Privacy, Part Two: Unwanted Gaze

Can pseudonymous downloading, "snoop-proof" e-mail, digital pseuds called "nyms," PDA-like machines, allegedly untraceable digi-cash and other changes in software and the architecture of cyberspace, restore some privacy and restore the idea of the "Inviolate Personality?" Part Two in a series based on Jeffrey Rosen's new book, "The Unwanted Gaze: The Destruction of Privacy in America." (Part Two; Part One here.)

In The Unwanted Gaze: The Destruction of Privacy In America, law professor and columnist Jeffrey Rosen first blames expanding sexual harassment and gender discrimination law for wanton destruction of individual privacy. Cyberspace is second on his list.

A growing number of lawyers and scholars, including Rosen, say they now believe that fundamental changes in Net architecture are necessary to protect constitutional values and restore the notion of the "inviolate personality" to the private lives of Americans. These would include copyright management systems to protect the right to read anonymously, permitting individuals to pay with untraceable digital cash; prohibiting the collection and disclosure of identifying information without the reader's knowledge, or using digital certificates to create psudonymous downloading.

To Rosen, author of Gaze, cyberspace is posing a greater menace to privacy by the day. He details the l998 forced resignation of Harvard Divinity School dean Ronald F. Thiemann, who downloaded pornography onto his university-owned home computer. A Harvard technician installing a computer with more memory at the dean's residence was transferring files from the old computer to the new one and noticed thousands of pornographic pictures. Although none of the pictures appeared to involve minors, the technician told his supervisor. University administrators asked the dean to step down.

Harvard justified its decision by claiming that Divinity School rules prohibited personal use of university computers in any way that clashed with its educational mission. But the dean was using his computer at home, not work. And no student or colleague suggested he had improperly behaved in any way as head of the Divinity School. His work was never questioned. It's ludicrous to suggest that the school would have fired him if he'd been downloading sports scores or bidding for furniture on eBay. But although he'd committed no crime and performed well in his job, he was forced out in disgrace, while his intimate communications were discussed in public. Even in a supposedly freedom-loving and prestigious university, what Justice Louis Brandeis dubbed the right of every citizen to an "inviolate personality" -- the part of our private thoughts, communications and explorations once thought beyond the reach of exposure and dissemination -- that is private could be invaded and voided.

The Harvard case also underscores the blurring of boundaries between home and work caused by technology. Millions of employees and workers criss-cross between their employer's equipment and their own for work and personal communications.

The one serious omission in The Unwanted Gaze, perhaps because Rosen is a member of the Washington journalistic elite, is his unaccountable failure to consider the media's role in growing assaults on the idea of privacy. Journalism has become a prime instigator of the destruction of privacy.

Until recently, politicians were permitted the right private lives, along with other citizens, as long as their private behavior didn't compromise their work. But journalism has been breaching that tradition for years, considering even the most private details of public people, now considering even themost private d etails of public officials' lives to be its business, justifying intrusions like the Lewinsky story in the name of investigating character and protecting the public. The contemporary press, which should be defending the right of individual's to historic privacy protections, is demolishing the idea of the inviolate personality, particularly for public figures. This has driven countless people from public service and discouraged many more from entering.

Because the Net is the planet's largest and fastest Xerox machine, as well as the world's greatest new marketing opportunity, it constitutes a particular menace to privacy and is escalating its erosion. Personal information can be - is -- gathered and transmitted more rapidly and comprehensively than has ever been possible.

Corporations busy stealing their customer's private information are now eager to appear concerned about it. In June, more than 30 major technology companies -- AT&T, American Online, Microsoft, Hewlitt-Packard among them -- went to the White House to announce a Net protocol designed to serve as an automatic privacy-protection agent -- the so-called P3P-compliance. But a number of privacy addvocay organizations, including the Electronic Privacy Information Center, Computer Professionals for Social Responsibility and Junkbusters derided P3P's claim to being any kind of real privacy-protection.

Many of these critics referred to what's known as the "VCR syndrome," which holds that in a country where most people can't figure out how to program their VCR's, overly technical solutions to privacy concerns are doomed. Despite the White House-generated hype, this leaves the idea of privacy in trouble.

