thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Wednesday, September 27, 2006

Privacy Workshops at the UN Internet Governance Forum in Athens

The founding of a new United Nations Internet Governance Forum was one of the main outcomes of the World Summit on the Information Society process that ended last year. It is meant to be a global inclusive policy forum for all things related to the governance of the internet - from the the root master file and the control over ICANN to WHOIS privacy and international interconnection costs. The inaugural meeting of the IGF will take place in Athens from 30 October to 2 November, with an academic symposium on 29 October.

I was pretty much involved in the World Summit since 2002 and among other things have been coordinating the civil society working group on privacy and security. Together with Privacy International and the London School of Economics, we submitted a proposal for two workshops on privacy to the IGF secretariat. Now we formally got the confirmation that indeed both were accepted. The workshops will take place on 31 October, so that folks who want to visit the international data protection commissioners' conference in London on 1 and 2 November can even do that. We will have two consecutive workshops:
I. Privacy and Identity Matters: The emerging digital identity infrastructures that to date have received little public scrutiny and attention. We will highlight the increasing importance of identity and authentication systems, and discuss the challenges and legal implications.
II. Privacy, Development, and Globalisation: The pressing issues surrounding cross-border data flows. We will address the links between privacy, economic development, and good governance, and map out the likely landscape of future policy issues.
The people who have confirmed participation so far are from entities as diverse as the OECD, the OSCE, APC, Microsoft, at least one official Privacy Commissioner's office, and of course Privacy International. We are currently finalizing the programme, so stay tuned.

Of course I am excited that both workshops were accepted, and I look forward to the discussions there (Here is a kind of preview from a run-up event our colleagues had in London in July).
I am also happy that I'll see many of the other folks from the world summit again, as some of them were the brightest and most committed people I have ever met. By the way: Participation in the whole four days of interesting and high-level global internet governance discussions and politicking is free.

Online Campaign against Data Retention started in Germany

The German Working Group against Data Retention (Arbeitskreis Vorratsdatenspeicherung) has started an online campaign against the mandatory storage of all communications data. Through a special web portal, concerned citizens can send electronic open letters to all 448 parliamentarians of the ruling grand coalition and raise their concern and protest against data retention. The letters are also anonymized and published on the portal website. There is no fixed text for the letters, which the senders have to write themselves, so the measure does not count as spam. The working group is only giving advice on how to frame the arguments in the letter on its main website

With this campaign, the working group wants to raise pressure on the German government and make it postpone the implementation of the EU data retention directive until a decision has been made by the European Court of Justice. The Irish government has already challenged the directive in the ECJ, and EDRi member Digital Rights Ireland is currently preparing a lawsuit at the Irish constitutional court as well as the ECJ. German groups are also preparing court challenges, should the grand coalition ignore the protests and enact national legislation for data retention.

Reactions for the online campaign are very good. Within the first two hours after it was reported on the German news ticker, campaign supporters already had sent 120 individually formulated letters of protest. Within two days the news has spread pretty wide among online media and blogs.

Friday, September 22, 2006

Anonymous browsing

At last year's Chaos Communication Congress, Frank Rieger and Rob Gonggrijp gave a widely discussed keynote speech in which they basically stated that "We lost the war" against the surveillance state. Their main conclusion:
Anonymity will become the most precious thing.
It seems both camps - the liberty faction and the surveillance faction - have listened closely, as we have two antagonistic streams of activities focusing on anonymity at the moment. On the one hand, mandatory data retention, criminalizing anonymous internet access in Germany, or the current spy and wiretapping bills in the US Congress put a lot of pressure on anonymous internet use, and the same is done as a side-effect by wifi-sharing business models such as FON.

On the other hand, recent weeks have seen a number of techie initiatives to protect our identity and anonymity while living the online part of life. The "Trackmenot" browser extension to hide your web searches in a constant stream of noise has been ridiculed by some uber-geeks, but still is better than nothing and has been significantly upgraded twice in two weeks. Then we saw "Browzar", a shell for the Internet Explorer which promised to delete all browsing history and related data, but turned out to be more an adware scam, according to the reviews. But even here, the interesting thing is: Someone beyond the geek world thought they would meet some significant demand with anonymous browsing. A good sign, in this regard at least. Of course, we also have had TOR and AN.ON for a while, two onion routing traffic mixer networks that have risen in poularity, but are not really known or used among the normal population yet.

