TL: Computers, Freedom, Privacy Trip Report Date: Mon, 1 Apr 91 22:56:31 EST [not an April Fool's joke] From: mercuri@grad1.cis.upenn.edu (Rebecca Mercuri) Subject: Computers, Freedom, Privacy Trip Report The following constitutes my trip report for the Computers, Freedom and Privacy Conference held March 26-28, Airport Marriott Hotel, Burlingame, California. Although I have made a sincere attempt to relate the events of the conference in a fair and unbiased manner, the nature of the material covered entails a certain amount of emotion and it is difficult, if not impossible, to separate one's own feelings from the subject matter. I therefore apologize for any inadvertent mistakes, omissions, or philosophical commentary. Readers are encouraged to send corrections to me at the email address below. No flames please! Respectfully submitted, R. T. Mercuri mercuri@gradient.cis.upenn.edu No portion of this document may be copied or distributed for commercial purposes without the prior express written permission of the author. Non-commercial uses are permitted, but the author and source must be credited. Copyright (C) 1991 R. T. Mercuri. All Rights Reserved. [Edited lightly by PGN and included in RISKS with permission of the author.] This work was partially supported by the University of Pennsylvania's Distributed Systems Laboratory as a part of its promotion of the professional activities of its students. Matching funds were also provided by Election Watch, a division of the Urban Policy Research Institute, a non-profit organization. ====================================================================== The First Conference on Computers, Freedom and Privacy was organized and chaired by Jim Warren, and sponsored by the Computer Professionals for Social Responsibility (CPSR). Numerous other organizations also lent their support to the conference, which was attended by approximately 400 individuals (described by Terry Winograd as ranging >from the sandals of Silicon Valley to the dark suits of Washington) covering the fields of law, investigation, programming, engineering, computer science, hacking, industry, media, academics, government, law enforcement, and civil rights. The crowd was about 75% male, with very few minorities in evidence (only ~10% of the speakers were female, and none were minorities). Attendees formed a veritable who's who of hacking with key figures such as Captain Crunch, Phiber Optik, Steve Jackson, Craig Neidorf, and other notables there, some accompanied by an entourage of defense and prosecuting attorneys. Cliff Stoll and Ted Nelson (separately) took the opportunity to distribute copies of their books and give autos. (Cliff was fond of playing with a brightly- colored yo-yo and writing memos to himself on his hand, Ted appeared to be creating a video record of the conference by filming each speaker with a small hand-held camera for a few seconds as each talk began.) A list of attendees was distributed, providing all information that each participant marked as "open". The vast majority of participants provided their name, company, address, phone number and email address. Some people remarked privately that had they been more aware of the manner in which such information is currently being used, they likely would have "closed" more of their own data. (The list was printed in name-alphabetical order so it was unfortunately possible to derive the names of individuals who elected not to be listed.) Jim Warren, who described himself as a self-made multi-millionaire, entrepreneur, futures columnist, and member of the board of directors of MicroTimes and Autodesk, Inc., took a severe loss on the conference. He had estimated break-even at 500 participants, but had only achieved around 300 paid admissions as most of the media and some staff members attended for free. To his credit, he organized a fast-paced, well-run (on-time) conference which allowed many of the key figures in this field to present their thoughts and ideas. Audio and videotapes, as well as the conference proceedings (published by Springer-Verlag) will be available shortly [write to CFP Proceedings, 345 Swett Road, Woodside, CA 94062]. The conference was preceded by a day of tutorial sessions, but I was unable to attend those activities. My major criticism regarding the conference was that the sheer volume of speakers (over 20 per day) allowed little time for questioning from the audience. Many of those who were not wearing red speaker's badges began feeling like second-class citizens whose opinions were neither wanted nor recognized. If someone managed to obtain a microphone and used it to make a statement rather than to ask a question, they were routinely hissed by a large portion of the audience. The unresolved tension became most obvious on the last day of the conference when, during the panel discussion on Electronic Speech, Press & Assembly, a loud altercation broke out in the front of the room. This panel had a representative from Prodigy Services, but the person who was supposed to give opposing commentary (apparently regarding the email privacy issue) had been unable to appear. Certain attendees were prepared to present their views, but were informed that they would not be permitted to do so. A private meeting was arranged for those who wished to discuss the Prodigy matter, but many found this to be unacceptable. An oft-heard word describing the material revealed during