Computers, Freedom, and Privacy -- Live Blog Day 2

Hello and welcome to day 2 of CFP 2011. Thanks to the glorious DC Metro system, I arrived 30 minutes late and missed the keynote speech. I will be live blogging to the best of my ability today to provide those unable to attend a small window into the conference.  Be sure to check the CFP media page for pictures, video, and more. The Twitter Hashtag for this conference is #CFPConf

Please note: Live blogging is both for me and you.  These are my notes from the conference.  Nothing should be taken as a direct quote.  These are living posts.  Edits will be made.

Keynote Address: Mona Eltahawy

Missed it...*shakes first at metro system*

Cybersecurity Beyond the Kill Switch: Government Powers and Cybersecurity Policy

Panel organized by Joshua Gruenspecht: Cybersecurity Fellow, Center for Democracy and Technology.
Moderator: Greg Nojeim: Senior Counsel and Director of Project on Freedom, Security and Technology, Center for Democracy and Technology
Liesyl Franz: Vice President for Cybersecurity and Global Public Policy, TechAmerica (Industry Perspective)
Susan Morgan: Executive Director, Global Network Initiative (US Implications of tech policies)
Micah Sherr: Assistant Professor of Computer Science, Georgetown University (PETs, Surveillance, etc)
Michael Seeds: Legislative Director, Representative Mac Thornberry

GN - introduced the panel topics and put an emphasis on getting *away* from the idea of a kill switch. LF will provide industry perspective. SM will provide a review of the international implications of US tech policies and what foreign governments are doing within the US. MS will discuss PET, surveillance technology, and more.  Lastly, MSeeds will discuss Congressional actions.

LF - TechAmerica is an industry trade association. Briefly touching the kill switch idea, LF stated she thought that given the design of our infrastructure she thought the idea of a kill switch was not feasible. [Not necessarily true, if a few peering locations went dark at the same time it would be fairly effective (though not totally) in shutting off the internet]. Wants information exchange to be bolstered for industry to government sharing. To ensure there is no retribution for sharing cyber attack information, Don't restrict companies or internet in a way that constrains flexible & dynamic way. [Agreed. If we kill innovation, we kill the internet and the tech landscape in many ways]

MS -- Claimed Token Nerd status on the panel. Kill Switch: isolating a network is very difficult. With the way our networks are designed, there are too many access points to simply "pull a plug."  Following a checklist does not provide true security [Compliance is not security!  Amen.] Discussed how most attacks are hidden and obfuscated through the use of botnets and multiple attack locations.  Also discussed that a problem with packet filtering and analysis is problematic because the packets may contain PII. [Yes, this is true.  However, with automated tools and filters a lot of the PII can simply be ignored.  You can also use signatures and heuristics based analysis]. How can we share information safely between industry and government?  Use signatures, heuristics, and malware patterns [! hah].  Computer science as a discipline isn't advanced enough to collect data the way the govt wants it to. Micah would like to triple the investment in academic research on cybersecurity and computer science [Amen].

SM -- Business need to understand their role in the protection of human rights.  Professor John Ruggie developed the Protect Respect and Remedy framework (PDF).  The Framework has been incorporated into the OECD guidelines. Looking at the roll of business, industry, state in human rights.  Freedom of expression online and the roles of business in that.

MSeeds -- Where the house is in developing Cybersecurity legislation....Thornburry is looking at multiple buckets.  Including new legislation, updating current legislation, and looking at tools we have to protect our current critical infrastructure. ...More legislation updates that weren't new...Mentioned the Defense Industrial base (DIB) project where the DoD/NSA is sharing classified signatures with ISPs and major telecoms. 

GN -- for the DIB project, what is the flowback to the government after they share those classified signatures?  For example, the DoD/NSA could easily say "watch out for this signature" but what the signature could be doing is watching out for one person. I would be very concerned about the flow back to the government.  Susan -- foreign govt says to provide of secure communication system that we want you to design a system in thsi way because that would allow us to more easily wiretap within the confines of our laws. Is there any principle that a company could rely on to resist that?

SM -- In terms of principals that GNI has created within the last few years....something a company could do is look at these principals and say "we signed up for these principals, we can't fulfill your request." [But facing the loss of a huge government contract would a company really hold on to those principals or acquiesce to the request?]