The idea of the "inviolate personality" is one of the greatest and newest freedoms in history. In our time it's not only being nibbled to death but obliterated, and almost all of us are willing, even enthusiastic participants.

Rosen believes that changes in Net architecture and new encryption technologies ("snoop-proof" e-mail) could in a few years restore Justice Brandeis' ideal: the right of every individual to determine "to what extent his thoughts, sentiments, and emotions shall be communicated by others." Others agree. A professor in the United Kingdom sent me this e-mail in response to Part One of this series: "... one of my students has just completed a thesis that describes a system that allows you to send messages across the system that are guaranteed anonymous. The system assumes the use of PDA like machines but can definitely be made to work. Privacy of content can of course be obtained by encrypting the messages. (Up to a point etc ...) My student's system is a simple analogue of the public phone system. So it can work since the phone system allows anonymity."

Despite the clear and logical reasoning of his book, Rosen isn't persuasive on the idea that new software will protect our thoughts and secrets. The threshold of privacy referred to by Brandeis and outlined by the Constitution's framers has been nearly wiped out by the media, by gender-discrimination and harassment rulings, and by rabidly invasive and corporately-funded information-gathering software.

Rosen makes a great case that the idea of the inviolate personality has nearly been killed off. He fares a bit more poorly with the idea that it will magically be restored in a matter of a few years with digital cash and a handful of encryption programs.

"Already," writes Rosen, "user-friendly Web sites are spring up that give you the benefits of encryption without the hassles of having to understand the difference between public and private keys. A site like ZipLip.com, for example, allows you to send encrypted e-mails for free without leaving any records that can be subpoenaed or searched."

Rosen writes about the technology of anonymity and pseudonymity being developed bycompanies such as Zero-Knowledge.com, which is based in Montreal. For a modest fee, says Rosen, you can buy a software package called Freedom, which allows you to create five digital pseudonyms, or "nyms," that you can assign to different activities, from discussing politics to surfing the Web.

Should free citizens in a democratic society have to spend money for "nyms" to preserve the privacy they ought to be -- and once were -- accorded in law? How many millions of computer users will even know of this new technology, or have the money to use it?

Rosen's implication is that even if software caused the problem, then software will clean up. His assurances seem a bit "gee-whiz." But to ignore them cynically on that basis, or to trust them completely, ignores the history of technology. What people can create, others can and will undo. Technology that can be used will be used. In an otherwise powerful book, he also glosses over powerful incentives for eliminating privacy in cyberspace. First, the megacorporations dominating media, business and government will continue to aggressively explore ways of tracking potential customers as Net use grows. Secondly, law enforcement agencies like the FBI have been fighting for decades for the right to deploy tracking programs like "Carnivore" (see part one) and are hardly likely to back off. And finally, powerful institutions -- the entertainment and movie industry, professions like law and medicine, and entities like the U.S. Congress itself -- will inevitably seek to regain the primacy they had -- until the rise of the Net -- over copyright and culture, as well as the setting of social and political agendas. It seems naive to think that "user-friendly" Web sites are going to save the inviolate personality people once had, and are entitled to have again.

