Top-Level Domains (gTLDs, such as .com and .org) and the country-code Top-Level Domains (ccTLDs, such as .au, .ca and .us). The operators of the DNS have (to date) not agreed to create any new high-level domains, and it is very difficult (although perhaps not impossible) for anyone else to do so.
My own company is an example of the problem. I own xamax.com.au; but I cannot get xamax.com, because it's owned by a removalist in Connecticut. There's only room for one business to have that domain-name, even though the laws of most countries allow many companies to use the same name, by applying qualifiers (e.g. Xamax Consultancy Pty Ltd, Xamax Removalists Ltd, XYZ Corp. Ltd trading as Xamax Aerosols, Xamax Hairdressing Salon).
It is highly desirable that the structure of the DNS reflect the structure of the real world. This requires that either it support multiple values or synonyms (e.g. each domain-name could have multiple qualifiers, each of which points to an IP-address) or multiple TLDs (e.g. .com, .co, .corp, .inc, ...; plus, as a correspondent from Utah suggested during the conference, .xxx for porn sites).
A serious problem arising from the limitation of domain-names is that it has created scarcity, which has in turn created value, which has attracted large corporations and opportunistic investors, who all have lawyers. As a result, the heavy hand (maybe that should be the 'dead hand') of trademark law has come to be applied to domain-names.
The intrusion of lawyers has been most unfortunate, given that the intent of the DNS was to be valuable engineering infrastructure, not a tool of commerce.
For years, the DNS was administered on a largely ad hoc basis. For very good historical reasons, the control was exercised almost exclusively by American engineers. The legal basis of the operation was always unclear, and control gradually drifted out of the hands of engineers and into the orbit of a for-profit corporation (NSI) that had originally been, nominally, a contractor, but which gained effective control over key elements of the operation. Being a for-profit corporation, it sought to leverage advantage from its control, and this represented a serious threat to the interests of the millions of users. These concerns were felt by Americans, and perhaps even more keenly by non-Americans.
The 'root' server is now operated on behalf of a not-for-profit organisation called the Internet Corporation for Assigned Names and Numbers (ICANN). This was kicked off as a creation of the U.S. government, but always with the intention of it quickly becoming neither a government organisation nor an exclusively American operation. During the year 2000, it is undergoing democratisation, with a number of Board-members being elected by a large body of constituents.
ICANN has been criticised by some (and was attacked by one panel-member, long-standing Internet engineer, Karl Auerbach) as being a complex operation set up with a great deal of effort, to perform a simple task. The basic work used to be performed essentially by a single person, and yet now there is a whole organisation doing it. In any case, DNS is an 'optional extra' in net-operations. It is capable of being replaced, or gone around. So why bureaucratise it?
Moreover, there is a risk that somebody, sometime might gain control of ICANN, and hence of the DNS. (To be fair, ICANN people have spent a great deal of effort trying to constitute the organisation so that this risk is minimised).
Another concern is that the process of bureaucratisation is likely to lead to ossification, by making change very difficult to achieve. But the DNS is an engineered artefact, and a foundation on which more complex engineered artefacts depend. It therefore needs to be dynamic, and capable of significant change over time (subject to forward compatibility to make sure that transitions from the current version to future versions are as easy and transparent as practicable).
It appears to be technically feasible for someone to do an 'end-run' around ICANN and the existing DNS. In principle, anyone could set up a new domain-name system, and create such new domains as they saw fit. The question would be whether anyone would use it, whether the relevant access tools (such as browsers and mail-senders) would be modified to enable the new DNS to be accessed in order to achieve the discovery of IP-addresses that correspond to the new domain-names, and how quickly the new tools would propagate around the net. If this modestly disruptive development is to be avoided, ICANN needs to provide more domain-names, and to do so quickly.
A further spectre is that ICANN's functions might be extended into additional areas, such as regulation of Internet content. That issue encapsulates the fear of some 'world government' someday exploiting, subverting or closing down the international information infrastructure.
The next session asked 'Does existing privacy law contemplate the capabilities of contemporary applications of information technology by the FBI and similar agencies?'.
Speakers outlined the nature of services that are being used by investigative agencies, law enforcement agencies and the courts. These were shown to move far beyond the capabilities that were once available. This has significantly changed the balance away from freedom and towards law enforcement. There has to date been very limited adaptation of legal protections to take account of these changes. Sustaining freedoms that were won long ago depends on that adaptation taking place.
