News Blog

May 4, 2007 2:02 PM PDT

After seven years, government data-regulation committee recommends new federal bureaucracy

by Declan McCullagh

MONTREAL -- Remember the fable about the scorpion and the frog? The scorpion can't help himself from stinging the frog: "I could not help myself. It is my nature."

Keep that in mind when reading a new 400-page government report from the National Research Council, which is called "Engaging Privacy and Information Technology in a Digital Age" and has been in the works for seven years. Its availability was announced on Friday afternoon here at the 2007 Computers, Freedom and Privacy conference.

If this sounds a little tedious, you're right, but NRC reports tend to be cited by members of Congress and the press. So this could end up being pretty important. (An earlier NRC report in the 1990s played a role in loosening encryption restrictions.)

The NRC report says the United States should follow the European model of creating Yet Another Federal Bureaucracy (YAFB) that would supposedly rein in the excesses of the Feds and, eventually, probably be handed the power to impose new regulations on U.S. businesses. To wit: "The committee recommends... that a national privacy commissioner or standing privacy commission should be established to provide ongoing and periodic assessments of privacy developments."

The report isn't listed on the home page of the National Academies Press Web site or the site of the Computer Science and Telecommunications Board, which actually organized the committee that created it. But if you poke around, you can find it and the executive summary on their site.

The primary problem with creating YAFB is the obvious one: Can a federal privacy commissioner appointed by President Bush be expected to criticize the National Security Agency's warrantless surveillance program? Will a commissioner appointed by President Clinton have sufficient independence to say that the Clipper Chip and encryption restrictions are just plain stupid ideas? Why do we think that a Republican-appointed commissioner would not look more favorably on Intel (which gives plenty of money to the GOP) and a Democratic one would not whitewash issues with Google (which had only one employee give money to a Republican candidate in the first quarter of 2007)?

After hundreds of years of attempting to find ways to secure judges who are insulated from bias and partisanship, and still coming up short, it seems unlikely YAFB will be all that useful. The so-called Privacy and Civil Liberties Oversight Board has been mostly useless. In fact, a YAFB for privacy could be actively harmful in two ways: First, its bureaucrats would have a strong incentive to expand their own power and budget by inventing new and economically onerous ways to impose unnecessary data collection and use regulations on private firms. Second, by endorsing harmful government privacy practices, it would provide a useful political shield for future administrations.

Other recommendations:

* "Principles of fair information practice should be extended as far as reasonably feasible to apply to private sector organizations that collect and use personal information."

* "The U.S. government should undertake a broad systematic review of national privacy laws and regulations. Second, the committee recommends that government policy makers should respect the spirit of privacy-related law."

* "Governments at all levels should take action to establish the availability of appropriate individual recourse for recognized violations of privacy."

To be sure, the report is extensive -- even the executive summary is 37 pages -- and I haven't had enough time yet to even begin to digest it. There are certainly many laudable sections, such as recognizing that many privacy regulations involve tradeoffs and insisting that politicians and bureaucrats take the issue seriously.

Because it's the product of a committee, many areas are relatively bland and general. "There are too many recommendations," said Susan Landau of Sun Microsystems. "There was far too much waffling."

Lee Tien of the Electronic Frontier Foundation added: "It suffers from not having enough civil liberties practitioners on the board and too many academics."

Representatives of the committee who spoke at the Montreal CFP conference defended the report by saying it was necessarily a consensus, which meant that it avoided taking strident positions. They added that it took seven years because it was a hard problem that took a lot of discussion and negotiation, plus updates as events overtook the report.

May 4, 2007 10:08 AM PDT

Florida ditches problematic touch-screen voting, and now what?

by Declan McCullagh

MONTREAL -- Florida's decision this week to dump touch-screen voting machines is a good start, computer scientists said at the Computers, Freedom and Privacy conference here on Friday.

The controversial ATM-like machines, which have been plagued by reports of bugs and vulnerabilities, will be replaced with optical-scan balloting, according to a Florida legislature vote this week.

A panel of respected computer scientists -- including Peter Neumann of SRI International, Barbara Simons of the Association of Computing Machinery, and Ron Rivest of MIT (the "R" in the RSA algorithm) -- painted a dismal picture of the current state of the art of electronic voting.

"The entire process is rife with vulnerabilities," Neumann said in an interview after the panel. "It's weakness in depth. Everything in the entire process is a potential source of vulnerability. The technology we live with is riddled with security flaws. It's riddled with people who don't know what they're doing. It's riddled with problems caused by poor human interfaces. There's no easy answer. People are always looking for easy answers. They want simple systems."

The biggest objection among computer scientists is that many e-voting machines don't have audit trails, so voting totals can be quietly manipulated either through a software bug or by a malicious attacker. Paper trails would be a big step toward fixing that.

