<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-34116157</id><updated>2012-01-17T12:19:18.079+01:00</updated><title type='text'>Ralf Bendrath</title><subtitle type='html'>thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default?start-index=101&amp;max-results=100'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>135</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-34116157.post-7279383212096602303</id><published>2011-06-15T23:11:00.002+02:00</published><updated>2011-06-15T23:52:23.179+02:00</updated><title type='text'>EU Fundamental Rights Agency: EU-PNR Directive not good</title><content type='html'>The &lt;a 
href="http://www.fra.europa.eu/fraWebsite/home/home_en.htm"&gt;Fundamental Rights Agency&lt;/a&gt; of the European Union (FRA) has finished its &lt;a href="http://www.nopnr.org/wp-content/uploads/2011/06/FRA_PNR_Opinion_14-June-2011.pdf"&gt;opinion on the proposed directive for an EU-PNR system&lt;/a&gt; for the retention and mass analysis of flight passenger data. It had been asked by the Civil Liberties Committee of the European Parliament in March 2011, on the initiative of the Greens/EFA group.&lt;br /&gt;&lt;br /&gt;I provide a summary of the most important findings below. A summary in their own words is at page 20.&lt;br /&gt;&lt;br /&gt;Further reading: In the meantime, the legal service of the EU Council has also &lt;a href="http://gruen-digital.de/wp-content/uploads/2011/05/Gutachten-JD-Rat-PNR.pdf"&gt;shredded the proposed directive into pieces&lt;/a&gt; (German version only, sorry!).&lt;br /&gt;&lt;br /&gt;The FRA opinion criticises the proposed PNR directive on the following grounds:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;1) Data Protection Violations&lt;/span&gt;&lt;br /&gt;FRA shares the concerns published by the European Data Protection Supervisor (EDPS) and the Article 29 Working Party. The FRA opinion therefore is seen as complementing them and only touches on issues that are not addressed by the data protection bodies:&lt;br /&gt;&lt;blockquote&gt;"In general, the FRA shares these analysis and opinions and takes them as a point of departure. This FRA opinion complements and adds to the opinions of the EDPS and the Article 29 Working Group by focusing on topics from a broader fundamental rights perspective." (p. 
5)&lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;2) Ban of Discrimination not sufficiently respected&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;a) Discriminatory Profiling based on sensitive Data:&lt;/span&gt; The directive would have to exclude many more categories than the ones listed in articles 5 and 11. The Commission did not cover the following categories in its proposal, though they are protected under EU law:&lt;br /&gt;&lt;blockquote&gt;"[I only list the ones not covered by the proposed directive, RB] sex, colour, social origin, genetic features, language, any other opinion (beyond political views), membership of a national minority, property, birth, disability, age” (p. 7)&lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;b) Indirect Discrimination based on Profiling for Other Data:&lt;/span&gt; This would also be prohibited, but the proposed directive does not prohibit it. It includes all data categories that are not covered by a) (p. 9). To me it reads like a cautiously written general ban on profiling, because any data category can be used for discrimination. Surveillance studies scholars have called profiling "digital discrimination" years ago.&lt;br /&gt;An example by analogy: Discrimination based on language or nationality or religion is banned, but if someone travels from Islamabad to Mecca once a year, you can assume he or she is Muslim. This would be prohibited.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;3) Clarity of the law is not given:&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;"Individual passengers may be generally aware that their flight details are being recorded and exchanged but will typically know neither the assessment criteria applied nor whether or not they have been flagged by the system for further scrutiny. Therefore, any measure giving the authorities power to interfere with fundamental rights should contain explicit, detailed provisions" (p. 
12) &lt;/blockquote&gt;This clarity is lacking because of&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;a) Generic clauses&lt;/span&gt; such as “general remarks (...) such as" in the description of the data transmitted, retained and analysed (item 12 in the annex to the proposed directive, see p. 13 of FRA opinion). The types of data are also not limited:&lt;br /&gt;&lt;blockquote&gt;"The explanatory text within the brackets also indicates solely what kind of information is included, but does not limit the data to be collected. This might possibly permit unlimited information gathering and transfer and, therefore, might not be justified by the purpose of the PNR system" (p. 13)&lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;b) Purpose Limitation is lacking:&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;"The definition of serious crime included in Article 2 (h) includes an open formulation: (...) the discretion the proposal grants Member States to decide which crimes are covered and which are not seems unnecessarily broad." (p. 14)&lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;c) Data Matching is unspecified: &lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;"Article 4 (2) (b) states that “the Passenger Information Unit may compare PNR data against relevant databases, including international or national databases or national mirrors of Union databases, where they are established on the basis of Union law, on persons or objects sought or under alert, in accordance with Union, international and national rules applicable to such files.” This provision allows for matching PNR data ‘with undetermined databases’. Because the databases are not specified, the use of PNR data might not reach the required level of foreseeability" (p. 
14)&lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;4) No Proof of Necessity:&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;"The FRA is aware that further evidence proving the necessity of a PNR system might exist beyond what was disclosed." (p. 15)&lt;br /&gt;&lt;/blockquote&gt;In plain English: Do your homework! (Fun fact: The Commission currently has the same problem with regards to the evaluation of the data retention directive 2006/24/EC, where they were not able to prove the necessity based on hard data.)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;5) False Positives / Repression against Innocent People&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;"The examples provided by the European Commission relate only to cases in which PNR data were successfully used in the course of investigations. For a more complete picture, it would also be necessary to analyse those cases in which the use of data proved to be misleading and led to the investigation of innocent people. Such a case is included by the European Union Committee of the UK House of Lords in its 2007 report on the EU/US Passenger Name Record (PNR) Agreement: the case of Maher Arar." (p. 16)&lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;6) Proportionality of Applying the Measures to all Passengers&lt;/span&gt;: The FRA quotes at length from rulings by the German Constitutional Court etc., and then concludes:&lt;br /&gt;&lt;blockquote&gt;"The FRA suggests for proportionality reasons to include an explicit obligation in the proposal to make every reasonable effort to define assessment criteria in a manner which ensures that as few innocent people as possible are flagged by the system. This aspect could also play an important role for the review envisaged in Article 17 of the proposal which states that special attention should be given in the course of the review to “the quality of the assessments”. (p. 
18)&lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;7) Effective Oversight unclear:&lt;/span&gt; Any data protection oversight must be fully independent and must have powers of investigation and binding rulings, which apparently is not clear from the proposed directive draft. (p. 19f)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-7279383212096602303?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/7279383212096602303/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=7279383212096602303' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7279383212096602303'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7279383212096602303'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2011/06/eu-fundamental-rights-agency-eu-pnr.html' title='EU Fundamental Rights Agency: EU-PNR Directive not good'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-1448445778166607672</id><published>2011-06-07T23:38:00.005+02:00</published><updated>2011-06-14T07:18:43.375+02:00</updated><title type='text'>Conservative hardliner admits: lack of data retention has no impact on crime clearance rate</title><content type='html'>Uwe Schünemann, conservative home affairs minister of the German Land of Lower-Saxony, &lt;a 
href="http://www.mi.niedersachsen.de/live/live.php?navigation_id=14797&amp;amp;article_id=96699&amp;amp;_psmand=33"&gt;admits&lt;/a&gt; in a response to a parliamentary question:&lt;br /&gt;&lt;blockquote&gt;Erhebliche Auswirkungen im Hinblick auf die Aufklärungsquote bei Straftaten, die im Zusammenhang mit dem Tatmittel Internet begangen wurden, sind für das Jahr 2010 nicht festzustellen.&lt;/blockquote&gt;English translation:&lt;br /&gt;&lt;blockquote&gt;Significant impact in terms of the clearance rate for crimes that were committed in connection with the Internet for the year 2010 can not be determined.&lt;/blockquote&gt;After a constitutional court ruling, Germany has had no data retention in place since 2nd of March 2010.&lt;br /&gt;&lt;br /&gt;Fun fact I: Schünemann just received a Big Brother Award in Germany for the second time. German laudation &lt;a href="http://www.blaetter.de/aktuell/dokumente/big-brother-award-%C2%BBinnenminister-schuenemann-ist-wiederholungstaeter%C2%AB"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Fun fact II: The question came from Social Democrats. This is the party that was crucial for adopting data retention in the EU in 2005 and then later in Germany. They have been losing so many votes in recent years (of course also for factors not related to privacy) that they seem to move into the right direction again. 
Hopefully.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-1448445778166607672?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/1448445778166607672/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=1448445778166607672' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1448445778166607672'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1448445778166607672'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2011/06/conservative-hardliner-admits-lack-of.html' title='Conservative hardliner admits: lack of data retention has no impact on crime clearance rate'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-1485716603500695279</id><published>2011-06-07T22:33:00.002+02:00</published><updated>2011-06-07T22:47:51.814+02:00</updated><title type='text'>Battle over Passenger Data is heating up</title><content type='html'>&lt;p&gt; In late May 2011, the new draft agreements on the transfer and retention of air passenger data between the &lt;a href="http://www.statewatch.org/news/2011/may/eu-usa-pnr-agreement-20-5-11-fin.pdf"&gt;EU and the United States&lt;/a&gt; and between the &lt;a href="http://www.statewatch.org/news/2011/may/eu-com-pnr-australia.pdf"&gt;EU and Australia&lt;/a&gt; respectively have 
leaked to the public. The re-negotiation of the agreements from 2007, which have since then been provisionally applied, had become necessary after the European Parliament &lt;a href="http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2010-0144+0+DOC+XML+V0//EN&amp;amp;language=EN"&gt;refused to vote on them&lt;/a&gt; in May 2010. &lt;/p&gt; &lt;p&gt; The new agreements do not substantially improve the situation with regards to the old ones. They both require that data of air passengers is transferred to public authorities (DHS in the US, Customs and Border Protection in Australia) ahead of a flight; they allow for profiling, i.e. the use of data for sorting passengers into risk categories based on pre-defined and secret criteria without an initial suspicion or criminal lead; and they allow for retention of the data up to 5.5 (Australia) and 15 (US) years. There are also provisions for onward transfer of the data to third agencies and countries. &lt;/p&gt; &lt;p&gt; The agreement with the US met heavy criticism both &lt;a href="http://fm4.orf.at/stories/1683412/"&gt;among EU member&lt;/a&gt; states as well as &lt;a href="http://www.guardian.co.uk/world/2011/may/25/us-to-store-passenger-data"&gt;among Members of the European Parliament&lt;/a&gt; and &lt;a href="http://www.edri.org/_illegal_PNR"&gt;from civil society&lt;/a&gt;, and provoked an &lt;a href="http://www.guardian.co.uk/technology/2011/may/26/air-passenger-data-kenneth-clarke"&gt;emergency reaction from the UK Justice secretary&lt;/a&gt; as well as the US ambassador to the EU. At the moment, there are talks with the negotiator (DG Home Affairs of the European Commission) to re-open the text, though improvements have been made very unlikely by a recent &lt;a href="http://thomas.gov/cgi-bin/query/D?c112:3:./temp/%7Ec1122tULiL::"&gt;resolution of the US Senate&lt;/a&gt; that rejects European privacy demands. 
&lt;/p&gt; &lt;p&gt; The agreement with Australia is less prominent, but still highly relevant. There is a small blocking minority in the Council, consisting of Germany, France, Belgium, Czech Republic, Ireland, Austria and Portugal, that is mainly concerned about the provisions on transfer to third countries, and sometimes about the retention periods (Germany, France). The Commission is not willing to re-negotiate, though. The Council of Justice and Home Affairs Ministers on 9th/10th June might overcome the blocking minority and the parliamentary reservations from some countries, and adopt the agreement. At the moment, a veto in the European Parliament is unlikely. In the worst case, the Australia agreement may be concluded before the summer break and open the floodgates for other such agreements, and for the first time accepting profiling and preventive policing. &lt;/p&gt; &lt;p&gt; Privacy activists from EDRi members Mensenrechten.be, Digitale Gesellschaft and FoeBuD, as well as from EDRi observer AK Vorrat and other groups, &lt;a href="http://wiki.vorratsdatenspeicherung.de/index.php?title=20110527-30-Work-and-lobby-weekend-pnr"&gt;met in Brussels from 27th to 30th May&lt;/a&gt; to do a legal, technical and political analysis, coordinate their short-term work and plan for long-term collaboration with others. A mailing list will be set up shortly. 
&lt;/p&gt; &lt;p&gt; Comprehensive PNR Wiki: &lt;a href="http://wiki.vorratsdatenspeicherung.de/Passenger_Name_Record"&gt;http://wiki.vorratsdatenspeicherung.de/Passenger_Name_Record&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-1485716603500695279?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/1485716603500695279/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=1485716603500695279' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1485716603500695279'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1485716603500695279'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2011/06/battle-over-passenger-data-is-heating.html' title='Battle over Passenger Data is heating up'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-7145566951162804795</id><published>2010-12-22T11:26:00.003+01:00</published><updated>2010-12-22T11:36:08.315+01:00</updated><title type='text'>Reding asks the "Kissinger question" on Data Protection Agreement with US</title><content type='html'>The preparations for a comprehensive data protection framework agreement between the EU and the US for cases where personal data is exchanged in the context of criminal law enforcement have been finalized - in 
Brussels. The Council of EU Justice and Home Affairs Ministers approved the negotiation guidelines for the Commission on 3rd December.&lt;br /&gt;&lt;br /&gt;The US government, unfortunately, is reluctant to move forward. They seem to prefer to agree on the new Passenger Name Records (PNR) deal quickly and postpone the data protection framework - which would cover PNR, TFTP/SWIFT bank data, as well as other data exchanged between the EU and the US.&lt;br /&gt;&lt;br /&gt;Now, Viviane Reding came up with one of her &lt;a href="http://www.euractiv.com/en/global-europe/eu-us-relations-je-t-aime-moi-non-plus-news-500815"&gt;unique quotes&lt;/a&gt; again:&lt;br /&gt;&lt;blockquote&gt;European Justice and Fundamental Rights Commissioner Viviane Reding  criticised the US for having shown little interest in negotiating with  the EU a deal to protect the private data of European citizens during  terrorism probes. &lt;p&gt;  In what appears as a remake of the so-called "Kissinger question"  ('what is the EU's telephone number'?), Reding lamented that Washington  had not yet appointed a negotiator for the data protection agreement.&lt;/p&gt; &lt;p&gt;  "I certainly can wait for a few days. &lt;span style="font-style: italic;"&gt;But I expect to be given the  telephone number&lt;/span&gt; of the US chief negotiator before the end of the year  and seriously start the talks," she said, cited by AFP. 
[emphasis added]&lt;br /&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The Guardian has &lt;a href="http://www.guardian.co.uk/world/2010/dec/20/eu-accuse-us-on-data-protection"&gt;more info&lt;/a&gt; on Reding's recent trip to Washington.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;I am collecting all publicly available documents on the data protection agreement &lt;a href="http://www.euwiki.org/COM/2010/0252"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-7145566951162804795?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/7145566951162804795/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=7145566951162804795' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7145566951162804795'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7145566951162804795'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2010/12/reding-asks-kissinger-question-on-data.html' title='Reding asks the &quot;Kissinger question&quot; on Data Protection Agreement with US'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-5264124125096252964</id><published>2010-09-30T13:57:00.004+02:00</published><updated>2010-10-02T13:21:47.411+02:00</updated><title type='text'>UK sued at 
European Court of Justice over Deep Packet Inspection</title><content type='html'>The United Kingdom has just been sued by the European Commission because of the lack of data protection enforcement over companies that do &lt;a href="http://userpage.fu-berlin.de/%7Ebendrath/Paper_Ralf-Bendrath_DPI_v1-5.pdf"&gt;Deep Packet Inspection&lt;/a&gt;. The trigger that had started the infringement procedure was the &lt;a href="http://bendrath.blogspot.com/2009/04/privacy-international-position-on.html"&gt;Phorm case&lt;/a&gt; around DPI-based targeted advertising, but the Commission seems to be annoyed in general by the lack of rules and enforcement on telecommunications privacy. Phorm has already closed its operations in the UK as far as I know.&lt;br /&gt;&lt;br /&gt;So this is the first case at the European Court of Justice that involves DPI, and the first time a whole country has been sued over being too lax about DPI - as far as I am aware.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1215&amp;amp;format=HTML&amp;amp;aged=0&amp;amp;language=EN&amp;amp;guiLanguage=en"&gt;European Commission press release from today&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update:&lt;/span&gt; More &lt;a href="http://jurist.org/paperchase/2010/09/eu-suing-uk-over-internet-privacy.php"&gt;links to legal aspects&lt;/a&gt; at JURIST Paperchase.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-5264124125096252964?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/5264124125096252964/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=5264124125096252964' title='1 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/34116157/posts/default/5264124125096252964'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5264124125096252964'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2010/09/uk-sued-at-european-court-of-justice.html' title='UK sued at European Court of Justice over Deep Packet Inspection'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-8230112463759200096</id><published>2010-08-24T16:11:00.003+02:00</published><updated>2010-08-24T16:30:53.814+02:00</updated><title type='text'>APSA Paper on Deep Packet Inspection</title><content type='html'>As a result of my &lt;a href="http://bendrath.blogspot.com/2008/04/deep-packet-inspection-or-end-of-net-as.html"&gt;previous research project at TU Delft&lt;/a&gt;, my former supervisor Milton Mueller and I have co-authored a paper on Deep Packet Inspection for the &lt;a href="http://www.apsanet.org/content_65547.cfm?navID=193"&gt;upcoming convention&lt;/a&gt; of the &lt;a href="http://www.apsanet.org/"&gt;American Political Science Association (APSA)&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;&lt;a style="font-weight: bold;" href="http://ssrn.com/abstract=1653259"&gt;The End of the Net as We Know it? Deep Packet Inspection and Internet Governance&lt;/a&gt;&lt;/blockquote&gt;I will not be able to attend the meeting because of the duties in my new job in the European Parliament, but Milton will be there and present our work. 
For those of you at APSA or in Washington DC next week, it should be an interesting panel in general: &lt;a href="http://www.apsanet.org/mtgs/program_2010/program.cfm?event=1532568"&gt;"Global Information Technology Issues: Policy, Politics, &amp;amp; Methods"&lt;/a&gt;, 2nd September, 14:00 to 15:45, Marriott Wilson Hotel, room B.&lt;br /&gt;&lt;br /&gt;Side note: Because APSA is now using the Social Science Research Network (SSRN) as their paper repository, you get all kinds of information on the usage of your papers. Ours, it turned out, made it to the &lt;a href="http://papers.ssrn.com/sol3/topten/topTenResults.cfm?groupingId=870526&amp;amp;netorjrnl=jrnl"&gt;top ten downloads for the SSRN e-journal "Journal of Entrepreneurship, Innovation, &amp;amp; Growth"&lt;/a&gt; under whose umbrella the paper was posted. Interesting, though I have to confess I had never heard of that journal before.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-8230112463759200096?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/8230112463759200096/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=8230112463759200096' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8230112463759200096'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8230112463759200096'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2010/08/apsa-paper-on-deep-packet-inspection.html' title='APSA Paper on Deep Packet Inspection'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-6701926023151281494</id><published>2010-06-30T10:15:00.004+02:00</published><updated>2010-06-30T10:45:38.220+02:00</updated><title type='text'>New SWIFT / TFTP Agreement still has Massive Weaknesses</title><content type='html'>&lt;p&gt;The &lt;a href="http://www.statewatch.org/news/2010/jun/eu-usa-draft-swift-agreement-com-final-3.pdf"&gt;&lt;strong style="font-weight: normal;"&gt;new agreement&lt;/strong&gt;&lt;/a&gt; on the transfer of banking data from the  EU to the US Department of Treasury's Terrorist Finance Tracking Programme  (TFTP), informally called "SWIFT agreement", was &lt;strong style="font-weight: normal;"&gt;adopted by Council on  Monday 28 June 2010 at 10:00 in written procedure&lt;/strong&gt;. Minor details: Even  the German liberal Minister of Justice, who had fought the agreement wildly in  November, gave in. So now, even Germany did not abstain (what they normally do  when the coalition can not agree), but instead voted in favour. France  abstained in Council, but only because they did not get the required consent  from the national assembly in time.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The agreement was &lt;strong style="font-weight: normal;"&gt;signed on the  same day at 12:30 by the Spanish Homeland Minister&lt;/strong&gt;&lt;span style="font-size:100%;"&gt; Alfredo Pérez Rubalcaba, &lt;/span&gt;&lt;strong style="font-weight: normal;"&gt;the EU Home Affairs Commissioner Cecilia Malmström, and the US Ambassador to the  EU&lt;/strong&gt;, William Kennard. 
Spain had pushed hard to achieve this during the last days of their EU Council presidency.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The agreement will now be &lt;strong style="font-weight: normal;"&gt;rushed through the next EP  plenary session in Strasbourg (5-8 July)&lt;/strong&gt; with an extraordinary session  of the LIBE committee there on Monday and the plenary vote on Wednesday  or Thursday. EPP was long planning to accept it, and over the last few days  S&amp;amp;D and ALDE have completely given in. They even try to sell it as a  success, though there are no real substantial improvements compared to the  agreement from November which the EP voted down in February. Only the Green and Left groups in the Parliament still stick to their principles and to previous EP resolutions on this matter and will vote against it.&lt;br /&gt;&lt;/p&gt; &lt;p&gt;All &lt;strong style="font-weight: normal;"&gt;documents&lt;/strong&gt; are already on Statewatch:&lt;/p&gt; &lt;div&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.statewatch.org/news/2010/jun/eu-usa-draft-swift-agreement-com-final-3.pdf"&gt;Council  Decision on the conclusion of the Agreement between the European Union and the  United States of America on the processing and transfer of Financial Messaging  Data from the European Union to the United States for the purposes of the  Terrorist Finance Tracking Program&lt;/a&gt;&lt;span style="color: rgb(0, 0, 0);"&gt; (EU doc no:  11222/1/10, dated 24 June 2010, pdf);&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.statewatch.org/news/2010/jun/eu-usa-swift-agreement-final-11350-rev2-10.pdf"&gt;Declarations  to be adopted upon the adoption of the Council Decision on signature of the TFTP  Agreement&lt;/a&gt;&lt;span style="color: rgb(0, 0, 0);"&gt; (pdf): referring to the EU developing its  own system for monitoring financial transaction related to terrorism&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;a 
href="http://www.statewatch.org/news/2010/jun/eu-usa-swift-agreement-final-11350-rev1-cor1-10.pdf"&gt;Corrigendum&lt;/a&gt;&lt;span style="color: rgb(0, 0, 0);"&gt; (pdf). &lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;span style="font-weight: bold;"&gt;Main points of critique still remain&lt;/span&gt;:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Bulk data transfers&lt;/strong&gt; of unsuspicious EU citizens still  systematically built-in (the "tailored as narrowly as possible" is a joke,  because they can only filter the data by a few criteria, such as country &amp;amp;  day).&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Retention periods&lt;/strong&gt; still 5 years (probably in  breach of the German Constitutional Court's decision on data retention in  March)&lt;strong&gt;&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;There is no clear sunset clause or conditioning of the agreement  on data extraction on EU soil.&lt;/strong&gt; The clause "EU shall consider whether to  renew the agreement" if there is no extraction on EU soil after 5 years is a  joke, because it automatically extends for one year each if nothing happens. It  does not have to be renewed, it has to be actively terminated.&lt;strong&gt;&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;There is no binding legal redress mechanism.&lt;/strong&gt; The US government guarantees that  they will treat EU citizens equally in administrative procedures, but there is  still a hole in the juridical redress, because the US Privacy Act court clauses  only apply to US citizens and legal residents. The agreement is not conditioned  upon the US changing their law here.&lt;/li&gt;&lt;li&gt;The &lt;strong&gt;role of Europol is a  total mess on several levels&lt;/strong&gt;:&lt;br /&gt;a) Europol is supposed to authorize  data transfer requests from the US. 
This derogates from the demand of the EP in  its May 2010 resolution to have a judicial authority do this.&lt;br /&gt;b) Europol can  now itself request data searches from the US, which reduces their incentive to  limit the transferred amount of data in the first place to exactly zero.&lt;br /&gt;c)  UK, Ireland and Denmark have opt-in clauses on Europol. If they don't  participate here, the whole agreement will not apply to their "territory". It's  totally unclear what that means: Can SWIFT (based in BE, servers in NL and CH)  still transfer data, even if it concerns citizens of these three countries? Is  this happening with or without Europol then? Who would do the authorization  instead if Europol would not do it?&lt;br /&gt;d) The consent of the EP to the agreement  extends the mandate of Europol and might therefore imply a "Lisbonization" of  the agency - which of course should be done under ordinary legislative  procedure, not just by saying "yes" or "no". The Council explanations ("no  Lisbonization") are not necessarily convincing. There may be a legal challenge  based on this.&lt;/li&gt;&lt;li&gt;The fundamental issue of &lt;strong&gt;proportionality&lt;/strong&gt; is  still not solved: Just seeing the data as useful for police and intelligence  work does not suffice to legitimate these massive data transfers. Instead, there  has to be facts-based evidence that there is a clear and imminent danger to the  lives and limbs of people or to the existence of the state which can not be  fought with less intrusive and much narrower means. A general risk of terrorist  activity is not sufficient to give up our civil liberties. 
&lt;/li&gt;&lt;/ul&gt;For the old agreement from 2009, see: &lt;a href="http://bendrath.blogspot.com/2009/11/swift-agreement-not-in-line-with.html"&gt;SWIFT Agreement Not in Line with European Parliament 's Demands&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-6701926023151281494?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/6701926023151281494/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=6701926023151281494' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6701926023151281494'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6701926023151281494'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2010/06/new-swift-tftp-agreement-still-has.html' title='New SWIFT / TFTP Agreement still has Massive Weaknesses'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-8758050813234856923</id><published>2010-03-30T19:33:00.011+02:00</published><updated>2010-03-30T20:45:13.119+02:00</updated><title type='text'>I try a dialogue with EU Commissioner Cecilia Malmström on Internet Filtering</title><content type='html'>The EU Home Affairs Commissioner and former Swedish Minister for Europe, Cecilia Malmström, has yesterday presented the "&lt;a 
href="http://ec.europa.eu/justice_home/news/intro/doc/com_2010_94_en.pdf" target="_blank"&gt;Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on combating the sexual abuse, sexual exploitation of children and child pornography, repealing Framework Decision 2004/68/JHA&lt;/a&gt;". This includes a paragraph that would require member states to set up mechanisms for filtering out websites with such material.&lt;br /&gt;&lt;br /&gt;We have had the exact same debate with - it seems so far - the exact same arguments on sexual abuse websites in Germany last year, and it took us 134.000 signatories under an e-petition to the parliament as well as 2% for the Pirates in the German election to finally get listened to. Now, with the new German government, the blocking law is still officially in force, but will not be applied. So much for the background and why internet liberty people from Germany are furious that this comes back from Brussels now.&lt;br /&gt;&lt;br /&gt;There are several reasons why blocking is a really bad idea.  A good summary of the arguments is &lt;a href="http://mrtopf.de/blog/en/10-reasons-against-access-blocking/"&gt;here&lt;/a&gt;. Other arguments and facts, provided by a group of victims of child abuse, are &lt;a href="http://mogis-verein.de/eu/"&gt;here&lt;/a&gt;. EDRi recently sent an &lt;a href="http://www.edri.org/edrigram/number8.5/edri-open-letter-internet-blocking"&gt;open letter&lt;/a&gt; on this to Cecilia Malmström and her colleagues for Justice, Viviane Reding, and for the Information Society, Neelie Kroes. Reding herself is against the blocking proposal and has been fighting internally with Malmström. 
Joe McNamee from EDRi has some background info &lt;a href="http://www.netzpolitik.org/2010/netzpolitik-interview-background-on-the-censilia-plans/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The twitterverse has already come up with a nickname for Cecilia Malmström: &lt;a href="http://search.twitter.com/search?q=%23censilia"&gt;#Censilia&lt;/a&gt;, and internet and civil liberties activists are busy networking across borders now. I thought I try the direct way and leave a comment in Mrs. Malmström's &lt;a href="http://ceciliamalmstrom.wordpress.com/2010/03/29/ett-slag-for-barnens-rattigheter/"&gt;blog&lt;/a&gt;. Here is a copy:&lt;br /&gt;&lt;br /&gt;Dear Mrs. Malmström,&lt;br /&gt;&lt;br /&gt;I'd be interested in hearing how your former boss, prime minister Reinfeldt, can go to China with a straight face and tell them that unfiltered internet is important for human rights and democracy, as he did according to &lt;a href="http://www.businessweek.com/ap/financialnews/D9EO89GO0.htm"&gt;news reports yesterday&lt;/a&gt;. The Chinese government has already used the filtering infrastructure in place in a few Western countries as an excuse for their own "Green Dam" censorship system.&lt;br /&gt;&lt;br /&gt;You can again reply "But we will only filter child abuse". Two of the many problems are: The filtering lists have to be secret by definition. So how can concerned citizens be sure that nothing else ends up on these lists? And how can you be sure that the next government is also run by people who only have best intentions?&lt;br /&gt;&lt;br /&gt;Karl Popper wrote wisely on the open society: We have to build our political institutions in a way that neither evil nor incompetent rulers can do too much harm. The same principle now has to be applied to our technological infrastructures. This is why people are so concerned about your proposal - not because they think you or the current European governments are evil (well... 
maybe except for the Italian one),  but because of the inherent risks such technologies of information control create.&lt;br /&gt;&lt;br /&gt;On a more empirical note: The Danish filtering list from 2008/2009,  &lt;a href="http://blog.odem.org/2010/01/30/bka-antwort-spd-bulmahn.pdf"&gt;according to the German Federal Criminal Police Agency&lt;/a&gt;, has websites from these countries blocked:&lt;br /&gt;&lt;br /&gt;USA: 1148&lt;br /&gt;Germany: 199&lt;br /&gt;Netherlands: 79&lt;br /&gt;Canada: 57&lt;br /&gt;Russia: 27&lt;br /&gt;Japan: 20&lt;br /&gt;Korea: 19&lt;br /&gt;Czech Republic: 15&lt;br /&gt;UK: 14&lt;br /&gt;&lt;br /&gt;Maybe you should mention this to the US secretaries of Justice and Home Affairs when you next talk to them about access to European SWIFT and PNR data - before you start setting up a dangerous technology in Europe.&lt;br /&gt;&lt;br /&gt;Best regards, Ralf Bendrath&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-8758050813234856923?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/8758050813234856923/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=8758050813234856923' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8758050813234856923'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8758050813234856923'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2010/03/i-try-dialogue-with-eu-commissioner.html' title='I try a dialogue with EU Commissioner Cecilia Malmström on Internet Filtering'/><author><name>Ralf 
Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-7372421945911031419</id><published>2010-03-10T01:59:00.002+01:00</published><updated>2010-03-10T02:06:59.821+01:00</updated><title type='text'>Google in Italy: Brandeis in New England 2.0</title><content type='html'>Marc Rotenberg from &lt;a href="http://www.EPIC.org"&gt;EPIC&lt;/a&gt; has an interesting &lt;a href="http://www.huffingtonpost.com/marc-rotenberg/brandeis-in-italy-the-pri_b_481115.html"&gt;commentary&lt;/a&gt; on the Google court case in Italy:&lt;br /&gt;&lt;blockquote&gt;I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established in the United States.&lt;/blockquote&gt;After a comparison of how the right to privacy was born in the U.S. and first endorsed by a New York Court in 1905, Marc goes on to set the record straight on the current case in Italy:&lt;br /&gt;&lt;blockquote&gt;It is significant also in the Italian case that defamation charges against the Google execs were dropped. That was an appropriate recognition of the freedom of expression interests in the case and tracks the distinction between the Google execs being responsible for the content of the speech (they were not) and the Google execs deriving commercial value from the continued display of the video (they did). 
That distinction, which has been missed by virtually every commentator on this case, makes clear that the Italian court had a good understanding of the freedom of expression concerns. He just didn't believe that absolved Google of all liability.&lt;br /&gt;&lt;/blockquote&gt;(via &lt;a href="http://www.schneier.com/blog/archives/2010/03/marc_rotenberg_1.html"&gt;Bruce Schneier&lt;/a&gt;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-7372421945911031419?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/7372421945911031419/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=7372421945911031419' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7372421945911031419'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7372421945911031419'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2010/03/google-in-italy-brandeis-in-new-england.html' title='Google in Italy: Brandeis in New England 2.0'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-7516530452141528069</id><published>2010-02-12T19:15:00.004+01:00</published><updated>2010-02-15T04:53:49.346+01:00</updated><title type='text'>European Parliament rejects Bank Data Transfer to U.S.</title><content type='html'>The &lt;a 
href="http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2010-0029+0+DOC+XML+V0//EN&amp;amp;language=EN"&gt;decision&lt;/a&gt; yesterday on the so-called &lt;a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:008:0011:0016:EN:PDF"&gt;"SWIFT-Agreement"&lt;/a&gt; was historic, as even the EP's vice-president who was chairing had to admit. MEPs rejected the transfer of bulk data from Belgian bank telecommunication service provider SWIFT to U.S. authorities for its lack of legal and privacy protection by a large majority of 378 to 198 votes. Also take note of the &lt;a href="http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&amp;amp;reference=A7-2010-0013&amp;amp;language=EN"&gt;report and the explanatory statement&lt;/a&gt; by the civil liberties committee's rapporteur, Dutch liberal Jeanine Hennis-Plasschaert - well worth a read. EDRi.org had helped a bit with an &lt;a href="http://www.edri.org/edrigram/number8.3/european-parliament-to-discuss-swift"&gt;FAQ&lt;/a&gt; that was distributed to MEPs before the vote.&lt;br /&gt;&lt;br /&gt;Next on the EP's privacy agenda:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The transfer of Passenger Name Records (PNR) to the United States. Edward Hasbrouck has the &lt;a href="http://www.papersplease.org/wp/2010/02/11/european-parliament-rejects-deal-for-us-access-to-swift-financial-data-next-on-the-agenda-pnr-deal-for-access-to-travel-data/"&gt;links between PNR and SWIFT&lt;/a&gt;.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The &lt;a href="http://ec.europa.eu/justice_home/news/consulting_public/news_consulting_0005_en.htm"&gt;public consultation&lt;/a&gt; for the planned comprehensive data transfer and data protection framework between the EU and the US for law enforcement purposes. 
The deadline is 12 March - please submit strong statements there!&lt;/li&gt;&lt;li&gt;The review of the data retention directive (Commission document expected this fall).&lt;/li&gt;&lt;li&gt;The review of the data protection directive 46/95/EC for the internal market.&lt;/li&gt;&lt;li&gt;Europol access to other EU databases such as the fingerprints of asylum-seekers.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;So let's keep rockin'. The victory yesterday was worth the bottle of champagne we had afterwards, but we have more serious work ahead of us. We also need better transatlantic exchange among privacy defenders on these matters. Who is willing to help?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-7516530452141528069?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/7516530452141528069/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=7516530452141528069' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7516530452141528069'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7516530452141528069'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2010/02/european-parliament-rejects-bank-data.html' title='European Parliament rejects Bank Data Transfer to U.S.'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-1672249709200055431</id><published>2010-02-02T02:40:00.004+01:00</published><updated>2010-02-02T02:59:07.918+01:00</updated><title type='text'>Bank data deal under heavy fire from EU Parliamentarians</title><content type='html'>&lt;p&gt; The debate on the bank data ("SWIFT") agreement in the European Parliament's Committee on Civil Liberties, Justice and Home Affairs last week showed a &lt;a href="http://www.europarl.europa.eu/news/expert/infopress_page/019-67946-025-01-05-902-20100125IPR67943-25-01-2010-2010-false/default_en.htm"&gt;clear conflict&lt;/a&gt; between parliamentarians on the one side and the EU Council as well as the European Commission on the other side.&lt;br /&gt;&lt;/p&gt; &lt;p&gt; The EU Justice and Home Affairs Ministers had signed an agreement with the US government on the transfer of bank data from the EU to the US for the Department of Treasury's "Terrorist Finance Tracking Program" (TFTP) on 30 November last year. It would legalize the use of bank data, including inner-European transactions, by US security agencies, which had been going on since 9/11 2001 and only became public in 2006. The new agreement had only been possible because Germany abstained after a heavy fight between conservative and liberal parties in the Berlin coalition. Members of the European Parliament furiously criticized this move, because one day later, on 1st December, the Lisbon Treaty entered into force and gave the Parliament full veto powers in the area of justice and home affairs. Only later it turned out that because some national parliaments had announced reservations to the signature, the deal was not concluded and now has to be dealt with under codecision procedures. 
&lt;/p&gt; &lt;p&gt; The President of the European Parliament since December &lt;a href="http://www.netzpolitik.org/wp-upload/EP-President-letter-to-F-REINFELDT-on-SWIFT-agreement.pdf"&gt;repeatedly&lt;/a&gt; &lt;a href="http://www.netzpolitik.org/wp-upload/438669_EN1.pdf"&gt;had asked&lt;/a&gt; the Council and Commission to refer the agreement to the EP as soon as possible, without getting any reply. Only two weeks ago, the Spanish presidency &lt;a href="http://www.netzpolitik.org/wp-upload/Secretary-of-State-follow-up-plenary-20JAN.pdf"&gt;told MEPs&lt;/a&gt; that the delay was caused by translation problems and that the EP would get it on 25 January. When MEPs found out that the text of the agreement had already been &lt;a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:008:0011:0016:EN:PDF"&gt;published in the Official Journal&lt;/a&gt; on 13 January, they immediately suspected foul play by Council and Commission. The agreement has entered into force provisionally on 1st February, but the EP can only vote on it in the next plenary session (8 to 11 February). The Council has &lt;a href="http://www.netzpolitik.org/wp-upload/10-01-26-respuesta-Pte-Rdz-Zapatero-a-Pte-Buzek-SWIFT-2.pdf"&gt;turned down&lt;/a&gt; a &lt;a href="http://www.netzpolitik.org/wp-upload/SWIFT-Letter-from-EP-President-to-JL-Zapatero-21-Jan-10.pdf"&gt;formal request by the EP&lt;/a&gt; to postpone the provisional application by two weeks. SWIFT itself has in the meantime announced that they will not turn over data unless there is a legal basis for it, including a parliamentary vote.&lt;br /&gt;&lt;/p&gt; &lt;p&gt; In the 27 January 2010 committee session, Commission representative Jonathan Faull revealed that there will also be a new, confidential, report by French anti-terror judge Jean-Louis Bruguière, when the committee will already have its vote on the agreement. 
MEPs from both  Liberal and Green groups demanded that all such background documents be made  public immediately, including an opinion of the Council's legal service and the  secret annex that lists the financial service providers affected by the  agreement. MEPs from all groups also criticized  the substance of the agreement, citing numerous articles that are not in  line with EU or Council of Europe data protection regulation or the EU  charter of fundamental rights.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The EP's rapporteur on this dossier, Dutch  liberal Jeanine Hennis-Plasschaert, also rejected the Council's and Commission's repeated claim that without the provisional application of the agreement, we would have a "security gap". Austrian Conservative MEP Ernst Strasser stated that "if there was a security gap, we would have it now - from 1st January to 31st January," referring to the fact that the global bank transaction provider SWIFT has already changed its architecture on 1st January. SWIFT is now routing inner-European transactions only within Europe, thereby cutting off direct access by US agencies.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The discussion became fully absurd when commission representative Faull suggested that we would even get a "privacy gap" if the agreement is vetoed by the EP. 
Vice European Data Protection Supervisor Giovanni Buttarelli quickly debunked such assertions, citing a &lt;a href="http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2010/10-01-25_EU_US_data_exchange_EN.pdf"&gt;new legal analysis&lt;/a&gt; done by his staff which also revealed several privacy and legal protection flaws in the agreement. The group of EU data protection commissioners had produced a &lt;a href="http://www.statewatch.org/news/2010/jan/eu-art-29-cttee-swift.pdf"&gt;similar analysis&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt; &lt;p&gt; The next week before the EP plenary vote will now be decisive not only for privacy protection for EU citizens in the fight against terror, but also for transatlantic relations in this field and for the role of the European Parliament with its new powers under the Lisbon Treaty. Left, Liberal, and Green MEPs are willing to kill the agreement and protect privacy rights, while conservatives seem to be split. The decisive group will therefore be the Social Democrats.  
The committee vote is set for Thursday, 4 February, 15:00 CET.&lt;/p&gt;&lt;p&gt;&lt;span style="font-style: italic;"&gt;(This is an updated and slightly edited version of an &lt;a href="http://www.edri.org/edrigram/number8.2/swift-deal-european-parliament"&gt;article&lt;/a&gt; I wrote for EDRi-Gram on 27 January 2010.)&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;a href="http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2010/10-01-25_EU_US_data_exchange_EN.pdf"&gt;&lt;/a&gt;&lt;p&gt; &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-1672249709200055431?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/1672249709200055431/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=1672249709200055431' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1672249709200055431'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1672249709200055431'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2010/02/bank-data-deal-under-heavy-fire-from-eu.html' title='Bank data deal under heavy fire from EU Parliamentarians'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-8261063251902185862</id><published>2009-11-25T18:49:00.003+01:00</published><updated>2009-11-25T19:00:52.930+01:00</updated><title type='text'>European Parliament on Privacy vs Security and the "Balance" Metaphor</title><content type='html'>The European Parliament has adopted its resolution on the Stockholm Programme today. The Stockholm Programme is a political document that lays out the priorities for EU justice and home affairs policy for the years 2010 to 2014. It will be adopted by the Council of Ministers next Monday - therefore the Parliament's opinion on this was very timely. There were a lot of amendments, separate votes and split votes, so we have to wait a few days for the final consolidated text. Overall, it's a mixed bag, but that is a looong story.&lt;br /&gt;&lt;br /&gt;What I want to point out here is only one amendment that was adopted -  but it was an extremely crucial one:&lt;br /&gt;&lt;br /&gt;The European Parliament&lt;br /&gt;&lt;blockquote&gt;"... stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective"&lt;/blockquote&gt;I think this is one of the most important official contributions to the "freedom vs security" debate in the last few years. 
And it is the official opinion of Europe's directly elected representatives now.&lt;br /&gt;&lt;br /&gt;Please help spreading the word and establishing this clarification firmly in the public discourse.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-8261063251902185862?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/8261063251902185862/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=8261063251902185862' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8261063251902185862'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8261063251902185862'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/11/european-parliament-on-privacy-vs.html' title='European Parliament on Privacy vs Security and the &quot;Balance&quot; Metaphor'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-8268408516844577412</id><published>2009-11-18T16:46:00.006+01:00</published><updated>2010-01-25T18:24:20.269+01:00</updated><title type='text'>SWIFT Agreement Not in Line with European Parliament 's Demands</title><content type='html'>&lt;span style="font-weight: bold; font-style: italic;"&gt;Update, 25 January 2010:&lt;/span&gt;&lt;span style="font-style: italic;"&gt; The agreement has been signed, but not yet concluded, 
by the Council on 30 November 2009. &lt;/span&gt;&lt;a style="font-style: italic;" href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:008:0011:0016:EN:PDF"&gt;Here is the final text.&lt;/a&gt;&lt;span style="font-style: italic;"&gt; It will be voted on in the European Parliament on 10 or 11 February 2010. The only change to my analysis below (beyond some re-numbering of paragraphs) is the transfer of data to third countries or agencies, which is now limited to "leads", not raw data. The remainder of the criticism still stands.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.netzpolitik.org/wp-upload/SWIFT-Abkommen-2009-11-10.pdf"&gt;draft agreement on bank data transfer between the EU and the US for anti-terrorism purposes ("SWIFT Agreement")&lt;/a&gt; was leaked on 11 November. It stirred a heavy debate in the media, even made front-page news in Germany, and resulted in members and staff of the European Parliament and of the Committee of Permanent Representatives of EU member states  (COREPER) having hectic phone calls. Background on the SWIFT deal is available &lt;a href="http://www.edri.org/search/node/swift"&gt;elsewhere&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I want to focus here on the conformity of the draft with the demands of the European Parliament. The EP adopted a &lt;a href="http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2009-0016+0+DOC+XML+V0//EN"&gt;resolution on the SWIFT agreement&lt;/a&gt; in September, which was not too strong, but clearly spelled out some substantial and procedural criteria.&lt;br /&gt;&lt;br /&gt;There are rumours that the Council and the Commission are trying to get an informal confirmation (whatever that means) from the Parliament that the current draft meets the demands of the Parliament. 
The following quick analysis shows that this is clearly not the case.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;1) Definition of Terrorism&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The EP demands in paragraph 7(a)&lt;br /&gt;&lt;blockquote&gt;"that data are transferred and processed only for the purposes of fighting terrorism (...), and that they relate to &lt;span style="font-style: italic;"&gt;individuals or terrorist organisations recognised as such also by the EU&lt;/span&gt;".&lt;br /&gt;&lt;/blockquote&gt;The draft agreement has a definition of terrorism in article 2 and also refers to the EU definition on this, but spells out no procedure on who would make such a decision and how.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;2) Judge Approval&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The EP demands in paragraph 7(c) that data transfers have to be&lt;br /&gt;&lt;blockquote&gt;"subject to judicial authorization". &lt;/blockquote&gt;The draft agreement does not mention this at all. It only describes a procedure in article 4 where requests by the US government are scrutinized by an ominous "central authority" in the EU member state where the financial service provider concerned is located. I assume this will be agencies like the Federal Criminal Police Agency (BKA) in Germany and the likes. 
