[This file contains two summaries of CFP 1.] The First Conference on Computers, Freedom & Privacy March 26-28, 1991, SFO Airport Marriott Hotel, Burlingame, California Theme: Pursuing Policies for the Information Age in the Bicentennial Year of the Bill of Rights In planning this conference the organizers wanted to open channels of communication between diverse interest groups in the online community. There were about twelve organizations sponsoring the meeting including IEEE, Association for Computing Machinery, Apple Computer, Autodesk, Electronic Frontier Foundation, Cato Institute, Computer Professionals for Social Responsibility, Electronic Networking Assn., Portal Communications, Videotex Industry Assn., the WELL and numerous individuals who donated their time and energy over a six month period. Jim Warren (jwarren@well.sf.ca.us) was the conference chair and helped make everything run smoothly and on time. Given the extremely full agenda, it was an amazing feat. To give you an idea of the diversity that is not evident by the sponsoring organizations, youUd have to see the color codes each attendee could affix to his or her badge: fluorescent green: freedom of electronic speech, assembly and press green:freedom of information; library and information services fluor. yellow:computer security yellow: email, bulletin boards, computer conferencing fluor red: law enforcement, prosecution, criminal justice red: legislation and regulation fluor orange: personal information services; direct marketing orange: privacy of personal information light blue: Practice of civil law dark blue: Practice of criminal law pink: computing brown: computer hacker(and not a cracker) black: (former) computer cracker or phone phreaque Monday was devoted to tutorials on computer communications and the global matrix; computer related legislation in the U.S.; how computer crackers crack; impacts of the U.S. on European Privacy Initiatives. I arrived Tuesday morning, March 26. Professor Laurence Tribe of Harvard Law School spoke on "The Constitution in the Information Age". In this keynote he tried to 'map the text and structure of our Constitution onto the topology of cyberspace' by examining a number of cases involving computer intrusion, Prodigy electronic mail controversies, copyright issues, government control of information, and the way new technology changes our institutions. One of his axioms was that the "accidents of technology" should not affect constitutional principles because "the framers were not just clever; they were astoundingly wise." For some reason he allowed no questions from the floor and after a break, the first of eleven panels convened. There was only one formal track, but after a few hours people began choosing either to stay in the formal session or discuss hot issues in the halls. There was almost no digital component to the whole conference except for a few of us taking notes on portables. All presentations were verbal with a few overheads and slides; all of it was video and audiotaped for later sale, transcription, and archiving. The panels and a few highlights-- Trends in computers and networks: John Quarterman "The Matrix as Volksnet" David Farber "Will the Global Village be a Police State?" Peter Denning "Computers Under Attack" Martin Hellman "Cryptography and Privacy: The Human Factor" International Perspectives and Impacts Personal Information and Privacy (two panels) Janlori Goldman, ACLU Project on privacy and technology John Baker, Equifax (supplied Lotus with data for Marketplace) Baker discussed attitudes toward privacy by the American people of whom 25% can be called Privacy Fundamentalists, 58% Privacy Pragmatists, 17% who donUt care about the issues. Marc Rotenberg, CPSR (helped stop Lotus Marketplace) and Alan Westin, Pr. of Public Law and Govt. Columbia U. had an interesting debate "Should individuals have absolute control over secondary use of their personal information?" What is the correct secondary use of personal information? For instance, should ALA have the right to sell its mailing list to exhibitors, or should you have to opt in before they can use your personal information? Rotenberg said you should have absolute control; Westin said that for research you should not need to get an okay, but he did predict that by 2000 we will only use consensual databases and the subjects will be compensated for that use. Most people agreed that personal preferences are valuable, and this could include buying patterns, magazine subscriptions, or reading tastes. The fact that companies are buying the mailing lists mean that each piece does have value. The computer tools to analyze and massage this information are filtering down past the direct marketing firms and big companies. This will present the library community with some quandaries: how much of this do you use for library marketing, for justifying your spending patterns for resources and services? In a following panel Evan Hendricks of "Privacy Times" he recounted some abuses by government and industry including the secret Social Security matching program with TRW. They found that in two groups of names and SS numbers (150,000 and one million names) about 20% were inaccurate! He also detailed how the trend may be toward using human genetic information in hiring practices that will not focus on just you but also your ancestors. As a result of these panels and previous meetings the U.S. Privacy Council was born, and the first brief meeting was held at the conference. It will be an umbrella group of organizations concerned with privacy issues in the U.S. (which is lagging behind other industrial countries in privacy protection). Eli Noam, Columbia School of Business spoke that evening on "Reconciling Free Speech and Freedom of Association" saying that the model of a network as a common carrier would insure non-discrimination of content providers and greatly reduce censorship. The future problem for network users will be the absorption of information and how to get rid of unwanted information (filtering). We have about 11 million words per day flowing into homes, and there is much work to be done on the screening processes. Wednesday The law enforcement panel was chaired by Glenn Tenney, a computer programmer and organizer of the annual Hackers Conference. Participating were personnel from the Columbus, Ohio, computer crime unit; U.S. Secret Service, the New York State Police, and Don Ingraham, Alameda County (CA) D.A.'s office. Ingraham addressed the crowd and said "We're a bunch of lions being thrown to the Christians" which brought a big laugh, but then he said the inhabitants of Cyberspace ought to grow up and realize that inhabitants of the frontier are usually displaced by newcomers. He also noted that in spite of the diversity of the gathering, the victims of computer crime were not present (though many were, of course). The reports by the working cops were most interesting. Most are working without very strong support from the upper chain of command or without sufficient resources to become educated and support the growing number of reports or calls for help from other law enforcement agencies. However, Mike Gibbons (login id is 'gman') of the FBI said that Director Sessions considers computer crime extremely important and a very high priority. The next panel included civil libertarians