Privacy, censorship, and freedom
Privacy issues in public policy — commercial data privacy, government repression, internet censorship, national ID cards, RFID issues of various kinds, data retention, etc.
Fighting internet censorship
As I’ve written previously, fighting web and other internet censorship is getting urgent. Amnesty International* has started a project at irrepressible.info, to take censored web content and spread it around as many different web sites as possible. In principle, this is a great idea, and I’m participating, which is why you will shortly be able to see ugly yellow/green boxes with random article snippets on most of my blog pages.
Edit: When I redesigned my blogs, I gave up on irrepressible.info. I plan to explain why in another post.
What does worry me is the technology. Simply put, it would be very easy for the Chinese to filter out any web pages with that content, both the “framing content” (e.g., the Amnesty International and irrepressible.info links) and the news content itself. Thus, I see the program in its current form as just a transition measure, to buy time until a more sophisticated approach is devloped.
The US government wants web surfing to be 100% trackable
According to The Register (which on this matter I find credible), the US department of justice wants to be able to track all web surfing. The reason — possibly even sincere — is to fight kiddie porn.
But many other possible uses of that data come to mind. I say again:
We need to strengthen our legal defenses against government (and private sector) use of data. Opposing the collection of data is a worthy tactic, but will only delay the inevitable. The ultimate solution has to be one that works even assuming near-infinite data collection and integration.
Technorati Tags: privacy, pornography, data retention
| Categories: Online and mobile services, Privacy, censorship, and freedom, Public policy and privacy | Leave a Comment |
Flash drives and security — a modest proposal
I’ve argued that Flash-based “diskless” PCs would offer major improvements in security. On the other hand, evidence from US military installations in the Middle East suggests than Flash drives are actually a major security hole.
Can these views be reconciled? I think so. The answer, simply, is that Flash drives need embedded RFID chips (or some substitute technology) so that their movements can be detected and controlled.
“But wait!”, you cry. “Doesn’t that mean anybody who legitimately carries a secure Flash drive around can have her movements nefariously tracked?” Well yes, it does, but that genie is out of the bottle anyway. We just have to deal with it on another level.
Technorati Tags: Flash, security, privacy, RFID
| Categories: Diskless PCs, Hardware, Privacy, censorship, and freedom, Public policy and privacy, Security and anti-spam | Leave a Comment |
How to beat Chinese Censorship — Operation Peking Duck
I argued in a previous post that, as individuals and webpage publishers in the West, we have the solution to Chinese censorship in our own hands. While I can’t have been the first person to think of this, a quick search isn’t turning up other references to the idea. So here is the outline of what I’ll call “Operation Peking Duck.”
(The name comes from my favorite Chinese dish, which unlike other most Chinese dishes is made by wrapping several disparate things up in the same tortilla-like flatbread. It’s also a bit of wordplay on “peek” and/or “duck.”)
The problem is not that Chinese residents are cut off from most outside information. Rather, they’re cut off from information on selected topics, commonly associated with keywords such as “democracy,” “Taiwan,” “Tibet,” etc. Thus, things would be much improved if a fairly limited and slowly-growing set of documents were freely available in China, presenting news about and balanced views of these subjects. 10 gigabytes of reference plus a 1 gigabyte/year of new material doesn’t sound like a lot, but if it were text-only that would actually be a great deal of material to start with. Even a much smaller amount would be highly worthwhile.
The plan (and this is just an idea, but I’m confident that the technological parts are straightforward) would be this:
1. For coordination, there would be a central repository of material to get to the Chinese people. It should be kept somewhere that is pretty well secured against denial-of-service attacks and the like, since the Chinese can play hardball.
2. Ideally, material would be donated by news services and the like. Otherwise, it would have to be written by volunteers.
3. Large numbers of volunteers would each embed some of the material in web pages, at least those being served to Chinese IP addresses. It would be cloaked in a way that makes it hard to filter.
