Computers, Freedom, and Privacy 2000 Challenges the Assumptions: The Audiotaped Proceedings

Computers, Freedom, and Privacy 2000 Challenges the Assumptions: The Audiotaped Proceedings

Computers, Freedom, and Privacy 2000 Challenges the Assumptions:The Audiotaped Proceedings

Mary Meernik and Barbara Glover,with an introduction by Mary Meernik

Introduction

This year Computers, Freedom, and Privacy (CFP) celebrates its tenth anniversary, and the conference started by Jim Warren to encourage communication and ease tension between law enforcement agencies and the computer/hacker communities continues to thrive. Each year computer professionals, academics, lawyers, government officials, business people, journalists, librarians, social scientists, consumer advocates, and industry watchdogs converge to explore the intricacies and complexities of privacy and freedom in the online environment. Considering that this year's theme is "Challenging the Assumptions," it seems appropriate to look back at the assumptions and predictions made at previous conferences and see how they jive with today's realities.

Ten years ago, the Internet was characterized by a frontier mentality and there was real excitement about a network "rich in voice, data, and video" that would empower citizens with free access to all types of information. But even at the first CFP conference, there was the specter of encroachment by the commercial sector. While some participants expressed belief that industry was acting in a responsible manner, others were extremely pessimistic about the ability to control the private sector's collection and use of information. John Gilmore idealistically expressed hope that we could build a society that never collects information in the first place. Gary T. Marx's observation that "information is gathered with both laser-like specificity and sponge-like absorbency" was especially prophetic in light of the surveillance technologies employed today. Sadly, it's no longer true that, on the Internet, "no one knows you're a dog." Cookies that monitor our movements at a particular site have become ubiquitous, and now we are faced with new privacy incursions in the form of such software programs as Zbubbles and Surfmonkey that are capable of tracking all our online connections and activities.

The second CFP had a mock debate about a fictitious shoppers' club that linked supermarkets in an extensive point-of-sale system. Today many of us are forced to sign up for and use special cards, instead of the anonymous coupon, in order to obtain discounts on many items. In 1992, the US Congress was considering legislation to create a Federal Data Protection Board. Eight years later, we are still the only industrialized country without such a watchdog agency. Open access policies were being promoted for libraries; today librarians are being pressured to install filtering devices. Bruce Sterling satirized the computer community's worst fears, playing the role of the "truly malicious hacker" who is obsessively intent on wreaking havoc by breaching security systems holding sensitive, confidential data. We saw that persona come to life numerous times this past year, overwhelming the Internet with destructive viruses and denial of service attacks.

At the time of the third CFP, the USA was developing an agenda for a national information infrastructure. President Bill Clinton's proposed reform of the nation's health-care system raised concerns about protecting the confidentiality of medical records. In the session "Digital Individual," one speaker remarked that "as records are accumulated, disseminated, and coalesced, each of us is shadowed by an ever larger and more detailed data alter-ego." Concerns about women being subjected to harassment online led to a lively debate on whether content and behavior should be regulated and foreshadowed upcoming worldwide censorship controversies. Broadband access to the Internet received more attention and there was still the hope that the USA would develop a long-range privacy policy.

By the fourth CFP, the National Information Infrastructure (NII) legislation had passed and the phrases "information superhighway" and "universal access" were on everyone's lips. There was fear, however, that the Internet was being dominated by entertainment and advertising interests. Data encryption was a hot topic in 1994 because of Clipper Chip, the controversial encryption standard being pushed by the US government. In the session "Can Market Mechanisms Protect Privacy?" Mark Rotenberg argued that industry self-regulation would work only if "individuals own information about themselves and can control commercial transactions." The problem then and now is the difficulty and complexity of determining ownership. The threats posed by hackers and crackers were examined. Panelists in the session "Guarding the Digital Personal" warned that business transaction mechanisms were increasingly designed to gather information as opposed to simply conducting the transaction.

The atmosphere at the fifth CFP was dominated by the debate over the Communications Decency Act (CDA) in the USA. The image of the Internet was severely tarnished by numerous cyberporn incidents. Even many opposed to the CDA seemed willing to tolerate filtering and ratings systems if it would prevent government regulation. The debate over regulation centered on whether the Internet was a broadcast medium, which would put it under tight control by the Federal Trade Commission (FCC), or a publishing media, subject to fewer restrictions. Two sessions on "Freedom and Responsibility of Electronic Speech" used both fictitious scenarios and real-life incidents (i.e. the Jake Baker case) to debate the fine line between online advocacy of illegal acts and incitement to commit crime. There was stepped-up examination of technological threats to privacy, including the proposed Digital Telephony legislation that would require telephone companies to make their lines and equipment wiretap ready. Another session examined "exciting new tools" for privacy protection, including intelligent agents that do leave audit trails, anonymous remailers, cryptography, and anonymity. Use of these tools is even more important today considering the amount of online surveillance, but how many of us are savvy enough to locate and install these programs and utilize them every time we log onto the Internet to make a purchase or research a medical question. Copyright issues were also at the forefront, with much criticism directed at the draft proposals of the NII Working Group on Intellectual Property Rights. Recognizing that the "Net has the power to either democratize or divide our society," there was also increasing concern about the digital divide between the information haves and have-nots.

The Philadelphia trial on the constitutionality of the Communications Decency Act was underway when the sixth CFP was held. Conference chair Hal Abelson observed that "the electronic frontier town has become downtown." There was a session on "International Developments in Cryptography," but this topic moved to the background once the US government started allowing export of strong encryption in August 1995. "Privacy and the Global Information Infrastructure" discussed the European Commission's Data Protection Directive that was adopted in October 1995. The session on copyright warned that existing laws could "turn copyright into a monster on the Internet." Legislation was being considered that would prohibit transmission of electronically copyrighted material and tampering with copyright protection schemes. Today, the Digital Millennium Copyright Act imposes even more restrictive measures to prevent the distribution and use of circumvention tools. Sessions on the regulation of controversial content on the Internet, the liability of service providers for offensive material, and the responsibility of universities to control student behavior online also reflected the strong emphasis on free speech and censorship at the 1996 conference.

The theme of CFP 97, "Commerce and Community," gave tacit recognition to the dominance of e-commerce interests on the Internet. The sessions painted a "disturbing picture of individual freedoms and privacy being sacrificed to the freedoms demanded by the corporate sector, aided and abetted by laissez-faire government policies." The panel on "Social Issues Raised by the Commercial Development of the Net" reinforced the divergence of opinion over market self-regulation versus government controls to protect consumer privacy. There was a moot court session on the Communications Decency Act, which was declared unconstitutional by the Supreme Court in June 1997. In the session on "Cypherpunks and Cybercops," Phil Zimmerman ominously predicted that future CFP sessions would focus on "ubiquitous microphones and tiny cameras, things that would pervade our society, that would allow the integration of data between all these microscopic sensors, transaction databases, pattern-recognition algorithms, and expert systems giving the government or other powerful institutions ... near omniscience." Likewise, the session on "Infowar" reminded us that cyber-threats can originate anywhere and be nearly impossible to trace. The "Creeping Propertization of Information" stressed that the shift from a "copyright regime to a contract-based regime" was seriously interfering with the free flow of information and jeopardizing the first sale doctrine and the fair use principle. Increasing congestion on the Internet and the development of Internet2 were the focus of "The Coming Collapse of the Net."