discussing the same issues facing the police. Mitchell Kapor said the frontier has NOT been settled, and that we still don't know how to extend the First Amendment to bulletin board systems. He noted that the law enforcement world is a lot more black and white than his world. He does not think that hackers fit into this set world. Protecting the rights of hackers is the same as protecting the rights of any individual, no matter who they are. In another session Kapor announced two new initiatives for the Electronic Frontier Foundation: --Beyond NREN: involvement in the discussion about public policies about the national information infrastructure: cost, control, governance, and access issues. --THE BIG DUMMY'S GUIDE TO THE NET, a guide for the non-expert who wants to master the net. Part Whole Earth Catalog; part John Muir guide to Volkswagen repair manual (a classic in the 60's). Computer-Based Surveillance of Individuals There were a handful of librarians present from LITA, U.C. Davis, a U.C. Berkeley student, Freedom to Read Foundation, Berkeley Public Library, and Judith Krug, Office of Intellectual Freedom. She pinch hitted for another panelist and did a very persuasive re-telling of the various surveillance projects that have been directed at libraries especially the FBI Library Awareness Program. Gary Marx from MIT discussed the technology which had "laser-like proficiency and sponge-like absorbency' and was being used in a variety of disturbing ways. The words 'chilling effect' were used far too often, but, indeed, that's what it is. One example that drew gasps from the audience: a kid's TV show has the clown asking the little viewers to hold the phone receiver up to the set. His program delivers signals to all an 800 number and the automatic number identification used on all 800 numbers, generates a database of interested children! Instant marketing! While I am listing panel after panel, my time was spent sitting and listening, taking long breaks to drift in and out of interesting and bizarre discussions between writers, hackers, cops, anarchists, and lawyers. I talked about book preservation with Bruce Sterling the author of various good books published on bad paper, about data havens where rogue databases would be generated in places like Haiti or SE Asia and re-sold back to the developed world. There were libertarians skeptical of government involvement in NREN, in research, in supporting libraries. There were law enforcement people dealing with the same information management problems that many of us have. Each night I went home exhausted with no time to do anything but sleep and compost some of the ideas and get ready for the next intellectual onslaught. Thursday began with a very lively session on Electronic Free Speech, Press & Assembly. One of the Prodigy protesters who did not have a seat on the main panel disrupted the session (which included George Perry, general counsel for Prodigy Services Co.). He was told to shut up and sit down, but a separate meeting room was provided for people who wanted to discuss that issue only. During the panel session many people talked about Prodigy, but it did not dominate the threads of discussion. Jack Rickard, Editor, Boardwatch Magazine, 5970 S. Vivian St., Littleton, CO (303-973-4222) impressed me with his knowledge of the grass roots electronic publishing scene: electronic bulletin boards. His magazine is print and electronic and well worth following if you are tracking trends and innovative use of small systems for delivering information. He calls the people running these systems "native librarians" because they have an incredible amount of information about narrow subjects whether it is child abuse, Superman ephemera, cockatiels, or any other subject. He estimates that there are 32,000 systems and these will increase to 60,000 by the end of 1991. Most are self-funded and not protected in the way librarians are when we make available all sorts of information to our clients. Rickard said the costs of defending innocence were becoming so great that BBS liability is discussed by most system operators. David Hughes, Old Colorado City Communications, Colorado Springs, CO gave a rousing call to modems that brought a standing ovation and cheers. His thoughts may be shared this summer at the LITA president's program in Atlanta, so I won't give it all away in this report. Don't miss it! Access to Government Information included Harry Hammitt, Editor of Access Reports; Katherine Mawdsley, U.C. Davis Library (kfmawdsley@ucdavis.edu) discussed the depository library model and access issues. She outlined the ALA statement of principles in her fine presentation. Robert Veeder, OMB, substituted for Ken Allen of the Information Industry Association. He discussed how difficult it was to develop a dissemination policy for government. The OMB used to reflect the pro-privatization bias of the Reagan administration, but now it is more neutral. The current policy will be framed within the Paperwork Reduction Act negotiations. Note that there was a March 4 Federal Register notice about information dissemination bills, and that by the end of May there will be a proposal. He said he would make sure that it is disseminated electronically on the networks represented in the room. He has been telling the agencies to stay in touch with the user communities. Veeder was surprised at how many people in the audience went to the library to get government information, about 150 out of 200 present, yet all of them want to get it electronically from a node in the library or from their home. David Burnham, Transactional Records Access Clearinghouse, 666 Pennsylvania Ave SE, #303, Washington, DC 2003 (202 544 8722) talked about the use of very large data sets from different government agencies (IRS, DEA) and the kinds of information that is generated by the skillful massaging of data. It is still a major effort to get the data, work with it, and come out with something an interested party can understand. After talking with him in his office and at this conference I am convinced that once we have the structured and free text database retrieval interfaces usable by average users, it will be time to tackle the same thing for large data sets. The final panel was on Ethics and Education and included a very strong speech from John Gilmore, one of the founders of Sun Microsystems and now a partner in Cygnus Support (gnu@cygnus.com). He believed that personal privacy and an open society were attainable, and he believes that an open society outperforms a closed one. He felt our society was being 'nibbled to death by ducks' and implied that there were too many laws and regulations seeking to control this or that behavior. When he asked who, in the past month, had not broken a law, the only person to raise a hand was a librarian! Gilmore said we needed true financial privacy and anonymity when we interact. His talk will be available electronically after he transcribes it. I'll post a pointer at that time. In the Where-do-we-go-from-here wrap-up it was stated that a second conference will be held in 1992 in Washington, DC, and will be chaired by Pr. Lance Hoffman, EE/CS Dept., George Washington U., Washinton, DC. Everyone went back with different action items for various communities. Law enforcement people were revising search and seizure laws; computer