Not exactly what is meant by an independent judge.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;3) Judicial Review&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The EP demands in paragraph 7(d) that&lt;br /&gt;&lt;blockquote&gt;"legality and proportionality of the transfer requests should be open for judicial review in the US"&lt;br /&gt;&lt;/blockquote&gt;and in paragraph 7(e) that&lt;br /&gt;&lt;blockquote&gt;"transferred data are subject to the same judicial redress mechanisms as would apply to data held within the EU".&lt;br /&gt;&lt;/blockquote&gt;The draft only has a meaningless clause on this in article 11(3). There is an annex to the draft that lists a number of U.S. laws and codes that allegedly provide for judicial redress, but none of these actually does so. In detail:&lt;br /&gt;&lt;br /&gt;- The Administrative Procedure Act of 1946 only states that&lt;br /&gt;&lt;blockquote&gt;"a person suffering legal wrong because of agency action, or adversely affected or aggrieved by agency action within the meaning of a relevant statute, is entitled to judicial review thereof".&lt;br /&gt;&lt;/blockquote&gt;The problem: The US Privacy Act offers protection against unlawful data processing by government agencies, but only for US citizens and residents.&lt;br /&gt;&lt;br /&gt;- The Inspector General Act of 1978 only establishes the powers of inspectors general of the various agencies and departments for auditing and investigations. There is no option for citizens to demand judicial review. Quite the contrary:&lt;br /&gt;&lt;blockquote&gt;"the Secretary of the Treasury may prohibit the Inspector General of the Department of the Treasury from carrying out or completing any audit or investigation".&lt;br /&gt;&lt;/blockquote&gt;- The Implementing Recommendations of the 9/11 Commission Act of 2007 establishes the Privacy and Civil Liberties Oversight Board in the Department of Homeland Security. 
But the PCLOB is not really independent, has very few rights and cannot pursue independent investigations. There is no option for citizens to demand judicial review. Quite the contrary - the act establishes even more possibilities for data-sharing among government agencies, e.g. through the "State, Local, and Regional Fusion Center Initiative".&lt;br /&gt;&lt;br /&gt;- The Computer Fraud and Abuse Act criminalizes unauthorized and authority-exceeding use of computers. But this is not what the SWIFT agreement is about - the US government could theoretically send a carrier pigeon to the Europeans with the message demanding specific data. A computer is not abused or even broken into here - otherwise every corruption, libel or other white-collar-crime case where a computer was used would be sanctionable under this act, too. Ridiculous.&lt;br /&gt;&lt;br /&gt;- Freedom of Information Act (FOIA): Any possible right to access information is immediately annulled by the exception clauses in article 11 of the draft agreement.&lt;br /&gt;&lt;br /&gt;- Standards for Ethical Code for Employees of the Executive Branch: This code includes no option for citizens to demand judicial review. It only foresees the option of disciplinary measures in case of wrongdoing by executives.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;4) Purpose Binding&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The EP demands in paragraph 7(f) that transfers of data are limited to investigations about "terrorism financing". The draft agreement includes "prevention, investigation, detection, or prosecution of terrorism or terrorist financing". 
This means that the US can ask for data that is not related to terrorism financing at all, as long as they make the case that it is &lt;span style="font-style: italic;"&gt;somehow&lt;/span&gt; related to terrorism or may help its "prevention" (which is a broad and unclear clause anyway).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic; font-weight: bold;"&gt;5) Onward Data Transfers&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The EP demands in paragraph 7(f) that&lt;br /&gt;&lt;blockquote&gt;"the transfer of such data to third parties other than the public authorities in charge of the fight against terrorism financing is also prohibited".&lt;br /&gt;&lt;/blockquote&gt;The draft agreement allows the onward transfer of bank data to third countries, not just third parties within the US. The parliament clearly meant the latter in its resolution and did not foresee any transfer to third countries. This would be the major hole in the agreement where all the other criteria (judicial review, purpose binding etc.) would be annulled even if they existed.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;6) Scope&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The EP demands in paragraph 9 that&lt;br /&gt;&lt;blockquote&gt;"batches and large files such as those concerning transactions relating to the Single European Payment Area (SEPA) fall outside the scope of the data".&lt;br /&gt;&lt;/blockquote&gt;The draft agreement in article 4(6) allows for the transfer of "bulk data" if the service provider can not identify the specific data requested. A slightly newer version of the agreement, according to German press reports, explicitly excludes SEPA data. But the parliament explicitly mentioned SEPA only as an example, as is clear by the word "such as". 
The draft agreement does not exclude &lt;span style="font-style: italic;"&gt;all&lt;/span&gt; batches and large files.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;7) Procedural Aspects&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The EP demands in paragraph 13 that&lt;br /&gt;&lt;blockquote&gt;"the European Parliament and all national parliaments will be given full access to the negotiation documents and directives".&lt;br /&gt;&lt;/blockquote&gt;This has repeatedly not happened. Neither has the parliament received the text of the draft agreement, nor was it even informed about its very existence. It only learned about it from the press reports.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusion&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The current draft agreement on bank data transfers is clearly in breach of the criteria established by the European Parliament - on substance as well as on procedures.&lt;br /&gt;&lt;br /&gt;It would be a clear affront by the Council of Ministers if they adopted and signed the agreement at their next meeting on 30 November - one day before the Lisbon Treaty will enter into force and the European Parliament will get full veto powers in the area of justice and home affairs.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-8268408516844577412?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/8268408516844577412/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=8268408516844577412' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8268408516844577412'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/34116157/posts/default/8268408516844577412'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/11/swift-agreement-not-in-line-with.html' title='SWIFT Agreement Not in Line with European Parliament &apos;s Demands'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-6725321921957859389</id><published>2009-09-23T18:42:00.002+02:00</published><updated>2009-09-23T18:47:48.983+02:00</updated><title type='text'>"Freedom not Fear" 2009 - Protests Against the Surveillance Mania</title><content type='html'>&lt;span style="font-style: italic;"&gt;(I have not been blogging much here lately because I took a new job and moved to Brussels. I hope I will find more time for regular updates soon.)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;On Saturday, 12 September 2009, civil liberties activists in many countries again took to the streets under the motto "Freedom not Fear - Stop the Surveillance Mania". It was the second time these activities took place after the first international action day on 11 October 2008.&lt;br /&gt;&lt;br /&gt;The biggest event was held in Berlin, where more than 25 000 people marched through the streets and applauded the speeches and the bands. Frank Bsirske, chairman of the world's largest trade union ver.di, called for a comprehensive law for employee and workplace privacy protection. Patrick Breyer from the Working Group against Data Retention (AK Vorrat), which again had initiated the protests, reminded participants of the democratic rallies and events of 1847 and 1989 and called for continuous resistance against the surveillance state. 
Other speakers included Franziska Heine from the Working Group against Censorship (AK Zensur), who had organized the most successful online petition ever to the German parliament against a recent German law that permits blocking of web sites by the federal police. The event sent a strong signal to the political parties and was widely reported in the context of the upcoming German federal election. At the end of the demonstration, activists from EDRi member Chaos Computer Club were able to film a police assault on a peaceful participant. Public pressure as a result of this has now led to an announcement of the Berlin police that all officers will get mandatory name badges in early 2010.&lt;br /&gt;&lt;br /&gt;Other activities took place in Bulgaria, Finland, Italy, Macedonia, the Netherlands, Austria, Sweden, Switzerland, the Czech Republic, and the United Kingdom. Activists had organized a plethora of events, including a full week of activities in Prague; demonstrations in Amsterdam, Stockholm and Sofia; public teach-ins in Skopje (co-organized by EDRi member Metamorphosis), Milano, and Helsinki (co-organized by EDRi member EFFi); privacy parties and film screenings, and much more. 
Activists in Vienna (from EDRi member Vibe.at) reported such big interest from the population that they had to print 1000 more leaflets on the same day.&lt;br /&gt;Outside of Europe, privacy activists in Guatemala joined the action day this year with a reading event from a new volume of fiction stories about surveillance, titled "stop the surveillance mania".&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Links&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2009"&gt;Overview of Freedom not Fear activities&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://wiki.vorratsdatenspeicherung.de/Press_center"&gt;Press center for the Berlin demonstration&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.edri.org/edri-gram/number7.18/macedonia-freedom-not-fear-2009"&gt;Report from activities in Skopje - EDRi-gram: Macedonia: Activities for&lt;br /&gt;citizen education about their privacy rights (23.09.2009)&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.heise.de/newsticker/foren/S-Bericht-FSA-Wien/forum-165693/msg-17357119/read/"&gt;Report from activities in Vienna (only in German, 12.09.2009)&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.edri.org/edri-gram/number6.20/freedom-not-fear-international-day"&gt;International Action Day "Freedom not Fear" (11.10.2008)&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;This article was also published today in the &lt;/span&gt;&lt;a style="font-style: italic;" href="http://www.edri.org/edri-gram/number7.18" title="EDRi-gram - Number 7.18, 23 September 2009"&gt;EDRi-Gram newsletter, edition 7.18&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-6725321921957859389?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://bendrath.blogspot.com/feeds/6725321921957859389/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=6725321921957859389' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6725321921957859389'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6725321921957859389'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/09/freedom-not-fear-2009-protests-against.html' title='&quot;Freedom not Fear&quot; 2009 - Protests Against the Surveillance Mania'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-4070368234572941988</id><published>2009-07-15T16:14:00.007+02:00</published><updated>2009-07-15T16:26:21.188+02:00</updated><title type='text'>What happens to your Online Identity when you Die?</title><content type='html'>Lilian Edwards, a &lt;a href="http://www.shef.ac.uk/law/staff/acstaff/edwardsl.html"&gt;professor of internet law at Sheffield University&lt;/a&gt; and also a &lt;a href="http://blogscript.blogspot.com/"&gt;hard bloggin' scientist at Pangloss&lt;/a&gt;, is talking about this in a five minute &lt;a href="http://blogscript.blogspot.com/2009/07/death-20.html"&gt;video interview: "Death 2.0"&lt;/a&gt;. 
Interesting.&lt;br /&gt;&lt;br /&gt;&lt;object width="420" height="255"&gt;&lt;param name="movie" value="http://www.youtube.com/v/6B139TeeAOk&amp;hl=de&amp;fs=1&amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/6B139TeeAOk&amp;hl=de&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="420" height="255"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-4070368234572941988?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/4070368234572941988/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=4070368234572941988' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4070368234572941988'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4070368234572941988'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/07/what-happens-to-your-online-identity.html' title='What happens to your Online Identity when you Die?'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-5793666101289623922</id><published>2009-06-17T00:08:00.002+02:00</published><updated>2009-06-17T00:12:51.010+02:00</updated><title type='text'>The Dawning of Internet Censorship in Germany</title><content type='html'>&lt;p style="font-style: italic;"&gt;This post was written by Markus Beckedahl and &lt;a href="http://netzpolitik.org/2009/the-dawning-of-internet-censorship-in-germany/"&gt;published first&lt;/a&gt; at Netzpolitik.org. The Creative Commons license for it is CC-BY-NC, as the other posts here. RB&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Germany is on the verge of censoring its Internet: The government – a grand coalition between the German social democrats and conservative party – seems united in its decision: On Thursday the parliament is to vote on the erection of an internet censorship architecture. &lt;/p&gt; &lt;p&gt;&lt;img src="http://netzpolitik.org/wp-upload/zensursula-231x300.png" alt="" class="alignnone" /&gt;&lt;/p&gt;&lt;p&gt;The Minister for Family Affairs &lt;a href="http://en.wikipedia.org/wiki/Ursula_von_der_Leyen"&gt;Ursula von der Leyen&lt;/a&gt; kicked off and led the discussions within the German Federal Government to block Internet sites in order to fight child pornography. The general idea is to build a censorship architecture enabling the government to block content containing child pornography. The Federal Office of Criminal Investigation (BKA) is to administer the lists of sites to be blocked and the internet providers obliged to erect the secret censorship architecture for the government. &lt;/p&gt; &lt;p&gt;A strong and still growing network opposing these ideas quickly formed within the German internet community. 
The protest has not been limited to hackers and digital activists but rather a mainstreamed effort widely supported by bloggers and twitter-users. The HashTag used by the protesters is &lt;a href="http://search.twitter.com/search?q=zensursula"&gt;#zensursula&lt;/a&gt; – a German mash-up of the Minister's name and the word censorship equivalent to #censursula. &lt;/p&gt; &lt;p&gt;As part of the public’s protest an official e-Petition directed at the German parliament was launched. Within three days 50,000 persons signed the petition – the number required for the petition titled „&lt;a href="https://epetitionen.bundestag.de/index.php?action=petition;sa=details;petition=3860"&gt;No indexing and blocking of Internet sites&lt;/a&gt;“ to be heard by the parliament. The running time of an e-Petition in Germany is 6 weeks – within this time over 130,000 people signed making this e-Petition the most signed and most successful ever. &lt;/p&gt; &lt;p&gt;During the past weeks, protests became more and more creative – countless blogs and twitter-users followed and commented on the discussions within governments and opposing arguments. Many mainstream media picked up on this and reported about the protest taking place on-line. &lt;a href="http://www.ak-zensur.de/"&gt;A working group on censorship&lt;/a&gt; was founded and the protest coordinated with a &lt;a href="http://www.thomasmoehle.de/zensur/index.php/Hauptseite"&gt;wiki&lt;/a&gt;, mailing lists, chats and of course employing twitter and blogs. One website „&lt;a href="http://www.zeichnemit.de/"&gt;Zeichnemit.de&lt;/a&gt;“ created a landing page explaining the complicated petitioning system and making signing the petition easier and more accessible for non net-experts. 
&lt;/p&gt; &lt;p&gt;&lt;a href="http://netzpolitik.org/wp-upload/mahnwach1.jpg"&gt;&lt;img src="http://netzpolitik.org/wp-upload/mahnwach1.jpg" alt="" title="mahnwach1" class="alignnone size-medium wp-image-7723" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Over 500 people attended the government's official press conference on the planned internet censorship – a number of whom used this occasion to demonstrate and voice their concerns. In fact, demonstrators began attending some of Minister von der Leyen's public appearances, &lt;a href="http://netzpolitik.org/2009/zensursula-aktion-an-der-uni-hannover/"&gt;carrying banners and signs to raise attention&lt;/a&gt; to the stifling of information freedom in Germany.&lt;/p&gt; &lt;p&gt;&lt;a href="http://netzpolitik.org/wp-upload/mahnwach2.jpg"&gt;&lt;img src="http://netzpolitik.org/wp-upload/mahnwach2.jpg" alt="" title="mahnwach2" class="alignnone size-medium wp-image-7725" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The net community did not only oppose the government's plans, but also made constructive suggestions how to deal with the problem of child pornography without introducing a censorship architecture and circumscribing constitutional freedoms. The working group on censorship demonstrated the alternatives for instance by actually removing over 60 websites containing child pornographic content in 12 hours, simply by emailing the international providers who then removed this content from the net. The sites were identified through the black lists of other countries documented on Wikileaks. This demonstration underlines the protesters' main arguments: instead of effectively investing time and efforts to have illegal content removed from the internet, the German government is choosing censorship and blocking – an easy and dangerous way out. The greatest fear of the protesters is that once in place, the infrastructure will be used to censor other forms of unwanted content, not only child pornography. 
German politicians already seem to be lining up with their wish-list of content to be censored in future – the suggestions ranging from gambling sites, islamist web pages, first person shooters, and the music industry cheering up with the thought of finally banning pirate bay and p2p. &lt;/p&gt; &lt;p&gt;You can find a detailed linklist of the &lt;a href="http://netzpolitik.org/2009/kommentierte-zensursula-linkliste/"&gt;zensursula-debate here&lt;/a&gt; (in German).&lt;br /&gt;Thanks to Geraldine de Bastion for the translation.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-5793666101289623922?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/5793666101289623922/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=5793666101289623922' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5793666101289623922'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5793666101289623922'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/06/dawning-of-internet-censorship-in.html' title='The Dawning of Internet Censorship in Germany'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-6396147202537535513</id><published>2009-06-16T23:46:00.003+02:00</published><updated>2009-06-17T00:04:36.948+02:00</updated><title type='text'>UK introducing "Three Strikes and Your Traffic will be Censored"</title><content type='html'>The UK government just produced a comprehensive &lt;a href="http://news.bbc.co.uk/2/shared/bsp/hi/pdfs/16_06_09digitalbritain.pdf"&gt;"Digital Britain" report&lt;/a&gt; that lays out its strategy to improve broadband connectivity. While there has been significant &lt;a href="http://news.bbc.co.uk/2/hi/technology/8102756.stm"&gt;media coverage&lt;/a&gt; of the proposed levy of 50 pence a month to fund better broadband rollout in rural areas, the really interesting part is the copyright enforcement ideas. The Hermes Project &lt;a href="http://www.thehermesproject.com/2009/06/50p-broadband-tax.html"&gt;reports&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;The government will give powers to &lt;a href="http://www.ofcom.org.uk/"&gt;Ofcom&lt;/a&gt; to put in place a system for repeat offenders that is known as &lt;span style="font-style: italic;"&gt;"write and sue"&lt;/span&gt;, and they will also work with the ISPs on technical measures against the problem - which is an eminently sensible response given the lack of scaleable technical solutions for such incredibly complex requirements - which is naturally not something that the people at the &lt;a href="http://www.bpi.co.uk/"&gt;BPI&lt;/a&gt; agree with.&lt;br /&gt;&lt;br /&gt;As the &lt;span style="font-style: italic;"&gt;"write and sue"&lt;/span&gt; name suggests, ISPs will be required to work with Ofcom under the terms of a Code of Practice to write to those infringing copyright, followed by a court process of the release of identity information and civil action if users do not desist. 
&lt;a href="http://www.ispreview.co.uk/story/2009/06/16/uk-digital-britain-8211-illegal-broadband-isp-file-sharing-solutions.html"&gt;The interesting part&lt;/a&gt; is the technical measures that may happen if this is still not effective.  From the report:&lt;br /&gt;&lt;blockquote style="font-family: courier new;"&gt;"The Government will also provide for backstop powers for Ofcom to place additional conditions on ISPs aimed at reducing or preventing online copyright infringement by the application of various technical measures. In order to provide greater certainty for the development of commercial agreements, the Government proposes to specify in the legislation what these further measures might be; namely:&lt;br /&gt;&lt;br /&gt;* Blocking (Site, IP, URL)&lt;br /&gt;* Protocol blocking&lt;br /&gt;* Port blocking&lt;br /&gt;* Bandwidth capping (capping the speed of a subscriber’s Internet connection and/or capping the volume of data traffic which a subscriber can access);&lt;br /&gt;* Bandwidth shaping (limiting the speed of a subscriber’s access to selected protocols/services and/or capping the volume of data to selected protocols/services);&lt;br /&gt;* Content identification and filtering– or a combination of these measures."&lt;/blockquote&gt;And that's where things start to get incredibly complex and costly - although no doubt there are plenty of &lt;a href="http://en.wikipedia.org/wiki/Deep_packet_inspection"&gt;DPI&lt;/a&gt; vendors who won't complain if the need to undertake these measures is enshrined in law.&lt;/blockquote&gt;This is where the interests of ISPs (saving bandwidth) and the content industry (filtering copyrighted content and punishing file-sharers) finally align. The Deep Packet Inspection (DPI) industry will love this.&lt;br /&gt;&lt;br /&gt;I am not a lawyer, but I guess there will be serious problems with the EU's e-Privacy directive and the human right to telecommunications privacy in the EDHR. 
The EU commission has already &lt;a href="http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/570&amp;amp;format=HTML&amp;amp;aged=0&amp;amp;language=EN&amp;amp;guiLanguage=en"&gt;opened an infringement procedure&lt;/a&gt; against the UK because of their weak position on Phorm.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-6396147202537535513?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/6396147202537535513/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=6396147202537535513' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6396147202537535513'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6396147202537535513'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/06/uk-introducing-three-strikes-and-your.html' title='UK introducing &quot;Three Strikes and Your Traffic will be Censored&quot;'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-6977040346432185676</id><published>2009-05-28T18:33:00.007+02:00</published><updated>2009-05-28T19:12:00.377+02:00</updated><title type='text'>German Debate about Child Porn "Filters": Delete - don't Censor!</title><content type='html'>In Germany, we are approaching the show-down in a heavy political battle around how to fight "child 
pornography" (correct: documentation of child sexual abuse) on the internet. The government, led by family affairs minister Ursula von der Leyen, is proposing a filtering system based on DNS poisoning. The Federal Criminal Police (BKA) would maintain the block list and send it to the ISPs once a day. Domains on the list would then be re-directed to a "STOPP" website instead of the original IP address. The list of course would be secret (as long as it does not end up on Wikileaks like many such lists from other countries before), no judicial oversight is planned, and people visiting a site on the block list (Rickrolling and tinyURL, anyone?) would have to fear criminal investigations, because the law enforcement agencies would get access to IP addresses ending up at the "stopp" site.&lt;br /&gt;&lt;br /&gt;The plan has met heavy opposition from the &lt;a href="http://bendrath.blogspot.com/2008/10/this-was-founding-moment-of-social.html"&gt;already politicized&lt;/a&gt; German internet community. An online petition to the German parliament to not adopt this law today broke the barrier of 100,000 signatures. A parliament hearing yesterday showed massive problems with the current draft. The crucial question in the next two weeks, before the parliament ends its session and everybody is heading towards the election campaign, will be if the Social Democrats, who are ruling together with the Conservatives, will understand that it does not make sense to adopt a quick&amp;amp;dirty law around such a serious topic.&lt;br /&gt;&lt;br /&gt;The German blogosphere and twitterverse are furiously analyzing the factual errors in data presented by the government to support their proposal, discussing the constitutional problems, and pointing to the massive overblocking on leaked lists from other countries. 
They are organizing most of the core work in the "Working Group against Internet Blocking and Censorship" (&lt;a href="http://www.ak-zensur.de/"&gt;Arbeitskreis gegen Internetsperren und Zensur&lt;/a&gt; / AK Zensur), which is more or less modeled after the successful Working Group against Data Retention (&lt;a href="http://www.vorratsdatenspeicherung.de"&gt;AK Vorrat&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;But interestingly, a lot of things are also happening extremely decentralized, only glued together by hashtags on twitter and similar microblogging services. The most popular hashtag is "#zensursula", which is a play on words with the German word for censorship (Zensur) and the minister's first name (Ursula). Last Saturday, there were public readings of the German constitution and many other protests on the streets in around 30 German cities, all triggered just by a &lt;a href="http://mogis.wordpress.com/2009/05/08/wo-seid-ihr-am-sonnabend-dem-23ten-mai/"&gt;blogpost&lt;/a&gt; and a &lt;a href="http://twitter.com/mogisverein/status/1794022628"&gt;tweet&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I'll speak about these methods of "activism 2.0", among other things, next week at the &lt;a href="http://www.cfp2009.org/"&gt;"Computers Freedom and Privacy" conference&lt;/a&gt; in Washington DC.&lt;br /&gt;&lt;br /&gt;Now, a member of AK Zensur has made an interesting experiment and showed that it is not even necessary to block sites, because you can easily take them down completely. 
Stefan Graunke was kind enough to do an &lt;a href="http://www.unpolitik.de/2009/05/28/delete-dont-block-it-works/"&gt;English version&lt;/a&gt; of the press release:&lt;br /&gt;&lt;h2 class="storytitle"&gt;&lt;span style="font-size:130%;"&gt;&lt;/span&gt;&lt;/h2&gt;&lt;blockquote&gt;&lt;h2 class="storytitle"&gt;&lt;span style="font-size:100%;"&gt;Delete, don’t block: It works!&lt;/span&gt;&lt;/h2&gt;&lt;p&gt;This is the English version of a German press release on &lt;a href="http://ak-zensur.de/2009/05/loeschen-funktioniert.html"&gt;ak-zensur.de&lt;/a&gt;&lt;/p&gt;   &lt;h4&gt;Within 12 hours, 60 child pornography sites were removed from the internet&lt;/h4&gt;   &lt;p&gt;In the ongoing German dispute over the appropriate action against documented child abuse on the Internet (child pornography), the supporters of a mere blocking solution argued that it is often not or only with considerable effort possible to remove the illegal content or to get hold of its originator.&lt;/p&gt;   &lt;p&gt;Alvar Freude of the Working Group against Internet blocking and censorship (AK Zensur) put this argument to the test. He analyzed the various European blocking lists via automatic procedures and wrote to each provider on whose servers child pornography was located according to lists. He received an impressive response: Within 12 hours after sending the first e-mail 60 websites were already deleted.&lt;/p&gt;   &lt;p&gt;&lt;strong&gt;Further results and insights:&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;The first reactions respectively deletions followed after a few minutes and came among others from the &lt;span class="caps"&gt;USA&lt;/span&gt;, Holland, Denmark, Russia and Germany.&lt;br /&gt;&lt;/li&gt;&lt;li&gt; Three of the deleted websites were located on servers in Germany.&lt;br /&gt;&lt;/li&gt;&lt;li&gt; A total of 348 providers in 46 different countries were contacted automatically and informed of 1943 allegedly illegal websites. 
A previous individual analysis of the web sites' content has not been made. (It is completely illegal in Germany to look at child pornographic content.)&lt;br /&gt;&lt;/li&gt;&lt;li&gt; 250 providers have responded to the request, but they mostly found legal content. Samples that were taken afterwards confirmed the legal content.&lt;br /&gt;&lt;/li&gt;&lt;li&gt; Ten providers indicated that a total of 61 cases of illegal content had been removed. With a simple e-mail you can achieve a lot.&lt;br /&gt;&lt;/li&gt;&lt;li&gt; The examination through the providers showed that the vast majority of websites, including some from Germany, appeared to have no child pornographic content, some do not contain any objectionable material at all – therefore the websites were blocked in error. In Finland several domestic websites were blocked, that contain a critical examination of the blocking issue.&lt;/li&gt;&lt;li&gt; The providers have not been informed that some of their hosted websites were put on the blocking lists.&lt;br /&gt;&lt;/li&gt;&lt;li&gt; When made aware of this fact, the providers are more than willing to cooperate and remove illegal content as soon as possible.&lt;/li&gt;&lt;li&gt; A certain part of the illegal material was located on ‘hacked’ websites, i.e. sites that were exploited through security holes to spread external material. Here too the providers were very grateful for the supplied information.&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;The process to shut down websites with child pornographic content does not take longer than the transmission of a blocking list. 
This shows the absurdity of the reasoning behind simple blocking – there is no rational reason to just block criminal content and leave it on the Internet, still accessible for everyone who uses minimal effort to circumvent the block.&lt;/p&gt;   &lt;p&gt;What was possible for a citizens’ initiative, such as the Working Group against Internet blocking and censorship, should be even easier for the German government and law enforcement agencies and their results should by far exceed the results of &lt;span class="caps"&gt;AK &lt;/span&gt;Zensur.&lt;/p&gt;   &lt;p&gt;Delete, don’t block – the motto of &lt;span class="caps"&gt;AK &lt;/span&gt;Zensur – is possible!&lt;/p&gt;   &lt;p&gt;&lt;strong&gt;Released by:&lt;/strong&gt; Working Group against Internet blocking and censorship (AK Zensur)&lt;br /&gt;&lt;strong&gt;Web:&lt;/strong&gt; http://ak-zensur.de/ (in German)&lt;/p&gt;   &lt;p&gt;&lt;strong&gt;Press Contact:&lt;/strong&gt;&lt;br /&gt;Alvar Freude&lt;br /&gt;presse@ak-zensur.de&lt;br /&gt;+49 179 13 46 47 1&lt;/p&gt;   &lt;p&gt;&lt;strong&gt;About the Working &lt;/strong&gt;&lt;span style="font-weight: bold;"&gt;Group&lt;/span&gt;&lt;strong&gt; against Internet blocking and censorship (AK Zensur):&lt;/strong&gt;&lt;/p&gt;   &lt;p&gt;The Working Group on Internet blocking and censorship (AK Zensur) speaks out against the Federal Government’s planned Internet blocking and promotes an effective fight against child abuse instead of ineffective symbolic politics that only promotes ‘looking the other way’, does not help the victims and establishes an infrastructure that restricts basic public rights. 
&lt;span class="caps"&gt;AK &lt;/span&gt;Zensur coordinates the work of Internet blocking opponents, but also appreciates the many activities that are happening decentralized in the on- and offline world.&lt;/p&gt;   &lt;p&gt;The members of &lt;span class="caps"&gt;AK &lt;/span&gt;Zensur are amongst others: Chaos Computer Club (CCC), FoeBuD, Association for Information Technology and Society (FITUG), Forum of Computer Scientists for Peace and Social Responsibility (FIfF), Victims Of Abuse Against Internet Blocks (MOGIS), netzpolitik.org, the online platform &lt;span class="caps"&gt;ODEM&lt;/span&gt;.org, Trotz Allem e.V. and numerous individuals.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-6977040346432185676?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/6977040346432185676/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=6977040346432185676' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6977040346432185676'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6977040346432185676'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/05/germany-debate-about-child-porn-filters.html' title='German Debate about Child Porn &quot;Filters&quot;: Delete - don&apos;t Censor!'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-4735808405707254313</id><published>2009-04-20T17:57:00.002+02:00</published><updated>2009-04-20T18:19:54.388+02:00</updated><title type='text'>Privacy International Position on Behavioural Targeted Advertising</title><content type='html'>A lot of folks have been waiting for this. PI has been working with Google and other online marketers recently to enhance their privacy understanding and practices. But they never openly spoke about the dangers of Deep Packet Inspection and related tracking technologies. In my &lt;a href="http://userpage.fu-berlin.de/%7Ebendrath/Paper_Ralf-Bendrath_DPI_v1-5.pdf"&gt;research paper&lt;/a&gt;, I took this as one reason for the fact that UK-based Phorm is still alive, while NebuAd and related US-based companies are more or less out of business, after American net advocacy groups heavily criticised the monitoring of customer traffic by ISPs.&lt;br /&gt;&lt;br /&gt;But finally, PI has issued a &lt;a href="http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-564330"&gt;statement on behavioural advertising&lt;/a&gt;, and Alexander Hanff from &lt;a href="http://www.nodpi.org"&gt;nodpi.org&lt;/a&gt; is even joining their team.&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;Online Behavioural Targeted Advertising – Privacy International’s position&lt;br /&gt;&lt;br /&gt;Privacy International believes that online behavioural targeting for online commercial advertising using the technology of Deep Packet Inspection (DPI) is a dangerous and potentially unlawful technique that is fraught with unethical practice. 
This industry extends across multiple models and strategies including the use of Deep Packet Inspection, Flash Cookies, Tracking Cookies and other emerging technologies.&lt;br /&gt;&lt;br /&gt;We believe that, particularly in the long term, the threat arising from these technologies is of such gravity that commercial organisations must not be permitted to adopt Opt-Out solutions. Without care, industry will within three years adopt a default opt-out platform upon which can be built a limitless spectrum of intrusive technologies. Governments need to legislate in a way that protects the rights of the general public. From any ethical standpoint such interception of web traffic must be conditional on the basis of explicit and informed consent.&lt;br /&gt;&lt;br /&gt;We are concerned that almost all the major online commercial players worldwide are moving in this direction. This is not a model that will be limited to issues such as Deep Packet Inspection that has raised concerns in the UK. With Cloud Computing, 3g and 4g Mobile technologies and Public Wifi Networks the issue extends into all markets involved in data communications and increasingly voice communications due to the global take up of Voice Over IP. It is critical that we set the bar now, whilst these technologies are still developing, in order to prepare for the future.&lt;br /&gt;&lt;br /&gt;There is an urgent need for the EU and US Congress to recognise that the entire online economy is shifting its business models in the direction of communications interception, almost always at the expense of privacy rights. Seismic shifts are occurring in the online advertising market, and these shifts are polarising on both sides of an economic fault line. Furthermore, globally governments must create and fund initiatives that engage all stakeholders. Care must be made to educate people with regards to what privacy is and why privacy is so important to quality of life. 
Whereas the commercial sector need to behave ethically and responsibly, society as a whole need to take more responsibility and care with the way they share their personal data. For this to happen education has to play a key role.&lt;br /&gt;&lt;br /&gt;Legal protections with regard to these technologies must be enforced. Where organisations can be shown to have acted unlawfully action must be taken. The lack of action against BT Group in the UK with regard to covert trials of Deep Packet Inspection must never be repeated. Corporations that act unlawfully must be prosecuted. (...)&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-4735808405707254313?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/4735808405707254313/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=4735808405707254313' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4735808405707254313'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4735808405707254313'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/04/privacy-international-position-on.html' title='Privacy International Position on Behavioural Targeted Advertising'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-3690432779009101093</id><published>2009-04-07T16:07:00.002+02:00</published><updated>2009-04-07T16:19:08.565+02:00</updated><title type='text'>Essay Collection on Deep Packet Inspection</title><content type='html'>The Privacy Commissioner of Canada has just published a nice &lt;a href="http://dpi.priv.gc.ca/"&gt;collection of essays on deep packet inspection&lt;/a&gt; (&lt;a href="http://iap.priv.gc.ca/"&gt;French version&lt;/a&gt;). I am one of the authors; among the others are e.g. Roger Clarke, Richard Clayton, Susan Crawford, Danielle Citron, and Paul Ohm.&lt;br /&gt;&lt;br /&gt;The website &lt;a href="http://dpi.priv.gc.ca"&gt;dpi.priv.gc.ca&lt;/a&gt; they set up for this also presents an opportunity for readers to comment, excerpt and even vote on essays that "interest or frustrate" them. 
A print version of the essays in the form of a small book is expected to be ready by the end of April.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-3690432779009101093?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/3690432779009101093/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=3690432779009101093' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3690432779009101093'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3690432779009101093'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/04/essay-collection-on-deep-packet.html' title='Essay Collection on Deep Packet Inspection'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-3335834430431716800</id><published>2009-03-20T22:45:00.011+01:00</published><updated>2009-03-23T01:30:46.577+01:00</updated><title type='text'>Deep Packet Inspection: Reading List and Call for Papers</title><content type='html'>When I started my &lt;a href="http://bendrath.blogspot.com/2008/04/deep-packet-inspection-or-end-of-net-as.html"&gt;research project&lt;/a&gt; about the governance of Deep Packet Inspection (DPI) almost a year ago, there was basically no social-scientific or even political science literature about it. 
Some political reporting about it was done by specialized online sources like Ars Technica (hat tip to &lt;a href="http://arstechnica.com/authors/nate-anderson/"&gt;Nate Anderson&lt;/a&gt; for covering the issue so well and &lt;a href="http://arstechnica.com/hardware/news/2007/07/Deep-packet-inspection-meets-net-neutrality.ars"&gt;early&lt;/a&gt;), but all the academic literature on DPI was from some geeks publishing in computer engineering journals. Don't get me wrong, I love geeks, but sometimes they just get lost in the amazing technology options and forget about the political implications.&lt;br /&gt;&lt;br /&gt;Times seem to change, and part of the reason for this is a more general awareness of this new technology and its powers. So, for all of you who want to understand more of the DPI debate, and who would be curious to find out how bandwidth management, ad injection, government surveillance, and internet censorship belong together and still often get different rules and regulations, here is a little reading list, in chronological order:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Christopher Parsons&lt;/span&gt; has published a working paper as early as 2008 for the &lt;a href="http://www.surveillanceproject.org/projects/the-new-transparency"&gt;New Transparency Project&lt;/a&gt; overseen by surveillance studies guru David Lyon. The paper is called &lt;a href="http://www.surveillanceproject.org/files/WP_Deep_Packet_Inspection_Parsons_Jan_2008.pdf"&gt;"Deep Packet Inspection in Perspective: Tracing its lineage and surveillance potentials"&lt;/a&gt;. Parsons argues that DPI equipment "should be identified as surveillance technologies that can potentially be incredibly invasive". 
He argues that ISPs "implicitly ‘teach’ their customers norms about what are ‘inappropriate’ data transfer programs, and the appropriate levels of ISP manipulation of customer data traffic."&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Paul Ohm&lt;/span&gt; of the University of Colorado Law School was the first to make the link between the network neutrality debate and the unavoidable privacy invasions that come with any traffic discrimination approach: &lt;a href="http://ssrn.com/paper=1261344"&gt;"The Rise and Fall of Invasive ISP Surveillance"&lt;/a&gt;. A lengthy, but recommended legal paper that is a good read even for non-lawyers like me.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Ben Wagner&lt;/span&gt; presented a paper titled "&lt;a href="http://giganet.igloogroups.org/publiclibr/hyderabad/3rdgiganet%7E2/wagnerpdf%7E2" target="_blank"&gt;Modifying the Data Stream: Deep Packet Inspection and Internet Censorship&lt;/a&gt;" at the 3rd Annual Symposium of the Global Internet Governance Academic Network last December.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Joseph Noel&lt;/span&gt;, a stock market analyst, has recently published an &lt;a href="http://wallstreetreportonline.com/BandwidthReport/index.html"&gt;interesting analysis&lt;/a&gt; of the still emerging market for DPI gear. He is guessing that the FCC's decision last year is slowly making clearer where the rules for network management are going, and that this will break the "Traffic Management Deployment Logjam". His recommendations: Cisco Systems - Hold; Procera Networks – Strong Buy; SandVine Corp. - Buy; Allot Communications - Hold. I wonder about all the other DPI vendors, but I also wonder if he knows that the FCC's decision is still being challenged at the U.S. 
Court of Appeals (DC Circuit).&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;My own paper&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;I presented at the International Studies Association's 50th Annual Convention in February is now available in an updated version: &lt;a href="http://userpage.fu-berlin.de/%7Ebendrath/ISA09_Paper_Ralf%20Bendrath_DPI.pdf"&gt;"Global technology trends and national regulation: Explaining Variation in the Governance of Deep Packet Inspection"&lt;/a&gt;. I go through different use-cases and a few countries and try to explain the variation in DPI governance with the strategic actor setting shaped by each use case as well as with the institutional framework in which the governance debates took place. I also try to lay the groundwork for a "technology-aware policy analysis"-approach to internet governance studies (yes, feedback is welcome!).&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Chris Riley and Ben Scott&lt;/span&gt; of Free Press, not really an academic institution but a lobbying think tank, just published a nice paper about the impact of DPI on Net Neutrality and ISPs' revenue considerations: &lt;a href="http://www.freepress.net/files/Deep_Packet_Inspection_The_End_of_the_Internet_As_We_Know_It.pdf"&gt;"Deep Packet Inspection: The end of the internet as we know it?"&lt;/a&gt;. 
A good provocative piece that points out potential "winners and losers" in the traffic management arms race (but hell - why did they steal &lt;a href="http://bendrath.blogspot.com/2008/04/deep-packet-inspection-or-end-of-net-as.html"&gt;my title&lt;/a&gt;?).&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Nate Anderson&lt;/span&gt; again has already written a good summary of the Riley/Scott paper and put it into perspective: "&lt;a href="http://arstechnica.com/tech-policy/news/2009/03/does-deep-packet-inspection-mean.ars"&gt;This is the way the Internet ends: not with a bang, but DPI&lt;/a&gt;".&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Of course, there is a lot more literature around on Net Neutrality, Internet Privacy and other related issues. But the fact that so few researchers have yet even mentioned Deep Packet Inspection or even systematically addressed it is also a sign that many of them are not really aware of the underlying technology trends here.&lt;br /&gt;&lt;br /&gt;I would love to see more social-scientific, legal, and philosophical studies on DPI, e.g.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;from a &lt;a href="http://www.governmediality.net/"&gt;governmediality&lt;/a&gt; or "code is law" perspective, analyzing how the injection of DPI in our technology-mediated environment shapes the way we as Internet users can behave and which choices we have;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;from a discourse-analytical perspective, tracing the discursive frames and public perceptions around DPI;&lt;/li&gt;&lt;li&gt;from a governance perspective, explaining the variations in DPI governance and regulation from perspectives other than the "interaction-oriented policy analysis"-approach I used for my paper - hey, what about regulatory capture, agenda-setting, new modes of government, or plain old economic pressure?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;with empirical data from beyond the U.S. 
or the English-speaking Western world (Wagner tries this, but the sources from China are limited so far);&lt;/li&gt;&lt;li&gt;with quantitative data on DPI usage by different ISPs in different countries, linking it with the regulatory and market environment and showing statistically significant links;&lt;/li&gt;&lt;li&gt;from a human rights perspective, making clear the possible conflicts of DPI with freedom of speech, freedom of assembly and freedom from intrusion (a.k.a. privacy) online;&lt;/li&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;edited to add&lt;/span&gt;: from a legal perspective, analysing the regulations for DPI and related technologies in different countries;&lt;/li&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;edited to add&lt;/span&gt;: [fill in your favourite social sciences / humanities / legal and related perspective here].&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;So, here is &lt;span style="font-weight: bold;"&gt;my pledge&lt;/span&gt;: If I get enough feedback and ideas for possible papers in these or other interesting directions, I promise you that I will take on the task of organizing a workshop or a conference where we can all meet and discuss wildly. 
How does this sound?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-3335834430431716800?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/3335834430431716800/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=3335834430431716800' title='15 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3335834430431716800'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3335834430431716800'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/03/deep-packet-inspection-reading-list-and.html' title='Deep Packet Inspection: Reading List and Call for Papers'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>15</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-3705749557554638021</id><published>2009-02-23T08:10:00.003+01:00</published><updated>2009-02-23T08:36:49.425+01:00</updated><title type='text'>Trusted Traveller or Trusted Bar-Crawler?</title><content type='html'>The Wired national security blog &lt;a href="http://blog.wired.com/defense/"&gt;"Danger Room"&lt;/a&gt; was &lt;a href="http://blog.wired.com/defense/2009/02/danger-room-bir.html"&gt;celebrating its 2nd birthday&lt;/a&gt; on the weekend with a party at a bar in Washington DC. I was going there with a few friends and colleagues, and we had our share of fun. 
Unfortunately, one of my Canadian friends had trouble getting in: The bouncer would not accept his &lt;a href="http://www.cbsa-asfc.gc.ca/prog/nexus/about-sujet-eng.html"&gt;"trusted traveller" card&lt;/a&gt;, which is issued by the U.S. Government's Department of Homeland Security. It was only after we convinced him that a national security party is the worst place to prevent someone with a DHS-issued ID from entering that my friend finally could join us. My friend clearly looks older than 21, needless to say.&lt;br /&gt;&lt;br /&gt;Except for the fun we made of this afterwards, as a thought-experiment this was an interesting experience in identity and risk management. You could say that the bouncer's calculus seemed to be: Not everybody who is a certified non-terrorist is also reliable and nice company at a bar. This is a clear and sensible separation of roles. But on the other hand: Why should a random 21-year-old with a state-issued driving license be a more reliable beer drinker?&lt;br /&gt;&lt;br /&gt;Of course, the main problems were: The bouncer had not even heard of this trusted traveller program before, and he just checked the IDs of anybody who wanted to enter, no matter how clearly they looked over 21. This is what annoys me most, I guess: That people only follow dumb procedures without any idea of common sense. 
That certainly will not bring greater overall security, it will just &lt;a href="http://www.schneier.com/blog/archives/2007/02/cya_security_1.html"&gt;cover the bouncer's ass&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-3705749557554638021?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/3705749557554638021/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=3705749557554638021' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3705749557554638021'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3705749557554638021'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/02/trusted-traveller-or-trusted-bar.html' title='Trusted Traveller or Trusted Bar-Crawler?'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-5168898199590207320</id><published>2009-02-15T22:17:00.003+01:00</published><updated>2009-02-15T22:31:36.367+01:00</updated><title type='text'>Internet Governance Panel at ISA Convention tomorrow</title><content type='html'>I have organized a panel on &lt;span style="font-weight: bold;"&gt;"Control and Governance of the Internet: Beyond Realism vs. 
Internationalism"&lt;/span&gt; for the International Studies Association &lt;a href="http://www.isanet.org/newyork2009/"&gt;50th Annual Convention&lt;/a&gt; that has started today in New York City. Short description:&lt;br /&gt;&lt;blockquote&gt;The debate about “who controls the internet” has recently been narrowed down to one between Realists and Internationalists/Transnationalists. The former see nation-states or big powers as the main regulatory forces; the latter point to the impact of international regimes and transnational forums as well as to processes of policy diffusion. What is often ignored is the influence of non-obvious political variables, such as technology trends and market developments, as well as the complex relationships between international regimes and national idiosyncrasies. This panel aims at broadening the view on internet governance and putting the realists-internationalists debate into perspective by addressing these larger issues. The general focus is still on the “control” question: Who controls the internet, and how? What exactly is being controlled, and what is beyond the traditional grasp of politics?&lt;br /&gt;&lt;/blockquote&gt;The panelists and their papers are:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Brenden Kuerbis, Syracuse University: "Securing critical Internet resources: Influence and control of Internet standards through delegation and social networks"&lt;/li&gt;&lt;li&gt;John Mathiason, Syracuse University: "Thinking Globally at the IGF and Acting Locally: the national-global nexus"&lt;/li&gt;&lt;li&gt;Konstantinos Komaitis, University of Strathclyde: "Internet Governance: Why Plato is still relevant"&lt;/li&gt;&lt;li&gt;J. P. Singh, Georgetown University: "What is Being Controlled on the Internet? Security implications of multilateral approaches to negotiating Internet governance"&lt;/li&gt;&lt;li&gt;Ryan Kiggins, University of Florida: "Wired World: U.S. 