Now, there was a new browser released yesterday that seems to be the real killer application. It is called "Torpark", and it is
an anonymous, fully portable Web browser based on Mozilla Firefox. Torpark comes pre-configured, requires no installation, can run off a USB memory stick, and leaves no tracks behind in the browser or computer. Torpark is a highly modified variant of Portable Firefox, that uses the TOR (The Onion Router) network to anonymize the connection between the user and the website that is being visited.
On top of that, it is not only free software, but also has the best street credibility you can imagine. It was developed by Hactivismo, which operates under the aegis of the Cult of the Dead Cow, one of the oldest "white hat" hacker groups in the world.

Thursday, September 21, 2006

At which image resolution does your privacy begin?

Private satellite imagery has been lauded as a counter-balancing force to intelligence agencies' secret knowledge. John Pike from has used it for years to debunk e.g. the myth of North Korea having their intercontinental missiles ready (as he could show, the tracks in the alledged launching base were not even paved). Before Google Earth went online and basically took over the market, similar products had already been developed, even as small handheld gadgets. This has not made everyone equally happy. The Indian military had a public discussion about the dangers of Google Earth's imagery intelligence, and others surely are doing the same behind the scenes.

But this is not just about national security installations. It is about you and me, too, who are being watched from above now - with a new twist. While it is one thing to be seen on a street (a surveillance camera still has a much better resolution than a photo satellite), it is another thing to be photographed on your private premises. In Germany, a recent constitutional court decision made clear that it's illegal for reporters to fly over the houses of famous people and take air photos from helicopters. The pictures can not be published, as the right to privacy overrides free speech. This in fact brings us back to the origins of the "right to privacy" in the famous 1890 article by Samuel Warren and Louis Brandeis, which was prompted by pictures taken by reporters.

If you're not a celebrity, you don't have to fear the paparazzi. But if you want to be alone on your rooftop or in your fence-shielded garden, you now might have to fear your neighbors who have Google Earth helping them. Google sightseeing just found this picture of a woman sunbathing topless on a rooftop. You can not tell the face (yet), but if you know which address it is, it can be easy to find out who this is. This is not just about the picture itself (you get high-resolution pics of topless women all over the net), but about the information it contains: There is a topless person on this specific rooftop - welcome peeping toms!

So, where does your privacy zone begin? When your face can be identified? Or much earlier? And how do we do enforcement of national privacy laws in cyberspace and outer space? Google Earth is using pictures from the American "Keyhole" satellites, and the pictures are stored on a server in the United States. Should they have to block these pictures to German visitors, as they do with government-critical content in Chinese? Or should Google reduce the resolution in general? How do you do sunbathing with a canvas cover?

Oliver Morton wrote about this new development for Wired Magazine as early as six years ago, and his conclusion was:
"Watch for the next big First Amendment battle over who can see what. And if you look up, smile."
Or would you rather give them the finger? I myself prefer the First Amedment battle.

Wednesday, September 20, 2006

Data Retention in the US and Europe - the state of politics

Sometimes it is interesting to watch how politics work differently on both sides of the Atlantic. While the US government had long refused to establish a mandatory retention scheme for communications data, the EU agreed on a directive to do so in February. Now, the EU member states have to implement it until September 2007, and suddenly they hestitate, and domestic opposition is growing:
The fact that opposition against this mass surveillance scheme has been growing so slowly in Europe is based on (at least) two sets of factors: The complexities of EU policymaking, which tend to bury imortant processes until they hit the national level for implementation; and the lack of a large-scale privacy scandal in Europe. Without a large public discussion, politicians can therefore often push legislation through the EU institutions, but then get hit by implementation problems and opposition at home.

In the United States, this is different. They have had quite a few privacy scandals, the last being the big AOL search data exposure, not to mention the NSA domestic phone surveillance programme. These have hit the mass media, so not only tech journalists and expert bloggers, but also the general public and politicians are aware of the dangers. Therefore, you could expect wide opposition against a data retention proposal in Washington. If you want to get any legislation approved that regulates what private corporations have to do (which data retention would imply), you have to basically bring them on your side (or at least silence them), or you need a policy window that normally only appears after a scandal or a catastrophe. Now, after some press statements earlier this year, attorney general Alberto Gonzales has officially asked Congress to enact data retention legislation. Besides from the fifth anniversary of 9/11, I don't really see a policy window at the moment. But Gonzales did this after having spoken about this with some of the major companies in July, so he can use a two-fold strategy. He can refer to the agreement or at least divided opinions among the ISPs, and he can point to Europe, where we already have a data retention directive.