In his keynote address at CFP 98, Brian Kahin, from the White Office of Science and Technology, stressed that the Clinton administration still supported industry self-regulation, believing that "highly competitive markets will enable users to express their privacy preferences." However, in the session on "Privacy: Where We Are and Where We Are Likely to Go Next," former Federal Trade Commissioner Christine Varney departed from her long-held support of privacy as market commodity, arguing that self-regulatory efforts had not been successful and that the government should be involved in privacy protection. In "Privacy versus Free Speech," Solveig Singleton from the Cato Institute opposed such industry controls as mandatory opt-in models that would restrict the private sector's ability to collect and use information. Instead, she took the stance that consumers should be responsible for protecting their own privacy by negotiating contracts and using such technological tools as firewalls. Privacy was also the focus of sessions on biometrics, cryptography, and medical records. Access to information, freedom of speech and censorship concerns were targeted in sessions on archiving the Web, library filtering, and the Platform for Internet Content Selection (PICS). The vulnerability of the Internet to various types of attack was the subject of "How to Choke the Net," with the panelists warning of the damage that could be inflicted both intentionally and accidentally because of the Net's open architecture.

At last year's CFP, keynote speaker US Representative Ed Markey garnered much attention with his proposal to introduce legislation that would create a privacy bill of rights. (The Electronic Privacy Bill of Rights, H.R. 3321, was introduced in November 1999 and subsequently referred to various House Committees.) The panel on "Freedom and Privacy and the Global Internet" explored the continuing debate over industry self-regulation versus government-imposed privacy protections. In "The Creation of a Global Surveillance Network," the speakers described not only the monitoring and blocking activities being carried out by such traditionally repressive governments as Russia and Austria but also the development of surveillance systems in France, Germany, the UK and the USA. The importance of using such digital tools as Anonymizer to protect one's privacy was stressed in "Anonymity and Identity in Cyberspace." Two sessions on "Free Speech and Cyber-Censorship" reinforced the divergence of opinion over the definition and regulation of "illegal and harmful content" and the use of censorship and filtering tools. "Copyright and the Law" generated a lively debate over the rights of Internet users to have unrestricted access to MP3 audio files versus the rights of the recording industry to prevent piracy through the use of such mechanisms as SDMI (Secure Digital Music Initiative). In "Privacy and Profiling," the panelists discussed the convergence of commercial and government databases and how easy it had become to identify individuals even with personal identifiers stripped from the data.

This year's conference, sponsored by the Association for Computing Machinery, was held 4-7 April 2000 in Toronto, Ontario. The four-day event featured one workshop, six tutorials, 21 panel discussions, and seven speeches, including three keynote addresses. All the panel discussions and speeches are available as Real-Audio recordings at the CFP Web site (www.cfp2000.org). Audiocassettes of these same sessions and videocassettes of 18 sessions can be purchased from Audio Archives and Duplicators, 100 West Beaver Creek, Unit 18, Richmond Hill, Ontario L4B 1H4; (905) 889-6566. An order form is provided at the CFP Web site. In addition to the Real-Audio recordings, the excellent Web site also provides program schedules and information, speaker biographies, conference newsletters, and links to papers by the presenters and to numerous media articles about the conference.

Domain Names under ICANN: Technical Management or Policy Chokepoint?

Michael Froomkin, University of Miami School of Law (moderator)Jerry Berman, Center for Democracy and TechnologyKarl Auerbach, Cisco SystemsRichard Sexton, VRxAmadeu Abril I Abril, ICANN board member

Trying to manage any component of the free-wheeling Internet is bound to be a thankless, virtually impossible job, and that is exactly the position in which the Internet Corporation for Assigned Names and Numbers (ICANN) finds itself. This independent, non-profit corporation was founded in 1998 to oversee the assignment of globally unique names, addresses, and protocol parameters. Although this mandate would seem to be well circumscribed and harmless, the technical management of domain names has become inexorably intertwined with controversial intellectual property and trademark issues. As if anticipating the harsh criticisms of the panel, moderator Froomkin suggests that "ICANN is a better thing than some of us think."

Berman's organization, the Center for Democracy and Technology (CDT), has focused on ICANN's lack of a democratic electoral process. The CDT and other online advocacy groups were instrumental in pressuring ICANN to have direct election of its five at-large board members. In fact, anyone with an e-mail and a fixed postal address is eligible to vote for the at-large members. Currently the CDT is seeking clarification of ICANN's charter and bylaws to insure that the corporation limits itself to technical management issues.

Sexton claims that "big business and trademark lobbyists" have controlled ICANN from its beginnings. Criticizing ICANN's "Byzantine structure" and its "policy stranglehold," he advocates establishment of rival domain name systems. Even without any opposition or competition, Sexton predicts that "ICANN will implode like a black hole."

Stressing that the important policies have already been decided, Auerbach contemptuously characterizes ICANN as a "faux democracy" that "fails to meet even rudimentary democratic standards of openness, transparency, and accountability." He points out that the network has the capacity to support several million top-level domains, but that hoarding and speculation are rampant because ICANN refuses to create more than a few new names. Because "DNS can be offered by many distinct providers," he like Sexton advocates making ICANN "irrelevant." Berman, although stressing that ICANN should steer clear of policy and content issues, prefers to "legitimize" ICANN rather than be faced with the confusion of alternative systems.

Abril I Abril also urges the Internet community to work within the system to "make it evolve in the direction we want." ICANN is in the difficult position of trying to reconcile the "roles and voice of governments and many other interests." Although conceding that its bureaucratic structure is an "exaggeration of the reality," he insists that ICANN is doing a better job than its predecessors did. He strongly supports the self-governance and internationalization of ICANN, expressing concern that the United States government is exercising too much control over the corporation's policies and procedures.

New Justice Information Technologies: Does Existing Privacy Law Contemplate These Capabilities?

Paul F. Kendall, US Department of Justice (moderator)James Dempsey, Center for Democracy and TechnologyPaul George, FBITom Cecil, Superior Court Judge, Sacramento, CaliforniaGeorge Tomko, Photonics Research Ontario

Will privacy protections vanish with Big Brother's implementation of new surveillance and database technologies? The panel grapples with this issue and the challenges of striking a reasonable balance between privacy and security. As moderator Kendall points out, however, many practices and concepts that we have long associated with privacy protection such as individual consent and notice, voluntary participation, reasonable use, and accountability become quite nebulous and difficult to enforce in the online environment.

Dempsey focuses on FBI telecommunication initiatives Digital Storm, which will facilitate collection of wiretap data, and Casa de Web, which will improve linkage of FBI databases. He predicts a 300 percent increase in wiretaps over the next decade because of technologies linking systems together. When the courts have denied only three out of more than 10,000 wiretap requests from 1989 to 1999, Dempsey is obviously concerned about the potential for future abuse. Pointing out that many of the records currently in the National Crime Information Center database are inaccurate or incomplete, he questions whether the "privacy standards for the initial collection of information are strong enough." There is also more and more "intermingling between commercial databases and government databases"; in fact, the FBI relies heavily on private sector databases such as Lexis-Nexis.

George counters that there are so few wiretap denials because the FBI must thoroughly document all requests before submitting them to the Justice Department. He also stresses that the FBI's current focus is on international terrorism and international organized crime which require sophisticated methods of investigation such as Internet tracking. In response to concerns about increased domestic surveillance, he points out that the Privacy Act of 1974 stipulates that collection of information by federal law enforcement agencies must be related to criminal investigations.

Cecil makes the interesting observation that we have a "de facto privacy policy"; we are protected simply because current methods of information gathering are expensive, time-consuming, and inefficient. He argues for the integration of justice information systems, but insists that unless privacy protections are built into the system the project does not deserve to be funded. Although digitizing criminal information has distinct advantages, Cecil is concerned about the potential for abuse when such records become publicly and permanently accessible in private sector databases making the process of rehabilitation difficult or even impossible.