Identity, Security, and Governance of the Internet"&lt;/li&gt;&lt;li&gt;Ralf Bendrath, Delft University of Technology: "Global technology trends and national regulation: Explaining Variation in the Governance of Deep Packet Inspection"&lt;/li&gt;&lt;li&gt;Discussant: Milton L. Mueller, Syracuse University and TU Delft.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Most of the papers are or will be available &lt;a href="http://www.allacademic.com/one/isa/isa09/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Thanks to Derrick Cogburn and the Cotelco Lab at Syracuse University, we'll have &lt;span style="font-weight: bold;"&gt;remote participation&lt;/span&gt;&lt;span&gt; options&lt;/span&gt;. The panel is taking place on Monday, 16 February 2009, 16:15-18:00 EST. If you want to join us, you find the &lt;a href="http://cotelcocave.syr.edu/"&gt;link&lt;/a&gt; here about an hour before we start.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-5168898199590207320?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/5168898199590207320/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=5168898199590207320' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5168898199590207320'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5168898199590207320'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/02/internet-governance-panel-at-isa.html' title='Internet Governance Panel at ISA Convention tomorrow'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-9107605918961729384</id><published>2009-01-29T14:14:00.003+01:00</published><updated>2009-01-30T02:54:22.430+01:00</updated><title type='text'>Ireland: Copyright Filtering Case Settles out of Court</title><content type='html'>Over the last few years, the European music industry has tried to establish a secondary liability for ISPs whose customers share copyrighted material. The aim was to pressure ISPs into setting up filtering technology a.k.a. "censorware". What looked like a first quick success was the case in Belgium, where the music industry association (SABAM) demanded that ISP Scarlet (Tiscali) install a filtering technology that would detect and block copyrighted material. The &lt;a href="http://www.tjmcintyre.com/2007/07/can-isps-be-required-to-block-file.html"&gt;injunction from June 2007&lt;/a&gt; in fact established exactly that obligation. After this initial success, the music industry moved on to Ireland in 2008 and &lt;a href="http://www.scl.org/editorial.asp?i=1786"&gt;sued its largest ISP, Eircom&lt;/a&gt;. EMI, Sony, Warner and Universal sought an injunction from the Dublin High Court which would have required Eircom to establish the same filtering system.&lt;br /&gt;&lt;br /&gt;But in late 2008, the Belgian case turned out differently than expected. 
ISP Scarlet convincingly demonstrated to the court that the technology suggested by SABAM as well as in Ireland (&lt;a href="http://www.audiblemagic.com/"&gt;Audible Magic&lt;/a&gt;) &lt;a href="http://securityandthe.net/2008/10/10/belgian-isp-filtering-p2p-traffic-impossible/"&gt;did not work&lt;/a&gt; and that the music industry had even deceived the court by &lt;a href="http://66.102.9.104/translate_c?hl=en&amp;amp;sl=nl&amp;amp;tl=en&amp;amp;u=http://www.zdnet.be/news.cfm%3Fid%3D91741&amp;amp;usg=ALkJrhiTjyMplek-dy6fNwV5K4VmLcvDiQ"&gt;falsely claiming it had already been used elsewhere&lt;/a&gt;. Therefore, the trial court in Belgium &lt;a href="http://www.tjmcintyre.com/2008/10/sabam-v-scarlet-belgian-isp-released.html"&gt;lifted the injunction against Scarlet&lt;/a&gt;. An interesting problem for the music industry in Ireland, right?&lt;br /&gt;&lt;br /&gt;Now, just two weeks into the proceedings of the Irish case, the lawsuit has settled out of court, as the London Internet Exchange &lt;a href="https://publicaffairs.linx.net/news/?p=847"&gt;reports&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;The parties have agreed that the music industry will hire (or continue to hire) Dtecnet, an investigation company that identifies copyright infringers by participating in P2P file-sharing networks. Eircom will then operate a three-strikes policy, the details of which are yet to be agreed. &lt;p&gt;Given the damage that would be caused by a filtering imposition, and despite ISPs’ understandable reluctance to adopt three-strikes policies, this can be seen as a significant victory for the ISP industry. 
However it does leave us without the court judgement (and legal precedent) that we all looked forward to with such interest.&lt;/p&gt; &lt;p&gt;As an aside, the case settled at the conclusion of the Plaintiff’s (EMI’s) case, before the Defense (Eircom) introduced their own witnesses.&lt;/p&gt;&lt;/blockquote&gt;The reason for the settlement is obvious: They wanted to avoid a precedent.&lt;br /&gt;&lt;p&gt;&lt;/p&gt;In essence, this means: Automatic filtering does not work, suing customers does not work (this was the reason the music industry tried to use the ISPs in the first place), and the only hope the content industry has left is the "three-strikes" policy currently under heavy discussion in the EU Telecom Package. I guess the latter will also be dead by the summer, considering the significant &lt;a href="http://arstechnica.com/tech-policy/news/2008/11/eu-bashes-drm-wont-support-three-strikes-rules.ars"&gt;uproar&lt;/a&gt; and &lt;a href="http://www.laquadrature.net/wiki/Main_Page"&gt;opposition&lt;/a&gt; these proposals sparked last year, and having the upcoming elections to the European Parliament in mind.&lt;br /&gt;&lt;br /&gt;(&lt;a href="http://www.iptegrity.com/index.php?option=com_content&amp;amp;task=view&amp;amp;id=236&amp;amp;Itemid=9"&gt;via&lt;/a&gt; Monica Horten from &lt;a href="http://www.iptegrity.com/"&gt;Iptegrity&lt;/a&gt;, who provides the best coverage of the Telecom Package and related issues anyway)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update:&lt;/span&gt; TJ McIntyre from Dublin has &lt;a href="http://www.tjmcintyre.com/2009/01/three-strikes-for-ireland-eircom-music.html"&gt;more details and analysis&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-9107605918961729384?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://bendrath.blogspot.com/feeds/9107605918961729384/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=9107605918961729384' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/9107605918961729384'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/9107605918961729384'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/01/ireland-copyright-filtering-case.html' title='Ireland: Copyright Filtering Case Settles out of Court'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-4045863979004447699</id><published>2009-01-29T00:10:00.002+01:00</published><updated>2009-01-29T00:19:03.229+01:00</updated><title type='text'>Privacy in Germany 2008: A new fundamental right, a privacy mass movement, and the usual surveillance suspects</title><content type='html'>&lt;span style="font-style: italic;"&gt;This is an article I wrote together with Annika Kremer from the German Working Group on Data Retention for today's &lt;a href="http://www.edri.org/edrigram"&gt;EDRi-Gram&lt;/a&gt;. &lt;a href="http://www.edri.org/edri-gram/number7.2"&gt;This issue&lt;/a&gt; has a special focus on privacy developments all across Europe, because today is &lt;a href="http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/Default_DP_Day_en.asp"&gt;international data protection day&lt;/a&gt;. 
Some links on further details can be found in the &lt;a href="http://www.edri.org/edri-gram/number7.2/germany-2008-surveillance-fundamental-right"&gt;original version&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The year of 2008 can be marked as the year where privacy moved high on the public agenda in Germany. On 1st of January, the law on data retention went into effect, which made Germany drop from number one to seven in the country ranking published by Privacy International. On the same day, a constitutional challenge was submitted at the supreme court. The German working group on data retention and its allies managed to have more than 34,000 people participate in this case - the largest constitutional complaint ever seen in German history. The paperwork had to be brought to the constitutional court in huge moving boxes, which also offered a nice photo opportunity for everyone wanting to demonstrate how many people oppose data retention. &lt;p&gt; In February we saw the constitutional court decision on secret online searches of people's hard drives (the "federal trojan"). The court limited the use of this tool to cases where there are "factual indications of a concrete danger" in a specific case for the life, body and freedom of persons or for the foundations of the state or the existence of humans; in such cases, government agencies may use these measures after approval by a judge. The decision was widely considered a landmark ruling, because it also constituted a new "basic right to the confidentiality and integrity of information-technological systems" as part of the general personality rights in the German constitution. &lt;/p&gt; &lt;p&gt; In March, the Chaos Computer Club published the fingerprint of the federal minister for the interior, Wolfgang Schäuble. This sparked high public attention and made frontpage news, and proved that biometric authentication as introduced in the German passport and identity card is not safe at all. 
Inspired by the recent successes, the growing number of privacy activists held a decentralised action day in May. Different kinds of activities, like demonstrations, flash mobs, information booths, privacy parties, workshops, and cultural activities took place all over Germany. &lt;/p&gt; &lt;p&gt; Over the summer, some of the biggest German companies helped in raising public awareness of the risks of large data collections. Almost every week, there were reports on a big supermarket chain spying on its employees, on cd-roms with tens of thousands of customer data sets from call centers - including bank account numbers - being sold on the grey market, on the largest German telecommunications provider using retained traffic data for spying on its supervisory board and on high-ranking union members, on an airline using its booking system to spy on critical journalists, on two large universities accidentally making all student data available online, or on a big mobile phone provider "losing" 17 million customer data sets. &lt;/p&gt; &lt;p&gt; The Federal Government, under mounting public pressure, introduced some small changes for the federal data protection law, but at the same time continued its push for more surveillance measures in the hands of the federal criminal agency (Bundeskriminalamt, BKA). These included the secret online searches the constitutional court had just cut down to very exceptional circumstances a few months earlier. The German public discussed these moves very critically, especially since journalists are exempted from special protections that are given to priests, criminal defense lawyers, and doctors. &lt;/p&gt; &lt;p&gt; Because of the public concern and debate about privacy risks, the call to another mass street protest was even more successful than ever before. The "Freedom not Fear" action day on 11th October was the biggest privacy event of the year. 
In Berlin, between 50,000 and 70,000 persons protested peacefully against data retention and other forms of "surveillance mania", making it the biggest privacy demonstration in German history. Privacy activists in many cities all over the world participated with very diverse and creative kinds of activities and turned this day into the first international action day "Freedom not Fear". &lt;/p&gt; &lt;p&gt; The anti-surveillance protests finally kicked off some serious discussion within the Social Democratic Party in a number of the German Länder (states). This resulted in a loss of the majority for the law on the federal criminal agency (BKA) in the second chamber (Bundesrat) in the first vote. It was only passed weeks later, after some changes were introduced, and with heavy pressure from leading federal Social Democrats. The new law is still seen as unconstitutional by many legal and privacy experts and in January 2009 a case was submitted to the constitutional court. &lt;/p&gt; &lt;p&gt; Privacy activists in the fall of 2008 also campaigned against the retention of flight passenger name records, forcing Brigitte Zypries, the German minister of justice, to freeze her plans on the matter until after the federal elections in the fall of 2009. 
More recently, the working group on data retention attacked the "voluntary data retention" proposed in the EU telecom package, as well as the renewed data exchange agreements between the EU and the USA.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-4045863979004447699?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/4045863979004447699/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=4045863979004447699' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4045863979004447699'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4045863979004447699'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/01/privacy-in-germany-2008-new-fundamental.html' title='Privacy in Germany 2008: A new fundamental right, a privacy mass movement, and the usual surveillance suspects'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-9150513340812939338</id><published>2009-01-28T05:54:00.007+01:00</published><updated>2009-01-28T07:02:59.247+01:00</updated><title type='text'>EU Proposal puts Confidential Communications Data at Risk</title><content type='html'>Here is an international press release I was involved in creating. 
The negotiations at EU level are humming already, there is a trilogue about this on Thursday. We in Germany also greatly appreciate this help, because there is a &lt;a href="http://www.vorratsdatenspeicherung.de/content/view/289/55"&gt;similar draft bill underway&lt;/a&gt; on the fast-track in the German parliament right now.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Press release by La Quadrature du Net, European Digital Rights (EDRi), Working Group on Data Retention (AK Vorrat), and &lt;/span&gt;&lt;span style="font-style: italic;"&gt;Netzpolitik.org, &lt;/span&gt;&lt;span style="font-style: italic;"&gt;2009-01-28: &lt;/span&gt;&lt;p&gt;&lt;b&gt;EU proposal puts confidential communications data at risk&lt;/b&gt; &lt;/p&gt;&lt;p&gt;Civil liberties groups La Quadrature du Net, European Digital Rights (EDRi), AK Vorrat, and &lt;span&gt;Netzpolitik.org&lt;/span&gt; are urging the European Parliament to heed advice given by the European Data Protection Supervisor Peter Hustinx and scrap plans dubbed "voluntary data retention". &lt;/p&gt;&lt;p&gt;"A proposal currently discussed in the European Parliament as part of the 'telecom package' would allow providers to collect a potentially unlimited amount of sensitive, confidential communications data including our telephone and e-mail contacts, the geographic position of our mobile phones and the websites we visit on the Internet", warns Patrick Breyer of German privacy watchdog AK Vorrat. "Apart from the creation of vast data pools that could go far beyond what is being collected under the directive on data retention, the proposal would also permit the passing on of traffic data to other companies for 'security purposes'. We must not let a potentially unlimited amount of confidential data be exposed to risks of disclosure or abuse in this way." 
&lt;/p&gt;&lt;p&gt;"This proposal is lobbied for under the guise of 'security', but what it really means is that users and citizens would have no expectation of privacy on the Internet anymore," adds Ralf Bendrath from EDRi. "This is a clear breach of the European tradition of considering privacy a fundamental human right." &lt;/p&gt;&lt;p&gt;In a paper published earlier this month, European Data Protection Supervisor Peter Hustinx joined the critics, &lt;a href="http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2009/09-01-09_ePricacy_2_EN.pdf"&gt;warning&lt;/a&gt; the proposal would constitute a "risk of abuse" and "may be interpreted as enabling the collection and processing of traffic data for security purposes for an unspecified period of time." Hustinx reached "the conclusion that the best outcome would be for the proposed Article 6.6(a) to be deleted altogether" - a view firmly shared by La Quadrature du Net, EDRi, netzpolitik.org and AK Vorrat. &lt;/p&gt;&lt;p&gt;"A few months before the elections, citizens will have the opportunity to see if the Members of European Parliament are willing to protect their privacy", declares Jérémie Zimmermann, co-founder of the citizen's initiative La Quadrature du Net. "Every citizen should inform their MEPs and ask them to massively reject this article 6 (6a) of the ePrivacy directive. Other crucial issues about content and network neutrality are at stake &lt;a href="http://www.laquadrature.net/files/20081208_LaQuadrature_letter-rapporteurs-tp-second-reading_EN.pdf"&gt;as well&lt;/a&gt;. We must remind MEPs that they were elected to protect Europeans' fundamental rights and freedom rather than abolishing them in favour of particular interests." 
&lt;/p&gt;&lt;p&gt;In a &lt;a href="http://www.vorratsdatenspeicherung.de/content/view/271/79/lang,en/"&gt;letter&lt;/a&gt; of September last year, 11 German civil liberties, journalists, lawyers and consumer protection organisations "urgently" asked the Commission, the Council and Parliament to scrap the proposed article 6 (6a) and "maintain the successful regulation of traffic data" which they say has "proven to constitute the best guarantee for our safety in information society." &lt;/p&gt;&lt;p&gt;&lt;a href="http://www.vorratsdatenspeicherung.de/images/wg_esecurity_position.pdf"&gt;Background paper&lt;/a&gt; by Working Group on Data Retention &lt;/p&gt;&lt;p&gt;&lt;b&gt;About us:&lt;/b&gt; &lt;/p&gt;&lt;p&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;La Quadrature du Net&lt;/span&gt; (Squaring the Net) is a France-based citizen group informing about legislative projects menacing civil liberties as well as economic and social development in the digital age. It became well known in the summer of 2008 for putting the spotlight on draft provisions in the EU telecom package that would allow a private, unaccountable regime for cutting citizens off the internet for alleged copyright infringements. Home page: &lt;a href="http://www.laquadrature.net/" class="external free" title="http://www.laquadrature.net" rel="nofollow"&gt;http://www.laquadrature.net&lt;/a&gt; &lt;/p&gt;&lt;p&gt;&lt;span style="font-style: italic; font-weight: bold;"&gt;EDRi&lt;/span&gt; is an association of 29 privacy and civil rights organisations from 18 different countries in Europe, who have joined forces to defend civil rights in the information society. Among other activities, EDRi is well known for its bi-weekly EDRi-Gram newsletter with world-wide readership. 
Home page: &lt;a href="http://www.edri.org/" class="external free" title="http://www.edri.org" rel="nofollow"&gt;http://www.edri.org&lt;/a&gt; &lt;/p&gt;&lt;span style="font-style: italic; font-weight: bold;"&gt;The Working Group on Data Retention&lt;/span&gt; (AK Vorrat) is a German association of civil rights and privacy activists and Internet users. Among other activities, it organized the biggest privacy protest in German history in October 2008 with more than 50,000 participants. Home page: &lt;a href="http://www.vorratsdatenspeicherung.de/" class="external free" title="http://www.vorratsdatenspeicherung.de" rel="nofollow"&gt;http://www.vorratsdatenspeicherung.de&lt;/a&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Netzpolitik.org&lt;/span&gt; is the most-linked political blog in German and a political platform for digital rights. It has received several national and international awards. Home page: &lt;a href="http://www.netzpolitik.org/" class="external free" title="http://www.netzpolitik.org" rel="nofollow"&gt;http://www.netzpolitik.org&lt;/a&gt; &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-9150513340812939338?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/9150513340812939338/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=9150513340812939338' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/9150513340812939338'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/9150513340812939338'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/01/eu-proposal-puts-confidential.html' 
title='EU Proposal puts Confidential Communications Data at Risk'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-8381035763325595078</id><published>2009-01-28T05:20:00.004+01:00</published><updated>2009-01-28T14:42:25.422+01:00</updated><title type='text'>What "the web" knows about him, online reporter finds out</title><content type='html'>Robert L. Mitchell from Computerworld did a &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;taxonomyName=Security&amp;amp;articleId=9125058&amp;amp;taxonomyId=17&amp;amp;pageNumber=1"&gt;fascinating research tour&lt;/a&gt; on what he could find about himself in all these databases. He started with ones that are available publicly or for a small fee. He then spent some money on data brokers and paid sources. 
Here is what he got:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-weight: bold;"&gt;Source: Government records&lt;/span&gt;&lt;br /&gt;Information discovered: Full legal name, address, Social Security number, spouse's name and Social Security number, price paid for home, mortgage documents, signature&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Source: Free people searches&lt;/span&gt;&lt;br /&gt;Information discovered: Employer name, job title, age, month and date of birth, phone numbers, wife's name and age, historical addresses and phone numbers, personal e-mail address, identifying photographs, employment history&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Source: Search engines&lt;/span&gt;&lt;br /&gt;Information discovered: Age, phone numbers, Computerworld affiliation, Computerworld stories, blog posts, identifying photos, social network and nonprofit affiliations, editorial award&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Source: Image search&lt;/span&gt;&lt;br /&gt;Information discovered: Computerworld publicity photos, Flickr photos&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Source: Social network search engines&lt;/span&gt;&lt;br /&gt;Information discovered: Computerworld stories, blog posts, social network friends and co-workers&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Source: Paid searches&lt;/span&gt;&lt;br /&gt;Information discovered: Address history to 1985; real estate purchase dates, assessed values and mortgagors; 2004 property tax bill; nonprofit affiliations; Flickr account details; published stories; parents' names, address, phone number and first five digits of Social Security numbers; current and past neighbors' names, addresses, phone numbers, dates of birth and first six digits of Social Security numbers&lt;br /&gt;&lt;/blockquote&gt;Mitchell has a very good point when he concludes that 
authentication with several factors does not really help if it is only based on "what you know", and he even did some social engineering based on his own data he found, e.g. with his bank. The other interesting thing he discovered, not to my surprise: Much of the data was wrong, outdated, or wrongly combined with other persons with the same name.&lt;br /&gt;&lt;br /&gt;But with all the information on how local governments fail to protect court records or housing documents they put online, how Acxiom and other data brokers have much more than they would tell you, or how much "the internet" knows about you, it's a bit sad that Mitchell only gives his readers &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9125098"&gt;"12 tips for managing your information footprint"&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This is a political problem, and it has to be dealt with politically, not individually.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-8381035763325595078?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/8381035763325595078/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=8381035763325595078' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8381035763325595078'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8381035763325595078'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2009/01/what-web-knows-about-him-online.html' title='What &quot;the web&quot; knows about him, online reporter finds out'/><author><name>Ralf 
Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-3430037429861741365</id><published>2009-01-13T17:57:00.004+01:00</published><updated>2009-01-13T18:19:20.870+01:00</updated><title type='text'>Privacy Conferences, first half 2009</title><content type='html'>Some interesting privacy-related conferences in the coming months:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;16-17 January 2009, Brussels, Belgium: &lt;a href="http://www.cpdpconferences.org/"&gt;Computers, Privacy &amp;amp; Data Protection conference CPDP 2009: "Data Protection in A Profiled World?"&lt;/a&gt;.&lt;br /&gt;I'll be there and speaking at a panel on recent German developments.&lt;/li&gt;&lt;li&gt;3-4 February 2009, Victoria, British Columbia, Canada: &lt;a href="http://www.rebootconference.com/privacy2009/"&gt;10th Annual Privacy and Security Conference "Life in a Digital Fishbowl: A Struggle for Survival or a Sea of Opportunity?"&lt;/a&gt;&lt;br /&gt;Always an interesting mix of practitioners, academics and activists.&lt;/li&gt;&lt;li&gt;1-3 April 2009, Berlin, Germany&lt;span style="font-family: monospace;"&gt;: &lt;/span&gt;&lt;a href="http://www.re-publica.de/09/"&gt;re:publica 2009 "Shift happens"&lt;/a&gt;&lt;br /&gt;This popular blogger-run web2.0 festival is getting bigger and more international. 
This year, we have a full privacy-subconference, the 2nd &lt;a href="http://www.privacyos.eu/"&gt;European Privacy Open Space&lt;/a&gt;&lt;/li&gt;&lt;li&gt;24-28 May 2009, Venice, Italy: &lt;a href="http://www.iaria.org/conferences2009/ICIMP09.html"&gt;ICIMP 2009, The Fourth International Conference on Internet Monitoring and Protection&lt;/a&gt;&lt;br /&gt;An interesting academic conference around deep packet inspection and other monitoring and intrusion-detection developments.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;1-4 June 2009, Washington DC, USA: &lt;a href="http://www.cfp2009.org/"&gt;"Computers, Freedom, and Privacy" 2009&lt;/a&gt;.&lt;br /&gt;This year with a focus on the new US administration. The deadline for submissions has been extended to 23 January.&lt;/li&gt;&lt;li&gt;5 June 2009, London, UK&lt;span style="font-family: monospace;"&gt;&lt;/span&gt;: &lt;a href="http://is2.lse.ac.uk/idis/2009/"&gt;The Second Multidisciplinary Workshop on Identity in the Information Society (IDIS 09): "Identity and the Impact of Technology"&lt;/a&gt;&lt;br /&gt;The deadline for the &lt;a href="http://is2.lse.ac.uk/idis/2009/cfp.html"&gt;call for papers&lt;/a&gt; is 13 March 2009&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-3430037429861741365?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/3430037429861741365/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=3430037429861741365' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3430037429861741365'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3430037429861741365'/><link rel='alternate' type='text/html' 
href='http://bendrath.blogspot.com/2009/01/privacy-conferences-first-half-2009.html' title='Privacy Conferences, first half 2009'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-1853851078619159894</id><published>2008-11-24T19:55:00.004+01:00</published><updated>2008-11-24T20:09:27.831+01:00</updated><title type='text'>The Digital Identity Superhero</title><content type='html'>Patrick Harding somehow managed to convince some talented friends that the digital identity community needs a superhero. Now, the &lt;a href="http://blog.pingidentity.com/blog/default/2008/11/17/Golden-Guardian-1"&gt;first episode&lt;/a&gt; of the "Golden Guardian" is ready for prime-time.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_memBhDtxhTw/SSr6cwfKJPI/AAAAAAAAADk/sAoLKPvNaVU/s1600-h/GG_6_500.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_memBhDtxhTw/SSr6cwfKJPI/AAAAAAAAADk/sAoLKPvNaVU/s400/GG_6_500.jpg" alt="" id="BLOGGER_PHOTO_ID_5272301685749458162" border="0" /&gt;&lt;/a&gt;I only wonder what will be the next and more interesting dangers the Golden Guardian will protect us from. The "Russian Internet Mafia" is understandable for the first chapter, but too much of a cliché and too easy to be an interesting enemy. What about Google, the OpenID Foundation, the Department of Homeland Security or maybe the "Electronic Health Records Mafia"? 
A superhero like this could be a great way of explaining the dangers of linkable profiles and bidirectional identity tokens,  and also illustrate the magic of zero-knowledge proofs, identity rights agreements, and more.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-1853851078619159894?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/1853851078619159894/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=1853851078619159894' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1853851078619159894'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1853851078619159894'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/11/digital-identity-superhero.html' title='The Digital Identity Superhero'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_memBhDtxhTw/SSr6cwfKJPI/AAAAAAAAADk/sAoLKPvNaVU/s72-c/GG_6_500.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-391152467903974722</id><published>2008-10-13T19:18:00.003+02:00</published><updated>2008-10-13T19:26:48.299+02:00</updated><title type='text'>This was the Founding Moment of a Social Movement on Privacy</title><content type='html'>The international privacy action day on Saturday 
was a total blast. I was speaking at the demonstration in Berlin, and you just can not imagine how it feels when 100 000 people are shouting "we are here, we are loud, because they steal our data!".&lt;br /&gt;&lt;br /&gt;I don't have time for an exhaustive report right now, so I just quote the &lt;a href="http://www.vorratsdatenspeicherung.de/content/view/267/1/lang,en/"&gt;press release&lt;/a&gt; of the "Freedom not Fear" network from Sunday:&lt;br /&gt;&lt;br /&gt;Yesterday, the first worldwide protests against surveillance measures such as the collection of all telecommunications data, the surveillance of air travellers and the biometric registration of citizens were held under the motto "Freedom not Fear - Stop the surveillance mania!". In at least 15 countries citizens demanded a cutback on surveillance, a moratorium on new surveillance powers and an independent evaluation of existing surveillance powers. "A free and open society cannot exist without unconditionally private spaces and communications", explains an international memorandum.&lt;br /&gt;&lt;p&gt;In Berlin the greatest protest march against surveillance in Germany's history took place: Participants in the 2 km long, peaceful protest march carried signs reading "You are Germany, you are a suspect", "No Stasi 2.0 - Constitution applicable here", "Fear of Freedom?" and "Glass citizens, brittle democracy".&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Apart from related music tracks, loud chants of "Belittle it today, be under surveillance tomorrow" or "We are here and we are loud because they are stealing our data" could be heard. During the protests, which were supported by more than 100 civil liberties groups, professional associations, unions, political parties and other organisations, artists played parodies on surveillance society. 
&lt;/p&gt;&lt;p&gt;&lt;a href="http://merc.eu.org/Freiheit_statt_Angst/Fotos.html" title="enlarge / source" mce_href="http://merc.eu.org/Freiheit_statt_Angst/Fotos.html"&gt;&lt;img src="http://www.vorratsdatenspeicherung.de/images/fsa2008_0112.jpg" mce_src="/images/fsa2008_0112.jpg" alt=" " align="right" border="0" height="198" hspace="10" width="300" /&gt;&lt;/a&gt; In their final speeches in front of the Brandenburg Gate, the organisers called for political consequences: padeluun of civil liberties group FoeBuD said that in view of the mass protests politicians needed to react now and repeal the blanket retention of all telecommunications data introduced in 2006. Patrick Breyer of Arbeitskreis Vorratsdatenspeicherung presented a five point plan according to which surveillance should be reduced, existing laws should be evaluated and plans for new surveillance measures should be halted. In the course of a "new, freedom-loving security policy" specific preventive measures such as youth projects should be invested in and the "real problems" of people such as poverty and education should be focused on. 
Ricardo Cristof Remmert-Fontes of Arbeitskreis Vorratsdatenspeicherung announced further action and invited participants to join parties held in seven participating clubs in Berlin under the motto "The long night of surveillance".&lt;/p&gt;&lt;p&gt;&lt;a href="http://merc.eu.org/Freiheit_statt_Angst/Fotos.html" title="enlarge / source" mce_href="http://merc.eu.org/Freiheit_statt_Angst/Fotos.html"&gt;&lt;img src="http://www.vorratsdatenspeicherung.de/images/fsa2008_0095.jpg" mce_src="images/fsa2008_0095.jpg" alt=" " align="right" border="0" height="238" hspace="10" width="300" /&gt;&lt;/a&gt;In other countries, the following events took place in the course of yesterday's "Freedom not Fear day": Protest event with music and several art performances in Den Haag, lectures in Rome, surveillance camera mapping in Madrid, art performances in front of Parliament in Vienna, protest rallies in Paris, Prague, Sofia and Stockholm, the distribution of privacy software in Kopenhagen, informative events in Guatemala City and Buenos Aires as well as a light projection onto Toronto's Town Hall. In London, the construction of a surveillance state was protested by creating a massive collage of photos on Parliament Square showing the prime minister and the action day's motto "Freedom not Fear".&lt;/p&gt;&lt;p&gt;Before the action day, Arbeitskreis Vorratsdatenspeicherung had warned of a "surveillance avalanche in Germany": According to the group, the German parliament has tightened surveillance and control over citizens at least 21 times in the past 10 years. At least 18 more surveillance proposals are presently on the political agenda, for example the blanket collection of air traveller's data and the transfer of personal data to the US. &lt;/p&gt;More reports, videos etc. 
are &lt;a href="http://wiki.vorratsdatenspeicherung.de/Press_center"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-391152467903974722?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/391152467903974722/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=391152467903974722' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/391152467903974722'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/391152467903974722'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/10/this-was-founding-moment-of-social.html' title='This was the Founding Moment of a Social Movement on Privacy'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-3570984723240113128</id><published>2008-09-18T12:58:00.004+02:00</published><updated>2008-09-18T13:26:56.940+02:00</updated><title type='text'>Expect the Sarah Palin E-Mail Privacy Act of 2009</title><content type='html'>As you probably all have &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/09/17/AR2008091703304.html"&gt;read&lt;/a&gt;, U.S. 
vice-presidential candidate Sarah Palin's private email account has been broken into and some of the contents posted at WikiLeaks (the server seems to be over capacity at the moment, so I'll spare you the link). I won't get into the content of this personal communication, because I agree with &lt;a href="http://lauren.vortex.com/archive/000429.html"&gt;Lauren Weinstein&lt;/a&gt; that&lt;br /&gt;&lt;blockquote&gt;"we shouldn't be doing to others that which we wouldn't want done to ourselves. Palin's truly personal e-mail and photos have no bearing on the political situation, yet they've been posted along with everything else. There's simply no justifying this from an ethical standpoint."&lt;br /&gt;&lt;/blockquote&gt;Of course, for persons running for an important public office, we have different expectations of privacy than for the average John Doe, but what is going too far is just going too far.&lt;br /&gt;&lt;br /&gt;But apart from these ethical considerations, there will be practical consequences of this event. Here, the opinions are very diverse even among the liberal crowd. Lauren Weinstein &lt;a href="http://lauren.vortex.com/archive/000429.html"&gt;fears&lt;/a&gt; that "this chain of events plays into the hands of the Palin/McCain campaign". I tend to agree more with Paul Ohm that this event may trigger the preparations of a federal email privacy act in the United States. Ohm &lt;a href="http://www.concurringopinions.com/archives/2008/09/predicting_the_1.html"&gt;argues&lt;/a&gt; rightfully:&lt;br /&gt;&lt;blockquote&gt;Congress often enacts privacy protecting legislation only in the wake of salient, sensationalized, harmful privacy breaches. 
Thus, Judge Bork's video rental records begat the Video Privacy Protection Act and the murder of actress Rebecca Schaeffer by a stalker with DMV records led, eventually, to the Drivers' Privacy Protection Act.&lt;br /&gt;&lt;/blockquote&gt;Similar things also happened last year in Canada, when the mobile phone records of the Canadian Privacy Commissioner Jennifer Stoddart were &lt;a href="http://www.cbc.ca/story/arts/national/2005/11/14/Arts/macleans_051114.html"&gt;obtained&lt;/a&gt; by a reporter through data brokers in the U.S.&lt;br /&gt;&lt;br /&gt;Paul Ohm goes on with a prediction I would certainly bet something on:&lt;br /&gt;&lt;blockquote&gt;If I am right about this, expect the E-mail Privacy Act of 2009, and expect it to be a blockbuster. If you're an activist, government lawyer, e-mail provider, or scholar with an interest in information privacy, I advise you to start putting together your statutory wish lists.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-3570984723240113128?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/3570984723240113128/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=3570984723240113128' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3570984723240113128'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3570984723240113128'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/09/expect-sarah-palin-e-mail-privacy-act.html' title='Expect the Sarah Palin E-Mail Privacy Act of 2009'/><author><name>Ralf 
Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-3353240906359051589</id><published>2008-09-15T21:06:00.003+02:00</published><updated>2008-09-15T21:14:42.649+02:00</updated><title type='text'>Conference "Privacy in Social Network Sites"</title><content type='html'>Another interesting conference here at TU Delft which I am looking forward to: &lt;a href="http://www.privacyinsocialnetworksites.nl"&gt;"Privacy in Social Network Sites"&lt;/a&gt; on 23 and 24 October 2008. &lt;a href="http://www.ethicsandtechnology.eu/index.php/forms/registration_privacy_in_social_network_site"&gt;Registration&lt;/a&gt; and participation are free, and &lt;a href="http://en.wikipedia.org/wiki/Delft"&gt;Delft&lt;/a&gt; (right between The Hague and Rotterdam) is always worth a visit. The conference is organized by &lt;a href="http://www.davidriphagen.nl/"&gt;David Riphagen&lt;/a&gt;, who is affiliated with the &lt;a href="http://www.epic.org"&gt;Electronic Privacy Information Center&lt;/a&gt; (EPIC) and currently is finishing his M.A. thesis at &lt;a href="http://www.tbm.tudelft.nl/"&gt;our department&lt;/a&gt; on the same topic. 
His &lt;a href="http://privacyinsocialnetworksites.wordpress.com/"&gt;blog&lt;/a&gt; on the same theme is also worth a look.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-3353240906359051589?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/3353240906359051589/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=3353240906359051589' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3353240906359051589'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3353240906359051589'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/09/conference-privacy-in-social-network.html' title='Conference &quot;Privacy in Social Network Sites&quot;'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-8979297401679764927</id><published>2008-08-27T23:58:00.006+02:00</published><updated>2008-08-28T15:11:52.971+02:00</updated><title type='text'>Laws of Identity Iterations - or: The Nexus Between Morality, Subjectivity, and Empirical Knowledge</title><content type='html'>Kim Cameron has recently tried to shorten his "Laws of Identity". This started an interesting semantic process, which I will address at the end. 
But first, let's have a look at the iterations.&lt;br /&gt;&lt;br /&gt;Here are Kim's &lt;a href="http://www.identityblog.com/?p=353"&gt;original laws&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;&lt;ol&gt;&lt;li&gt;User Control and Consent: Digital identity systems must only reveal information identifying a user with the user’s consent.&lt;/li&gt;&lt;li&gt;Limited Disclosure for Limited Use: The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution.&lt;/li&gt;&lt;li&gt;The Law of Fewest Parties: Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.&lt;/li&gt;&lt;li&gt;Directed Identity: A universal identity metasystem must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.&lt;/li&gt;&lt;li&gt;Pluralism of Operators and Technologies: A universal identity metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers.&lt;/li&gt;&lt;li&gt;Human Integration: A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications.&lt;/li&gt;&lt;li&gt;Consistent Experience Across Contexts: A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies.&lt;/li&gt;&lt;/ol&gt;&lt;/blockquote&gt;Here are the &lt;a href="http://www.identityblog.com/?p=1007"&gt;new and shortened ones&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;&lt;ol&gt;&lt;li&gt;People using computers should be in control of giving out information about themselves, just as they are in the physical world.&lt;/li&gt;&lt;li&gt;The minimum information needed for the 
purpose at hand should be released, and only to those who need it. Details should be retained no longer than necessary.&lt;/li&gt;&lt;li&gt;It should NOT be possible to automatically link up everything we do in all aspects of how we use the Internet. A single identifier that stitches everything up would have many unintended consequences.&lt;/li&gt;&lt;li&gt;We need choice in terms of who provides our identity information in different contexts.&lt;/li&gt;&lt;li&gt;The system must be built so we can understand how it works, make rational decisions and protect ourselves.&lt;/li&gt;&lt;li&gt;Devices through which we employ identity should offer people the same kinds of identity controls - just as car makers offer similar controls so we can all drive safely.&lt;/li&gt;&lt;/ol&gt;&lt;/blockquote&gt;Pamela Dingle still thinks this would not "resonate with people like my Mom". So she came up with &lt;a href="http://eternaloptimist.wordpress.com/2008/08/27/laws-of-identity-pamela-style/"&gt;the laws in even more colloquial terms&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;&lt;ol&gt;&lt;li&gt;Don't do anything with my data unless I say so.&lt;/li&gt;&lt;li&gt;Don't ask for or keep my data unless you have to.&lt;/li&gt;&lt;li&gt;Don't let anyone see my data unless there is a good reason.&lt;/li&gt;&lt;li&gt;I get to choose whether my data in one place is connected to my data everywhere else.&lt;/li&gt;&lt;li&gt;I get to choose who speaks for me and I reserve the right to change my mind.&lt;/li&gt;&lt;li&gt;If the easiest way to use the tool isn't the safest way to use the tool, the tool isn't built right.&lt;/li&gt;&lt;li&gt;Agree on one way to do things so that I can be successful everywhere regardless of the tool I use.&lt;/li&gt;&lt;/ol&gt;&lt;/blockquote&gt;But Pamela has more.&lt;br /&gt;&lt;blockquote&gt;"If I could use any terms I wanted and assume that everyone understood them, I could get even shorter":&lt;ol&gt;&lt;li&gt;Don’t share my information behind my 
back.&lt;/li&gt;&lt;li&gt;Don’t take more information than you need.&lt;/li&gt;&lt;li&gt;Don’t expose my information unnecessarily.&lt;/li&gt;&lt;li&gt;Don’t link me or allow others to link me unless I want to be linked.&lt;/li&gt;&lt;li&gt;Don’t lock me into silos.&lt;/li&gt;&lt;li&gt;Don’t tell me to &lt;a href="http://en.wikipedia.org/wiki/RTFM"&gt;RTFM&lt;/a&gt; in order to be secure.&lt;/li&gt;&lt;li&gt;Don’t let the product interfere with the ceremony.&lt;/li&gt;&lt;/ol&gt;&lt;/blockquote&gt;The interesting thing I noticed is how the meaning of the laws changes along the way.&lt;br /&gt;&lt;br /&gt;Kim's original laws retain remnants of &lt;span style="font-style: italic;"&gt;empirical&lt;/span&gt; laws. This important aspect is much clearer in the &lt;a href="http://www.identityblog.com/?p=352"&gt;very long version&lt;/a&gt;, but you can still see that the laws are meant as something that is based on observation, like the laws of physics: If you don't keep them in mind, stuff just won't work.&lt;br /&gt;&lt;br /&gt;Kim's short version has replaced a lot of the "must" wording with "should", which makes it sound much more like a &lt;span style="font-style: italic;"&gt;moral&lt;/span&gt; statement.&lt;br /&gt;&lt;br /&gt;Pamela's "for my mum" version goes further down this road. 
It takes a radically &lt;span style="font-style: italic;"&gt;subjective&lt;/span&gt; perspective and tells the world what she wants to happen to her data, and how the systems she deals with should be built.&lt;br /&gt;&lt;br /&gt;Her "favourite" version again changes the attitude and only works with "don't", which is clearly directed at the technology community from a &lt;span style="font-style: italic;"&gt;user&lt;/span&gt; perspective, implying annoyance with many current systems.&lt;br /&gt;&lt;br /&gt;So in the end, we have come full circle back to the start, but know a bit more about the whole thing:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;If the users don't want it, it just doesn't work. And there is even some morality behind it. &lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-8979297401679764927?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/8979297401679764927/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=8979297401679764927' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8979297401679764927'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8979297401679764927'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/08/laws-of-identity-iterations-or-nexus.html' title='Laws of Identity Iterations - or: The Nexus Between Morality, Subjectivity, and Empirical Knowledge'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-493206679169216793</id><published>2008-07-12T20:31:00.007+02:00</published><updated>2008-07-12T21:08:18.451+02:00</updated><title type='text'>Videos from IdentityCamp Bremen: Caspar Bowden and Gerrit Hornung</title><content type='html'>Caspar Bowden, Microsoft's Chief Privacy Advisor for Europe, the Middle East and Africa, gave a presentation at the &lt;a href="http://barcamp.org/IdentityCampBremen"&gt;Identity Camp&lt;/a&gt; in Bremen. He talked about U-Prove, a zero-knowledge technology Microsoft recently &lt;a href="http://bendrath.blogspot.com/2008/03/microsoft-buys-privacy-friendly.html"&gt;bought&lt;/a&gt; from Dutch-Canadian cryptographer Stefan Brands who now works with Kim Cameron in the identity and access group. Caspar explained how U-Prove will be streamlined with Microsoft’s identity strategy and Cardspace.&lt;br /&gt;&lt;br /&gt;Another interesting presentation was given by legal expert Gerrit Hornung from Kassel University's Project Group on Constitutional Technology Design. He explained the recent German Constitutional Court's ruling on secret online searches, which established the new basic right to the &lt;a href="http://bendrath.blogspot.com/2008/02/germany-new-basic-right-to-privacy-of.html"&gt;"integrity and confidentiality of information-technological systems"&lt;/a&gt;. Gerrit also discussed how this may apply to other circumstances beyond searching hard-drives.&lt;br /&gt;&lt;br /&gt;Lars Klatte was kind enough to record some sessions and even do some video post-production. 
&lt;a href="http://www.analythis.net/?page_id=128"&gt;Watch the videos&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.analythis.net/Podcasts/bowden.m4v"&gt;Direct download (m4v)&lt;/a&gt; of Caspar's lecture.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-493206679169216793?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/493206679169216793/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=493206679169216793' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/493206679169216793'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/493206679169216793'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/07/videos-from-identitycamp-bremen-caspar.html' title='Videos from IdentityCamp Bremen: Caspar Bowden and Gerrit Hornung'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-2580890190376493232</id><published>2008-06-12T01:25:00.004+02:00</published><updated>2008-06-12T11:05:10.341+02:00</updated><title type='text'>Social Networking with Enemies</title><content type='html'>Have you ever wondered why you can only make "friends" in social networks? At best, you are able to neutrally "connect". 
Everything about people you don't like is politely ignored - they normally don't even get a message when you turn down their friendship request.&lt;br /&gt;&lt;br /&gt;This thinking that the world only consists of nice people being friendly to each other is of course very childish. From the early philosophers through the founders of modern sociology to Carl von Clausewitz's writings on war, we have learned that society is also structured by conflicts and less nice attitudes towards each other. So, if we really want to build a &lt;a href="http://bradfitz.com/social-graph-problem/"&gt;social graph&lt;/a&gt; that represents all relationships among all people*, we have to model enemies and antagonistic relations as well.&lt;br /&gt;&lt;br /&gt;So, I was glad to read that humankind has made big progress. Based on &lt;a href="http://gmpg.org/xfn/"&gt;XFN&lt;/a&gt; (XML Friends Network), we now have a list of specifications for &lt;a href="http://xen.adactio.com/"&gt;XEN&lt;/a&gt; (XML Enemies Network):&lt;br /&gt;&lt;blockquote&gt;XEN is an extension of XFN. Negative relationship terms have been omitted from XFN by design. (...) XEN values can be used in conjunction with microformats such as hCard, rel-nofollow and vote-links, specifically &lt;code&gt;rev="vote-against"&lt;/code&gt;. (...)&lt;p&gt;The interesting byproduct of asserting these relationships correlates to the ancient proverb, "Any enemy of my enemy is my friend". By merging the XEN lists, it should be possible to generate XFN relationships on the fly based on shared enemies.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;/blockquote&gt;This feature actually might be nice for political activism. You are looking for people who might want to protest with you against the much hated surveillance-enhancing interior affairs minister? 
No problem, just look for his enemies.&lt;br /&gt;&lt;p&gt;&lt;/p&gt;A few examples:&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-weight: bold;"&gt;evil-twin:&lt;/span&gt; An evil twin is the concept in fiction of someone equal to a character in all respects, except for a radically inverted morality. Symmetric. If the evil twin is literally a twin brother or sister, it should be combined with the XFN value of sibling.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;rival:&lt;/span&gt; Someone in the same field of study/activity with whom you are vying for recognition and/or advancement. Often symmetric.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;nuisance:&lt;/span&gt; Someone who annoys you but not to the point of antagonism.&lt;/blockquote&gt;Of course, you sensed it:&lt;br /&gt;&lt;blockquote&gt;XEN is &lt;em&gt;not&lt;/em&gt; a microformat. It &lt;em&gt;is&lt;/em&gt; a joke.&lt;/blockquote&gt;But like any good joke, XEN tells us a lot about the difficulties of modeling social relations. It even reflects the fact that there can be several different versions of yourself being represented online - think of the drunk you in the proverbial Facebook picture:&lt;br /&gt;&lt;blockquote&gt;The evil twin value can be applied to a version of yourself from an alternate universe or timeline.&lt;br /&gt;&lt;/blockquote&gt;You can now - thanks to XEN - tell everybody, and especially your boss, that you hated what you did and even regret the fact that you were at &lt;span style="font-style: italic;"&gt;that&lt;/span&gt; party in the first place. And you can do it with microformats! 
Now, that is identity management at its current peak.&lt;br /&gt;&lt;br /&gt;*The social graph is an idea I don't particularly like, but that is a different story.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-2580890190376493232?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/2580890190376493232/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=2580890190376493232' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/2580890190376493232'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/2580890190376493232'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/06/social-networking-with-enemies.html' title='Social Networking with Enemies'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-7417059574155695074</id><published>2008-06-10T18:19:00.009+02:00</published><updated>2008-06-11T21:15:35.275+02:00</updated><title type='text'>IdentityCamp: Lessons Learned in Bremen</title><content type='html'>The &lt;a href="http://barcamp.org/IdentityCampBremen"&gt;IdentityCamp&lt;/a&gt; in Bremen on the weekend was a blast: Focused discussions, energized participants, great weather, a relaxed atmosphere, and interesting interdisciplinary exchange. 