A particularly interesting presentation was that by George Tomko, who addressed law enforcement applications of biometrics. He expressed serious concern about centralised databases of biometrics, and argued that privacy laws are a necessary, but not a sufficient, protection. Technical measures are needed too.
For background on biometrics, see Clarke (1994) and Tomko (1998).
The primary means whereby people will gain access to Internet services is broadband connections such as xDSL (the various forms of so-called Digital Subscriber Line, which runs over conventional twisted-pair copper cables), and cable. These tend to be permanent connections, and hence each personal workstation will tend to be consistently identified to the net, and in many cases will be specific to a person, or at least to a household. And because of the relatively high bandwidth, people will be using far more Internet services, and being much more dependent on them.
As a result of these developments, there are enormous threats to the security of people's personal devices, and of the data that is handled on those devices. There are many new privacy threats, and there are substantial increases in the seriousness of many existing privacy threats.
Speakers drew attention to the fact that little is being done about this in a technical sense, but that some technical defences are available, and more can be conceived; but that no momentum exists to ensure that security and privacy are appropriately protected by services providers.
Linked with this are the seriously inadequate standards of software product safety. Microsoft in particular, but software providers fairly generally, commonly deliver their products to market with defaults set to the least secure, most permissive options. As a result, personal devices are wide open to attacks of all kinds. If large corporate users are not prepared to force software providers to adopt responsible defaults, then class actions may be necessary.
The seriousness is exacerbated by the fact that existing privacy laws only address the threats of 1960s technology, not those of the highly sophisticated broadband present. In those countries that still do not have generally applicable privacy protection laws (among 'advanced western' nations, there are very few, but they include the U.S.A. and Australia), the discussions are still based around those same outdated frameworks. For an analysis of the specific inadequacies of those models, see Clarke (2000).
A panel chaired by political scientist and author Colin Bennett brought together Privacy Commissioners from four continents (Ontario, Germany, Hong Kong and Australia).
They first outlined their powers. The Australian Privacy Commissioner, Malcolm Crompton said that he regards his overall mission as being to promote an Australian culture that respects privacy. He stated that a Government Bill to provide technologically neutral private sector regulation is due for tabling. (An analysis of that Bill shows, however, that it is not a privacy protection instrument at all, but instead is designed to legitimise a vast array of privacy-invasive behaviour in the private sector, both existing and future. See Clarke 2000).
Although his Office conducts c. 20 investigations p.a., and handles c. 1,000 complaints p.a. (mostly involving a simple resolution process behind closed doors), he sees his most important role as being promotion and education. He is concerned to help the consumer be more clever, and to promote to the private sector that 'good privacy is good business'. He said he was pleased to be able to draw to the attention of Australian business that the American public fined DoubleClick $2 billion in one day, because that tends to capture their attention.
The Commissioners were asked to explain the processes involved in dealing with a specific scenario. The setting was that the government had just sent a confidential communication that it intended to announce the establishment of an id card in two weeks' time, that it sought a meeting with the Privacy Commissioner, and that it also requested the Commissioner's participation in the announcement.
The Hong Kong Commissioner was forthright about a government attempt to force a quick decision on a contentious matter (in his case, the question isn't just a hypothetical, but is actually a current issue). To him, a formal privacy impact assessment was a fundamental requirement. The Australian Commissioner appeared to be far less prepared to be confrontationist with the Government, to be very limited in the scope of the matters that he was prepared to consider, and to be concerned primarily with some controls over 'function creep'. Unlike the Hong Kong and Ontario Commissioners, he seemed to be prepared to appear on a platform with the relevant Ministers even with only a fortnight's notice.
A follow-on question related to whether and how the public would be involved by the Privacy Commissioner. The Australian Commissioner said he would work behind the scenes with the government, rather than becoming involved with the public, and would certainly not permit himself to be seen to be mobilising public sentiment. He mentioned the recent discussions he has co-ordinated concerning health privacy, where he believes that he has managed to get the agenda enhanced to include privacy as a more important factor. The other Commissioners were also careful about the extent to which they would inflame the government, but were far less timid about the use of the media and the public.
The other scenario related to international data flows. A whistleblower is concerned that his employer, a bank in Germany, is sending employees' personal data to other countries. He has requested that his identity not be disclosed to his employer.
It appears that handling the matter as an anonymous complaint would not be problematical in the circumstances in question, because it is a systemic matter, and no specific record is involved. For the Australian Commissioner, this is not within scope at present, and it may not be in scope even after the new Bill is passed (e.g. employee records are to be exempt anyway, and the Principles may well be phrased in such a way that the action concerned is in any case not an interference with privacy, or is a trivial matter merely requiring better communication by the employer to the employee in the first place). In addition, he would be concerned about resources, and would probably accord low priority to a request of this nature.