Tomko discusses biometrics, the encoding of personal attributes such as finger, iris, and voice prints for the purpose of creating a unique identifier. Although proponents argue that the technology would reduce identity fraud, Tomko insists that what is the "Holy Grail for public safety and security is the Chernobyl of privacy disasters." He is concerned that biometric data, entered into databases for one purpose, such as welfare or financial identification, will eventually be linked to law enforcement databases. Tomko does not believe legislation alone can prevent abuse; he advocates building controls into the software, hardware, and system architecture. One solution would be to use a biometric as a personal encryption key; a fingerprint pattern could be used to code a PIN which would then be decoded for authentication purposes using the fingerprint pattern.

Security and Privacy in Broadband Internet Services

Robert Ellis, ACM (moderator)Simson Garfinkel, consultant and journalistJacques Desroches, Bell CanadaDermot O'Carroll, Rogers Cable, Inc.John Denker, AT&T Labs-Research

Broadband services are becoming more available and affordable, but these high-speed cable and DSL (Digital Subscriber Line) connections come with a high price ­ compromised security and privacy. These types of connections are virtually "always on," making the user's files more vulnerable to hackers as well as to inadvertent file and printer sharing with other users. Moderator Ellis questions the panelists about the threats, the solutions, and whose responsibility it is to resolve the problems. Garfinkel criticizes security flaws with the Windows 95 operating system and characterizes home firewall security programs as "a real sham." He is equally concerned about the potential for abuse by common carriers and Internet service providers (ISPs), stressing that most do not have policies governing such practices as reading customers' e-mail and tracking the sites they visit. Desroches contends that security and privacy problems will become much more serious when the uneducated "mass market" adopts broadband. O'Carroll concurs, stressing that the biggest problem is not hackers but the "behavior of customers." His company does employ various tools and filtering techniques to enhance security, but it cannot prevent its 200,000 customers from carelessly downloading files that have viruses and Trojan horses. In addition, computer users frequently compromise their privacy and security by conducting personal business at public terminals. While Denker argues that there are many security and privacy threats from governments, hackers, Trojan horses, data mining entities, and others, he emphasizes that these problems are not unique to broadband access. He contends that "the biggest threat to privacy is unrestricted data mining." Each time users furnish personal data to obtain a product or service, they are building extensive profiles about themselves piece by piece.

In response to Ellis' question about solutions, O'Carroll discusses how providers and carriers can enhance security by blocking "promiscuous" protocols such as NetBIOS, encrypting traffic from the user to the system, offering different levels of user access, and packaging firewall protections with modems. Desroches also favors different access levels based on the type of user and urges manufacturers to offer more user-friendly security devices. Garfinkel argues that users should not have to assume the burden of protecting their privacy and security, pointing out that consumers are not expected to be fully knowledgeable about foods and drugs. He wants companies held liable for poorly designed software with security flaws. Garfinkel also believes that competition among carriers and ISPs will force them to be more responsive to privacy and security concerns. Denker favors software and hardware options that give customers control over "setting security policy at a high level," but he admits that such technology is a "future solution." In the meantime, he recommends using security devices to protect all hardware components. Denker disagrees with Garfinkel's liability solution, citing his experience that "liability is very low on the list of things that don't work for ensuring airline safety." When asked whether competition would help resolve security and privacy problems, three panelists agreed that security is a product differentiator for customers. Garfinkel, however, argues that most users are not knowledgeable enough to assess the security capabilities of the services or products they use.

The last question concerns the proper role for the players involved ­ governments, consumers, manufacturers, carriers, and ISPs. While all the panelists agree that the government must guarantee personal privacy, they also expressed concern that lawmakers and regulators do not possess the necessary expertise in privacy and security matters. Garfinkel proposes creating an organization that could serve as a resource for both government and industry while Desroches suggests that ISPs educate the government concerning appropriate policies. Denker and O'Carroll support a strong role for industry, believing that competition will result in security and privacy protections. While O'Carroll believes industry self-policing will be adequate, Garfinkel calls for strong regulations. All the panelists urge consumers to be more responsible and to recognize the tradeoffs between security and functionality.

Privacy Commissioners: Powermongers, Pragmatists or Patsies?

Colin Bennett, University of Victoria, Canada (moderator)Ann Cavoukian, Information and Privacy Commissioner/Ontario, CanadaStephen Lau, Privacy Commissioner for Personal Data, Hong KongMalcolm Crompton, Federal Privacy Commissioner of AustraliaHansjuergen Garstka, Data Protection and Information Commissioner of the State of Berlin

Every advanced industrialized country, with the notable exception of the USA, has a governmental department or office to oversee privacy/data protection issues. Privacy commissioners from Ontario, Germany, Hong Kong, and Australia discuss their responsibilities and their relationships to their governments, the media, special interest groups, and the public. Although each must function within a different political culture and the constraints of specific legislation and regulations, there are many similarities among the four. They serve as ombudsmen for their governments' citizens, looking into complaints of privacy and freedom of information violations. With the exception of Hong Kong's Lau, these commissioners do not have real power bases, but must instead rely on public education and good relationships with other government agencies to accomplish their missions. Garstka must function within Germany's "complicated system of data protection enforcement" with confusing divisions of power between federal and state agencies. His office monitors compliance with privacy laws, investigates complaints, and makes recommendations for improvement. The only formal power he has for enforcement is to send a "statement of infringement" to the offending authority. The upcoming implementation of the European Data Protection Directive, however, "will give data protection entities much more power." Crompton's mission is "to promote an Australian culture that respects privacy." His office investigates complaints and utilizes a dispute resolution process, but like Garstka he cannot force compliance. Instead he relies heavily on educating the public and convincing the private sector that "good privacy is good business." Ontario's Cavoukian also places primary emphasis on educating the public and promoting the Commissioner's mission through the media and speaking engagements. Although her office has extensive investigative and enforcement powers in freedom of information requests, she has extremely limited jurisdiction in privacy matters. Nevertheless, she feels her office has been very effective simply by employing "moral suasion and the potential for public embarrassment." Hong Kong's commissioner has the strongest investigative and enforcement powers of the four officials; the country's Personal Data Ordinance covers the purpose, accuracy, use, security, access, and retention of automated and manual data in both the public and private sectors. Given the many gray areas in the law, however, Lau stresses the importance of being a pragmatist.

Bennett then asks the commissioners how they would respond to a scenario in which their government proposes to issue a national ID card. The commissioner is invited to a meeting to discuss any concerns and is informed that the government plans to make a public announcement of the initiative in two weeks. Bennett also asks how the commissioners might involve the media and special interest groups in this situation. Cavoukian would attend the initial meeting to express her concerns and her opinion that the two-week timeframe is unworkable. However, she would not want to be present at the public announcement in order to maintain a "perception of independence." She would not immediately involve the media or other groups, preferring to work with the government to find a solution. Ironically, Lau has recently been faced with such a situation in his own country. He reads the letter he sent to his government that expresses his reservations and requests a privacy impact assessment study, to which his government did agree. After the government issues this report, he sees using the media as a forum for debate. Crompton would prefer to work behind the scenes to reach a solution. If the initiative did move forward, he would focus on "making sure Parliament keeps control to prevent function creep" (use of the data for other purposes) and to minimize the "bureaucrats' discretionary power." As far as involving other groups, Crompton stresses the importance of being "sensitive to your environment" and to not be perceived as manipulative. Garstka and his counterparts in Germany would write a circular letter emphasizing that under current law such a card is illegal and unconstitutional. He also sees no immediate need to go to the media, preferring to work with lawmakers to influence the outcome.