It seems to have been the first time that the Identity 2.0 crowd really discussed in an open and in-depth way with the privacy people, which was exactly what we hoped would happen. It’s impossible to summarize all the sessions, but here are some interesting observations that I took away from it:&lt;br /&gt;&lt;br /&gt;"The buzzword of the day seemed to be &lt;span style="font-weight: bold;"&gt;OpenID&lt;/span&gt;." (&lt;a href="http://identities.ning.com/profiles/blog/show?id=2066893:BlogPost:925"&gt;Sid Arora&lt;/a&gt;). But at the same time, the OpenID community left me with the impression that they are a bit desperate. A number of big players have become OpenID providers, but nobody except for a few blogs and some platforms is consuming OpenIDs issued by other parties. So the session on "Killer Applications for OpenID" left me with the feeling that OpenID is still very much a solution looking for a problem. A way out may be using OpenID not only for authentication, but also for attribute exchange. There are some active attempts in this direction. Dennis Blöte is currently developing a system which uses OpenID for the different online services at Bremen University (e-learning, exams, administration, etc.). Here are &lt;a href="http://dennisbloete.de/stuff/digitale_medien/bachelorreport/slides/openid-attribute-exchange.html"&gt;his slides&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Convergence of Standards: &lt;/span&gt;&lt;span&gt;Infocards and OpenID&lt;/span&gt; are moving closer to each other. The best known case for this is using &lt;del&gt;CardSpace&lt;/del&gt;InfoCards for authenticating towards the OpenID provider. But there is more going on, e.g. in creating mobility: The Higgins InfoCards selector stores Infocards online, so you don’t depend on your own machine all the time – which used to be a big plus for OpenID. 
Johannes Feulner showed the gateway &lt;a href="http://www.openidbycard.com/"&gt;OpenIDbyCard.com&lt;/a&gt; he built, which you can use for logging into an OpenID relying party directly with the &lt;del&gt;CardSpace&lt;/del&gt; InfoCards interface. One of the problems in building this system was that the attribute semantics were not 100% equivalent to each other. Another approach, which Dick Hardt is working on, is to “tunnel” OpenID Tokens with Infocards. According to Johannes, the latter approach can not translate claims and does not work with self-issued cards, and the relying party needs an upgrade. In the gateway approach, you have to trust the gateway; in the tunnel approach, you have to trust the OpenID provider. Johannes also has a nice OpenID phishing demo online at &lt;a href="http://idtheft.fun.de/"&gt;IDTheft.fun.de&lt;/a&gt;. &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Update:&lt;/span&gt; There is also convergence between &lt;del&gt;CardSpace&lt;/del&gt;InfoCards and Shibboleth, as Tobias Marquart &lt;a href="http://marquarts.net/mnblog/2008/06/identitycampbremen-outcomes.html"&gt;reports&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;We now know what &lt;span style="font-weight: bold;"&gt;"Identity 3.0"&lt;/span&gt; officially means. Caspar Bowden presented on the recently acquired U-Prove technology and how Microsoft plans to integrate it into the Identity Meta-System. Christian Scholz has a good &lt;a href="http://mrtopf.de/blog/web20/identitycamp-bremen-2008-caspar-bowden-microsoft-about-u-prove/"&gt;summary&lt;/a&gt;. Caspar provided a typology of the generations of identity management:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Identity 1.0: centralized IdM like Passport. The problem was that one IdM is way too powerful.&lt;/li&gt;&lt;li&gt;Identity 2.0: SAML or OpenID like. The problems here are that all IdMs are too powerful, and you have the extra-problem of phishing.&lt;/li&gt;&lt;li&gt;Identity 3.0: smart client-side crypto. 
Using minimal disclosure tokens, you achieve multi-party security and privacy. This makes you more independent of the identity provider, which is a good thing from a privacy perspective. The problems here are unresolved patent issues.&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-weight: bold;"&gt;Data portability&lt;/span&gt; is a complex topic with a number of issues unresolved. Aside from competition issues and the big players not really pushing a standard here for obvious reasons, there is also no common vision on what exactly should be portable, and by whom. In general, the Data Portability Working Group seems not to be too active, especially not on the policy front. I learned at the camp that it depends on your normative perspective on identity. If you want your identity to be coherent and all the different facets open to all of the members of your social environment, you want full portability. This seems to be the case for those folks who are friends with their co-workers anyway. If you want your different roles not connected to each other and prefer a strict division between the private and the public life, you want less portability. At least you want to be able to control who gets to see what, and even when. The general focus is moving from single sign-on to data synchronization. Most people agreed that it would be nice to be able to update your contact data on all platforms you are a member of with one click. The more difficult issue is relationship data, which in the end is not identity management, but societal management. One more reason to get more social scientists in this discussion. But you also need a ton of lawyers, because if company X relies on the IDs provided by company Y, this creates a business relationship between them, too.&lt;br /&gt;&lt;br /&gt;"The topic least understood by the participants (at large) seemed to me to be &lt;span style="font-weight: bold;"&gt;national identity (and their respective cards)&lt;/span&gt;." 
(&lt;a href="http://identities.ning.com/profiles/blog/show?id=2066893:BlogPost:925"&gt;Sid Arora&lt;/a&gt;). This is understandable, as OpenID, Cardspace, and other instances of Identity 2.0 are not really part of most developments around governmentally issued electronic ID cards. This camp was a nice opportunity for people who work on these different corners to meet and exchange views. This is especially important when discussions are starting about the possible use of OpenID in e-government contexts, which happened in Bremen. A lot of scepticism was raised towards this idea, though, mainly because of security issues and the too central role of the identity provider. Caspar Bowden got applause for his question:&lt;br /&gt;&lt;blockquote&gt;"Why use the lowest standard (OpenID) for the most security-relevant use case (government authentication)?"&lt;br /&gt;&lt;/blockquote&gt;There was a huge interest in &lt;span style="font-weight: bold;"&gt;trust online&lt;/span&gt;. Which mechanisms generate trust in the offline world, and what is different in online environments? &lt;a href="http://www.slideshare.net/sozlog/wie-man-vertrauen-online-untersuchen-kann/"&gt;Tina Guenther’s presentation&lt;/a&gt; sparked such a lively discussion with her attempt to break down the research questions and get some first insights that she even offered a well-attended second session on Sunday for getting deeper into this.&lt;br /&gt;&lt;br /&gt;You can &lt;span style="font-weight: bold;"&gt;reduce the need to trust with data minimization.&lt;/span&gt; A lot of the open questions discussed in the other sessions also boil down to "Who do you trust"? Your government? A corporation like Yahoo? The members of your social network? 
If the idea of a loosely coupled identity meta-system is that you do not need high trust among all parties, then I see two possible solutions:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Everyone becomes his or her own identity provider and does not have to worry about IdPs collecting their digital traces.&lt;/li&gt;&lt;li&gt;The amount of exchanged data is reduced in general, so you don’t have to trust all kinds of parties. This is where Identity 3.0 with minimal disclosure tokens and zero-knowledge proofs is very promising.&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-weight: bold;"&gt;Semantics is the big challenge, not technology.&lt;/span&gt; Once Microsoft and IBM sort out the patent issues between U-Prove and Idemix, and the protocols and libraries are available for the public, the technology problems are more or less solved. Most of this (except for the minimal-disclosure crypto) is not rocket science anyway, but normal protocol plumbing. The problem is the translation of the complex social and legal issues around identity into these protocols. How to come up with a reference list of identity tokens for age, location, contacts and all kinds of other issues? How to organize the management of relationship data? Which contractual relationships are implicitly or explicitly involved that need to be sorted out? The idea of having Creative Commons-like licenses for your personal data, which then can be described in a lawyer-readable, a human-readable, and a machine-readable form met quite some interest. But this is mainly a usability issue. The different use cases you want for this are much more complex and diverse than the few standard types of re-using text or music.&lt;br /&gt;&lt;br /&gt;This leads to the conclusion by many participants: An &lt;span style="font-weight: bold;"&gt;interdisciplinary perspective is really needed&lt;/span&gt; on the issue of identity. 
We came pretty close to the ideal, but some perspectives were still missing:&lt;br /&gt;&lt;blockquote&gt;"There was a healthy mix of disciplines represented, including computer scientists and programmers, lawyers, sociologists, social media / web developers and even a few curious students from the Bremen University of Arts, where the event was hosted. A couple historians and policy makers mixed in would have been nice, but considering the method in which such an IdentityCamp was organised (or lack thereof), it was brilliant." (&lt;a href="http://identities.ning.com/profiles/blog/show?id=2066893:BlogPost:925"&gt;Sid Arora&lt;/a&gt;)&lt;br /&gt;&lt;/blockquote&gt;There is great interest in a &lt;span style="font-weight: bold;"&gt;follow-up&lt;/span&gt;. People are eager to have the next IdentityCamp and go into the issues in more depth and even develop a common vision. Check the &lt;a href="http://barcamp.org/IdentityCampBremen"&gt;IdentityCamp page&lt;/a&gt; regularly to see how we will stay in touch.&lt;br /&gt;&lt;br /&gt;A big "thank you" goes to our &lt;span style="font-weight: bold;"&gt;sponsors&lt;/span&gt;: University of the Arts Bremen, big Bremen, Kuppinger Cole + Partner, artundweise, hmmh Multimediahaus, Mister Wong, Spreadshirt, and Pure Tea.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-7417059574155695074?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/7417059574155695074/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=7417059574155695074' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7417059574155695074'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/34116157/posts/default/7417059574155695074'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/06/identitycamp-lessons-learned-in-bremen.html' title='IdentityCamp: Lessons Learned in Bremen'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-7867721556416610254</id><published>2008-06-03T16:28:00.008+02:00</published><updated>2008-06-03T19:12:49.588+02:00</updated><title type='text'>"Machine-Readable Government" from 1987 to 2008</title><content type='html'>At a brainstorming session about future research issues at &lt;a href="http://www.tbm.tudelft.nl/live/pagina.jsp?id=a1bf6a54-ed67-4a6a-8b46-ef7d542e0f32&amp;amp;lang=en"&gt;our section&lt;/a&gt; today, I mentioned the term "machine-readable government", which met a lot of interest. I did some quick research on where the term came from. Interesting outcomes:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;German hackers in the 1980s&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Surprise: The term seems to date back to 1987. The first mention in the media that I could find was in 1988, in an &lt;a href="http://wissen.spiegel.de/wissen/dokument/dokument.html?id=13530135"&gt;article&lt;/a&gt; in the German weekly magazine Der Spiegel about the mailbox and hacker communities in Germany. 
The term &lt;span style="font-weight: bold;"&gt;"maschinenlesbare Regierung"&lt;/span&gt; was attributed to Chaos Computer Club co-founder Klaus Schleisiek, but it seems to have been a common concept for the first generation of German hackers, as the book about CCC founding father Wau Holland by Daniel Kulla &lt;a href="http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&amp;amp;friendid=364772090"&gt;tells us&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It is unclear to me if there was more detailed conceptual thinking about this, or if it was just an ironic  catch-phrase.&lt;br /&gt;&lt;br /&gt;More recently, the term was again used in the context of the German introduction of Freedom of Information Acts, see e.g. this 2003 CCC &lt;a href="http://www.ccc.de/congress/2003/fahrplan/event/574.de.html"&gt;congress lecture&lt;/a&gt; by CCC co-founder Gerriet Hellwig.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Barack Obama / Lawrence Lessig in the U.S.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;More recently, the term has been used for describing some ideas of the Barack Obama campaign in the United States. Obama has quite progressive plans for a more transparent government and the use of open standards for this, see his &lt;a href="http://obama.3cdn.net/780e0e91ccb6cdbf6e_6udymvin7.pdf"&gt;"technology and innovation" concept paper&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Obama does not say "machine-readable government", but the idea is roughly the same:&lt;br /&gt;&lt;blockquote&gt;"Making government data available online in universally accessible formats to allow citizens to make use of that data to comment, derive value, and take action in their own communities. 
Greater access to environmental data, for example, will help citizens learn about pollution in their communities, provide information about local conditions back to government and empower people to protect themselves."&lt;br /&gt;&lt;/blockquote&gt;Larry Lessig's interpretation and endorsement of this does not use the term "machine-readable government" either, but was interpreted as such by a number of bloggers. Lessig &lt;a href="http://lessig.org/blog/2007/11/4barack.html"&gt;says&lt;/a&gt; about Obama's ideas:&lt;br /&gt;&lt;blockquote&gt;"the big part of this is a commitment to making data about the government (as well as government data) publicly available in standard machine readable formats. The promise isn't just the naive promise that government websites will work better and reveal more. It is the really powerful promise to feed the data necessary for the Sunlights and the Maplights of the world to make government work better. Atomize (or RSS-ify) government data (votes, contributions, Members of Congress's calendars) and you enable the rest of us to make clear the economy of influence that is Washington."&lt;br /&gt;&lt;/blockquote&gt;This interpretation of course is strongly related to Lessig's current interest and work on a more transparent and less corrupt government. He also &lt;a href="http://lessig.org/blog/2007/12/on_what_exactly_happened_satur.html"&gt;announced&lt;/a&gt; a first practical project last year in the field of legal texts and decisions:&lt;br /&gt;&lt;blockquote&gt;"Legal Commons (beta): Taking inspiration from the liberator and manumitter of government documents and legal cases, &lt;a href="http://en.wikipedia.org/wiki/Carl_Malamud"&gt;Carl Malamud&lt;/a&gt;, Creative Commons will enter into a joint venture with &lt;a href="http://public.resource.org/"&gt;public.resource.org&lt;/a&gt; to collect and make available machine readable copies of government documents and law. 
Carl and I have committed to freeing all federal case law by the end of 2008. Importantly, this effort will not set up competing systems to the emerging ecology of great free law services (&lt;a href="http://www.law.cornell.edu/"&gt;Cornell's LII&lt;/a&gt;, or Columbia's &lt;a href="http://altlaw.org/"&gt;Altlaw.org&lt;/a&gt;). We instead will help gather and make available the resources those services use to provide their amazing service. So look for a tarball of all federal cases by the end of 2008, in parsable and usable plain text."&lt;br /&gt;&lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;What's next?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Of course, freeing government information on public spending, on environmental or health data, or on government and parliament decision-making (voting records, contacts with lobbyists etc.) is great, and making this available in machine-readable standardized form is even better. But as we have learned from Creative Commons: "machine-readable" does not automatically translate into "human-readable" or "citizen-readable".&lt;br /&gt;&lt;br /&gt;I see two upcoming challenges in this field:&lt;br /&gt;&lt;br /&gt;1. Developing tools that make this information digestible by normal citizens. It should be fairly easy for plain environmental data like "compare air pollution over time in all states and tell me if there is a relation to power plants nearby". But social and relational data, such as data on the political process, is much harder to digest in standardized forms. A contact with a lobbyist can mean a whole range of things, for example. It will be tough to come up with the semantics for this in the first place.&lt;br /&gt;&lt;br /&gt;2. Even if this should be possible, the interpretation of such complex datasets is not really easy. This is a challenge for activists and political groups that will want to build tools around this data, and others who will do mash-ups from those. 
I certainly see the danger of mistaking correlation for causality here, as well as other reasons for blaming the wrong person or factor. In general, I am not sure if this in the long term will lead to better quality of political debates and decisions. You can also imagine a future where the political opponents only throw statistics at each other, and where the discourse over values and social visions gets even more marginalized.&lt;br /&gt;&lt;br /&gt;That said, of course I totally agree that more transparency of government is better than less. And if machines can help us aggregate and digest the information, we should really give it a try.&lt;br /&gt;&lt;br /&gt;PS: If anybody knows more comprehensive literature around these ideas, please let me know!&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update:&lt;/span&gt; The broader term for this (which is also much more common in the English-speaking world) is "open government". This also includes citizen wikis on government and parliament people and activities as well as similar approaches, where the data is not necessarily in standardized - i.e. machine-readable and digestible - formats.&lt;br /&gt;&lt;br /&gt;Some sources on this:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Ethan Zuckerman: &lt;a href="http://www.ethanzuckerman.com/blog/2007/12/09/towards-the-principles-of-open-government-data/"&gt;Towards the principles of open government data&lt;/a&gt;&lt;/li&gt;&lt;li&gt;O'Reilly Radar on the &lt;a href="http://radar.oreilly.com/archives/2007/12/open-government-summit.html"&gt;Open Government Summit&lt;/a&gt;&lt;/li&gt;&lt;li&gt;David Robinson, Harlan Yu, William Zeller and Edward W. 
Felten: &lt;a href="http://www.yjolt.org/files/robinson-11-YJOLT-draft.pdf"&gt;Government Data and the Invisible Hand (pre-print)&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Ed Mayo and Tom Steinberg: &lt;a href="http://www.commentonthis.com/powerofinformation/"&gt;The Power of Information: An independent review&lt;/a&gt;&lt;/li&gt;&lt;li&gt;Ellen Miller: &lt;a href="http://www.sunlightfoundation.com/case_study_why_transparency_is_a_good_thing"&gt;Case Study. Why Transparency is a Good Thing&lt;/a&gt;&lt;/li&gt;&lt;li&gt;Jerry Brito: &lt;a href="http://www.stlr.org/cite.cgi?volume=9&amp;amp;article=4"&gt;Hack, Mash, &amp;amp; Peer: Crowdsourcing Government Transparency&lt;/a&gt;&lt;/li&gt;&lt;li&gt;The Sunlight Foundation has a &lt;a href="http://www.sunlightlabs.org/resources/"&gt;long list of available government data from the U.S.&lt;/a&gt;, including links to APIs and XML-formatted data. &lt;/li&gt;&lt;/ul&gt;Thanks to &lt;a href="http://www.netzpolitik.org/"&gt;Markus Beckedahl&lt;/a&gt; for the helpful hints and links.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-7867721556416610254?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/7867721556416610254/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=7867721556416610254' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7867721556416610254'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7867721556416610254'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/06/machine-readable-government-from-1987.html' title='&quot;Machine-Readable Government&quot; from 1987 to 
2008'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-2077343839236138649</id><published>2008-05-28T17:43:00.004+02:00</published><updated>2008-05-29T12:31:21.376+02:00</updated><title type='text'>German Students Break CardSpace Security</title><content type='html'>Three students from the Ruhr-University Bochum in Germany were able to intercept the security token and, based on that, &lt;del&gt;read the plain text of the cards' content, e.g. name, credit card number and other things&lt;/del&gt; impersonate the legitimate user during the lifetime of the security token. They basically did this by means of an extended man-in-the-middle attack through DNS manipulation:&lt;br /&gt;&lt;blockquote&gt;We study the security of Cardspace and show that the browser-based protocol is susceptible to attacks, where the adversary steals the security token. Consequently, we prove evidence that users are impersonatable and the one who potentially suffer from identity theft. We confirm the practicability of the attack by presenting a proof of concept implementation. Finally, we discuss countermeasures, addressing both the CardSpace identity metasystem and the protocol.&lt;br /&gt;&lt;/blockquote&gt;See the &lt;a href="http://demo.nds.rub.de/cardspace/"&gt;short description&lt;/a&gt; and the &lt;a href="http://www.nds.rub.de/gajek/papers/GaScXu08_CardSpaceTR.pdf"&gt;full report (pdf)&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Heise Security tried to reproduce the attack &lt;a href="http://www.heise.de/newsticker/Studenten-knacken-Microsofts-Cardspace--/meldung/108610"&gt;without success&lt;/a&gt;, though. 
Microsoft is already working on a solution.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-2077343839236138649?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/2077343839236138649/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=2077343839236138649' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/2077343839236138649'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/2077343839236138649'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/05/german-students-break-cardspace.html' title='German Students Break CardSpace Security'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-314407339808018395</id><published>2008-05-13T18:16:00.004+02:00</published><updated>2008-05-13T18:54:05.631+02:00</updated><title type='text'>Deep Packet Inspection: Technology vs Lawyers?</title><content type='html'>Lots of interesting things have been happening in the last few weeks in the field of real-time Internet traffic "inspection" a.k.a. monitoring or surveillance. 
This is just a small summary of the most important developments:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;On the technology front&lt;/span&gt;, the DPI equipment available on the market is getting &lt;a href="http://arstechnica.com/news.ars/post/20080512-throttle-5m-p2p-users-in-real-time-with-800000-dpi-monster.html"&gt;more and more sophisticated&lt;/a&gt;, as Ars Technica reported yesterday:&lt;br /&gt;&lt;blockquote&gt;Procera Networks will announce today a new standard in deep packet inspection (DPI) gear: an 80Gbps monster called the PacketLogic PL10000 that is targeted at tier-1 network operators. At up to $800,000 a unit, these aren't cheap, but when you want to throttle, inspect, and shape traffic in real-time on a major network, this is now the fastest thing on the market (and by a large margin).&lt;br /&gt;&lt;/blockquote&gt;&lt;a href="http://www.proceranetworks.com/press-releases/procera-networks-introduces-the-industry-039-s-highest-performance-dpi-service-creation-platform-for-tier-1-broadband-prov.html"&gt;Procera's own press release&lt;/a&gt; phrases this in more business-oriented language, actually quite tellingly:&lt;br /&gt;&lt;blockquote&gt;[S]ervice providers now have a platform that will support millions of subscribers while giving them the business intelligence, service creation, network visibility and control required to successfully roll out new revenue-generating services and optimize network performance. 
Generally available now, the PacketLogic PL10000 already has four service provider customers from around the world and is currently operating in production networks.&lt;br /&gt;&lt;/blockquote&gt;They are nice enough to also quote one ISP who uses their gear:&lt;br /&gt;&lt;blockquote&gt;"As a Procera customer since 2004, we are extremely pleased with our experience with PacketLogic, and as our business has grown to the point where we needed larger PacketLogic systems, it was an easy decision to start upgrading to PL10000," said Jens Persson, vice president of R&amp;amp;D at Com Hem, Scandinavia's largest cable operator.&lt;br /&gt;&lt;/blockquote&gt;Com Hem might not be so happy anymore in the near future if the internet lawyers in Sweden are anywhere close to their Canadian and British colleagues in terms of action:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;In Canada&lt;/span&gt;, privacy lawyers have filed an official complaint with the federal privacy commissioner's office &lt;a href="http://www.cbc.ca/technology/story/2008/05/12/tech-bell.html"&gt;against Bell Canada&lt;/a&gt; because of its DPI usage for traffic shaping:&lt;br /&gt;&lt;blockquote&gt;The Canadian Internet Policy and Public Interest Clinic, a University of Ottawa legal clinic specializing in internet- and other technology-related law, has joined the assault on Bell Canada Inc. and its traffic-shaping practices, urging an investigation by the country's privacy commissioner. The group says Bell has failed to obtain the consent of its retail and wholesale internet customers in applying its deep-packet inspection technology, which tells the company what subscribers are using their connections for. Bell is using DPI to find and limit the use of peer-to-peer applications such as BitTorrent, which it says are congesting its network.&lt;/blockquote&gt;Here is the &lt;a href="http://www.cippic.ca/uploads/Bell-DPI-PIPEDAcomplaint_09May08.pdf"&gt;full complaint&lt;/a&gt;. 
From the introduction:&lt;br /&gt;&lt;blockquote&gt;[W]e understand that Bell is engaging in internet “traffic management” practices that involve the inspection of internet traffic headers and content, both of which contain information that can be linked to internet subscribers, purportedly to classify traffic for purposes of network optimization. Such practices – i.e., those involving the collection and use of personal information - are not &lt;span style="font-style: italic;"&gt;necessary&lt;/span&gt; to ensure network integrity and quality of service. Moreover, subscribers whose traffic is being inspected have not consented to the inspection and use of their data for this purpose. Finally, Bell does not make readily available to individuals specific information about these practices.&lt;br /&gt;&lt;br /&gt;We submit that Bell is violating Principles 4.3, 4.4, and 4.8 of PIPEDA, Schedule 1 by failing to:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;a. Obtain informed consent from affected individuals to the collection and use of their personal information for the purpose of traffic management (Principle 4.3); &lt;/li&gt;&lt;li&gt;b. Limit the collection of personal information to that which is necessary for its stated purposes (Principle 4.4); and &lt;/li&gt;&lt;li&gt;c. Make readily available to the public specific information about its traffic management policies and practices insofar as they involve the collection and analysis of personal information (Principle 4.8).&lt;/li&gt;&lt;/ul&gt; &lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;In the UK&lt;/span&gt;, the Foundation for Information Policy Research (FIPR) has done a tremendous job in analyzing the technical and legal issues around Phorm's "Webwise" system for inserting adverts into ISPs' customers' traffic. Richard Clayton &lt;a href="http://www.cl.cam.ac.uk/%7Ernc1/080404phorm.pdf"&gt;comprehensively describes&lt;/a&gt; how the system, which was already tested at BT (formerly British Telecom), works. 
The summary sounds rather dry:&lt;br /&gt;&lt;blockquote&gt;The basic concept behind the Phorm architecture is that they wish to take a copy of the traffic that passes between an end-user and a website. This enables their systems to inspect what requests were made to the website and to determine what content came back from that website. An understanding of the types of websites visited is used to target adverts at particular users.&lt;br /&gt;&lt;/blockquote&gt;Read the full paper! This is scary stuff, including deep packet inspection, forged cookies, multiple re-routing and other techniques.&lt;br /&gt;&lt;br /&gt;Nicholas Bohm from FIPR then added a &lt;a href="http://www.fipr.org/080423phormlegal.pdf"&gt;legal analysis&lt;/a&gt; based on Clayton's work. His judgement:&lt;br /&gt;&lt;blockquote&gt;This paper concludes that deployment by an ISP of the Phorm architecture will involve the following illegalities (for which ISPs will be primarily liable and for which Phorm Inc will be liable as an inciter):&lt;br /&gt;&lt;ul&gt;&lt;li&gt;interception of communications, an offence contrary to section 1 of the Regulation of Investigatory Powers Act 2000&lt;/li&gt;&lt;li&gt;fraud, an offence contrary to section 1 of the Fraud Act 2006&lt;/li&gt;&lt;li&gt;unlawful processing of sensitive personal data, contrary to the Data Protection Act 1998&lt;/li&gt;&lt;li&gt;risks of committing civil wrongs actionable at the suit of website owners such as the Bank of England.&lt;/li&gt;&lt;/ul&gt;&lt;/blockquote&gt;&lt;br /&gt;Of course, this is not "Technology vs. Lawyers", as the headline suggests (just teasing). Technology can be used to enhance as well as circumvent these DPI surveillance tools, and law can be used to allow or prohibit their deployment. 
More on this in a later posting.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-314407339808018395?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/314407339808018395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=314407339808018395' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/314407339808018395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/314407339808018395'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/05/deep-packet-inspection-technology-vs.html' title='Deep Packet Inspection: Technology vs Lawyers?'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-3196169877605138784</id><published>2008-04-16T02:30:00.003+02:00</published><updated>2008-04-16T03:04:29.186+02:00</updated><title type='text'>Deep Packet Inspection, or: The end of the net as we’ve known it?</title><content type='html'>&lt;p&gt;My new research project that just started at the TU Delft and is supervised by &lt;a href="http://www.internetgovernance.org/people-mueller.html"&gt;Milton Mueller&lt;/a&gt; and &lt;a href="http://harrybouwman.nl/"&gt;Harry Bouwman&lt;/a&gt; has produced a first short description:&lt;br /&gt;&lt;/p&gt;&lt;p span="" style="margin-left: 2cm; text-align: right;" 
align="right"&gt;&lt;em&gt;"Like a daydreaming postal worker, the network simply moves the data and leaves interpretation of the data to the applications at either end. This minimalism in design is intentional. It reflects both a political decision about disabling control and a technological decision about the optimal network design."&lt;/em&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;em&gt;(Lawrence Lessig: Code and other Laws of Cyberspace,&lt;br&gt;New York: Basic Books 1999, p. 32)&lt;/em&gt;&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt; Technological advances in routers and network monitoring equipment now allow Internet Service Providers (ISPs) to monitor the content of TCP/IP packets in real-time and make decisions accordingly about how to handle them. If rolled out widely, this technology known as deep &lt;a href="http://en.wikipedia.org/wiki/Deep_packet_inspection"&gt;packet inspection (DPI)&lt;/a&gt; would turn the internet into something completely new. Lawrence Lessig almost ten years ago reminded us that its design is not a natural given, but the outcome of political and technological decisions and trends. 
DPI therefore has the potential to affect the fundamental properties of the internet as a global public infrastructure and therefore also to alter the capacity of global internet governance.&lt;/p&gt;DPI is reportedly motivated by three considerations on the ISPs’ side:   &lt;ol&gt;&lt;li&gt;They are under regulatory or public pressure by intellectual property owners and government agencies to control and filter the flow of illegal content.&lt;/li&gt;&lt;li&gt;They pursue a strategy of vertical integration with specific content providers by slowing down their competitors’ content or by inserting ads into content served by third parties;&lt;/li&gt;&lt;li&gt;They try to allocate bandwidth more efficiently and fairly among users, especially in the more bandwidth-constrained last mile and in the mobile internet.&lt;/li&gt;&lt;/ol&gt;The research project will examine the deployment of DPI by internet service providers and its actual and prospective impact on Internet users and internet governance. It will proceed in four steps:&lt;ol&gt;&lt;li&gt;&lt;em&gt;Empirical phase:&lt;/em&gt; It will examine the technological and design trends and true scope of implementation of DPI capabilities by ISPs, and the economic and regulatory drivers and barriers promoting as well as constraining its use. The data for this phase will be gathered in several case studies (different countries and ISPs) through desk research and interviews. Relevant indicators will include: design and deployment of DPI technologies; design, availability and deployment of DPI circumvention technologies such as encryption; bandwidth supply and demand for backbone and mobile internet; regulatory and other legal obligations for ISPs; economic indicators like ISPs’ market development and revenue trends.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Explanatory phase:&lt;/em&gt; It then will attempt to assess how these empirical developments can be explained. 
Drawing on political, economic, and socio-technological theories, it will derive more specific hypotheses and models and test them with the data.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Normative phase:&lt;/em&gt; The project will then assess the implications of DPI on human rights, such as the privacy and freedom of expression of internet users; on market failures and competition policies; and on norms of good infrastructure governance such as the “common carrier” concept or “network neutrality”.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Praxeological phase:&lt;/em&gt; Based on the explanatory models developed before, it will derive recommendations on how to most efficiently rectify the normative problems identified.&lt;/li&gt;&lt;/ol&gt;Any comment and &lt;a href="mailto:r.bendrath@tudelft.nl"&gt;feedback&lt;/a&gt; is welcome, especially on the theory/explanatory part, and where to get the relevant data.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-3196169877605138784?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/3196169877605138784/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=3196169877605138784' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3196169877605138784'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3196169877605138784'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/04/deep-packet-inspection-or-end-of-net-as.html' title='Deep Packet Inspection, or: The end of the net as we’ve known it?'/><author><name>Ralf 
Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-4135096938625739418</id><published>2008-04-02T11:29:00.003+02:00</published><updated>2008-04-02T11:44:25.495+02:00</updated><title type='text'>Privacy,  Forgetting and Information Ecology</title><content type='html'>I am at the &lt;a href="http://re-publica.de/08/"&gt;re:publica conference&lt;/a&gt; in Berlin this week, just listening to Viktor Mayer-Schönberger's keynote on forgetting and remembering. His speech is about "information ecology", and he reminds us that in human history, forgetting has always been the norm, while remembering was the exception that took an effort and was costly. This is changing with computers and hard drives, creating new problems in terms of privacy and out-of-context judgements based on outdated information. He is suggesting an expiry date for personal information. Read his full argument &lt;a href="http://ksgnotes1.harvard.edu/Research/wpaper.nsf/rwp/RWP07-022"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;A &lt;a href="http://wiki.idcommons.net/index.php/Identity_Futures"&gt;similar idea&lt;/a&gt; was developed by the Identity Futures Working Group last year. If forgetting is so difficult nowadays, we should at least display which information is older and may therefore be less relevant:&lt;br /&gt;&lt;blockquote&gt;The Older Posts By And About People Appear More ‘Aged’ When Viewed. 2010±. It is now the norm for ‘digital aging’ to be visually displayed on documents as they age. Usenet posts from 20 years ago although still viewable have a grey age spots and cracks by default when first viewing them. 
Myspace posts from 2 years ago are yellow tinged.&lt;/blockquote&gt;Ed Felten at Freedom to Tinker has a &lt;a href="http://www.freedom-to-tinker.com/?p=1271"&gt;new idea&lt;/a&gt; on how to create incentives for forgetting, based on the idea of a market for carbon dioxide emissions:&lt;br /&gt;&lt;blockquote&gt;We all want more and bigger hard drives, but what is going to be stored on those drives? Information, probably relating to other people. The equation is simple: more storage equals more privacy invasion. That’s why I have pledged to maintain a storage-neutral lifestyle. From now on, whenever I buy a new hard drive, I’ll either delete the same amount of old information, or I’ll purchase a storage offset from someone else who has extra data to delete. By bidding up the cost of storage offsets, I’ll help create a market for storage conservation, without the inconvenience of changing my storage-intensive lifestyle.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-4135096938625739418?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/4135096938625739418/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=4135096938625739418' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4135096938625739418'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4135096938625739418'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/04/privacy-forgetting-and-information.html' title='Privacy,  Forgetting and Information Ecology'/><author><name>Ralf 
Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-8529158936546020268</id><published>2008-03-29T21:14:00.002+01:00</published><updated>2008-03-29T21:35:29.016+01:00</updated><title type='text'>German Hackers publish Fingerprint of Interior Minister Schäuble</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_memBhDtxhTw/R-6nt1qWCqI/AAAAAAAAACI/BgZ-b6KF-CU/s1600-h/Schaeuble-Fingerprint.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_memBhDtxhTw/R-6nt1qWCqI/AAAAAAAAACI/BgZ-b6KF-CU/s400/Schaeuble-Fingerprint.jpg" alt="" id="BLOGGER_PHOTO_ID_5183264627090655906" border="0" /&gt;&lt;/a&gt;The German hacker association &lt;a href="http://www.ccc.de/?language=en"&gt;Chaos Computer Club&lt;/a&gt; has &lt;a href="http://www.ccc.de/images/misc/schaeuble-attrappe.png"&gt;published a fingerprint&lt;/a&gt; of the federal minister for the interior, Wolfgang Schäuble. The new issue of the club's magazine "Datenschleuder" even has a prepared foil in it that can easily be used to create a fingerprint dummy that people can stick to their own fingers (&lt;a href="http://www.ccc.de/biometrie/fingerabdruck_kopieren?language=en"&gt;instructions&lt;/a&gt;). The CCC aims at forcing a more public and critical debate about the false sense of security when using biometrics. The European Union is already requiring every passport holder to give his fingerprints to the authorities. 
The German hackers now plan a whole collectors' series of fingerprints from politicians who push for more surveillance.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-8529158936546020268?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/8529158936546020268/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=8529158936546020268' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8529158936546020268'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8529158936546020268'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/03/german-hackers-publish-fingerprint-of.html' title='German Hackers publish Fingerprint of Interior Minister Schäuble'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_memBhDtxhTw/R-6nt1qWCqI/AAAAAAAAACI/BgZ-b6KF-CU/s72-c/Schaeuble-Fingerprint.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-1643203167427927305</id><published>2008-03-11T17:35:00.008+01:00</published><updated>2008-03-29T21:14:14.897+01:00</updated><title type='text'>Dangerous Moves: OpenID and Government-Issued ID tokens</title><content type='html'>As I wrote in my &lt;a 
href="http://bendrath.blogspot.com/2008/03/pressure-against-online-anonymity-or.html"&gt;last post&lt;/a&gt;: "The identity management systems that are being developed and rolled out right now are laying the foundations that may be used to end online anonymity." This is becoming especially relevant with the development of e-government identification tokens that are issued by more and more governments around the world. I consciously said "may", because a crucial question is how the systems are designed.&lt;br /&gt;&lt;br /&gt;This is a &lt;span style="font-style: italic;"&gt;very &lt;/span&gt;crude ranking:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;U-Prove and related zero-knowledge technologies can really help secure privacy by offering untraceable and unlinkable tokens based on an existing ID.&lt;/li&gt;&lt;li&gt;CardSpace only offers some privacy protection in specific use cases (self-issued cards, non-auditing mode), but has general problems with unlinkability.&lt;/li&gt;&lt;li&gt;OpenID offers basically no privacy if you don't run your own OpenID server and thereby authenticate yourself, because the OpenID provider can always see what you do.&lt;/li&gt;&lt;li&gt;Using CardSpace for logging into your OpenID provider only secures the login process, but does not protect you against the OpenID provider seeing what you do.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;So what happens if OpenID and government-issued identification tokens are combined? It depends.&lt;br /&gt;&lt;br /&gt;If my government were my OpenID provider, they could basically track all instances where I log into a web site. Very bad, and luckily nobody is thinking of this (yet). But a number of big companies have already started giving their employees an OpenID identity, which is not much better. The company can track what people do, and the relying party can be sure that  John.Doe.OpenID.CompanyXYZ.com is a real person named John Doe who works at CompanyXYZ. 
I wonder when we see the first suggestion to do this for government authorities.&lt;br /&gt;&lt;br /&gt;If the government-issued ID token is used for logging into your OpenID provider (what CardSpace can also be used for), it may secure the login process here. But the OpenID provider still can see all instances when you log in anywhere. But now, because you identify yourself with a government-issued ID token, the OpenID provider can link the activities of your (maybe pseudonymous) OpenID account to a real person.&lt;br /&gt;&lt;br /&gt;This is exactly what is &lt;a href="http://www.trustbearer.com/news_fineid.html"&gt;happening in Finland&lt;/a&gt; right now:&lt;br /&gt;&lt;blockquote&gt;TrustBearer Labs, a leading authentication solutions company, has announced support for the Finnish National Electronic Identification Card (FINEID) with its OpenID service. With this support, the FINEID smart card can now be paired with the OpenID online authentication standard, enabling FINEID cardholders to use their cards for logging in to any website that accepts OpenID. (...)&lt;/blockquote&gt;As far as I can tell from the press release and the little &lt;a href="https://openid.trustbearer.com/"&gt;background info&lt;/a&gt;, it only works with an OpenID provided and managed by TrustBearer themselves.&lt;br /&gt;&lt;br /&gt;So how does the FINEID technology work? The FINEID smart card is carrying a "Citizen Certificate". This citizen certificate is &lt;a href="http://www.fineid.fi/vrk/fineid/home.nsf/pages/4C8F3A95FF0AE93FC2257054002DAA1C"&gt;not allowing&lt;/a&gt; stable pseudonyms or even transaction-specific pseudonyms:&lt;br /&gt;&lt;blockquote&gt;The Citizen Certificate is standardized personal data, an electronic identity based on Public Key Infrastructure. 
It contains, among other information, a citizen’s first name, family name and an electronic client identifier.&lt;br /&gt;&lt;/blockquote&gt;The legislators in Kentucky who want to force everybody &lt;a href="http://www.lrc.ky.gov/record/08rs/hb775.htm"&gt;to use his or her real name for even the smallest online publications&lt;/a&gt; will be happy if they see this. The TrustBearer press release praises it:&lt;br /&gt;&lt;blockquote&gt;"We believe that our OpenID service complements national identification programs, like Finland’s ID card. National ID card holders can now securely and efficiently manage many of the things they do on the Internet using a central and secure identity," says David Corcoran, Chief Executive Officer of TrustBearer Labs.&lt;/blockquote&gt;This is a very dangerous development. We have a technology here that allows the &lt;span style="font-style: italic;"&gt;tracking&lt;/span&gt; of your online activities (OpenID) combined with a technology that always &lt;span style="font-style: italic;"&gt;identifies&lt;/span&gt; you with your real, legal persona (FINEID). The only firewall between this and a fully-fledged government surveillance system for online activities is that&lt;br /&gt;&lt;ul&gt;&lt;li&gt;it is not mandatory (yet) and&lt;/li&gt;&lt;li&gt;the Finnish government can't (yet) directly peek into TrustBearer's database. &lt;/li&gt;&lt;/ul&gt;These are only legal restrictions, and they can change over time, as &lt;a href="http://findarticles.com/p/articles/mi_m2267/is_2_68/ai_77187772/"&gt;history has proven many times&lt;/a&gt;. On the infrastructure side, identity management technologies are slowly moving us towards more online surveillance if we stick with the current ones and don't quickly develop, integrate and roll out the most secure products. 
Otherwise we have to abandon the whole idea that identity management for the web is a good thing.&lt;br /&gt;&lt;br /&gt;When I started &lt;a href="http://bendrath.blogspot.com/2007/04/openid-next-big-thing-with-lots-of.html"&gt;writing&lt;/a&gt; and &lt;a href="http://events.ccc.de/congress/2006/Fahrplan/events/1611.en.html"&gt;speaking&lt;/a&gt; about the privacy problems connected with OpenID and similar Identity 2.0 projects, many people replied: "Yes, but it is only meant for blog comments and harmless stuff like that. Of course you can always use a pseudonym, and you will never use it for serious stuff like e-government." Well...&lt;br /&gt;&lt;br /&gt;(Thanks to &lt;a href="http://blog.kairaven.de/"&gt;Kai Raven&lt;/a&gt; for the link to the TrustBearer story.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-1643203167427927305?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/1643203167427927305/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=1643203167427927305' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1643203167427927305'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1643203167427927305'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/03/dangerous-moves-openid-and-government.html' title='Dangerous Moves: OpenID and Government-Issued ID tokens'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-6258417522510768695</id><published>2008-03-11T02:09:00.006+01:00</published><updated>2008-03-11T03:41:18.410+01:00</updated><title type='text'>Pressure Against Online Anonymity - or: Towards Online Identification</title><content type='html'>Online free speech is increasingly under attack. Not just by classical censorship, but by laws and regulations that would prohibit anonymity and establish mandatory identification systems.&lt;br /&gt;&lt;br /&gt;The People’s Republic of China is working on a &lt;a href="http://www.ft.com/cms/s/0/2f9f7060-e6bf-11db-9034-000b5df10621.html"&gt;“real name verification system”&lt;/a&gt; for bloggers, but also for online gamers. South Korea is developing a similar &lt;a href="http://www.asiamedia.ucla.edu/article-eastasia.asp?parentid=60686"&gt;“internet real-name system”&lt;/a&gt; for bloggers that they would have to use for posting blog entries and comments.&lt;br /&gt;&lt;br /&gt;In the US, conservative senators McCain and Schumer introduced the "Keeping the Internet Devoid of Sexual Predators Act of 2007" (also called "KIDS Act", Bill No. S.431) in January 2007, which would force all convicted sexual offenders to register all their online identities with the authorities. They are dead serious about this: If people fail to register, they will face up to ten years of imprisonment. This is not for raping anyone; this is just for not telling the government all their online user names and pseudonyms. 
The bill has even attracted Democratic co-sponsors, including Barack Obama, John Kerry, Patrick Leahy and Dianne Feinstein.&lt;br /&gt;&lt;br /&gt;Now, Kentucky is &lt;a href="http://www.wtvq.com/content/midatlantic/tvq/video.apx.-content-articles-TVQ-2008-03-05-0011.html"&gt;making the news&lt;/a&gt; with a proposal similar to the Chinese and Korean ones:&lt;br /&gt;&lt;blockquote&gt;Kentucky Representative Tim Couch filed a bill this week to make anonymous posting online illegal. The bill would require anyone who contributes to a website to register their real name, address and e-mail address with that site. Their full name would be used anytime a comment is posted.&lt;/blockquote&gt;Digg &lt;a href="http://digg.com/tech_news/Anonymous_Comments_To_Be_made_Illegal"&gt;alerts&lt;/a&gt; its readers that the story was "reported by diggers as possibly inaccurate". Well, it &lt;span style="font-style: italic;"&gt;is&lt;/span&gt; accurate. Here is the relevant part of the &lt;a href="http://www.lrc.ky.gov/record/08rs/hb775.htm"&gt;bill&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;SECTION 2. A NEW SECTION OF KRS CHAPTER 369 IS CREATED TO READ AS FOLLOWS:&lt;br /&gt;(1) An interactive service provider shall establish, maintain, and enforce a policy to require information content providers to register a legal name, address, and valid electronic mail address as a precondition of using the interactive service.&lt;br /&gt;(2) An interactive service provider shall establish, maintain, and enforce a policy to require information content providers to be conspicuously identified with all information provided by, at a minimum, their registered legal name.&lt;br /&gt;(3) An interactive service provider shall establish reasonable procedures to enable any person to request and obtain disclosure of the legal name, address, and valid electronic mail address of an information content provider who posts false or defamatory information about the person.&lt;br /&gt;&lt;br /&gt;SECTION 3. 
A NEW SECTION OF KRS CHAPTER 369 IS CREATED TO READ AS FOLLOWS:&lt;br /&gt;An interactive service provider that violates any of the provisions of Section 2 of this Act shall be fined five hundred dollars ($500) for the first offense and one thousand dollars ($1,000) for each subsequent offense.&lt;br /&gt;&lt;/blockquote&gt;What is the reasoning behind it? National security? Preventing online stalking and insults? No - bullying! Local tv station WTVQ &lt;a href="http://www.wtvq.com/content/midatlantic/tvq/video.apx.-content-articles-TVQ-2008-03-05-0011.html"&gt;reports&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;Representative Couch says he filed the bill in hopes of cutting down on  online bullying. He says that has especially been a problem in his Eastern  Kentucky district.&lt;/blockquote&gt;Because Tim Couch gets all the fire now, it is fair to mention that his republican party colleague Jimmy Higdon is co-sponsoring the bill.&lt;br /&gt;&lt;br /&gt;Ryan Radia has a good post about the &lt;a href="http://www.techliberation.com/archives/043448.php"&gt;background for these developments&lt;/a&gt; at the Technology Liberation Front:&lt;br /&gt;&lt;blockquote&gt;The Kentucky bill comes on the heels of &lt;a href="http://www.cnn.com/2008/TECH/02/18/juicy.website.ap/index.html"&gt;controversy&lt;/a&gt; over the growing popularity of &lt;a href="http://www.juicycampus.com/"&gt;JuicyCampus.com&lt;/a&gt;, a "Web 2.0 website focusing on gossip" where college students post lurid—and often fabricated—tales of fellow students’ sexual encounters. The website bills itself as a home for "anonymous free speech on college campuses," and uses anonymous IP cloaking techniques to shield users’ identities. Backlash against the site has emerged, with Pepperdine’s student government recently voting to ban the site on campus. 