At every turn, the Australian Commissioner gave the answers that indicated the least activist position among the Commissioners on the dais.
I was the next in the queue, but time ran out. I wanted to ask the following:
Australian privacy advocates and public interest representatives have experienced a great deal of trouble gaining effective access to the Privacy Commissioner. Do you accord privacy advocates and public interest representatives the same standing as government officers and industry association executives? And what specific measures do you use in order to consult with your clientele, the public?
A panel chaired by law professor Pam Samuelson from Berkeley considered the strong push by corporations for even stronger legal protections for content and software. Speakers questioned the justification and advisability of doing this. One speaker suggested alternative business models that can be used to support the survival of organisations that traditionally supported themselves through the sale of materials protected by intellectual property law. There are more effective ways to incentivate innovation than increasing the scope for monopoly.
I was disappointed that too much of the time was spent on the basics. For a mature audience like this, the speakers could have offered less tutorial material, and instead to cut to the chase and provide more new information and penetrating comment on key issues. (Then again, I've done some work in this area and may have been a poor judge of what the audience already knew ...).
Background is in Clarke & Dempsey (1998). The negative impact on information access is examined in Clarke (1999). The scope for technology to be used to protect IP objects is examined in Clarke & Nees (2000).
Jessica Litman is a copyright lawyer. She is aghast at the successive victories the content industries have achieved in relation to the expansion of intellectual property laws and of constraints on public access to materials. The context was such battles as the MP3 and the current explosion in distributed storage of MP3 objects.
Litman's lunchtime presentation was entitled 'The Demonisation of Piracy'. She traced the justification of copyright from compensation for work performed, via the provision of incentive for the distribution of works, to the provision of copyright-owners with control over the use of their works. This rapid path of development has been associated with the dominance of economic over social objectives.
[I believe that her analysis dropped short on one important aspect. Lawyers for big business have managed to get away with a conventional, but highly inadequate, neo-classical economic analysis. If and when information economics is applied to the question of incentives for innovation in the information economy, it will become very clear that even the copyright laws of the 1980s was inappropriate, and that the expansions of the last decade are completely against the public interest. See Clarke & Dempsey (1998)].
Jessica argued that the success of the publishing interests in the courts arose because their lawyers managed to have the cases associated with a metaphor useful to their cause. The term for the kinds of behaviour that the corporations sought to repress was 'piracy'. The battle was initially fought against foreigners (especially Asians) who were unfairly appropriating the product of American ingenuity.
After xenophobia had won the day on that score, the issue was launched on home turf. Lawyers exploited the technical accident that mere access to content on a workstation involves making successive copies. People who were merely reading or playing content were able to be characterised as 'pirates'. The publishing industries used the opportunity, and successfully lobbied for criminalisation of the development and distribution of devices that were able to be used to break protections ('circumvention technologies'). They won that too, on the basis that people were 'pirates', or at least 'burglars', effectively breaking and entering.
[Even though she was in Canada at the time, Litman was speaking about the U.S. context, and didn't mention the use by the U.S. of the international forum of WIPO to impose the same measures on vassal economies like Canada and Australia ...].
Litman was pessimistic about Congress being able to be convinced to reverse these inappropriate laws. The courts can be approached to place constructions on the statutory expressions that achieve outcomes in the public interest. In doing so, it is important that the dominance of the 'piracy' metaphor be broken.
A more constructive approach would be to convince originators that they should align themselves with their publics and not the publishers. To achieve this, they must be shown how they can gain compensation for their efforts without having control over access to the objects. That depends on an appreciation of both what the current business models are and what alternatives are available or can be devised.
[During question time, it was apparent that the speaker had been too polite to mention the most likely solution to the problem. Widespread non-compliance cannot be effectively constrained, and will demonstrate the irrelevance and inappropriateness of the law. The technology shift is too big for intellectual property law to cope with. Many content publishing industries will contract significantly in the coming years, and those that don't will survive through the fairly butal exercise of market power, or will be dealing with highly compulsive content over which they have a monopoly].
[Footnote: A case in Western Australia during the 1980s made clear how unreasonable the 'piracy' metaphor really is. A software company successfully sued someone who had appropriated its product. In celebrating the victory, the proprietor referred to the respondent as a 'pirate'. The copyright infringer sued in defamation; and won].