In the second scenario, a Berlin bank employee, who wishes to remain anonymous, informs his Privacy Commissioner that personnel data is being transferred from the Berlin branch to the bank's headquarters outside Germany. Garstka believes that the international transfer of personally identifiable data would be illegal in most circumstances and that the bank should be making this type of data pseudonymous. If the bank's headquarters were in Hong Kong, Lau would investigate whether the amount of information being transferred is excessive, how the data are being used and what security and retention policies are being followed. Cavoukian stresses that such situations can often be resolved informally; companies frequently just "lack awareness of data protection privacy principles" and are eager to comply once they are educated. Crompton points out that employee records are often exempt from privacy protection provided that the use and disclosure of the records is related to their original purpose. All the panelists agreed that the whistleblower had the right to remain anonymous.

Intellectual Property and the Digital Economy

Pamela Samuelson, UC Berkeley (moderator)Yochai Benkler, NYU Law SchoolDavid Post, Temple Law SchoolRandall Davis, Massachusetts Institute of Technology

The evolving digital environment seems to continually elude attempts to overlay it with any meaningful framework of intellectual property policies. In her introductory remarks, Samuelson talks about legislative efforts to strengthen copyright laws in order to promote the growth of the digital economy. She is concerned that recent developments in licensing laws and technical protection systems are "displacing public policy balances in intellectual property law." It is now possible to patent "anything that can be described as a method," such as systems of organizing, analyzing and presenting data, and unfortunately as Samuelson points out there is "no fair use defense in patent law."

Benkler discusses two restrictive legislative proposals, HR354 and HR1858, which he says would result in a "political economy of enclosure." The legislation, which "effectively creates a property right in raw data," will make it illegal to collect and store what has previously been freely available information. Copyright laws typically favor industries with lobbying power at the expense of individual rights. He warns that restricting access to information will severely limit "democratic discourse" and "personal autonomy."

Post, an expert in trademark law, focuses on domain name issues, in particular the cybersquatting controversy. The Cybersquatting Protection Act makes it illegal to register a domain name that is identical to a trade name when it is done in "bad faith" with the intent to profit from the trademark But how can it be determined what constitutes "bad faith" versus legitimate acquisition of a domain name? Post is critical of how disputes are handled under both this Act and the uniform dispute resolution process utilized by the Internet Corporation for Assigned Names and Numbers (ICANN). Patent law in cyberspace also presents many challenges with the Patent Office, policy makers and the courts struggling to determine when software represents "something new, innovative or non-obvious."

Davis' digital dilemma is "the collision of the information infrastructure and intellectual property." With digital information, "access means making a copy," so we are forced to consider whether the copyright model is workable in cyberspace. Suggesting that "leasing" rather than "owning" information makes more sense, he observes that we are already beginning to see the "substitution of contract law for intellectual property law." In the digital environment, publications are "becoming experiences rather than artifacts."

Negotiating the Global Rating and Filtering System: Opposing Views of the Bertelsmann Foundations's Self-regulation of Internet Content Proposal

Jean Camp, professor, Kennedy School of Government, Harvard University (moderator)C. Dianne Martin, professor, computer science, George Washington UniversityBarry Steinhardt, associate director, American Civil Liberties UnionChristopher D. Hunter, PhD candidate, Annenberg School for Communication, University of PennsylvaniaJordan Kessler, Anti-Defamation League

Panelists in this session describe and react to the voluntary Internet content rating and filtering system proposed by the Bertelsmann Foundation in September 1999. This system has been described as a multi-layer cake. Resting on top of the basic content layer would be content labeling voluntarily assigned by the content provider. Internet users could select filtering templates produced by trusted organizations to rest on top of the labeling layer. Other components of the system are red, white, and green lists (presumably to fine-tune labeling), help hotlines for users to direct questions to independent rating organizations, and law enforcement hotlines for users to report globally illegal activities. Martin claims the Bertelsmann proposal grew out of earlier projects sponsored by the Recreational Software Advisory Council and explains its reliance on PICS (Platform for Internet Content Selection) technology developed by the World Wide Web Consortium. She praises the Bertelsmann system because content labeling is totally separated from content rating, allowing users to design their own filters based on personal value systems. Kessler of the Anti-Defamation League praises the system for being "a more inclusive and more flexible model than we have seen," one that "allows input from the industry, from third parties, from users themselves, and it's accessible and free of charge." He is hopeful that more people will come online when they gain confidence that their families will not be exposed to objectionable content on the Internet.

To put it mildly, the other two panelists are not so favorably impressed with the Bertelsmann proposal. In fact, Hunter likens the system to the sixteenth-century Catholic Church's Index of Banned Books. He views Bertelsmann as a "massive media conglomerate" acting in its own interest to limit freedom of expression on the World Wide Web. He believes Bertelsmann's "call for universal rating and filtering will drive idiosyncratic speech to the edges of cyberspace where few will venture. God, apple pie, and commercialism will thrive!" Neither he nor Steinhardt think most people will have the time and ability to learn the complex layer cake system or to locate and apply filtering templates and white lists matching their personal moral values. Steinhardt also worries that self-rating will be too burdensome for many content providers, citing as an example the 26,000-page Web site managed by a group of artists. He predicts that most users would set their systems to shut out unrated sites and that governments would be tempted to step in to challenge misleading content labels. While Martin hopes this open source template system will cause "a thousand flowers to bloom," Hunter and Steinhardt seem convinced that many more thousands of flowers would perish when they are censored or overlooked by template users.

Circumvention: Tool for Freedom or Crime?

Alex Fowler, Electronic Frontier Foundation (moderator)Robin Gross, Electronic Frontier FoundationBarry Steinhardt, American Civil Liberties UnionPaul Schwartz, Brooklyn Law SchoolDeclan McCullagh, Wired News

This debate reinforces how very difficult it will be to balance intellectual property interests and free expression/ fair use rights. Moderator Fowler keeps this engaging discussion interactive between the panel and audience. To provide background information, Gross is asked to discuss the DVD/DeCSS case and how it relates to the Digital Millennium Copyright Act (DMCA). DeCSS is a program that breaks the DVD encryption code; there are currently lawsuits not only against the developer of the utility but also against Internet sites that hosted the software. The DMCA criminalizes both the act of circumvention (although that portion of the law will not go into effect until October 2000) and the creation and distribution of tools that enable circumvention (that portion of the law went into effect October 1998). Gross foresees "reasonable justifications for why someone would need to circumvent," but the DMCA only provides for a few extremely limited exceptions. There is disagreement among the panelists and audience over whether providing access to circumvention tools is an act of free expression or one that facilitates "the potential for piracy." The DMCA has generated much controversy and Congress has ordered the Copyright Office to study its adverse impact and to identify classes of works that should be exempt from the law.

Steinhardt is asked to discuss the CyberPatrol case and the ACLU's involvement. CyberPatrol is a blocking/ filtering program developed by Mattel, and two foreign nationals have written a software utility, Cphack, which allows the user to view the blocked sites and administrator's passwords. Mattel sued not only the foreign nationals, who did settle that lawsuit, but also three mirror sites, represented by the ACLU, that posted the Cphack utility. Steinhardt stresses that this case never involved piracy of the original software. He argues that Cphack simply constitutes "fair use" of CyberPatrol and that reverse engineering of a program to make it "useful for your own purposes" should be legal.

Even though the DMCA contains a circumvention exception for privacy purposes, Schwartz contends that the legalese makes it virtually uninterpretable. The exemption is only allowed if the copyright owner does not provide the user with notice and opportunity to opt out of the collection of personal data. The act of circumvention must also not violate any other laws pertaining to the software's use, such as the shrink wrap license. Even though the act of circumvention may be legal, it is unclear whether the circumvention tools themselves would be.