Obviously, any site serving this material is a prime candidate for winding up on a Chinese blocklist. So to make all this work, there are four hurdles to overcome:
- Technically, defeat censorware filters. This should be almost straightforward. The general idea is to encode the text in a way that in can be decoded by a VERY simple browser plug-in, and rely on the Chinese to write and circulate such plug-ins themselves. The simpler it is, the harder it would actually be for antivirus and other filtering software to stop the internal distribution of such plug-ins. Directly delivering the plug-in is of course a bit more problematic, because it’s easier for the “antivirus” software to target. I would be very interested in any discussion of the best implementation strategies for this part of the plan.
- Technically, defeat the blocklist. Unfortunately, while it should be possible to keep the Chinese government from filtering out the “offending” additions to webpages, they probably can create a unreliable filter (i.e., one with too many false positives) that flags a high fraction of all Peking Duck pages served for manual review. So they’ll get onto a blocklist fast. Thus, they need to be disposable pages. That aspect is easy, many minor sites now have 500,000 pages plus via the magic of automatic page generation. What’s more, they need to be on domains that China can’t afford to block in their entirety.
- Socially, get enough participants, especially participants of the right kinds. So a necessary condition for the success of Operation Peking Duck would be, it seems, significant participation from sites that China can’t afford to block. The list of such sites probably starts and ends with major universities. The good news is that universities are (at least in theory) committed to intellectual freedom, and to not being intimidated by retaliation for the expression of intellectual ideas. On the bad news side, they generally have a ton of static URLs, but not many dynamic ones. So getting around the blocklist would be a nontrivial effort for them. Whoops; this is an area in which some work needs to be done.
- Socially, get enough content. Whatever the obstacles here, this is not a dealbreaker. Why? Because even a little bit would be hugely beneficial. Indeed, a small amount would actually be easier to circulate (or at least circulate pointers to) in-country.
At this point Operation Peking Duck is just a personal brainstorm of mine. So before I get serious about trying to promote it — does anybody have thoughts about its feasibility? Specific ideas? Links to sites where these ideas have already been exhaustively discussed?
If so — thank you!!
NSA at AT&T: Universal monitoring apparently confirmed
An AT&T engineer has stepped forward, accusing the NSA of monitoring all AT&T internet traffic. EFF is suing the Feds accordingly.
Maybe this should be going on and maybe it shouldn’t, but one thing seems obvious to me — if it is going on, there should at least be a heckuva lot more transparency and disclosure.
Goodmail, Esther Dyson, Andrew Orlowski, etc.
Esther Dyson weighed in in the New York Times on Goodmail-like services. Andrew Orlowski of The Register responded with his usual clueless misogyny.
Orlowski doesn’t just gratuitously bash Esther; whenever possible, he goes after Ann Winblad too. One hilariously stupid instance is this one, in which he fabricated a marriage between Ann and her business partner John Hummer. Hmm, Mitchell Kertzman is there now too. My mind is reeling at the possible menage’-a-trois possibilities …
Esther’s opinion, which I first heard her express almost 20 years ago, is this: Senders should pay readers for the time they spend in looking at email. And you know what? She’s right. Advertisers in broadcast, web, and print media pay us for our attention, by subsidizing the content we consume. So do event sponsors. Almost everything you read or hear about the technology industry is subsidized in one way or another by somebody who would like to sell something. (E.g., if you’re reading this free blog, I may be interested in selling you consulting services.)
Now to Orlowski’s response. Most of it was the kind of ad hominem trash he loves to dish out, especially but not exclusively about smart women such as Esther Dyson and Ann Winblad. Besides that, the main substance I found was “Think of the poor people who can’t afford to pay to send email?!” Well, Andrew — who are they writing to? Whoever it is, those recipients do NOT have to charge them for sending mail, whether that recipient is their mother, their electric company, or you. If you want to open your mailbox to, say, everything that comes in from the poor country of Nigeria, there’s nothing stopping you. (And you can still apply spam filters if you like.) Personally, I find that I get email from the occasional Third-World businessman or professor, but no starving Guatemalan peasant has ever found the time or motivation to send me a personal letter.
So what would my fees be? Without thinking it over at great length, they might be something like this:
Free — friends, acquaintances, family, return mail from tech support, etc.