the conference was "chilling". After the second day of the conference I became aware of how invasive the monitoring systems have become. As I returned to my room within the hotel, I realized that my use of the electronic pass-key system could alert the hotel staff of my entry and exit times. People could leave messages for me, which would be reported on my television screen, all of this being recorded in some database somewhere, possibly not being erased after my departure. My entire hotel bill, including phone calls and meal charges could also be displayed on my television screen, along with my name, for anyone to access (without a password) if they were in my room. Chilling indeed. Pondering all of this, I left the room, lured to the hotel lobby by the sound of what I assumed to be a cocktail piano player. When I located the baby grand piano I realized that, through the high-tech wonders of Yamaha, no human sat at the keyboard. A sophisticated computerized unit rendered a seemingly- endless sequence of expertly arranged tunes, with no requests allowed from the audience. This ghostly image reemphasized, to me, the silent pervasion of computers into our daily lives, and the potential erosion of personal freedom and privacy. Throughout the conference, many problems were posed, few answers were given. Factions developed --- some people felt we needed more laws, some people felt we needed fewer laws, some felt that all data (including program code) should be free and accessible to everyone, some felt that everything is personal property and should be specifically released by the owner(s) prior to general use. Certain people felt that all problems could be resolved by tightly encrypting everything at all times (the issue of password distribution and retention was ignored). What was resolved was to form an organization called the US Privacy Council which "will attempt to build a consensus on privacy needs, means, and ends, and will push to educate the industry, legislatures, and citizens about privacy issues." The first thing this organization did was form a newsgroup, called alt.privacy. I observed that at least 50 messages were posted to this newsgroup within the 3 days following the conference, most pertaining to privacy of emails. This was disappointing, to say the least. Presumably people will use the mailing list and the newsgroup to disseminate information, but whether this is merely a duplication of other existing newsgroups (such as RISKS), and whether the Privacy Council will have any impact at all, shall be left to be seen. The conference opened with a comment by Jim Warren that this meeting could be "the first Constitutional Convention of the new frontier". He then introduced Harvard Law Professor Lawrence Tribe who used the analogy of cyberspace to describe some of the problems of a "virtual constitutional reality". He quoted Eli Noam as saying that "networks become political entities" and that there could conceivably be "data havens", private networks much like Swiss bank accounts, which are virtual governments in themselves. He asserted that a bulletin board sysop is not a publisher, in the same way that a private bookstore owner is not a publisher. The individual merely makes the products available, and has the responsibilities of a seller, not a publisher. Tribe then went on to delineate five major points. First, there is a vital difference between governmental (public) and private actions. Second, ownership is an issue that goes beyond that which may be technologically feasible. Property encourages productivity. You have a constitutional right to inhabit your own body. Free speech may be a luxury we can't afford (like yelling "fire" in a crowded theater, or viruses roaming the network). Third, the government cannot control speech as such. Recently it was ruled that answers to very simple questions (such as your name, age) are considered testimonial, as they require the use of the human mind. Fourth, the Constitution was founded on a normative understanding of humanity, and should not be subject to disproof by science and technology. The words of the 4th Amendment apply to material things, it defends people, not places. It is the task of law to inform and project an evolutionary reading of the bill of rights to new situations. Fifth, Constitutional principles should not vary with accidents of technology. In conclusion, Tribe proposed an additional amendment to the constitution which asserted that "this Constitution's protection for freedom of speech, press, assembly...shall be construed as fully applicable without regard to the technological medium used." The first panel discussion of the conference was titled: Trends in Computers and Networks. Peter Denning of NASA Ames introduced the panel by stating that computers are now under attack due to security being added on as an afterthought. John Quarterman of Texas Internet Consulting then discussed the manner in which user/host names could be made more readable (accessable) on the network. Peter Neumann of SRI overviewed general issues surrounding the authorship of the "Computers at Risk" book, stating that the group involved with the text was primarily interested in motivating efforts towards evaluating safe, secure, reliable systems (and that they only proposed general guidelines in the text). He warned the listeners "don't wait for the catastrophe". Neumann also mentioned the issue of