crime consultants were rubbing their hands together in anticipation of more billable hours; information users understood the role of the library as part of the process; librarians understood that nobody was waiting for us to solve information dissemination problems, so it's time for us to mix even more with these disparate user communities to discuss the many issues raised at this landmark conference. Published proceedings from Springer Verlag will be available for $29.95, no later than 9/91. CFP Proceedings, 345 Swett Road, Woodside, CA 94062. fax: 415-851-2814. They may not be prepared to hand P.O.'s so ask before sending one. This will also be the address to inquire about videos of the sessions. Steve Cisler Apple Library sac@apple.com ************************************************************************ From: mercuri@grad1.cis.upenn.edu (Rebecca Mercuri) Date: Mon, 1 Apr 91 22:56:31 EST [not an April Fool's joke] Subject: Computers, Freedom, Privacy Trip Report The following constitutes my trip report for the Computers, Freedom and Privacy Conference held March 26-28, Airport Marriott Hotel, Burlingame, California. Although I have made a sincere attempt to relate the events of the conference in a fair and unbiased manner, the nature of the material covered entails a certain amount of emotion and it is difficult, if not impossible, to separate one's own feelings from the subject matter. I therefore apologize for any inadvertent mistakes, omissions, or philosophical commentary. Readers are encouraged to send corrections to me at the email address below. No flames please! Respectfully submitted, R. T. Mercuri mercuri@gradient.cis.upenn.edu No portion of this document may be copied or distributed for commercial purposes without the prior express written permission of the author. Non-commercial uses are permitted, but the author and source must be credited. Copyright (C) 1991 R. T. Mercuri. All Rights Reserved. [Edited lightly by PGN and included in RISKS with permission of the author.] This work was partially supported by the University of Pennsylvania's Distributed Systems Laboratory as a part of its promotion of the professional activities of its students. Matching funds were also provided by Election Watch, a division of the Urban Policy Research Institute, a non-profit organization. ====================================================================== The First Conference on Computers, Freedom and Privacy was organized and chaired by Jim Warren, and sponsored by the Computer Professionals for Social Responsibility (CPSR). Numerous other organizations also lent their support to the conference, which was attended by approximately 400 individuals (described by Terry Winograd as ranging >from the sandals of Silicon Valley to the dark suits of Washington) covering the fields of law, investigation, programming, engineering, computer science, hacking, industry, media, academics, government, law enforcement, and civil rights. The crowd was about 75% male, with very few minorities in evidence (only ~10% of the speakers were female, and none were minorities). Attendees formed a veritable who's who of hacking with key figures such as Captain Crunch, Phiber Optik, Steve Jackson, Craig Neidorf, and other notables there, some accompanied by an entourage of defense and prosecuting attorneys. Cliff Stoll and Ted Nelson (separately) took the opportunity to distribute copies of their books and give autos. (Cliff was fond of playing with a brightly- colored yo-yo and writing memos to himself on his hand, Ted appeared to be creating a video record of the conference by filming each speaker with a small hand-held camera for a few seconds as each talk began.) A list of attendees was distributed, providing all information that each participant marked as "open". The vast majority of participants provided their name, company, address, phone number and email address. Some people remarked privately that had they been more aware of the manner in which such information is currently being used, they likely would have "closed" more of their own data. (The list was printed in name-alphabetical order so it was unfortunately possible to derive the names of individuals who elected not to be listed.) Jim Warren, who described himself as a self-made multi-millionaire, entrepreneur, futures columnist, and member of the board of directors of MicroTimes and Autodesk, Inc., took a severe loss on the conference. He had estimated break-even at 500 participants, but had only achieved around 300 paid admissions as most of the media and some staff members attended for free. To his credit, he organized a fast-paced, well-run (on-time) conference which allowed many of the key figures in this field to present their thoughts and ideas. Audio and videotapes, as well as the conference proceedings (published by Springer-Verlag) will be available shortly [write to CFP Proceedings, 345 Swett Road, Woodside, CA 94062]. The conference was preceded by a day of tutorial sessions, but I was unable to attend those activities. My major criticism regarding the conference was that the sheer volume of speakers (over 20 per day) allowed little time for questioning from the audience. Many of those who were not wearing red speaker's badges began feeling like second-class citizens whose opinions were neither wanted nor recognized. If someone managed to obtain a microphone and used it to make a statement rather than to ask a question, they were routinely hissed by a large portion of the audience. The unresolved tension became most obvious on the last day of the conference when, during the panel discussion on Electronic Speech, Press & Assembly, a loud altercation broke out in the front of the room. This panel had a representative from Prodigy Services, but the person who was supposed to give opposing commentary (apparently regarding the email privacy issue) had been unable to appear. Certain attendees were prepared to present their views, but were informed that they would not be permitted to do so. A private meeting was arranged for those who wished to discuss the Prodigy matter, but many found this to be unacceptable. An oft-heard word describing the material revealed during the conference was "chilling". After the second day of the conference I became aware of how invasive the monitoring systems have become. As I returned to my room within the hotel, I realized that my use of the electronic pass-key system could alert the hotel staff of my entry and exit times. People could leave messages for me, which would be reported on my television screen, all of this being recorded in some database somewhere, possibly not being erased after my departure. My entire hotel bill, including phone calls and meal charges could also be displayed on my television screen, along with my name, for anyone to access (without a password) if they were in my room. Chilling indeed. Pondering all of this, I left the room, lured to the hotel lobby by the sound of what I assumed to be a cocktail piano player. When I located the baby grand piano I realized that, through the high-tech wonders of Yamaha, no human sat at the keyboard. A sophisticated computerized unit rendered a seemingly- endless sequence of expertly arranged tunes, with no requests allowed from the audience. This ghostly image reemphasized, to me, the silent pervasion of computers into our