CFP'99
Personal Notes

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Revision of 13 April 1999

© Xamax Consultancy Pty Ltd, 1999

These are personal notes on the conference prepared (briskly!) by a conference committee-member and participant. An edited version is to appear in Privacy Law & Policy Reporter.

This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/CFP99Notes.html


Introduction

Computers, Freedom & Privacy, at http://www.cfp.org, is a dynamic community of people interested in and energised by the tensions generated by modern I.T. It's a crossroads meeting-place intended to complement the many meeting-spaces, and to address the many spaces (in the word's other sense of 'gaps'), between different interest groups.

The Conference is an intensive 3-day x 14-hours-per-day experience for 400-500 people, with a minimum of keynote speakers, brisk and focused plenary panel sessions with 5-10 minutes per speaker and 30 minutes of audience participation, and parallel birds-of-a-feather or working group sessions starting at 9:00 p.m. It's preceded by a day of Tutorials, and supplemented by as hectic a corridor meeting-place as any conference has ever achieved. (I guess it's only natural that people who spend so much time talking via computers have a lot to say to one another when they discover one another in meatspace. I had half-a-dozen greetings from people I'd never heard of who are avid users of my resource-pages, some of them with a lot more influence than I've got).

These are personal notes on the 1999 event by a repeat-delegate, programme-committee-member, and bit-player in one of the panels. The conference site is at http://www.cfp99.org. My own notes from my previous attendances are available for the 1993, 1994, 1995 and 1997 events.

I make no attempt at comprehensiveness, because the event is just too rich for anyone to fully appreciate. I make relatively few mentions of individuals' names, because there were scores of important contributions. See the programme for details.

Australia was represented by 4 people (all link list-members), plus an expatriate, and a Brit who spent important time in Australia. Apart from myself, the other three were Michael Baker, Irene Graham and Greg Taylor, all three EFA stalwarts; the expatriate was Jason Catlett (who runs the spam-killer site Junkbusters, out of New York); and the Pom was Simon Davies, Director of Privacy International. I'd never met Michael, Irene or Jason before, although I've probably exchanged a couple of hundred emails with them over the last 2-3 years ...


Theme

The main theme nominated for the 1999 event was 'The Global Internet'. A large proportion of the programme reflected that theme, and blessedly few sessions contained substantial slabs of U.S.-specific material. In addition, the sessions were less dominated by lawyers than is usually the case, and the First Amendment was mentioned far less often than in previous years.

The list of topic-areas defined to be inherent to CFP is:

The sessions of the 1999 event are outlined below under the following headings:

The Organising Committee have promised additional information on the conference site shortly, including links to news stories about CFP99, the daily conference reports (in PDF), RealAudio of conference sessions, Video clips, and the official CFP99 Conference Report.


GENERAL SESSIONS
Freedom and Privacy, and the Global Internet I (Tue pm)

Aryeh Neier of the Open Society Institute referred to Sarajevo and Chechnya as early examples of the Internet as a tool for sustaining information flows, both inwards and outwards from regions in turmoil; and to Kosovo and Indonesia as current instances. He highlighted the tension between the empowering and the threatening applications of information technology. His concerns focussed on the chilling effect on freedom rather than the moral concerns, i.e. the instrumentalist or political science justification rather than the psychological.

Sun's CEO Scott McNealy's memorable nonsense "There is no privacy. Get over it" came under predictable attack from Simon Davies. He argued that this casualness with other people's privacy represented a call for an approach more adversarial and confrontationist than before. Privacy advocates should 'out' privacy-invaders, and force them to confront their misdemeanours.

Justifications for law enforcement compromises to privacy have to be tested, and when tested they usually fail. Simon Davies said that when debating law enforcement agencies, he now resorts to calling them liars to their faces, because they never produce evidence of the risks that they assert. [Having gone through this same exercise recently in the context of the Privacy Commissioner's discussions about her so-called 'National Principles', I can confirm Simon's interpretation. Law enforcement agencies consider themselves above the need to justify their claims; they believe that incantation of the expression 'law and order' is enough].

Stephen Lau, the Data Protection Commissioner for Hong Kong, pointed out that until very recently there was no word in Chinese for privacy. The Hong Kong Data Protection law was passed during the dying phases of British administration in 1996, and derived from European origins. A compound Chinese word is now in use, built from 'self' and 'hide'. Stephen has issued guidelines relating to Internet privacy, for both consumers and ISPs. A sweep of web-sites has shown low compliance with requirements for privacy statements on locally hosted web-sites, and action is under way to address that problem. The decision has been taken not to regulate content. The intention is to apply consumer protection laws within the electronic context.

George Vradenburg of AOL asserted that self-regulation works, through mechanisms such as the Privacy Alliance and TRUSTe. He preferred to focus on freedoms, rather than on privacy and regulation. He referred to both Microsoft and AOL having been significantly impacted by a single voice documenting and attacking a privacy-abusive practice. He argued that market pressures are real, and that regulatory regimes of the past are not the only approach needed. He stressed that AOL, like any other corporation, is required to comply with the law of jurisdictions in which it operates. He raised the instance of prosecution of an AOL manager in Germany.

Barbara Simons, President of the increasingly policy-oriented U.S. Association for Computing Machinery (ACM) expressed concern that the washup of the Melissa virus incident may be a movement to expand surveillance and traceability of messages, and to suppress anonymity. [I suspect I may be re-joining ACM ...].

The European Directive can be read as requiring that subject access be permitted to a wide range of identified data-holdings, both computer-readable and otherwise. The question was raised of access by neo-Nazis to information held about them by anti-neo-Nazi organisations. Media commentators are also concerned about subject access to media organisations' files. AOL's Vradenburg agreed that there were significant potential impacts of the EU Directive's unqualified expression and the resulting tendency to establish an absolute right. Simon Davies disputed the suggestion of there being any absolutist expression in the EU Directive.

The 5-minute presentation format successfully avoided any one person dominating the agenda; but it also limited speakers who wished to structure an argument, and provided scope for a couple of speakers who wished to hide to fill their time with platitudes.


Electronic Frontier Foundation (EFF) Awards

A few awards are made by EFF at each year's CFP Conference. This year three names were added to what is now a very impressive list:


Keynote by Director of W3C, Tim Berners-Lee: 'The Web, Freedom and Privacy' (Thu am)

Tim spoke briefly on:

Generally, he said, there's currently a great deal of fluidity. Technology and policy people must continue to meet. Consumers need legal protection, especially in the default case. Minimalist standards are a basis for decentralised systems.

The common theme of questions (which I'd prevailed on him to leave time for, and which he was pleased to do) was the lack of public interest involvement in the work of W3C. (A couple of years ago, I was one of the first people who was not an employee of a member-organisation to be granted a userid/password pair for the large closed part of the site. There is now a modest number of such people, such as CDT's Deirdre Mulligan; and Tim has at least tacit, and probably formal, approval for what he terms 'invited experts'. The need right now is to establish a couple of beachheads at the organisational level as well. I spent some time urging a CPSR Director who is resident on the East Coast to negotiate that entree).

I tackled Tim after the session on the question of whether W3C should establish a standard for state-maintenance, to replace the flawed cookies design (which is a Netscape add-on adopted also by Microsoft, not a web standard). Tim didn't realise that the IETF Draft had expired in January this year, and that there is therefore no current proposal to define a suitable solution to state-maintenance. He said someone could propose that it be a work-item, and that at the very least W3C could mirror the now-lapsed draft; but someone (presumably meaning a paid-up member) would have to bring forward a proposal.

I'm at the extremities of my technical competence on this one, so if someone is prepared to do some work with me on this, perhaps we should do something about it. Otherwise all those dreadful net-marketers will be justified in saying that netizens haven't worked up the energy to get a better solution in place, so it can't be all that important to them, can it??


Self Regulation Reconsidered (Thu pm)

A panel considered the credibility or otherwise of self-regulatory approaches. My own position on this is unequivocal, and documented at Clarke (1999).

The highlight was a remarkable paper from a business-conservative organisation, the Cato Institute, written by someone called Solveig Singleton. This sought to define the public interest as being either irrelevant, or, alternatively, whatever business delivers to consumers. It appears that parliaments are an anachronism, and Adam Smith's invisible hand will look after us all. I didn't realise that there were people left with such simplistic worldviews as economically rational decision-makers, information symmetry, zero-cost transactions and frictionless markets ... Or perhaps the speaker doesn't actually believe the rubbish she presented, but does hope that the public is silly enough to believe it.

Other speakers argue that self-regulation can have back-end controls, by means of existing laws regarding misrepresentation. The key to this, they argue, is that what's essential is to ensure that all organisations communicate statements of their privacy policies to their clientele.

Now for the admission: I was in the cab on the way to the airport, so I couldn't actually attend this session ...


Freedom and Privacy and the Global Internet II (Thu pm)

Same problem there too. So if there was some grand outcome, I missed it ...


Non-Governmental Organisations (NGOs) (Tue am, pm)

Deborah Hurley (Director, Information Infrastructure Project, Kennedy School of Government) organised a meeting of NGOs that address public interest issues arising in relation to the information infrastructure. Examples include Electronic Frontiers Foundations in various countries, Computer Professionals for Social Responsibility, and Public Interest Advocacy centres. About 20 such organisations, including about 10 non-North American organisations, were represented.

The purposes of the meeting were to facilitate communications among such groups, and to ensure enhanced representation of public interest perspectives in international fora. The intention was to leverage off the success of a meeting organised by Deborah in conjunction with the OECD Ministerial Conference on Electronic Commerce, held in Ottawa in October 1998. This culminated in a jointly signed submission to the Ministers, available at http://www.gilc.org/speech/oecd/ngo-oecd-letter-1098.html. This proposed to the Ministers the establishment of a Public Interest Advisory Committee to the Ministers, to parallel existing Committees for 'Business Industry' and 'Trade Union' groups. Other international bodies such as WTO need to be targeted as well.

Contact with this emergent peak body can be achieved via the Global Internet Liberty Coalition (GILC) at http://www.gilc.org/. Because of the nature of the conference, some categories active in the October meeting were under-represented on this occasion, particularly consumer associations.


Other Working Groups

I did not participate in any of the following:


PRIVACY
The Creation of a Global Surveillance Network (Tue pm)

This session considered surveillance of electronic messaging (voice and other traffic on such networks as PSTN and GSM). These are generally exempt from domestic privacy and other laws, on the grounds that they are conducted by various countries' spy-agencies. It is far from clear that the purposes are restricted to the formal responsibilities of those agencies. It is clear that a proportion of the effort relates to industrial espionage, and likely that a proportion is relevant to the monitoring of individuals whose activities are not espionage.

Presentations from people from the United Kingdom, Austria, Russia and France, identified the available information about surveillance activities of:

A great deal of information was of the nature of informed speculation, because little or nothing is formally published, and governments routinely refuse to confirm or deny reports; but significant portions of the reports were based on hard information gleaned from official sources.

The argument was made by speakers that these schemes are being substantially undertaken by agencies, without any purview by the executives of nations, let alone parliaments; and they need to be brought back under democratic control.

The sole representative of surveillance agencies who accepted an invitation to participate was from the U.S. Department of Justice's Computer Crime Unit. He argued the need for surveillance, acknowledged the need for democratic control, but appeared to believe that that control existed, at least in respect of the U.S. scheme(s).


Anonymity and Identity in Cyberspace (Tue pm)

This panel comprised mainly technologists, plus a law enforcement officer and a business lobbyist. It was chaired by AT&T Research's Lorrie Faith Cranor.

Lance Cottrell of Anonymizer Inc. addressed the needs that his company perceives its customers to have. Anonymizer's normal orientation is towards commercial products, but the Kosovo crisis has affected that during the last 10 days. The reason is that people within Yugoslavia have been using the net to transmit information in clear. In some cases, that information may be prejudicial to their safety, because it may be, or be perceived to be, harmful to the interests of the Yugoslav government or people. Anonymizer, encouraged by EFF, have quickly flung together an anonymization service for the Kosovo crisis. This mechanism needed to be low-tech and could afford to be of relatively low-level security (because the Yugoslav government does not have significant decryption capability). Above all, it needed to be usable. (No information appeared to be available at this stage on the degree of usage).

Lucent's LPWA and AT&T Research's Crowds products were briefly overviewed by Mike Reiter. LPWA has similarities with Anonymizer, in that it provides a proxy, which ensures that the sender is not visible to the receiver. LPWA goes further, however, in that it provides a consistent set of capabilities across multiple protocols (email and web). Reiter drew attention to the risk of simple designs having a 'choke point'. It has a single point-of-failure that will destroy the service; and it is a pseudonymity service: the central site contains an index, which may be hackable, and is accessible by court order. Crowds overcomes this by enabling multiple multi-point paths.

Paul Syverson of the Naval Research Laboratory presented the Onion Routing project. It does not have a commercial business model, and costs very little to maintain. Onion routing utilises nested addressing to use a succession of participating nodes across the net, in order to establish an untraceable path. Some or all Internet protocols may be run through the scheme.
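
An added sketch of the nested ('onion') wrapping described above, not code from the Onion Routing project: each node holds one key, removes one layer, and learns only its two neighbours. The node names, the pre-shared per-node keys and the SHA-256-based stand-in cipher are assumptions made so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    # Separate encryption and authentication keys derived from the node key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _xor_stream(key, nonce, data):
    # Stand-in stream cipher (SHA-256 in counter mode) so the example needs only
    # the standard library. An assumption for illustration, not a vetted cipher.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Add one layer: encrypt, then authenticate, under a single node's key."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Remove one layer; raise ValueError if it was not sealed under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("layer too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer failed authentication")
    return _xor_stream(enc_key, nonce, ct)


def build_onion(route, destination, payload):
    """Wrap payload innermost-first. route is [(node_name, key), ...] in path order."""
    blob, next_hop = payload, destination
    for name, key in reversed(route):
        header = json.dumps({"next": next_hop}).encode()
        blob = seal(key, len(header).to_bytes(2, "big") + header + blob)
        next_hop = name
    return blob


def peel(key, blob):
    """What one node does: strip its layer, read the next hop, forward the rest."""
    plain = unseal(key, blob)
    header_len = int.from_bytes(plain[:2], "big")
    header = json.loads(plain[2:2 + header_len])
    return header["next"], plain[2 + header_len:]


def relay(route, destination, payload, sender="alice"):
    """Carry an onion along the route and record what each node could observe."""
    keys = dict(route)
    blob = build_onion(route, destination, payload)
    prev, hop, views = sender, route[0][0], []
    while hop in keys:
        next_hop, blob = peel(keys[hop], blob)
        views.append({"node": hop, "from": prev, "to": next_hop,
                      "sees_payload": payload in blob})
        prev, hop = hop, next_hop
    return blob, views


if __name__ == "__main__":
    # Constructed three-node route with random keys.
    demo_route = [(n, os.urandom(32)) for n in ("node1", "node2", "node3")]
    delivered, seen = relay(demo_route, "dest.example", b"constructed test message")
    for view in seen:
        print(view)
    print("delivered:", delivered)
```

Only the first node sees the sender and only the last sees the destination; the last node also sees the payload itself, so confidentiality of the content still depends on the payload being encrypted end-to-end.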

Austin Hill of Zero Knowledge Systems outlined his Freedom product. This is another privacy-enhancing technology that enables the origin of a message to be hidden, but persistence to be sustained not only across a session, but also over a long succession of episodes. Multiple pseudonyms may be acquired by a single person, which they can use to sustain independent personae, e.g. for different roles that they play. The design effectively precludes the personae from being related with one another, or with a person. Being Montreal-based, the cryptography used is strong. Freedom provides consistent, untraceable pseudonyms, and supports profiles for each pseudonym, and a warrant doesn't help. Hence it is fully anonymous, not pseudonymous. The technology is transparent to the user.

Austin's position is that accountability is not a function that the infrastructure should address. Each nym needs to establish its own credibility. One way is to establish a track record of reliability (performance-based reputation). Another approach is to use identity-escrow. This is a declaration deposited with, say, a law firm, which associates the nym with the underlying person.

Philip Reitinger, Legal Counsel for the Computer Crimes Unit of the Department of Justice, argued that it's hard to put pseudonyms in gaol. He acknowledged the value of anonymity in some circumstances, and the degree of [U.S.] constitutional protection that exists for anonymity. A problem is, however, that 'crimes from a distance' can be significant, e.g. extortion, fraud. Two key techniques for law-enforcement agencies are to establish the physical source or destination of a message ('traffic analysis'), and to analyse content of a message. These are readily defeated on the Internet, especially if the nature of the investigation requires that it be done in real-time. [There are, of course, some celebrated instances where it has been successfully performed (e.g. the arrest of Kevin Mitnick, and a few days before the conference, the arrest of the alleged perpetrator of the Melissa worm)].

Kaye Caldwell, Policy Director for CommerceNet, discussed the often-overlooked interest of local government being able to identify purchasers, in order to collect local and State taxes. The issue is the basis on which the tax is levied: the location of the buyer, the seller, or the sale. There are considerable privacy implications of any of these options, most particularly should the location of the buyer be selected.

Chair Lorrie Faith Cranor asked how these new forms of electronic anonymity compare with existing scope for anonymity in real-world transactions. By and large, they were argued by the services providers to deliver much the same capabilities as we already enjoy. Phil Reitinger felt that real-world anonymity was qualified, because of the existence of additional cues (e.g. people's memories of what the purchaser looked like): and these are absent in the electronic environment. The danger is that the primary use of untraceable electronic anonymity will be by people with criminal intent. Austin Hill argued that the electronic world creates new threats (such as databases of everything we ever said on newsgroups and e-lists - Deja News), and hence the level of anonymity available in the electronic world actually needs to be higher than that which has applied in the real world.

Paul Syverson was asked why his employer supported the work. One reason was that the military needs to be able to work covertly too. As do all law enforcement and national security agencies, added someone.

Mike Reiter provided examples of organisational interests in anonymous communications, such as avoiding their accesses to a patents database being detected; avoidance of traffic analysis making an organisation's intentions apparent; enablement of whistleblowing within an organisation; Microsoft email being subject to subpoena; headhunters who communicate with employees of other organisations; and overseas employees who need protection against local incursions into privacy.

In some jurisdictions, there appear to be some forms of right to anonymous political speech, subject to some forms of qualification (e.g. donors to political parties or causes).


Keynote by U.S. Federal Trade Commissioner Mozelle Thompson (Wed am)

The Federal Trade Commission (FTC) has been driving industry to place privacy statements on their web-sites. It continues to be concerned about the low percentage of sites that carry appropriate statements, and has commissioned a second-round survey from a team at Georgetown University. "Self-regulation is not no regulation", he said. It was difficult to see, however, in what way his assertion could be true.

This is an element in the silly game being played in the United States in an attempt to legitimise self-regulation, and avoid joining the rest of the world in providing a statutory framework for privacy protection in the private sector. The positive feature is that the FTC has actually threatened legislation should industry fail to perform. To be fair to the FTC, it may be that they will use sleight of speech to move the agenda from self-regulation to co-regulation. For my explanation as to why self-regulation is a non-option, and my specification of the elements of a co-regulatory scheme, see Clarke (1999).


Privacy and Profiling (Wed pm)

I arrived late, but understood Latanya Sweeney of Carnegie-Mellon University to be saying that there are challenges involved in drawing inferences using fuzzy logic, and a resulting tendency to seek more fine-grained data in order to support more accurate inferencing. [James Rule, who explained that tendency in his 1974 and 1980 books, was sitting alongside me ...]. During question time, Latanya reported on a matching she did between a de-identified database of Cambridge Mass. residents and the publicly purchasable electoral roll, which resulted in a very high level of matching (even on date of birth alone), in a population of 50,000 people.
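
The matching exercise described above can be turned into a check that a data custodian runs before release. This is an added example, not part of the original notes or of Sweeney's work; the records, field names and function names are constructed for illustration. It counts how many rows of a 'de-identified' table correspond to exactly one entry in a public register on the fields the two share, and finds how far date of birth has to be coarsened to bring that rate under a chosen limit.

```python
from collections import Counter

# Constructed sample data; no real people. RELEASED had names removed but kept
# date of birth, postcode and sex. Each REGISTER row stands for one named entry
# in a public list such as an electoral roll.
RELEASED = [
    {"dob": "1961-03-14", "zip": "02138", "sex": "F", "diagnosis": "asthma"},
    {"dob": "1961-07-02", "zip": "02138", "sex": "M", "diagnosis": "diabetes"},
    {"dob": "1975-11-30", "zip": "02139", "sex": "F", "diagnosis": "migraine"},
    {"dob": "1975-11-30", "zip": "02139", "sex": "M", "diagnosis": "fracture"},
    {"dob": "1982-01-09", "zip": "02140", "sex": "F", "diagnosis": "asthma"},
    {"dob": "1990-05-21", "zip": "02141", "sex": "M", "diagnosis": "allergy"},
]
REGISTER = [
    {"dob": "1961-03-14", "zip": "02138", "sex": "F"},
    {"dob": "1961-07-02", "zip": "02138", "sex": "M"},
    {"dob": "1975-11-30", "zip": "02139", "sex": "F"},
    {"dob": "1975-11-30", "zip": "02139", "sex": "M"},
    {"dob": "1982-01-09", "zip": "02140", "sex": "F"},
    {"dob": "1990-05-21", "zip": "02141", "sex": "M"},
    {"dob": "1961-09-23", "zip": "02138", "sex": "F"},
    {"dob": "1982-06-17", "zip": "02140", "sex": "F"},
    {"dob": "1990-12-02", "zip": "02141", "sex": "M"},
    {"dob": "1975-02-08", "zip": "02139", "sex": "M"},
]

# Ways of coarsening date of birth, from most to least precise.
DOB_LEVELS = {
    "exact": lambda dob: dob,
    "month": lambda dob: dob[:7],
    "year": lambda dob: dob[:4],
}


def link_key(row, quasi_ids, dob_level):
    """The tuple of shared fields on which two tables could be joined."""
    coarsen = DOB_LEVELS[dob_level]
    return tuple(coarsen(row[q]) if q == "dob" else row[q] for q in quasi_ids)


def uniquely_linkable(released, register, quasi_ids, dob_level="exact"):
    """Count released rows whose key matches exactly one register entry."""
    population = Counter(link_key(r, quasi_ids, dob_level) for r in register)
    return sum(1 for r in released
               if population[link_key(r, quasi_ids, dob_level)] == 1)


def least_coarse_level(released, register, quasi_ids, max_rate):
    """First date-of-birth precision whose unique-link rate is within max_rate.

    Returns None when even year-only birth dates leave too many rows exposed,
    which means a field has to be dropped rather than coarsened.
    """
    for level in ("exact", "month", "year"):
        rate = uniquely_linkable(released, register, quasi_ids, level) / len(released)
        if rate <= max_rate:
            return level
    return None


if __name__ == "__main__":
    for fields in (["dob"], ["dob", "sex"]):
        for level in DOB_LEVELS:
            n = uniquely_linkable(RELEASED, REGISTER, fields, level)
            print(f"{fields} at {level} precision: {n}/{len(RELEASED)} rows unique")
    print("precision needed for <=50% on dob+sex:",
          least_coarse_level(RELEASED, REGISTER, ["dob", "sex"], 0.5))
```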

Andrew Braunberg of Data Mining News described data mining as comprising the steps of consolidating data sourced from multiple systems, scrubbing it, and searching for patterns, e.g. of customer behaviour, fraudulent behaviour (e.g. telecommunications fraud), risk management generally (e.g. in relation to credit, portfolio investment, and automotive insurance), and product affinities (the longstanding beer/diapers anecdote).

[Where identified data is involved, such activities are fundamentally in breach of 'purpose of collection' constraints inherent in Fair Information Practices Principles and l-a-w law. But we wouldn't let a little thing like that get in the way, now would we?!].

Steve Lucas, ex of Excite, spoke about profiling usage in the Internet industry, particularly in search-engine sites / portals. 'Advertorial content' (pseudo-content that is actually just an ad) and on-line advertising don't need identity as long as they have the person's profile, and many of them are in practical terms anonymous. Some decisions result in some categories of advert not being sent to individuals evidencing particular profiles. There is little disclosure of practices. Secondary use is in many cases the most problematic aspect.

Steve Kroll, U.S. Department of Treasury's Financial Crimes Enforcement Network (FinCEN), the U.S. organisation that spawned Australia's Austrac, spoke about use of profiling in his agency's work. Generally, he suggests that there are two distinct senses of the term 'profile':

[Again, this is not new news, although it seemed to be for a lot of newbies in the audience. See Clarke (1993)].

But he assured the audience that his agency's usage is far less sophisticated than Procter and Gamble's, which could send him diapers the same day as his child was born.

A legal academic, Walter Effross, argued that most people know that their transactions in air travel, and on state highways, and with cell-phones and credit-cards, are subject to monitoring and analysis. The interesting question, he thinks, is the extent to which an abstract profile can in practice be applied to databases to detect extreme instances, such as a kidnapper holding a child (and therefore needing to buy supplies he wouldn't normally buy). What powers do law enforcement agencies have in that regard? What about a generalisation of the (successful) Melissa virus investigation? [I think that was one of the more twittish suggestions made at the conference. The false positives arising from such a ham-fisted analysis would be both large and very dangerous. I hope it was a 'straw man' argument!].

Mark Budnitz of Georgia State University College of Law expressed scepticism about seals as a guarantor of privacy practices, and used as evidence the fact that the recent Microsoft breach of consumer expectations was not a breach of the contract with TRUSTe. He argued that the standards are set by industry, not consumers; and they are not independently audited; and they are not enforced. Moreover, some commercial profiling is taking advantage of government data (e.g. photos), and secondary use of data is a major concern.

A foreign national expressed concern about the lack of privacy in relation to financial transactions that trigger FinCEN thresholds, such as their use in visa decisions, coupled with the absence of due process in relation to visa decisions.

Chair Jason Catlett (who provided a session-framing paper) pointed out that the application of the EU Directive in the U.S. would force companies to make publicly available the criteria used in automated decision-making, including, for example, the use of zipcode/postcode as a discriminator in prices and service-levels.


Privacy International Big Brother Awards

Privacy International's Simon Davies and Dave Banisar initiated a set of awards several years ago, which are usually announced at an annual London Conference. This was the first such set offered on the other side of the Atlantic. The highlight was a Microsoft employee who actually accepted the open invitation to give a brief speech in acceptance of the award. I think he regretted the decision.


Speech by Associate Director of UNESCO, Henrikas Yushkiavishus (Wed dinner)

It was great that a Lithuanian with long experience in broadcasting under the Communist regime, who is obviously revelling in the post-1989 freedoms, could present to the delegates. The ad lib comments in the lead-in were just right for the occasion, but the full paper was too heavy and too long for 8:30 at night.


Point - Counterpoint - Are There Limits to Privacy (Thu am)

I missed this session. I have the impression that author Amitai Etzioni is a well-respected thinker (and is certainly a pleasant person). But he's come rather late to privacy, and hence seems to be re-discovering some things that are pretty well-known.


Judging Privacy: What Is the Verdict? (Thu pm)

Billed as a 'mock trial', this panel involved privacy watchdog agencies from four countries outlining their privacy protection regimes, and being subjected to cross-examination from privacy specialists. UK Commissioner, Elizabeth France, provided a paper. So did judge Colin Bennett (co-authored with two others, including Australia's own Nigel Waters). The questions varied from interesting to a bit heavy. The Commissioners coped much better than I feared they might, reflecting the fact that there is now a considerable amount of experience around the world.

There are watchdog agencies in most civilised countries, and most of them have power of some consequence. As I've argued at places like Clarke (1999), however, there are serious inadequacies in the Fair Information Practices model on which their activities are based. Technological developments, and deft work by governments and industry sectors alike, have the effect of progressively increasing privacy-invasions, and undermining privacy-protections.

I was one of the privacy specialists on the panel, and my two questions were:

Scenario 1 (EYES): There's a new strategic partnership of companies offering financial services of all kinds. They include a telco, a cable-TV company, an Australian media and entertainment mogul, some direct marketers, some of the remaining portals (purchased very cheaply ...), some Harvard business professors, and, as point-man on privacy, an ex-Professor from Columbia University. The brand-name is 'Everything You've Ever Sought' (EYES).

Under the privacy-protection regime in your country, what requirements are placed on EYES? For example, do they need to let the public know what they're up to? Do they need to justify the privacy-invasive aspects of their schemes? Do they need to consult with the public, or perhaps even enable participation by public interest representatives in the design of the schemes? What can public interest advocates do about it? What can you, the privacy tsar, do about it?

Scenario 2 (STASI): There's been a government announcement to the effect that all benefits programmes are to be consolidated into a single agency, and the agency that's been selected is the Taxation Office (using the justification that pensions are just negative taxation). The cost/benefit analysis, all 1 page of it, makes totally clear that trillions of dollars will be saved, youth suicide will fall, the drug problem will be overcome, no child will live in poverty, and apple pie will taste better. The declared purpose of the new agency is "to administer the relationship between citizens and their government", and the agency's name is the State Taxation And Security Institute (STASI).

What constraints (if any) does your country's privacy protection regime place on the merger of the agencies, and the resulting consolidation of their databases?

The Commissioners found a couple of angles, but struggled a bit ...

A report arising from the panel was published in CNet News.


FREEDOM

CAVEAT
Any of Michael Baker, Irene Graham and Greg Taylor could do a much better job of this segment than I can! I know, 'cos Irene told me so (:-)}


Free Speech and Cyber-Censorship I (Tue pm)

This panel was concerned with the COPA (the U.S. Children's Online Protection Act), popularly referred to as CDA II, which has been struck down at the first level of the courts, on constitutional grounds, much as CDA (the Communications Decency Act) itself was. The Attorney-General is appealing the decision, however, so yet more precious public advocacy resources will be burnt up ensuring it loses in the Appeals Court and the Supreme Court as well. [Am I being unduly cynical in wondering if that might be the intention? After all, if those pesky public interest advocates are tied up doing something harmless, they're not causing trouble somewhere else].


Keynote by U.S. Congressman Ed Markey (Electronic Bill of Rights Act) (Wed am)

Congressman (member of the U.S. House of Reps.) Ed Markey is a favourite among the Internet community because he is in tune with netizen sentiments in relation to such issues as cryptography policy, application of censorship law, and Wintel identification architecture. While enthused about privacy-enhancing technologies such as P3P, he actively supports statutory intervention to ensure privacy protection in the private sector. In March 1999, he introduced a private member's Bill in the House to address medical privacy, and he promised more to come shortly.

With regard to self-regulatory measures such as TRUSTe-'certified' privacy statements, he queried the value of privacy statements that are difficult to find, difficult to read, and/or difficult to understand. More fundamentally, he likened a privacy statement to a note left by a burglar explaining what he will and will not do with the goods he has stolen.

A report arising from Markey's address was published in CNet News.


Copyright on the Line: Blame it on Rio? Or Title 17? (Wed am)

This is a particular context in which the tensions between interests of freedom of information and protection of information are especially severe. [The Rio is the inexpensive MP3 player. MP3 is a compression technique which, although technically 'lossy', delivers CD-quality music in a sufficiently condensed form that singles and even LPs can be downloaded, even with current bandwidths on the net. Title 17 is the U.S. Copyright Act].

The Chair, Jonathan Zittrain from the Berkman Center for Internet Law & Society, raised once again the scope for behaviour to be affected by 'code' (Larry Lessig's mistaken term for 'architecture') as well as by formal law and regulations. He drew attention to the following elements of the debate:

The speakers were asked to speak briefly to their best dreams and worst nightmares about the music industry future in the new context set by MP3 and other technologies.

Michael Robertson of mp3.com argued that digital music distribution is compelling and inevitable, and is, what's more, a test-case for other media-forms in the future. His brief points were:

Scott Moskowitz, whose corporate persona is Blue Spike, is the originator of digital watermarking for audio. He was much more subdued in front of several hundred people than he was one-on-one after a few beers ... The trend for musicians is from being packaged media-businesses treated as objects by powerful publishing companies towards being themselves powerful publishing companies. (He'd made far more complicated claims on the bus the previous night).

Henry Cross, an artist/producer working under his own Tribal Pop brandname, said he was appalled by the music industry's heavy-handed attempts to crush MP3 technology. This technology gives artists direct access to the market. It seriously scares the large corporations that presently control the distribution, and hence the selection of materials, that reaches the public. The Internet in general, and MP3 in particular, is a great force for freedom. He also expressed serious concern about the use of legislation to protect the powerful.

Carol Risher of the American Association of Publishers pursued the conventional line with vigour, using the piracy word, and invoking the old myth about invention (as distinct from innovation) being nurtured by tight protection a la the Statute of Anne. She asserted the conventional defence that there was a large amount of value added by specialists in the value-chain, especially in marketing, even in the online environment. She signally failed to address the key question about whether the industry value-chain could be greatly trimmed, and could provide a larger proportion of the revenue-stream to the originator.

Carey Sherman, General Counsel for the Recording Industry Association of America (RIAA), says record companies have no problem with 'MP3'. But it's become synonymous with 'MP3 piracy'. He agrees that 'niche artists' can use it effectively. He just doesn't want it done in a way that fails to distinguish the illegal from the legal. So the technology shouldn't be permitted to become standard if it undermines the conventional industry. If that occurs, the artists won't earn an income from their work.

He referred to the SDMI initiative, which is an attempt to produce a standard that will have the (to RIAA) desirable characteristics, and oust MP3. It's intended to include micro-payments. He asserted that SDMI is a consensual process (although it appears to be an entirely major-player club). Michael pointed out the artists are excluded from the process, and are being 'looked after' by the major record companies. Moreover, the pre-decision is that SDMI will not support MP3, and hence artist choice is not supported.

Sherman signally failed to consider whether the technology-genie was out of the bottle. He was confusing about whether alternative business models were possible under the threat of MP3. The worst nightmare is the Internet being taken over by piracy, because "it ain't possible to compete with gratis copies of your own work". (But then he failed to work out what the implications of that statement were).

The Chair asked Henry his reaction to the proposition that optional licensing information could be contained in the header of the file. Henry did have a problem with it, because he regards it as intrusive and unnecessary; and he objects to remaining stuck in the old frameworks when there's a new technology. The old paternalism is no longer tenable.

The Chair asked Carey whether he opposed the survival of fair use. He answered that if technology can support it, they're all for it (but, by implication, if it can't, then it will have to be let go). Carol deflected the discussion onto the first sale doctrine, but I couldn't quite get the point. She argued that copyright protects against distortion as well as providing the scope to earn money.

There were questions from the audience as to what is the impact of downloads, and is there any empirical evidence of losses? Carey acknowledged that there is potential for promotion; but the record company, I mean the artist, should be able to choose. Carol said that when enforcement of photocopying payments on printers and libraries was achieved, there was a $40 million increase in revenues. [In the U.S. economy, when compared with, say, tips paid in restaurants, that looked to me like it paled into insignificance].

Another question from the floor was 'will open-source licensing be precluded by an RIAA scheme'? Carey said that SDMI would be a voluntary-compliance scheme. [But of course that's nonsense, because the stated intention is to oust MP3, and that can only occur if SDMI is exclusive]. Michael disagreed with Carey (again), arguing that the closed nature of SDMI would inevitably preclude open-source. Henry still can't see the relevance of the record-company in the chain. Carey sees promotion as the expensive part of the chain, and that's invested in by the record-companies. Scott agreed that the three rules of the music industry are "recognition, recognition, recognition", but said that any channel to audience will do. Digital watermarks will benefit both labels and artists in informing them how their materials came to turn up where they did.

Wired News published Declan McCullagh's report on the panel.


Chemical Databases on the Internet: Risk to Public Safety or Government Accountability? (Wed pm)

This panel, I understand, discussed a specific instance of public access to information, in this case concerned with government reports identifying the locations at which chemicals of various kinds are stored, or which chemical residues of various kinds affect. The tension is between people's right to know that they're living alongside a potential Bhopal (the Union Carbide factory in India that poisoned a region), or building their house on contaminated land, on the one hand; and the risk of providing possible terrorists or extortionists with useful information, on the other.


Free Speech and Cyber-Censorship II (Wed pm)

Under the influence of prolonged jet-lag, including 4 successive nights in which I'd had 3 hours' sleep, I missed this. I have no doubt that Irene Graham, Greg Taylor and/or Michael Baker would be pleased to fill you in.


Keynote by Vint Cerf, President of the Internet Society (Wed dinner)

Vint gave a disappointingly high-school-student rendition of how great the Internet will continue to be, provided that we do everything right from now on. Fortunately the questions, and his interaction with the questioners, led to some much more relevant and interesting material.


Access and Equity and the Global Internet (Thu am)

I had to skip most of this, which was a pity, because it's a topic I'm interested in. Fortunately, it was the sole panel for which every single speaker provided a paper. See the Program page, two-thirds of the way down.


Is Escrow Dead? And What is Wassenaar? (Thu am)

The presentation by Michael Baker (co-author Greg Taylor, both link list-members and EFA stalwarts) was quite valuable. But the position it depicted is most unsatisfactory, and convinced me that I do indeed need to be less complimentary about Australian national security agencies behaving better than their U.S. counterparts. The German Government's position was also of interest, and Bruce Schneier's '1998 in review' was valuable.


Some Vague Conclusions

A couple of concerns were:

On the 'plus' side, this was easily the most international of all of the nine CFPs to date. That was a tribute to Chair Marc Rotenberg's strategy and his and others' efforts to identify, attract, and arrange some travel support for non-governmental organisation representatives from a dozen countries. It was also not dominated by any one of the sub-communities (such as lawyers).

In my Notes on the 1997 Conference, I asked "Why Isn't CFP a Virtual Community?". For 1999, many of the papers were hot-linked to the appropriate part of the programme, in advance of the conference. Summaries of each session were provided in print the following morning; but they're not on the web-site; or at least they weren't by the time I'd flown back from the U.S., rough-edited these notes, and published them. Moreover, there's still no e-list to support persistence of the CFP community (even though the program committee list was very active during the process of getting the sessions together).

As always, I had things to complain about. And, as always, I came away intellectually refreshed, and with some of my current ideas clarified (this year primarily in the anonymity/pseudonymity area).


CFP2K

Chair for the event next year is Lorrie Faith Cranor, who would be pleased to receive suggestions of all kinds.


Created: 3 April 1999

Last Amended: 15 April 1999


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).