It will therefore be necessary for the interested public in the U.S. to be aware of the opposition against and looming inconstitutionality of data retention legislation in the EU. It is also important to not fall into the "child porn" trap. We are already seeing quite some mission creep for the use of the data in Europe. Data retention was originally marketed as only being targeted at terrorists. Now it will also be used against school kids who use filesharing networks, for libel cases, and more.

On top of that, EU commissioner Franco Frattini has now officially declared that the U.S. government will have access to data retained in Europe. After passenger records and financial data, this will just make it even more easy for US intelligence services to conduct economic espionage in the EU. How handy, as the Echelon system is allegedly getting too old to fulfill this task much longer...

Wednesday, September 13, 2006

License to hack: domestic internet intelligence powers growing in Germany

The domestic intelligence agency (Verfassungsschutz) in the German state of North-Rhine Westfalia (NRW) will be allowed to hack into the computers of "terrorist" suspects, if a bill currently under discussion in the state parliament is adopted. According to the bill, the agency will get the new competence for
"clandestine observation or other reconnaissance of the Internet, in particular the hidden participation in its communication facilities or the search for them, and clandestine access to information technology systems by technical means" (my translation).
The ruling conservative-liberal coalition is arguing that this is only a clarification of existing competences for communication interception. The social democratic party is opposing the bill. Karsten Rudolph, spokesperson for domestic affairs of the SPD in NRW, called the new regulation "governmentally organized trespassing".

The public justifications for this enlargement of intelligence powers are in fact questionable. Liberal domestic affairs minister Ingo Wolf refers to the fact that the alledged suitcase bombers, who were caught in Germany recently after a futile attempt to blow up two trains, had found the plans for building their bombs on the Internet. But he did not explain how intelligence service hackers could have detected or even prevented this, given the fact that the assassins had not attracted any attention before.

Another change in the NRW intelligence agency act, according to the bill, would be the duty of banks, telcoms and other industries to give information about their customers to intelligence agents if asked by them. This obligation, introduced after the attacks of 11 September 2001, so far only applied if the perceived threat to the constitution and the state were a foreign power or an international terrorist organization. Now, corporations would also have to give information about their customers in cases of
"efforts which are directed against the liberal democratic fundamental order, the existence or the security of the federal republic or a state, or which aim at an illegal interference with the administration of the constitutional powers of the federal republic or its members" (my translation).
Publicly, this is referred to as "terrorism", but in the German past has on various occasions also hit political opposition movements as well as religious groups.

The new bill seems to be part of a conservative campaign to establish extensive domestic surveillance powers for the Internet. Federal domestic affairs minister Wolfgang Schäuble announced further plans for widening intelligence powers on the Internet, and the German government recently decided to raise personell and spending for Internet activities of the federal domestic intelligence agency. In the state of Schleswig-Holstein, the conservative government is planning to establish a mandatory data retention scheme for web anonymizer services, which would go much further than the EU data retention directive envisages. The federal crime agency (BKA) is currently working on a central database for Internet investigations. German law enforcement agencies are already "patrolling" the public parts of the Internet without initial suspicion, and have established a coordination agency for this as early as 1998.

While the Internet gets more and more into the focus of law enforcement and intelligence agencies, other sectors have lost their attractiveness. The new bill in NRW upholds the information duty for companies about their customers only for the financial services sector and for telecommunications providers. The regulations that so far had also established this duty for postal services and airlines will be cancelled. If they don't want airline passenger data anymore, why are the European governments so keen on legalizing the PNR agreement with the USA?

(This article also appeared in EDRi-gram no. 4.17 which was published half an hour ago.)