daily lives, and the potential erosion of personal freedom and privacy. Throughout the conference, many problems were posed, few answers were given. Factions developed --- some people felt we needed more laws, some people felt we needed fewer laws, some felt that all data (including program code) should be free and accessible to everyone, some felt that everything is personal property and should be specifically released by the owner(s) prior to general use. Certain people felt that all problems could be resolved by tightly encrypting everything at all times (the issue of password distribution and retention was ignored). What was resolved was to form an organization called the US Privacy Council which "will attempt to build a consensus on privacy needs, means, and ends, and will push to educate the industry, legislatures, and citizens about privacy issues." The first thing this organization did was form a newsgroup, called alt.privacy. I observed that at least 50 messages were posted to this newsgroup within the 3 days following the conference, most pertaining to privacy of emails. This was disappointing, to say the least. Presumably people will use the mailing list and the newsgroup to disseminate information, but whether this is merely a duplication of other existing newsgroups (such as RISKS), and whether the Privacy Council will have any impact at all, shall be left to be seen. The conference opened with a comment by Jim Warren that this meeting could be "the first Constitutional Convention of the new frontier". He then introduced Harvard Law Professor Lawrence Tribe who used the analogy of cyberspace to describe some of the problems of a "virtual constitutional reality". He quoted Eli Noam as saying that "networks become political entities" and that there could conceivably be "data havens", private networks much like Swiss bank accounts, which are virtual governments in themselves. He asserted that a bulletin board sysop is not a publisher, in the same way that a private bookstore owner is not a publisher. The individual merely makes the products available, and has the responsibilities of a seller, not a publisher. Tribe then went on to delineate five major points. First, there is a vital difference between governmental (public) and private actions. Second, ownership is an issue that goes beyond that which may be technologically feasible. Property encourages productivity. You have a constitutional right to inhabit your own body. Free speech may be a luxury we can't afford (like yelling "fire" in a crowded theater, or viruses roaming the network). Third, the government cannot control speech as such. Recently it was ruled that answers to very simple questions (such as your name, age) are considered testimonial, as they require the use of the human mind. Fourth, the Constitution was founded on a normative understanding of humanity, and should not be subject to disproof by science and technology. The words of the 4th Amendment apply to material things, it defends people, not places. It is the task of law to inform and project an evolutionary reading of the bill of rights to new situations. Fifth, Constitutional principles should not vary with accidents of technology. In conclusion, Tribe proposed an additional amendment to the constitution which asserted that "this Constitution's protection for freedom of speech, press, assembly...shall be construed as fully applicable without regard to the technological medium used." The first panel discussion of the conference was titled: Trends in Computers and Networks. Peter Denning of NASA Ames introduced the panel by stating that computers are now under attack due to security being added on as an afterthought. John Quarterman of Texas Internet Consulting then discussed the manner in which user/host names could be made more readable (accessable) on the network. Peter Neumann of SRI overviewed general issues surrounding the authorship of the "Computers at Risk" book, stating that the group involved with the text was primarily interested in motivating efforts towards evaluating safe, secure, reliable systems (and that they only proposed general guidelines in the text). He warned the listeners "don't wait for the catastrophe". Neumann also mentioned the issue of disenfranchization of the poor and lower class who will be unable to access the new technology, stating that "gaps are getting much bigger". Martin Hellman of Stanford University discussed cryptography. He stated that the 56 bit DES standard was set not by technology, but instead by economics. He mentioned a study at Bell Labs that indicated that 70% of all passwords there could be cracked using a dictionary technique. He believes that technology will not solve all of our problems, and that persons who are concerned about social responsibility are not (necessarily) anti-technical. David Chaum of DigiCash spoke about informational rights and secure channels with regard to electronic money transactions. He believes that with an adequately encrypted system there is no necessity for a central, mutually trusted party. The problem is in finding a practical encryption protocol, or a distributed, mutually-trusted tamper-proof box solution. David Farber of the University of Pennsylvania expressed the view that protection schemes might not be "retrofittable" and should be part of the fundamental design of computer architecture, protocols and technology, rather than being tacked on, but he worried that people may not be willing to pay for these design features. Farber also mentioned the possibility of retroactive wiretapping, where archived data could be obtained through invasive means. The second panel session was titled: International Perspectives and Impacts. Ronald Plesser of the Washington D.C. law firm of Piper & Marbury first mentioned that these issues impact on how international business is conducted. Many countries, particularly in Europe, have already established standards with which we must comply. Databases feeding Europe must be concerned with the processing of personal data of individuals. Certain directives have been authored that are so general in scope as to be difficult to apply ("to all files located in its territory" was one example). Tom Riley, of Riley Information Services in Canada, continued this discussion regarding data protection policies. He urged the authoring of a harmonized directive, similar to that for other exports. The United States, by lagging behind in establishing standards of its own, risks the possibility of losing the opportunity to affect these policies as they are being written. David Flaherty entertained the crowd with his "George Bush" speech, stressing that "privacy begins at home". Robert Veeder of the D.C. Office of Information Regulatory Affairs discussed the impact of the 30,000+ messages to Lotus which effectively stopped the production of their CD- ROM database. This electronic lobbying had never been used to such great effect prior to that time. He believes the electronic forum will provide larger access to public concerns. (The impression I was left with was that certain governmental agencies are not wholly enthusiastic about this powerful method of expression, and that they are monitoring the situation.) Next, we heard from a variety of speakers on the subject of Personal Information and Privacy. Janlori Goldman, of the