As a journalist, McCullagh laments the difficulty of getting people, his publishers as well as the public, interested in copyright issues. He also makes the interesting observation that past copyright infringement cases involved persons engaging in piracy for financial gain; now the playing field has expanded to include not only developers of software utilities that provide access to a program's source code for customization or privacy purposes but also those individuals like himself who merely link to sites that post the utility.

Copyright law expert Pamela Samuelson, who is in the audience, agrees that the DMCA is "totally incoherent" and "rife with internal contradictions." If the act of circumvention is allowable to protect privacy, then there "has to be an implied right to make the tool" that enables the act. However, the legality of distributing such tools is more questionable which leaves the technologically challenged in a disadvantageous position in relation to those with the expertise to write and use their own programs. Samuelson also distinguishes between software access controls versus copy controls and states that fair use should be a legitimate circumvention of copy controls.

It is suggested that there are "constitutional defects in DCMA," and that the courts will have to determine whether fair use is a First Amendment right. In disagreeing with the suggestion that "widespread noncompliance" with DMCA is the solution, audience member John Denker stresses that authors and publishers must be fairly compensated. John Gilmore is critical of the practice of not implementing certain provisions of a statute like DMCA until some future point; it is more beneficial if "problems can be brought to light immediately."

Infomediaries and the Negotiated Privacy

Jason Catlett, Junkbusters Corp. (moderator)Beth Givens, Privacy Rights ClearinghouseAlexander Dix, Commissioner for Data Protection and Access to Information, Brandenburg, GermanySteve Lucas, Privaseek, Inc.Ray Everett-Church, AllAdvantage.comPaul Perry, Microsoft

The first half of the panel discussion examines the use of infomediaries, described as "brokers for consumer information." These personal agents supposedly protect consumers' privacy while also helping them to benefit financially from the sale of their personal information. In a rapidly changing marketplace, Givens questions the advisability of trusting such entities "for now and all of time." Although alarmed by the potential for secondary use, particularly court-ordered warrants in criminal cases, she agrees that infomediaries may offer advantages in such limited-use situations as buying cars or computers. Like Givens, Dix is skeptical of market forces and believes that, in order to remain commercially viable, infomediaries will likely resort to selling the information to questionable third parties. He is alarmed at the "considerable informational power" that infomediaries will amass from aggregating "very rich personal profiles." On the other side of the issue, Lucas points out that his company has extremely strict policies about providing information to third parties and that consumers always have access to and control over the data they provide. Everett-Church's company takes privacy concerns a step further by maintaining all member information internally. The company's customers install a viewbar on their computers which generates advertisements based on the customers' URL traffic; in return each member receives a monthly payment of $12.50. Perry discusses Microsoft's Passport technology, which enables a user to sign on only once per computer session, eliminating the need to provide additional passwords when visiting Web sites using Passport software.

The second half of the program looks at how technology, as opposed to human agents, can be used to protect privacy. P3P (Platform for Privacy Preferences) technology enables the user to establish a privacy profile and to be alerted when visiting a Web site with a policy that conflicts with the user's preferences. Givens, while applauding the goals of P3P, is concerned that the technology is being "used as an excuse to not pass strong laws to safeguard our privacy." She is also doubtful that P3P could accommodate the wide variability in people's privacy preferences. Dix is equally skeptical about P3P, characterizing the technology as "an empty shell." Lucas criticizes the inept management of the project by the World Wide Web Consortium, stating that "after three years of promises, we have nothing of real value at this point." Everett-Church argues that P3P is cumbersome and annoying; if it is not user-friendly neither Web companies nor consumers are likely to utilize it. It is left up to Perry, one of the technology's developers, to answer the criticisms. He mounts a spirited defense of the P3P project, claiming that management problems are in the past and that substantial progress is now being made with the advent of new software tools such as XML and RDF.

Human Subjects Research in Cyberspace

Bruce Umbaugh, director, Center for Practical and Interdisciplinary Ethics; professor, philosophy, Webster University (organizer)Amy Bruckman, Electronic Learning Communities Group; professor, Georgia Tech; founder, MediaMOOJulian Dibbell, writer, author of My Tiny Life: Crime and Passion in a Virtual WorldSanyin Siang, American Association for the Advancement of Science

Academic researchers using human subjects have long been cognizant of the following set of guiding principles that were affirmed by a June 1999 workshop sponsored by the American Association for the Advancement of Science in conjunction with the US Office for Protection from Research Risks:

• •

  respect for persons through the collecting of informed consent (disclosing the risks and benefits of the research);

• •

  beneficence (maximizing the benefits and minimizing the risks involved in the research); and

• •

  assurance that the risks and benefits of research are evenly distributed.

According to Siang, there is a pressing need for discussion as to how these guidelines should be applied when conducting human subject research in cyberspace, considering the following distinctive features of the online research environment: "the blurred distinction between private and public domains; the ease of anonymity or pseudonymity; the transcendence of spatial barriers which result in communities of geographically dispersed members; the suspension of temporal barriers with the recording and archiving of communications; the low cost, easy-to-use technological means to facilitate tracking of participants."

Brockman suggests that a new set of principles should be developed for each one of the online venues, including chatrooms, usenet, mailing lists, e-mail, MUDS, and online courses. Participants' expectations of privacy differ from one venue to another, so researchers need to take time to learn the particular rules of the group they are studying. Dibbel comments that journalists tend to make ethical decisions in an ad hoc fashion and that news value often overrides a subject's desire for confidentiality.

In addition to the principle of informed consent, Umbaugh proposes that researchers and system administrators seek to provide equal privacy protection to all research subjects by guaranteeing each individual control over his or her own personal information. In his words, we should be enabled "to reserve some things from most people and to share other things with most people and to share some things only with particular people."

Network Society as Seen by Two European Underdogs

Giancarlo Livraghi, Associazione per la Libertà nella Comunicazione Elettronica Interattiva (moderator)David Casacuberta, Fronteras Electronicas EspañaAndrea Monti, Associazione per la Libertà nella Comunicazione Elettronica Interattiva

The three men on this panel either have been or currently are chairs of their nations' equivalents of the Electronic Frontier Foundation, which works to promote freedom and privacy on the Internet. Italy and Spain are way behind the Nordic countries and the Netherlands in their use of the Internet, but they are gathering momentum as citizens discover the wealth of information and services that are available online. Although there is no Internet censorship in Italy, Livraghi discusses the infamous 1994 crackdown on bulletin board operators during which police seized a great deal of equipment whose owners were accused of copyright infringement. He claims the biggest challenges in Italy's online world involve legislation and bureaucracy, because "Italy has a lot of specially devised legislation that is poorly conceived, or old legislation that has been poorly interpreted, so there's unnecessary bureaucracy." Unfor-tunately, it is still illegal to exchange information about encryption systems.

Casacuberta talks about a couple of cases that indicate the growing power of the Internet in Spain. One involved a mailbombing that occurred after an online campaign urged such action. Another involved a boycott of the monopolistic telephone company initiated by a Web site in protest against very high rates and in favor of universal access. As a result, the telephone company is not a monopoly anymore and some sort of flat rate is available. According to Casacuberta, Spain's domain name system is "chaotic and corrupt and stupid at the same time." Except when influenced by power or money, the rules succeed in outlawing the use of generic terms (such as "books") or words under four letters long in new Web site names. Spain's new privacy protection law is being tested on a case involving the online posting of a list of policemen who have been convicted of torture and abuse toward prisoners. Although the organization removed the privacy-invading material from its Web site, the information remains available on a non-Spanish Web site. At this time, mirroring is a difficult tactic to combat. Casacuberta concludes that the main interests of Spain's online community are access and the flat rate, but more and more people share the hope that freedom of expression and privacy will be fostered. Livraghi feels that the freedom and privacy movement needs to develop a stronger presence throughout the European Union.

