An mp3 (recorded at 64 kbps) of the entire night (17.8 MB):
http://cfp2004.org/blogs/files/eff_pioneer_awards_2004.mp3
Here are some AVI's:
Kim Alexander (23.9 MB)
David Dill (1 of 2) (24.4 MB)
David Dill (2 of 2) (10.5 MB)
Avi Rubin (1 of 2) (24.0 MB)
Avi Rubin (2 of 2) (23.2 MB)
Avi Rubin (3 of 2) (19.5 MB)
The Gmail Plenary at CFP. Nicole Wong, the Chief Compliance Officer for Google, was a great sport to show up amid the recent controversy. It was also great to get David Link from Sen. Figueroa's office. Note, thanks to Ms. Wong, I know have a Gmail account... email joehall at GMail plus the dot com part to reach me. From left to right: Chris Hoofnagle, Electronic Privacy Information Center; Sunil Paul, Brightmail; Sonia Arrison, Pacific Research Institute; Nicole Wong, Senior Compliance Counsel for Google; Ari Schwartz, Center for Democracy & Technology; J.C. Cannon, Microsoft; David Link, Technology Counsel, Cal. Sen. Liz Figueroa; Amalie Weber, UC Berkeley Boalt Hall School of Law.
The ChillingEffects concurrent session. From left to right: Agnes Li, J.D. Candidate, Harvard Law School; Jennifer M. Urban, Visiting Acting Clinical Professor, University of California Berkeley School of Law (Boalt Hall); Wendy Seltzer, Intellectual Property Attorney, Electronic Frontier Foundation.
Stanford professor and Verified Voting founder David Dill kicks things off in the mock election. The idea was to mimic having two states (California and Florida) where only one state had an verifiable audit trail.
Recenly tenured professor from Johns Hopkins University Avi Rubin votes. I didn't get a good shot to see if he voted for himself or not (he was one of the two candidates for "CFPer of the Year").
EFF staff technologist Seth Schoen votes.
Verified Voting director Will Doherty recording the vote.
EFF chairman Brad Templeton prepares to vote.
The election attracted a lot of attention from people around the Claremont... inlcuding that of Ping Yee (center).
It also attracted the CBS evening news and the News Hour with Jim Lehrer.
Douglas Kellner, Commissioner, New York City Board of Elections (center left) and Aaron Swartz prepare to vote.
Avi Rubin and Barbara Simons of USACM.
Deirdre Mulligan, newly elected "CFPer of the Year (for California)", with Lorrie Cranor's baby girl.
SIMS students Parker Thompson, Dave Schlossberg and Me (Joseph Lorenzo Halll).
The ceiling of the Empire Ballroom at the Claremont was covered with mirrors. The other face looking up is that of Aaron Perzanowski (Boalt).
]]>Where most of us would be overwhelmed by the sheer size of the task, Brewster sees a challenge to be categorized and attacked systematically: Why can't we as a society share with all of our members the learning we've produced? What does that mean? Well, let's say there are 26 million books in the Library of Congress; 2-3 million sound recordings; maybe 100,000-200,000 theatrical releases and as many more video ephemera; 50 million websites; 1000 channels of television. For each chunk, the Internet Archive has a project: The Internet Bookmobile and million book project; live music archive; moving image collections; and, of course, the Wayback machine.
In his closing keynote for CFP, Brewster asked three questions about this universal access to all human knowledge: "can we?" "may we?" and "will we?" He expressed little doubt on the first -- technology can get us there if we have the will. As for the "may we?", to Brewster's credit, he's not willing to let the law block his vision. So he starts with public domain and permission-granted works, and builds. Perhaps that takes us to the point where the archives speak for themselves, begging to be filled first with orphan works, then classics, then ....
May we all share Brewster's will.
]]>Rest of the week has been interesting, RFID, voting issues, awards to the likes of Avi Rubin, a big vote off between Avi and Deirdre Mulligan (one computer voting system said Avi won, one said Deirdre won -- who can tell, no paper trail), ethics of online data collection, privacy statements, the FCC and DRM, music distribution. All the usual folks. And guess what, in the midst of the issues they can laugh at themselves. Like John Gilmore today, at lunch doing a low hiss at one thing the keynoter, Rachel Brand from the DOJ said, and when I turned around and peeked at how serious that was, he giggled.
Honestly, I'm kind of tired and don't have anything interesting to say about these things right now. But still the conference was well put together, had humor and the folks that care about this stuff and doing interesting things.
Brewster just finished with a story: a man who had a bookmobile on a camel, and the answer to he gave to the problem of stability in his system? Have two camels.
As Mike Godwin said later over drinks with the cfp crowd, best cfp in 10 years.
Also blogged this on napsterization.
