Blogging about blogging
It's so bloggy to talk about blogging, but I have to say that blogging the terrific Yale cybercrime conference gave me new insights into the blogging process.
This was a truly enjoyable conference, made more so for me by the fact that I wasn't performing myself. I had no paper to sweat over and revise at the last moment. So, instead, I could work at absorbing what people were saying. For me, blogging forces me to focus on the themes being brought out in real-time. Then, when I've finished an entry, I can see it as a whole — beginning to end, introduction to triumphant conclusion. This not only helps me to grasp what's going on but also reveals to me what makes a presentation great.
What makes it great? Clarity, forcefulness, meta-ness. Many of the speakers at the Yale conference had all of these qualities. (Michael Froomkin has these things going for him too, and I was busily blogging his talk when my right fourth finger slipped and I pressed a mysterious “backwards” function button that wiped out my entry. Sorry, Michael.) A beginning, a middle, and an end. A strong voice. Not reading from notes. Conviction laced with a sense of humor. Awareness of time (great speakers never run short on time). And, most importantly, something to say that matters — and that the speaker deeply understands.
Sitting in the timeless classroom (literally — Yale's Room 127 has no clocks, but does have a lot of portraits on the walls), I felt that I was contributing in some way by writing about what was going on. I probably felt a little guilty about being there “just” as a participant rather than a speaker, but blogging gave me something to do. (Note to self: do not respond to IMs from two different people at the same time while attempting to record what's going on — this happened during Zittrain's talk, and I'm sorry. Sorry, Jon.)
So, although blogging means you DO sometimes have to say you're sorry (after all, if I'd gotten distracted while taking hand-notes no one would know), it adds a dimension to conferences that I enjoy.
Jack Balkin
Jack Balkin is up. He presents three problems:
first, what are the different forms of cyberprotest, and how do they relate to the freedom of speech?
second, what is the conflict between freedom of speech and other rights (let's clump those rights as “property”)?
third, why is cyberprotest difficult to do?
First, point of freedom of speech is to support democracy.
Think about different forms of cyberprotest as different forms of technologies; eg, sit-ins, hack-ins, allow small cells to do information-sharing (to get around filters), google-bombing (more). You can divide types of cyberprotest that enhance free flows of information (routing around) from those that block the flow of information. Both types can be disruptive — but in different ways.
But this is a rough cut: Although the idea of freeing information sounds “good,” and the kind of thing activists would be interested in, there may be times to limit the flow (viruses, worms, child porn). Central question is under what conditions is it a good idea to use code to free up the flow of information.
Second: You have a factory, people organize, decide to walk out. Is this freedom of association/speech or criminal conspiracy and destruction of expected profits. Beginning of 20th century, walkouts are seen as destruction of property. Then a big debate over what part of this we call speech and what part we call destruction of property.
This is the same problem we have with cyberprotest.
Three phases of protest: first, courts say this is conspiracy and destruction of profits; second, courts say this is freedom of association and speech (AFL v. Swing, eg). Labor unions have right to organize, even if action lowers profits. So we get to the third stage: now labor protest treated as a highly regulated subject, treated in labor law. Completely out of the First Amendment category.
Balkin is not saying these same three stages will happen. But boundary between speech and destruction of property is not a fixed line. It changes over time through social movements. So our view of what's “appropriate” for cyberprotest will inevitably change.
Back to the first rough cut: blocking v. facilitating. That's too simple. But there's no a priori way to divide what's cyberprotest and what's destruction. Dead cow (Oxblood Ruffin hacktivist group) focuses on routing around, which seems appropriate to Balkin. They also, interestingly enough, say that they don't want technologies to be used for “illegal” speech (like child porn). But what's the baseline for determining what we think of as illegal speech? Dead cow seems to be working with US baseline re what's “illegal”. But that choice of baseline is worth talking about. An important question.
Third point: what produces the development of technologies of cyberprotest. Answer: The Temptations. Balkin will explain the link.
The key problem in cyberspace speech is proximity and attention. Have to get the attention of your audience, and have to get next to them (picket around them). Find some place where people interested in your speech will listen to you.
Balkin student wrote a paper about cyberprotest. His conclusion was that internet didn't create spaces in proximity to other spaces. You can move easily around, but you can't interpose yourself between audience and person you're criticizing. Everyone is your neighbor but you can't get next to anybody. “I Can't Get Next To You, Babe” — that's The Temptations.
Virtual worlds allow this kind of proximity. Eg, Third Voice required that the audience join in, to get attention of people who agree with you AND disagree with you (and have no idea you exist). [what about Gator?] Interest in 1A is also to encounter people you don't know. Eg, parody sites! Will take creative minds to design these spaces that will solve problem of proximity and attention. When they arrive, let's not assume that they're destroying property, but decide whether they're promoting basic democratic values of routing around and glomming on.
Bravo!
Jonathan Zittrain
Jon Zittrain is up now to talk about filtering in China and circumvention of such filtering. And hacktivism.
Shows a DMCA notice received by Google for infringing search listing — threat is that Google will be sued unless it takes result down. Google even says that there are things you're not seeing. So Google is cooperating in taking things away from public view (supply side filtering).
If you're China, and you want to stop your citizens from seeing things, you stop people from even seeing google.com (shows search page from Beijing University). Shows lists posted of blocked sites. All of MIT and Brown blocked; and all US courts.
JZ did a dialup to Beijing (from his office in Cambridge) to see what could be seen — but that was expensive. Then Ben Edelman and JZ asked Chinese servers what was available (eg, search results on google.com for “Tibet” — top search results unavailable from Chinese servers). And people out in the world found many other additional sites blocked. Over 50K were blocked.
Doing this work is becoming more difficult. (And empirical research is hard!) Effort to do this entails assuming that China blocks sites for everyone (or not). Looks as if what's going on is more subtle. If you type political name into Google, suddenly you won't get access to Google any more.
Evolving towards a drivers license approach - eg, junior highs do this. Maybe countries may someday as well — AUPs for citizen use. We'll be taught what we should do and what we shouldn't.
Saudi Arabia also does this — and allows sites to be unblocked. Gave JZ two weeks to see what's blocked. Both SA and China block some common things (like Amnesty International).
Pennsylvania does this too. Discusses Pappert case statute. Order can go out to PA ISP saying don't allow Pennsylvanians to go out to particular sites. (JZ didn't mention that CDT is leading this litigation; see ABDavidson presentation.)
JZ is tracking all of this using the OpenNet Initiative. Accepting help.
Now: circumvention. OpenNet has a circumvention lab in Toronto. Internet offers opportunity to unhook civil disobedience from wrong being attacked — before maturation of social moment. [distracted for a few minutes]
Quick tour of JZ efforts. Thanks!
Lee Tien
Lee Tien: How does a user know when a device has been redesigned to limit what the user can do?
Deeply, this is a question about the nature of law. We have a legal sense that appeals to a sense of legitimacy and discourse. Where architectural regulation hides what it does, we're heading out of law and into instrumental control. We're leaving the realm of law and any moral dimension/legitimacy issue.
Cf. seatbelt regulation. Everyone knows about that and can see it. But when we talk about privacy we're talking about govt attempting to change the conditions of social experience. From a 4A standpoint the standard is reasonable expectation of privacy — and if we have no concern about govt steps to design things, we won't know what has happened to our privacy or what is reasonable. We won't have the opportunity to experience that privacy. (eg, never having had doors on phone booths would have changed the Katz result).
So rearchitecting network to expose information (creating an audit trail, as Nimrod suggests) may foreclose personal experiences that might inform expectations about privacy. Eg, zipcode plus birthdate is enough to re-identify 80-90% of data — triangulation is very easy. Yahoo! gets this information all the time from users. Do I know what the invisible consequences of my actions are? What do you need to know when you're on the internet or using DRM? How is it that you know you're being injured in some way?
Do users need to know design options (could it have been done differently so this wouldn't have happened)? Without knowing the harm, how can your expectations be shaped?
When you're dealing with systems, parts of these systems are in shadow — so we can't know how these work (eg, PCs, telephones). Metaphor of architecture means we only perceive in bits and pieces.
Finally, in the world of enforcement — we don't talk much about the way automated enforcement changes things. Rules can have a normative career; enforcement of rules is an entrepreneurial event. You make a decision, using your discretion, that has cost. That's not the case in architectural decisions to enforce. Additionally, architectural enforcements are private and unseen. We can't work on the social meaning of a rule.
Excellent, thoughtful talk by Lee.
Paul Ohm
Paul Ohm gets up and confesses that his boss is John Ashcroft. Gets a laugh (post John Podesta talk last night about Ashcroft as destroyer of civil liberties).
Technology in the courtroom: Too much of it, and not enough of it (“hyperlinks are typically blue”).
Digital evidence review: we look at hard drives for things (what will they do when hard drives go away?).
But question is: is the person looking at hard drive an expert? Do we need a Daubert hearing? Usual answer is “yes.” If we're going to have someone saying child porn is there, we need to be able to say that person was an expert. Certification as an expert is viewed as needed.
But it shouldn't be that everyone talking about a hard drive file has to be qualified as an expert. Eg, if someone pulls fibers on behalf of the FBI, we don't need to say that person is an expert. This high hurdle won't change Ohm's job — there are plenty of resources there. But for small-time prosecutors, it creates enormous costs.
Second: Court opinions in the surveillance/search and seizure field are rare. And they describe technology clumsily. Where statutory construction depends on this, we're in trouble. It's not that judges can't understand technology, but analogies don't work well, and litigants don't help them, and labels for things change rapidly. Eg, arguing to the court that “the internet is like a giant tube, and if you put too much into it it will burst” (for distributed denial of service). Doesn't help people understand things.
And even use of “email” as a term, without further description or definition, doesn't help people much. Over time, things change. So we can't understand the scope of the precedent.
Eg, under Stored Communications Act, what does “electronic storage” mean? Defines line between search warrants (storage) and subpoenas (if not storage). Kozinski focused on “backup protection” element — all email systems are in backup protection. But what's he talking about? POP, IMAP, webmail? Entire logic turned on this distinction, but we can't tell what's going on.
In CDA case: Stevens says web pages “generally also contain 'links' to other documents created by that site's author”… “typically, the links are either blue or underlined text”
He gets a big laugh and applause.
Nicolai Seitz
One of the paper-writing winners (Nicolai Seitz) is standing up to talk about the problems of transborder enforcement of requests for information.
In 80% of all German cases, access to data located abroad is necessary for criminal investigations involving the internet, he says. Usually, people ask for letters rogatory, but this takes an enormous amount of time. And evidence is often deleted. There have been some improvements in the EU cybercrime convention, but these are often inadequate.
The solution? Transborder search might do it. But this might violate the international principle of territoriality. And, such efforts might make changes on foreign soil.
He points to cybercrime convention. Article 32(b) doesn't cover transborder search without consent (does cover search with consent). There's a case (Ivanov-Gorshkov) that does touch on this issue, but FBI has overreached and we're worried (FBI accessed password-protected servers in Russia and downloaded evidence in form of data). Terrorism may be seen by FBI as a good enough reason to trigger transborder searches and create admissible evidence.
This Russian case is an egregious example of overreaching by US, and we would be outraged if they did it here. But it underscores the need for some transnational cooperation agreements about this subject. We have no standardized international practices. Seitz thinks foreign retrieval of not-freely-accessible data should be illegal.
Marc Rotenberg
Richard Clarke is the Washington personality of the week. Marc Rotenberg testified in early December 2003 before the same Commission on a separate issue re security/privacy issues for going forward in preventing attacks.
Four key points he made then:
1. long tradition of privacy protection for communications and records stored by governments. Established during times when US faced nuclear weapons, unrest, assassinations — but Congress went ahead and set them up.
2. Sept. 11 provides major challenges, and the people involved in coordinating in govt. efforts completely changes the Terry landscape. Checks and balances have been changed.
3. Our understanding of privacy enhancing technologies following 9/11 has changed. We thought there were tools that could enhance privacy — TIA bothersome because message was that it would protect privacy, because govt surveillance under it would be less intrusive than other alternatives.
To understand this issue, three dimensions:
1. What do we mean by privacy enhancing.
2. What's relationship between federal govt and legal obs to safeguard privacy
3. How does this all work in practice.
First, definitional problem. What is a privacy enhancing technology? Prior to 9/11, we all thought definition was an electronic world where transactions could occur that were verifiable and authenticated, but personally identifiable information wouldn't be necessary. So these techniques would limit use of this personal information.
In the physical world, we can imagine cash, postage stamps etc. — forms of value that allow transactions without personally identifiable information. How translate this to the online world? This was our core concept prior to 9/11.
No one proposed in Florida in 2000 that there should be an availability to check that vote had gone through. Why? Because concept of anonymity at that point, and recognition of need to sever transaction from surveillance is a core part of our democratic society.
This concept of a privacy enhancing technology was derailed by two processes: first, in the private sector, the view that we wouldn't provide legal obligations to collection and use in the digital world. it's just notice and choice. So we saw P3P emerge to translate rights and obligations into a market-based transaction where anything goes.
Post 9/11, law enforcement said we need to enable surveillance that respect privacy — but what they meant by privacy was “within the context of a larger scheme that anticipates surveillance.” So, when a vote is cast, it becomes possible to link transaction back to the identified individual. That's a principle without a boundary.
Rotenberg thought this idea died in the Clipper chip era. People then said to open the door to this form of storage would create unlimited opportunities for abuse.
Now our challenge is: where do we stop? If you assume all information might be useful in some investigation, where do we draw the line?
Go back to Brandeis dissent in Olmstead v. US. What would be the appropriate 4A standard to apply to the conduct of telephone surveillance? Was this warrant-based, or just out there in the ether? Court said no physical entry has occurred, it's just information out there in the ether; if you are concerned, go to Congress.
Holmes dissented (“a dirty business”). Brandeis said: look at surveillance in electronic space — this is far more invasive than what would happen in physical space. In electronic space, we're unbounded by space and time. Could be lots of people talking, on many different subjects. He argues for a higher standard of oversight, because oppty to obtain information is so vast.
When you go to wiretap statute of 1968, it's a “super warrant” when compared to what you get in physical space. Constitutional response is based on fear that govt will overreach.
So answer about incorporation of techniques to protect privacy post 9/11 is to keep in mind: to the extent actors seek to comply with legal obligations and claim that they are “privacy enhancing,” then technologies must incorporate auditing, transparency, all other requirements – because of the enormous risk of government misuse.
Sonia Katyal
Sonia Katyal is up, reminding us that it's important to think about the relationships among public/private law enforcement and surveillance. Cyberspace allows us to contemplate the limits and possibilities of architecture and law.
Focusing on piracy surveillance: monitoring users. Convergence between modes of consumer surveillance and law enforcement — but quite distinct from both. An extrajudicial regime of copyright enforcement that poses serious complications for privacy, security, and anonymity.
Basic premise of the paper is an architecture of p2p transmissions. Rise of piracy surveillance in cyberspace is attributable to this type of architecture. In property, we have bricks for architecture; in cyberspace, architecture is permeable, allows facilitation of surveillance. As consumer surveillance rises, we see rise of piracy surveillance. (By piracy surveillance, she means monitoring that encompasses private notions of infringement; done privately; extralegal — outside of ongoing litigation).
Interesting from an IP perspective, because this kind of surveillance alters understanding of IP rights in cyberspace, by giving copyright a predatory and invasive and panoptic dimension. Speech-based judgments as well. Enables a copyright owner to determine whether or not an individual is engaging in fair use (and raises substantial due process concerns).
Three major forms of surveillance: raise similar issues. Eg, monitoring, using smart agents or bots that search for files. Key problem raised by that is seen in Verizon case (challenge to 512(h)). Disclosure of identity with very little real judicial oversight.
Also, problem that similar (but noninfringing) files will be caught up in this.
And how do we protect anonymous speech.
Two other forms of surveillance: DRM collecting consumer information. And interference (self-help).
Normative conclusions: These modes raise complicated questions about the intersection of privacy and identity. We shouldn't avoid enforcement, but should do it to fit freedom of speech and informational privacy. Don't force tradeoff between privacy and protection of property.
Orin Kerr
Orin Kerr is up. His suggestion is that computer-related crimes will end up with a different set of procedural rules – “network” criminal procedures. Even if crimes remain the same, they're committed in different ways. New facts will trigger needs for new laws.
Start with physical world crime — bank robbery. Fred will walk in, go to teller, hands note, teller gives money, goes to car, runs away.
Cop will show up — what does he do? He looks for eyewitness testimony. He also observes what the bank is like and whether there are trace materials of the crime. He will collect physical evidence tying the crime to Fred. Eg, the threatening note.
Fred gets out of prison, says he'll be an online bank robber. He'll hack into the bank. Logs onto ISP and passes through intermediaries to hide his tracks. Sets up account, fills with money, sends money offshore.
Now you're the police officer called to investigate this crime. You'll notice a really different crime scene. No physical evidence, no eyewitnesses. Just zeros and ones. Have to trace evidence back to attacker, but can't do it in traditional ways.
So you start from bank victim, track back through intermediaries. Hope that system admin has these records. Trace back to Fred's ISP, and hope that ISP will help you. But you don't have proof beyond a reasonable doubt — you only have electronic evidence from third parties. You have to get a search warrant and go to the target's home — then forensically analyze Fred's computer. Fred might keep notes (“I'm looking forward to hacking into the bank tonight.”) You seize the drive and image it, then run a string search for that account number. Takes weeks.
Different set of processes. What does this mean for law? Means that we need new rules to regulate these processes. 4th Amendment and 5th Amendment are tailored to the physical world. Eg, search rules are about “the entry of the place.” Also, collecting physical evidence is about 4th Amendment seizure rules. So how do those rules map on to facts of investigations of online crimes?
They don't map well. You either get extraordinarily expansive rules or rules that are too narrow (where there are no real threats). We need a relatively balanced set of rules.
Eg, if you want to get records from a third party, you have to get a subpoena. No privacy protection there. Traditional 4A doesn't apply to third-party stored information. This just isn't a problem in the offline world. So we have new facts where the information is collected and stored in a different way. Old rule doesn't help.
Last stage — forensics. Bunch of interesting problems. If you map what has to happen to 4A rules, you have big issues. For a warrant, you have to describe things and only take that. But in online crime, might be lots of other evidence involved. Can't get a pinpointed warrant — have to seize more than you have probable cause to seize. What about making a bitstream copy? Is that a seizure of a person's computer? Traditionally, no — not a seizure, just making a copy. So govt could run off a copy and search that! But intuitively that seems like a problem.
So what will happen in response to this problem? We've begun to see a new field of network criminal procedure evolving. Eg, ECPA, and 18 USC 2703, regulates process of going to third-party provider and asking for information. So it's more than a mere subpoena. Statute recreates warrant requirement from the physical world.
Similarly, for forensics, courts are creating new rules to cover these last-stage searches. So, eg., in a home, the police can't look for physical information that hasn't been described. But electronically there's no restriction. So courts have changed rule that governs whether intent matters when you're searching a computer. Outside scope of warrant/inside distinction doesn't matter. Subjective intent, though, does matter. We'll ask agent “what were you thinking when you accessed this file.” Courts are responding to changed set of facts by looking at intent.
We'll see more and more computer-specific set of rules. A new body of law to study.
Great presentation. Good work, Orin!
Beryl Howell and Alan Davidson
Beryl Howell, formerly counsel to the Senate Judiciary Committee, is up talking about real-world problems caused by crimes on digital networks. Moral for all three stories: specific laws directed to specific problems are very important. So we need to keep updating these laws to fix mistakes and keep up with changes in technology.
First — leak of many staffers' memos. Two Republican staffers had taken thousands of documents and zipped them up with passwords. Taken from common server. No staffers were supposed to look at other staffers' memos, but permissions were set incorrectly and the files were wide open. Appalling breach of custom. Was a crime committed under the CFAA? Or just an immoral action? What does “authorized access” mean?
“Authorized access” was intended to be a case-by-case inquiry. [note that civil liability requires damage as well, so a higher standard than the criminal part.] Seems to be “you know it when you see it.”
Second case: FBI agents arrive at a suburban house, say computer being used to distribute child porn. Teenager there had downloaded Kazaa, downloaded files that contained child porn, then had become a supernode, being used as a pointer. Teenager had enough files for a felony. Had he been emailing images to his friends? going to specific sites and downloading them beyond Kazaa? Son said he wasn't aware of anything. Child porn is strict liability; hard to do forensic exams because examiners don't want to be in possession of it either. Happy ending: prosecutor declined to prosecute. But signals that technology can take you over a line. Is the user at fault, or the technology?
Third case: Company target of embarrassing emails with sexually explicit attachments (sexually explicit patents) sent on their behalf; clients took business elsewhere. Company seemed incapable of stopping it. Insecure wifi points and student internet accounts used to send these messages; couldn't track spoofer down. Howell's company did an investigation. Complaining emails about these attachments were also spoofed (from “wounded grizzly”). Started talking to wounded grizzly; got an extortion demand for 17 million. Suspect surveilled; able to pinpoint him as spoofer. Arrested him two weeks ago; found ricin and guns in his house. Threats you think you're aware of are just the tip of the iceberg.
So we have a problem: limits of CFAA. Couldn't go after “wounded grizzly” because act unclear; stymied legitimate self-help efforts.
Alan Davidson from CDT is up. Why does criminal law only seem to expand? Does it ever go the other direction? “How many laws have you broken today?” There's a disconnect between social norms and the laws we have on the books. Why can't we allow rulesets to evolve — and why can't we have different views about what's wrong online v. what's wrong offline? A lot of policy FUD here. Will rote application of offline law lead to unintended consequences?
Three quick examples: the case of the nation of felons. How do we think about criminal copyright? Has changed dramatically in the last ten years? We've had criminal copyright for a long time on the books. Was a misdemeanor for a long time. With 1997 NET Act, we got rid of “commercial profit” requirement; instead said if you distribute works of greater than X value over Y days, you're guilty.
And in 1998, DMCA creates new crimes for circumvention and removal of information.
So we're responding to a felt need to protect material, but what's wrong with this picture? Millions of people regularly violate this law. And this is likely to get worse. Expectations offline (first sale, fair use) drive us to use works online. Technology that precludes these kinds of uses will be counter-intuitive for a lot of people. Seems odd from morality perspective — “criminal” activities may not be felt as wrong. And from deterrence/utilitarian perspective; these laws aren't having a large effect. What does it mean for the rule of law if millions of people routinely ignore it?
Two approaches: House Judiciary committee; maybe problem is that it's too hard to bring these cases (so eliminate wilfulness, make a single copy made available on a P2P network trigger wilfulness). Second, give govt civil enforcement powers here. This seems to resonate with online social norm. A speeding ticket and not a felony. We may be overreaching in our expansion of criminal law.
Second: case of culpable carrier. Creating criminal liability for ISPs. Challenge in Pappert case: DA can get ex parte order from judge based on showing that child porn is there; gets order saying “you must block material from this source.” Make sure they can't see this web site. Couple things wrong with that. ISPs block bluntly — by blocking IP address. This blocks all other things hosted there. We discovered over a million blocked based on 500 blocking orders coming out of PA. Well-intentioned law leads to incredible overbreadth. Trend is to look to ISPs to hold liable. Begins to jeopardize end-to-end model.
Third case: case of the aborted Koogle family vacation to France. Tim Koogle subject of criminal action in France based on larger Yahoo! case. So he can't go there. This was ultimately resolved just last year when charge dismissed [is that true?], but leaves open question about how to deal with criminal laws. US govt will certainly do this (eg, Elcomsoft). Calls into question relationship between individuals and govt.
In DC, legislators only expand laws — don't contract them.
Five modest suggestions:
1. go slow re cybercrimes
2. revise defs of crimes and access
3. prefer civil enforcement (things less harmful in the online context)
4. issues of international prosecution
5. tie to social norms more carefully
This was the best presentation on this panel. Very substantive and thoughtful — great job, Alan.
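
The overbreadth Davidson describes in the Pappert example (an order names one site, the ISP blocks its IP address, and every other site hosted on that address goes dark too) can be measured as in the sketch below. This is an added illustration, not part of the original notes or of CDT's analysis; the hosting table, hostnames, addresses and orders are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data (not from the conference): hostname -> IPv4 address.
# Addresses are RFC 5737 documentation ranges; names use the reserved .example TLD.
HOSTING = {
    "ordered-site.example": "192.0.2.10",    # shared virtual-hosting server
    "bakery.example": "192.0.2.10",
    "school.example": "192.0.2.10",
    "clinic.example": "192.0.2.10",
    "second-ordered.example": "198.51.100.7",
    "forum.example": "198.51.100.7",
    "standalone.example": "203.0.113.5",     # never named in any order
}

# Constructed blocking orders: each one names a URL.
ORDERS = [
    "http://ordered-site.example/some/page",
    "http://second-ordered.example/",
    "http://gone.example/",                  # no longer resolves: nothing to block
]


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def ip_level_block(orders, hosting):
    """Model an ISP that enforces each order by blocking the site's IP address.

    Returns the blocked addresses, the hosts the orders actually named,
    the hosts blocked only because they share an address (collateral),
    and ordered hosts that could not be mapped to an address.
    """
    tenants = defaultdict(set)               # IP -> every host served from it
    for host, ip in hosting.items():
        tenants[ip].add(host)

    named, unresolved = set(), set()
    for url in orders:
        host = host_of(url)
        (named if host in hosting else unresolved).add(host)

    blocked_ips = {hosting[h] for h in named}
    blocked_hosts = set().union(*(tenants[ip] for ip in blocked_ips))
    return {
        "blocked_ips": blocked_ips,
        "named": named,
        "collateral": blocked_hosts - named,
        "unresolved": unresolved,
    }


def host_level_block(orders, hosting):
    """Model a filter keyed on hostname: only the named hosts are affected."""
    return {host_of(u) for u in orders if host_of(u) in hosting}


def reachable(host, blocked_ips, hosting):
    """True if the host is still reachable once blocked_ips are dropped."""
    return hosting.get(host) not in blocked_ips


def overbreadth(result):
    """Collateral hosts blocked per host actually named (0.0 if none named)."""
    if not result["named"]:
        return 0.0
    return len(result["collateral"]) / len(result["named"])


if __name__ == "__main__":
    res = ip_level_block(ORDERS, HOSTING)
    print("blocked addresses:", sorted(res["blocked_ips"]))
    print("named in orders:  ", sorted(res["named"]))
    print("collateral hosts: ", sorted(res["collateral"]))
    print("collateral per named host:", overbreadth(res))
    print("host-level filter would block:", sorted(host_level_block(ORDERS, HOSTING)))
```

On real data the hosting table would come from resolving every hostname known to sit on each blocked address, which is why the collateral count can only be a lower bound.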
