Computers, Freedom, and Privacy -- Live Blog Day 1

Good morning from CFP 2011. I will be live blogging to the best of my ability today to provide those unable to attend a small window into the conference.  Be sure to check the CFP media page for pictures, video, and more. The Twitter Hashtag for this conference is #CFPConf

Please note: Live blogging is both for me and you.  These are my notes from the conference.  Nothing should be taken as a direct quote.  These are living posts.  Edits will be made.

Keynote Address
Cameron Kerry: General Counsel, Department of Commerce and privacy leader within the Obama administration:

Cameron Kerry discussed the information economy being built. How data has been used for both good -- economic opporunity and social and political change -- but acknowledged the risks associated with this increased data flow.  Touched on the administration's Comprehensive International Strategy for Cyberspace (PDF) to build out a cyberspace and internet environment that expands trust and the economy while denying criminals and terrorists the ability to exploit that info.

Discussed legislative draft that had uniformed breach reporting requirements to consolidate 46 state laws. The Administration's proposal would impose a new federal obligation on any business entity--with exemptions for certain health-care entities--in possession of personally identifiable information on more than 10,000 individuals to provide prompt notice to affected individuals about security breaches of certain personal data. See:

Kerry touched on NSTIC, encouraging and facilitating a more secure internet.  Green papers on commercial data privacy, free flow of info for businesses, and more.  Commerce green paper series seek comment from individuals and industry to ensure they are capturing needs and way forward that is good for business. 

Commerce released a Cyber Security green paper last week with the goal of responding to threats while remaining dynamic and innovative:

Discussed recent breaches and the need to protect industries.  Highlighted Sony data breach and recent breaches targeting economic data flows (IMF, world bank, etc).  Mentioned attacks at Westboro Baptist Church, PBS, etc. He discussed the sophisticated attacks on RSA and subsequent downstream attacks at Lockheed Martin.

Discussed Department of Commerce's creation of a privacy officer position in response to data breaches internal and external to the agency.

In March, the DoC announced support of a Consumer Bill of Rights.  Based on Fair Information Practice Principles.  Commerce's policy will flush out what those principles will be.  They will not be a depature from the HEW principles or OECD but, rather, seeking to adapt them to the interactive and interconnected world of today.

What will it mean to do business under this dynamic privacy framework?  Privacy policies and notice of choice will still be fundamental building blocks.  Everyone recognizes that notice and choice by itself is not enough.  Everyone here is deeply concerned about data privacy --Kerry polled the crowd to ask who read privacy policies for personal use (not for work).  The crowd barely made a sound. 

Businesses must enter into a new partnership not defined by static privacy policies...but into a dynamic privacy framework that characterizes the regulatory approach and how the businesses deal with their customers and customer data.

Businesses need to enter into a conversation with their customers that will enable their customers to make appropriate trade offs on the use of their privacy through active choices and not through a one time click.  One example is the Just in Time approach.  These need to be contextualized so that they don't lose their functionality.

Mentioned Do Not Track and Privacy by Design.

We are entering a "Darker Scenario" -- breaches and risks and undermining the free flow of information.  As we move to a cloud computing world, the research shows that the barrier to entry is confidence in security and privacy.  It harkens back to the days of e-commerce.  But today if the CC companies themselves cant keep info security, if the gatekeepers to the system cant keep it secure (heartland data payment systems).  The response cant wait for legislation or regulation, it must begin yesterday.  What course the internet takes is in the hands of all stakeholders.  We cant afford to let this moment pass...the future is now.

Panels notes and more after the jump...
Plenary Panel: A clash of Civilizations: The EU and US Negotiate the Future of Privacy
Moderator: Barry Steinhardt: Founder, Friends of Privacy USA; Senior Advisor and Trustee, Privacy International; Member of the DHS Data Privacy and Integrity Advisory Committee
Jan Philipp Albrecht: Member of the European Parliament from the German Greens
Mary Ellen Callahan: Chief Privacy Officer, Department of Homeland Security
Edward Hasbrouck: The Identity Project
Viviane Reding (via pre-recorded message): Vice President, European Commission
Frank Schmiedel: First Secretary, Washington D.C. Delegation of the European Union, Political, Security & Development Section

Jan -- Shared fundamental values across the Atlantic: privacy & rule of law - EU/US class of civilizations.Huge difference between private and public sector. A relationship between people and state, based on fundamental rights and checks and balances.  There are reasons for this.  I can chose to not be part of facebook or e-commerce but I cannot choose to not be part of a state. I don't think there is a problem of fundamental confliuct of both sides of the atlantic, I do see conflict in policy making.  We are in favor of law enforcement and in favor of security but the question arises of what is an effective law enforcement?  What is effective to lower crime rate?  When it comes to terrorism, what is effective? Criminal research shows more surveillance measures never led to lower crime rates. This surveillance debate has taken place in Europe in the last five to ten years.  We dont want to be a policy on fear, we want a secure society without burden of arbitrary surveillance. [analysis: Jan went on to discuss more about surveillance and used an analogy between nazi policies and the US policy toward]