Update: Now I can see he was the first to stand up. Also, Ann Brick of the ACLU of Northern California hopped up and got the first shot. Makes the good point about the difference between a grand jury subpoena and a Patriot Act section 215 one. With the grand jury, both sides get a hearing and it could be quashed, as happened with the NLG subpoena in Iowa in February. With the Patriot Act, the subject of the subpoena gets no hearing and the judge has no discretion to deny the request.
Brand won't talk about the FISA court with Kevin. So he tries to get the answer no one will offer: Under 216 of Patriot can the Feds collect URLs during a wiretap? Brand's not answering this really either. All we get is "It's my understanding that this hasn't happened yet." and "No court has ruled on that."
The unfortunate part of this is that the office of "Legal Policy" of the DOJ is here defending the Patriot Act. While Brand billed the talk as educational and as an attempt to correct factual misunderstandings of the Bill, that simply wasn't what we got. Besides, this is not a group that is suffering from misunderstandings of the Act. The problem with her defending the Act is that once we've set up the adversarial structure, in a discussion with lawyers, we've lost. I had hoped that the office of Legal Policy would be more interested in entering into a discussion of policy concerns, interested in listening. Once lawyers dig in, the discussion of policy choices is over.
]]>
The Trusted Computing plenary. (from left to right: Seth Schoen, Staff Technologist, EFF; David Safford, IBM; Danny Weitzner, W3C and Computer Science & Artificial Intelligence Laboratory, MIT (Moderator); Geoffrey Strongin, Platform Security Architect, AMD). Yes, that is John Gilmore in the foreground.
The "Open Source, Open Society" plenary. (Kenneth Neil Cukier, Fellow, Harvard's Kennedy School of Government (Co-moderator); Eric Makuli Osiakwan, Association of African Internet Service Provider Associations (http://www.afrispa.org/); Tom Kalil, Special Assistant to the Chancellor for Science and Technology for UC Berkeley; Bernard Benhamou, Director of Forecasting and Internet governance, E-Government Development Agency, Office of the Prime Minister, France; Jennifer M. Urban, Visiting Acting Clinical Professor, University of California Berkeley School of Law (Co-moderator); Jason Matusow, Microsoft; Tony Stanco, E-Government.)
The "The Next Drug War: Possession Statutes Target Technology" concurrent session. (from left to right: Christian Genetski, Partner, Sonnenschein, Nath & Rosenthal, Anti-Piracy Counsel for DirecTV; Jason Schultz, EFF; Fred von Lohmann, EFF; Albert Zakarian, Esquire, DTVDefense.com; Robert S. Apgood, Attorney at Law, AvantLaw PLLC). Yes, that is Dave Schlossberg's hair to the left and Parker Thompson's hair to the right.
Robert S. Apgood, modeling his gorgeous DeCSS tie.
]]>
The Datamining Panel (from left to right: Lara Flint, Center for Democracy and Technology; Stewart Baker, Steptoe & Johnson LLP (and former counsel at National Security Administration); Doug Tygar, Professor, University of California, Berkeley; Jeff Jonas, SRD; Peter Swire, Professor of Law, Moritz College of Law, Ohio State University).
]]>I've created an OPML file of all the RSS feeds for CFP 2004 blogs. It is here:
http://pobox.com/~joehall/nqb/archives/cfp2004.opml
If you use a newsreader (I like Bloglines), you should be able to easily import these feeds into your reader (you might need to change the file extension to ".xml").
Grosso is particularly troubled by the ways in which the public is encouraged to sacrifice their privacy rights--all of us have likely been idling in line to cross a bridge and felt the breeze of FastPass users whizzing by in their own special lane. Even more frightening is that many people seem quite willing to sacrifice lots of privacy for what the government continually insists is added security.
The key legal battle from Grosso's perspective is protecting the right to protect privacy. Protecting privacy directly, he contends, is difficult or impossible through legislation, but is more effectively accomplished in the "real world" by technological means. How? Pay in cash, turn off cookies, wear clothing that blocks infrared scans, etc. Law should focus on preserving rights to utilize these methods, preserving the market for privacy protection technology.
A question was raised--doesn't this scheme of focusing on technological rather than legal protections create problems for the vast numbers of people who might not have the economic resources to procure these protections? Importantly, it was said, "privacy is in numbers"--if you are the only person in the world using encryption technology in your e-mails, that protection is not much good. A question that remains open--might enforcement and auditing technologies be even more important than countermeasures?
]]>(I'll have pictures once they make their way through email!)