Lonelygirl15 and amateur data-mining

Update: The identity of the actress behind Lonelygirl15 has been revealed. The NYT has the story, more is here, and a lot of pictures have been found here. This is how it was revealed:
I was surfing the article on Lonelygirl15 on when I came across a comment that linked to a private MySpace page that was allegedly that of the actress who plays Lonelygirl15. As the profile was set to “private,” there was no real info one could glean from the page. However, when I queried Google for that particular MySpace user name, “jeessss426,” I found a Google cache from the page a few months ago when it was still public.A lot of the details of the girl’s background clicked for me: She was an actress from a small city in New Zealand who had moved to Burbank recently to act. The name on the profile was “Jessica Rose.” When next I happened to query Google image search for “Jessica Rose New Zealand” I was instantly rewarded with two cached thumbnail photos of Lonelygirl15, a.k.a. Jessica Rose, from a New Zealand talent agency that had since removed the full size versions. A later search on Yahoo on “jeessss426” also turned up a whole load of pictures from her probably forgotten ImageShack account.

This shows how much information about us is already available in google caches, internet archives, user accounts and the like. If face-recognition services like Riya (also see here) were more popular (which I hope they never will), we could have found out about the true "identity" of this person much earlier. But at the same time, we can do this datamining about everybody else, at least about the ones among us who are a bit active online. Folks like Robert D. Steele have for a long time been preaching about "open source intelligence", which is a nice equalizer and gives us some power to counter-balance (secret) information from the intelligence services our governments base some of their decisions on. But if we speak about personal information, it is a pretty scary development. But no, privay as a social value is not dead yet, as even Scott McNeally has recognized recently.

Via Michael Zimmer

Monday, September 11, 2006

What "lonelygirl15" tells us about identity and web2.0

A teenage girl who goes under the pseudonym "lonelygirl15" has become pretty famous on Youtube in the last three months. Now it turns out the whole thing was made up by some film-makers. They registered a dotcom domain for her a month before the first video was posted, and in a recent message "to our incredible fans" call it a new form of interactive art and storytelling. Fans and Youtube celebrities are outraged, about 20 per cent of them still won't believe it, the wikipedia community can not agree on anything yet, and the web watching mass media go crazy.

Of course, this reminds me of two similar video internet hypes: The Blair Witch project, where the web frenzy about some footage alledgedly found in the woods was part of the marketing plot for a cinema movie. The other one is Snakes on a Plane, where the web-based fan community even became part of the movie development and helped to re-write the screenplay. Lonelygirl15 combined both in the sense that the story started as a fake like BWP, and it reacted to fans like SOAP.

But beyond the marketing implications, Lonelygirl-gate can tell us a bit about online identities. After all, this whole thing perfectly illustrates the mantra of the Identity Gang that "the Internet was built without a way to know who and what you are connecting to" (source).

While this argument is normally made in the context of ID-theft and phishing, the story here is different. There was no fraud involved, no pretexting, no rip-off in the usual sense. It was just a story that too many took for too real. But why in the world would anyone expect that everything people post on Youtube is real? If there are Alternate Reality Games, why should there not be something like alternate reality storytelling or vlogging? So, do we really have a problem here? Maybe the biggest problem is that many online users are too naive and mistake their screen for reality - but this is something we already had with TV series before the internet was invented.

In fact, the story reveals how short the memory of the web community is. Blog commentator Kyle wrote in response to the Lonelygirl15-gate report in the NYT, "we’re exploring the territory between script and spontaneity". Yes, exactly, but we've already been there as early as 1995. Can't anybody remember the cartoon "on the Internet, nobody knows you're a dog" or the books about "identity in the age of the internet" that made up much of the social science research output on the internet back then? We are seeing a similar development now with games like SecondLife (for good reflections on that visity my friend Rik Panganiban's blog). So, nothing new under the sun - only that Web2.0 for a short while made some people think everybody's MySpace or Youtube account was a reflection of reality.

Still - is it good or bad that "the Internet was built without a way to know who and what you are connecting to"? It depends on the kind of relations and transactions people have and make, and it does so online as well as offline. A few examples: There is a fake profile of our chancellor on MySpace. So what? As long as she can't command our troops from there, I don't care. If Lonelygirl15 sang songs in front of her webcam and sold the cd online like Youtube popstar Terra Naomi, I might even buy the music. The quality of the songs or the story is independent of a real person behind it. Of course, a lot of people feel betrayed because they expect to be connected to a real person, someone who is the "same" online and offline. This might be important for people like Terra Naomi who plays concerts, or for me who teaches and gives speeches, in short: for people whose public life also happens offline, at least every once in a while. But still, "Terra Naomi" could as well be a pseudonym as "lonelygirl15" (or "Bree", which is her "real name" in the story). So far, none of the people who invited me to speeches have asked for my passport to check if "Ralf Bendrath" is really my name. Also, Madonna has a MySpace account, but would anyone believe she is personally reading and replying to all the stuff people write to her there? In that case, "Madonna" is not the person, but a pseudonym of a whole enterprise behind that person. What about potential presidential candidate Mark Warner, who appeared and spoke in Second Life, but had an aide handle his avatar walking down the stairs? For most of the transactions, we only need to be able to reliably exchange opinions, money and goods, which can perfectly be done anonymously. For developing reputations and more long-term relationships, we need pseudonyms. These of course also exist in offline spaces. I mean - who ever thought Suzanne Vega was a real name? Or the other way around: Why could Superman not have his videoblog on Youtube? The confusion starts when people think that what they see on Youtube or in Second Life is real.