The Media and Privacy: Friend, Foe or Folly?

Ann Cavoukian, Information and Privacy Commissioner, Ontario (moderator)Michael Geist, professor, University of Ottawa Law SchoolKen Campbell, columnist, Toronto Star; president, K.K. Campbell & CompanyDavid Flaherty, professor and consultant; former Information and Privacy Commissioner, British ColumbiaJohn Schwartz, staff writer, Washington Post

According to the conference program and moderator Cavoukian, the media are guilty of serious invasions of privacy at the same time as they are working to protect our freedoms of information and expression. During the CFP conference week, Canada passed Bill C6, e-commerce privacy legislation incorporating the model code for the protection of personal information which had been promoted by the Canadian standards association. Reviewing the law, Geist points out that it is based on ten principles, including "accountability, identifying purposes, consent provisions, security safeguards, as well as the ability to access your own private data and to challenge compliance." This law will be phased in over four years, affecting only federally regulated businesses in January 2001 and the medical community a year later. All other e-commerce participants have until January 2004 to comply. Although the law does exempt "any organization in respect of personal information that the organization collects, uses, or discloses for journalistic ... purposes," this exemption raises questions such as "Does this include subscriber databases?," "Who is a journalist?," "Does this bill permit a free-for-all for journalists?," and "What about information that obtains a journalistic purpose long after it is gathered for other reasons?" Many uncertainties will have to be clarified in regulations, worked out in court, or determined in provincial law. Flaherty speaks about the values he espoused and some of his accomplishments as British Columbia's Privacy Commissioner.

According to Schwartz, "the founders of the American Republic understood that this was going to be the first information-based economy, the first information society," when they listed freedom of the press rather than the right to privacy as one of the enumerated rights. He talks about the balancing act reporters constantly engage in as they approach the line dividing good taste from invasion of privacy. Despite frequent examples of journalists going too far, neither he nor Campbell would want to impose regulation in the field. Campbell expects the media to become ever more pervasive in the future, but he favors educating people to live with the realization that "we live on a permanent stage" subject to public scrutiny. He tells the audience to "learn to love" the fact that "we're all media personalities now!"

"Who Am I and Who Says So?": Privacy and Consumer Issues in Authentication

Deirdre Mulligan, Center for Democracy and Technology (moderator)Margot Freeman Saunders, National Consumer Law CenterCarl Ellison, IntelPhil Hester, IBMDavid Flaherty, University of Victoria

As more and more public and private sector activities take place online, technologies will have to be developed that not only authenticate the parties involved in the transactions but also guarantee the security and privacy of the data exchanges. Moderator Mulligan sets up a scenario to explore the challenges of conducting business in the online environment. A medical clinic has issued smart cards with biometric passwords to its patients; these cards not only hold the patients' medical IDs, data on blood type and allergies, and insurance information but also enable fund transfers to pay medical bills. Patients can also access and make changes to their online emergency record profiles. The clinics' doctors are issued identity certificates that allow them to issue prescriptions, request labs, and submit claims. Several patients have discovered that their Web site profiles have been changed and that they have been charged for treatments they did not receive. These patients are seeking reimbursement for the funds debited from their accounts.

Saunders has the sobering news that the patients are not entitled to reimbursement because current laws "assume that unauthorized use of a digital signature can only result from negligence of an individual." The fraudulent use of such electronic devices is not covered by any US law comparable to the Fair Credit Billing Act that protects a consumer from liability in credit card fraud. If these patients must prove they were not at fault, Saunders stresses that there would have to be a "technological trail to show what produced changes in the card." Hester claims that if the "system technology is properly designed, you would have a verifiable audit tool." However, he emphasizes that there are so many possible exposures, that it is critical to develop a "holistic view of the threat model." Ellison stresses that the smart card's biometric password is not secure and that a "digital signature is not necessarily bound to a particular flesh and blood person." So in reality the patient's smart card could be activated by anybody or even by a virus.

Saunders questions how the patients in this scenario or consumers in general can be confident that appropriate security measures are being employed by the institutions and businesses they are dealing with. However, she concedes that if businesses do not have to bear the loss, there is "no incentive to engage in the level of security that will prevent most of these losses." As the former Privacy Commissioner of British Columbia, Flaherty explains how that office would handle the patients' complaints by investigating both the technological and human interface issues. There is consensus that system security is often designed when access is limited to only a few individuals. As the business expands and a much larger community gains access to the network, the potential for security breaches, both intentional and accidental, increases commensurately. Ellison worries that people have too much faith in cryptography and are using one private key to access everything. Hester agrees that a single digital signature may not suffice, but that it is important to not go overboard and issue too many keys in the effort to compartmentalize access to data. Based on the other panelists' comments, Flaherty admits to an even greater degree of skepticism about technological solutions; he no longer believes digital signatures are a "Holy Grail." Saunders is adamant that companies should be forced to pay monetary damages for security breaches. Hester reminds everyone that the "strength of a system is no better than its weakest link" (i.e. human behavior). Ellison also concurs that it is essential to "check the reality of the system" because too many systems with huge online communities are still operating based on the small community model.

Building Diversity Online

Karen Coyle, California Digital Library (moderator)Greg Bishop, TheStreet.com

This session was held to address two concerns:

1. 1.

   that a majority of the people of the world are not connected and therefore are not part of the online community, and

2. 2.

   that CFP preaches to the converted rather than raising the consciousness of a wider populace to the significance of computer privacy issues.

After asking the question, "Are we doing enough to increase the diversity on the Net?," Coyle suggests that those of us who are up to speed technologically should adopt the philosophy "each one, teach one." An audience member proposes that CFP should establish committees to develop outreach activities, such as a series of short videos on social/technological issues that could be shown in schools and senior centers, as well as to the whole spectrum of community service organizations that are always looking for topics and speakers. Sessions on MP3 and other hot consumer topics might attract attention.

Audience members suggest that the Conference on Freedom and Privacy itself could become more diverse by scheduling a conference in Europe or Asia, by mounting some of the conference on the Web so that people around the world could participate, by offering scholarships, by offering free admission to students residing in each conference city, and by appointing more diverse program committees that would be more likely to introduce panel topics with appeal to more diverse audiences. A dissenting voice contends that it is more important to increase minorities in the technical areas and graduate schools rather than at the CFP conference.

Internet Voting: Spurring or Corrupting Democracy? ­ A Debate

Lance J. Hoffman, professor, computer science, George Washington University (moderator)Joe Mohen, CEO, Election.com, Inc.Hans von Spakovsky, Voting Integrity ProjectPaul Craft, Florida Dept. of State, Division of ElectionsBerry Schoenmakers, professor, Eindhoven University of TechnologyDavid Jefferson, Compaq Systems Research Center; chair, Technical Committee, California Internet Voting Taskforce

This session features a lively debate on the pros and cons of Internet voting. Joe Mohen is most enthusiastic on the pro side, coming to CFP only a few weeks after his company, election.com, offered Arizona citizens the opportunity to vote in the state's Democratic primary via the Internet. The high voter turnout (600 percent over 1996) leads him to predict that the convenience of Internet voting will reverse the 30-year decline in participation in all US elections. However, Spakovsky says to take those high turnout figures with a grain of salt, revealing that election.com spent over $1 million on a get-out-the-vote campaign. Speaking as a member of the advisory board of a national nonpartisan voting watchdog organization, he reminds the audience that Internet voting cannot yet provide three of the most important requirements of any voting system: equal access to the ballot box, ballot secrecy, and ballot security. Jefferson chaired the California Taskforce whose 1999 report opposed implementing remote Internet voting until voter authentication could be improved, multiple languages could be supported, handicapped access could be available, platform discrimination could be largely eliminated, and ballots could be secure. Schoenmakers is confident that 20 years' experience with public key cryptography will soon provide the ability to design election systems that guarantee ballot secrecy and auditability.