(...)&lt;br /&gt;&lt;br /&gt;Despite the appeal of combating defamation by banning online anonymity, lawmakers should be wary about restricting anonymous speech in the name of fighting libel. The same laws designed to deter defamation can also be used to target political dissent or silence whistleblowers for whom the option of remaining anonymous is critical.&lt;br /&gt;&lt;/blockquote&gt;But there is hope, at least for the moment. WTVQ from Kentucky &lt;a href="http://www.wtvq.com/content/midatlantic/tvq/video.apx.-content-articles-TVQ-2008-03-05-0011.html"&gt;again&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;Couch says enforcing this bill if it became law  would be a challenge.&lt;/blockquote&gt;At the moment, he is absolutely right.&lt;br /&gt;&lt;br /&gt;But what happens if, in ten years from now, we all have government-issued IDs that function as smart cards and together with the OpenCardSpace technology (or whatever it is called then) can be used to authenticate us before we can post anything online? The identity management systems that are being developed and rolled out right now are laying the foundations that may be used to end online anonymity. I certainly hope that &lt;a href="http://bendrath.blogspot.com/2008/03/microsoft-buys-privacy-friendly.html"&gt;U-Prove&lt;/a&gt; or similar technology is built into every identity system and operating system by then. But what if legislation forces the technologists to disable the anonymity for certain uses? 
That's why the struggle for free speech and anonymity also has to be a political and legal one, not just a technological one.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-6258417522510768695?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/6258417522510768695/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=6258417522510768695' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6258417522510768695'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6258417522510768695'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/03/pressure-against-online-anonymity-or.html' title='Pressure Against Online Anonymity - or: Towards Online Identification'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-6337319685470291740</id><published>2008-03-10T03:44:00.004+01:00</published><updated>2008-03-11T03:55:36.095+01:00</updated><title type='text'>Spam and Governance in Facebook</title><content type='html'>Facebook recently had a &lt;a href="http://napsterization.org/stories/archives/000685.html"&gt;porn chain letter&lt;/a&gt; from &lt;a href="http://www.slide.com/"&gt;Slide&lt;/a&gt;, who are running the Facebook "fun wall" application. 
Mary Hodder &lt;a href="http://napsterization.org/stories/archives/000688.html"&gt;explains&lt;/a&gt; how it worked:&lt;br /&gt;&lt;blockquote&gt;[I]magine you get some sort of email message from a friend in Facebook. This is a real friend, someone you do business with and/or socialize with and maybe have known for a long time (...). The message asks you to click into Facebook, at which point, you are asked to "install an app" (...). Then, once installed, you are taken to Slide's Fun Wall App, which shows you some porn, and says, "Click Foward to see what happen."(...) Turns out, if i'd clicked the "forward" button, Slide would have forwarded that spam to EVERYONE I KNOW in Facebook. All 500+ of them.&lt;br /&gt;&lt;/blockquote&gt;This event is interesting from the governance side of social networks: How do you establish and enforce norms in these new environments?&lt;br /&gt;&lt;br /&gt;Mary sent complaints to Facebook and Slide, and after not hearing back, she called people in both companies she knew. She was&lt;br /&gt;&lt;blockquote&gt;appalled at the responses I got. Now, these are people I know socially, and they gave me the real answers, but with the expectation that I would not attribute to them. However, I am confident that their answers reflect the culture and real value sets within these companies.   &lt;p&gt;Facebook pointed the finger at Slide (the app maker in this case), and said, "There is nothing we can do. We have no control over the apps people make or the stuff they send." Oh, and if I wanted Facebook to change the rules for apps makers? I'd have to get say, 80k of my closest Facebook friends to sign on a petition or group, and then they might look at the way they have allowed porn spam to trick people into forwarding, but until then, there would be no feature review. (...)&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Also both companies told me that blogging doesn't affect them, because they don't read blogs. 
The only thing they pay attention to are Facebook groups. Because they don't look at problems that a single person discovers.&lt;/p&gt;&lt;/blockquote&gt;Somehow, this reminds me of real existing democracy: If you don't get enough people on the streets or as participants in a class action lawsuit, politicians just won't listen. But apart from democratic considerations, in real government arrangements, you should also have the right to legal redress. Remember, in history, rule of law and democracy were not necessarily connected.&lt;br /&gt;&lt;p&gt;Slide, on the other hand, replied, according to Mary:&lt;/p&gt;&lt;blockquote&gt;Facebook was the problem, because as the "governing" body, Facebook makes the rules and "Slide wouldn't be competitive if they changed what they do, and their competitors weren't forced to as well." In other words, Slides competitors use the same features to get more users (or trick more users as the case may be) and Slide didn't want to lose out on getting more users with similar features, regardless of the effect the features have on us and our relationships.&lt;/blockquote&gt;This sounds like real existing free market with a lack of regulatory oversight. For dealing with these kinds of problems, you normally need some authority that does not have a vested interest and at the same time has the power to regulate market failures and externalities. Facebook clearly has the power, as they control the technology and can decide what applications can and cannot do. If you conceive of &lt;a href="http://bendrath.blogspot.com/2007/11/facebook-as-government.html"&gt;Facebook as the government&lt;/a&gt; of the relationship space, Facebook does not have this division of powers and arms-length agencies governments normally have. And at the same time, as mentioned above, they lack a legal system that would enable individual users to claim their rights.&lt;br /&gt;&lt;br /&gt;So, how do you change Facebook's attitude towards application providers? 
You develop a loud voice, which seems to be a large Facebook group. Or you leave. These are the textbook examples of Albert O. Hirschman's &lt;a href="http://en.wikipedia.org/wiki/Exit,_Voice,_and_Loyalty"&gt;"Exit, Voice, Loyalty"&lt;/a&gt; triad.&lt;br /&gt;&lt;br /&gt;Leaving is what Mary Hodder and a lot of other people did:&lt;br /&gt;&lt;blockquote&gt;For now, the answer for me is to use Facebook minimally and Slide not at all. Interestingly, at recent social gatherings I've mentioned these issues. At almost every one, people have said they are getting off Facebook and not going back, for precisely the reasons I mention above.&lt;br /&gt;&lt;/blockquote&gt;But the voice option also had some effect:&lt;br /&gt;&lt;blockquote&gt;Facebook did recently force apps makers to default turn "off" the checked names in forward (as far as I can tell from my own analysis of Facebook and via other blogs explanations). But I have yet to receive replies to my original support notes to these companies, and feel confused about an unspoken, barely there response. It's as though after barely changing one thing aspect of a feature, in order to mitigate the problem, they want to sweep it all under the rug.&lt;br /&gt;&lt;/blockquote&gt;Maybe Facebook finally has started reading blogs? Remember, another important feature of modern democracy, beyond the rule of law and the division of power, is the existence of a &lt;a href="http://en.wikipedia.org/wiki/The_Structural_Transformation_of_the_Public_Sphere"&gt;public sphere&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Note that my argument has been an institutional one. There is also the cultural-sociological aspect, which is mentioned in Mary's post. 
In this view, the hope is that younger generations (here: including Mark Zuckerberg and the Slide guys) learn from older people about how to behave:&lt;br /&gt;&lt;blockquote&gt;[I]t seems logical (and has happened in cultures around the world for millennia) that older, wiser men would advise young, clueless hormone driven boys how to act in the community.&lt;br /&gt;&lt;/blockquote&gt;Which approach would you take?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.identitywoman.net/?p=728"&gt;via&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/6337319685470291740/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=6337319685470291740' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6337319685470291740'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6337319685470291740'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/03/spam-and-governance-in-facebook.html' title='Spam and Governance in Facebook'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-1213469341378010961</id><published>2008-03-10T00:26:00.006+01:00</published><updated>2008-03-10T02:47:47.402+01:00</updated><title type='text'>Microsoft buys 
Privacy-Friendly Identity Technology</title><content type='html'>Microsoft has &lt;a href="http://www.identityblog.com/?p=934"&gt;acquired&lt;/a&gt; Montreal-based privacy technology company &lt;a href="http://www.credentica.com/"&gt;Credentica&lt;/a&gt;. While that probably means nothing to most of you out there, it is one of the most important and promising developments in the digital identity world.&lt;br /&gt;&lt;br /&gt;My main criticism around user-centric identity management has been that the identity provider (the party that you and others rely on, like your credit card issuer or the agency that gave you your driver's license) knows a lot about the users. Microsoft's identity architect Kim Cameron &lt;a href="http://www.identityblog.com/?p=934"&gt;explains&lt;/a&gt; it very well:&lt;br /&gt;&lt;blockquote&gt;[W]ith managed cards carrying claims asserted by a third party authority, it has so far been impossible, even for CardSpace, to completely avoid artifacts that allow linkage. (...)  Though relying parties are not able to collude with one another, if they collude with the identity provider, a set of claims can be linked to a given user even if they contain no obvious linking information.&lt;br /&gt;&lt;/blockquote&gt;This is related to the digital signatures involved in the claims flows. Kim goes on:&lt;br /&gt;&lt;blockquote&gt;But there is good news.  
Minimal disclosure technology allows the identity provider to sign the token and proof key in such a way that the user can prove the claims come legitimately from the identity provider without revealing the signature applied by the identity provider.&lt;br /&gt;&lt;/blockquote&gt;&lt;a href="http://www.idcorner.org/"&gt;Stefan Brands&lt;/a&gt; was among the first to &lt;a href="http://www.credentica.com/the_mit_pressbook.html"&gt;invent&lt;/a&gt; technology for minimal disclosure or "zero knowledge" proofs in the early nineties, similar to what David Chaum &lt;a href="http://www.chaum.com/articles/Achieving_Electronic_Privacy.htm"&gt;did&lt;/a&gt; with his anonymous digital cash concept. His technology was bought by the privacy firm Zero Knowledge, which gave it back to Stefan when it ran out of funding. He has since built his own company, &lt;a href="http://www.credentica.com/"&gt;Credentica&lt;/a&gt;, and, together with his colleagues Christian Paquin and Greg Thompson, developed it into a comprehensive middleware product called &lt;a href="http://www.credentica.com/u-prove_sdk.html"&gt;"U-Prove"&lt;/a&gt; that was released a bit more than a year ago. U-Prove works with SAML, Liberty ID-WSF, and Windows CardSpace.&lt;br /&gt;&lt;br /&gt;The importance of the concept of "zero knowledge proofs" for privacy is comparable to the impact public key infrastructures (PKIs) &lt;a href="http://www.cs.rutgers.edu/%7Etdnguyen/classes/cs671/presentations/Arvind-NEWDIRS.pdf"&gt;described&lt;/a&gt; by Whitfield Diffie and Martin Hellman had on internet security. 
The U-Prove technology based on these concepts has been compared to what Ron Rivest, Adi Shamir and Leonard Adleman (RSA) did for security when they were the first to offer an &lt;a href="http://people.csail.mit.edu/rivest/Rsapaper.pdf"&gt;algorithm&lt;/a&gt; and a product based on PKIs.&lt;br /&gt;&lt;br /&gt;When I was at the &lt;a href="http://www.cfp2007.org/"&gt;CFP conference&lt;/a&gt; in Montreal last May, I met Kim and Stefan, and a colleague pointed out to me that Kim was being &lt;span style="font-style: italic;"&gt;very&lt;/span&gt; nice to Stefan. "He has some cool patents Microsoft really wants", my colleague said. Bruce Schneier &lt;a href="http://www.schneier.com/blog/archives/2008/02/credentica.html"&gt;recently&lt;/a&gt; also praised U-Prove, but questioned the business model for companies like Credentica. He added, "I’d like to be proven wrong."&lt;br /&gt;&lt;br /&gt;Kim Cameron is now &lt;a href="http://www.identityblog.com/?p=934"&gt;bragging&lt;/a&gt; about having proven Bruce wrong (which is hard to imagine, given the &lt;a href="http://geekz.co.uk/schneierfacts/"&gt;fact&lt;/a&gt; that "Bruce Schneier feeds &lt;a href="http://en.wikipedia.org/wiki/Schr%C3%B6dingers_Cat"&gt;Schrödinger's cat&lt;/a&gt; on his back porch. Without opening the box"), while admitting that he still has no business model:&lt;br /&gt;&lt;blockquote&gt;Our goal is that Minimal Disclosure Tokens will become base features of identity platforms and products, leading to the safest possible Internet.  I don’t think the point here is ultimately to make a dollar.  It’s about building a system of identity that can withstand the ravages that the Internet will unleash. 
That will be worth billions.&lt;br /&gt;&lt;/blockquote&gt;Stefan Brands is also &lt;a href="http://idcorner.org/2008/03/06/microsoft-acquires-credenticas-u-prove-technology/#more-206"&gt;really happy&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;For starters, the market needs in identity and access management have evolved to a point where technologies for multi-party security and privacy can address real pains. Secondly, there is no industry player around that I believe in as much as Microsoft with regard to its commitment to build security and privacy into IT systems and applications. Add to that Microsoft’s strong presence in many of the target markets for identity and access management, its brain trust, and the fact that Microsoft can influence both the client and server side of applications like no industry player can, and it is easy to see why this is a perfect match.&lt;br /&gt;&lt;/blockquote&gt;A good &lt;a href="http://www.identityblog.com/?p=937"&gt;overview of other reactions&lt;/a&gt; is at Kim's latest blog post. The crucial issue has, again, been &lt;a href="http://www.links.org/?p=302"&gt;pointed out&lt;/a&gt; by Ben Laurie, who quotes the &lt;a href="http://blogs.technet.com/privacyimperative/archive/2008/03/06/microsoft-acquires-credentica-s-u-prove-technology.aspx"&gt;Microsoft Privacy Team's blog&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments, and consumers all stand to benefit from the enhanced security and privacy that it will enable.&lt;/blockquote&gt;Ben sarcastically reads it like "the Microsoft we all know and love", implying market domination based on proprietary technology. But the Microsoft we all know in the identity field is not the one we used to know with Passport and other crazy proprietary surveillance stuff. 
They have released the standards underlying the CardSpace claims exchange under an &lt;a href="http://www.identityblog.com/?p=574"&gt;open specification promise&lt;/a&gt;, and Kim assures us that they will have their lawyers sort out the legal issues so anybody can use the technology:&lt;blockquote&gt;I can guarantee everyone that I have zero intention of hoarding Minimal Disclosure Tokens or turning U-Prove into a proprietary Microsoft technology silo. Like, it’s 2008, right?  Give me a break, guys!&lt;/blockquote&gt;Well. Given the fact that U-Prove is not just about claims flows, but involves fancy advanced cryptography, they really should do everybody a favour and release the source code and some libraries that contain the algorithm under a free license, and donate the patent to the public domain.&lt;br /&gt;&lt;br /&gt;First of all, because yes - it's 2008, and &lt;a href="http://www.iht.com/articles/2007/01/17/yourmoney/media.php"&gt;"free is the new paid"&lt;/a&gt;, as even the IHT has discovered in January 2007.&lt;br /&gt;&lt;br /&gt;Second, because yes - it's 2008, and there has been an alternative product out there under a free license for more than a year. IBM Research Labs Zurich have finished their &lt;a href="http://www.zurich.ibm.com/security/idemix/"&gt;Idemix&lt;/a&gt; identity software that works with zero-knowledge proofs in January 2007. It is &lt;a href="http://wiki.eclipse.org/Idemix_and_Higgins"&gt;part of the Higgins identity suite&lt;/a&gt; and will be available under an open source license. (The Eclipse lawyers seem to have been &lt;a href="http://mailman.netmesh.us/pipermail/osis-general/2008-February/000782.html"&gt;looking into this for more than a year&lt;/a&gt;, though. 
Does anybody know about the current status?)&lt;br /&gt;&lt;br /&gt;Third, because yes - it's 2008, &lt;a href="http://www.schneier.com/crypto-gram-0205.html#1"&gt;it's not 1882 anymore&lt;/a&gt;, to quote Bruce Schneier again:&lt;br /&gt;&lt;blockquote&gt;A basic rule of cryptography is to use published, public, algorithms and protocols. This principle was first stated in 1883 by Auguste Kerckhoffs.&lt;/blockquote&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/1213469341378010961/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=1213469341378010961' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1213469341378010961'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1213469341378010961'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/03/microsoft-buys-privacy-friendly.html' title='Microsoft buys Privacy-Friendly Identity Technology'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-519357398657407427</id><published>2008-03-05T15:55:00.008+01:00</published><updated>2008-03-05T22:38:56.335+01:00</updated><title type='text'>Statement on "Identity Management and Reputation" for OECD Ministerial Meeting</title><content 
type='html'>The OECD is preparing a &lt;a href="http://www.oecd.org/FutureInternet"&gt;ministerial conference on "The Future of the Internet Economy"&lt;/a&gt; in Seoul in June. Civil Society groups have been &lt;a href="http://thepublicvoice.org/events/oecdministerial.html"&gt;working together&lt;/a&gt; for a few months in order to coordinate their input and activities. The executive summary (well, more a shortened version) of our joint statement has just been sent to the OECD secretariat. I happened to draft and revise the chapter on "Identity Management and Reputation", which is copied below. Comments and ideas are more than welcome and may end up in the long version, which will be finished in the next 2 weeks.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;OECD Ministerial Meeting &lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Civil Society Background Paper&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;, &lt;span style="font-style: italic;"&gt;Version 1.0, &lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;March 5, 2008&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;span style="font-style: italic;"&gt; &lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;EXECUTIVE SUMMARY&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Future of the Internet Economy&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;‘Fueling Creativity, Ensuring Consumer Protection and Building Confidence, and Benefitting from Convergence’&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;(...) &lt;b&gt;3.4 Identity Management and Reputation&lt;/b&gt;&lt;br /&gt;&lt;p&gt;The Internet is part of consumers’ and citizens' daily lives and shops, banks, insurance companies and governments expect consumers to contact them online for services, advice, information, online payments and online banking. 
In an environment of increasing online fraud and identity theft, identity management and authentication is closely linked to security, privacy and consumer confidence online. The challenges posed by effective identity management include ever increasing use of massive consumer database systems and their integration, user profiling, complex relationships between companies and subsidiaries, and cross-border data flows.&lt;br /&gt;&lt;br /&gt;Systems for electronic identification and authentication have been in place in a number of countries for a few years now, and the experiences clearly show a strong link between privacy and identity. The failure of large-scale single sign-on services in the nineties has shown that citizens and customers are only accepting identification technologies and services if they are sure their privacy is respected at the same time.&lt;br /&gt;&lt;br /&gt;The 2006 OECD Guidance on Electronic Authentication includes two principles that are particularly important from the consumer perspective: the one of proportionality, and the right of privacy.&lt;br /&gt;&lt;br /&gt;While this is a good first step, latest research in online identity management has shown that there are more issues that need to be addressed. Technological development has made significant steps recently that allow for greater security while maintaining individual anonymity. Such systems should be encouraged. Important elements include:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Minimal disclosure: Identity and authentication systems must only provide the information that is needed for the actual transaction. Instead of transferring individualized claims and ID-tokens, it is very often sufficient to transfer anonymous credentials or group credentials that only prove the individual has certain properties, e.g. belonging to a university or being an adult. 
The foundation for this principle is that full anonymity must be the default option, and single information bits are then added consciously and sparingly, according to the actual need. Regulation must ensure that user and citizen data is not collected if it is not needed at all for the transaction or service in question.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Non-Linkability: Digital identifiers have to be constructed in a way that they are only relevant in the specific context they are generated for and can not be linked across contexts and transactions (context sensitivity, directed identity). This will protect users from cross-site and cross-transaction profiling and at the same time significantly shield against identity theft. Identity systems must therefore allow the use of non-linkable and context-specific pseudonyms.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Non-Traceability: Increasingly, online authentication of individuals towards third parties like businesses or government agencies is done by identity providers. Identification systems that are based on this model must ensure that the identity provider can issue context-specific and non-linkable credentials, but can not at the same time trace and track the services the user has used.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;User Control: All identifying information about an individual, especially if transferred in the context of authenticating towards a third party, must flow through the individual’s hands, and it must be readable by the individual. This concept of “user-centric identity” has already matured among technology developers and identity architects. This concept must become the basis for general identification and authentication systems in the public and private sector. 
As opposed to recent developments in ITU-T Focus Group on IdM, OECD should take a lead in encouraging this privacy-enhancing approach on the international level.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Application to Government-issued Identity Tokens: The above-mentioned principles are especially relevant when moving towards government-issued identity tokens. In the offline world, we can show an ID card or a drivers’ license without the issuing agency knowing about this. The same amount of privacy has to be built into online identity systems.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Persistence of Paper-Based Identification: Especially when dealing with e-government services, legislation must ensure that citizens are not forced to use these and can still use paper-based documents as a valid and significant option.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Relationship Information Belongs to Both Parties: Social networking platforms and other services that enable the online management of relationships like friendships or relations to schoolmates and colleagues have to take into account that information about a relationship belongs to both parties. 
Therefore, services allowing users to describe, publish, process and transfer information about these relationships have to ensure this can only be done when both parties have agreed to it under the same conditions.&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style: italic;"&gt;For these reasons, OECD member countries should:&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;actively engage in informing society and the public at large about the dimensions and possible problems of digital identity solutions.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;implement the OECD Recommendation on Electronic Authentication.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;encourage the development and deployment of identity management systems that fully adhere to the principles of user control and user-centricity.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;encourage research and knowledge transfer about identity-solutions that incorporate the principles mentioned above.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;investigate what kind of redress processes individuals should have at their disposal for information about them.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;enact legislation that offers reasonable, effective and inexpensive means of redress for individuals whose reputation is endangered by automated and user-generated rating and reputation systems, or by the publication of information about them.&lt;/li&gt;&lt;/ul&gt;&lt;i&gt;To vendors:&lt;/i&gt;&lt;p&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Companies who implement stronger authentication practices for online payment systems should not require consumers to accept more responsibility or liability (e.g. 
lesser chargeback rights) than is reasonable in the circumstances.&lt;/li&gt;&lt;/ul&gt;&lt;i&gt;To developers:&lt;/i&gt;&lt;p&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Designers of authentication and ID management systems, as well as businesses, who require consumers to use particular systems, should be held liable for losses incurred as a result of deficiencies of, or failures in their systems.&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/519357398657407427/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=519357398657407427' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/519357398657407427'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/519357398657407427'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/03/statement-on-identity-management-and.html' title='Statement on &quot;Identity Management and Reputation&quot; for OECD Ministerial Meeting'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-2469692737319663136</id><published>2008-03-04T03:20:00.006+01:00</published><updated>2008-03-04T04:37:18.469+01:00</updated><title type='text'>Data Portability? 
Portable People!</title><content type='html'>Drama 2.0 has a great &lt;a href="http://mashable.com/2008/03/02/data-portability-boring/"&gt;guest comment&lt;/a&gt; at Mashable on the concept of "data portability", which means that people may be able to take their identity and social graph data from one Web2.0 platform and move it to a new one. There's been a lot of hype around this recently, but he says: "Data portability is boring":&lt;br /&gt;&lt;blockquote&gt;I think the name reveals what’s wrong with the concept: “data.” Yes, data is important, but the data collected by Web 2.0 services isn’t what makes those services compelling- it’s the fact that real people you have some connection to are using them too. I could take my Facebook “data” with me to another Web 2.0 service, but if the friends “contained” within that data aren’t using that service, what’s the point?&lt;br /&gt;&lt;br /&gt;Obviously, data portability goes beyond simple lists of friends, but in the context of consumer Web 2.0 services, I think technologists who now consider the addition of “social” features to existing applications to be innovation ironically overlook the fact that data and technology don’t drive the popularity of Web 2.0 services – people do.&lt;br /&gt;&lt;br /&gt;Without active, engaged and passionate users who perceive some value in using the Internet as a platform for social interaction, a Web 2.0 service probably isn’t going anywhere, regardless of data portability.&lt;/blockquote&gt;The great British blues-rock band &lt;a href="http://en.wikipedia.org/wiki/Ten_Years_After"&gt;Ten Years After&lt;/a&gt; had a track on their 1979 album "Alvin Lee &amp;amp; Company" which was called "Portable People":&lt;br /&gt;&lt;blockquote&gt;See them at the airport with their cases in their hand&lt;br /&gt;Got a ten day package in another land&lt;br /&gt;They're the jet age gypsies with a super-sonic sound&lt;br /&gt;They're the portable people, and they take themselves 
around&lt;/blockquote&gt;The cases, airports and super-sonic jets nicely illustrate how much effort people take in order to work with or meet other people. Real people, not their de-contextualized data representations.&lt;br /&gt;&lt;br /&gt;Drama 2.0 also points out the privacy problems of data portability, but I've blogged about those &lt;a href="http://bendrath.blogspot.com/2008/01/data-portability-or-context-control.html"&gt;before&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;(Mashable story &lt;a href="http://www.identitywoman.net/?p=722"&gt;via&lt;/a&gt;)</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/2469692737319663136/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=2469692737319663136' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/2469692737319663136'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/2469692737319663136'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/03/data-portability-portable-people.html' title='Data Portability? 
Portable People!'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-4988832800085367525</id><published>2008-02-28T02:27:00.007+01:00</published><updated>2008-02-28T03:23:42.753+01:00</updated><title type='text'>Germany: New Basic Right to Privacy of Computer Systems</title><content type='html'>The German Constitutional Court on 27 February 2008 published a &lt;a href="http://www.bverfg.de/entscheidungen/rs20080227_1bvr037007.html"&gt;landmark ruling&lt;/a&gt; about the constitutionality of secret online searches of computers by government agencies. The decision constitutes a new "basic right to the confidentiality and integrity of information-technological systems" as derived from the German Constitution.  &lt;p&gt; The journalist and privacy activist Bettina Winsemann, the politician Fabian Brettel (Left Party), the lawyer and former federal minister for the interior Gerhart Baum (Liberal Party), and the lawyers Julius Reiter and Peter Schantz had challenged the constitutionality of a December 2006 &lt;a href="http://bendrath.blogspot.com/2006/09/license-to-hack-domestic-internet.html"&gt;amendment&lt;/a&gt; to the law about the domestic intelligence service of the federal state of North-Rhine Westphalia. The amendment had introduced a right for the intelligence service to "covertly observe and otherwise reconnoitre the Internet, especially the covert participation in its communication devices and the search for these, as well as the clandestine access to information-technological systems among others by technical means" (paragraph 5, number 11). 
Parts of the challenges also addressed other amendments which are not covered here. &lt;/p&gt; &lt;p&gt; Today's decision is widely considered a landmark ruling, because it constitutes a new "basic right to the confidentiality and integrity of information-technological systems" as part of the general personality rights in the German constitution. The reasoning goes:&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;"From the relevance of the use of information-technological systems for the expression of personality (Persönlichkeitsentfaltung) and from the dangers for personality that are connected to this use follows a need for protection that is significant for basic rights. The individual is depending upon the state respecting the justifiable expectations for the integrity and confidentiality of such systems with a view to the unrestricted expression of personality." (margin number 181) &lt;/blockquote&gt;The decision complements earlier landmark privacy rulings by the Constitutional Court that had introduced the "right to informational self-determination" (1983) and the right to the "absolute protection of the core area of the private conduct of life" (2004). &lt;p&gt;&lt;/p&gt; &lt;p&gt; Information-technical systems that are protected under the new basic right are all systems that&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;"alone or in their technical interconnectedness can contain personal data of the affected person in a scope and multiplicity such that access to the system makes it possible to get insight into relevant parts of the conduct of life of a person or even gather a meaningful picture of the personality." (margin number 203) &lt;/blockquote&gt;This includes laptops, PDAs and mobile phones. &lt;p&gt;&lt;/p&gt; &lt;p&gt; The decision also gives very strict exceptions for breaking this basic right. 
Only if there are "factual indications for a concrete danger" in a specific case for the life, body and freedom of persons or for the foundations of the state or the existence of humans, government agencies may use these measures after approval by a judge. They do not, however, need a sufficient probability that the danger will materialize in the near future. Online searches can therefore not be used for normal criminal investigations or general intelligence work. &lt;/p&gt; &lt;p&gt; If these rare conditions are met, secret online searches may only be used if there are steps taken to protect the core area of the private conduct of life, which includes communication and information about inner feelings or deep relationships. These protections have to include technical measures that aim at avoiding the collection of data from this core area. The Court goes on:&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;"If there are concrete indications in the specific case that a certain measure for gathering data will touch the core area of the conduct of private life, it has to remain principally undone." (margin number 281)&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;If data from this core area is accidentally collected, it must be deleted immediately and can not be used or forwarded in any case. &lt;/p&gt; &lt;p&gt; Reactions to the decision were mixed. The opposition parties and many civil liberties groups acclaimed the birth of the new basic right with constitutional status and the high hurdles for any future use of governmental spyware. Others, among them many bloggers, were sceptical about the exception clauses and how far they can be stretched by the government in future legislation and practice. 
&lt;/p&gt;  &lt;p&gt; Secret online searches of personal hard drives and other storage media had been subject to intense political debate in Germany over the last year after the federal government had to admit it had already tried online searches for criminal investigations without legal grounds and was stopped by the Federal High Court. The federal government as well as several states plan to enact similar possibilities for their intelligence and law enforcement agencies, while the opposition parties and parts of the ruling Social Democrats are strictly against it. Privacy activists have called the plan "Federal Trojan" ("Bundestrojaner"). A real-life sized model of a trojan horse in Germany's national colors which was built by activists from the &lt;a href="http://www.ccc.de/"&gt;Chaos Computer Club (CCC)&lt;/a&gt; and used at several protest marches will soon be exhibited in the Museum of German History in Bonn.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_memBhDtxhTw/R8YVnTcu_oI/AAAAAAAAACA/kbqN209byU4/s1600-h/Bundestrojaner-Karlsruhe-2007.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_memBhDtxhTw/R8YVnTcu_oI/AAAAAAAAACA/kbqN209byU4/s400/Bundestrojaner-Karlsruhe-2007.jpg" alt="" id="BLOGGER_PHOTO_ID_5171844987061468802" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:78%;"&gt;The "Federal Trojan" in front of the Constitutional Court during its hearing on the case on 10 October 2007. 
Picture  by &lt;a href="http://www.flickr.com/photos/leralle/"&gt;Leralle&lt;/a&gt;, licensed under Creative Commons BY-NC-SA 2.0 Germany.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Federal Minister for the Interior Wolfgang Schäuble (Christian Democrats) said he expects that the coalition will soon agree on a bill to give the Federal Criminal Agency (BKA) the legal possibility to use online searches in the fight against international terrorism. Privacy advocates pointed out that Schäuble now at least has to stick to a very narrow definition of fighting terrorist dangers and can not use this as a disguise for introducing general and far-reaching surveillance of personal computer systems. &lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Links: &lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.bverfg.de/pressemitteilungen/bvg08-022.html"&gt;Constitutional Court Press Release&lt;/a&gt; (in German, 27.02.2008)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.bverfg.de/entscheidungen/rs20080227_1bvr037007.html"&gt; Constitutional Court Decision&lt;/a&gt;&lt;a href="http://www.bverfg.de/entscheidungen/rs20080227_1bvr037007.html"&gt; (BVerfG, 1 BvR 370/07)&lt;/a&gt; (in German, 27.02.2008)&lt;a href="http://www.bverfg.de/entscheidungen/rs20080227_1bvr037007.html"&gt;&lt;br /&gt;&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://video.google.com/videoplay?docid=8630696719785982383&amp;amp;hl=en"&gt; Video&lt;/a&gt; from the announcing of the decision&lt;a href="http://video.google.com/videoplay?docid=8630696719785982383&amp;amp;hl=en"&gt;&lt;br /&gt;&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://netzpolitik.org/2008/die-entscheidung-online-durchsuchung-beim-bundesverfassungsgericht/"&gt; Comprehensive press and background coverage&lt;/a&gt; (in German)&lt;/li&gt;&lt;li&gt;Deutsche Welle: &lt;a href="http://www.dw-world.de/dw/article/0,2144,3152627,00.html"&gt;Germany's Highest Court Restricts Internet Surveillance&lt;/a&gt; 
(27.02.2008)&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;This article also &lt;/span&gt;&lt;a style="font-style: italic;" href="http://www.edri.org/edrigram/number6.4/germany-constitutional-searches"&gt;appeared&lt;/a&gt;&lt;span style="font-style: italic;"&gt; in the "EDRI-gram" newsletter by &lt;/span&gt;&lt;a style="font-style: italic;" href="http://www.edri.org/"&gt;European Digital Rights (EDRi)&lt;/a&gt;&lt;span style="font-style: italic;"&gt;,  number 6.4, 27 February 2008.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-4988832800085367525?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/4988832800085367525/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=4988832800085367525' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4988832800085367525'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4988832800085367525'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/02/germany-new-basic-right-to-privacy-of.html' title='Germany: New Basic Right to Privacy of Computer Systems'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_memBhDtxhTw/R8YVnTcu_oI/AAAAAAAAACA/kbqN209byU4/s72-c/Bundestrojaner-Karlsruhe-2007.jpg' height='72' 
width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-4750067090911717932</id><published>2008-02-26T04:29:00.002+01:00</published><updated>2008-02-26T04:37:22.017+01:00</updated><title type='text'>Data Collection, not Data Handling is the Problem</title><content type='html'>Gerry Gebel from the Burton Group &lt;a href="http://identityblog.burtongroup.com/bgidps/2008/02/its-more-than-p.html"&gt;points out&lt;/a&gt; the relevance of the principle of data minimization. Nothing exactly new, but nicely phrased:&lt;br /&gt;&lt;blockquote&gt;Typical privacy policies have two sections: the first section expresses the sincere concern of the internet property when handling your personal data and they share at least some of their intended uses of your data. The second part of the policy then goes on to say exactly how the internet property is going to violate your privacy by evaluating traffic patterns, sharing data with partners, etc. (...)&lt;br /&gt;&lt;br /&gt;[I]t's not the privacy policy that is at issue. It's the data collection policy that must be examined - especially as it relates to transaction metadata. 
Now is the time to think about new data models that are better suited to 21st century commerce.&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-4750067090911717932?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/4750067090911717932/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=4750067090911717932' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4750067090911717932'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4750067090911717932'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/02/data-collection-not-data-handling-is.html' title='Data Collection, not Data Handling is the Problem'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-4433132563715044191</id><published>2008-02-21T18:15:00.002+01:00</published><updated>2008-02-21T18:37:09.949+01:00</updated><title type='text'>IdentityCamp Bremen, 7-8 June 2008</title><content type='html'>We* are organizing &lt;a href="http://barcamp.org/IdentityCampBremen"&gt;IdentityCampBremen&lt;/a&gt;, the first German &lt;a href="http://barcamp.org/"&gt;BarCamp&lt;/a&gt; that specifically focuses on issues like Identity 2.0, Single-Sign-On, reputation management, relationship management, Privacy 2.0 and related stuff. 
It will take place in the nice town of &lt;a href="http://en.wikipedia.org/wiki/Bremen"&gt;Bremen&lt;/a&gt; in Northern Germany on the weekend of 7th and 8th June 2008.&lt;br /&gt;&lt;br /&gt;We just decided about this last night, so we are now looking for participants and thematic ideas, for a location, for sponsors and for volunteers. It is a bit unusual to go public with an event that does not even have a venue and a programme yet, but hey, this is the &lt;a href="http://www.cleverclevergirl.com/?p=10"&gt;whole idea of BarCamps&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;So: &lt;span style="font-weight: bold;"&gt;Please spread the word and participate.&lt;/span&gt; The &lt;a href="http://barcamp.org/IdentityCampBremen"&gt;wiki page&lt;/a&gt; is where everything is collected. At the moment it is planned as a German-only event. If a significant number of non-German speaking people are interested, we may think about a solution for that.&lt;br /&gt;&lt;br /&gt;(*) Who is "we"? The idea emerged out of an interdisciplinary network of people interested in Identity 2.0 with a privacy perspective. We had three substantive workshops over the last few months and were looking for something more public to do next. 
Fortunately, the Bremen Agency for Innovation has offered support now, and we decided to prepare a BarCamp right away.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-4433132563715044191?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/4433132563715044191/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=4433132563715044191' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4433132563715044191'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4433132563715044191'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/02/identitycamp-bremen-7-8-june-2008.html' title='IdentityCamp Bremen, 7-8 June 2008'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-148754584344503365</id><published>2008-02-19T19:22:00.004+01:00</published><updated>2008-02-19T19:35:53.987+01:00</updated><title type='text'>Facebook sceptical about Data Portability</title><content type='html'>Chris Kelly, Facebook's chief privacy officer, &lt;a href="http://www.infoworld.com/article/08/02/08/Facebook-privacy-chief-Data-portability-dangers-overlooked_1.html"&gt;says&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;We joined the &lt;a href="http://www.dataportability.org/"&gt;Data Portability Workgroup&lt;/a&gt; because we want to show that 
we're serious about having that conversation. But to just say that you can have a completely open system ignores that there are serious privacy and security challenges about that.&lt;br /&gt;&lt;/blockquote&gt;You can now say that they understand the privacy problems of linking the silos and building interfaces for exchanging what is essentially personal information. You can also say that they just want to protect their business model and not share the Facebook user base with others. Or you can say that these arguments are not mutually exclusive. Bob Blakley has developed a similar &lt;a href="http://identityblog.burtongroup.com/bgidps/2007/10/what-the-identi.html"&gt;privacy business argument&lt;/a&gt; around his model of an &lt;a href="http://notabob.blogspot.com/2006/07/meta-identity-system.html"&gt;Identity Oracle&lt;/a&gt; last year.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-148754584344503365?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/148754584344503365/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=148754584344503365' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/148754584344503365'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/148754584344503365'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/02/facebook-sceptical-about-data.html' title='Facebook sceptical about Data Portability'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-9214480554102825086</id><published>2008-02-19T18:54:00.004+01:00</published><updated>2008-02-19T19:21:50.312+01:00</updated><title type='text'>The Economist on e-Identity and e-Government</title><content type='html'>The Economist has a &lt;a href="http://www.economist.com/specialreports/displaystory.cfm?story_id=10638222"&gt;special section on e-government&lt;/a&gt; around the world in its latest issue. One article is about &lt;a href="http://www.economist.com/specialreports/displaystory.cfm?story_id=10638196"&gt;e-identity&lt;/a&gt; in this context. Subtitle:&lt;br /&gt;&lt;blockquote&gt;It's best for governments not to know too much.&lt;/blockquote&gt;&lt;a href="http://www.identityblog.com/"&gt;Kim Cameron&lt;/a&gt; is quoted at length, but they also cover experiences from the UK and elsewhere about how little citizens trust their governments to handle their data with care.&lt;br /&gt;&lt;blockquote&gt;The hard lesson for governments is that citizens will adopt technology when it is both optional and beneficial to them, but resist it strenuously when it is compulsory, no matter how sensible it may seem.&lt;br /&gt;&lt;/blockquote&gt;They also have interesting lessons from other experts:&lt;blockquote&gt;&lt;a href="http://www.cl.cam.ac.uk/%7Erja14/"&gt;Ross Anderson&lt;/a&gt; (...) argues that local systems are far more secure than national ones. Patient data held at a GP practice may be vulnerable to a security lapse on the premises, but the damage will be limited. “You can have security, or functionality, or scale—you can even have any two of these. 
But you can't have all three, and the government will eventually be forced to admit this.&lt;br /&gt;&lt;/blockquote&gt;And an interesting analogy to environmental protection:&lt;br /&gt;&lt;blockquote&gt;&lt;a href="http://www.cl.cam.ac.uk/%7Ernc1/"&gt;Richard Clayton&lt;/a&gt; (...) says that personal information should be treated like plutonium pellets: “Kept in secure containers, handled as seldom as possible and escorted whenever it has to travel. Should it get out into the environment, it will be a danger for years to come. Putting it into one huge pile is really asking for trouble.”&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-9214480554102825086?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/9214480554102825086/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=9214480554102825086' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/9214480554102825086'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/9214480554102825086'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/02/economist-on-e-identity-and-e.html' title='The Economist on e-Identity and e-Government'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-4567474873008974822</id><published>2008-02-18T01:59:00.003+01:00</published><updated>2008-02-18T02:36:29.377+01:00</updated><title type='text'>Privacy in Social Networks: It's contextual, Stupid!</title><content type='html'>&lt;a href="http://www.moli.com/"&gt;Moli&lt;/a&gt; is a new Social Networking Site that allows users to maintain different personae with different profiles, while still providing the ease-of-use of a single login and user name. I am happy to see that companies are starting to experiment with the concept of privacy as contextual awareness, and Moli even has "control your privacy" as their corporate motto in the logo. This shows a growing awareness among SNS that (at least a significant portion of the) users get increasingly impatient with the "give all information, share all, and with everybody" approach that many of the sites incorporate.&lt;br /&gt;&lt;br /&gt;Michael Zimmer on the other hand &lt;a href="http://michaelzimmer.org/2008/02/11/moli-maintaining-multiple-personas-online-sharing-more-personal-information/"&gt;points at a number of serious issues&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;Moli, while pitching themselves as privacy-friendly, might actually pose a &lt;em&gt;greater threat&lt;/em&gt; to user privacy than Facebook. Given that I have less control over who can see my profile at Facebook, there is some information I’m simply not willing to share on that platform. But since Moli provides me a simple way to manage multiple personae, it is perhaps &lt;em&gt;more&lt;/em&gt; likely that I would divulge more &lt;em&gt;personal&lt;/em&gt; information. 
If I can create 4 different personae (say, one highlighting my professional life, one detailing my music and cultural interests, one focusing on my sexual fetishes, and one for my family members), I certainly will be disclosing much more personal information than my single Facebook profile. And while I can set the privacy levels for each profile, &lt;em&gt;Moli gets to see it all.&lt;br /&gt;&lt;/em&gt;&lt;/blockquote&gt;The general idea here is to have many silos on the same platform. Why can't we just maintain the silos un-linked? Part of the problem is not the front-end and what other users can see (there are already a number of SNS that allow me to fine-tune what each individual user can see about me), but the fact that all the different personae are linked by a single sign-on ID. And by the way: Nobody keeps me from setting up different personae at MySpace or Facebook anyway. The only difference seems to be the ease-of-use argument, and this will soon be non-existent if technologies like &lt;a href="http://en.wikipedia.org/wiki/Windows_CardSpace"&gt;CardSpace&lt;/a&gt; with self-issued cards become more widely accepted.&lt;br /&gt;&lt;br /&gt;More on this in &lt;a href="http://www.technologyreview.com/Infotech/20183/page1/?a=f"&gt;Technology Review&lt;/a&gt; and a &lt;a href="http://michaelzimmer.org/2008/02/15/more-on-moli-and-designing-for-privacy/"&gt;follow-up post by Michael&lt;/a&gt;, who was immediately contacted by Moli executives.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-4567474873008974822?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/4567474873008974822/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=4567474873008974822' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4567474873008974822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4567474873008974822'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/02/privacy-in-social-networks-its.html' title='Privacy in Social Networks: It&apos;s contextual, Stupid!'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-3643561308480647987</id><published>2008-02-13T01:13:00.001+01:00</published><updated>2008-02-18T15:48:07.705+01:00</updated><title type='text'>Webwide Reputation System seen as Killer App - but is it?</title><content type='html'>Techcrunch is holding an &lt;a href="http://www.techcrunch.com/2008/02/12/building-a-killer-web-app-in-45-minutes/"&gt;online survey&lt;/a&gt; to prepare for the upcoming &lt;a href="http://futureofwebapps.com/2008/miami/"&gt;Future of Web Apps&lt;/a&gt; conference in Miami.&lt;br /&gt;&lt;blockquote&gt;If you could  gather together some of the smartest Web developers and ask them to brainstorm a  killer app for you, what would you ask them to build? 
Oh, and they will only  have 45 minutes to do it.&lt;br /&gt;&lt;/blockquote&gt;Among the first roughly 1800 votes cast so far, a clear (relative) majority of readers was interested in a "webwide reputation system".&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_memBhDtxhTw/R7I5zzcu_mI/AAAAAAAAABw/OLYoVM-9cXE/s1600-h/Techcrunch-Umfrage_Web-Killer-App_2_2008.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 428px; height: 272px;" src="http://2.bp.blogspot.com/_memBhDtxhTw/R7I5zzcu_mI/AAAAAAAAABw/OLYoVM-9cXE/s400/Techcrunch-Umfrage_Web-Killer-App_2_2008.jpg" alt="" id="BLOGGER_PHOTO_ID_5166255284694220386" border="0" /&gt;&lt;/a&gt;I also think managing your online reputation is one of the major challenges at the moment, and I recommend anybody interested in this to read Daniel Solove's book on "the future of reputation" and other literature around this. But I am not sure it can be addressed by hacking together some PHP scripts in 45 minutes. In fact, I am not sure the reputation problem can be "solved" like this at all. Reputation is much more complex to model than e.g. identity, which already has driven furious debates among developers, architects, users and privacy advocates.&lt;br /&gt;&lt;br /&gt;The idea behind a webwide reputation system seems to be like this: "Wouldn’t it be cool to take my high reputation I earned on eBay and use it for Amazon? Or transfer my Slashdot karma to MySpace?" But you quickly figure that while some of these social networking and IdM platforms already have APIs, there is no real standard for interchanging reputation. In the end, it is because your reputation on MySpace does say as much about your reliability as an eBay seller as my reputation among the hacker community can convince my banker to raise my credit line. 