I spent Tuesday in the full-day workshop at CFP 2004 lead by Barbara Simons entitled, "Privacy and Civil Liberties Issues in Computer Science Research". It was simultaneously a blast and simultaneiously exhausting as we all realized how dark the future of privacy is. Here's a brief recap of the workshop (panelist Terry Winograd of Stanford University didn't present but did chime in quite a bit):
The first speacker was Susan Landau (Senior Staff Engineer, Sun Microsystems Inc.) with a talk, "Science -- and Thinking About Ethical Solutions". She spoke about a polish nuclear scientist, Joseph Rotblat who was involved with the development of the atomic bomb during the 1939-1943 period. His goal in the development process was to make sure that the U.S. got the bomb before Germany. When Germany surrendered, he went through quite an ordeal to sever himself from the atomic bomb development. This prompted others members of the development team to question their goal of buliding the bomb.
The discussion after Ms. Landau's talk was quite interesting. It started with a discussion about how the atomic bomb is quite distinct fromÑa bright-line caseÑthe issues we're dealing with in modern-day technology. That's what makes current ethical dilemas so hard... no one's necessarily going to die. The other part of the discussion centered around what the proper place for ethical education in computer science and engineering curricula. Some pointed out that people like Dave Farber, Terry Wingrad, and Prof. Kastenberg (Berkeley) have been teaching well-attended "ethics in copmuter science research" classes for years. Ms. Bajcsy and Barbara Simons pointed out that ethical education should be infused throughout engineering education. I personally feel that a combination of the two is best.
Nest up was [Ruzena Bajcsy][], the director of CITRIS from University of California, Berkeley who pointed out how difficult it is to get research professors to thing about the privacy implications of their research. A talkative guy from [Crytporights][] named del Tordo asked how hard would it be to require PIs to include a privacy implications statement in their proposals. Ms. Bajcsy seemed to think that this is something that the NSF could do and would be responsive to.
Next was Andrew Grosso Andrew Grosso & Associates. Mr. Grosso told a story of a typical day in the life of a modern American and how much we are tracked. His thesis seemed to be that further regulation of privacy rights other than HIPAA and the Privacy Act wouldn't do much.
Philippe Golle from Xerox Parc described some really interesting research that he and his team at PARC were involved with until the TIA funding was cut by congress. They were looking at a way of making sure that government analysts who don't have a warrant can not compromise an individual's privacy by requesting certain sets of information. That is, no one piece of data can pinpoit an individual but a few certain pieces can. There system (all on paper) would not allow analysts to request certain suites of data that would, in aggregate, pinpoint an individual uniquely. To do this, they would need a warrant. Unfortunately (and fortunately), funding dissappeared.
Marcia Hofmann from EPIC schooled us about CAPPS II, the new system proposed to screen American plane passengers. Two key take aways: 1) CAPSS II has taken 30 months to get 2/9 phases of development complete... at this pace it will be 2014 before it is done although the Transportation Security Administration says it will be "fully operational" (read: death star) in 2004 and; 2) Congress is very skeptical about CAPPS II and is dissapointed that the GAO found that only 1/8 of their concerns were addressed. What was that one concern that was adequatly addressed? They set up an oversight committee.
Finally, David Culler from University of California, Berkeley came to talk about privacy in sensor networks. This was the most scary and the most interesting talk of the day in my opinion. What does privacy mean when the world is blanketed with networked sensors? None of us knew... and there were many smart people in the room. Maybe confinement is the way to go... maybe some basic regulation is the way. It's totally unclear. The one clear thing is that this is set to become a whole new field: Sensor Network Policy.
The Battle for Accountable Voting Systems
1) Principles
- Elections are dispute resolution for social conflicts
* "The people have spoken ... the bastards!" -- Dick Tuck concession speech.
- Where should the burden of proof lie in elections?
* Now, losers have burden to prove election results are inaccurate.
* Dill proposes that burden should be on providers of elections. They have access to the information, technology, process, etc.
Audit: The ability to independently construct election results from original recortds.
For paper, you need:
* chain of custody
* locked ballot box
* voter makes permanent record
* transportation and counting of ballots are observed by officials and political parties.
- e.g. in California, two poll workers accompany each ballot box in transit
2) Trust and DREs
* "You have to trust somebody" Is this true?
* DRE = "Direct Recording Electronic"; does not necessarily include voter verifiable record.
* Consider a scribe system. You walk into a booth with a man behind the curtain. You tell him your vote and he writes it down but you never see him do this. This is essentially a DRE system.
* The only person who can check that the ballot is recorded correctly is The Voter. Any system that claims to be verifiable without the Voter is not really verifiable.
* Voting from a computer security scenario: pretty much worse case possible.
- Assets being protected: democracy
- Potential Attackers: Hackers, Candidates, Zealots, Foreign Gov'ts, Criminal Orgnaizations -- maximum number of attackers.