The lack of a fully fledged online identity-proof system even is good, I would say. The more we can do anonymously, the better privacy we have. The more we then use pseudonyms only if needed for long-term relations, and even have a variety of them for different contexts, the less can our actions be combined to a full profile of our personality. Identity - which in the end is linking actions and properties to one single physical person - is only needed in cases where the government interferes: Voting, speeding, paying taxes, running for an official office, etc.

This relates closely to the human body as the bearer of a person's identity. The government in the end is the only agent that has the power to take the body of a person and punish it by imprisonment or death penalty. The interesting question that follows - which, again, has already been discussed thirteen years ago - is: Is deleting a user pseudonym in an online space at all comparable to imprinsoning a person? Many Youtube users who felt betrayed now have demanded that Lonelygirl15's account be deleted. Youtube is of course not even thinking about this, as these are exactly the stories the company wants in the mass media.

Last question: In which way would an "identity metasystem" help us here? Or would it spoil all the fun, because we knew in advance what the real identity of Lonelygirl15 was?

Biometrics and "what you have" vs. "what you are"

Kim Kameron at Identityblog picked up on Jerry Fishenden's post on the problems of biometrics (by the way: Jerry will speak at our privacy workshop in Athens, see below). He again brings up the story from Malaysia, where some brutal car thieves cut off the index finger of a Mercedes owner in order to circumvent the biometric engine lock. First of all, the thieves could have had it much easier, also without having to carry around a rotting finger. With a bit more high-tech, in the future they could maybe just read the fingerprint out of the car owner's passport.

But more important, this case shows the problems with identity and how hard it is to proof to a machine who you are. It is often based on the classic trinity of authentication, which either can be done by something you have (a key, a USB dongle, a chipcard), something you know (a password, a PIN, your mother's maiden name), or something you are (your fingerprint, your retina). There are of course other possible authentication factors, but these are the most common.

This story makes clear that "what you have" is much clearer than "what you are". I would prefer saying "I have ten fingers" instead of "I am ten fingers". "What I am" relates more directly to my personality / identity than "what I have" or "what I know". It is a story, a flowing amorphous thing, changing from context to context and over time. Of course, you can break it down to some extent to single pieces of data (address, date of birth, employer, email, favourite mp3s, ...) - but this is all not good for authentication purposes, as most of it is not really secret. "What I know" can be secret, and as Jerry Fishenden points out in his post, could be linked to "what I have" in order to have multi-factor authentication. But it again is not the same as "what I am".

Biometrics therefore is more about what I have than what I am. The only difference is that it can't be stolen as easily as a car key or a passport. Fingers can be cut off, but faces? Ok, Hollywood was always ahead of us.

Last open question: Can "what you have" also be said about the way you walk? Probably not. But is that really what you are?

Sunday, September 10, 2006

Jigsaw and the economy of personal information

The reports (and slashdot entry) on Jigsaw made me think again about economies of personal information. The company collects information people get about others from business cards or email signatures. For each data set you enter, you get two in return. You can also get points by correcting or updating information. Reportedly, they already have information on 3 million contacts at 150 000 companies. There are two aspects of information economy here: The institutional information exchange model, and the way personal information is conceptualized in the first place.