disenfranchization of the poor and lower class who will be unable to access the new technology, stating that "gaps are getting much bigger". Martin Hellman of Stanford University discussed cryptography. He stated that the 56 bit DES standard was set not by technology, but instead by economics. He mentioned a study at Bell Labs that indicated that 70% of all passwords there could be cracked using a dictionary technique. He believes that technology will not solve all of our problems, and that persons who are concerned about social responsibility are not (necessarily) anti-technical. David Chaum of DigiCash spoke about informational rights and secure channels with regard to electronic money transactions. He believes that with an adequately encrypted system there is no necessity for a central, mutually trusted party. The problem is in finding a practical encryption protocol, or a distributed, mutually-trusted tamper-proof box solution. David Farber of the University of Pennsylvania expressed the view that protection schemes might not be "retrofittable" and should be part of the fundamental design of computer architecture, protocols and technology, rather than being tacked on, but he worried that people may not be willing to pay for these design features. Farber also mentioned the possibility of retroactive wiretapping, where archived data could be obtained through invasive means. The second panel session was titled: International Perspectives and Impacts. Ronald Plesser of the Washington D.C. law firm of Piper & Marbury first mentioned that these issues impact on how international business is conducted. Many countries, particularly in Europe, have already established standards with which we must comply. Databases feeding Europe must be concerned with the processing of personal data of individuals. Certain directives have been authored that are so general in scope as to be difficult to apply ("to all files located in its territory" was one example). Tom Riley, of Riley Information Services in Canada, continued this discussion regarding data protection policies. He urged the authoring of a harmonized directive, similar to that for other exports. The United States, by lagging behind in establishing standards of its own, risks the possibility of losing the opportunity to affect these policies as they are being written. David Flaherty entertained the crowd with his "George Bush" speech, stressing that "privacy begins at home". Robert Veeder of the D.C. Office of Information Regulatory Affairs discussed the impact of the 30,000+ messages to Lotus which effectively stopped the production of their CD- ROM database. This electronic lobbying had never been used to such great effect prior to that time. He believes the electronic forum will provide larger access to public concerns. (The impression I was left with was that certain governmental agencies are not wholly enthusiastic about this powerful method of expression, and that they are monitoring the situation.) Next, we heard from a variety of speakers on the subject of Personal Information and Privacy. Janlori Goldman, of the ACLU, discussed the "library lending" project by the FBI. This was an attempt to track library usage habits of foreign nationals. The ACLU objects to this sort of surveillance as well as other similar broad-based methods. An audience member criticized the ACLU's own release of membership data, to which Janlori replied that she did not agree with her organization's policy to allow such releases, but was currently unable to do more than protest against it. John Baker, Senior Vice President of Equifax, described the benefits of information with regard to improved goods, services, prices, convenience and wider choices. (Equifax is an organization which supplies marketplace data with specific information about consumers.) He stressed that people need to understand their rights, responsibilities and opportunities with regard to their published data. He believes that the Lotus Marketplace product was flawed because of the delay involved when customers wanted to "opt-out" of the database. He portrayed a spectrum of controls over data usage, ranging from no restrictions (free speech), through some restrictions (based on impact, sensitivity, access, security and confidentiality), to absolute restrictions (where the available information would have little value). Equifax took a survey on consumer interest in availability of data for direct marketing purposes which revealed that 75% would find it acceptable as long as there is a facility to opt-out. An audience member raised the point that the default is opt-out rather than opt-in. These two speakers were followed by a debate between Marc Rotenberg, Washington Office Director of the Computer Professionals for Social Responsibility, and Alan Westin, Professor of Public Law and Government at Columbia University, with the subject "should individuals have absolute control over secondary use of their personal information?" Marc argued in favor of the statement, using an eloquent oratorial style, and Alan spoke in opposition with the demeanor of a seasoned litigator. Marc made such statements as "we are all privacy advocates about something in our personal lives", "it is the most fragile freedom" and "protect privacy, change the default", stressing that the individual should have the right to control the value and use of their personal information. Alan outlined