Interesting People mailing list archives

CFG summary for interesting-people (if you're interested)


From: David Farber <farber () central cis upenn edu>
Date: Mon, 28 Mar 1994 11:39:19 -0500

Lorrie Cranor's CFP94 Conference Review


The following is my second annual Computers, Freedom, and Privacy
conference report.  Last year I wrote a report on CFP93 for my advisor
and friends and soon had requests to distribute it around the world
(followed by rebuttals from half the EFF board).  So this year I'll go
ahead and grant permission for reposting in advance.  If you do repost
or if you have any comments or corrections, please let me know.  I
have tried my best to accurately quote people and get the spelling of
speakers' names right.  However, I have not had the opportunity to
listen to a tape of the proceedings, double check with the speakers
themselves, or even carefully edit this report, so there may be some
(hopefully minor) errors.  Anyway, here is the CFP94 conference as I
experienced it.  All unattributed opinions are my own.


I flew into Chicago around noon on March 23 and took the train to the
Palmer House Hilton, the conference hotel.  I was impressed with the
way the train stopped almost right at the hotel entrance -- until I
realized that my room was almost directly above the train station.  At
CFP93 last year I was often tempted to skip a session, enjoy the
sunshine, and walk along the bay.  However, at CFP94, held in a high
rise hotel in the middle of a maze of very tall buildings and
elevated train tracks that prevented all but the most determined sun
beams from making their way down to street level, this was not a
temptation.


I missed the morning pre-conference tutorials, but arrived in time to
attend a three-hour afternoon tutorial session at the John Marshall
Law School (a few blocks away from the conference hotel).  The
election tutorial I had planned on attending was canceled, so I went
to a tutorial on cryptography instead.  Despite the hot stuffy air in
the room (as they wheeled in auxiliary air conditioners and draped air
hoses around the room the people from Chicago kept explaining that it
wasn't supposed to be 75 degrees in Chicago in March and that very
tall buildings don't adapt well to temperature change), the
cryptography tutorial was quite interesting and informative.  Lawyer
Mark Hellmann gave some good background information in his
introduction, but Matt Blaze of AT&T Bell Labs stole the show with his
presentation titled "Everything you need to know about cryptography in
just 60 easy minutes."  Blaze explained why cryptography is
useful/necessary, how some popular cryptosystems work, some
applications in which cryptography is used, and questions people should
ask before using a cryptosystem.  His conclusion was "Be realistic,
but be paranoid."  Douglas Engert of Argonne National Laboratory
followed with a rather rushed and confusing explanation and
demonstration of Kerberos, a "practical implementation of encryption."


Conference chair George Trubow officially opened the single-track
conference at 8:30 a.m. on Thursday morning.  He announced some
changes to the conference program and introduced John McMullen,
scholarship chair.  McMullen introduced the scholarship recipients
(including myself) and noted that three-time scholarship winner Phiber
Optik would not be in attendance because he is currently in jail.


The keynote address, originally scheduled to be delivered by John
Podesta, was delivered by David Lytel of the White House Office of
Science and Technology Policy.  Lytel first spoke about the
administration's plans for the National Information Infrastructure
(NII), explaining that the White House was attempting to lead by
example by accepting email correspondence (and maybe soon actually
responding to it properly) and making White House publications
available electronically.  (Look for a "welcome to the white house"
WWW server sometime soon.  Information from the II task force is
currently available via gopher from iitf.doc.gov.)  Lytel then put
himself in the line of fire by discussing the administration's
encryption policy.  He stated the goals of this policy as 1) to
provide a higher baseline security for everyone and 2) to maintain
the ability to do wiretaps.  Notably, he stated: "There will be no
restrictions on domestic use of encryption," and "If you don't think
Clipper is secure, don't use it."  Then the bombing began.  In the
following Q&A session, Lytel claimed ignorance on many points of the
Clipper proposal, but did make some interesting claims.  He stated
that (here I've paraphrased):


- Clipper will be a government procurement standard that agencies may
  choose to use in addition to other standards.


- The establishment of a public key registration system for all public
  key cryptosystems is important (this has not been officially proposed).