Kraft, a Florida election administrator, agrees that Internet voting is definitely on the way but insists that we need standards to address all of the issues mentioned by panelists. Hoffman announces that the Internet Voting Technology Alliance is already working to develop standards and the Voting Integrity Project is presently drafting model legislation. Mohen remains convinced that Internet elections will save money for election authorities while increasing accessibility and therefore fairness.

Hot Topics: Health Privacy

Ari Schwartz, Center for Democracy and Technology (moderator)Peter Swire, Chief Privacy Counselor, US Office of Management and BudgetAngela Choy, Georgetown Health Privacy ProjectGreg Miller, MedicaLogic, Inc.Rebecca Daugherty, Reporters Committee for the Freedom of the Press

The proliferation of online databases is of particular concern in the medical field because "of all the records that are maintained by third parties, health records are the most widely circulated." Schwartz briefly reviews the proposed US health-care information regulations that address such practices as notice, security, use limitations, and consent. Swire continues this discussion, stressing the efforts the Clinton administration has made to "get privacy built into our new structures." The proposed rules cover health-care providers, clearinghouses, and health insurance plans but do not regulate such entities as law enforcement agencies, researchers, public health officials, and the press. However, the regulations do attempt to limit the "minimum necessary data to third parties." Choy argues that the regulations need to be more comprehensive, particularly with respect to third-party access. She insists that "people will be afraid to participate in their own health care unless they are convinced that medical information will be handled with some degree of confidentiality." Health care could be severely compromised if patients withhold information, fearing that disclosure could result in denial of employment or insurance benefits.

Miller characterizes health care in the USA as a "train wreck," pointing to the inefficiencies caused by over reliance on paper files which still represent 90 percent of medical records. His company, MedicaLogic, which works with outpatient clinics and physicians in private practice, creates electronic medical records. He details the advantages of such records, citing ubiquitous access, reduction in medical errors, cost reductions, workflow improvements, and enhanced quality of care. Daugherty examines the proposed regulations from a reporter's perspective. If implemented, she anticipates significant legal difficulties for the media in gathering and providing information. Citing how the media publicized the government's plutonium injection and Tuskegee syphilis experiments, she insists that "we can't leave oversight to the doctors and the government." She argues that the regulations would prevent the media from gaining access to "truthful, non-stigmatizing information that has always been protected by the First Amendment." While there is consensus among the panelists and audience that the public does have a legitimate interest in many cases, there is also the concern, expressed by Anne Cavoukian, that too often curiosity is the reason personal health information is sought by the media.

Broadband and Speech

Andrew Clement, University of Toronto (moderator)Myles Losch, Association for Computing MachineryJohn Morris, Center for Democracy and TechnologySheridan Scott, attorney, Bell CanadaChristopher Taylor, attorney, Canadian Cable Television AssociationDavid Colville, vice-chair of communications, Canadian Radio, Television and Telecommunications CommissionLiss Jeffrey, adjunct faculty, McLuhan Program, University of Toronto

Losch and Morris submitted papers (available at http://cfp2000.org/papers/losch.pdf and http://cfp2000.org/papers/morrisberman.pdf) that were to be read by panelists in preparation for this discussion. Scott summarizes their main points as follows:

• •

  High-speed access is coming soon, bringing access to richer information.

• •

  Only people with a lot of resources will be able to afford the geographically dispersed servers that will be necessary to provide quality content (this is called the "distributed content model").

• •

  Those providing content rich in multimedia and graphics will have more influence than those who do not.

• •

  There will be greater consolidation of Internet service providers (ISPs), which could adversely influence freedom of expression.

Although she is somewhat worried that gatekeepers will proliferate along with set-top boxes, she thinks it possible that changes in the technology will eliminate the need for geographically dispersed servers. Morris remains deeply concerned that, along with the consolidation in the Internet service provider business brought about by the broadband rollout, "we risk eliminating one of the most valuable and dynamic aspects of the Net ­ the ability of small speakers to compete on a relatively level playing field with the big speakers."

Taylor foresees more and more ISPs offering a "walled garden," partly because so many customers wish to avoid full access to everything on the Internet. Colville speaks about Canadian legislation that has opened the local telephone markets to innovation with the goal of providing broadband network access to every home in the country. Active for many years as a citizens' advocate on telecommunications issues in Canada, Jeffrey works to "build bridges between the technical and the social sides to ensure that democracy is what we get out of access to the technology." She has conducted online hearings about the new media for the Canadian Radio, Television, and Telecommunications Commission and is currently leading a conference that is developing the architecture for an "ecommons," an electronic public space.

Is Technology Neutral? Space, Time and the Biases of Communication

Leslie Regan Shade, Dept. of Communication, University of Ottawa (moderator)Paulina Borsook, journalist, author, Cyberselfish Reg Whitaker, author, The End Of Privacy; professor, political science, York University, TorontoMarita Moll, Canadian Teachers' Federation

This panel is charged with discussing how "digitization has influenced our socio-economic, cultural, and political landscapes." The topic was suggested by consideration of the theories of Canadian political economist Harold Innis who, long before the era of the Internet, analyzed how the communications media affected the political environment. According to Moll, "he identified the time-binding media which supported decentralized politics and the space-binding media which supported centralized politics."

Whitaker provides an unequivocal negative answer to the question in the title of this session, "Is technology neutral?" While admitting that "its bias is not readily predictable and its consequences are often unanticipated," he observes that "technologies are inherently double-sided; they empower at the same time as they impair and control." His thesis is that, as digitization has become increasingly pervasive, we are shifting from "the surveillance state to the surveillance economy." The state's surveillance power has been weakened by the fact that digitized communication jumps in real time over territorial boundaries. Furthermore, there is no longer a need for centralized information gatherers since surveillance technology is available throughout the network knowledge economy. Whitaker is concerned that, as privacy and personal information has become a product to trade or sell, individuals are increasingly defined in their role as consumers. Moderator Shade concurs when she states that "increasing corporatization and commercialization" have resulted in "e-commerce values (replacing) e-commons values."

Strangely enough, Moll was cured of her "technoeuphoria" when she participated on Canada's Board of Industry Schoolnet project intended to quickly wire up the nation's schools. She became critical of the prevailing view when it struck her that "the agenda to connect schools didn't seem to be very concerned with learning, but more with getting the economy into the new millennium." Not only is she concerned about the commercial emphasis of the project, but she worries about losing distinctive cultures around the world because of the predominance of the English language and North American corporations on the globalized media streaming into classrooms around the world.

Indirect Threats to Freedom and Privacy: Governance of the Internet

Fred Baker, chair, Internet Engineering Taskforce, CiscoTimothy Schoechle, International Center for Standards Research, University of ColoradoJean-Francois Abramatic, World Wide Web Consortium

According to Schoechle, Internet standards bodies are increasingly being forced to deal with issues with much broader social implications than the technological concerns that preoccupied them in the early days of the Internet. It is therefore appropriate that these bodies, namely the Internet Engineering Taskforce (IETF) and the World Wide Web Consortium (W3C), operate in a sphere of public discourse that exists somewhere in between the public and private sectors and that they seek ever wider participation, not only from technical experts.