It's not a technology problem, but one of semantics and context-sensitivity.&lt;br /&gt;&lt;br /&gt;The problem is similar to the &lt;a href="http://bendrath.blogspot.com/2007/10/social-graph-google-privacy-and.html"&gt;"social graph" idea&lt;/a&gt;. My friends and social relations on Myspace are different than my professional contacts on XING or LinkedIn, and they are for a good reason. And so is my reputation in these different spheres, because reputation is also a relationship property. You don't have a reputation on your own, but only as a member of a more or less defined group of others. As you behave and move in different social groups and contexts, your reputations are very different across them. It does not make much sense to link these, I think. Insofar, the term "killer app" might be right: It would kill all social differentiation.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update:&lt;/span&gt; Daniel Solove's book "The Future of Reputation" is now &lt;a href="http://futureofreputation.com/"&gt;available online for free&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-3643561308480647987?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/3643561308480647987/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=3643561308480647987' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3643561308480647987'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3643561308480647987'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/02/webwide-reputation-system-seen-as.html' title='Webwide Reputation System seen as Killer App 
- but is it?'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_memBhDtxhTw/R7I5zzcu_mI/AAAAAAAAABw/OLYoVM-9cXE/s72-c/Techcrunch-Umfrage_Web-Killer-App_2_2008.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-5806951014790271729</id><published>2008-02-09T20:03:00.000+01:00</published><updated>2008-02-09T20:25:16.601+01:00</updated><title type='text'>Profiling, Surveillance Societies, and Privacy Advocacy Networks</title><content type='html'>This sounds like a lot of different things, but these topics were all covered by the presentations I was involved in at the &lt;a href="http://www.rebootconference.com/privacy2008"&gt;Privacy&amp;amp;Security conference&lt;/a&gt; in Victoria/British Columbia over the last few days.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://web.uvic.ca/polisci/bennett/"&gt;Colin Bennett&lt;/a&gt; and I shared a keynote on "Surveillance Societies and the emerging Anti-Surveillance Movement". I covered the "society" part, while Colin presented findings from his upcoming book on the privacy advocates. The slides are &lt;a href="http://userpage.fu-berlin.de/%7Ebendrath/Surveillance-Society-Bendrath-Bennett.ppt"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I also introduced and moderated a panel with the nice title "Data Profiling - Do 'Where You Go' and 'What You Do' Become 'Who You Are'?". 
The slides are &lt;a href="http://userpage.fu-berlin.de/%7Ebendrath/Profiling-Bendrath.ppt"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The rest of the conference was pretty cool, with Lawrence Lessig and Simon Davies as featured keynote speakers, and other great folks like Daniel Solove also speaking. Biggest fun was the closing panel, where Richard Purcell grilled Chris Kelly, the chief privacy officer of Facebook. The conference attracts more than 1000 people nowadays, making it twice as big as the legendary "Computers, Freedom and Privacy" conference (to be fair, it is directed towards a slightly different audience - less geeks, more end-users in the government and private sector). I always like to come back here, even though it is quite a stretch from Europe. The weather could have been better this year, though.&lt;br /&gt;&lt;br /&gt;Oh, and because so many people have asked me where to get the &lt;span style="font-weight: bold;"&gt;"Stasi 2.0" T-Shirts&lt;/span&gt;: You can order them &lt;a href="http://dataloo.spreadshirt.net"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-5806951014790271729?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/5806951014790271729/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=5806951014790271729' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5806951014790271729'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5806951014790271729'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/02/profiling-surveillance-societies-and.html' title='Profiling, Surveillance Societies, and Privacy 
Advocacy Networks'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-510292060884403936</id><published>2008-02-05T20:30:00.000+01:00</published><updated>2008-02-05T20:52:14.935+01:00</updated><title type='text'>Privacy and Surveillance in the EU</title><content type='html'>I am in Victoria this week at the &lt;a href="http://www.rebootconference.com/privacy2008"&gt;Privacy &amp;amp; Security 2008&lt;/a&gt; conference that starts tomorrow.&lt;br /&gt;&lt;br /&gt;Today, I am also updating the Canadian privacy commissioners on EU developments in this field. They asked me to address the latest developments in public sector and national security surveillance plans and projects, but also to give a short overview on the European privacy advocacy networks and the growing anti-surveillance movement.&lt;br /&gt;&lt;br /&gt;Here are the &lt;a href="http://userpage.fu-berlin.de/%7Ebendrath/EU-Update-Bendrath.ppt"&gt;slides&lt;/a&gt;. 
Feedback is of course welcome.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-510292060884403936?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/510292060884403936/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=510292060884403936' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/510292060884403936'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/510292060884403936'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/02/privacy-and-surveillance-in-eu.html' title='Privacy and Surveillance in the EU'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-1784839053822936332</id><published>2008-01-25T01:27:00.000+01:00</published><updated>2008-01-25T19:43:06.521+01:00</updated><title type='text'>Data Portability or Context Control?</title><content type='html'>There has been a lot of chatter about users being entitled to take their data from social networking sites and carrying them somewhere else. While Google's &lt;a href="http://bendrath.blogspot.com/2007/10/social-graph-google-privacy-and.html"&gt;OpenSocial&lt;/a&gt; has not gained much traction yet, the &lt;a href="http://www.dataportability.org/"&gt;Data Portability Working Group&lt;/a&gt; is the talk of the town these days. 
Their "Philosophy" isn't one, but more a collection of metaphors:&lt;br /&gt;&lt;blockquote&gt;As users, our identity, photos, videos and other forms of personal data should be discoverable by, and shared between our chosen (and trusted) tools or vendors. We need a DHCP for Identity. A distributed File System for data.&lt;br /&gt;&lt;/blockquote&gt;And not to forget: We can do it, so we should:&lt;br /&gt;&lt;blockquote&gt;The technologies already exist, we simply need a complete reference design to put the pieces together.&lt;/blockquote&gt;Unfortunately, with Yahoo, MySpace, LinkedIn, Google, Plaxo, Facebook already on board and now &lt;a href="http://dev.live.com/blogs/devlive/archive/2008/01/23/203.aspx"&gt;Microsoft joining&lt;/a&gt;, it looks like there will be even more personal data going around and being used out of context pretty soon.&lt;br /&gt;&lt;br /&gt;Robert Scoble has &lt;a href="http://scobleizer.com/2008/01/03/ive-been-kicked-off-of-facebook/"&gt;tried this manually&lt;/a&gt;: He was running a Plaxo script which exported his Facebook contact information via the Facebook API. As a reaction, his Facebook account was suspended. I think this was a very wise decision, and I am not the only one. &lt;a href="http://identityblog.burtongroup.com/bgidps/2008/01/antisocial-netw.html"&gt;Bob Blakley has it right&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;When you accepted Scoble’s friend request in Facebook, you did it in the context both of a relationship with Scoble and in the context of the rules of a particular social environment (Facebook).&lt;br /&gt;&lt;/blockquote&gt;Michael Arrington has a &lt;a href="http://www.techcrunch.com/2008/01/03/plaxo-flubs-it/"&gt;similar take&lt;/a&gt; on it:&lt;br /&gt;&lt;blockquote&gt;Robert Scoble may be perfectly fine with having my contact information be easily downloaded from Facebook, but I may not be. 
Ultimately it should be me that decides, not him.&lt;br /&gt;&lt;/blockquote&gt;I think it is funny that finally everybody seems to notice that relational information is not a property of just one party. But good to see they finally understand.  I guess this will be the most rewarding challenge in the next few years: Being able to decide where your personal and relational information is used, making sure it stays in the context it was published, and by this establishing audience control. Whoever still works on context-blind portability of personal information will not be part of this next big thing. Ben Laurie has &lt;a href="http://www.links.org/?p=289"&gt;more&lt;/a&gt; on the technical and conceptual issues.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update:&lt;/span&gt; Chris Soghoian has a great extensive discussion of &lt;a href="http://www.cnet.com/8301-13739_1-9854409-46.html"&gt;"The next Facebook privacy scandal"&lt;/a&gt; at CNet.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-1784839053822936332?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/1784839053822936332/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=1784839053822936332' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1784839053822936332'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1784839053822936332'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2008/01/data-portability-or-context-control.html' title='Data Portability or Context Control?'/><author><name>Ralf 
Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-1705124937740839444</id><published>2007-11-28T01:19:00.000+01:00</published><updated>2007-11-29T20:36:42.620+01:00</updated><title type='text'>What have we learned on Identity?</title><content type='html'>&lt;a href="http://www.identitywoman.net/"&gt;Kaliya "Identity Woman" Hamlin&lt;/a&gt; and &lt;a href="http://netmesh.info/jernst/"&gt;Johannes Ernst&lt;/a&gt; are doing a &lt;a href="http://www.surveymonkey.com/s.aspx?sm=Uyc_2bq92sNQU62dTe9xK6NQ_3d_3d"&gt;survey&lt;/a&gt; on the questions we don't have to ask anymore in the digital identity field:&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;What are the questions we are no longer asking ourselves.&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;maybe we figured out the answer,&lt;/li&gt;&lt;li&gt;maybe we figured out we couldn’t answer it,&lt;/li&gt;&lt;li&gt;maybe we figured out it was a question we asked too soon and will surface again.&lt;/li&gt;&lt;li&gt;would anybody think this is useful? [question in the past, not any more]&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;What are the questions we are asking ourselves now?&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;How do identity providers make money? [question now]&lt;/li&gt;&lt;li&gt;What will we be thinking about 6-18 months from now?&lt;/li&gt;&lt;li&gt;How to aggregate claims from multiple identity sources? 
[question 12 months from now]&lt;/li&gt;&lt;/ul&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-1705124937740839444?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/1705124937740839444/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=1705124937740839444' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1705124937740839444'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1705124937740839444'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/11/what-have-we-learned-on-identity.html' title='What have we learned on Identity?'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-3319722435196050838</id><published>2007-11-26T21:41:00.000+01:00</published><updated>2007-11-26T22:20:01.396+01:00</updated><title type='text'>Facebook as a Government</title><content type='html'>Fred Stutzman has a very thoughtful &lt;a href="http://chimprawk.blogspot.com/2007/11/were-not-sheep-youre-just-not-paying.html"&gt;post&lt;/a&gt; on the recent "innovations" at Facebook and what they do to the relationship between the brand and the users:&lt;br /&gt;&lt;blockquote&gt;Facebook's brand represents a place, that place being a virtual community made up of our friends, family and contacts. 
To put it more bluntly, at the macro level, we're brand agnostic when it comes to social network sites - we go where our friends are. Over the years, we've reified the commodity nature of these networks, migrating every few years. (...)&lt;br /&gt;&lt;br /&gt;So if we really imagine Facebook as a collection of our friends, what does the brand entity of Facebook represent? The brand entity of Facebook is governmental; the only time one interacts with Facebook as entity is when they are being controlled or punished. Facebook as brand represents surveillance and domination.&lt;br /&gt;&lt;/blockquote&gt;Read the rest &lt;a href="http://chimprawk.blogspot.com/2007/11/were-not-sheep-youre-just-not-paying.html"&gt;here&lt;/a&gt;. And read his &lt;a href="http://chimprawk.blogspot.com/2007/11/perspectives-on-facebooks-beacon.html"&gt;other&lt;/a&gt; &lt;a href="http://chimprawk.blogspot.com/2007/11/facebooks-beacon-and-boundary-states.html"&gt;pieces&lt;/a&gt; on &lt;a href="http://www.techcrunch.com/2007/11/06/liveblogging-facebook-advertising-announcement/"&gt;Facebook's "Beacon"&lt;/a&gt;:&lt;blockquote&gt;Users will be forced to realize that their Facebook identity "follows" them through the web. As a result, Facebook users will be forced to reevaluate all of their activities on the social web. (...) &lt;a href="http://weblog.terrellrussell.com/"&gt;Terrell Russell&lt;/a&gt; summed it up nicely: The social web now has landmines. 
When we browse sites, we're forced to wonder "Will this show up in Facebook."&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-3319722435196050838?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/3319722435196050838/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=3319722435196050838' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3319722435196050838'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3319722435196050838'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/11/facebook-as-government.html' title='Facebook as a Government'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-6061099684014409378</id><published>2007-11-10T20:21:00.000+01:00</published><updated>2007-11-10T20:24:02.733+01:00</updated><title type='text'>Privacy and Internet Governance in Rio</title><content type='html'>I arrived in Rio de Janeiro last night to attend the second &lt;a href="http://www.intgovforum.org/"&gt;Internet Governance Forum&lt;/a&gt;, a massive multi-stakeholder global policy dialogue organized by the United Nations. I am mainly doing field research for a study on NGO participation I am about to finish this year. 
But I am also involved in a couple of events here which I am very much looking forward to:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;a workshop &lt;a href="http://www.intgovforum.org/wks_session_info.php?numes=29"&gt;"Security and Privacy Challenges for new Internet Applications: A Multi-stakeholder approach"&lt;/a&gt; I have organized together with colleagues from the LSE and the French Government&lt;/li&gt;&lt;li&gt;a workshop "&lt;a href="http://www.intgovforum.org/wks_session_info.php?numes=19"&gt;Privacy in Internet Identity Management: Emerging Issues and New Approaches&lt;/a&gt;" I have organized together with a colleague from Harvard and the Identity Commons&lt;/li&gt;&lt;li&gt;the meeting of the &lt;a href="http://wiki.igf-online.net/wiki/Privacy"&gt;Dynamic Coalition on Privacy&lt;/a&gt;, a kind-of multi-stakeholder working group on privacy issues that must not be called a working group in UN terminology&lt;/li&gt;&lt;li&gt;the main IGF session on security, where I was asked to be a panelist&lt;/li&gt;&lt;li&gt;the scholarly &lt;a href="http://www.igloo.org/community.igloo?r0=community&amp;amp;r0_script=/scripts/folder/view.script&amp;amp;r0_pathinfo=%2F%7B58dacb33-31ea-4219-9124-89a75ffe71d0%7D%2FResearch%20Annual%20Symposium&amp;amp;r0_output=xml"&gt;annual symposium&lt;/a&gt; of the &lt;a href="http://www.igloo.org/giganet"&gt;Global Internet Governance Academic Network&lt;/a&gt; (GIGANet), where I served in the programme committee this year.&lt;/li&gt;&lt;/ul&gt;And all this (and more) will happen in just one week. I am afraid I won't have any time to go to Copacabana or Ipanema at all, though this is my first time in Rio. But the conference will be fascinating enough, as there are so many smart people from all parts of the world and with so many different backgrounds. 
Even last night, after an 18-hour trip and pretty tired, I got stuck in an inspiring discussion with a Hungarian hacker about how to develop a materialist critique of human rights discourses (privacy etc.) under conditions of social networking technologies. Wow.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-6061099684014409378?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/6061099684014409378/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=6061099684014409378' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6061099684014409378'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6061099684014409378'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/11/privacy-and-internet-governance-in-rio.html' title='Privacy and Internet Governance in Rio'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-665713518370799842</id><published>2007-11-05T23:11:00.000+01:00</published><updated>2007-11-05T23:20:11.237+01:00</updated><title type='text'>Keysigning Parties with Barbie Dolls</title><content type='html'>This is &lt;a href="http://blog.wired.com/27bstroke6/2007/11/barbie-becomes-.html"&gt;too ridiculous&lt;/a&gt;:&lt;br /&gt; &lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt; Sally brings her Barbie 
Girl over to her friend Tiffany's house, and sets it in Tiffany's docking station -- which is plugged into a USB port on Tiffany's PC.  Mattel's (Windows only) software apparently reads some sort of globally unique identifier embedded in Sally's Barbie Girl, and authenticates Sally as one of Tiffany's Best Friends. Now when Sally gets home, the two can talk in Secret B Chat. (If Sally's parents can't afford the gadget, then she has no business calling herself Tiffany's best friend.) &lt;/p&gt;&lt;/blockquote&gt;And what is the added value of doing this? Believe it or not: The Barbie owners can then exclusively use Mattel's chat system Secret B that limits their expression to a white list of approved words. Oh yes, and as all these dolls seem to have a globally unique identifier, Mattel can probably track who is chatting, when, and with whom (the authentication software is proprietary and runs only on Windows).&lt;br /&gt;&lt;br /&gt;Who on earth still believes that today's kids don't know how to use standard IM and social networking software?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-665713518370799842?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/665713518370799842/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=665713518370799842' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/665713518370799842'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/665713518370799842'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/11/keysigning-parties-with-barbie-dolls.html' title='Keysigning Parties with Barbie Dolls'/><author><name>Ralf 
Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-4155057195058881424</id><published>2007-10-31T21:31:00.000+01:00</published><updated>2007-11-02T07:20:18.341+01:00</updated><title type='text'>The Social Graph, Google, Privacy, and Usability</title><content type='html'>The discussion about developing open standards for social networking has accelerated drastically since Brad Fitzpatrick's piece on the &lt;a href="http://bradfitz.com/social-graph-problem/"&gt;"Social Graph"&lt;/a&gt;  was published (more correct would be &lt;a href="http://www.scripting.com/stories/2007/09/21/howToAvoidSoundingLikeAnMo.html"&gt;"social network"&lt;/a&gt;, as Dave Winer reminds us monkeys). The idea is to have a set of common standards and interfaces for exchanging data across platforms. The usual reasoning in favour of this has two variants:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;"I don't want to have to connect to all my friends again when I enter a new social networking platform." (usability argument)&lt;/li&gt;&lt;li&gt;"We have to move beyond the 'silos' and 'walled gardens'. Open standards will level the playing field for smaller companies and users alike." (moral argument) &lt;/li&gt;&lt;/ul&gt;When Brad got hired by Google in August, other companies like Facebook became nervous. Facebook had been leading social networking innovation with the possibility for everybody to develop &lt;a href="http://www.facebook.com/apps/"&gt;applications&lt;/a&gt; that run on top of their system. 
For a while, Google has been leaking bits and pieces on their competing project dubbed &lt;a href="http://blogs.zdnet.com/BTL/?p=6223"&gt;"Maka-Maka"&lt;/a&gt; ("friend"), which was said to &lt;a href="http://www.techcrunch.com/2007/09/21/google-to-out-open-facebook-on-november-5/"&gt;"out-open" Facebook&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Now, John Battelle has published a &lt;a href="http://battellemedia.com/archives/004058.php"&gt;draft press release&lt;/a&gt; on this which Google intended to publish tomorrow. Maka-Maka is now - more soberly - called "OpenSocial", and it consists of a set of &lt;span lang="en"&gt;application programming interfaces&lt;/span&gt;&lt;i&gt;&lt;span lang="en"&gt; (&lt;/span&gt;&lt;/i&gt;APIs) that are supposed to work across platforms:&lt;br /&gt;&lt;blockquote&gt;The release of OpenSocial marks the first time that multiple social networks have been made accessible under a common API to make development and distribution easier and more efficient for developers. 
(...)&lt;br /&gt;&lt;br /&gt;The OpenSocial APIs give developers access to the data needed to build social applications: access to a user's profile, their friends, and the ability to let their friends know that activities have taken place.&lt;/blockquote&gt;Brian Oberkirch gives a short &lt;a href="http://www.brianoberkirch.com/2007/10/31/opensocial-symbian-for-social-networks/"&gt;summary&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;Think of it as a social network data roaming agreement.&lt;/blockquote&gt;&lt;br /&gt;Marc Andreessen has a more detailed &lt;a href="http://blog.pmarca.com/2007/10/open-social-a-n.html"&gt;description&lt;/a&gt; of how OpenSocial works, and he also informs us that the partners that are already on board with Google in this project include Google's own Orkut, LinkedIn, Hi5, Friendster, Salesforce.com, Oracle, iLike, Flixster, RockYou, and Slide.&lt;br /&gt;&lt;br /&gt;As far as I understand this from the technical side, it is not about overcoming the silos, but just making access to them from other silos easier. So it is kind of in the middle between closed platforms like &lt;a href="http://www.myspace.com/"&gt;MySpace&lt;/a&gt; on the one hand and social networking standards that work completely out in the open like &lt;a href="http://gmpg.org/xfn/"&gt;XFN&lt;/a&gt; or &lt;a href="http://www.foaf-project.org/"&gt;FOAF&lt;/a&gt;. It will also make life easier for identity aggregators like &lt;a href="http://www.spock.com/"&gt;Spock&lt;/a&gt; or &lt;a href="http://www.claimid.com/"&gt;ClaimID&lt;/a&gt;. And of course it will make life hard for those startups that have already been working on a protocol for more fully decentralized social networks, like the German &lt;a href="http://www.noserub.de/"&gt;NoseRub&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;There are a number of things that need more in-depth consideration here.&lt;p&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Soren G. 
&lt;a href="http://battellemedia.com/archives/004058.php#comment_125678"&gt;asks&lt;/a&gt;:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;1) What is Google getting out of this, besides slowing down Facebook and MySpace by giving developers a larger field to develop for? Is there information they will be gathering on my activities at all the various sites that they will use in their ad program?&lt;br /&gt;&lt;/p&gt;&lt;p&gt;2) Do all these groups have to update their user agreements for this to take place? Do they all already cover this kind of thing for happening, or are there lots of behind the scenes changes to user agreements going on?&lt;/p&gt;&lt;/blockquote&gt;Good questions, indeed. Mike Masnick at Techdirt has already &lt;a href="http://techdirt.com/articles/20071031/022834.shtml"&gt;answered the first one&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;If it works well, Google could conceivably then build a similar ad offering on top of multiple networks of information, and it would also serve to protect Google somewhat from the faddish nature of social networks, as it wouldn't matter if one particular network declined as another gained prominence -- as long as they're all using these standards.&lt;br /&gt;&lt;/blockquote&gt;Both questions also point at the privacy implications of this development, but the second one is especially relevant for this. But as I already mentioned in my &lt;a href="http://bendrath.blogspot.com/2007/10/security-issues-and-privacy-in-social.html"&gt;previous post&lt;/a&gt;, the real issues do not lie in the individual users giving consent to the platforms they use to share (some of) their data with the outside world. The real issue is: If this data is about social relations - friends, colleagues, contacts etc. - everybody of their friends would have to agree to have the information shared, as it is also about them. I illustrated this in a few talks I gave with the example of XFN. 
If Alice and Bob are a couple, Alice could link to Bob's website with some meta-information:&lt;br /&gt;&lt;blockquote style="font-family: courier new;"&gt;href="http://www.bob.name" rel="sweetheart"&lt;/blockquote&gt;While this looks ok at first sight, I would want Alice to ask Bob before she does this, as he might not want everybody in the world to know that they are friends. It of course becomes more obvious if you consider Eve linking to Bob like this:&lt;br /&gt;&lt;blockquote style="font-family: courier new;"&gt;href="http://www.bob.name" rel="affair"&lt;/blockquote&gt;As long as the issue of consent by &lt;span style="font-style: italic;"&gt;both&lt;/span&gt; ends of a social link is not adequately addressed in any open social networking platform, it will be a serious problem. Pamela Dingle &lt;a href="http://eternaloptimist.wordpress.com/2007/10/31/holy-open-social-batman/"&gt;puts it more bluntly&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;Call me crazy, but isn’t a “master social graph” without any reference to consent or control from the user really just internet-scale involuntary identity aggregation? I don’t care whether the “social graph” is in fashion or not, I sure as hell hope that I can opt out if I so choose.&lt;/blockquote&gt;JG &lt;a href="http://battellemedia.com/archives/004058.php#comment_125679"&gt;comments&lt;/a&gt; on an even more important structural problem with linking the walled gardens or silos:&lt;br /&gt;&lt;blockquote&gt;&lt;p&gt;[M]aybe the walls around the gardens are not just there to enrich the owners of the garden. Maybe the walls are there to preserve the quality of the garden itself. Sometimes I want a clean separation to exist between various social networks in which I participate. Not because there is anything that goes on in one network that I am afraid of folks finding out on another network. It's just that, when I log on to LinkedIn, I really do not want to be bitten by a Facebookian "zombie" application. 
Nor do I want to start giving $1 icon gifts to my professional contacts (or getting them, either, for that matter). &lt;/p&gt;&lt;/blockquote&gt;This is basically what the idea of &lt;a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=534622"&gt;privacy as "contextual integrity"&lt;/a&gt; is about. Professional networks are built at LinkedIn or Xing, party and music related networking happens at MySpace, and students connect to each other at StudiVZ. While most of the information in these platforms may not be secret or sensitive, there is a reason people do different things on different platforms. I mean, when I go out for a beer with my friends, I also dress in a different way than at a professional conference. Nothing is secret about this, but we play different roles in different contexts, and the kind of relations we build or the ways we express ourselves are different. This is in fact a good thing for society, because it allows functional differentiation and thereby more complex societies than people used to be able to develop when everybody lived in small villages. This goes against the "moral argument" for open social networking data exchange and the assumption that openness is always good.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;But there is also a buried "usability" issue with this, because connecting previously separate contexts can make your life much harder. This is nicely illustrated by efforts similar to OpenSocial, but for 3D virtual worlds. The NYT blog &lt;a href="http://bits.blogs.nytimes.com/2007/10/10/free-the-avatars/"&gt;reported&lt;/a&gt; a few weeks ago:&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;I.B.M. and Linden Lab, the creator of Second Life, think it’s time to free the avatars. (...) The two companies are announcing plans to develop open standards that will allow avatars to roam from one virtual community to the next. 
The goal is let a person create a digital alter-ego that can travel to many virtual worlds, keeping the same name, look and even digital currency. The companies speak of “a truly interoperable 3D Internet.” Think of it as passports for avatars. So that pink-headed cutie you made for Second Life can also take up residence in There.com, The Lounge, Virtual Laguna Beach and Entropia, for example.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;Nicholas Carr had a great reply titled &lt;a href="http://www.roughtype.com/archives/2007/10/can_i_bring_my.php"&gt;"Can I bring my flame thrower into Second Life?"&lt;/a&gt;:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;I'm not sure that IBM and Linden have fully thought through the consequences of bringing the globalization ethic to the virtual realm. About five minutes after the gates come down, all the residents of Second Life will have been made the slaves of powerful Warcraft clans. Peace-loving cyber-utopias will see their unnatural resources strip-mined by invading tribes. Economies will collapse, currencies turn to dust. Corporate headquarters - like the one IBM has in Second Life - will be looted and burned.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;The funny part he is missing is of course this one: The Warcraft warriors looting the IBM headquarters in Second Life may be played by first-life IBM employees, and their co-warriors can find out about this because of OpenSocial. 
Now, that opens up a whole new avenue of social research on what happens if social contexts are conflated!&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-4155057195058881424?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/4155057195058881424/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=4155057195058881424' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4155057195058881424'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/4155057195058881424'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/10/social-graph-google-privacy-and.html' title='The Social Graph, Google, Privacy, and Usability'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-7443727431296961973</id><published>2007-10-27T01:58:00.000+02:00</published><updated>2007-10-27T21:39:46.636+02:00</updated><title type='text'>Security and Privacy Issues in Social Networks</title><content type='html'>The &lt;a href="http://www.enisa.europa.eu/"&gt;European Network and Information Security Agency&lt;/a&gt; (ENISA) has released its first issue paper with the very timely title &lt;a href="http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf"&gt;"Security Issues and Recommendations for Online 
Social Networks"&lt;/a&gt;.  The authors distinguish four groups of threats: privacy related threats, variants of traditional network and information securitys threats, identity related threats, social threats. They give a number of recommendations for governments (oversight and adaption of existing data protection legislation), companies that run such networks, technology developers, and research and standardisation bodies. Most of the text looks pretty thought-through and very up to date at first glance. For example, they recommend to not ban social networking sites at schools, but to make sure that pupils are adequately educated to use them.&lt;br /&gt;&lt;br /&gt;What concerns me is the recommnendation to use automated filters against "offensive, litigious or illegal content". This brings potential freedom of speech issues. &lt;a href="http://www.edri.org/"&gt;European Digital Rights&lt;/a&gt; has just started a &lt;a href="http://www.edri.org/coerec200711"&gt;campaign&lt;/a&gt; against a similar recommendation by the Council of Europe.&lt;br /&gt;&lt;br /&gt;The text also addresses the issue of portability of profiles and the recent discussion around the &lt;a href="http://bradfitz.com/social-graph-problem/"&gt;social graph&lt;/a&gt;. But the authors, like many others, fail to address the central point: Information about social links is not about only one user, but also the others which he is linked to. 
They have to agree if this information is moved to different platforms.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-7443727431296961973?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/7443727431296961973/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=7443727431296961973' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7443727431296961973'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7443727431296961973'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/10/security-issues-and-privacy-in-social.html' title='Security and Privacy Issues in Social Networks'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-2575703252398934333</id><published>2007-10-11T22:06:00.000+02:00</published><updated>2007-10-11T22:26:02.716+02:00</updated><title type='text'>Netaveillance</title><content type='html'>The privacy field is currently in the hot phase of a &lt;a href="http://en.wikipedia.org/wiki/Paradigm_shift"&gt;paradigm shift&lt;/a&gt;. You can tell this from the multitude of new conceptional terms that pop up almost weekly. 
I  already wrote about &lt;a href="http://bendrath.blogspot.com/2007/10/wikisurveillance-or-big-brother-is-you.html"&gt;"wikisurveillance"&lt;/a&gt; and the concept of &lt;a href="http://bendrath.blogspot.com/2006/10/identity-and-relations-or-yet-another.html"&gt;"Limited Liability Personae"&lt;/a&gt;, and the identity management folks currently have a hot debate about the &lt;a href="http://identityblog.burtongroup.com/bgidps/2007/10/what-the-identi.html"&gt;"Identity Oracle"&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Now, &lt;a href="http://www.law.yale.edu/faculty/MZimmer.htm"&gt;Michael Zimmer&lt;/a&gt; has &lt;a href="http://michaelzimmer.org/2007/10/11/4s-privacy-and-surveillance-in-web-20/"&gt;coined&lt;/a&gt; the term "netaveillance". It is based on Helen Nissenbaum's  theory of &lt;a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=534622"&gt;"privacy as contextual integrity"&lt;/a&gt;. He is trying to grasp the information flows among users of web 2.0 platforms, and he does this based on a thoughtful discussion of other terms:&lt;br /&gt;&lt;blockquote&gt;What seems to be emerging is a new form of voyeuristic surveillance of people’s everyday lives, fueled by Web 2.0. This has been referred to varyingly as “lateral surveillance,” “peer-to-peer surveillance” or even as a new kind of “participatory panopticon.” Yet these terms – and the theories embedded within them – seem insufficient to fully grasp the significance of the emergence of this new voyeurism of the mundane. Surveillance, via its etymology, implies the “watching over” of subjects from above, with an explicit power relationship between the watchers and those placed under its gaze. Trying to describe surveillance as “peer-to-peer” suggests a flattening of the power relationship that is counter to its very definition. Similarly, the notion of a “participatory panopticon” is at the same time redundant and contradictory. 
Foucault revealed how panoptic power becomes internalized by the subjects, thus, they necessarily “participate” in their own subjugation. Yet the top-down power relationship within the panoptic structure remains. The participation by the subjects in their own surveillance does not make them equal with the watchers in a panoptic model. Yet the informational voyeurism associated with Web 2.0 seems to imply a balance between the users: one shares their data streams in order to improve the overall worth of the network, coupled with the presumption that they’ll be able to observe and leverage others’ streams as well.&lt;br /&gt;&lt;br /&gt;This notion resembles that of “equiveillance,” a state of equilibrium between the topdown power of surveillance, and the resistant bottom-up watching of sousveillance. Yet, these concepts imply merely a balance in access to surveillance information, and is focused more on how to reach some kind of harmonious relationship with our rising surveillance society. With the informational voyeurism of Web 2.0, however, the goal isn’t to resist or come to terms with the power yielded by traditional surveillance, but rather to participate in a widespread and open sharing of the mundane details of one’s daily life. To give one’s peers a glimpse into one’s own personal universe.&lt;br /&gt;&lt;br /&gt;These snapshots of the minutia of people’s lives have been compared to the Japanese concept of “neta”, the tidbits of people’s lives that are shared with family and friends as a kind of social currency.&lt;/blockquote&gt;The full manuscript is &lt;a href="http://michaelzimmer.org/files/Zimmer%204S%202007%20talk.pdf"&gt;here&lt;/a&gt;, the accompanying &lt;a href="http://michaelzimmer.org/files/Zimmer%204S%202007%20slides.pdf"&gt;slides&lt;/a&gt; are here.&lt;br /&gt;&lt;br /&gt;I rate this as a "must read" for everybody interested in Web 2.0 and privacy. 
(Now, how do I put this into a facebook minifeed?)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-2575703252398934333?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/2575703252398934333/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=2575703252398934333' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/2575703252398934333'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/2575703252398934333'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/10/netaveillance.html' title='Netaveillance'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-1442818623378256292</id><published>2007-10-03T02:01:00.000+02:00</published><updated>2007-10-03T02:39:24.355+02:00</updated><title type='text'>Wikisurveillance, or: Big Brother is "You"</title><content type='html'>From the lexicon of new surveillance terms. 
Michael Arntfield &lt;a href="http://www.anonequity.org/weblog/archives/2007/10/wikisurveillance_a_genealogy_o.php"&gt;writes this&lt;/a&gt; on the Identity Trail:&lt;br /&gt;&lt;blockquote&gt;I define wikisurveillance as the manner in which the community at large has been seduced by, or at the very least summarily acceded to, the idea of watching, recording, reporting, and even the expectation, or exhibitionism, of being watched, as the new de facto social contract for the post-industrial age.&lt;br /&gt;&lt;/blockquote&gt;On a related note, one of the &lt;a href="http://www.bigbrotherawards.nl/index_uk.html"&gt;Dutch Big Brother awards winners is "You"&lt;/a&gt;. It apparently took a while until the 1984 phrase "Big Brother is you, watching" by Mark Crispin Miller gained enough salience.&lt;br /&gt;&lt;br /&gt;I still don't buy this hype and over-simplification. When the person of the year was declared "you" last year by Time magazine, this also met solid criticism. And cultural studies have shown on and on that people don't just give everything away in Web 2.0 and elsewhere, but instead are really conscious about what they publish and how they shape their public identities. Instead of throwing privacy out of the bathwater, we should think about control or informational self-determination as its new paradigm, instead of zero knowledge or anonymity as the normal expectation in the old one. But of course, if you want to give users / citizens control, they have to have the possibility of anonymity in the first place.&lt;br /&gt;&lt;br /&gt;And yes, the last paragraph was full of references, but blogs are not academic articles, after all.&lt;br /&gt;Look them up yourself. 
And then put them in the comments, please.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-1442818623378256292?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/1442818623378256292/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=1442818623378256292' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1442818623378256292'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1442818623378256292'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/10/wikisurveillance-or-big-brother-is-you.html' title='Wikisurveillance, or: Big Brother is &quot;You&quot;'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-856976495968824670</id><published>2007-10-03T00:03:00.000+02:00</published><updated>2007-10-03T00:24:28.845+02:00</updated><title type='text'>Identity Trends: Possible Futures</title><content type='html'>Kaliya Hamlin has posted a very interesting presentation &lt;a href="http://www.kaliyasblogs.net/papers/Futures.pdf"&gt;"The Future of the Convergence of Internet-scale Identity Systems"&lt;/a&gt; from a recent workshop at Digital Identity World. It shows the most important outcomes of a scenario planning exercise organized by the Identity Commons Working Group on Future Trends. 
They tried to look into the future a bit further than the next takeover by Oracle or the next interconnectivity demonstration between OpenID and XYZ. It really makes you think.&lt;br /&gt;&lt;br /&gt;Some bits from the presentation as a teaser:&lt;br /&gt;&lt;blockquote&gt;Anonymity in even indoor “public” places (coffee shops) has been destroyed by cheap and portable face recognition tools.&lt;br /&gt;&lt;br /&gt;Government-issued becomes meaningless as millions of fake ids circulate - illegal immigrants driver forgery market.&lt;br /&gt;&lt;br /&gt;DNA on Dating sites prevents potentially bad genetic matches before you start dating.&lt;br /&gt;&lt;br /&gt;Networks of Trusted Individuals Compete with Corporations as Players in Identity Dependent Transactions.&lt;br /&gt;&lt;/blockquote&gt;Keep in mind that they only speak about a "range of possible futures", so if you don't like any of these, try to create a different one. As Alan Kay said: "The best way to predict the future is to invent it."&lt;br /&gt;&lt;br /&gt;&lt;a href="http://wiki.idcommons.net/moin.cgi/IdFutures"&gt;Here&lt;/a&gt; are many more potential future scenarios and more info on the full process they used.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-856976495968824670?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/856976495968824670/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=856976495968824670' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/856976495968824670'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/856976495968824670'/><link rel='alternate' type='text/html' 
href='http://bendrath.blogspot.com/2007/10/identity-trends-possible-futures.html' title='Identity Trends: Possible Futures'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-7534291247957424933</id><published>2007-09-28T00:56:00.001+02:00</published><updated>2008-08-27T13:46:43.242+02:00</updated><title type='text'>How to Build a Privacy Movement</title><content type='html'>We had a demonstration against the surveillance mania in Berlin last Saturday which attracted 15000 people, making it the biggest demonstration against surveillance for the last 20 years.  The German &lt;a href="http://www.vorratsdatenspeicherung.de/"&gt;Working Group Against Data Retention&lt;/a&gt; - which was the main organizer - is still discussing how to move on from this big success. Our feeling is that this was the founding moment of a wider privacy movement. An English news report is &lt;a href="http://www.cbsnews.com/stories/2007/09/23/world/main3289375.shtml"&gt;here&lt;/a&gt;, and there are &lt;a href="http://wiki.vorratsdatenspeicherung.de/Demonstration_in_Berlin_am_22._September_2007/Pressespiegel#Fotos"&gt;pictures&lt;/a&gt; and &lt;a href="http://wiki.vorratsdatenspeicherung.de/Demonstration_in_Berlin_am_22._September_2007/Pressespiegel#Fernsehen_.2F_Video"&gt;videos&lt;/a&gt; and our &lt;a href="http://www.vorratsdatenspeicherung.de/content/view/142/55/lang,en/"&gt;English press release&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I have been at the annual &lt;a href="http://www.privacyconference2007.gc.ca/"&gt;Privacy Commissioners' conference&lt;/a&gt; in Montreal since Monday, so I did not really have time to blog about it here. 
But a lot of people at this conference wanted to know how we did it, and on short notice they put me on a panel today to talk about it. So here are my &lt;a href="http://userpage.fu-berlin.de/%7Ebendrath/Bendrath-Presentation-Montreal-9-2007.rtf"&gt;speaking notes&lt;/a&gt; and the accompanying &lt;a href="http://userpage.fu-berlin.de/%7Ebendrath/Bendrath-Presentation-Montreal-9-2007.pdf"&gt;slides&lt;/a&gt; - see it as a quick and dirty version of a "privacy-movement howto".&lt;br /&gt;&lt;br /&gt;(In the notes, "Tuesday"  refers to a &lt;a href="http://www.thepublicvoice.org/events/montreal07/default.html"&gt;pre-event&lt;/a&gt; organized by a number of civil society groups before the official conference started on Wednesday.)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update:&lt;/span&gt; Because people keep asking me and don't seem to look into the &lt;a href="http://userpage.fu-berlin.de/%7Ebendrath/Bendrath-Presentation-Montreal-9-2007.pdf"&gt;slides&lt;/a&gt;: The "Stasi 2.0" t-shirts are available at &lt;a href="http://dataloo.spreadshirt.net/"&gt;dataloo.spreadshirt.net&lt;/a&gt;. I just noticed the site has no English version, but you should be able to understand it. 
It's a generic web shop.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update 2:&lt;/span&gt; The shirts shop now has an English website.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-7534291247957424933?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/7534291247957424933/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=7534291247957424933' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7534291247957424933'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7534291247957424933'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/09/how-to-build-privacy-movement.html' title='How to Build a Privacy Movement'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-6459715286970503519</id><published>2007-09-25T04:21:00.000+02:00</published><updated>2007-09-25T04:27:00.259+02:00</updated><title type='text'>The Liberal Journalists Strike Back</title><content type='html'>The Economist has started a series of articles on the erosion of civil liberties in the so-called "war on terror":&lt;br /&gt;&lt;blockquote&gt;As we intend to show in a series of articles starting this week (see &lt;a href="http://www.economist.com/opinion/displaystory.cfm?story_id=9832909"&gt;article&lt;/a&gt;), the 
past six years have seen a steady erosion of civil liberties even in countries that regard themselves as liberty's champions.&lt;br /&gt;&lt;/blockquote&gt;This echoes similar series about new surveillance powers and other uncivil means that have already been published in big liberal German papers and magazines like Die Zeit or Der Spiegel. A clear sign that the almost unconditional support for more executive powers and secrecy in the name of security that was so prevalent after 9/11 has massively eroded.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-6459715286970503519?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/6459715286970503519/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=6459715286970503519' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6459715286970503519'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6459715286970503519'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/09/liberal-journalists-strike-back.html' title='The Liberal Journalists Strike Back'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-7072786535859956268</id><published>2007-09-21T02:03:00.000+02:00</published><updated>2007-09-21T02:48:20.314+02:00</updated><title type='text'>Think Global, Act 
Local</title><content type='html'>This blog has been quiet over the summer - partly because I had some problems with blogger.com which I did not want to deal with, but partly also because  there were a lot of offline activities going on for me. First of all, I re-discovered the beauty of being active at the local level.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.ccchb.de/"&gt;Bremen branch&lt;/a&gt; of the &lt;a href="http://www.ccc.de/"&gt;Chaos Computer Club&lt;/a&gt;, which had mostly been a fortnightly open meeting of nerds and privacy and free software activists for the last year, has suddenly turned into a buzzing cloud of activity. In the run-up to the big German &lt;a href="http://www.freiheitstattangst.de/"&gt;demonstration against the surveillance state&lt;/a&gt; in Berlin on Saturday, we organized a series of events in Bremen under the label &lt;a href="http://ccc.erleuchtet.org/wiki/Pressemitteilung"&gt;"summer of privacy"&lt;/a&gt;. The flyer looks like &lt;a href="http://der-tux.de/downloads/CCC/ccc_summer_of_privacy_flyer_750x357.jpg"&gt;this&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The kick-off was a party in a new alternative club, which featured several electro DJs, but also dating phones connected by a mechanical switch from the sixties, a pong version on a projector with our interior minister Wolfgang "Stasi 2.0" Schäuble instead of the ball, powerpoint karaoke, and of course a lot of vintage computing in the chillout area. We partied until seven in the morning, had our share of fun, and discussed our ambitions with a lot of interested and nice people on the side.&lt;br /&gt;&lt;br /&gt;Then, we had invited &lt;a href="http://waste.informatik.hu-berlin.de/%7E46halbe/"&gt;Constanze Kurz&lt;/a&gt;, spokesperson of the CCC in Berlin and in the news almost every day at the moment because of our government's plans to secretly spy on our hard drives. She gave a lecture titled "Kafka, Orwell, Schäuble. Surveillance in the Information Society". 
Because our marketing powers were a bit exhausted after the party, we did not expect too many people to show up. But when the event took place, the crowds were so massive that many had to stand in the hallway or even on the stairs. There really has developed a significant feeling of unease in the general population because of these ever more numerous and intrusive proposals for more surveillance in the name of security.  One person had even driven more than two hours by car to join us. Wow.&lt;br /&gt;&lt;br /&gt;Two days ago, we had a workshop on how to protect yourself against surveillance, titled "Firewall of Love". A bit less people showed up, mostly political activists ranging from the anti-G8-groups to the old peace movement. But they all listened closely for a few hours, even to the more technical aspects of public-key cryptography or the problems of personal firewalls. We are now compiling a &lt;a href="http://ccc.erleuchtet.org/wiki/Firewall_of_Love"&gt;help page&lt;/a&gt; in our wiki.&lt;br /&gt;&lt;br /&gt;And finally, coming Saturday we have chartered a whole bus and will go to Berlin with at least 50 persons to join the other protesters at the &lt;a href="http://www.freiheitstattangst.de/"&gt;demonstration "Freedom instead of fear - stop the surveillance delusion"&lt;/a&gt; (German: "Freiheit statt Angst - Stoppt den Überwachungswahn!"). The list of supporting groups has grown over the last few weeks and now includes the whole spectrum from the radical left to the liberal party, from physicians and journalists associations to the gay community or the world's largest trade union. 