This kind of crowdsourcing is creating a monopoly supply and demand system with fixed prices. It is not a market like Ebay, where the prices are set according to supply and demand, and it is neither a public domain system with the accompanying gift economy. While Jigsaw CEO Jim Fowler tries to sell it as the wikipedia of business information, by restricting access to the database to people who pay or submit new information (and only very few pay), it directly contradicts the open and public domain model of wikipedia and related projects. By the way: It also creates additional personal data on who submitted how much information (probably also on who submitted what) needed for earning the exchange points - a bit like the "Linus" and "Bill" models in the FON wifi exchange social network. This would not be necessary if people just donate their wifi broadband to the neighbours, like wikipedians donate their knowledge to the world. The institutional setting - with many participants, but Jigsaw as the monopoly information broker between them - therefore creates additional privacy problems, which are not really reflected in the economy applied here.

The underlying principle or paradigm of course is the idea that information about persons can be owned by someone else. We Europeans normally see privacy as an unalienable human right, therefore we have some problems with the idea that personal data can be owned, sold and given up totally in exchange for some money or other commodities. Of course, if I give my business card to colleagues, they own the physical card and can use the information on it. That is the whole purpose of these things. But I normally have an expectation that they keep the card for themselves. I have met them in person or have sent an email to them, therefore I know they have my information, and I want them to. If they now give it to third parties without my knowledge, they violate what Helen Nissenbaum from NYU has called the "contextual integrity" of my personal information. Now, I can try to complain that someone violated my human right to informational privacy. Or I can use the property concept and put a copyright note on my business card. This is what David Batstone, an ethics professor at the University of San Francisco, predicts:
"People are going to start putting on their business cards a copyright or a privacy statement -- 'I explicitly copyrighted this information'," said Batstone, the ethics professor. "It could very well be that we head in that direction."
I am not sure this is the best solution, but it certainly is a consistent approach. On the other hand, if I don't have a copyright note, can people assume that my information is in the public domain? There is already an example for this confusion in the Web2.0 world: The guys at ClaimID want to be nice and therefore put all the information they have about you under a creative commons licence. Now others can not only use it out of context and without your knowledge, but may even remix it, ain't that cool?

The other extreme would be to have empty business cards, as Bob Blakley suggests tongue-in-cheek. He is also describing a more common-sensical way: Only let these systems give my information to others if they have asked me before. But then, you leave the property model and end up with privacy as a rights claim again.

Saturday, September 09, 2006

Privacy Workshop at ECPR Joint Session 2007

Andreas Busch and Charles Raab, two of the few political scientists who do research on the governance of privacy, organize a workshop on "Privacy and Information: Modes of Regulation" at the Joint Session of Workshops of the European Consortium for Political Research in Helsinki in May 2007:
The workshop invites both empirical and theoretical work on privacy and information policy in modern societies. Much has already been contributed on these issues by legal and computer science scholars, and we hope that the workshop will help to establish this topic more firmly on the political science research agenda as well.
We would particularly like to encourage contributions that focus on the politics of information policy, governance and regulatory aspects, and policy processes in this area, in either single country studies or comparative perspective, and contributions that test already existing theories of regulation, institutions and action with empirical material about privacy and personal information.

The deadline for applications is 1 December 2006. Proposals should be sent to the two organizers. All needed information is here (look for workshop number 26).

Call for Proposals: Academic Conference on Internet Governance

For the last few months, I have been involved in an effort to start a more systematic academic discussion on internet governance. The outcome is a scholarly network with a pretty posh name: Global Internet Governance Academic Network (GigaNet). The first symposium will be held in Athens on 29 October, right before the first meeting of the UN Internet Governance Forum. The call for proposals (pdf) is just out. The deadline is pretty soon, but the good thing is you don't have to deliver a written paper. This academic meeting will hopefully also become a place to discuss issues that will be neglected by the official IGF for political resons.
I have also submitted a proposal for two workshops on privacy for the official IGF programme, together with colleagues from the LSE and Privacy International. Chances to get at least one of them accepted look good, as we put quite some effort into getting speakers from all stakeholder groups. Hope to see many of you in Athens!

My English blog - and my own one

I've been blogging for a while on the award-winning German collaborative blog, which has been fun and rewarding. Unfortunately, a lot of the discussions I am interested in take place in English, and most of the folks there don't read German. So, in order to have a more international voice, I will now post my thougts and musings here, too. Main themes will still be privacy, internet policy, and other things related to my research and activism on global governance in the information society. In a way it is the second English blog I am having, the first one being, where I was editor-in-chief for three years. But that one was not running on a blogging platform and did not even have a feed.
Anyway, happy to be here now. Feel free to comment. Also, drop me a line if I miss important things.