four major issues: 1. Nature of the secondary use; 2. Society should decide on fair uses, not a nihilistic veto; 3. Underpinning of constitutional democracy; 4. Adequate control protects against potential misuse. He believes that the consumer benefits from the advantages of a knowledge society. No winner/loser of the debate was declared. Speakers continued on the subject of Personal Information and Privacy. Lance Hoffman, of the EE & CS department at George Washington University, mentioned that Japan will be instituting a system of personal phone number calling --- basically you can send and receive calls at your "own" phone number wherever you happen to be situated. This permits very close tracking of individual movements and is a potential further invasion of privacy. He noted that no one has ever received the ACM Turing Award for a socially responsible system, and encouraged positive recognition of achievements along these lines. He also recommended that a "dirty dozen" list of worst systems be compiled and distributed. Evan Hendricks, editor and publisher of Privacy Times, listed many records that are and are not currently protected by law from distribution. Interestingly, video rental records are protected, but medical records are not. He cited an interesting example of a circumstance where a man and woman living in the same home (but with different last names) were sent copies of each other's bills, urging them to encourage their "roommate" to pay. It turned out that the individuals were landlady and tenant. Another interesting fact that Evan revealed was that studies indicate ~30% of social security numbers in some databases are inaccurate. Lists of persons having filed Workmen's Compensation claims have, in some cases, been used to blacklist people from jobs. Hendricks urged people to ban the recording and distribution of human genome information --- some parents voluntarily provide cellular test results in case their child is later missing or kidnapped. There is no way to know how these records are likely to be used in the future. Tom Mandel, director of the Values and Lifestyles Program (VALS) at SRI, spoke in favor of the Lotus Marketplace product. He felt that the 30K response was not representative of the general public, and believes that a small percentage of "media sophisticates" can have apply greater leverage. He noted that VALS is currently involved with a joint venture with Equifax, who is currently involved with a joint venture with Lotus. Willis Ware, of the RAND Corporation, chaired the HEW committee that led to the 1980 privacy act (a reporter preparing materials for publication can not be searched). He felt that the government previously was considered to be a threat to privacy, not a protector, and considers the privacy issue as one of social equity. He indicated that personal information should not be considered to be private property, and should be shared in an equitable manner. To apply royalties for usage would place a tremendous impact on costs. He noted that the databases behind airline, pharmacy and point-of-sale systems may be open to access by various groups including the Internal Revenue Service and Drug Enforcement personnel. Simon Davies, a member of the law faculty at Australia's University of New South Wales, provided a sobering criticism of this conference and the United States' policy making processes, stating that the conference was too "nice" and "conciliatory" and that the "US is an embarrassment to the privacy issue". He used the term "pragvocate" (pragmatic advocate) to describe policy-makers who are well-trained, say the right things, and denounce extremes, giving environmentalists as an example. He reminded us that the basis of the US system is not to "opt-out" --- no one would write to the LA police asking "don't beat me up". Davies alerted us to the fact that Thailand, an oppressive military government, is currently purchasing US technology to provide smart ID cards for their citizens. He noted that the Smithsonian Institute awarded them a trophy for their use of technology. He stated that the United States is encouraging similar activities in the Philippines and Indonesia. A somewhat light-hearted after-dinner talk was delivered by Eli Noam, of Columbia University's School of Business, on the subject of "reconciling free speech and freedom of association". He suggested that phone systems be established whereby individuals can provide their friends and associates with special access codes so that they can dial them. Others can call, but at a higher rate. (Note that this would likely have an adverse impact on legitimate business and social calls as well as possibly reducing undesirable calls.) He stated that presently "no computer can write the 4-line plot capsules that appear in TV Guide", with regard to the failure of AI systems. Noam questioned the lack of policies concerning what happens to an information data base after an individual's death. He concluded with the statement that for "all digital systems --- 0's and 1's are created equal." The second day of the conference opened with a session on Law Enforcement Practices & Problems. Glenn Tenney, well known as the organizer of the Hacker's Conference, chaired this panel with little comment. Don Ingraham, Assistant DA of Alameda County, Calif. (who, during a tutorial earlier in the week, distributed information on the writing of search warrants), gave