I am really looking forward to it, especially because I have been helping to organize the federal-level protests against data retention for the last two years, and the demonstration and lots of other activities have developed out of this network of activists called &lt;a href="http://www.vorratsdatenspeicherung.de/"&gt;working group on data retention&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;My main point was: I really enjoyed being involved in global and European political processes and activities like the World Summit on the Information Society or European Digital Rights for the last four years, but it is such a difference between having to rely on email lists most of the time and working with real people most of the time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-7072786535859956268?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/7072786535859956268/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=7072786535859956268' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7072786535859956268'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7072786535859956268'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/09/think-global-act-local.html' title='Think Global, Act Local'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-3918800428411782232</id><published>2007-09-21T01:53:00.000+02:00</published><updated>2007-09-21T02:03:09.846+02:00</updated><title type='text'>Critique of OpenID</title><content type='html'>Stefan Brands from Credentica has compiled an impressive &lt;a href="http://www.idcorner.org/?p=161"&gt;collection of criticism against OpenID&lt;/a&gt; recently. And Kim Cameron of Microsoft &lt;a href="http://www.identityblog.com/?p=855"&gt;goes nuts&lt;/a&gt;. I don't really understand Kim here, as Microsoft's CardSpace is much more privacy-friendly than OpenID. Maybe the summer of interoperability-hugging has created too much of a "we're all in this together" atmosphere.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-3918800428411782232?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/3918800428411782232/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=3918800428411782232' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3918800428411782232'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3918800428411782232'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/09/critique-of-openid.html' title='Critique of OpenID'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-8291533888550998373</id><published>2007-07-02T18:52:00.000+02:00</published><updated>2007-07-03T19:54:19.335+02:00</updated><title type='text'>Privacy &amp; Identity White Paper</title><content type='html'>The &lt;a href="http://www.prime-project.eu/"&gt;Privacy and Identity Management for Europe&lt;/a&gt; (PRIME) consortium has published a new &lt;a href="http://www.prime-project.eu/prime_products/whitepaper/"&gt;White Paper&lt;/a&gt; that is recommended reading for everyone working on ID management.&lt;br /&gt;&lt;br /&gt;I especially like their design principles on page 15. They could effectively be called the "Laws of Privacy-Enhancing Design":&lt;br /&gt;&lt;ul&gt;&lt;li&gt; Design must start from maximum privacy&lt;/li&gt;&lt;li&gt;Explicit privacy governs system usage&lt;/li&gt;     &lt;li&gt;Privacy rules must be enforced, not just stated&lt;/li&gt;     &lt;li&gt;Privacy enforcement must be trustworthy&lt;/li&gt;     &lt;li&gt;Users need easy and intuitive abstractions of privacy&lt;/li&gt;     &lt;li&gt;Privacy needs an integrated approach&lt;/li&gt;     &lt;li&gt;Privacy must be integrated with applications&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-8291533888550998373?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/8291533888550998373/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=8291533888550998373' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8291533888550998373'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8291533888550998373'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/07/privacy-identity-white-paper.html' title='Privacy &amp; Identity White Paper'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-8136260151737724570</id><published>2007-06-05T02:40:00.000+02:00</published><updated>2007-06-05T04:29:56.617+02:00</updated><title type='text'>Privacy in Online Games - from ID Cards to Tinfoil Hats</title><content type='html'>As you will have read by now, Linden Labs is trying to introduce a government-issued identity token in Second Life in order to get rid of adults playing young-looking avatars (hint: in Second Life, "playing" seems to mean "having sex" nowadays, at least according to most journalists and of course the security politicians). Now everybody wonders how they want to do this - at least if you read the&lt;a href="http://blog.secondlife.com/2007/05/04/age-and-indentity-verification-in-second-life/"&gt; announcement&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;The verification system will be run by a third party specializing in age and identity authentication. No personally identifying information will be stored by them or by Linden Lab, including date of birth, unless the Resident chooses to do so. 
Those who wish to be verified, but remain anonymous, are free to do so.&lt;br /&gt;&lt;/blockquote&gt;There seem to be some &lt;a href="http://secondlife.reuters.com/stories/2007/05/09/linden-age-verification-plans-hit-a-bump"&gt;problems&lt;/a&gt; with finding such a vendor, but identification as a means of control of virtual worlds is certainly seeing growing interest. But resistance against this has also been &lt;a href="http://yanai.blackmage.org/sky2/?page_id=2543"&gt;vocal&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Now, for the more funny part: World of Warcraft recently launched “&lt;a href="http://armory.worldofwarcraft.com/"&gt;The Armory&lt;/a&gt;”,  &lt;blockquote&gt;&lt;p&gt;a vast searchable database of information for World of Warcraft - taken straight from the real servers, updated in real time, and presented in a user-friendly interface. Since the Armory pulls its data from the actual game servers, it is the most comprehensive and up-to-date database on the characters, arena teams, and guilds of World of Warcraft in existence.&lt;/p&gt;&lt;/blockquote&gt; But the privacy warriors are fighting back. You now can get a &lt;a href="http://www.worldofwarcraft.com/info/items/tinfoilhat.xml"&gt;tinfoil hat&lt;/a&gt; with some very nice specs:&lt;br /&gt;&lt;blockquote&gt;Besides keeping the wearer safe from mind spies and the thought police, it also removes the wearer's character profile from the World of Warcraft Armory to further guarantee that no one will be able to divine all of the wearer's tightly held secrets. Furthermore, wearers of the Tinfoil Hat will not show up in /who listings, and they will also be immune to inspection from other players.&lt;/blockquote&gt;Look at this &lt;a href="http://www.kaliyasblogs.net/Tinfoilhat.jpg"&gt;hilarious picture&lt;/a&gt;. 
It's of course a &lt;a href="http://forums.worldofwarcraft.com/thread.html?topicId=85243117&amp;amp;postId=851760116"&gt;joke&lt;/a&gt;, but a &lt;a href="http://img125.imageshack.us/img125/6121/tinfoilhatxm8.png"&gt;nice one&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;(The part on WoW via &lt;a href="http://www.identitywoman.net/?p=560"&gt;Kaliya Hamlin&lt;/a&gt;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-8136260151737724570?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/8136260151737724570/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=8136260151737724570' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8136260151737724570'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8136260151737724570'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/06/privacy-in-online-games-from-id-cards.html' title='Privacy in Online Games - from ID Cards to Tinfoil Hats'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-5693320003678093077</id><published>2007-05-24T13:20:00.000+02:00</published><updated>2007-05-24T13:28:39.248+02:00</updated><title type='text'>Privacy Self-Regulation and the Changing Role of the State</title><content type='html'>My new &lt;a 
href="http://www.sfb597.uni-bremen.de/pages/pubApBeschreibung.php?SPRACHE=en&amp;ID=65"&gt;working paper&lt;/a&gt; is just out. I have looked at the changes in the regulation (or "governance") of data protection, with a special focus on the different forms of new governance mechanisms. Building on Lawrence Lessig's work on "Code and Law" and also on previous research on the governance of privacy done by Colin Bennett and Charles Raab, I distinguish between social codes (contracts, self-regulatory schemes etc.) and technical codes (privacy-enhancing technologies). This is the abstract:&lt;br /&gt;&lt;blockquote&gt;&lt;span class="subhead"&gt;&lt;span style="font-weight: bold;"&gt;Privacy Self-Regulation and the Changing Role of the State. From Public Law to Social and Technical Mechanisms of Governance&lt;/span&gt;&lt;br /&gt;  &lt;br /&gt;  &lt;/span&gt;This paper provides a structured overview of different self-governance mechanisms for privacy and data protection in the corporate world, with a special focus on Internet privacy. It also looks at the role of the state, and how it has related to privacy self-governance over time. While early data protection started out as law-based regulation by nation-states, transnational self-governance mechanisms have become more important due to the rise of global telecommunications and the Internet. Reach, scope, precision and enforcement of these industry codes of conduct vary a lot. The more binding they are, the more limited is their reach, though they – like the state-based instruments for privacy protection – are becoming more harmonised and global in reach nowadays. These "social codes" of conduct are developed by the private sector with limited participation of official data protection commissioners, public interest groups, or international organisations. 
Software tools - "technical codes" - for online privacy protection can give back some control over their data to individual users and customers, but only have limited reach and applications. The privacy-enhancing design of network infrastructures and database architectures is still mainly developed autonomously by the computer and software industry. Here, we can recently find a stronger, but new role of the state. Instead of regulating data processors directly, governments and oversight agencies now focus more on the intermediaries – standards developers, large software companies, or industry associations. And instead of prescribing and penalising, they now rely more on incentive-structures like certifications or public funding for social and technical self-governance instruments of privacy protection. The use of technology as an instrument and object of regulation is thereby becoming more popular, but the success of this approach still depends on the social codes and the underlying norms which technology is supposed to embed.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-5693320003678093077?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/5693320003678093077/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=5693320003678093077' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5693320003678093077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5693320003678093077'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/05/privacy-self-regulation-and-changing.html' title='Privacy Self-Regulation and the Changing Role of the 
State'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-7084111646356135877</id><published>2007-05-18T04:35:00.000+02:00</published><updated>2007-05-21T01:03:06.704+02:00</updated><title type='text'>Identity and the Government - the missing link 2.0</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Update:&lt;/span&gt; Phil Windley notified me that I misunderstood him (corrected below). I still wonder where the links between governments' activities around online identification and the internet identity developments from the geek and corporate communities are being discussed and thought through. Any hints?&lt;br /&gt;&lt;br /&gt;The identity 2.0 folks don't think about government-issued identity cards and the developments going on in Washington and other capitals. At the end of the &lt;a href="http://iiw.windley.com/wiki/Workshop_2007"&gt;Internet Identity Workshop&lt;/a&gt; that just took place in Mountain View (California), its organizers Kaliya Hamlin and Phil Windley gave an &lt;a href="http://www.windley.com/archives/2007/05/lunchmeet_on_iiw.shtml"&gt;interview&lt;/a&gt; to the video podcaster Eddie Codel from LunchMeet ("meeting geeks over lunch"). With one question, he hit the mark of what I as a political scientist am interested in:&lt;br /&gt;&lt;blockquote&gt;How do the identity issues that are being addressed here and are being worked on relate to the national level - government, passport control, national id card, that kind of stuff? 
Can what we do here influence that?&lt;br /&gt;&lt;/blockquote&gt;The answer from Phil:&lt;br /&gt;&lt;blockquote&gt;Conceptually, there are certain relationships. And certainly, if you ask people here, they would [not: don't, RB] have opinions on that. What tends to be worked on here tends to be fairly specific to the user-centric identity.&lt;br /&gt;&lt;/blockquote&gt;If we agree there is a conceptual link, then people might want to start thinking about this a bit deeper. I mean, has anybody ever heard of &lt;a href="http://code-is-law.org/"&gt;code and law&lt;/a&gt; and all the rest? It seems that there still is too much of a distance between the West coast geeks and the East coast politicos, at least in the identity field. I am waiting to see what happens when the U.S. congress starts enacting laws that regulate online identity, like &lt;a href="http://politechbot.com/docs/mccain.child.sex.offender.120806.pdf"&gt;this one&lt;/a&gt;. Will &lt;a href="http://www.identitycommons.net/"&gt;Identity Commons&lt;/a&gt; open an office in Washington like the &lt;a href="http://www.eff.org/"&gt;EFF&lt;/a&gt; did last year - finally?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-7084111646356135877?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/7084111646356135877/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=7084111646356135877' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7084111646356135877'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7084111646356135877'/><link rel='alternate' type='text/html' 
href='http://bendrath.blogspot.com/2007/05/identity-and-government-missing-link-20.html' title='Identity and the Government - the missing link 2.0'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-6956339395065494111</id><published>2007-05-16T23:19:00.002+02:00</published><updated>2010-01-14T12:56:33.155+01:00</updated><title type='text'>Icons of Privacy</title><content type='html'>Analogous to the &lt;a href="http://creativecommons.org/"&gt;Creative Commons&lt;/a&gt; licenses that use lawyer-readable, machine-readable and human-readable formats, there has been some movement towards developing a similar approach for data privacy. The &lt;a href="http://www.w3.org/P3P/"&gt;P3P protocol&lt;/a&gt; already combined the lawyer-readable plus machine-readable approaches, and the &lt;a href="http://www.privacybird.org/"&gt;privacy bird&lt;/a&gt; browser extension was a first rough attempt to graphically display whether a web site's P3P privacy policy conforms to your own privacy preferences.&lt;br /&gt;&lt;br /&gt;More recently, there have been attempts to design more meaningful icon sets that symbolize the different uses of personal data by web services. 
The first example I am aware of was presented by &lt;a href="http://cyberlaw.stanford.edu/profile/mary-rundle"&gt;Mary Rundle&lt;/a&gt; from the &lt;a href="http://wiki.idcommons.net/moin.cgi/IdentityRightsAgreementsCharter"&gt;Identity Commons Working Group on Identity Rights Agreements&lt;/a&gt; last year at the &lt;a href="http://www.intgovforum.org/"&gt;UN Internet Governance Forum&lt;/a&gt; (see the pdf of her presentation &lt;a href="http://identityproject.lse.ac.uk/mary.pdf"&gt;here&lt;/a&gt;, the icons and the idea are on slides 7 and 8).&lt;br /&gt;&lt;br /&gt;Now (&lt;a href="http://netzpolitik.org/2007/netzpolitik-podcast-iconset-fuer-datenschutzerklaerungen/"&gt;apparently&lt;/a&gt; inspired because I told him about this), Matthias Mehldau from the popular German blog &lt;a href="http://netzpolitik.org/"&gt;netzpolitik.org&lt;/a&gt; has designed &lt;a href="http://netzpolitik.org/2007/iconset-fuer-datenschutzerklaerungen/"&gt;a whole set of private data usage symbols&lt;/a&gt;. It's spreading heavily in Germany's blogosphere at the moment, and he calls for designers and privacy experts to develop this version 0.1 further. It's licensed under a creative commons by&lt;d&gt; (not: nc)&lt;/d&gt; license. 
Click on the picture to enlarge.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_memBhDtxhTw/Rkt5Fj_vCBI/AAAAAAAAABE/4Y12iDRu0v8/s1600-h/data-privacy-icons-v01.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_memBhDtxhTw/Rkt5Fj_vCBI/AAAAAAAAABE/4Y12iDRu0v8/s320/data-privacy-icons-v01.jpg" alt="" id="BLOGGER_PHOTO_ID_5065275342377125906" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Disclaimer: I also blog at netzpolitik.org&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update, 6 November 2009:&lt;/span&gt; Christopher Parsons from the University of Victoria is now also &lt;a href="http://www.christopher-parsons.com/blog/thoughts/thinking-about-a-privacy-commons/"&gt;thinking about this&lt;/a&gt;. Worth a read.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update, 14 January 2010:&lt;/span&gt; Now some folks around Mozilla.org in Washington, DC are also &lt;a href="http://www.azarask.in/blog/post/is-a-creative-commons-for-privacy-possible/"&gt;working on this&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-6956339395065494111?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/6956339395065494111/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=6956339395065494111' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6956339395065494111'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6956339395065494111'/><link rel='alternate' type='text/html' 
href='http://bendrath.blogspot.com/2007/05/icons-of-privacy.html' title='Icons of Privacy'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_memBhDtxhTw/Rkt5Fj_vCBI/AAAAAAAAABE/4Y12iDRu0v8/s72-c/data-privacy-icons-v01.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-359300278170509822</id><published>2007-05-15T02:01:00.000+02:00</published><updated>2007-05-15T02:10:44.091+02:00</updated><title type='text'>CardSpace's Privacy Problems - now confirmed at OECD</title><content type='html'>Ben Laurie reports this interesting exchange of opinions on how Cardspace is breaking the (privacy-enhancing) "Laws of Identity", developed by Microsoft's Cardspace architect Kim Cameron:&lt;br /&gt;&lt;blockquote&gt;At &lt;a href="http://www.links.org/www.oecd.org/sti/security-privacy/idm"&gt;this OECD workshop on identity management&lt;/a&gt;, Fred Carter, of the &lt;a href="http://www.ipc.on.ca/"&gt;Office of the Information and Privacy Commissioner, Ontario&lt;/a&gt;, spoke on “Functional Requirements for Privacy Enhancing Systems”. At one point he listed privacy protecting identity management systems, which he broadly defined as those following &lt;a href="http://www.identityblog.com/?page_id=354"&gt;Kim’s seven laws&lt;/a&gt;. The list was short, just &lt;a href="http://www.prime-project.eu/"&gt;PRIME&lt;/a&gt; and &lt;a href="http://www.credentica.com/"&gt;Credentica&lt;/a&gt; … note the absence of &lt;a href="http://cardspace.netfx3.com/"&gt;CardSpace&lt;/a&gt;. 
So, I just had to ask: “does this mean that you believe CardSpace does not obey the seven laws?”. His reply? “Yes”. &lt;a href="http://blogs.msdn.com/cbunio/"&gt;Chris Bunio&lt;/a&gt;, a Senior Architect for Microsoft, was present. He did not dispute the claim.&lt;br /&gt;&lt;/blockquote&gt;More detailed explanations are in Ben's &lt;a href="http://www.links.org/?p=228"&gt;new paper on selective disclosure&lt;/a&gt;.&lt;br /&gt;&lt;p&gt;&lt;/p&gt;I would add: While Cardspace, if implemented in a specific way, can be privacy-enhancing (much better than the &lt;a href="http://www.projectliberty.org/"&gt;Liberty&lt;/a&gt; stuff), the recent moves towards convergence with OpenID will weaken the privacy features of the system. And it will make the normal users think that one ID system is just like the other, so they can directly pick the totally &lt;a href="http://bendrath.blogspot.com/2007/04/openid-next-big-thing-with-lots-of.html"&gt;privacy-unfriendly OpenID&lt;/a&gt;, which gets much more and broader attention at the moment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-359300278170509822?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/359300278170509822/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=359300278170509822' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/359300278170509822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/359300278170509822'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/05/cardspaces-privacy-problems-now.html' title='CardSpace&apos;s Privacy Problems - now confirmed at OECD'/><author><name>Ralf 
Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-6861754652980357956</id><published>2007-05-15T01:47:00.000+02:00</published><updated>2007-05-16T23:46:21.828+02:00</updated><title type='text'>Privacy and Identity debate gains more traction</title><content type='html'>A few nice things happened in the last weeks that make me hope the privacy and identity camps are converging. Maybe not on common positions yet, but in common discussion spaces at least:&lt;br /&gt;&lt;br /&gt;First, &lt;a href="http://identity20.com/"&gt;Dick Hardt&lt;/a&gt; from &lt;a href="http://www.blogger.com/www.sxip.com/"&gt;Sxip Identity&lt;/a&gt; was in Germany and &lt;a href="http://identity20.com/?p=95"&gt;says&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;Identity is a hot topic in Germany. The first &lt;a href="http://www.kuppingercole.de/events/eic2007" _base_href="http://identity20.com/?p=95"&gt;European Identity Conference&lt;/a&gt; started today, and I am giving a keynote tomorrow morning. The Germans seem very sensitive to invasion of privacy (...).&lt;br /&gt;&lt;/blockquote&gt;In a &lt;a href="http://www.elektrischer-reporter.de/index.php/site/film/41/"&gt;video interview&lt;/a&gt; the Elektrischer Reporter did with him, the latter raised some concerns I had &lt;a href="http://www.elektrischer-reporter.de/index.php/site/film/40/"&gt;voiced&lt;/a&gt; the week before. 
Nice to see this is being picked up.&lt;br /&gt;&lt;br /&gt;Then, &lt;a href="https://events.ccc.de/congress/2006/Fahrplan/speakers/1232.en.html"&gt;Udo Neitzel&lt;/a&gt; and I went to Montreal to the &lt;a href="http://www.blogger.com/www.cfp2007.org/"&gt;Computers, Freedom and Privacy conference&lt;/a&gt;, where we spoke on two panels about privacy and identity, together with folks from the privacy world (Gus Hosein from &lt;a href="http://www.blogger.com/www.privacyinternational.org/"&gt;Privacy International&lt;/a&gt;, Caspar Bowden from &lt;a href="http://www.blogger.com/www.microsoft.com/emea/"&gt;Microsoft&lt;/a&gt;) and the identity crowd (Paul Madsen from &lt;a href="http://www.blogger.com/www.projectliberty.org/"&gt;Liberty&lt;/a&gt;, Christian Paquin from &lt;a href="http://www.blogger.com/www.credentica.com/"&gt;Credentica&lt;/a&gt;). &lt;a href="http://www.blogger.com/www.identityblog.com/"&gt;Kim Cameron&lt;/a&gt; from Microsoft was giving a keynote, and "Identity Woman" &lt;a href="http://www.kaliyasblogs.net/Iwoman/"&gt;Kaliya Hamlin&lt;/a&gt; was actively taking part (she should have sat on at least one of the panels herself - Wired by the way &lt;a href="http://www.identitywoman.net/?p=581"&gt;calls her&lt;/a&gt; a "privacy activist"). We had interesting discussions on OpenID as "Baby SAML" or how Microsoft's moves towards OpenID and using Cardspace for federation will make their system even less privacy-enhancing. Kim seemed not convinced, but at least we got him thinking. More importantly, the old privacy and crypto gurus at CFP finally seem to understand that identity management is something they really, really should care about more.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.idcorner.org/"&gt;Stefan Brands&lt;/a&gt; is again at the forefront of this development. 
He just published a new &lt;a href="http://www.uoltj.ca/articles/vol3.1/2006.3.1.uoltj.Brands.205-223.pdf"&gt;research paper&lt;/a&gt; that attempts to bridge the privacy and identity camps. This is from the conclusion:&lt;br /&gt;&lt;blockquote&gt;Contrary to popular misbelief, identification and privacy are not opposite interests that need to be balanced. Advances in modern cryptography allow for the construction of compact user identifiers that combine all the benefits of noncertified self-generated identifiers with those of certified user identifiers while eliminating all of their respective drawbacks. It may be too much to ask that legislators, systems designers, and privacy activists intimately familiarize themselves with these modern technologies for user identification. However, it is important that they take note of their capabilities, in order to avoid stretching preconceived notions about identification and privacy that hold true in the physical world into the electronic world, where they no longer hold.&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-6861754652980357956?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/6861754652980357956/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=6861754652980357956' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6861754652980357956'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/6861754652980357956'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/05/privacy-and-identity-debate-gains-more.html' title='Privacy and Identity debate gains more 
traction'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-8131333461453475281</id><published>2007-05-01T06:51:00.000+02:00</published><updated>2007-05-01T06:54:32.974+02:00</updated><title type='text'>Identity 2.0 in TV 2.0</title><content type='html'>The great German video podcaster Mario Sixtus a.k.a. "The Electrical Reporter" did an &lt;a href="http://www.elektrischer-reporter.de/index.php/site/film/40/"&gt;interview&lt;/a&gt; with me on digital and analogue identity management and the problems I see with recent developments in this field. Only German, I'm sorry.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-8131333461453475281?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/8131333461453475281/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=8131333461453475281' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8131333461453475281'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8131333461453475281'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/05/identity-20-in-tv-20.html' title='Identity 2.0 in TV 2.0'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-1801002945208986681</id><published>2007-04-20T17:00:00.000+02:00</published><updated>2007-04-21T05:53:15.030+02:00</updated><title type='text'>Surveillance plans and the growing privacy movement in Germany</title><content type='html'>There are some very interesting developments in Germany at the moment. First the bad news (the rise of the surveillance state), then the good news (the rise of an anti-surveillance movement):&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Data retention and more surveillance plans&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The German government has endorsed the draft bill on telecommunications data retention two days ago. This project, implementing a EU directive that is already being challenged at the European Court of Justice, had been under heavy criticism for years. At the same time, the federal minister for the interior, Wolfgang Schäuble, has presented a new &lt;a href="http://www.zeit.de/online/2007/16/bildergalerie-sicherheitsplaene"&gt;"list of horror"&lt;/a&gt; (liberal weekly DIE ZEIT). On top of the surveillance apparatus built up in the 1970s and heavily expanded after 9/11, he wants to&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;do "preventive" dragnet investigations (i.e. 
data mining in private databases without suspicion),&lt;/li&gt;   &lt;li&gt;store fingerprints and other biometric data of all Germans who have passports in a networked database,&lt;/li&gt;   &lt;li&gt;use traffic toll data for law enforcement (when the "toll collect" system was started, everybody involved promised that the movement and camera data would never be used for repressive means),&lt;/li&gt;   &lt;li&gt;secretly hack into citizens' computers,&lt;/li&gt;   &lt;li&gt;do "preventive" phone interception,&lt;/li&gt;   &lt;li&gt;eavesdrop into the most private talks of citizens at home,&lt;/li&gt;   &lt;li&gt;use military force within German territory,&lt;/li&gt;   &lt;li&gt;shoot down airplanes that are hijacked by suspected suicide attackers, even when full of passengers,&lt;/li&gt;   &lt;li&gt;connect all databases of the state and federal police and intelligence agencies,&lt;/li&gt;   &lt;li&gt;give the US and others basically unlimited access to passenger data,&lt;/li&gt;   &lt;li&gt;re-establish the "principal witness" regulation (giving freedom to major criminals if they squeal on their former collaborators),&lt;br /&gt;&lt;/li&gt;   &lt;li&gt;and of course enact the data retention bill which would mandate ISPs and phone companies to store all traffic data of everybody in Germany for 180 days, with the police (after court approval) and intelligence agencies being able to access it.&lt;br /&gt;&lt;/li&gt; &lt;/ul&gt; Almost all of these projects have been either turned down by the constitutional court or the European Court of Justice in the past, or there are clear precedents in previous rulings that make clear they are unconstitutional. Because of that, Schäuble wants to change the constitution. 
This leads us to the good news:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Political resistance and the growing anti-surveillance movement&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.vorratsdatenspeicherung.de/"&gt;working group on data retention&lt;/a&gt;, a network of civil liberties organizations and other groups and individuals, has been organizing the resistance over the last year. They had two demonstrations last year which gained little attention and attracted less than 300 persons, partly due to short notice planning because of a parliament ruling and other circumstances. But now, the issue seems to have gained enough salience. It is reported on the front pages now, not in the "computer&amp;internet" section where it used to be hidden.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://graph-ix.net/images/misc/ak-vorrat/demo-frankfurt/demo-2007_04_14-ffm/dsc03962_jpg.jpeg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://1.bp.blogspot.com/_memBhDtxhTw/RijjMMjmn-I/AAAAAAAAAAc/Hv_aGYwo8fA/s320/Demo-Frankfurt-klein.JPG" alt="Demonstration in Frankfurt" border="0" /&gt;&lt;/a&gt;Last Saturday, we saw the result: More than 2000 people gathered in Frankfurt on a nice sunny day for the biggest &lt;a href="http://www.freiheit-statt-angst.de/"&gt;demonstration&lt;/a&gt; for privacy since the 1980s. Supporters have been very wide-ranging, from radical anti-fascist groups to the opposition parties and the federation of women's emergency call centers. The ISP associations did not officially support this, but a lot of them helped with logistics behind the scenes. 
Many of the ISP workers from Frankfurt also took part in the demonstration.&lt;br /&gt;&lt;br /&gt;The working group against data retention has also gathered more than 12 000 supporters for a &lt;a href="http://www.vorratsdatenspeicherung.de/?/content/view/51/77/"&gt;constitutional court challenge&lt;/a&gt; against data retention since November. It will be submitted on the day the bill is enacted. This will be the largest constitutional court case in Germany ever.&lt;br /&gt;&lt;br /&gt;The adoption of the data retention bill a few days after the demonstration, as well as Schäuble's plans, combined with an unclear statement by him on the presumption of innocence, have led to an outcry in the last few days.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.dataloo.de/wp-content/uploads/www.dataloo.de/stasi20-schablone.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://3.bp.blogspot.com/_memBhDtxhTw/RijtosjmoAI/AAAAAAAAAAs/bBf1XwkJfh4/s320/stasi-2-0-klein.jpg" alt="" id="BLOGGER_PHOTO_ID_5055551865134424066" border="0" /&gt;&lt;/a&gt;The &lt;a href="http://www.plomlompom.de/futurplom/1524/"&gt;said-to-be-non-political&lt;/a&gt; German blogosphere discussed these developments at a &lt;a href="http://www.re-publica.de/"&gt;large gathering&lt;/a&gt; in Berlin last week and, as a follow-up, has issued a &lt;a href="http://netzpolitik.org/2007/kreativ-gegen-die-vorratsdatenspeicherung-aber-bitte-schnell/"&gt;call for creative resistance&lt;/a&gt;. Many people had &lt;a href="http://netzpolitik.org/2007/stasi-20-und-die-vorratsdatenspeicherung-erste-ergebnisse/"&gt;nice ideas&lt;/a&gt;. Above all, blog posts that contain "Stasi 2.0" (a reference to East German secret police) with a picture of minister Schäuble are spreading quickly at the moment. Some have taken it to the offline world, too. 
Examples are &lt;a href="http://www.andreas.de/wordpress/archives/2007/04/20/stasi-20-plaktate-auf-dem-campus-der-universitat-des-saarlandes/"&gt;here&lt;/a&gt; and &lt;a href="http://netzpolitik.org/2007/kunstaktion-gegen-vorratsdatenspeicherung/"&gt;here&lt;/a&gt;. T-Shirts will be available &lt;a href="http://www.dataloo.de/stasi-20-525.html"&gt;soon&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;A &lt;a href="http://www.pledgebank.com/akvorrat"&gt;pledge&lt;/a&gt; to donate 5 Euros per month for the fight against data retention has also attracted a number of people.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.technorati.com/search/%22stasi+2.0%22"&gt;Technorati&lt;/a&gt; has seen an exponential growth of "Stasi 2.0" in the blogosphere.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_memBhDtxhTw/RijymsjmoBI/AAAAAAAAAA0/TsN3vTD_7es/s1600-h/stasi-20-technorati.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://3.bp.blogspot.com/_memBhDtxhTw/RijymsjmoBI/AAAAAAAAAA0/TsN3vTD_7es/s320/stasi-20-technorati.jpg" alt="" border="0" /&gt;&lt;/a&gt;For a short while, "Stasi 2.0" even was the most popular search term that came out of the German language space (technorati ranking #13).&lt;br /&gt;&lt;br /&gt;This week might be remembered as the moment in history where German bloggers noticed their power for distributed and creative political campaigns. 
At least, they have found a common enemy now.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Reactions from outside the internet community&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.djv.de/SingleNews.20.0.html?&amp;tx_ttnews%5Btt_news%5D=831&amp;amp;tx_ttnews%5Bbac%20kPid%5D=21&amp;amp;cHash=9cb761c900"&gt;journalists' and publishers' organizations&lt;/a&gt; saw the secrecy of their sources under attack by the data retention bill, and most mass media have more or less openly positioned themselves against the plans.&lt;br /&gt;&lt;br /&gt;Leading Social Democrats are openly moving away from Schäuble, and some have even &lt;a href="http://www.welt.de/politik/article821913/SPD_warnt_Schaeuble_vor_Guantnamo-Methoden.html"&gt;compared&lt;/a&gt; his attitude to Guantanamo. Even a few prominent conservatives have &lt;a href="http://de.today.reuters.com/news/newsArticle.aspx?storyID=2007-04-20T133142Z_01_HUM048693_RTRDEOC_0_DEUTSCHLAND-SICHERHEIT-ZF.xml"&gt;tried&lt;/a&gt; to slow him down (one even said he has to &lt;a href="http://www.heute.de/ZDFheute/inhalt/7/0,3672,5264391,00.html"&gt;think of Orwell&lt;/a&gt;), and the police union has &lt;a href="http://www.heise.de/newsticker/meldung/87751"&gt;openly questioned&lt;/a&gt; the necessity of these measures.&lt;br /&gt;&lt;br /&gt;The activist movement is already discussing the next demonstration and setting up local and regional groups. The working group on data retention now &lt;a href="http://spdcducsu.vorratsdatenspeicherung.de/"&gt;calls&lt;/a&gt; for chapters and members of the ruling parties SPD, CDU and CSU to sign an open letter against data retention. The "virtual local chapter", the internet branch of the Social Democrats is already supporting it.&lt;br /&gt;&lt;br /&gt;It will be crucial how the Social Democrats position themselves in the mid-term. 
The polls still show &lt;a href="http://www.presseportal.de/story.htx?nr=973359"&gt;support&lt;/a&gt; for the current domestic security policy (no questions about recent plans yet), but Schäuble's popularity has dropped (from 0.8 to 0.5 on a scale from -5 to +5). With the whole opposition, the majority of the media, large parts of the relevant industry, the churches and most societal groups against surveillance in this debate, it is likely that this will become an even hotter topic and a potential breaking point for the grand coalition in the coming month.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-1801002945208986681?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/1801002945208986681/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=1801002945208986681' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1801002945208986681'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/1801002945208986681'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/04/surveillance-plans-and-growing-privacy.html' title='Surveillance plans and the growing privacy movement in Germany'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://1.bp.blogspot.com/_memBhDtxhTw/RijjMMjmn-I/AAAAAAAAAAc/Hv_aGYwo8fA/s72-c/Demo-Frankfurt-klein.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-5339322018786841254</id><published>2007-04-12T13:04:00.000+02:00</published><updated>2007-04-12T13:10:42.114+02:00</updated><title type='text'>"Privacy and Identity" presentation at re:publica conference</title><content type='html'>I am in Berlin this week for the &lt;a href="http://re-publica.de/"&gt;re:publica07&lt;/a&gt;. My presentation on "Privacy and Identity" last night met a lot of interest, so here are the &lt;a href="http://userpage.fu-berlin.de/%7Ebendrath/Identity-Privacy-RB-04-2007.pdf"&gt;slides&lt;/a&gt;. The video will be made available later at the conference website. (It's in German this time.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-5339322018786841254?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/5339322018786841254/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=5339322018786841254' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5339322018786841254'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5339322018786841254'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/04/privacy-and-identity-presentation-at.html' title='&quot;Privacy and Identity&quot; presentation at re:publica conference'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' 
height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-8326467533473506307</id><published>2007-04-03T19:11:00.000+02:00</published><updated>2007-10-21T15:57:23.641+02:00</updated><title type='text'>OpenID - next big thing with lots of problems</title><content type='html'>&lt;a href="http://openid.net/"&gt;OpenID&lt;/a&gt; is becoming &lt;span style="font-style: italic;"&gt;the&lt;/span&gt; standard for decentralized identity management and single-sign-on; this was clear after Microsoft &lt;a href="http://bendrath.blogspot.com/2007/02/id-standards-war-is-over-but-what-now.html"&gt;announced&lt;/a&gt; they would make it interoperable with CardSpace. A short while ago OpenID even made it to the mainstream press when it was &lt;a href="http://www.usatoday.com/tech/webguide/internetlife/2007-03-15-openid_N.htm?csp=34"&gt;featured&lt;/a&gt; on the front page of USA Today's business section. I have looked into it a bit closer now, and I just can say it sucks.&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;Your identity provider is able to track all websites you log into. They even tell you it's a feature. User profiling made easy! This reminds me of the data retention plan in Europe, but here it is done voluntarily. 
Try to think of what can happen if this data falls into the wrong hands?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_memBhDtxhTw/RhKXETOzOWI/AAAAAAAAAAM/3FCVlEqf5lM/s1600-h/Verisign-OpenID+tracking.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_memBhDtxhTw/RhKXETOzOWI/AAAAAAAAAAM/3FCVlEqf5lM/s320/Verisign-OpenID+tracking.jpg" alt="" id="BLOGGER_PHOTO_ID_5049264232373369186" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;   &lt;li&gt;You have a unique identifier (your OpenID URI) for all relying parties, so you can't choose between different cards or identities for different sites. Cross-site profiling made easy!&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;   &lt;li&gt;The latter of course can be worked around if you use many different IDs. But then you run into the &lt;a href="http://identityblog.burtongroup.com/bgidps/2007/03/identitys_incon.html"&gt;usability problems&lt;/a&gt; that OpenID was meant to overcome in the first place - having to remember several logins, passwords and so on. The relation between usability and traceability seems to be proportional: If you have only one OpenID, usability is high, but traceability is equally high. 
If you have many different OpenIDs, you can not be traced across sites, but usability also goes down the drain!&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.ldap.com/1/commentary/wahl/20070220_dogtag.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 350px;" src="http://www.ldap.com/1/commentary/wahl/20070220_dogtag.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;  &lt;li&gt;It is open to the very easy &lt;a href="http://www.links.org/?p=187"&gt;kitten-phishing attack&lt;/a&gt;, and eavesdropping is no problem, as the identity tokens are posted through the http "post" command. Who in Web2.0 uses https?&lt;/li&gt; &lt;/ul&gt;Compared to Microsoft's InfoCard/CardSpace, this is an interesting example of how a big evil monopolist was outfoxed by the crowd / web2.0 community, though the former had the better product and the crowd was naive in believing their A-bloggers. 
I will be speaking about digital ID management on a few occasions in the coming weeks (&lt;a href="http://programm.re-publica.de/programm/events/8.de.html"&gt;here &lt;/a&gt;and &lt;a href="http://www.cfp2007.org/live/program.html"&gt;here&lt;/a&gt;), and I look forward to interesting discussions.&lt;br /&gt;&lt;br /&gt;Latest news: There is already a &lt;a href="http://www.deltalima2.de/aktion-openid-nein-danke"&gt;campaign against openID&lt;/a&gt; in Germany:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_memBhDtxhTw/RlV5iD_vCCI/AAAAAAAAABM/MJwtbf3qYSE/s1600-h/openID-nein-danke.gif"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_memBhDtxhTw/RlV5iD_vCCI/AAAAAAAAABM/MJwtbf3qYSE/s400/openID-nein-danke.gif" alt="" id="BLOGGER_PHOTO_ID_5068090581770504226" border="0" /&gt;&lt;/a&gt;The text on the banner means "For Security: OpenID - No, thanks! For Independence". Interesting how some people have understood the surveillance infrastructure that is building up here. Remember Lawrence Lessig: A system of perfect identity is a system of perfect control.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update&lt;/span&gt;, 24 May 2007: The campaign has been taken offline. 
I am hosting the logo here now for documentation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-8326467533473506307?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/8326467533473506307/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=8326467533473506307' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8326467533473506307'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/8326467533473506307'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/04/openid-next-big-thing-with-lots-of.html' title='OpenID - next big thing with lots of problems'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_memBhDtxhTw/RhKXETOzOWI/AAAAAAAAAAM/3FCVlEqf5lM/s72-c/Verisign-OpenID+tracking.jpg' height='72' width='72'/><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-3853404448414830437</id><published>2007-03-15T14:28:00.000+01:00</published><updated>2007-03-15T14:37:22.754+01:00</updated><title type='text'>Presentation on "Privacy and Social Software" online</title><content type='html'>I was in Vienna two weeks ago at a &lt;a href="http://tws.prolearn-project.org/programme.html"&gt;workshop on social software&lt;/a&gt;, organized by &lt;a 
href="http://www.prolearn-project.org/"&gt;ProLearn&lt;/a&gt;, an EU-funded "network of excellence" on e-learning. The workshop was interesting and had a nice international crowd. I got some new ideas for thinking theoretically and analytically about privacy (especially in terms of visibility and invisibility, and under which conditions this is a reward or a punishment), which is really the best you can expect at meetings like this.&lt;br /&gt;&lt;br /&gt;The organizers have uploaded the slides and podcasts of the presentations now. Mine on "Privacy and Social Software" is here (&lt;a href="http://leto-neu.zsi.at/%7Emargit/prolearn_tws_bendrath.ppt"&gt;ppt&lt;/a&gt;, &lt;a href="https://learn.wu-wien.ac.at/kalliope/tws/presentations/bendrath.mp4"&gt;mp4&lt;/a&gt;).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-3853404448414830437?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/3853404448414830437/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=3853404448414830437' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3853404448414830437'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/3853404448414830437'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/03/presentation-on-privacy-and-social.html' title='Presentation on &quot;Privacy and Social Software&quot; online'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-9105638374397271355</id><published>2007-03-10T21:34:00.000+01:00</published><updated>2007-03-10T21:45:18.285+01:00</updated><title type='text'>"Privacy and Identity" Presentations at 23C3 and CFP</title><content type='html'>The video of the presentation on &lt;a href="http://events.ccc.de/congress/2006/Fahrplan/events/1611.en.html"&gt;"Privacy, Identity, and Anonymity in Web 2.0"&lt;/a&gt; I gave with Udo Neitzel and Jan Schallaböck at the recent &lt;a href="http://events.ccc.de/congress/2006/Home"&gt;Chaos Communication Congress&lt;/a&gt; in Berlin is finally online. There are several &lt;a href="http://events.ccc.de/congress/2006/Streams"&gt;mirrors&lt;/a&gt; for downloading the video - just search for "identity" in the filename on any of them. The audio and video are not exactly synchronized (I'll ask them to fix this), but you get the idea.&lt;br /&gt;&lt;br /&gt;I am also happy to announce that our proposal for a similar session at the upcoming &lt;a href="http://www.cfp2007.org"&gt;"Computers, Freedom and Privacy" conference&lt;/a&gt; in Montreal in May has been accepted. We are currently trying to get a few more speakers on it; Caspar Bowden from Microsoft is already on board. And it looks like I'll also be on a related plenary panel there, together with people from Microsoft, Liberty, Privacy International, and Credentica. 
I hope to see many of my North American readers and colleagues there!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-9105638374397271355?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/9105638374397271355/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=9105638374397271355' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/9105638374397271355'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/9105638374397271355'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/03/privacy-and-identity-presentations-at.html' title='&quot;Privacy and Identity&quot; Presentations at 23C3 and CFP'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-5682498446527829686</id><published>2007-03-10T16:31:00.000+01:00</published><updated>2007-03-10T16:58:36.184+01:00</updated><title type='text'>Digital Security and Privacy for Human Rights Defenders</title><content type='html'>Privacy advocates in liberal Western democracies often face the problem of explaining the existential value of being able to hide and act anonymously. 
Many people have this intuitive &lt;a href="http://www.concurringopinions.com/archives/2006/05/is_there_a_good.html"&gt;"I have nothing to hide"&lt;/a&gt; attitude, which seems to be growing among the &lt;a href="http://nymag.com/news/features/27341/"&gt;young generation&lt;/a&gt;. The trust in governments, legal protection and human rights has certainly taken some punches recently because of the expanding surveillance programmes being set up under the guise of the "war on terror/child porn/whatever-fits-public-opinion", but to most people, it is not an existential problem but rather an abstract concern that maybe goes in line with a general frustration about politics.&lt;br /&gt;&lt;br /&gt;There are people in this world who actually risk their lives for a great cause, and who desperately need effective privacy for their protection. These are the human rights activists, researchers, and lawyers that work in openly oppressive countries and dictatorships. While many of them use computers, the practical problems and risks related to this are not widely understood. &lt;a href="http://privaterra.org/"&gt;Privaterra&lt;/a&gt;, the Toronto &lt;a href="http://www.citizenlab.org/"&gt;Citizen Lab&lt;/a&gt; and others have been working on this for the last couple of years with capacity-building workshops and technical help. One of the most active groups here has been &lt;a href="http://www.frontlinedefenders.org/"&gt;Front Line&lt;/a&gt;, a group based in Ireland that gives grants and also has its own operational activity.&lt;br /&gt;&lt;br /&gt;Front Line has just released a large manual titled "Digital Security and Privacy for Human Rights Defenders". 
The 164-page book (&lt;a href="http://www.frontlinedefenders.org/pdfs/esecman.en.pdf"&gt;pdf&lt;/a&gt;) contains systematic descriptions of privacy and security risks human rights defenders may face (and have faced), and has detailed and hands-on instructions for all kinds of protections, including computer settings and tools, but also workflow management, physical office security, and so on. The volume includes rich material and examples on the state of surveillance and oppression online, making it also worth a read for those not directly working in this field. Kudos to Dmitri Vitaliev who did all the work in pulling this together and writing most of the text.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-5682498446527829686?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/5682498446527829686/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=5682498446527829686' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5682498446527829686'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/5682498446527829686'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/03/digital-security-and-privacy-for-human.html' title='Digital Security and Privacy for Human Rights Defenders'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-7505455321360592111</id><published>2007-02-19T15:35:00.000+01:00</published><updated>2007-02-19T15:38:14.213+01:00</updated><title type='text'>CardSpace's Privacy Problems</title><content type='html'>From &lt;a href="http://www.links.org/?p=194"&gt;Ben Laurie&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;If Microsoft are really serious about providing “non-audit” (i.e. unlinkable) modes for CardSpace, then they need to get with the program and stop trying to pretend that they can do this with RSA signatures. It’s a shame that they’re going to such lengths to make CardSpace good but can’t quite seem to go the last mile and make their claims actually true. Perhaps they don’t want to?&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-7505455321360592111?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/7505455321360592111/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=7505455321360592111' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7505455321360592111'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/7505455321360592111'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/02/cardspaces-privacy-problems.html' title='CardSpace&apos;s Privacy Problems'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-117166789704615804</id><published>2007-02-16T23:24:00.000+01:00</published><updated>2007-02-20T18:11:50.172+01:00</updated><title type='text'>ID standards war is over - but what now?</title><content type='html'>So the heated &lt;a href="http://bendrath.blogspot.com/2007/01/id-standard-wars-episode-one-openid-vs.html"&gt;exchange&lt;/a&gt; of "mine is safer" arguments between Kim Cameron from Microsoft and Dick Hardt from Sxip was just the PR prelude to the great romantic ending in heightened public attention: Microsoft will be using OpenID and CardSpace together. It was &lt;a href="http://identity20.com/?p=90"&gt;announced&lt;/a&gt; like the next big thing at the RSA conference, and Verisign (the usual suspects for identity provision aka "I tell others about you, and they pay for it") as well as JanRain also signed the joint announcement. Everybody was keen to ensure that this is not some buy-out by Microsoft. Scott Kveton from JanRain &lt;a href="http://kveton.com/blog/?p=221"&gt;announced&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;"Microsoft did not cave in to the OpenID community and the OpenID community is giving nothing up to Microsoft."&lt;br /&gt;&lt;/blockquote&gt;Interestingly, just a day before that, some folks from Higgins, Bandit and Novell had &lt;a href="http://www.networkworld.com/newsletters/dir/2007/0212id2.html"&gt;demonstrated&lt;/a&gt; open source identity services that are interoperable with Microsoft's Windows CardSpace system and enable Liberty Alliance-based identity federation via Novell Access Manager. Microsoft CardSpace and Liberty specifications interoperating. Wow. But they were not Bill Gates, so it was not as widely reported. 