GN -- question about sharing data in private manner

MS -- From a security stand point, what you're looking at and interested in may be one packet out of a trillion.  What we need to research is how to publish data about attacks while filtering out PII that may not be relevant or substantive to an investigation.  Dorothy Denning did research on this in the 80s at Georgetown.  There have been notable failures of when sharing data has failed...for example AOL's release of supposedly anonymized data.  [See I Love Alaska for a video based on the AOL search logs.]

Question from the audience about Deep packet Inspection (DPI)

MS -- As an internet user and a security research, I am not a big fan of DPI. We need to build something that doesnt have such a huge false positive rate...

GN -- Follow up: if I am a verizon or ATT providing huge bandwidths aren't I doing DPI to find those signatures?

MS -- Depends on the size of the pipe and processing power.

Question from audience about the next generation of internet. The current architecture is very client-server with the client side having as much power as it does would it be possible to create networks where the information resides on the client devices?

MS -- There need to be Confidentiality, Integrity, and Availability controls in place to protect data put in the cloud.  And they are in place.  We could do the same on the client side but these cloud services work...[and the controls are centralized and implemented uniformly vs. potential disparate implementations on client side]

Question from audience about international reciprocity of filtering and the efficacy of filtering.

MS -- Filtering systems are not effective for individuals who really want to get around them. Law Enforcement is also not great at this either.  Cited an example of DHS accidentally shutting down 84k wedbsites by taking down FreeDNS as part of a larger childporn takedown.

LF - GNI assessments of member co's planned for Q1 2012, results will show effectiveness.

Question from audience about data breach notification law...we have laws that protect consumers from identity theft, etc.  Is there any consideration being given to laws that would extend reporting time to advanced threat investigations?  Even if PII is only one or two percent of the compromised information.

MSeed -- There is consideration into that. There is a markup session on Mary Bono Mack's breach bill.

GN -- There are specific sections in the Leahy bill and the Whitehouse proposal that speak to Law enforcement and intelligence activities.


More panel notes below


Panel Topic: The Effect of Domestic Airport Security Policies on Minority Communities, Freedom of Movement, and Privacy

Panel organized by Hansdeep Singh: Staff Attorney, United Sikhs.
Moderator: Daniel Mach: Director of Freedom of Religion and Belief, ACLU
Congresswoman Judy Chu (introduction)
Kimberly Walton: Special Counselor to the Administrator, TSA (invited)
Paul Uppal: Member, UK Parliament
Chris Calabrese: Legal Counsel on Technology and Liberty, ACLU
Ginger McCall: Open Government Counsel, EPIC
Nadhira Al-Khalili, Esq.: Legal Counsel, Council on American-Islamic Relations (CAIR)

DM - Primary focus of today's panel discussion will focus on domestic issues, as the panelists are all largely focused on domestic issues.  All panelists have prepared remarks.  Introduced Ms. Walton and thanked her for walking into a potential lions den.

KW -- Prepared Remarks: Policies and procedures of TSA do not have disparate impact on minorities. 2M pass through 450+ airports across the nation.  TSAs goal is to make sure none of those 2M people become victims of attacks like those on 9/11. TSAs roll is to restore that sense of security. As the threat has evolved, TSAs screening has evolved including the technology -- AIT and advanced patdowns.  While the media the reports on these issues, what they dont report is the intelligence TSA and DHS uses to assess threats.  The banned and illicit items confiscated at check points.  People believe TSA is just for flying, that is not true.  TSA is involved in risk mitigation for all modes of transportation. Note risk mitigation, not elimination. The only way to eliminate the risk is to not travel, which is not a feasible solution.  SecureFlight allows us to effectively deploy certain resources from those who we know to be a potential threat to aviation.  TSA has a bulky clothing policy that includes headware. Bulky clothing can hide threats. Regarding non-form fitting headware, TSA does have a screening policy that allows headware to stay in place; however, it will be inspected further. DHS has reviewed this policy and concluded that it passes constitutional muster. Both TSA and DHS have offices for civil rights and liberties whose job is to review these policies. AIT main privacy protections are designed with the FIPPS in mind.  Anonymity is the main method of privacy protection and is achieved through separation of image operator and passenger -- the image operator cannot see the passenger who is screened and there are also facial blurs in place.  Choice -- individuals can opt-out.  Notice -- all lanes with AIT have signs describing what the machines do and what sort of images they approve.  We do care about modesty and we invited many religious representatives to our facilities to have a discussion.  Our overall hope is that ATR will be deployed this year.  ATR is a generic outline of a human form. Patdowns are used to resolve detection issues on AIT machines OR if an individual opts-out of AIT.  Patdowns resulting from detection are highly targeted only to resolve whatever the AIT machine detects.  Overview of behavior detection officers...dual confirmation is important factor.  Both BDOs must agree on observed behavior.  Future of TSA: Risk Based Screening.  Can't get into many specifics as they are on going changes. One thing that can be discussed is the new crew member vetting system using a risk based approach for those who are responsible for flying a plane. 