ACLU, discussed the "library lending" project by the FBI. This was an attempt to track library usage habits of foreign nationals. The ACLU objects to this sort of surveillance as well as other similar broad-based methods. An audience member criticized the ACLU's own release of membership data, to which Janlori replied that she did not agree with her organization's policy to allow such releases, but was currently unable to do more than protest against it. John Baker, Senior Vice President of Equifax, described the benefits of information with regard to improved goods, services, prices, convenience and wider choices. (Equifax is an organization which supplies marketplace data with specific information about consumers.) He stressed that people need to understand their rights, responsibilities and opportunities with regard to their published data. He believes that the Lotus Marketplace product was flawed because of the delay involved when customers wanted to "opt-out" of the database. He portrayed a spectrum of controls over data usage, ranging from no restrictions (free speech), through some restrictions (based on impact, sensitivity, access, security and confidentiality), to absolute restrictions (where the available information would have little value). Equifax took a survey on consumer interest in availability of data for direct marketing purposes which revealed that 75% would find it acceptable as long as there is a facility to opt-out. An audience member raised the point that the default is opt-out rather than opt-in. These two speakers were followed by a debate between Marc Rotenberg, Washington Office Director of the Computer Professionals for Social Responsibility, and Alan Westin, Professor of Public Law and Government at Columbia University, with the subject "should individuals have absolute control over secondary use of their personal information?" Marc argued in favor of the statement, using an eloquent oratorial style, and Alan spoke in opposition with the demeanor of a seasoned litigator. Marc made such statements as "we are all privacy advocates about something in our personal lives", "it is the most fragile freedom" and "protect privacy, change the default", stressing that the individual should have the right to control the value and use of their personal information. Alan outlined four major issues: 1. Nature of the secondary use; 2. Society should decide on fair uses, not a nihilistic veto; 3. Underpinning of constitutional democracy; 4. Adequate control protects against potential misuse. He believes that the consumer benefits from the advantages of a knowledge society. No winner/loser of the debate was declared. Speakers continued on the subject of Personal Information and Privacy. Lance Hoffman, of the EE & CS department at George Washington University, mentioned that Japan will be instituting a system of personal phone number calling --- basically you can send and receive calls at your "own" phone number wherever you happen to be situated. This permits very close tracking of individual movements and is a potential further invasion of privacy. He noted that no one has ever received the ACM Turing Award for a socially responsible system, and encouraged positive recognition of achievements along these lines. He also recommended that a "dirty dozen" list of worst systems be compiled and distributed. Evan Hendricks, editor and publisher of Privacy Times, listed many records that are and are not currently protected by law from distribution. Interestingly, video rental records are protected, but medical records are not. He cited an interesting example of a circumstance where a man and woman living in the same home (but with different last names) were sent copies of each other's bills, urging them to encourage their "roommate" to pay. It turned out that the individuals were landlady and tenant. Another interesting fact that Evan revealed was that studies indicate ~30% of social security numbers in some databases are inaccurate. Lists of persons having filed Workmen's Compensation claims have, in some cases, been used to blacklist people from jobs. Hendricks urged people to ban the recording and distribution of human genome information --- some parents voluntarily provide cellular test results in case their child is later missing or kidnapped. There is no way to know how these records are likely to be used in the future. Tom Mandel, director of the Values and Lifestyles Program (VALS) at SRI, spoke in favor of the Lotus Marketplace product. He felt that the 30K response was not representative of the general public, and believes that a small percentage of "media sophisticates" can have apply greater leverage. He noted that VALS is currently involved with a joint venture with Equifax, who is currently involved with a joint venture with Lotus. Willis Ware, of the RAND Corporation, chaired the HEW committee that led to the 1980 privacy act (a reporter preparing materials for publication can not be searched). He felt that the government previously was considered to be a threat to privacy, not a protector, and considers the privacy issue as one of social equity. He indicated that personal information should not be considered to be private property, and should be shared in an equitable manner. To apply royalties for usage would place a tremendous impact on costs. He noted that the databases behind airline, pharmacy and point-of-sale systems may be open to access by various groups including the Internal Revenue Service and Drug Enforcement personnel. Simon Davies, a member of the law faculty at Australia's University of New South Wales, provided a sobering criticism of this conference and the United States' policy making processes, stating that the conference was too "nice" and "conciliatory" and that the "US is an embarrassment to the privacy issue". He used the term "pragvocate" (pragmatic advocate) to describe policy-makers who are well-trained, say the right things, and denounce extremes, giving environmentalists as an example. He reminded us that the basis of the US system is not to "opt-out" --- no one would write to the LA police asking "don't beat me up". Davies alerted us to the fact that Thailand, an oppressive military government, is currently purchasing US technology to provide smart ID cards for their citizens. He noted that the Smithsonian Institute awarded them a trophy for their use of technology. He stated that the United States is encouraging similar activities in the Philippines and Indonesia. A somewhat light-hearted after-dinner talk was delivered by Eli Noam, of Columbia University's School of Business, on the subject of "reconciling free speech and freedom of association". He suggested that phone systems be established whereby individuals can provide their friends and associates with special access codes so that they can dial them. Others can call, but at a higher rate. (Note that this would likely have an adverse impact on legitimate business and social calls as well as possibly reducing undesirable calls.) He stated that presently "no computer can write the 4-line plot capsules that appear in TV Guide", with regard to the failure of AI systems. Noam questioned the lack of policies concerning what happens to an information data base after an individual's death. He concluded with the statement that for "all digital systems --- 0's and 1's