MEC -- Mary Ellen filling in for a DHS DepSec, total win for the audience. Mary Ellen is double booked and had to run out early.  She wanted to stress it wouldn't be the forthcoming questions that ran her out but another speaking engagement.  [Always lead with a good joke...] Raising different Gov't structures influences implementation of shared privacy principles between US/EU.  Discussed checks and balances within US government -- MEC investigating other offices, other offices investigating MEC.  One thing MEC wanted to differ about was data sources: commercial vs. private.  PNR are, indeed, commercial data sets.  Much of the other Law Enforcement Information (LEI) are government records and sharing this information is critical.  US is looking to the leader in government to government sharing.

EH -- Why is there no debate in the US regarding this data transfer and there is in the EU?  Because it is being designed as an Executive Agreement, it won't be binding, and it won't be put to Congress for ratification.  In the EU, it will be binding and will require an act of Parliament. This is very asymmetrical way of doing business. A further asymmetry in the rights, while it is true that the same principals are expressed in the EU and US but there is a fundamental difference in the enforcement.  ICCPR is moot in the US and unenforceable. Neither DHS or other agencies need this agreement -- there is no commercial data bill of rights and the ICCPR is not binding.  They can also already get this data without having to go the European Government and simply get it from the Patriot Act authority of FISA warrants. Privacy Advocates have nothing to gain from this.  The US wont change any fundamental rights.  In Europe nothing is being proposed that would change.  Who needs it / wants it?  1. Businesses that already transferring data between EU/US in violation of existing EU law. They are at least at risk of liability against the EU data law. 2. Would get businesses and regulators off the hook for not enforcing EU Data Protection law. What is needed? Make it a treaty, impose sanctions on companies violating the EU Data Protection Policies. The only reason to gain access to non-suspect data is for dragnet searches. Discussed threats to embedding surveillance into commercial IT infrastructure.  Mentioned a book by Susan Landau, "Surveillance or Security?: The Risks Posed by New Wiretapping Technologies."

FS -- Read with interest the letter sent to President Obama about signing away EU privacy rights.  Not as cynical as Edward. Creative thinking is needed on both commercial and law enforcement privacy.  How we can improve protection for our citizens and overcome differences.  In EU there is a perception that data transfers are one-way, with the US taking more information that the EU gets.  We need more transparency.  US Government is making efforts in that direction.  More protection of rights of Europeans and US.  More sharing of derived intelligence form this data to counter security threats. Sooner or later, we will come to your door and ask for your data and would expect reciprocity. I don't always ask what Europe can do for you but what you can do for Europe to assuage our fears.

MEC -- Rebuttals and thoughts
1. Frank said US gov't may know its citizens more than the EU member states.  As Privacy Officer, I have gotten to know the EU system and one difference I see is the EU use of wiretapes, which is 1000s of times more than US.  That's a great way to get to know your people.  ... When you go to a hotel in the EU, your info is likely transmitting to the police.  We dont know why or how long its kept or where to go inquire about it.

Jan -- There is a huge difference between looking face to face with a police officer vs. being analyzed without knowing about it and being judged by it.  I think we need to talk about all of these analysis techniques we are using.

EH -- We are talking about a lot of data protection rules but we need to talk data use.  Data will be used in ways that will impact peoples rights.  We need to recognize that there are other fundamental rights impacted by uses of this data and have conversations about that.

Viviane Reding -- Our systems our different but we need to agree on how to share and protect that data. Essential for transatlantic data transfers. The conversations are not easy as the issues are linked to constitutional issues on both sides. The conference is a great platform discussing these items.

MEC -- It is the US' intent to have the Umbrella agreement cover case-by-case and program sharing.

One concern about this agreement and the transatlantic transfers in general is that, once transferred into the US and into the hands of the government, that there are insufficient protections for future sharing with other agencies or private sector. 

MEC -- I have heard this before and do not believe it is valid. There is a myth in the EU that there is one giant database in the US.  We take the responsibilities very seriously and the statements made in our SORNs, etc., are very accurate.

Jan -- In EU there is very strict use limitations and in some cases we have forbidden links.  In Germany we had separation between intelligence and policy. There is concern about who is deciding if data needs to goto other institutions.  Europeans would insist on having the originator of data (i.e. the EU) approve and onward transfers. Otherwise I think our systems and principles between the US and EU would erode. 