a fantastically humorous presentation. He spoke of the "pernicious myth of cyberspace" and declared "you ARE the country". He mentioned that systems exist with "the security built in of a sieve" and that people have their information on these systems, but not necessarily because they want it to be there. He feels that the attitude of "don't worry, we don't need standards" is a poor one, and that laws should be written to let the people know what the rules are. He would rather see an organization formed called Sociable Professionals for Responsible Computing (instead of CPSR). He finished his talk by saying "if you don't do it, who will -- if not now, when" (a Talmudic quotation that he used without citation). Robert Snyder, of the Columbus Ohio Police Department, presented the view of the "cop on the street". He spoke of his naivete when first entering the field of computer law, and how much evidence was destroyed at first by listening to suspects who told him to type things like "format c:" in order to access the hard disk. He has encountered situations where the suspect actually does not know what is on the system --- some of these are cases where a parent is running a business and a child is using the machine for illicit hacking purposes. In these cases, even though he has a warrant to obtain all of the computer equipment, he often will not shut down a legitimate business. He brought up the issue of unregistered software sitting on a confiscated system. There are liability problems dealing with the return of such materials. Basically he stated that the law enforcement personnel require further education and training, and should operate within guidelines but with prudence. Donald Delaney, Senior Investigator with the New York State Police, began his talk by relating how when his home was burglarized in 1985, he experienced a feeling of violation. This feeling is much the same with computer crime. Many firms experience a loss of income from such activities. In his experience, many of the people caught are engaged in more crimes than the ones they are charged with. Dale Boll, Deputy Directory of the Fraud Division of the U.S. Secret Service, spoke of the various forms of access device fraud (credit card, ATM, passwords, phone access, frequent flyer numbers, etc.). He stated that it is illegal to posses counterfeit access devices and that if you have 15+ illegal access devices or numbers in your possession, you may be a subject of federal investigation. They have a 96% conviction rate. ATM cards can be manufactured illegally using cardboard and regular audio tape. The credit card industry is now losing $1 Billion per year. An audience member asked if they are using programs like Gofer (grep for UNIX hackers) to search for information they want on bulletin boards and networks. He replied that although they own this program, they use it personally and not for investigation purposes. The next session, on Law Enforcement and Civil Liberties, had seven participants, none of whom were given much time to present their views. I will briefly highlight what they said here. Sheldon Zenner, the Attorney for Craig Neidorf said that the prosecutors had originally sought a 2-year sentence, and that thanks to many of the people at this conference who rallied to Craig's support, they were able to get him off. Mark Rasch who defended the internet worm case stated that the expectation of privacy is changed because of the technology employed -- - technology affects behavior. Cliff Figallo, manager of the WELL (Whole Earth 'Lectronic Link, popular among many Bay Area participants as an alternative means of accessing the Internet) addressed his concerns about overuse of law enforcement. He wants his users to feel safe. Sharon Beckman, Litigation Council to the Electronic Freedom Foundation (EFF) and Attorney for Steve Jackson Games (whose computers were seized, when one of his fantasy games was perceived as being capable of training users to "hack" into computers) stated that underlying values of the constitution should be interpreted in terms of today's technology. Ken Rosenblatt, a District Attorney covering the Silicon Valley area, stated that he is charged with upholding civil liberties and feels that the laws are presently adequate. Mike Gibbons, Special Agent for the FBI, mentioned that he worked various white collar cases, including the 75 cent case (described in Cliff Stoll's book), and the Robert Morris case. He feels that there are various classes of computer crime, including impairment, data theft, and intrusion. Mitch Kapor, founder of EFF, stated that the "electronic frontier hasn't been settled yet" and that we should not stifle the "network petri dish inventing the future". He questioned the nature of reasonable search, stating that there haven't been enough cases yet to establish a meaning for this in computer law. Everyone should be protected from tyranny, not only hackers. He looks at the EFF as a means of civilizing cyberspace. The matter of free speech was discussed in the questioning session with the panel -- much speculation was directed towards the legality of discussions of bomb-making, system hacking, and the publication of other potentially lawless activities on the net or in technical papers. Other comments included the fact that law enforcement cannot seize an entire post office, their search must be limited to the mailbox of the suspect. This