That leads to the unusual case of some of the world's most esteemed technologists insisting on an analog backup mechanism. "We were called Luddites," said Simons. "Which I thought was funny coming from people who don't understand technology."

A good summary of the topic, including recommendations for next steps, is in Johns Hopkins professor Avi Rubin's testimony before Congress earlier this year.

May 4, 2007 9:41 AM PDT

Should Amazon.com be able to charge you more than someone else?

by Declan McCullagh

MONTREAL -- The theme of this year's Computers Freedom and Privacy conference here is autonomy, and an unexpected subtext was left-of-center activists fretting about whether data-mining will let online businesses charge customers different prices.

Usually this is expressed as: Will Amazon.com charge me more for certain products based on what it knows as my purchasing history?

In September 2000, reports said that Amazon.com was offering the same DVDs to different customers at discounts of 30, 35 or 40 percent. Amazon said it was a random price test, but after criticism, it decided to refund the difference to anyone paying the higher price and pledged not to do it again.

This week at CFP in Montreal, Jeff Chester and Chris Hoofnagle both warned about the privacy implications of price discrimination becoming widespread. (Chester runs the Center for Digital Democracy, which joined in a complaint against Google and DoubleClick last month, and Hoofnagle is a former activist at the Electronic Privacy Information Center who now works at a law clinic at the University of California, Berkeley.)

"Why can't we have something in the laws of identity that says you can't ask for identity for some stupid purpose, such as 'Serving You Better,'" Hoofnagle asked after a panel on Friday, referring to a set of best practices rather than government regulation. Chester told me that he believes that price discrimination will become a real threat.

But is price discrimination really so worrisome? In general, it's legal unless it's based on certain legal categories such as race, religion, national origin or gender. There's also a federal law called the Robinson-Patman Act that's relevant.

That said, price discrimination is commonplace. Economist David Friedman points out that it happens frequently, for instance charging less for children than for adults at movie theaters. A child takes up the same sized seat as an adult, but price discrimination happens either because minors are less able to afford the cost themselves, or because parents won't bring multiple children if the full price is charged.

Price discrimination happens in terms of Slashdot subscriptions for advance article viewing, youth fares for trains, paperback vs. hardcover books, advance purchase vs. last-minute airline fares, and even Book of the Month Club selections, which are cheaper than the same title purchased at a bookstore. Haggling at bazaars and car dealers is price discrimination. So is ladies' night at bars and charging different prices for men's haircuts vs. women's when similar work is involved. And it happens when retailers send coupons to their best customers but ignore occasional ones.

But it doesn't always work. For one thing, a business needs to be able to figure out who will pay the higher price; if it makes the individual price too high it will lose a sale. Second, customers that buy something at a low price can turn around (if the difference makes it worthwhile) and profit by selling it at the market price.

And there are excellent reasons to think it won't work that well online when Internet retailers try to use a customer's purchase history to generate individualized prices that are higher than prices charged to new customers.

That's for two reasons: First, online shoppers are very price-sensitive, and second, they talk. A lot. It's easy enough to use two different Web browsers -- one logged into your account and one that's not -- to check prices on Amazon.com. And it's even easier to post your findings online to one of scores of Web sites that specialize in price tracking.

So is price discrimination a worry? Do we need new laws banning Amazon.com from doing it? Probably not. In fact, the most common type of price discrimination that happens online is retailers giving out coupons to existing customers, something that's wildly popular. But that won't stop privacy activists from trying to make an issue of it anyway.

May 4, 2007 8:50 AM PDT

No Facebook, YouTube for Canadian government workers

by Declan McCullagh

MONTREAL -- Ontario government employees will no longer be able to visit Facebook and YouTube at work.

Premier Dalton McGuinty said Thursday that he couldn't see the justification for permitting employees to continue to access the sites. They're now banned like gambling and porn sites.

There is some justification for taking this step, of course. Ontario government workers (it's the country's most populous province, so there are a lot of them) can waste lots of time checking their Facebook accounts and browsing video clips on YouTube. Cracking down on time-wasting by bureaucrats paid for by tax dollars is a reasonable thing.

But so is allowing government officials to access information about businesses they may eventually end up regulating, as University of Ottawa law professor Michael Geist pointed out while in town for the Computers, Freedom and Privacy conference this week here. There are two dueling objectives, in other words.

In the private sector, market mechanisms would sort out what are good or bad policies. Companies that block too many sites would be viewed as a less desirable place to work and, at the margin, would lose employees. Firms that underblock sites might find that too many people are watching cat videos when they should be at work. The process isn't perfect, but it works.

But government agencies are monopolies by definition, which means they're outside the normal market process of finding best practices by experimentation and competition. There are more political overtones, too, because employees at a for-profit business are just wasting the owner's money, not money forcibly extracted from taxpayers.