But the effect is that now, the three biggest players in the field cooperate (or "coopete", as some call it).&lt;br /&gt;&lt;br /&gt;Today, AOL &lt;a href="http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/02/15/aol-and-openid-where-we-are/1406"&gt;announced&lt;/a&gt; that they also will use OpenID for AIM. It looks like the standards wars are over. But what will follow from this?&lt;br /&gt;&lt;br /&gt;The core problem with CardSpace will remain: It may help against phishing, but it can also be used for tracking your movements through the web through the identity provider. At least our governments won't have such a difficulty anymore to decide which identity technology to use for your online "show your ID please" experience. I have not looked into OpenID enough to really see what the problems are, but my computer science friends tell me it's a big hole, and you can read about &lt;a href="http://usablesecurity.com/2007/01/20/phishing-and-openid/"&gt;man-in-the-middle attacks&lt;/a&gt; as well as &lt;a href="http://www.links.org/?p=187"&gt;phishing&lt;/a&gt; &lt;a href="http://www.links.org/?p=188"&gt;possibilities&lt;/a&gt;. A recent &lt;a href="http://www.pingidentity.com/InternetIdentity010707b.pdf"&gt;white paper&lt;/a&gt; by Ping Identity therefore &lt;a href="http://www.pingidentity.com/InternetIdentity010707b.pdf"&gt;concludes&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;"While not necessarily a concern for the use cases that initially motivated OpenID, such a privacy risk will limit OpenID’s success in more sensitive use cases (e.g. 
Internet banking, eCommerce, health care, etc)."&lt;br /&gt;&lt;/blockquote&gt;Gerry Gebel from the Burton Group also &lt;a href="http://identityblog.burtongroup.com/bgidps/2007/02/some_thoughts_o.html"&gt;has a very sober perspective&lt;/a&gt; on the convergence fuzz and the visions of an internet-wide identity system:&lt;br /&gt;&lt;blockquote&gt;"In his keynote, Bill Gates described a world in which every device, person, and datum will have a unique identifier, the network address space will vastly expand, and policies will be much more granular and specific than they are today. The scale of the policy management problem in that world will be orders of magnitude larger than it is today; where are the models which will support a solution?"&lt;/blockquote&gt;One thing that gives me hope is this here: Credentica has just &lt;a href="http://www.credentica.com/pr20070213.html"&gt;released&lt;/a&gt; its "U-Prove" ID management kit, which works with SAML, Liberty ID-WSF, and CardSpace while, according to the press release, massively enhancing the privacy of its users. Among other things, it allows for "sharing information without revealing source data". While I am not cryptographer enough to really understand zero-knowledge proofs and related fancy (and fuzzy) algorithms, Stefan Brands and his colleagues certainly know their stuff. 
Hopefully this or similar technology will also find widespread adoption.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-117166789704615804?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/117166789704615804/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=117166789704615804' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/117166789704615804'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/117166789704615804'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/02/id-standards-war-is-over-but-what-now.html' title='ID standards war is over - but what now?'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-117046234130521413</id><published>2007-02-03T00:18:00.000+01:00</published><updated>2007-02-03T23:31:08.266+01:00</updated><title type='text'>Criteria for Privacy-Enhanced Security</title><content type='html'>I was at a &lt;a href="http://prise.oeaw.ac.at/workshops.php"&gt;workshop&lt;/a&gt; in Copenhagen this week, organized by the EU-funded &lt;a href="http://prise.oeaw.ac.at/"&gt;PRISE project&lt;/a&gt; (Privacy and Security in Europe). It is an interesting beast. 
The EU commission has asked them to develop privacy criteria for the heap of "&lt;a href="http://bendrath.blogspot.com/2006/10/european-way-surveillance-while.html"&gt;security technology&lt;/a&gt;" funding it will give out in its 7th research framework programme. When I got the invitation, I first thought "ok, they take us as a fig leaf, but at least I get to Copenhagen". But then, the workshop really turned out interesting, open-minded, and even creative.&lt;br /&gt;&lt;br /&gt;After the keynotes, I participated in the interactive session on "&lt;a href="http://prise.oeaw.ac.at/PRISE_Criteria_CPH290107.pdf"&gt;criteria for privacy enhancing security technologies&lt;/a&gt;". Their idea was to develop some criteria for privacy impact assessments of future technologies, a bit similar to what is already being done for federal IT procurement in Canada, and even partially in the US, under the "e-Government Act" of 2002. The latter also tells you why these approaches are not really working. The general flaw is to first design the technology (even if only the rough architecture) and then see if it's good or bad in terms of privacy.&lt;br /&gt;&lt;br /&gt;What we came up with in Copenhagen was to implant privacy considerations very early on in the process of developing the system - at best when developing the rough vision. This is conventional wisdom among sociologists of technology, who moved from technology impact assessments to technology development as early as the 1980s. So we moved from criteria for the technology to criteria for the &lt;span style="font-style: italic;"&gt;process&lt;/span&gt; &lt;span style="font-style: italic;"&gt;of designing&lt;/span&gt; technology. This also should include &lt;span style="font-style: italic;"&gt;institutional&lt;/span&gt; checks and criteria, like "were any privacy experts continuously involved in this process?"&lt;br /&gt;&lt;br /&gt;But it went even further. 
We agreed that if you want to start building "privacy enhanced security technologies", you should first check if they are actually &lt;span style="font-style: italic;"&gt;security-enhancing&lt;/span&gt; technologies at all. Much of the stuff rolled out since 9/11 2001 is just "security theater", as Bruce Schneier calls it. It does not enhance security, but it often infringes on privacy. The criteria should be designed in such a way that in cases like this, they trigger a clear"no". So, we had again moved from designing technology to assessing if it is really an adequate &lt;span style="font-style: italic;"&gt;security solution&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;But there are security problems out there, sure. But the "solutions" (more correct: the security strategies) can be quite diverse. One participant told us of a big company that had thought about ordering a grand identification scheme for access controls or something like that. In the end, they gave it up, because it was cheaper, easier, and even more privacy-friendly to just buy an insurance. So, we had moved from criteria for working security solutions to criteria for assessig a &lt;span style="font-style: italic;"&gt;security strategy.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;But in the end, somebody mentioned that you still have so many security problems (or perceptions of them, at least), and only so little money. The same amount of money that is currently being spent on huge surveillance and dataming systems with very little hope to maybe find 40 terrorists in the EU could also be spent on significantly reducing the number of traffic casualties (car accidents still kill ten thousands annually in Europe) or HIV victims. The decision about what to focus on with your security strategy, and which strategy to take in the first place, is a political decision. 
It will always be a bit arbitrary (that is what makes it political by definition), but it is important to have the costs, benefits, and &lt;span style="font-style: italic;"&gt;alternatives&lt;/span&gt; in mind when making these decisions. How do you make sure this is done, and it is even done in a way people are explicitly informed about these often hidden alternatives (hegemonic discourse and agenda-setting, you know it), and can have a &lt;span style="font-style: italic;"&gt;reasoned debate&lt;/span&gt;? Well, the folks in the PRISE project will now have to think about it.&lt;br /&gt;&lt;br /&gt;This is what I liked so much about the workshop: We started with criteria on privacy-enhanced security technologies, and we ended with criteria for &lt;span style="font-style: italic;"&gt;rational government&lt;/span&gt;.&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-117046234130521413?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/117046234130521413/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=117046234130521413' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/117046234130521413'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/117046234130521413'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/02/criteria-for-privacy-enhanced-security.html' title='Criteria for Privacy-Enhanced Security'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-116862390659783982</id><published>2007-01-12T18:34:00.000+01:00</published><updated>2007-01-12T18:45:07.386+01:00</updated><title type='text'>ID Standard Wars, Episode One: OpenID vs CardSpace</title><content type='html'>As I wrote in the previous blog entry: "Big standards organizations (ISO, W3C, ANSI) have set up working groups on identity management recently. Expect some interesting standard wars here in the short run." That was of course not intended to mean that only public institutions can fight each other.&lt;br /&gt;&lt;br /&gt;Some private sector players are currently heating up their blog-to-blog debate. Dick Hardt from Sxip and Kim Cameron from Microsoft are discussing if OpenID or Windows CardSpace is more secure. See a summary at &lt;a href="http://blogs.zdnet.com/digitalID/?p=82"&gt;ZDNet&lt;/a&gt; or the original posts by Kim and Dick. Chronological order: &lt;a href="http://www.identityblog.com/?p=649"&gt;Kim&lt;/a&gt; - &lt;a href="http://identity20.com/?p=87"&gt;Dick&lt;/a&gt; - &lt;a href="http://www.identityblog.com/?p=650"&gt;&lt;/a&gt;&lt;a href="http://www.identityblog.com/?p=650"&gt;Kim&lt;/a&gt; - &lt;a href="http://identity20.com/?p=88"&gt;Dick&lt;/a&gt;. 
To be continued.&lt;br /&gt;&lt;br /&gt;I just wish they would put as much energy into discussing which system is more privacy-friendly.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-116862390659783982?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/116862390659783982/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=116862390659783982' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116862390659783982'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116862390659783982'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/01/id-standard-wars-episode-one-openid-vs.html' title='ID Standard Wars, Episode One: OpenID vs CardSpace'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-116793281130363774</id><published>2007-01-04T17:38:00.000+01:00</published><updated>2007-01-08T02:42:07.366+01:00</updated><title type='text'>Identity Management Systems and the State from 1500 to 2008</title><content type='html'>&lt;p style="font-style: italic;"&gt;The following is an edited part from my &lt;a href="http://events.ccc.de/congress/2006/Fahrplan/events/1611.en.html"&gt;"Privacy, Identity and Anonymity"&lt;/a&gt; manuscript from the CCC congress. 
It looks like the official video of the presentation takes a bit longer to get online, and the &lt;a href="http://events.ccc.de/congress/2006/Streams#unofficial_recordings"&gt;unofficial recordings&lt;/a&gt; seem to have not recorded all sessions. Just making the slides available would not help, because we mainly used pictures and single words, which are hard to understand without hearing us. So you have to read.&lt;br /&gt;&lt;/p&gt;As the sociologists have told us: Managing your identity is managing which roles you have in relation to different people and contexts. Corporate identity management systems have done role management for quite a while. They use role modelling for differentiating the several tasks their employees can take. Who can enter the premises? Who has access to which database? Who can authorize buy and sell orders for which amount of money? This is where the big players like Oracle, Novell, or Sun come from. They call it "provisioning" or "workflow auditing". In the end, of course, it is about controlling employees.&lt;br /&gt;&lt;p&gt;And this is one of the most fundamental functions of identity management systems: Control.&lt;/p&gt;These ID vendors are now also trying to roll it out for the web. Here, ID management from the customer’s perspective (so-called "grassroots identity") is merging with ID management from the corporate perspective. The web companies are also working on it. Yahoo is doing this with its “BBAuth” service, Google is doing it with “Google Accounts”, Microsoft tried it with Passport and failed big time. They are now coming back with InfoCards AKA CardSpace.&lt;br /&gt;&lt;br /&gt;Because of all these different approaches, big standards organizations (ISO, W3C, ANSI) have set up working groups on identity management recently. Expect some interesting standard wars here in the short run.&lt;br /&gt;&lt;br /&gt;Looking back in history: Who was the first to establish identity management and identification systems? 
It was the early modern European state. At that time, the first laws were enacted that made it illegal to change your name without government approval. Now, in order to make sure to others that you are the person whose name you pretend to have, you need some extra proof. Normally this takes the form of identity tokens. First, they used to be official letters or seals, and later, we saw the development and spread of passports and ID cards.&lt;br /&gt;&lt;p&gt;The emergence of the computer then replaced names with numbers – social security numbers, tax numbers, passport numbers, and so on. But the idea is actually much older. Jeremy Bentham, who invented the idea of the Panopticon, also suggested that every citizen should have a serial number tattooed on his arm.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;But even today, your tattoo is not transmitted when you go online. So, some governments now want to establish a certified, official link between your real physical identity and your online identity. Because this holds quite some potential for large-scale surveillance and control of online behaviour, a lot of people don’t like this idea. Especially in countries without ID cards, people still distrust the idea of mandatory online (and offline) identification systems.&lt;br /&gt;&lt;br /&gt;So, what do you do as a security politician or a government agency that wants to establish a tighter infrastructure for control? How do you set up such a system? You start with groups like foreigners or criminals that get little support for their rights in the general population. US Senator John McCain has drafted this &lt;a href="http://politechbot.com/docs/mccain.child.sex.offender.120806.pdf"&gt;bill&lt;/a&gt;, which would force all convicted sexual offenders to register all their email-accounts and all other online identities with the authorities. And they are dead serious about this: If people fail to register, they will face up to ten years of imprisonment. 
Remember, this is not for raping someone, this is just for not telling the government all your online user names and pseudonyms. Can you remember all of the logins you ever created?&lt;/p&gt;&lt;p&gt;But welcome to Germany, the land of more advanced bureaucracy. The &lt;a href="http://www.bmi.bund.de/cln_012/Internet/Content/Common/Anlagen/Themen/Moderne__Verwaltung/DatenundFakten/E-Government__zwei__null,templateId=raw,property=publicationFile.pdf/E-Government_zwei_null.pdf"&gt;"E-Government 2.0" program&lt;/a&gt;, published by the German Interior Ministry in September, has an interesting chapter on electronic ID-cards and "e-Identity". They plan to issue an electronic ID-card from 2008 on, which will enable people to authenticate themselves online with their government-certified ID.&lt;/p&gt;So in Germany, registration of your online identity with the authorities is not a “for criminals only” thing. It will apply to the whole population. And the private sector will love it, as it gives them a better means to control their customers. In the end, we might end up with the government as the ultimate trusted third party or ID provider, and get a "perfect" ID management system that encompasses everybody. (Of course, according to democratic theory, you should not trust governments, but control them and limit their power.)&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;How will the government build the infrastructure for this? Well, they say they are currently working together with the private sector and some big IT corporations. And this is of course where "Identity 2.0", Windows Vista CardSpace and all the rest comes into the picture.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The few critical contributions to the digital identity debate so far have largely focused on the privacy implications: How likely is tracking of people with these systems? It seems to me we should also think about the zoning aspects. 
Will the internet with an identity layer on top of it still be a space where we can more or less freely move around, or will it be divided into bordered national territories, fenced corporate playgrounds, and only a few open/outlaw places?&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-116793281130363774?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/116793281130363774/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=116793281130363774' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116793281130363774'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116793281130363774'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/01/identity-management-systems-and-state.html' title='Identity Management Systems and the State from 1500 to 2008'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-116792324538233958</id><published>2007-01-04T14:53:00.000+01:00</published><updated>2007-01-04T17:16:41.643+01:00</updated><title type='text'>Get 'em while they're young</title><content type='html'>I've been reading, thinking, and blogging about identity management in the last few months, and my own thoughts, together with discussions with colleagues from computer science and law, 
have made me more and more sceptical that identity infrastructures can or will be privacy-enhancing at all. For the general reasoning, read my older posts and have a look at e.g. &lt;a href="http://cyber.law.harvard.edu/home/2006-01"&gt;this paper&lt;/a&gt; or &lt;a href="http://bendrath.blogspot.com/2006/11/stefan-brands-on-user-centric-identity.html"&gt;this presentation&lt;/a&gt;, or wait for the video of my &lt;a href="http://events.ccc.de/congress/2006/Fahrplan/events/1611.en.html"&gt;presentation&lt;/a&gt; at the recent Berlin hackers conference. Or let me refer you to Lawrence Lessig, who as early as 1999 made a major point in his book on &lt;a href="http://www.code-is-law.org/"&gt;"Code and other Laws of Cyberspace"&lt;/a&gt; on how identification enables zoning, which in turn enables control. Control of course limits freedom, and identification also limits privacy.&lt;br /&gt;&lt;br /&gt;Having said this, I was surprised by a &lt;a href="http://news.bbc.co.uk/1/hi/scotland/6210977.stm"&gt;report&lt;/a&gt; about the Scottish Secondary Teachers' Association (SSTA) that wants all secondary pupils in Scotland to carry photo ID cards. Their argument was it would stop bullying - yes, bullying!&lt;br /&gt;&lt;blockquote&gt;The SSTA's general secretary, David Eaglesham, said the time had come for photographic identification to be added to the cards used to access school facilities. 
"Introducing photo ID cards will help bring an end to bullying over use of 'cash free' cards for school meals".&lt;/blockquote&gt;Of course, according to the SSTA, it would also enhance exams security and "assist with access to school bus services" (read: control access to school buses).&lt;br /&gt;&lt;br /&gt;But the hidden agenda is elsewhere, and my feeling of being surprised came from how openly it was articulated:&lt;br /&gt;&lt;blockquote&gt;He said that introducing such a system would also help prepare young people for "the realities of identity management in the 21st Century".&lt;/blockquote&gt;Yeah, great. Why not also start fingerprinting all pupils, taking their DNA, putting surveillance cameras in the classroom and forcing them to not leave their bags unattended or else they will be blown up by a SWAT team? By establishing this kind of stuff in schools, you create little monsters and authority-obeying subjects, not people who have fun being curious and learning. I totally subscribe to the reaction by Green Party MSP Patrick Harvie:&lt;br /&gt;&lt;blockquote&gt;"We should be preparing young people for the reality of defending their privacy and civil liberties against ever-more intrusive government systems".&lt;/blockquote&gt;Again, Bruce Schneier hits the mark here:&lt;br /&gt;&lt;blockquote&gt;It's important that schools teach the right lessons, and "we're all living in a surveillance society, and we should just get used to it" is not the right lesson.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-116792324538233958?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/116792324538233958/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=116792324538233958' title='0 
Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116792324538233958'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116792324538233958'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2007/01/get-em-while-theyre-young.html' title='Get &apos;em while they&apos;re young'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-116688129832175905</id><published>2006-12-23T14:28:00.000+01:00</published><updated>2006-12-23T14:41:38.333+01:00</updated><title type='text'>Speaking at the CCC Congress in Berlin</title><content type='html'>I will be at the upcoming &lt;a href="http://events.ccc.de/congress/2006/Home"&gt;Chaos Communication Congress&lt;/a&gt;, the largest hacker convention in Europe. I am happy that they accepted both presentations I had submitted. They are both on the first day (Dec 27th):&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;&lt;a href="http://events.ccc.de/congress/2006/Fahrplan/events/1611.en.html"&gt;"Privacy, Identity, and Anonymity in Web 2.0"&lt;/a&gt; (with Udo Neitzel and Jan Schallaböck), 16:00, hall 1&lt;/li&gt;   &lt;li&gt;&lt;a href="http://events.ccc.de/congress/2006/Fahrplan/events/1609.en.html"&gt;"Data Retention: Update on Implementation and Opposition"&lt;/a&gt; (with Patrick Breyer and Rikke Frank Jørgensen), 23:00, hall 2&lt;/li&gt; &lt;/ul&gt; I'll try to make the slides available right afterwards, and the videos will be on the congress server later. 
They also plan to &lt;a href="http://events.ccc.de/congress/2006/Streams"&gt;live stream&lt;/a&gt; everything, but demand is high.&lt;br /&gt;&lt;br /&gt;We also have a meeting of the German &lt;a href="http://www.vorratsdatenspeicherung.de/"&gt;Working Group against Data Retention&lt;/a&gt;, 28th Dec, 15:00, hall 4.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-116688129832175905?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/116688129832175905/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=116688129832175905' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116688129832175905'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116688129832175905'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2006/12/speaking-at-ccc-congress-in-berlin.html' title='Speaking at the CCC Congress in Berlin'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-116647703518579130</id><published>2006-12-18T22:18:00.000+01:00</published><updated>2006-12-18T22:23:55.206+01:00</updated><title type='text'>Terror Forecast on TV</title><content type='html'>Funny to-the-point &lt;a href="http://www.youtube.com/watch?v=Dmnpph86B8U"&gt;parody&lt;/a&gt; of the terrorism alert warnings by the Department of Homeland 
Security. We need more people to laugh about all this fear, uncertainty and doubt (FUD).&lt;br /&gt;&lt;br /&gt;(via &lt;a href="http://www.schneier.com/blog/"&gt;Bruce Schneier&lt;/a&gt;, who also just blogged about a scary example of &lt;a href="http://www.lightbluetouchpaper.org/2006/09/26/closing-in-on-suspicious-transactions/"&gt;"When Computer-Based Profiling Goes Bad"&lt;/a&gt;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-116647703518579130?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/116647703518579130/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=116647703518579130' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116647703518579130'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116647703518579130'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2006/12/terror-forecast-on-tv.html' title='Terror Forecast on TV'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-116533571655012256</id><published>2006-12-05T17:14:00.000+01:00</published><updated>2006-12-05T17:54:56.983+01:00</updated><title type='text'>First Monday special issue on "Identity and Identification"</title><content type='html'>Some of the papers presented at a symposium on "&lt;a 
href="http://www.law.nyu.edu/ili/colloquia/identitysymposium/"&gt;Identity and Identification in a Networked World&lt;/a&gt;" that was held at New York University in September have now been published in a &lt;a href="http://www.firstmonday.org/issues/issue11_12/"&gt;special issue of "First Monday"&lt;/a&gt;. They look at online identities from different social science perspectives:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.firstmonday.org/issues/issue11_12/schneider/index.html"&gt;Identity and Identification in a Networked World&lt;/a&gt; by Tim Schneider and Michael Zimmer&lt;/li&gt;&lt;br /&gt;&lt;li&gt; &lt;a href="http://www.firstmonday.org/issues/issue11_12/boyd/index.html"&gt;Friends, Friendsters, and Top 8: Writing community into being on social network sites&lt;/a&gt; by Danah Boyd&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://www.firstmonday.org/issues/issue11_12/schesser/index.html"&gt;MySpace on the record: The admissibility of social website content under the federal rules of evidence&lt;/a&gt; by Stacy Schesser&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://www.firstmonday.org/issues/issue11_12/pinero/index.html"&gt;On panopticism, criminal records and sex offender registries&lt;/a&gt; by Verónica B. 
Piñero&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://www.firstmonday.org/issues/issue11_12/bigge/index.html"&gt;The cost of (anti-)social networks: Identity, agency and neo-luddites&lt;/a&gt; by Ryan Bigge&lt;/li&gt;&lt;/ul&gt;Update: Michael Zimmer, one of the organizers, has &lt;a href="http://michaelzimmer.org/2006/12/05/iinw-in-first-monday/"&gt;all the abstracts&lt;/a&gt; in his blog.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-116533571655012256?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/116533571655012256/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=116533571655012256' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116533571655012256'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116533571655012256'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2006/12/first-monday-special-issue-on-identity.html' title='First Monday special issue on &quot;Identity and Identification&quot;'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-116524784738517246</id><published>2006-12-04T16:09:00.000+01:00</published><updated>2006-12-04T16:57:32.803+01:00</updated><title type='text'>The Global Governance of Privacy and Identity</title><content type='html'>International 
organizations, originally created by states to coordinate their policies in specific fields, are starting to become more aware of identity management developments. At the same time, these organizations are collaborating more and more with non-state actors like business and public interest groups. A short list:&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;The ITU has just released its new report &lt;a href="http://www.itu.int/osg/spu/publications/digitalife/index.html"&gt;"digital.life"&lt;/a&gt;, covering a wide array of issues related to digital lifestyle. Chapter four is titled "identity.digital", and it contains a thoughtful discussion of digital ID management issues and developments. The conclusion says:&lt;br /&gt;&lt;blockquote&gt;"legal and policy considerations require further harmonization at the global level. (...) In order to ensure the global impact of such a system, dialogue at the international level seems indispensable."&lt;br /&gt;&lt;/blockquote&gt;&lt;/li&gt;   &lt;li&gt;The EU has been funding several research projects in this context, like &lt;a href="https://www.prime-project.eu/"&gt;PRIME&lt;/a&gt;, &lt;a href="http://www.fidis.net/"&gt;FIDIS&lt;/a&gt;, &lt;a href="https://rami.jrc.it/roadmaps/rapid/"&gt;RAPID&lt;/a&gt;, and &lt;a href="http://istrg.som.surrey.ac.uk/projects/guide/"&gt;GUIDE&lt;/a&gt;, the latter dealing with user-ids in e-government contexts.&lt;/li&gt;   &lt;li&gt;The OECD has announced that it will look closer into digital ID management in 2007, building upon its &lt;a href="http://www.olis.oecd.org/olis/2003doc.nsf/LinkTo/dsti-iccp-reg%282003%299-final"&gt;earlier work&lt;/a&gt; on digital signatures and authentication as well as online ID-theft.&lt;br /&gt;  &lt;/li&gt;   &lt;li&gt;The OECD-APEC &lt;a href="http://www.oecd.org/dataoecd/1/23/35808919.pdf"&gt;workshop&lt;/a&gt; in Seoul in September 2005 already had a session on "Comparing legislative and policy approaches to identity management and to security of information 
systems and networks".&lt;/li&gt;   &lt;li&gt;The recent UN Internet Governance Forum saw the &lt;a href="http://bendrath.blogspot.com/2006/11/dynamic-coalition-on-privacy-launched.html"&gt;launch&lt;/a&gt; of a &lt;a href="http://igf2006.intgovforum.org/wiki/Privacy"&gt;Dynamic Coalition on Privacy&lt;/a&gt;, which is planning to come up with recommendations in this field, among other things.&lt;/li&gt;   &lt;li&gt;There is also some interest developing in the private sector for global public policy harmonization. See e.g. Microsoft's Jerry Fishenden who suggested a &lt;a href="http://www.ntouk.com/?view=plink&amp;amp;id=161"&gt;"UN Charter for Digital Identity"&lt;/a&gt;.&lt;/li&gt; &lt;/ul&gt; Technology governs, as we have learned from the early sociologists of technology as well as from Lawrence Lessig and others elaborating this for cyberspace. It is good to see that the global governance of digital identity is no longer left to the technologists and private vendors alone, and that bodies charged with protecting the public interest and constitutional principles like privacy are getting more involved in this.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34116157-116524784738517246?l=bendrath.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/116524784738517246/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=116524784738517246' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116524784738517246'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116524784738517246'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2006/12/global-governance-of-privacy-and.html' 
title='The Global Governance of Privacy and Identity'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-116517443333413233</id><published>2006-12-03T18:30:00.000+01:00</published><updated>2006-12-06T13:59:09.416+01:00</updated><title type='text'>The Politics of "Identity Governance"</title><content type='html'>Oracle has &lt;a href="http://www.oracle.com/corporate/press/2006_nov/Identity-Governance-Framework.html"&gt;announced&lt;/a&gt; the &lt;a href="http://www.oracle.com/goto/igf"&gt;"Identity Governance Framework"&lt;/a&gt;, a set of draft standards for sharing and controlling personally identifiable information across different systems and applications. It is a back-end complement to data input and authentication front-ends like Microsoft's &lt;a href="http://www.identityblog.com/?page_id=355"&gt;Infocards/CardSpace&lt;/a&gt;, the Liberty Alliance's &lt;a href="http://www.projectliberty.org/index.php/liberty/specifications__1"&gt;Identity and Web Services Federation&lt;/a&gt; (ID-WSF), Eclipse.org's &lt;a href="http://www.eclipse.org/higgins/"&gt;Higgins Trust Framework&lt;/a&gt;, OASIS' &lt;a href="http://www.oasis-open.org/specs/index.php#spmlv2.0"&gt;Service Provisioning Markup Language&lt;/a&gt; (SPML) and &lt;a href="http://www.oasis-open.org/specs/index.php#samlv2.0"&gt;Security Assurance Markup Language&lt;/a&gt; (SAML), or older standards for transmitting user data in web connections like the W3C's &lt;a href="http://www.w3.org/TR/P3P/"&gt;Platform for Privacy Preferences Protocol&lt;/a&gt; (P3P). 
While the latter provide a unified platform for collecting and transmitting identifiable data to a web service provider, back-end systems are needed to ensure that the data is not flowing freely once the user has given it away and it has entered the corporate data warehouse. Similar approaches are the &lt;a href="http://www.datenschutzzentrum.de/epal/epalresources_en.htm"&gt;Enterprise Privacy Authorization Language&lt;/a&gt; (EPAL) or IBM's approach to have a "sticky" privacy policy that is attached to the user data and moves with it. Similar ideas that are more privacy-friendly and even minimize the collection and transmission of personal data in the first place are currently being developed in the EU-funded &lt;a href="https://www.prime-project.eu/"&gt;PRIME project&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Oracle has taken an application-centered perspective here, consistent with its general strategy for &lt;a href="http://blogs.oracle.com/talkingidentity/2006/08/21#a50"&gt;application-centered identity management&lt;/a&gt;. From the press release:&lt;br /&gt;&lt;blockquote&gt;The IGF provides a standard mechanism for organizations to establish "contracts" between their applications and sources of identity data.&lt;/blockquote&gt;As a political scientist, I was surprised by the use of the word "governance" in this context (and because the abbreviation IGF is also used for the new UN &lt;a href="http://www.intgovforum.org/"&gt;Internet Governance Forum&lt;/a&gt; in which I am &lt;a href="http://bendrath.blogspot.com/2006/11/dynamic-coalition-on-privacy-launched.html"&gt;involved&lt;/a&gt;). But Oracle is right with the wording: Like all governance processes and frameworks, there are many options and decisions to be made, and that is where politics comes into play. You can exemplify this on several levels. 
Let me just take the Identity Governance Framework as an example:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Discourse&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;In the good old days, the social value to be safeguarded was called "privacy". Then came computers, and the ugly word "data protection" took over. The semantic move was subtle, but worked to some extent: It was about protecting the data (i.e. the computers on which they reside), not the privacy of the persons the data was about. After the rise of the Internet, it started to be called "privacy and identity management". The idea of protecting data or persons got lost and was replaced by "management". Instead, "identity" was introduced, which also includes an idea of control: The users have to authenticate themselves. Nowadays, it is mostly called just "identity management", and the idea of privacy has to be re-introduced as a kind of add-on, like in the &lt;a href="http://bendrath.blogspot.com/2006/10/laws-of-identity-20-now-privacy.html"&gt;"privacy-embedded laws of identity"&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;So, it sounds like the discourse of identity has won over the discourse on privacy. By introducing the term "governance", Oracle makes it clearer again that it is not just a corporate process, as "identity management" sounds like, but includes externally set values and goals.&lt;br /&gt;&lt;br /&gt;An interesting development. It is still unclear to me how "privacy" could systematically be inserted into this on the semantic level, as it would be one of many theoretically possible goals of the governance of identity. On the other hand, "governance" here just means enforcement of data-usage policies inside the corporation. In political science, "governance" has a far wider meaning, including public laws, private-public partnerships, standards, private contracts, education, publicity and so on. 
The Identity Governance Framework in this perspective is just enabling the operational implementation of values set in the larger network of institutions that deal with the governance of personal information - privacy governance, that is.&lt;br /&gt;&lt;br /&gt;Of course, reality is much more complex, and there are always competing discourses, side-branches and so on. But this big picture with little complexity should do for the moment, if we look at the private sector perspective on it. I also did not attempt a Foucault-inspired discourse analysis, which would focus much more on the governmentality of the modern bureaucracy that rose and developed together with the practices and laws of identity management from the 15th century on. (My former colleague Christoph Engemann is currently finishing a book about the latter, and I am looking forward to getting it as soon as possible.)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Law&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The background for Oracle's move was the growing pressure by governments and the EU on corporations to limit access to data and its flow across enterprise units and to partners. Oracle refers to this in their press release:&lt;br /&gt;&lt;blockquote&gt;Organizations today are struggling to balance the need to meet regulatory mandates and secure personal information while maintaining streamlined business processes. (...) With the IGF, organizations can more easily determine and control how identity information - including Personally Identifiable Information, access entitlements and personal attributes - is used, stored, and propagated across diverse systems, helping ensure the information is easily auditable and not abused, compromised or misplaced.&lt;/blockquote&gt;Some people tend to praise the recent moves by large IT companies to better protect the privacy of customer and user data. But they largely build the technical infrastructures that implement these protections. 
The original incentive for this is external, and it is coming from public institutions and laws: The EU privacy directives, the Safe Harbor agreement, US auditing regulations like Sarbanes-Oxley, and others. This reminds us that over the excitement about new technological approaches towards privacy and identity protection, we should not forget the enduring importance of public policy - and in the end, the state and its regulatory agencies.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Institutions&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;There are many options for how to make a set of technological definitions a standard. It can be mandated by the state (hierarchical governance), it can be selected at the marketplace (decentralized governance), or it can be defined by a committee like the W3C or the IETF (horizontal governance). Sometimes we find hybrid forms, e.g. when two or more committees compete at the market. Identity management is currently a living laboratory for these hybrid forms. The Identity Governance Framework was developed by Oracle in their attempt to integrate identity management products they had acquired from other companies. The first drafts will be further developed now with Sun, Novell, CA, Ping Identity, Layer 7, and Securent. Sun is the most interesting player here, because it has been the main driver behind the Liberty Alliance that developed an open identity federation standard (as a reaction to Microsoft's centralized Passport project). So we have a club or an alliance that is competing with other players.&lt;br /&gt;&lt;br /&gt;As the next step, Oracle plans to submit the IGF drafts to a standards body. Which one will this be? Sun of course is pushing towards the Liberty Alliance. Other options may be OASIS, Eclipse.org, or the W3C. 
Oracle is also pressing for speed, as they &lt;a href="http://www.infoworld.com/article/06/11/29/HNoracleigf_1.html"&gt;made clear&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;Our goal is to take this into a standards organization as quickly as possible to get the (intellectual property) stuff figured out, and not sit around and waste a lot of time and energy.&lt;br /&gt;&lt;/blockquote&gt;This focus on speed is understandable, because the Identity Governance Framework has to catch up with older developments like EPAL or IBM's sticky policy. But it could backfire. Important players like IBM, Microsoft or SAP are not on board yet, and they will be needed if this is to become a widely-used standard. If the IGF alliance moves too fast, its standard will only be applied in a part of the general market for enterprise-wide identity management. Inclusiveness and speed are conflicting goals here, as can be learned from the general theory of standardization processes and their institutional design. Speed can only be useful if you are the first mover and have enough market power. The choice of the standards body to which the final IGF drafts will be submitted will have an impact on how widely the technology is accepted as well as on the speed at which it is agreed upon.&lt;br /&gt;&lt;br /&gt;Maybe Oracle is just trying to secure its market share and aiming at a fragmented market, with the Identity Governance Framework driven by Oracle, Novell and Sun getting one part, IBM with its Tivoli Privacy Manager another one, and SAP with its own technologies as the third major one. 
I'd love to know where Microsoft fits into the picture here.</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/116517443333413233/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=116517443333413233' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116517443333413233'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116517443333413233'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2006/12/politics-of-identity-governance.html' title='The Politics of &quot;Identity Governance&quot;'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-116480887732773365</id><published>2006-11-29T14:00:00.000+01:00</published><updated>2006-11-29T15:07:49.920+01:00</updated><title type='text'>Who Controls the "Dog" that You are Online?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/x/blogger/4861/3755/1600/883602/pointless-barking.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://photos1.blogger.com/x/blogger/4861/3755/320/14515/pointless-barking.jpg" alt="" border="0" /&gt;&lt;/a&gt;Slate has published a nice and 
polemical &lt;a href="http://www.slate.com/id/2154507/?nav=tap3"&gt;column&lt;/a&gt; by &lt;span class="byline"&gt;Michael Kinsley &lt;/span&gt;about how the public display of people's lives on the internet has changed in the last ten years. He reminds us of the famous cartoon by Peter Steiner &lt;a href="http://www.cartoonbank.com/search_results_category.asp?sitetype=1&amp;section=cartoons&amp;amp;keyword=internet+nobody+dog"&gt;"On the Internet, nobody knows you're a dog"&lt;/a&gt;, first published in &lt;span style="font-style: italic;"&gt;The New Yorker&lt;/span&gt; in July 1993.&lt;br /&gt;&lt;br /&gt;Nowadays, it seems that everybody wants everybody else to know not only that they're a dog, but also which kind of dog, where they live, which dogfood they like, and who their dog buddies are. It started already in Web1.0, but social platforms like Myspace or Facebook on the one hand, and free blogging services like this one here on the other, have made it much easier for everybody to publish online without having to know HTML codes or how to use an FTP server. And of course, publishing includes publishing things about themselves. This is a common theme among the people who think about what privacy and anonymity used to be, and it is not limited to the internet.&lt;br /&gt;TV shows like "Big Brother" or others are also based on the principle of showing private details to the general audience. At a privacy congress I co-organized in 2002, we already had this as a theme in the opening session, and that was long before Web2.0. (The German documentation is &lt;a href="http://www.boell.de/downloads/medien/save_privacy_reader.pdf"&gt;here&lt;/a&gt;.)&lt;br /&gt;&lt;br /&gt;But Kinsley and a lot of others always miss three important points.&lt;br /&gt;&lt;br /&gt;First, the problem is not that people publish information about themselves. This is free speech, and I would always fight for everybody's right to be able to do it. 
But that does not mean that I also want to &lt;span style="font-style: italic;"&gt;have to&lt;/span&gt; do it myself. The privacy problems do not lie in the fact that people become more outspoken about themselves (which is just one side-effect of the current neoliberal model of society, where everybody is his own entrepreneur), but in the extent to which people are &lt;span style="font-style: italic;"&gt;forced&lt;/span&gt; to publish about themselves - socially, legally or economically.&lt;br /&gt;&lt;br /&gt;Second, what the online community still has to learn is the fact that just because something is online &lt;span style="font-style: italic;"&gt;somewhere&lt;/span&gt; about someone else, it is not automatically appropriate to tell everybody else &lt;span style="font-style: italic;"&gt;everywhere&lt;/span&gt; about this. This is what Helen Nissenbaum has called &lt;a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=534622"&gt;"contextual integrity"&lt;/a&gt;: My buddies at Myspace meet me there in my &lt;span style="font-style: italic;"&gt;private&lt;/span&gt; role, where things that are relevant and expected are much different from what my boss should see if he's looking for my &lt;span style="font-style: italic;"&gt;professional&lt;/span&gt; online behaviour, e.g. at our institute's website. Different information about people is relevant and should be used in different contexts. In the old times, people called it politeness and discretion, and it included the fact that gossiping was highly regulated through social norms. We still have to learn how to use information about others in an appropriate way in the new online contexts - even if it is theoretically out there for all the world to see.&lt;br /&gt;&lt;br /&gt;Third, all this relates to what people publish about &lt;span style="font-style: italic;"&gt;themselves&lt;/span&gt;. 
It's a totally different thing if &lt;span style="font-style: italic;"&gt;I&lt;/span&gt; publish information about myself, or if &lt;span style="font-style: italic;"&gt;others&lt;/span&gt; collect, store, transfer, and use information about me. In the latter case, I have much less control over it (even under strong European data protection law). Even more important, some data that is collected is much more detailed than I would ever publish or even write down for myself. Cookies, referrers and other technologies allow others to track which websites I visit, how long I read them, where I go next, which ads I click and so on. This is the shift from transactional data in the offline world (e.g. credit card bills when I go shopping) to behavioural data that now is produced in the online world (how often I return to a website, when I read a specific blog etc.). So it's both the amount of data and the information it reveals that is becoming much bigger, and it's the ability of companies to collect this even without my knowledge. 
This is where the real transformation of and threat to privacy through the internet lies.</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/116480887732773365/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=116480887732773365' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116480887732773365'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116480887732773365'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2006/11/who-controls-dog-that-you-are-online.html' title='Who Controls the &quot;Dog&quot; that You are Online?'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-116385972980512473</id><published>2006-11-18T15:12:00.000+01:00</published><updated>2006-11-18T15:22:09.806+01:00</updated><title type='text'>Stefan Brands on User-Centric Identity Management and Privacy</title><content type='html'>A very nice &lt;a href="http://www.idtrail.org/files/brands_cacr2006.pdf"&gt;presentation&lt;/a&gt; (and short &lt;a href="http://www.idcorner.org/?p=142"&gt;summary&lt;/a&gt;) on the dangers of the current frenzy of "user-centric" ID-management. 
Stefan looks at how&lt;br /&gt;&lt;blockquote&gt;the data subject is in essence contributing to “super-federation”,&lt;/blockquote&gt;thereby weakening instead of improving privacy and user control. He provides a number of criteria to assess if any identity-management system actually protects privacy. It's one of the best pieces on the subject I've seen so far. Stefan should re-formulate his criteria into the "laws of privacy-friendly identity", as they are much more to the point than the &lt;a href="http://bendrath.blogspot.com/2006/10/laws-of-identity-20-now-privacy.html"&gt;Ontario ones&lt;/a&gt;.</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/116385972980512473/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=116385972980512473' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116385972980512473'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116385972980512473'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2006/11/stefan-brands-on-user-centric-identity.html' title='Stefan Brands on User-Centric Identity Management and Privacy'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-116385904970270788</id><published>2006-11-18T14:43:00.000+01:00</published><updated>2006-11-18T15:47:29.786+01:00</updated><title type='text'>Reputation Systems and the Social Function of Lying</title><content type='html'>Reputation systems are part of what I would call Web 3.0. They don't just connect people (like many web2.0 platforms do), but they also add some information on the semantic layer of the links. Examples are microformats like &lt;a href="http://en.wikipedia.org/wiki/XHTML_Friends_Network"&gt;XFN&lt;/a&gt; or &lt;a href="http://xmlns.com/foaf/0.1/"&gt;FOAF&lt;/a&gt;, self-managed platforms like &lt;a href="http://claimid.com/"&gt;claimID&lt;/a&gt;, or outsourcing and "let lawyers deal with this" services like &lt;a href="http://bendrath.blogspot.com/2006/11/reputation-defender-or-privacy-20-as.html"&gt;Reputation Defender&lt;/a&gt;. And of course there are the built-in reputation systems in platforms like eBay or Amazon that allow users to rate others' payment or delivery morale.&lt;br /&gt;&lt;br /&gt;Ok - long preface just to say that Alice Marwick at tiara.org has started to &lt;a href="http://www.tiara.org/blog/?p=267"&gt;write about reputation systems&lt;/a&gt; and their inherent problems. (She also provides a link to the &lt;a href="http://web.si.umich.edu/reputations/"&gt;Reputation Research Network&lt;/a&gt; with a long list of academic papers on the subject.)&lt;br /&gt;&lt;br /&gt;My favourite quote, which really hits the mark:&lt;br /&gt;&lt;blockquote&gt;We have a wide variety of social norms and social practices built up around avoiding being honest about our friends.&lt;br /&gt;&lt;/blockquote&gt;This reminds me of one of the old classics of sociology. 
Georg Simmel &lt;a href="http://spartan.ac.brocku.ca/%7Elward/Simmel/Simmel_1906.html"&gt;wrote&lt;/a&gt; about the value of secrets for the functioning of modern and complex societies - exactly 100 years ago and still worth a read. And always a good counter-argument to the &lt;a href="http://www.concurringopinions.com/archives/2006/05/is_there_a_good.html"&gt;"nothing to hide"&lt;/a&gt;-statements against privacy that have become way too popular recently.</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/116385904970270788/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=116385904970270788' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116385904970270788'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116385904970270788'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2006/11/reputation-systems-and-social-function.html' title='Reputation Systems and the Social Function of Lying'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34116157.post-116310250070308220</id><published>2006-11-09T20:46:00.000+01:00</published><updated>2006-11-09T21:12:22.666+01:00</updated><title type='text'>Reputation Defender or: Privacy 2.0 as a business 
model</title><content type='html'>A company called &lt;a href="http://www.reputationdefender.com/myrep.php"&gt;Reputation Defender&lt;/a&gt; is offering an interesting service:&lt;br /&gt;&lt;blockquote&gt;We scour the Internet to dig up every possible piece of information about you and present it in an interactive monthly report.&lt;/blockquote&gt;They scan social networks like MySpace or Facebook, professional review websites, blogs, news sources, pics and videos at Flickr, YouTube, etc. and&lt;br /&gt;&lt;blockquote&gt;millions of additional sites on the "open Internet."&lt;/blockquote&gt;All for $15,95 a month. So it sounds like they know how to use Google and Technorati. Wow. But it gets better: They have lawyers!&lt;br /&gt;&lt;blockquote&gt;If we find an item of online content you don't like, we'll carry out our proprietary DESTROY process for you on that item for the one-time low fee of $29.95. This is where the rubber hits the road. It is an arduous and time-consuming process for our team of specialists, but we work hard &lt;i&gt;so you can sleep better at night.&lt;/i&gt; You don't pay this till you command us to DESTROY unwanted online content.&lt;br /&gt;&lt;/blockquote&gt;Which probably means they send automated cease-and-desist letters (also called "nastygrams") in the manner of the recording industry mafia.&lt;br /&gt;&lt;br /&gt;I don't particularly dislike this offer, though I may sound like I do (which is probably because their wording is just over the top). I do think it is yet another sign that people feel there is a business case in protecting privacy. Which is a good thing. I only wonder how much they would ask for getting all the information about us that is not on the web, but in large corporate data warehouses. I also wonder how they will deal with the obvious "censorship" accusation, especially if they want to target news sites and bloggers. 
Anyway, the Privacy 2.0 bubble is growing, it seems.</content><link rel='replies' type='application/atom+xml' href='http://bendrath.blogspot.com/feeds/116310250070308220/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34116157&amp;postID=116310250070308220' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116310250070308220'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34116157/posts/default/116310250070308220'/><link rel='alternate' type='text/html' href='http://bendrath.blogspot.com/2006/11/reputation-defender-or-privacy-20-as.html' title='Reputation Defender or: Privacy 2.0 as a business model'/><author><name>Ralf Bendrath</name><uri>http://www.blogger.com/profile/10683156686424057297</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://4.bp.blogspot.com/_memBhDtxhTw/SLajVHTDnyI/AAAAAAAAACU/VpJZgRhMrXI/S220/Ralf-portrait.jpg'/></author><thr:total>1</thr:total></entry></feed>