analogy applies to computer networks as well, although the volatility (ease of total destruction of evidence) of computer data is of concern to investigators. As I had an extended and quite insightful conversation with Russ Brand over lunch, I returned a tad late to the next session, on Legislation and Regulation, and was only able to catch two of the speakers. Elliot Maxwell, Assistant Vice President at Pacific Telesis stated that it is "difficult to have simple and specific rules". Paul Bernstein, whose LawMUG BBS and Electronic Bar Association is well known among the legal community, stated that one should "use mediums that exist -- participate in fashioning the laws." The most eye-opening session of the entire conference, in my opinion, was the following one on Computer-Based Surveillance of Individuals. It opened with Judith King describing the FBI Library Surveillance Program, where the reading habits of foreign nationals were investigated. She stated that many librarians want laws to protect the confidentiality of users, and some statutes have been passed. Karen Nussbaum, Executive Director of 9 to 5 (on which the film was based), gave an accounting of the monitoring of employees in the workplace. Currently over 26 Million employees are having their work tracked electronically, and over 10 Million have their pay based on computer evaluations. The personal habits of the worker can be monitored, one can look into a user's screen and see what they are doing or even send them messages. She described the "corporate plantation" as a place of stress, humiliation and harassment. Gary Marx, Sociology Professor at MIT, gave a whirlwind assessment of the importance of privacy, some technofallacies (like the Wizard of Oz "pay no attention to the little man behind the curtain"), and steps you can use to protect privacy (the bulk of these useful lists are published in the proceedings). He related how a telephone can be made "hot on the hook" so that you can silently monitor your babysitter, your children or your spouse, when you are not at home. Most devices, such as this one, are perfectly legal within your own house. David Flaherty spoke again, this time in a more serious vein, saying "we are living in a surveillant society" and "you have to make daily choices about what you are willing to give up about yourself." The second day's after-dinner speaker was William Bayse, Assistant Director, Technical Services Division of the FBI, who discussed a newly created national system called the NCIC-2000, under the topic of "balancing computer security capabilities with privacy and integrity". He began by asserting that crime has become more mobile and that conventional crime-tracking methods are inadequate. For example, he said, many missing persons actually want to remain missing. He feels that the accuracy of records is imperative. Various information bases have been formed, including lists of stolen items, vehicles, and wanted persons. Presently 65,000 officers are using this system, with 360M transactions annually, at a cost of 3 cents a transaction. For an example of effectiveness, over $1.1 Billion in vehicles have been recovered. Proposed, but not yet implemented is the portion of the system which provides a live scan of fingerprints at the scene of an arrest (or when someone is stopped for a motor vehicle violation) [with the intended purpose of considerably reducing false identifications... PGN]. Much criticism was generated from the audience regarding the potential misuse of this system for harassment, and the retention of fingerprints for future use. Marc Rotenberg addressed Bayse questioning why documents requested under the freedom of information act from his agency have still not been supplied, and stating that currently a lawsuit is pending to obtain their policies regarding monitoring of computer bulletin boards. Bayse refused comment. The final day of the conference opened with a session on Electronic Speech, Press and Assembly. Jack Rickard of Boardwatch Magazine mentioned that bulletin boards are highly specialized, primarily funded by individuals, and are in their embrionic stage. David Hughes, Managing General Partner of Old Colorado City Communications, added some color to the conference with his western garb (10-gallon hat, bolo tie) and use of his laptop for the notes of his speech. He described himself as a "Citizen of the Western Frontier of the Information Age" and drawled, "Read my Cursor". He described electronic speech as "fingers of the tongue with the ear for the eye --- but it is still speech". In describing US history, were it to have occurred today, Jefferson would have used a Macintosh, Adams would have used a PC, but "Tom Paine would have put Common Sense on a private BBS with a Commodore 64". "Don't tread on my cursor!" he cried. George Perry, Vice President of Prodigy, began by saying that he did not want to engage in discussion on the dispute, but then stated that "Prodigy does not read private email". Prodigy is a privately owned and operated company which believes that the market should be allowed to decide what services need to be provided. The Constitution regulates free speech with respect to the government, Prodigy thinks of itself as a publisher. Lance Rose, a NY Attorney, enumerated the types of rights afforded to individuals and companies with regard to ownership, including trade secrets, confidentiality, trademark, copyright