The salvation of society in non-anonymity

I love this kind of discussion, it's exactly the kind of thing where everyone and their uncle will wail at the top of their lungs that the world is going to hell and (in my humble opinion) be wrong.
Everywhere and anywhere one chooses to look, North American society is degrading at an ever accelrating rate.
Men, Women and children are being beaten, stolen from, harrassed and abused in more ways than any of us can begin to imagine.
Frustrations run higher and higher everyday, and the common view of one's place in society seems to be "I've got mine, and I don't care if you've got yours"
People that take this view, and with it, undermine the rights and freedoms of others do so often with perfect impunity.
Thus, the cop can beat the Afro-American on the street for no good reason, Husbands can beat their wives, Mothers can molest their children, and children can beat each other into hospitals on the school yard.
Why does this impunity exist? Simple:
Because they are ANONYMOUS.
In his book "The transparent society", Larry Niven (I think... I read it a while ago, so don't blast me for getting the name wrong, the title is what matters) argues this very point in an extremely creative way.
At first, he examines the words "anonymity" and "privacy", and defines them.
As the work continues, he draws parallels between the words, examining how they are similar and different, and in what context.
The idea that he arrives at is that "Privacy", "Freedom" and "Anonymity" are infact not the same at all, though most of modern society would belive it so.
One of the final conclusions that Niven arrives at is this: Anonymity allows members of a society to undermine the laws they agree(d) to uphold.
Because chances are no one will know they've committed a crime under the law, they continue to commit crimes.
Because these people can undermine the law and thus the safety and property of their fellow members, they infact infringe upon what "Freedom" and "Liberty" truely are.
Niven concludes with the idea that in order to protect Freedom, Anonymity might not be allowed.
So abolish anonymity: Place video cameras in the streets, on the freeways, in stores and bars and... everywhere.
And make sure that authorized people are watching them...
But:
Make sure that everyone know's WHO IS WATCHING THE CAMERAS.
Think of it like this:
If Bill Clinton had known that he was being watch by Security Guard John Doe the night of his escapade with Monica, and everyone in the country knew that Guard John Doe was watching Bill Clinton that evening, then the courts would have known
a) which video tape to watch,
b)which Guard to question to corroborate,
c) whether or not Bill did it on the desk or the couch.
Further, Rodney King's attackers might have had an incentive to treat him fairly, instead of abusing their positions as law enforcemnt agents, because they would have known that Officer Jane Doe of Internal Affairs was watching, and that the whole state knew that Jane Doe was watching.
In the end, North Americans will continue to insist that their anonymity keeps them free.
I would argue the opposite. That North Americans are not free because some one IS WATCHING all of this happen, we just don't know who.

Privacy and personal sovereignity

A lot of people confuse privacy with personal sovereignity, the power to decide what you will do with your own life, control over your body and that sort of thing. The courts in fact may have ruled the woman's right to abortion based upon the right of privacy, but actually what they were ruling on was her right of personal sovereignty, to control herself. As proof of that, in many states it's not entirely private the fact that you had an abortion, but you have a blanket right to one.

The important thing about privacy is to recognize that there's always a tradeoff between it and accountability. Account demands light, privacy demands shadow. And whenever people get a choice between privacy and accountability, they always seem to choose privacy for themselves and accountability for everyone else. Especially those they don't trust.

Untracable cash

[phil+reed]

One of the perceived problems with untracable cash is that the government fears the establishment of an underground, untaxable economy. That was one of the unspoken reasons for the reluctance of the government to approve high-level encryption.


...phil

Re:Untracable cash

[phil+reed]

With cash, you have physical objects to track. You can follow somebody around, watching them lug bags of currency. With encryption, all you've got is data, and if you're careful (data floods to confound traffic analysis, that sort of thing), it can be much harder to trace. All you might be able to figure out is that money magically appeared someplace, which is pretty much the same as with physical cash, but you've got less chance to follow it around.


...phil

Re:Untracable cash

[hodeleri]

the government fears the establishment of an underground, untaxable economy

What is the difficulty of people doing this with cash? I'm certain that we've all heard (or known) people who got paid for working "under the table" and the government isn't able to tax that transfer or even see it if enough people keep there mouths shut. It will be far easier to carry around big bags of $20s than it will be attempt to hide your transactions online. If you really want high-level encryption you can just download it from some other country that doesn't have export restrictions. When there is a traceable record of communications and money transfers it is far easier for someone to step in and say "you people are doing wrong" than for under the table back-alley transactions that leave no records.

--
Eric is chisled like a Greek Godess

Re:Untracable cash

[hodeleri]

There is a flaw in your logic. How do you know what is in the bag? How do you know it isn't somebody's gym bag full of dirty laundry? There is no way you can tell unless you invade somebody's privacy, and there is no reason to invade privacy unless suspicious things start happening.

Being online just gives new methods of doing the same thing poeple have been doing for Millenia. It has been demonstrated that some things are always going to be able to slip around the backs of whoever the authority is.

--
Eric is chisled like a Greek Godess

Re:Untracable electronic money

[phil+reed]

Applied Cryptography has a good overview of the protocols required to handle digital money.


...phil

Re:PGP

[SoupIsGood+Food]

Hello. The quote was mine, and taken far out of context.