What Prof. Dill is worried about:
- Programmer adds hidden vote-changing code
- Code concealed from inspection
- Code only triggered during real election using cues (date,voter behavior) or explicitly by voter, poll worker, wireless network
- Changes small % of votes in plausible ways.
- Election outcomes can be changed without detection. No way to challenge results.
- No DRE can give us verfiable elections without paper.
- Local election officials are helpless to intervene -- they have no access to the electronic election process.
- Voting systems are especially vulnerable because they discard vital information for verfication -- the identity of the voter. In other secure transactions, we count on the identity of the transactors (e.g. bank transactions). ATMs have videocameras and three separate paper trails.
- What software are we running?
* open source does not solve the problem. Can still be hacked.
3) Voter Verifiable audit trail
* Voter instructs machine to fill out ballot
* Machine shows ballot to Voter
* Voter verifies that vote is correct via "trustworthy technology", e.g. paper printout.
* Record of verfication can be audited later by local officals.
Options:
* Manual ballots with manual counts
* Optically scanned paper ballots
* Touch screen mahcines with voter verifiable printers
* maybe crypto-based systems?
* Bottom Line: Paper is the only current option
4) Conclusion
- Before we adopt any radical new election technology, burden of proof should be on providers that elections are verifiable.
]]>Traditionally government regulation of communications has acknowledged two categories of services for the end user: basic and enhanced services. Whereas the regulation for these two types of services differ substantially (basic services are heavily regulated as common carriers), changes involving how technologies underlying these services work have fueled a continuing debate concerning which services fall under which of the two titles.
Specifically, Cannon and Savage discussed the status of VoIP services, which remove voice transmission from the network’s physical layer and instead incorporate those services into the network’s application layer.
]]>Abstracted views of underlying technology mask complexity which may confuse us as users. However, they also hide how an underlying machine may be behaving on one’s behalf to execute user’s delegated tasks. One prominent example of this, which set the stage for, Palmer, Schoen and Silverstein’s eventual demonstration was the broadcast nature of most network traffic. When users surf the web, or download email on a networked machine, one might implicitly assume that request emanate from one machine to another, and responses return in a similar fashion. However, both Ethernet and commonly used wireless protocols (802.11b, 802.11g) broadcast all messages to all nodes connected to the network. It might shock users to realize that there are no functional barriers to third party monitoring on all network activity. It is only the programmed good behavior of systems to ignore data packets address to others and only view those addressed to them. Palmer put it simply quoting a 19th century statesman who, in response to a proposal to construct an NSA like agency, said “Gentlemen do not read each other’s mail.”
Palmer, Schoen, and Silverstein demonstrated the how snooping software could be produced with only slight modification to existing and standard computer system software tools. The speakers setup a small local area network and activated one machine to monitor the traffic of another as it requested a web page. An abundance of data was readily available as the HTTP request was broadcast over common wire in plain unencrypted text. Any machine connected to the network could view the web page requested, the IP address from the issuing host, the operating system that host was running, as well as a globally unique machine identifier called a MAC address, in addition to many additional explicit and inferable facts.
There are cryptographic ways to prevent network snooping. Secure Socket Layer is commonly used for secure World Wide Web transactions. Diffie Hellman cryptography is also commonly used to protect information produced by applications prior to network transmission.
But communication channels are not the end of network security woes. Computer networks are composed of end systems (computer) and network medium (wires). In many cases, it is the common assumption that communications channels are vulnerable to snooping (as in the Ethernet example) but less so the computer systems which they connect. The speakers were emphatic about pointing out that although transmission security may be strong, end systems are not, as some assume, inherently safer than communication channels. Schoen stated that using SSL to deliver HTTP is like:
“using an armored car to deliver a package to someone on a park bench.” With the installation of malicious software such as a Remote Access Trojan or RAT on a networked computer, an attacker can essentially take complete control of another individual’s computer.
To demonstrate this end system attack, a RAT (SubSeven v.2.1.5) was installed on a victim machine. This Trojan allowed the attacker to view the victim’s current screen, record and insert keystrokes, download and upload arbitrary files, as well as activate the PC’s microphone to record audio from the surrounding environment. Schoen stated that “when malicious code infects a computer all bets are off … It may do anything.”
End system and communications attacks are increasingly sophisticated. One computer science professor at UC Berkeley has devised a system to break SSL by analyzing the timing of encrypted data packets emanating from a computer over a network. Moreover, less malicious but equally invasive monitoring software (sometimes called spyware or adware) is commonly found on computers where users have no idea they exist. A recent BBC news report found that an average 29 spyware applications were installed on computers it studied as part of a survey.
The best ways to fight these security compromises are to update virus definitions regularly, scrutinize the source of information including Verisign certificates before accepting files, and to configure network software (including operating systems) to disallow things like automatic software download and execution.
]]>