and patent. There is currently a great diversity of laws which service providers must adhere to, making the provider, in some instances, a law enforcement agent. During the open comment section, Hughes noted that very few legislators are currently on-line, and he thanked Prodigy for preparing the NAPLPS market (for his products). The notable talk in the Access to Government Information session was David Burnham's (Co-Director and Writer with the Transactional Records Access Clearinghouse [TRAC] in D.C.). He stated that "badly administered agencies are more damaging than rogue operations". The objectives of TRAC are to obtain transactional data >from federal enforcement agencies, such as the IRS, NRC, and Justice Department. He demonstrated how the raw statistics could be combined with additional figures regarding inflation, population, and margin of error, showing that the so-called "trends" of increasing crime, or increased non-compliance with tax law, were actually flat lines when the mitigating factors were added in. The final panel discussion was on Ethics and Education. Richard Hollinger, Sociology Professor with the University of Florida, asserted that the "same officers who are investigating computer crimes are the ones who are protesting computers in their patrol cars because they feel it would be oppressive." He is concerned with the industry's encouragement of the use of computers in schools, before rules for their ethical use have been written. Donn Parker with SRI stated that laws are needed in order to convict hackers. Convictions have a "very good effect on our whole problem", he said. He referred back to the 60's when the ACM and IEEE drafted codes of conduct, and said that these should be popularized. He believes that one can not teach ethics, that it comes from interpersonal relationships, and (for him) the Christian religion and the Bible. One can teach, he believes, the application of ethics, beyond the golden rule. He delineated three rules: 1. The Owner's Rule - you choose to issue your property into the public domain, or not; 2. The User's Rule - you assume everything belongs to something else, unless otherwise informed; 3. The Hacker's Rule - systems are free, everything should go to the people (which he rejected as childish, not worth considering). He suggested that we consider the dilemma of Descartes -- if it is OK to start by stealing pencils, where then can we draw the line? Dorothy Denning spoke briefly regarding the network uses by children (Kids Net). She speculated that we should teach them something about hacking in order to take the mystery out of it. She compared telephone fraud by children as a more sophisticated version of the "is your refrigerator running" prank. The Education and Ethics panel continued with the softspoken John Gilmore, a "generalist" with Cygnus Support. He warned that we are losing the larger open society. The US is currently #1 in percentage of population in jail. He spoke of drug usage as a victimless crime. John asked the audience "who has not broken a law in the past month?" Only a few raised their hands. He then asked "who here has all their disks clean -- free from something you would not want them to find if you were investigated?" About 15% raised their hands, but after pondering it, a number of them lowered them (the person behind me muttered that he had some shareware for which he had not paid). Gilmore said "privacy is a means -- what is the end we are looking for? Tolerance." He urged real privacy of personal communications, financial transactions, things should be as "private as that thought held in our minds." He demanded that we stop building fake systems -- laws that dictate that you "can't listen to cellular phone calls" -- and instead build real protections into your systems and buy them from others. His talk received a standing ovation from the vast majority of the audience members. The remaining panel speaker, Sally Bowman, a Child Psychologist with the Computer Learning Foundation, stated that her organization is working to raise awareness and solve a number of problem areas. The problems she outlined were: 1. Lack of awareness of the magnitude of the problem. Software industry is being hurt by piracy; 2. Many misimpressions -- confusion, lack of information; 3. Lack of teeth in software copying policies; 4. Lack of strategies in teaching ethics; 5. School budgets are too small to allow legal procurement of software. Her organization is presently educating parents as to the "tell-tale" signs which indicate whether a child is "abusing" computer systems. The concluding session, entitled "Where Do We Go From Here" was staffed by a number of the conference speakers. They overviewed their feelings regarding the issues raised during the sessions and made general comments with respect to what they might do to raise awareness and resolve some of the problems. Throughout the conference many pamphlets, brochures and newsletters were distributed. Although it is infeasible for me to provide copies of this literature, interested parties can contact me or Jim Warren (jwarren@well.sf.ca.us) to provide source names and addresses. Some of the more interesting items (in no particular order, just how they happened to come out of my briefcase) included: - Brochures from the Cato Institute "Toward a Moral Drug Policy", "America's Counter-revolution", "The Semiconductor Industry and Foreign