<em>This would be news to professional cryptographers.</em>

My info comes from the spook side rather than the big-brain side of the equation. I'm no cypherpunk, but it sounded like it was not brute forced, but required a lot of time on the big iron regardless.

It's not easy -or- cheap, and despite what Katz wrote, I was using it as an example as to why personal encryption was secure. Yes, they -can- break it, but it's too damn expensive to be used in routine law enforcement, and since everyone still remembers J. Edgar, it's doubtfull the FBI will get the funding to crack crypto.

SoupIsGood Food

I was quoted out of context. Here's the original.

[SoupIsGood+Food]

The quote is mine. I'm not a cypherpunk, or even a programmer. I'm simply an industry analayst (And a multi-platform sysadmin).

It was taken out of context. Here is the relevant part of the original mail in all it's unedited glory:

It's all about money. Ask any government engineer or defense contractor: computational time is measured in money. Right now, it's widely known that the NSA can crack PGP, and do so in perhaps as little as one day (probably a lot, lot longer, but we're talking worse case scenarios.) However, the cost of maintaining the computational rescources to crack that code aren't cheap. I'd suspect that unless someone is plotting to set off a nuke in Times Square or planning to invade Canada, the NSA won't touch it. The FBI simply does not have the money, and the spector of J. Hoover means that congress won't be too keen on allocating them money to buy fancy new machines to ferret out the secrets of private citizens. If Monica had encrypted her email and sent it via anonymizer.com, the feds would never have been able to get their grubby mitts on it. (And if the feds can get a hold of it, then disgruntled boyfriends, corporate spooks, or stalkers can, too.)

The problem is that the tools that enable privacy are way too difficult to employ.

SoupIsGood Food

Re:I was quoted out of context. Here's the origina

[SoupIsGood+Food]

OK, just to verify your credibility, what happens to your security clearance if you get caught using PGP to secure data in a govt. defense lab? Please explain why the sigint hardcases don't seem to mind theoretically weaker crypto that isn't PGP? Discuss!

You'd learn more about the practical aspects of cryptography if you paid more attention to the spooks than the big-brains.

SoupIsGood Food

Re:What the hell are you talking about?

[SoupIsGood+Food]

Speaking as a communications security hardcase

Anyone with a little bit of math background and a voracious crypto reading habit can be a communications security hard-ass. Get back to me when you're a sigint hardass with a GS rating or a military rank, m'kay?

and also as someone who has worked in a DoD-funded research lab, and also as someone who secured data in that lab using PGP...Nothing happened to me for using PGP to secure a couple of files. In fact, I don't think anyone even noticed. Security in those places isn't as tight as you're making it out to be.

A DoD lab != a DoD funded lab. Take this simple test: did your lab have a Commanding Officer as well as a civilian administrator? If the answer is no, you weren't working at a government lab. Security is -tighter- than I made it out to be. I know of one division head who's not allowed to see what his managers are working on because of a -minor- clearance issue. Unless you were handed a big, fat manual with DoD crypto guidelines spelled out in long words, you simply aren't qualified to say what the guidelines are or aren't. Hell, I know -when-, -where- and -how- PGP got on the official taboo list. The "why" isn't hard to figure out on your own.

Do the power analysis--it would take an optimal computer about one year at a constant 250 megawatts of power to break a 128-bit cipher.

If brute forced, sure. Big if. C'mon...I'm not into crypto and I can suss this one out.

If the NSA is so advanced that it has perfect computers running at a cryogenically-cool 3.2 Kelvins and hooked up to its own nuclear power plant just to flip the bits, I'd really like to know about it.

You aren't alone...bet the Chinese and a few Middle Eastern nations want to know the same thing. I just wonder what you -do- know about declassified NSA info (like its budget. Or recruiting objectives.). It's clear you don't know squat about what goes on -under- the kimono...

I'm not being facetious here. If you have any hard facts to back up your assertion, I'd like to hear them.

Actually, you -are- being facetious. You're a PGP partisan, not an cointel/sigint analyst, so snide bluster is -all- you got.

Getting back to the point, PGP is secure for day to day use, as the Fat Boys Institute does not have the money, the manpower or the mandate to do what the Nasty Snitch Association does.