May 4, 2007 7:21 AM PDT

Canada may stop using U.S. passenger profiling lists

by Declan McCullagh

MONTREAL -- Canada currently is relying on a secret and sometimes problematic U.S. government database to identify people who are supposed to be barred from flying or subjected to greater screening.

For now, that is. But a Canadian government representative signaled this week at the 2007 Computers, Freedom and Privacy conference that this may change.

Stephen McCammon from the Ontario Information and Privacy Commissioner's Office said that Canada may develop and maintain its own lists that would not be as problematic. Constitutional law professors, dead people, and the president of Bolivia have reportedly appeared on the U.S. lists. The political flap over a Canadian computer engineer sent to Syria and tortured can't have helped either.

"The inevitable byproduct of (the current system) is false positives," he said. "It's going to err on the side of caution."

McCammon referenced how secret lists of undesirable people have their "origin in recent memory in the HUAC blacklist of Hollywood" and cited "the experience of Japanese-Canadians and Japanese-Americans in World War II." He also noted that "transgendered people face particular ID concerns."

The Transportation Security Administration, part of Homeland Security, administers two lists: a "no fly" list and a "selectee" list (which mandates additional screening). They're given to airlines and stored on their computers and used to identify passengers who have names matching someone on the list, which can of course be a problem when a popular name appears on it.

They've been overinclusive, with TSA officials acknowledging that about 30,000 airline passengers over roughly a year were mistakenly matched with those appearing on federal watch lists.

CBS News obtained a copy and called it "incomplete, inaccurate, outdated and a source of aggravation for thousands of innocent Americans."

U.S. government representatives at the Montreal CFP conference responded that procedures were in place to identify and fix errors, and suggested that Canada should stick with the United States' system.

Lyn Rahilly, privacy officer for the FBI's Terrorist Screening Center, said that "we provide TSA with the names" and "we do a very deep scrub of any complaint we receive when the person is actually on the watch list."

However, she said, "we cannot confirm or deny to any individual whether they are on or are not on the consolidated terrorist watch list... Obviously that provides some challenges to us in terms of providing redress. That person is on the list for a legitimate reason." (Or, that is, a person with a similar name.)

Tim Edgar, the deputy civil liberties protection officer at the U.S. Office of the Director of National Intelligence, said there's a "fairly soft trigger" to get on the watch list.

"But there's a higher standard, a higher bar, for getting on the no fly list," Edgar said. He described the procedures in place to respond to complaints.

In response to a question saying that courts should oversee who gets on the list, Edgar responded that "Congress and the public and the president have made a decision to have this kind of system, which obviously has significant costs... Your right to travel does not necessarily mean your right to travel by airplane."

Addendum on May 14: McCammon emailed us to take issue with this article. First, he said, he was not necessarily speaking on behalf of the Canadian government: "I neither work for the Ontario nor indeed the Canadian government; I work for an independent officer of the Legislative Assembly of Ontario whose mandate includes commenting on proposed government programs that affect privacy rights."

Second, he said he's worried that the Canadian passenger profiling lists could be as buggy as the American experience: "My concern is that the Canadian approach may be no less problematic. In referring to recent Parliamentary testimony by Transport Canada officials to the effect that the Canadian and U.S. systems are "conceptually" similar (see the Hansard from the Senate of Canada's Standing Committee on National Security and Defence of February 12, 2007, as well as the House of Commons Standing Committee on Public Safety and National Security of March 1, 2007), I made the case that both the U.S. and the Canadian approaches suffer from the same basic flaws - a lack of legal constraints, too much secrecy, and worrisomely inadequate remedial and oversight machinery."

In addition, the conference program had incorrectly listed the Terrorist Screening Center's affiliation inside the U.S. government, an error we unintentionally reproduced. We've since fixed it: TSC is part of the FBI.

May 4, 2007 6:48 AM PDT

Bush wants to derail wiretapping lawsuit against AT&T

by Declan McCullagh

MONTREAL -- President Bush is backing a proposed law that would pull the plug on lawsuits alleging telephone companies illegally cooperated with the National Security Agency in its warrantless wiretap program.

We've written about this before, such as when the House Judiciary committee approved the measure last year as part of a bill to rework the 1978 Foreign Intelligence Surveillance Act.

At the time, last September, one backer of the measure said it would effectively "eliminate the 60 or more lawsuits filed because companies complied with government orders," such as the one brought by the Electronic Frontier Foundation against AT&T. Rep. Chris Cannon, the amendment's sponsor, said that without such protection in place, "an individual or company will be reluctant to cooperate with any government authorized surveillance program, which will severely undercut government's efforts (to prevent terrorist attacks)."

But it's worth noting again now for two main reasons. First, EFF's lawsuit is at a crucial stage right now before the 9th Circuit, as EFF attorney Lee Tien described at the 2007 Computers Freedom and Privacy conference here on Thursday afternoon. Second, the bill is back in play this year and now's the time to pay attention to it again.