are created equal." The second day of the conference opened with a session on Law Enforcement Practices & Problems. Glenn Tenney, well known as the organizer of the Hacker's Conference, chaired this panel with little comment. Don Ingraham, Assistant DA of Alameda County, Calif. (who, during a tutorial earlier in the week, distributed information on the writing of search warrants), gave a fantastically humorous presentation. He spoke of the "pernicious myth of cyberspace" and declared "you ARE the country". He mentioned that systems exist with "the security built in of a sieve" and that people have their information on these systems, but not necessarily because they want it to be there. He feels that the attitude of "don't worry, we don't need standards" is a poor one, and that laws should be written to let the people know what the rules are. He would rather see an organization formed called Sociable Professionals for Responsible Computing (instead of CPSR). He finished his talk by saying "if you don't do it, who will -- if not now, when" (a Talmudic quotation that he used without citation). Robert Snyder, of the Columbus Ohio Police Department, presented the view of the "cop on the street". He spoke of his naivete when first entering the field of computer law, and how much evidence was destroyed at first by listening to suspects who told him to type things like "format c:" in order to access the hard disk. He has encountered situations where the suspect actually does not know what is on the system --- some of these are cases where a parent is running a business and a child is using the machine for illicit hacking purposes. In these cases, even though he has a warrant to obtain all of the computer equipment, he often will not shut down a legitimate business. He brought up the issue of unregistered software sitting on a confiscated system. There are liability problems dealing with the return of such materials. Basically he stated that the law enforcement personnel require further education and training, and should operate within guidelines but with prudence. Donald Delaney, Senior Investigator with the New York State Police, began his talk by relating how when his home was burglarized in 1985, he experienced a feeling of violation. This feeling is much the same with computer crime. Many firms experience a loss of income from such activities. In his experience, many of the people caught are engaged in more crimes than the ones they are charged with. Dale Boll, Deputy Directory of the Fraud Division of the U.S. Secret Service, spoke of the various forms of access device fraud (credit card, ATM, passwords, phone access, frequent flyer numbers, etc.). He stated that it is illegal to posses counterfeit access devices and that if you have 15+ illegal access devices or numbers in your possession, you may be a subject of federal investigation. They have a 96% conviction rate. ATM cards can be manufactured illegally using cardboard and regular audio tape. The credit card industry is now losing $1 Billion per year. An audience member asked if they are using programs like Gofer (grep for UNIX hackers) to search for information they want on bulletin boards and networks. He replied that although they own this program, they use it personally and not for investigation purposes. The next session, on Law Enforcement and Civil Liberties, had seven participants, none of whom were given much time to present their views. I will briefly highlight what they said here. Sheldon Zenner, the Attorney for Craig Neidorf said that the prosecutors had originally sought a 2-year sentence, and that thanks to many of the people at this conference who rallied to Craig's support, they were able to get him off. Mark Rasch who defended the internet worm case stated that the expectation of privacy is changed because of the technology employed -- - technology affects behavior. Cliff Figallo, manager of the WELL (Whole Earth 'Lectronic Link, popular among many Bay Area participants as an alternative means of accessing the Internet) addressed his concerns about overuse of law enforcement. He wants his users to feel safe. Sharon Beckman, Litigation Council to the Electronic Freedom Foundation (EFF) and Attorney for Steve Jackson Games (whose computers were seized, when one of his fantasy games was perceived as being capable of training users to "hack" into computers) stated that underlying values of the constitution should be interpreted in terms of today's technology. Ken Rosenblatt, a District Attorney covering the Silicon Valley area, stated that he is charged with upholding civil liberties and feels that the laws are presently adequate. Mike Gibbons, Special Agent for the FBI, mentioned that he worked various white collar cases, including the 75 cent case (described in Cliff Stoll's book), and the Robert Morris case. He feels that there are various classes of computer crime, including impairment, data theft, and intrusion. Mitch Kapor, founder of EFF, stated that the "electronic frontier hasn't been settled yet" and that we should not stifle the "network petri dish inventing the future". He questioned the nature of reasonable search, stating that there haven't been enough cases yet to establish a meaning for this in computer law. Everyone should be protected from tyranny, not only hackers. He looks at the EFF as a means of civilizing cyberspace. The matter of free speech was discussed in the questioning session with the panel -- much speculation was directed towards the legality of discussions of bomb-making, system hacking, and the publication of other potentially lawless activities on the net or in technical papers. Other comments included the fact that law enforcement cannot seize an entire post office, their search must be limited to the mailbox of the suspect. This analogy applies to computer networks as well, although the volatility (ease of total destruction of evidence) of computer data is of concern to investigators. As I had an extended and quite insightful conversation with Russ Brand over lunch, I returned a tad late to the next session, on Legislation and Regulation, and was only able to catch two of the speakers. Elliot Maxwell, Assistant Vice President at Pacific Telesis stated that it is "difficult to have simple and specific rules". Paul Bernstein, whose LawMUG BBS and Electronic Bar Association is well known among the legal community, stated that one should "use mediums that exist -- participate in fashioning the laws." The most eye-opening session of the entire conference, in my opinion, was the following one on Computer-Based Surveillance of Individuals. It opened with Judith King describing the FBI Library Surveillance Program, where the reading habits of foreign nationals were investigated. She stated that many librarians want laws to protect the confidentiality of users, and some statutes have been passed. Karen Nussbaum, Executive Director of 9 to 5 (on which the film was based), gave an accounting of the monitoring of employees in the workplace. Currently over 26 Million employees are having their work tracked electronically, and over 10 Million have their pay based on computer evaluations. The personal habits of the worker can be monitored, one can look into a user's screen and see what they are doing or even send them messages. She described the "corporate plantation" as a