Free — some news mailing lists
$.01 — other commercial mailing lists, if I opted in
$.25 — unsoliticited email from commercial vendors I have relationships with
$.50 — everybody else
I imagine the cost to senders would be roughly double the prices quoted above, which is OK.
One beauty of this system is that it would immediately turn spam into a matter of pure financial theft. I.e., you wouldn’t be able to spam unless you got somebody else to pay the email delivery charges, presumably by hijacking their computer and/or identity. Most users would have safeguards in place that made them go through security hoops if they wanted to send true spammishly large volumes of mail. And just as online theft isn’t really that big a problem today, this new form of online theft would probably also be a much smaller problem than spam now is.
Implementation of course isn’t easy. The trickiest part would probably be assigning prices to different senders, then adjusting the prices for different senders, and having the senders be automatically notified of the price adjustments. There’s also an antifraud problem, of a sort; if people are paid to get junk mail, they might make efforts to get lots and lots and lots of it to pad their bank accounts. (Wouldn’t that be just a wonderful recreation for smart teenage boys?)
But the technical issues, while non-trivial, are all solvable (or at least controllable — this scheme would indeed add more complexity that could then annoyingly malfunction). So what about adoption? Here’s one scheme that might work — email service providers might compete on the basis of not only being free, but of actually rebating cash to their users. This gets around what could otherwise be a bottleneck, namely the reluctance of consumer service providers such as AOL to share revenue with their customers.
What about nefarious uses? E.g., the government of China is all too eager to control information coming into the country, and this could be another tool. Hmm. I don’t have a fast answer. But I have even less of an answer as to what good would be done is this regard by refraining from using the technology in the rest of the world. After all, they can adopt it themselves if they want.
OK. I’m on board. How do we make this happen?
| Categories: Online and mobile services, Privacy, censorship, and freedom, Public policy and privacy, Security and anti-spam | 14 Comments |
I promised a bunch of links on privacy issues
As promised in my column in today’s Computerworld, I’m throwing up a bunch of links on privacy issues. Let me confess that I’m finding these in the last moment by searching, and these are not necessarily articles I’ve carefully read through or analyzed myself. (It turns out I didn’t bookmark anything when I first read about these various subjects.)
1. Your Google searches can be used against you as evidence in court. Prosecutors won a murder conviction against Robert Petrick for killing is wife in part by showing that, using his computer(s), somebody had Googled on a lot of murder-related terms, and visited a series of websites that gave information potentially useful in a murder of the kind actually committed. This information was gathered from his hard drive; it was not turned over by Google. Here’s another article on the Petrick case.
2. Search Engine Watch has extensive discussion on actual search engine privacy. It was inspired by the Federal government’s requests to the major search engines for general data (nothing personally identifiable) about child porn in search results. Google refused; MSN and Yahoo complied. EDIT: Google and the Feds are going to court, as per a 3/13 USA Today article. FURTHER EDIT: They cut a deal, as per the Reg’s cynically funny (as usual) article.
3. David Brin’s 1998 book The Transparent Society — focused on video surveillance, actually — has been highly influential in my own thinking. It appears he has an extensive web site that grew out of that discussion, but the link EDIT: IS NOW WORKING AGAIN.
4. The Register writes extensively about the British government’s attempts to institute national ID cards, biometric drivers licenses, and such like. It also writes about a number of other privacy-related issues.
5. Perhaps the most extensive single site covering Internet privacy issues is the Electronic Freedom Foundation’s.
More later, but that should be enough to get you started.
EDIT: I’ll keep adding some here.
6. One issue that probably has gotten more hype than it urgently needs is the theoretical risk of tracking consumer good usage via their embedded RFID chips. Retailers and consumer packaged goods manufacturers are being held back somewhat — or at least are being sensitive to — political and activist pressure.
7. Even the CIA is easy to trace. Never mind government and large-enterprise databanks; even web searches and other techniques open to the general, law-abiding public produce a lot of information — including the identities of many covert CIA agents and facilities. While not exactly a repressive-goverment fear point (quite the contrary, if anything), this still serves to illustrate one of my core points — information will inevitably be gathered. Hence tighter controls on the USE of information are needed now than were necessary before.