- Clipper-encrypted messages may be further encrypted with another
  cryptosystem.  However, messages may not be encrypted before being
  encrypted with Clipper.


- The public is more at risk from criminal activity (which Clipper may be
  able to prevent) than from government abuse of power.


- Clipper was designed by the government for its own use.  But they
  wouldn't mind if it becomes popularized as a commercial product.


- Clipper was only designed to catch "dumb criminals."


- Clipper does not make it easier or harder for law enforcement to get
  permission to do a wire tap.


After a short break, Lytel took the podium again as one of six
panelists in a discussion of "The Information Superhighway: Politics
and the Public Interest."  The panelists generally agreed that the
information superhighway should provide "universal access" and two-way
communication.  They all seemed to fear a future in which the
information superhighway was simply a 500 channel cable television
network in which two-way communication only occurred when consumers
ordered products from the home shopping network.  Jeff Chester of the
Center for Media Education stressed the need for public activism to
prevent the form and content of the information superhighway from
being determined only by cable and telephone providers.  In the
following Q&A session the "information superhighway" was dubbed a bad
metaphor ("The vice president's office is the department of metaphor
control," quipped Lytel.), and subsequently used sparingly for the
remainder of the conference.


Thursday's lunch (all lunches and dinners were included in the price
of admission) was the first of many really bad meals served at CFP.  I
requested vegetarian meals and wound up eating plate after plate of
steamed squash.  My meat-eating friends claimed not to enjoy their
meals either.  Fortunately the lunch speaker was much better than the
lunch itself.  David Flaherty, Canada's Information and Privacy
Commissioner, explained what his job entails and gave some
interesting examples of privacy cases he has worked on.


The first panel discussion after lunch was titled "Is it Time for a
U.S. Data Protection Agency?"  The panelists agreed that with all the
information currently being collected about people, it is time for the
U.S. to institute an organization to help protect privacy.  Currently,
litigation is the only way to force compliance with the "patchwork" of
privacy laws in the U.S.  However, the panelists disagreed on what
form a privacy protection organization should take.  The most concrete
proposal came from Khristina Zahorik, a congressional staffer who
works for Senator Paul Simon.  Simon recently introduced legislation
to form a five-member independent privacy commission.  Martin Abrams
of TRW objected to the formation of a commission, but supported the
formation of a "fair information office."  Law professor Paul Schwartz
then discussed the European draft directive on data protection and
stated that once the Europeans approve this directive the U.S. will
have difficulty doing business with Europe unless a U.S. data
protection board is formed.


In the next panel discussion, "Owning and Operating the NII: Who, How,
and When?"  Mark Rotenberg of Computer Professionals for Social
Responsibility (CPSR) played talk show host as he questioned four
panelists.  The panelists stressed the importance of universal access
and privacy for the NII.  Barbara Simons, chair of ACM's new public
policy committee USACM, was particularly concerned that the NII would
be viewed as an electronic democracy even though large segments of the
U.S. population would be unlikely to have access to it.  "I worry that
when people talk about electronic democracy they might be serious,"
she said.  She added that NII discussions are exposing all of the
major problems with our society including poverty and poor education.
Her comments were interrupted by a call to the podium phone, which
turned out to be a wrong number.  Jamie Love of the Taxpayer Assets
Project pointed out problems that could occur if NII providers do not
have flat rate fees.  For example, listservers, which are often used
as organizational and community-building tools, would not be able to
exist unless somebody volunteered to pick up the tab.  Somebody from
the audience pointed out that throughout the day panelists had been
opposing plans for carrying entertainment on the NII, despite the fact
that most Americans want entertainment, especially shows like Beavis
and Butthead.  Love explained that the panelists were not opposing
entertainment plans, just plans that only include entertainment.  He
noted, "I personally like to watch Beavis and Butthead."


After the panel discussion, conference organizers scurried to hook up
a teleconference with Senator Patrick Leahy, author of the 1986
Electronic Privacy Act.  Jerry Berman acted as moderator, speaking to
Leahy through the podium phone as audience members watched and
listened to Leahy on a projection TV.  The teleconference began with
some technical difficulties during which the audience could see Leahy,
but only Berman could hear him.  Berman reported this problem to Leahy
and then told the audience, "Senator Leahy may hold his speech up in
front of his face."  Once the technical difficulties had been worked
out, Leahy discussed the NII and problems with the Clipper proposal.