Stop jerking your knee for a minute and think. The largest threat to national security these days are terrorist organizations who are likely to use inexpensive (free) cryptography. This means PGP was the largest cryptographic threat to national security. Do some math of your own.

SoupIsGood Food

How do you MAKE people care?

[Uruk]

I don't know that you can.

People have given a lot of lip service in the past year to the idea that consumers on the internet really value their privacy, and are willing to take a stand against companies that abuse it. But I don't see it. I am one of those people, and I'm sure that a lot of people on slashdot are too, but I don't see that in the general IE using, priceline.com and ebay.com surfing general public. I don't think they're capable of caring, because for the most part, the technology used to track them isn't very well known. Of all websurfers, what percentage would you say even know about doubleclick, much less know what it is that doubleclick does?

I figure that while 98% of the population continues to be oblivious to the problem, market droids will never stop exploiting customer information on the net. You can't make people care about issues, particularly when they're not informed about them.

These Katz articles in that regard make me feel like he's preaching to the choir on this and other topics.

Re:How do you MAKE people care?

[SimonK]

But a lot of [anti-privacy sentiment] comes from people who seem to genuinely believe that basic human rights are a threat to their security or to corporate profits

Well, speaking as someone who has occasionally expressed anti-privacy sentiment, my interest is not in my security or in corporate profits, but in whether or not privacy is a basic human right as you affirm.

There a strong feeling here on /. and elsewhere in the online community that privacy somehow is a fundamental right. This feeling is somewhat libertarian in nature, but interesting there's no libertarian philosophical literature that I can find that takes this position. Indeed, the politicians closest to holding this view are the sopping wet liberal bureaucrats of the European Commission.

The effects of increased and decreased privacy are quite complex, and since this is essentially a proposed addition (or corollary, or whatever) of the historically fundamental human rights, its worthy of more consideration than the knee-jerk reaction it generally gets.

Most of the concern appears to be around privacy from the state apparatus, on the implicit assumption that this provides protection from the enforcement of unjust laws. Its a remarkably weak and at the same time indiscriminate form of protection however.

On the one hand, privacy protections as a defence against law enforcement will inevitably result in an arms race where the state uses improved technology and enhanced legal powers to enforce its laws, and those trying to escape them try to invent more are more powerful protections to their privacy.

On the other hand privacy protections that protect those trying to form political parties, run cooperative enterprises, or trade MP3s will innevitably also protect those who really are international terrorists, theives and child pornographers.

The government will always be able to use the argument that it needs new powers to combat the evil of the day. Joe Bloggs and John Doe will believe them, and to some limited extent, they'll be right. Unfortunately, of course, the state can also use its powers to enforce laws that are not just.

This isn't a battle I want to fight, because I don't think we can win, and the reasons for fighting are weak at best. I think privacy's fundamentally not the issue. Restricting the state to its proper bounds is the issue, and privacy is a poor second best, surrounded by unintended consequences.

Re:How do you MAKE people care?

[Angst+Badger]

These Katz articles in that regard make me feel like he's preaching to the choir on this and other topics.

I don't know that that's the case here. I've seen a surprising level of quite passionate anti-privacy sentiment expressed on Slashdot. Some of that comes from the crowd that feels privacy is a lost cause or that future abuses are a continuation of (and somehow justified by) past abuses. These people are, IMHO, apathetic idiots whose right to vote would scare me if I thought any of them ever used it. But a lot of it comes from people who seem to genuinely believe that basic human rights are a threat to their security or to corporate profits.

The most absurd variation on that theme these days is David Brin's dumb idea of a surveillance state in which citizens get access to surveillance data. Ignoring for the moment the blackmailer's paradise that would be, the argument is still fundamentally flawed. Government surveillance is dangerous because the government has police forces, one of the world's largest militaries, the entire judicial system, and prisons capable of holding (at present) about two-and-a-half million people. Unless giving Joe and Mary Sixpack access to surveillance cameras also gives them the powers of the government, it hardly results in balancing power between the people and the government. Instead, it creates a situation like the one proposed in Fahrenheit 451 in which the general public vicariously participates in the oppression of their neighbors. Bradbury at least had the brains to see that this was a bad idea; Brin apparently believes that human suffering is ameliorated by being available for download.

Re:How do you MAKE people care?