A panel chaired by CDT lawyer Deirdre Mulligan considered a scenario in which advanced identification and authentication tools were abused. The questions focussed on how things might have gone wrong, considering both legal and technical aspects.
The problems arise from complexity, from naive public key infrastructure design, and from poor mapping between the world of human beings and that of digital technologies. Carl Ellison's accompanying paper addressed the specific issues of the scope of the name-space used, the assumptions inherent in the prevailing technologies building on the X.500/X.509v3 standards, and the risks involved in a single public key.
Conventional PKI is undermined by its inherent assumption that a digitally signed message can only have been signed by the person who it 'belongs with' and/or is assigned to. In practice, the contexts of use of devices that can affix digital signatures lack means to ensure that that person and only that person can initiate the action. Examples of the massive gaps that exist include the generation of key-pairs other than under the direct control of the person whose signature it is going to produce, insecure workstations, unattended workstations, and short PINs that are readily observed and memorised yet that are meant to protect and provide convenient access to long keys.
This inability of conventional PKI to assure all stakeholders that the signature is reliable gives rise to serious issues in several areas:
I slipped in a question/statement from the floor. Identification is really difficult. Authentication of identity is really, really difficult. Public key infrastructure, especially of the conventional variety, has massive problems. There will be very serious legal and practical difficulties in implementing it.
We should look for opportunities to dissolve problems wherever we can, and not just solve them. Such opportunities do exist. The first thing we need to appreciate is that authentication is not inextricably inter-linked with identity. Authentication is:
the process of establishing confidence in an assertion
We should focus on authentication of assertions other than that a particular piece of data is associated with or originated by a particular person. In particular, we should pursue the following:
[The privacy issues are identified in Greenleaf & Clarke (1997). The requirements of a privacy-sensitive PKI are listed in Clarke (1998). The current status in Australia is documented in Clarke (2000)].
A panel chaired by Canadian academic Jim Tam considered the varying approaches to privacy protection adopted by the diverse countries on the western rim of the Pacific. The panellists were:
Stephen highlighted the recency of the emergence of privacy as a social policy issue in Hong Kong. Yet it has reached the same level of importance as health services and environmental hygiene.
He offered the following rough classification of the countries' current approaches to privacy:
The Australia Card debate of the mid-1980s resulted in a Privacy Act (and no card). The Coalition Government promised privacy legislation for the private sector in 1996, then withdrew the promise, and subsequently reversed its position. She believes that the primary driver for the reversal was the furore over the Packer/Acxiom announcement that they were building a database about Australian consumers in the U.S. (See Clarke 1999). A further factor is the need to be seen to be satisfying the EU Directive. [My own interpretation is that the back-flip pre-dates the Acxiom issue, and that the biggest single factor has been the appreciation by industry associations that public confidence cannot be achieved without legislation].
The Bill is still pending. It seeks to establish a co-regulatory regime [I express that differently. It started out with a promise of being co-regulatory; but it has been utterly subverted, and rendered ever more complex, and is now a Bill to legitimise virtually all existing and future business practices]. The Bill embodies the Privacy Commissioner's Principles [although it has further garbled and further qualified them]. It is as yet unclear what the specific details of the sanctions are. It has some serious deficiencies, including outright exemptions (employment records and media), limited sanctions, and the possibility of Codes without sanctions. There are deficiencies also in public participation in the formation of privacy policy. On top of that, the Privacy Commissioner's funding has been progressively falling, and it is not clear that the additional funding to perform the additional functions will be anything like adequate.
Debate is due shortly. (Parliament resumes next week). The Senate is not controlled by the Government, and amendments are to be anticipated. The outcome could therefore be substantially different from the initial Bill. [The privacy advocacy movement may well call for the complete gutting of the Bill, or its defeat].
Recent political change has focussed attention on the privacy threats inherent in the application of information technology. Chinese culture has always had an emphasis on the skills of reading and interpreting people's behaviour.
He applied Hofstede's dimensions of cultural difference, viz.:
- risk (avoidance v. taking);
- 'gender' (masculine vs. feminism);
- time-horizon;
- individualism vs. collectivism.
Chinese culture is strongly collectivist. The term coined to correspond to 'privacy' is 'invisible self' (roughly, yin s). It has some negative connotations, because public (gong) is a good thing.
A data protection law was passed in 1995, along the lines of the OECD Guidelines; but it does not include the word privacy.
Recent privacy issues that have arisen have included:
There is a need for public awareness, and IT professional ethics need to be raised in relation to privacy.