place of stress, humiliation and harassment. Gary Marx, Sociology Professor at MIT, gave a whirlwind assessment of the importance of privacy, some technofallacies (like the Wizard of Oz "pay no attention to the little man behind the curtain"), and steps you can use to protect privacy (the bulk of these useful lists are published in the proceedings). He related how a telephone can be made "hot on the hook" so that you can silently monitor your babysitter, your children or your spouse, when you are not at home. Most devices, such as this one, are perfectly legal within your own house. David Flaherty spoke again, this time in a more serious vein, saying "we are living in a surveillant society" and "you have to make daily choices about what you are willing to give up about yourself." The second day's after-dinner speaker was William Bayse, Assistant Director, Technical Services Division of the FBI, who discussed a newly created national system called the NCIC-2000, under the topic of "balancing computer security capabilities with privacy and integrity". He began by asserting that crime has become more mobile and that conventional crime-tracking methods are inadequate. For example, he said, many missing persons actually want to remain missing. He feels that the accuracy of records is imperative. Various information bases have been formed, including lists of stolen items, vehicles, and wanted persons. Presently 65,000 officers are using this system, with 360M transactions annually, at a cost of 3 cents a transaction. For an example of effectiveness, over $1.1 Billion in vehicles have been recovered. Proposed, but not yet implemented is the portion of the system which provides a live scan of fingerprints at the scene of an arrest (or when someone is stopped for a motor vehicle violation) [with the intended purpose of considerably reducing false identifications... PGN]. Much criticism was generated from the audience regarding the potential misuse of this system for harassment, and the retention of fingerprints for future use. Marc Rotenberg addressed Bayse questioning why documents requested under the freedom of information act from his agency have still not been supplied, and stating that currently a lawsuit is pending to obtain their policies regarding monitoring of computer bulletin boards. Bayse refused comment. The final day of the conference opened with a session on Electronic Speech, Press and Assembly. Jack Rickard of Boardwatch Magazine mentioned that bulletin boards are highly specialized, primarily funded by individuals, and are in their embrionic stage. David Hughes, Managing General Partner of Old Colorado City Communications, added some color to the conference with his western garb (10-gallon hat, bolo tie) and use of his laptop for the notes of his speech. He described himself as a "Citizen of the Western Frontier of the Information Age" and drawled, "Read my Cursor". He described electronic speech as "fingers of the tongue with the ear for the eye --- but it is still speech". In describing US history, were it to have occurred today, Jefferson would have used a Macintosh, Adams would have used a PC, but "Tom Paine would have put Common Sense on a private BBS with a Commodore 64". "Don't tread on my cursor!" he cried. George Perry, Vice President of Prodigy, began by saying that he did not want to engage in discussion on the dispute, but then stated that "Prodigy does not read private email". Prodigy is a privately owned and operated company which believes that the market should be allowed to decide what services need to be provided. The Constitution regulates free speech with respect to the government, Prodigy thinks of itself as a publisher. Lance Rose, a NY Attorney, enumerated the types of rights afforded to individuals and companies with regard to ownership, including trade secrets, confidentiality, trademark, copyright and patent. There is currently a great diversity of laws which service providers must adhere to, making the provider, in some instances, a law enforcement agent. During the open comment section, Hughes noted that very few legislators are currently on-line, and he thanked Prodigy for preparing the NAPLPS market (for his products). The notable talk in the Access to Government Information session was David Burnham's (Co-Director and Writer with the Transactional Records Access Clearinghouse [TRAC] in D.C.). He stated that "badly administered agencies are more damaging than rogue operations". The objectives of TRAC are to obtain transactional data >from federal enforcement agencies, such as the IRS, NRC, and Justice Department. He demonstrated how the raw statistics could be combined with additional figures regarding inflation, population, and margin of error, showing that the so-called "trends" of increasing crime, or increased non-compliance with tax law, were actually flat lines when the mitigating factors were added in. The final panel discussion was on Ethics and Education. Richard Hollinger, Sociology Professor with the University of Florida, asserted that the "same officers who are investigating computer crimes are the ones who are protesting computers in their patrol cars because they feel it would be oppressive." He is concerned with the industry's encouragement of the use of computers in schools, before rules for their ethical use have been written. Donn Parker with SRI stated that laws are needed in order to convict hackers. Convictions have a "very good effect on our whole problem", he said. He referred back to the 60's when the ACM and IEEE drafted codes of conduct, and said that these should be popularized. He believes that one can not teach ethics, that it comes from interpersonal relationships, and (for him) the Christian religion and the Bible. One can teach, he believes, the application of ethics, beyond the golden rule. He delineated three rules: 1. The Owner's Rule - you choose to issue your property into the public domain, or not; 2. The User's Rule - you assume everything belongs to something else, unless otherwise informed; 3. The Hacker's Rule - systems are free, everything should go to the people (which he rejected as childish, not worth considering). He suggested that we consider the dilemma of Descartes -- if it is OK to start by stealing pencils, where then can we draw the line? Dorothy Denning spoke briefly regarding the network uses by children (Kids Net). She speculated that we should teach them something about hacking in order to take the mystery out of it. She compared telephone fraud by children as a more sophisticated version of the "is your refrigerator running" prank. The Education and Ethics panel continued with the softspoken John Gilmore, a "generalist" with Cygnus Support. He warned that we are losing the larger open society. The US is currently #1 in percentage of population in jail. He spoke of drug usage as a victimless crime. John asked the audience "who has not broken a law in the past month?" Only a few raised their hands. He then asked "who here has all their disks clean -- free from something you would not want them to find if you were investigated?" About 15% raised their hands, but after pondering it, a number of them lowered them (the person behind me muttered that he had some shareware for which he had not paid). Gilmore said "privacy is a means -- what is the end we are looking