FS -- Onward transfers are, indeed, problematic and need careful attention.  When we created the privacy directive for private sector we had this adequacy requirements that you could transfer data to other countries only if their privacy policies and adequate.  It is still a concern to which countries our data goes to and how they can protect that data.

Jan -- The existence of the Patriot Act in the US is a big stumbling block for adequacy status from EU

MEC -- completely agree that the originating country should have a say in onward sharing to other countries.

Q&A Session:

Where can find more about this Agreement?

Do Not Track: Yaaay or Boooh?
Moderator: Jim Harper: Director of Information Policy Studies, CATO; Member, Data Privacy and Integrity Advisory Committee of the Department of Homeland Security
Ryan Radia: Associate Director of Technology Studies, Competitive Enterprise Institute
Berin Szoka: Founder, TechFreedom
Chris Soghoian: Graduate Fellow, Center for Applied Cybersecurity Research; Ph.D. Candidate, School of Information and Computing at Indiana University
Harlan Yu: Ph.D. Student, Department of Computer Science, Center for Information Technology Policy at Princeton University
Andy Zeigler: Program Manager, Microsoft's Internet Explorer Engineering Team
Dr. Ed Felten: Chief Technologist, Federal Trade Commission

[Note: I was a bad blogger on this, too wrapped up in the panel and most of my notes are probably biased negatively against the business side and biased positively against the hacker side.]

JH -- We are going to embrace a stupidly partisan tone and set aside ego to discuss Do Not Track.

CS -- Highlighted his Taco FF plugin and how it was co-opted and cloned by the Ad industry.

BS -- Yes, Chris did a good thing.  That's it.

JH --"Chris S you're a market actor, whether your want to be or not. Ha-Ha" (best line of the conference so far)

CS -- Discussed multiple tracking options including device fingerprinting.  He noted it is important to know that device fingerprinting cannot be opted out of. With Do Not Track headers, it could be. 

RR -- There are no silver bullets.  The technologies being used to block tracking are imperfect, that is because there is a huge benefit to using your information online.

BS -- Lets be clear here, we're talking about use specification of information.  Do Not Track is really do not use my information for certain purposes (advertising).

AZ -- Explained how websites work.  You goto WSJ, the address bar says but the page pulls in information from tens to hundreds of other websites.  When you load that content, you transmit information to those tens or hundreds of other websites. 

HU -- Arms race analogy between consumers and companies.  Consumers should not be experts in online security and privacy, they simply should be able to check a box.  The browser would then signal to tracking companies -- via the HTTP DNT Header -- that the user does not want to be tracked.  The onus then goes to the advertising company NOT to track.

CS -- The nuclear option or the reasonable options...block all ads or allow delivery of ads without tracking and profiling.

BS -- I'm very happy that we're talking about user empowerment tools.  I want to see many user empowerment tools.  My point is not that we should do nothing or make it difficult for users.  I think chris is setting up a strawman...the real question is do we set this up via internet standards setting organizations (W3C) or through Congress and legislation.

EF -- Explaining the Do Not Track Header. Discussed how its being created -- lots of buzz words about stakeholders and debate.

BS -- I think a no-cost opt out is not scalable for business.

CS -- scalable for who?  The ad networks?!

BS made a strawman argument using P3P and lack of FTC enforcement with that platform as a means to highlight that FTC is not currently doing enough.

...missed a bunch of notes here paying attention...

This panel reminds me of a few themes from the movie Thank You For Smoking...

RR -- there is an implicit quid-pro-quo when you visit a website...

ED -- What is that quid-pro-quo? Is it arbitrary information collection? Arbitrary tracking?

CS -- When you visit YouPorn -- top 100 website -- are you agreeing for them to exploit a browser flaw and mine your browser history?

Harlan Yu brings it back to the users.  Users want more control.

AZ -- I dont think a lot of consumers think about these issues.  They simply want to visit the website for the content, they dont care about the ads, the search box, and the extraneous fluff.

EF -- one reason there is not a lot of furor over current practices is that a lot of people already think current practices are illegal.
Ed threw down the old hot dog analogy...

...missed lots here...

BS -- We dont user empowerment tools that want block everything with one check box.  What we (biz) wants is to give users a diversity of options that reflect peoples privacy options.

CS -- My question back to baren -- how much time should users have to invest to assert their preferences.

BS -- What we're talking about is creating a market, there is no explicit can only use tools to opt-out. The flip side of opt-put is "i prefer to pay." We want to give them an incentive not to turn the dial all the way to block. [analysis: BS wants to make people pay if they want total blocking]

BS -- I'm not arguing that Mozilla should stop, I just want them to do it in a different and better way.