The first question from the moderator asked the panellists about Nigel Waters' notion of the legislation in Hong Kong and New Zealand being the third wave of (the first being the European style of hard legislation, the second being American-style self-regulation, and the third being co-regulatory). Stephen Lau considered that it's all a question of attitude, and partnership is a positive way to do it. Kate Lundy was very concerned about the risk in some co-regulatory appriaches of corporate power resulting in inadequate sanctions, and the loss of parliamentary and even governmental oversight.
A further question related to data transfers from the public to the private sector. Kate was concerned about the effects of outsourcing on protections, which are merely subject to an advisory from the Privacy Commissioner that contracts should contain provisions carrying over the provisions to the provider; but the contracts are commercial-in-confidence. And anyway, privity of contract means that the approach reduces protections by precluding individual access. There are also possibilities of off-shore storage of personal data about Australians.
Privacy International's 1999 Survey of Privacy and Human Rights
For background to the situation in Australia, see Clarke (1998) and Clarke (1999). For an analysis of the emergent Bill in Australia, see Clarke (2000).
Whitfield Diffie was the co-inventor of public key cryptography. His declared motivation for that work was to enable security without dependence on other people. (In fact, he acknowledges, it succeeds in reducing that dependence, but it doesn't remove it). A theme of his presentation was that the deployment of a technology is a function not merely of invention and technical innovation, but also, quite vitally, of social systems that value the technology's features.
He briefly reviewed the succession of computing and networking technologies, from the perspective of the capacity that they embody to support the surveillance of the people using them. The following table summarises the phases of development.
Technology Time Surveillance Characteristics Mainframe 1960 fully centralised, closed system Time-Sharing 1965 fully-centralised, star network MiniComputers 1970 fully-centralised, but more of them, so less invasive Micros / 'PC' 1980 widely dispersed, unconnected, least invasive LAN 1985 PCs connected, scope for local control WAN 1990 PCs widely connected, scope for remote control Thin-Client/'NC'1995 Network-dependent PCS, inherently controlled New NCs 2000 Appliances with personal profile on a smart-card, enabling close control [Mobile NCs 2000 Mobile appliances, personalised, and with inherent location and tracking, e.g. GPS]
[He omitted the last line, which I think is very important. See Clarke 1999].
[Whit's focus was on the use of the surveillance potential by employers in relation to their employees; but this analysis is just as relevant to employer surveillance of contractors, and of corporate surveillance of anyone who is attracted into using the technology in a manner that makes data available to the corporation. That includes the employee at home, using company-subsidised infrastructure; and of course customers doing the same thing. And ISPs that provide such devices at cheap rates to their customers also have these surveillance capabilities available to them in relation to the public-at-large].
Whit speculated that contractual arrangements were in the process of undermining employee protections that have been embodied over the years in labour law. He referred back to the discussion the previous day about the need for society to ignore 'bad law', and 'bad technology' as well. He hoped that CFP'ers would be active in the search for mechanisms that counter the trends towards re-centralisation that he had identified in his paper.
Dan Gilmour from the San Jose Mercury wanted to know whether Whit had given a copy of his paper to his boss, Scott McNeely (Sun's CEO - he of the renowned and very silly statement 'Privacy is dead. Get over it').
I did not attend the following sessions (sorry: it's called exhaustion'):
CFP has always been a single plenary stream. On this occasion, two sessions were given over to five parallel panels. The topics were:
Here are the other speakers who were invited to provide plenary presentations.
The 2000 Orwell Awards organised once again by Privacy International (PI). This years awards were announced at the Conference. They went to:
PI also sends some positive signals, and gave Brandeis Awards to:
Each year, the Electronic Frontier Foundation (EFF) provides awards to individuals and organisations that have made significant contributions to the advancement of rights and responsibilities in the information society. This years awards were made to:
CFP is a hard-working conference. After dinner each night, clusters of people with common interests gather to swap notes in a semi-structured environment. There were about eight of these running at once, on topics as diverse as book-launches, net-activism, net-democracy, informediaries, and a current, highly repressive Bill in the U.K. that would criminalise measures by individuals to prevent their encryption and signature keys being acquired by law enforcement agencies.
Go to Roger's Home Page.
Go to the contents-page for this segment.
Created: 5 April 2000
Last Amended: 11 April 2000
These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content). |
The Australian National University Visiting Fellow, Faculty of Engineering and Information Technology, Information Sciences Building Room 211 | Xamax Consultancy
Pty Ltd, ACN: 002 360 456 78 Sidaway St Chapman ACT 2611 AUSTRALIA Tel: +61 2 6288 1472, 6288 6916 |