Competition", "The Promise of High-Definition Television: The Hype and the Reality", and their publication catalog. - Matrix Information and Directory Services Newsletter. - The Manifesto of Militant Humanism. - "Are you a Hacker?" by Robert Bickford, reprinted from MicroTimes. - Call for formation of a World Privacy Network. - An advertisement for SafeWord Software (password checking/protection). - Condom distributed by Anterior Technology (they market a system whereby you can retrieve the first 80 characters of emails while out of town). - "The Bill of Rights is Under Attack" from Committee for the Bill of Rights. - Hollywood Hacker Info, reprinted from Computer Underground Digest. - Calif. State Assembly Bill #1168 on Personal Information Integrity. - Computer Learning Month - from the Computer Learning Foundation. - The Equifax Report on Consumers in the Information Age - A reprint of John Barlow's article "Crime and Puzzlement" from Whole Earth Review, Fall 1990. - Various brochures from the First Amendment Congress, an organization providing educational materials on the First Amendment. - Policy papers from the League for Programming Freedom including "Against Software Patents", "Lotus Disinformation Forewarned is Forearmed", and the Effector (its newsletter). - CPSR reprints of newsarticles regarding the Lotus database. - Promotional literature for Ted Nelson's Xanadu. - Brochure for the Community Memory BBS, and its newsletter. - Brochure for the Art Com Electronic Network. - Brochure for the International Society for Individual Liberty. - Various copies of MicroTimes. - Application forms for CPSR and the League for Programming Freedom. - Rel-EAST, the east-west high-tech business report. - Suggested reading on how computer crime is investigated from Don Ingraham. - Book promotional literature including: "Rogue Programs" edited by Lance Hoffman, Van Nostrand Reinhold "Protecting Privacy in Surveillance Societies", David Flaherty, University of North Carolina Press "Spectacular Computer Crimes", Buck Bloombecker, Dow Jones-Irwin "Using the Public Library in the Computer Age", Westin & Finger, ALA. Directions & Implications of Advanced Computing, Vol. 1 and Proceedings >from 88 and 90, CPSR. - Flyer announcing "The Privacy Project" an NPR series (for which I was interviewed) to be broadcast in the Fall of 1991. - Flyer advertising "Your Expanding Infosphere" an NPR ComputerTalk Program. - Reason, a magazine for "free minds and free markets" whose cover story was on cryogenics. - Flyer on the National Apple Users Group Conference, June 7-9, 1991. - Flyer on the Silicon Valley Networking Conference, April 23-25, 1991. - Flyer on the third Chugach Conference, University of Alaska, Oct. 3-5, 1991. Plus Center for Information Technology News from U. Alaska. - Flyer on the Calif. Forum of the First Amendment Congress, May 6, 1991, Stanford University (free to the public). - Flyer for the Electronic Democracy Conference, Sept 4-5, 1991. - Calls for Papers from: The National Conference on Computing and Values (Aug. 12-16, 1991) Directions & Implications of Advanced Computing (May 2-3, 1992) I returned home with a broader idea of the many facets of the computer freedom and privacy issue. I must now admit to being more worried than I was before I attended this conference, as to the lack of solutions being offered by my colleagues. Perhaps this meeting of the minds is a first start. More work needs to be done. R. Mercuri mercuri@gradient.cis.upenn.edu The following are some addenda & corrections to my trip report on the Computers, Freedom and Privacy Conference, with thanks to the individuals who provided additional details and insights. 1. A second CFP conference has been scheduled for Spring 1992 in Washington, D.C. -- the general chairman will be Lance J. Hoffman. 2. Later figures for the first conference indicate that Jim Warren's losses may not have been as severe as he had indicated when I spoke with him. 3. Although the formation notice for alt.privacy indicated that the US Privacy Council was created AT the CFP conference, Lance Hoffman has informed me that this organization was actually formed PRIOR to the conference. Its first public meeting was held during the conference period but otherwise had no official conference involvement. 4. Robert Veeder works at the Office of Information Regulatory Affairs IN D.C., a branch of the federal Office of Management and Budget. 5. Mark Rasch prosecuted (not defended) the internet worm case. 6. Dorothy Denning wrote to me, mentioning that "the main point I tried to make in my talk was that we are letting our young people down by not taking responsibility for bringing them into the computing and network community as responsible users." My brief comments of her talk could lead a reader to believe that she was somewhat cavalier about the issue, which was certainly not the case. 7. The "sandals of Silicon Valley to the dark suits of Washington" quote should be accredited to Terry Winograd. 8. Judith Krug (not King) spoke in behalf of the American Library Association. 9. In Dave Hughes' talk, he had Franklin using an Apple and Jefferson using Word Perfect running under Windows (far more comical than what I had recalled). Considering the length of the conference and quantity of speakers, I am relieved that my errors and omissions were so few. Yours in good journalism, R. Mercuri mercuri@gradient.cis.upenn.edu --