for? Tolerance." He urged real privacy of personal communications, financial transactions, things should be as "private as that thought held in our minds." He demanded that we stop building fake systems -- laws that dictate that you "can't listen to cellular phone calls" -- and instead build real protections into your systems and buy them from others. His talk received a standing ovation from the vast majority of the audience members. The remaining panel speaker, Sally Bowman, a Child Psychologist with the Computer Learning Foundation, stated that her organization is working to raise awareness and solve a number of problem areas. The problems she outlined were: 1. Lack of awareness of the magnitude of the problem. Software industry is being hurt by piracy; 2. Many misimpressions -- confusion, lack of information; 3. Lack of teeth in software copying policies; 4. Lack of strategies in teaching ethics; 5. School budgets are too small to allow legal procurement of software. Her organization is presently educating parents as to the "tell-tale" signs which indicate whether a child is "abusing" computer systems. The concluding session, entitled "Where Do We Go From Here" was staffed by a number of the conference speakers. They overviewed their feelings regarding the issues raised during the sessions and made general comments with respect to what they might do to raise awareness and resolve some of the problems. Throughout the conference many pamphlets, brochures and newsletters were distributed. Although it is infeasible for me to provide copies of this literature, interested parties can contact me or Jim Warren (jwarren@well.sf.ca.us) to provide source names and addresses. Some of the more interesting items (in no particular order, just how they happened to come out of my briefcase) included: - Brochures from the Cato Institute "Toward a Moral Drug Policy", "America's Counter-revolution", "The Semiconductor Industry and Foreign Competition", "The Promise of High-Definition Television: The Hype and the Reality", and their publication catalog. - Matrix Information and Directory Services Newsletter. - The Manifesto of Militant Humanism. - "Are you a Hacker?" by Robert Bickford, reprinted from MicroTimes. - Call for formation of a World Privacy Network. - An advertisement for SafeWord Software (password checking/protection). - Condom distributed by Anterior Technology (they market a system whereby you can retrieve the first 80 characters of emails while out of town). - "The Bill of Rights is Under Attack" from Committee for the Bill of Rights. - Hollywood Hacker Info, reprinted from Computer Underground Digest. - Calif. State Assembly Bill #1168 on Personal Information Integrity. - Computer Learning Month - from the Computer Learning Foundation. - The Equifax Report on Consumers in the Information Age - A reprint of John Barlow's article "Crime and Puzzlement" from Whole Earth Review, Fall 1990. - Various brochures from the First Amendment Congress, an organization providing educational materials on the First Amendment. - Policy papers from the League for Programming Freedom including "Against Software Patents", "Lotus Disinformation Forewarned is Forearmed", and the Effector (its newsletter). - CPSR reprints of newsarticles regarding the Lotus database. - Promotional literature for Ted Nelson's Xanadu. - Brochure for the Community Memory BBS, and its newsletter. - Brochure for the Art Com Electronic Network. - Brochure for the International Society for Individual Liberty. - Various copies of MicroTimes. - Application forms for CPSR and the League for Programming Freedom. - Rel-EAST, the east-west high-tech business report. - Suggested reading on how computer crime is investigated from Don Ingraham. - Book promotional literature including: "Rogue Programs" edited by Lance Hoffman, Van Nostrand Reinhold "Protecting Privacy in Surveillance Societies", David Flaherty, University of North Carolina Press "Spectacular Computer Crimes", Buck Bloombecker, Dow Jones-Irwin "Using the Public Library in the Computer Age", Westin & Finger, ALA. Directions & Implications of Advanced Computing, Vol. 1 and Proceedings >from 88 and 90, CPSR. - Flyer announcing "The Privacy Project" an NPR series (for which I was interviewed) to be broadcast in the Fall of 1991. - Flyer advertising "Your Expanding Infosphere" an NPR ComputerTalk Program. - Reason, a magazine for "free minds and free markets" whose cover story was on cryogenics. - Flyer on the National Apple Users Group Conference, June 7-9, 1991. - Flyer on the Silicon Valley Networking Conference, April 23-25, 1991. - Flyer on the third Chugach Conference, University of Alaska, Oct. 3-5, 1991. Plus Center for Information Technology News from U. Alaska. - Flyer on the Calif. Forum of the First Amendment Congress, May 6, 1991, Stanford University (free to the public). - Flyer for the Electronic Democracy Conference, Sept 4-5, 1991. - Calls for Papers from: The National Conference on Computing and Values (Aug. 12-16, 1991) Directions & Implications of Advanced Computing (May 2-3, 1992) I returned home with a broader idea of the many facets of the computer freedom and privacy issue. I must now admit to being more worried than I was before I attended this conference, as to the lack of solutions being offered by my colleagues. Perhaps this meeting of the minds is a first start. More work needs to be done. R. Mercuri mercuri@gradient.cis.upenn.edu The following are some addenda & corrections to my trip report on the Computers, Freedom and Privacy Conference, with thanks to the individuals who provided additional details and insights. 1. A second CFP conference has been scheduled for Spring 1992 in Washington, D.C. -- the general chairman will be Lance J. Hoffman. 2. Later figures for the first conference indicate that Jim Warren's losses may not have been as severe as he had indicated when I spoke with him. 3. Although the formation notice for alt.privacy indicated that the US Privacy Council was created AT the CFP conference, Lance Hoffman has informed me that this organization was actually formed PRIOR to the conference. Its first public meeting was held during the conference period but otherwise had no official conference involvement. 4. Robert Veeder works at the Office of Information Regulatory Affairs IN D.C., a branch of the federal Office of Management and Budget. 5. Mark Rasch prosecuted (not defended) the internet worm case. 6. Dorothy Denning wrote to me, mentioning that "the main point I tried to make in my talk was that we are letting our young people down by not taking responsibility for bringing them into the computing and network community as responsible users." My brief comments of her talk could lead a reader to believe that she was somewhat cavalier about the issue, which was certainly not the case. 7. The "sandals of Silicon Valley to the dark suits of Washington" quote should be accredited to Terry Winograd. 8. Judith Krug (not King) spoke in behalf of the American Library Association. 9. In Dave Hughes' talk, he had Franklin using an Apple and Jefferson using Word Perfect running under Windows (far more comical than what I had recalled). Considering the length of the conference and quantity of speakers, I am relieved that my errors and omissions were so few. Yours in good journalism, R. Mercuri mercuri@gradient.cis.upenn.edu --