JC -- Focused on Sikh religious discrimination due to headware.  Described how treatment of Sikh's turbans were often outside of policies and how the experiences left many feeling discriminated. JC asked Pistole to ensure that policies were followed uniformly by all TSA agents. Mr. Pistole also agreed to meet with Sikh community leaders to hear their complaints in person.  This is the first such meeting to take place.

NAK -- It seems complaints have increased since the rollout of AIT.  CAIR receives many calls from individuals who went through the metal detector and were then sent to AIT or enhanced patdown without setting off the metal detector. Read multiple stories of complaints CAIR received about TSA. Would ask that TSA revisit their policies to find the least restrictive means necessary to make our airports safe. For those in the audience, please support the organizations that are fighting for change of these policies.

CC -- Read stories about people feeling violated by AIT or enhanced pat downs. Believes that AIT/enhanced pat down was a political move -- based on stimulus money -- that provided no real security. 

GM -- Has some factual disputes between what TSA has said and responsive documents from FOIA requests. Complaints about notice on AIT security areas.  Noted that signs only indicate what sort of machines you are about to go through and the images they produce -- no notice about opt-out procedures. Walked through the EPIC lawsuit against TSA and all of the laws EPIC is suing TSA over.

DM -- Does TSA keep track of how many people are pulled over to secondary screening, complaints, etc?  What are the auditing measures and can the public have access to this data?

KW -- Only if local law enforcement is called. There is a way to capture the number of people who opt out but she cannot speak to detailed statistics based on race, location, etc.

All panelists mentioned what they would like to see TSA do, including sniffing dogs, less intrusive images, better policies, less discrimination.

KW -- Agreed with all points.  Dogs are great but many wash out.  Explosive Detection Testing is critical.  After 9/11 the threat evolved from box cutters and knives to other items. ATR technology does not store images. I do want to make one point for Chris -- we are not implementing a CAPPS II system.

Edward Hasbrouck Question: If you are going to have an identity based screening program, are you going to seek administrative authority to require people to have ID in order to fly or claim administrative authority? [Note: question did not have a third option that included not requiring ID]. 

KW -- not the right person to ask.

Question from audience: The underlying threat model was not challenged at all.

GM -- We would agree with that. The threat at airports is greatly overestimated.

Intermediary Immunity under Section 230

Panel organized by Paul Levy: Attorney, Public Citizen Litigation Group.
Moderator: Paul Levy: Attorney, Public Citizen Litigation Group
Eric Goldman: Law Professor, Santa Clara Law School
Maria Crimi Speth: Shareholder, Jaburg & Wilk, P.C.
Gavin Sutter: Queen Mary Law School (London)

What is Section 230?  I had to ask it myself...see wikipedia for a brief summary:

MCS -- provided background on legal landscape of Section 230 and some of its controversies. 

EC -- 230 was necessary component in allow consumer review sites to exist. In the online world whether or not you exercise editorial control you are not liability.  It allows for a the growth of many different editorial styles. In the offline world, publishers are very worried about their editorial risk. 230 allowed the online world to experiment and grow.  230 protects truthful, negative, information.

GS --Let's take this back to brass tacks...why the intermediary has a role to play in internet content and how I see the way forward in a UK/European approach. Are there legitimate reasons to limit free expression?  For example, protecting reputation. Because the internet is a global infrastructure, it is very difficult to regulate as many countries and even states have differing laws.

MENA Beyond Stereotypes: Technology of Good and Evil Before, During and After Revolutions

Panel organized by Meryem Marzouki: Senior Researcher in Political Sciences, CNRS/UPMC (France).
Moderator: Meryem Marzouki: Senior Researcher in Political Sciences, CNRS/UPMC (France)
Amira Al Hussaini: MENA Regional Editor, Global Voices (Bahrain)
Moez Chakchouk: CEO, Tunisian Internet Agency (Tunisia)
Deborah Hurley (USA)
Jillian C. York: Director of Internet Freedom of Expression, EFF (USA)
Nasser Weddady: Outreach Director, HAMSA; American Islamic Congress (USA)