Where do I fall on the DNT debate?  As a consumer, I want it. I dont want to be tracked and profiled by advertising agencies -- I hardly click on advertisements now because I find it creepy that they are either very tailored to me OR way off base, which begs a question about data accuracy. As someone who understands how the internet works, I am terrified of what it could actually mean.  Does DNT mean, for example, Do Not Log?  Does it preclude the collection of web logs? Does it completely fracture the advertising industry that enables many sites to provide services for free or does it simply allow delivery of non-targeted ads? You can still target ads based on the site's content vs. the users preference. 


CS Tim Wu on Agency Threats (PDF)

Question and Answer Session

A PERFECT example of the confusion of HTTP headers..someone, I think Lillie C, just got up and explained what the HTML header instead of an HTTP Header.

Q: Do we want to move to an opt-out frame of mind? Psych studies showing that tracking actually removes choice from the user.  If a left-leaning person using google, he will only see left leaning results.

A: nothing serious...just a joke from CS...

Q: Is regulation really wanted?

A: CS, i think DNT is, actually, really good for business. It moves the onus back to the browser and the companies to respect it vs. the user. It also shifts enforcement issues off of businesses, i.e. the company that FTC just settled with for the 10 day cookie.

Keynote: Privacy in Public: How Teens Navigate Social media
Danah Boyd, Microsoft. @zephoria

I didn't capture ANY of this.  Danah was too engaging.  She did explain the "private by default, public through effort" idea (one of her famous quotes) in person, which was fantastic.

During Q&A...she noted something interesting regarding the different thinking in different socio-economic classes.  The less affluent kids would not rely on the technology to provide privacy, they would manipulate the technology for privacy.  The affluent kids trust the technology to solve protect their privacy.

Shocking discovery: kids first exposure to sexting came from picking up their parents phones and finding naked pictures of their parents.

The privacy norms for sexting are being worked out on the peer-to-peer vs. the parent-to-child.

Kids are using twitter very privately, the privacy controls are very easy to understand and protected accounts are actually protected.

How Private are Electronic Health Records and Health Information Exchanges?

Tuesday, June 14, 2011; 3:45 PM - 5:15 PM
Hart Auditorium
This plenary will "draw back the curtain" to examine how electronic health records (EHRs) and data exchanges will affect privacy in the US. The federal government is actively promoting untested systems for biosurveillance, research, use and disclosure of every American's health data, both inside and outside the healthcare system.
Moderator: Dr. Deborah Peel: Executive Director, Patient Privacy Rights
Michael Stearns, M.D., CPC, CFPC: President and Chief Executive Officer, e-MDs
Mark Frisse, M.D.: Professor of Management, Vanderbilt Owen Graduate School of Management; Accenture Professor of Biomedical Informatics, Vanderbilt University
Carl Gunter, Ph.D.: Director, Illinois Security Lab; Center for Health Information Privacy and Security; Strategic Advanced Research Projects on Security (SHARPS)
Stephanie Perrin: Manager, Values and Ethics at Treasury Board Secretariat; Officer, Office of the Chief Human Resources
Deven McGraw: Director of the Health Privacy Project, Center for Democracy and Technology
Dave deBronkart: "e-Patient Dave" deBronkart, Cancer patient, blogger, speaker, health IT advocate, co-chair, Society for Participatory Medicine

Sadly, I missed a good part of this in conversation with Shaun Dakin and and Monique Altheim. Caught some of the Q&A session and was too enthralled to take notes. 

Keynote Address: Edith Ramirez: FTC Commissioner

Edith will focus on privacy in the mobile environment. Highlighted how the Kodak Snap camera kicked off the privacy fear that lead to the Warren and Brandeis "The Right to Privacy" paper. It wasn't the first camera but it was cheaper, more widely available and much more portable than other cameras of its time.  Mobile devices are the same -- mobile devices are highly personal items always with you.  Your desktop computer -- possibly used by many people -- never move.  But your smart phone is used only by you and always on you.

When you factor that our smart phones are always on and collecting data constantly, this can reveal highly detailed logs of our personal movements. The current landscape of privacy includes many bills -- see post here: -- discussing Do Not Track, kids privacy, etc.  The most privacy bills ever seen.

The FTCs recommendations for companies include Privacy By Design -- engineering privacy into the product development.  Do Not Track, Robust Notices, Transparency, etc.  The same things covered in the FTC Proposal.  The FTC supports Do Not Track and want it implemented in the mobile landscape.

FTC took google and Twitter to task for Buzz and poor security.  FTC lumps these two players as mobile enforcement wins.


That's it for today.  Back tomorrow!