8. Lauren Gelman seems to be teaching a course on law/technology/privacy, and raises a number of specific issues in one of her blog posts.
The inevitable breaches of privacy, and what to do about them
Let’s continue the discussion of infomation privacy. Basically, governments and other large enterprises will be able to track almost everything about you — purchases, movements, medical details, communcations, even the things you think about (if you think about them long enough to search the Web for a bit of information). This trend can realistically be slowed, but it probably can’t be stopped.
Other than surrendering to 1984ish oversight, what is to be done? I see only one practical choice — the laws regulating use of information must be greatly strengthened. For example:
1. In the United States today, it is illegal to discriminate on the basis of an employee’s, job applicant’s, loan applicant’s, etc. race or sex or religion or national origin. This information is often available to companies (e.g., just by looking at the person). But even though companies have the information, they’re not allowed to use it.
2. Many safeguards against overzealous police and prosecutors take the form of limiting what information is admissible as evidence in court. If the police didn’t follow proper search procedure (in the US), tough on them; they can’t use what they found.
Indeed, it’s an almost universal myth that the Fifth Amendment to the US Constitution precludes a person being forced to give testimony. Actually, the government can very easily compel testimony. But if it does, it has to give a grant of immunity so that that testimony can not be used against the person in court — and if that means the person can’t be tried at all for a specific crime, so be it. Once again, the law allows the government to gather information which it is then precluded from using.
I think the ultimate solutions to the dangers of privacy invasion will have to in large part follow this model. For example, I’d like to see a prohibition on the legal use of “state of mind” information such as web searches, library research, and so on. If there must be exceptions to such a prohibition, they should be explicitly and narrowly carved out.
Issues in privacy
My March Computerworld column is an exhortation to IT workers to get involved in IT-related public policy issues. Probably the most complex and serious ones are in the area of privacy. Options I posed include:
• Do nothing.
• Maintain sharp limits on government acquisition and retention of information.
• Mandate that the government keep its information in separate silos.
• Create strong rules about how governments can use information once acquired.
• Hamstring corporate acquisition, retention, or use of information. (Much of the government’s potential data comes through private channels.)
• Various mixes and matches of the above.
My own view, which I plan to lay out and defend in a series of posts, is a complex one. Historically, protections such as the Fifth Amendment to the US Constitution have focused on limiting the government’s access to information. And this has been wise. As was shown for example by the misuse of FBI information under J. Edgar Hoover and the misuse of IRS information in the Nixon Administration (which Nixon claimed he didn’t innovate), once information gets into government hands its use is hard to control.
I see no good alternative to preserving these safeguards as long as possible. Maybe the Bush Adminstration should have gotten legislative permission for its data mining adventures and maybe the permission should have been denied, but the fact that they pursued them while circumventing the legal safeguards is utterly deplorable. That few people have suffered from the violationof these safeguards, or the worrisome provisions of the Patriot Act, merely proves that our multiple layers of safeguards are strong. It does not justify chipping away at them illegally, and I’m not real thrilled about legally undermining them either.
On the other hand — many of those safeguards are eroding fast. The amount of information the government can or potentially could obtain legally from credit card records, electronic auto toll tracking, etc. is staggering. National ID cards and passports are going electronic. The US Constitution apparently doesn’t prevent sensitive devices snooping into your house from the outside. Web surfing behavior is being submitted as criminal evidence. The government WILL have access to a very complete dossier on your activities, rather soon. Legislation to mandate this data be maintained in independent silos, while worthy, is just a stopgap.
And so in the US (and other developed countries, I would think), it is not just enough to fight government information acquisition. That’s a losing battle, especially since the most absolute safeguards can not be maintained in the face of the terrorist threat. Thus, I think we also need some reaffirmation — in principle, at least, if not in actual law — that “thou shalt not be hassled.”
I’m not yet sure what form(s) I think that needs to take.