Baker discusses how issues of security and privacy were recognized and afforded extremely open discussion on a mailing list named "Raven" shortly after several engineers proposed new protocol specifications that would have facilitated wiretapping. As chair of the IETF, he spends more and more time talking with governments that have opposing viewpoints on issues, even though he claims the Internet itself is "not really international but anational because it ignores the existence of nations."

Abramatic mentions the four domains that are the primary concerns of W3C (architecture, user interface, technology and society, and Web accessibility initiative) and discusses W3C's need to function in a manner reflecting the networked, decentralized, and quickly evolving nature of the Internet itself. He proudly depicts W3C as an open and democratic meeting place of all who could be impacted by its decisions.

Personal Data Privacy in the Pacific Rim: A Real Possibility?

Jim Tam, Ryerson Polytechnic University (moderator)Jim T.M. Lin, National Central University, TaiwanKate Lundy, Senator, Parliament of AustraliaStephen Lau, Privacy Commissioner for Personal Data, Hong Kong

In order to support his claim that the modus operandi of governments in the Asia Pacific region involves surveillance and control, Moderator Tam offers the facts that the Singaporian government once scanned 200,000 computers under the pretext of searching for a virus, that the Japanese government approved a wiretap bill last year, and that the Chinese government is empowered to obtain lists of customers' long distance calls from that country's telecommunications providers. On the other hand, Hong Kong Privacy Commissioner Lau prefers to focus on the diversity in this vast region. Although the notion of privacy is fairly recent in some countries, it is already being viewed as a basic human right in others. He gives a quick overview of the region, emphasizing the variety of personal data privacy models throughout the Pacific Rim. China, Singapore, Malaysia, Philippines, and India have no specific regulations to date, while Japan, South Korea, Thailand, and Australia have laws that mainly cover the government sectors. Fairly comprehensive legislation can be found in Taiwan, Hong Kong and New Zealand.

In Australia, the public has been calling for privacy legislation to be extended to the private sector ever since the 30 November 1999, news story about Packer, Australia's biggest media company, collaborating with the US company Acxiom to develop an enormous database about Australian consumers. Australian Senator Lundy details the provisions of proposed legislation that would create a co-regulatory system. All stakeholders, including business, the community, and the government, would participate in the development and application of rules and regulations. Professor Lin discusses Taiwan's Data Protection Act, which follows OECD guidelines but, interestingly, never mentions the word "privacy" because it is not a well-recognized concept in the Chinese vocabulary and culture.

During the moderated discussion period, Lau applies quotations to the three types of data privacy models as follows: the European Community model seems to work by saying, "You can't do this; you can't do that"; the self-regulatory model employed in the USA has been likened to "the rabbit looking after the lettuce" or "Dracula looking after the blood bank"; while the co-regulatory model gives the message, "How can we work together to make it a win-win situation?"

Campaign Finance Law and Free Expression

Matt Grossman, Center for Democracy and Technology (moderator)Zack Exley, www.gwbush.comKarl Sandstrom, commissioner, Federal Election Commission

The Internet is playing an increasingly large role in American political discussion. Not only are political parties and official candidates mounting Web sites, but more and more private individuals are either creating Web pages promoting their favorite candidates or adding links on their personal Web pages to candidates' home pages. A total of 25 percent of American citizens expect to obtain some political information from the Internet during the 2000 election. Senator John McCain raised millions of dollars over the Internet. All of this activity led the Federal Election Commission (FEC) to perform some investigation and inquiry in order to determine how existing laws could be applied in the online environment. The FEC has ruled that Compuserve may not supply free home pages to all candidates because that would be considered a prohibited corporate contribution. However, the Commission has backed off its original position, which stated that any individual who creates a Web site in support of a candidate would need to register with the Commission and report related expenses as campaign contributions, including a share of the cost of computer equipment and Internet connectivity.

This panel would have been more contentious if FEC Commissioner Sandstrom had not stated the positions that "the present Commission does not consider the Internet a threat to the continuing vitality of our election laws," and that the Internet actually "holds great promise for enhancing democracy." His main reservation at this point in time concerns possible threats as the broadband environment expands. Sandstrom's open-minded positions seemed to wilt the fervor of Zack Exley, founder of a George W. Bush parody Web site (www.gwbush.com), who said he was actually "hoping that Karl (Sandstrom) would be the evil authority (on the panel)." He claims that personal Web sites should be given the press's exemption from charges of "express advocacy" because "No one goes to Web sites unless they want to, so they're like newspapers or magazines."

The Center for Democracy and Techology (CDT) considers the Internet to be a new and different sort of medium that, if left unregulated, will actually foster the stated goal of the Federal Election Campaign Act, "to broaden the diversity of groups that can have input on the election process and return our election process to the people." The CDT has requested that the Federal Election Commission postpone all decision making until after the 2000 election, at which time it will be able to assess whether or not political campaigns have abused the law and to evaluate the creative ways individuals have chosen to express themselves online.

Ten Years of CFP: Looking Back, Looking Forward

Larry Abramson, National Public Radio (moderator)Barbara Simons, ACMStewart Baker, Steptoe & Johnson LLPBen Smilowitz, Washington UniversitySimon Davies, Privacy InternationalRonald Plesser, Piper Marbury Rudnick & Wolfe LLPJessica Litman, Wayne State University

In this last session of the conference, panelists offer their perspectives on the issues covered at CFP. Moderator Abramson stresses the "importance of setting up a stable Internet society." As people perform more and more activities online, he sees a merging of the public and private sectors. While conceding that privacy protections are necessary, Abramson cautions against isolating ourselves, stressing that "people also owe something to the community." Simons' concern is that "people do not want to be confronted with hard problems," especially problems that create "ethical dilemmas." Baker contends that "where freedom has butted up against privacy, freedom ... is losing and privacy is winning." He cites the Microsoft Universal ID Number and the Intel Processor Serial Number cases as examples of how the government successfully pressured corporations that overstepped the privacy boundary. Ironically, however, demands for more privacy protections could actually force companies to link up more databases in order to comply with requests by individuals to see all the collected data about them. Smilowitz, a student activist, stresses that, although his generation may be extremely knowledgeable about the technology, it is not particularly interested in political and social issues. Davies, the most vociferous of the panelists, argues that the "core dynamic is still them versus us." He harshly criticizes the "them" groups who have used their wealth and influence over the past ten years to create and lubricate a culture of surveillance. Frustrated by the naivete and lack of anger in the rest of us, he foresees a "clear ethical divide" occurring within the next five to ten years. In stark contrast, Plesser congratulates industry for taking responsibility and adopting ethical positions. In his opinion, it is no longer a question of whether the Internet will be regulated but who will do it and in what manner. He urges consumers, industry, and governments to work together to solve problems. Litman decries our natural tendency to want to keep control, which can be very destructive in a changing world. In trying to build an online environment that conforms to our values, we must guard against making "it unsafe for people unlike us."

In response to Plesser's comments about Internet regulation, Simons stresses that the "Internet was originally designed to not have regulation." We are experiencing so many problems now as a result of trying to superimpose values on a system that was not designed to handle that kind of structure and control. And since these issues are technologically complicated, most people have no idea of the decisions being made for them with the result that "we're losing our rights." Panelists and audience members agree that there is a lack of gender and racial diversity in conference participants and attendees. This undoubtedly is a reflection of cultural, financial, and educational inequities in society as a whole. There is consensus that future CFPs should focus on these digital divide issues and how to use technology to solve social problems.

Mary Meernik is Cataloging Librarian, lib_meernik@online.emich.edu, and Barbara Glover is Cataloger and Federal Depository Librarian, lib_glover@online.emich.edu, Bruce T. Halle Library, Eastern Michigan University, Ypsilanti, Michigan.