The final panel discussion of the day was titled, "Data Encryption:
Who Holds the Keys?"  The discussion began with a presentation from
Professor George Davida, whose 1970s crypto research brought him some
unwanted attention from the National Security Agency (NSA).  Davida
explained the importance of cryptography for both privacy and
authentication.  The Clipper proposal, he said, was a bad idea because
it would attempt to escrow privacy.  He pointed out that the bad
guys have a lot of money to hire hackers to write encryption schemes
for them that the government does not hold the keys to.  Furthermore,
he opposed the idea of the NSA being responsible for an encryption
scheme that many people would use to guard their privacy.  "Asking the
NSA to guarantee privacy is kind of like asking Playboy to guard
chastity belts," he explained.  Next, Stewart Baker of the NSA took
the podium to deliver an ultra-slick presentation on the "Seven Myths
about Key Escrow Encryption."  His main points (here paraphrased)
were:


- If you think key escrow encryption will create a "brave new world" of
  governmental intrusion, ask yourself how bad governmental intrusion
  is today.  It won't be any worse with key escrow encryption.


- If you think unreadable encryption is the key to our future liberty,
  you should be aware that the beneficiaries of unreadable encryption
  are going to be bad guys.


- If you think key escrow encryption will never work because crooks
  won't use it if it's voluntary and therefore there must be a secret
  plan to make key escrow encryption mandatory, you're wrong.


- If you think the government is interfering with the free market by
  forcing key escrow on the private sector, remember that nobody is
  forcing the private sector to use Clipper.


- If you think the NSA is a spy agency and thus has no business worrying
  about domestic encryption policy, you should realize that the NSA also
  designs encryption technology for government use.


David Banisar of CPSR followed Baker with more anti-Clipper arguments.
Banisar pointed out that communication systems are designed to
communicate, not to provide intelligence information.  If we build
communications systems as intelligence systems, we are treating
everyone as a criminal, he said.  He pointed out that there were about
14 million arrests in the U.S. in 1992, but only about 800 wire taps.


The encryption panel was followed by the annual EFF awards reception
and the conference banquet.  (Incidentally, I can't complain about the
EFF board the way I did last year because most board members were not
present this year.  Seriously, though, I have been much more impressed
with the way EFF has been reaching out to its members this year.)
During dinner (more squash) Ben Masel of NORML lectured my table on
how to legally harvest marijuana.  After dinner, the lights dimmed,
choir music played, and Simon Davies walked through the banquet hall
garbed in pontifical robes.  The founder and Director General of
Privacy International, Davies told the audience he would read from
"The Book of Unix."  Davies read a witty parable about privacy in the
U.S. and then urged the audience to "get off their computer screens
and start lobbying ordinary people."  He said efforts like CPSR's
anti-Clipper petition only reach people on the net, not the general
public.  Unless the public becomes aware of privacy problems, there
will be no privacy in the U.S. within 15 years, he stated.


Following Davies' talk, conference participants went to
Birds-of-a-Feather sessions, some of which ran until almost midnight.
I stopped by a BOF for scholarship winners before attending a lively
discussion on "Censorship of Computer-Generated Fictional
Interactivity."


The second day of the conference began at 9 a.m.  Many participants
had not gotten enough sleep the night before, and many skipped the
first session on health information policy.  Congressional staffer Bob
Gellman discussed a bill in the U.S. House of Representatives that
would provide for comprehensive rules for using health information,
patient rights for access to and correction of their health
information, and security of health data.  He said the bill was
important because health reform will increase the use of medical
information.  (The bill is available via gopher from cpsr.org.  An OTA
report on privacy of computerized medical information is available via
FTP from ota.gov.)  Janlori Goldman of the ACLU added that privacy has
been an afterthought in health care reform proposals.  All panelists
agreed that if the privacy problem is not dealt with, patients will
withhold important information from their doctors so that it does not