[Angst+Badger]

Privacy is not considered a basic human right by any but privacy nuts and their sympathisers.

Try busting into a counseling session between a therapist and an underage rape victim and spew that nonsense. When the lack of privacy, at least under some conditions, is injurious to people, then it is a right, insofar as not being injured without due process of law is a right.

Re:How do you MAKE people care?

[legoboy]

(I think it was) Asimov (who) wrote a short story on the topic involving televiewers, or some word to that effect. Something-goggles? A technology which allowed users to see what was going on anywhere in the world at a given time. The story essentially centerred upon a woman confronting her husband about the time spent at some blonde's apartment while he was "working late", ending with her kicking him out, telling him to get a (word for item). It also included an additional scene in which two different groups of burglers stumble across each other while attempting to rob a vault they had just scoped out using (technology).

Anyway, in a truly transparent society - what most people refer to when mentioning the term -, blackmail is infeasible. Everything about everyone is common knowledge, easily accessible to all. The establishment of such a situation is another, much more difficult, matter altogether.

Privacy is not considered a basic human right by any but privacy nuts and their sympathisers. Your views on this matter lead you to believing that any future but Bradbury's is impossible. Everybody, bar none, has some manner of deviency.

------

Re:How do you MAKE people care?

[legoboy]

I find your nod to "What about the children?" quite amusing. Does the fact that the rape victim is underage strengthen the argument in any way?

And if statistics are to be believed, this rape victim might benefit from knowing that yes, there are thousands of others who are in the same situation, listening in on their counselling, etc.

------

Correction

[JonKatz]

Strange correction..In one of the posts below, the one which states that the NSA could read any encrypted e-mail program in a day, I identified an e-mailer as a programmer..He isn't. I got more than a score of e-mailers from people identifing themselves as cryptographers and government employers, but he wasn't one of them. Those that did e-mail me were very strong in saying no "snoop-proof" e-mail system most people could use was really snoop proof.

Re:Long reply

[SimonK]

Nope. Its only a copyright violation if you copy text verbatim and try to pass it off as your own, or sell it. Summaries, reviews, reports, even properly attributed quotes, are all OK.

Its no wonder, really, that the public is so easily confused about copyright "theft" when even /. readers can't get it straight.

Remember the good old days?

[PD]

In the good old days, people with a lot of money were usually able to stay out of trouble with the law.

Nowadays it seems that to stay out of trouble you need to know how to upgrade your own computer!

The more things change, the more they stay the same.

Re:A strong media is good for us

[Pig+Hogger]

Having journalists who are unafraid to dig into the private lives of politicians means that there is a far greater chance of scandal and corruption being uncovered and exposed, something which can only benefit society in the long run - who wants corrupt leaders?

" La liberté de presse ne s'use que lorsqu'on ne s'en sert pas "

Freedom of press only wears-out when you don't use it.

That's the slogan of "Le Canard Enchaîné", that french icon of journalism that uncovered more than one scandal and caused many public figures to resign...

Interestingly enough, that weekly has no advertising whatsoever; it solely survives through what people pay to read it, so it is a truly free newspaper.

--
Here's my mirror

No new taxes, please

[SurfsUp]

Hong Kong was essentially an untaxed economy, or at least then total level of taxation was very, very low. In spite of this, Hong Kong was still able to ship boatloads of surplus funds home to mother England and build up a such a huge surplus that they had great difficultly in making it evaporate before mainland China got hold of it. (To get rid of it they built a grandiose new airport.)

If Hong Kong could do it then so can every other government. It's time to stop thinking about how to *increase* taxation by technological means, and start thinking about how to *reduce the cost of governing* instead.

As far as we citizens go, I know of very few who support the concept of increased taxation, or the implementation of new taxes, or even the maintainance of taxation at its current levels.
--

Greetings from the 5th column!!

[Nickbot]

Nice to hear folx bragging about how you'd tell your supervisor about some titty pics the poor dean had on his machine! May we now have a look at your hard drive? Oh, but that was a _work_ computer, right? Well I daresay that reading slashdot probably isn't work related, is it? And I'd be willing to bet most of you are at work right now. As hodeleri puts it:

>1.He had a university computer
>2.He was using it for personal use (and quite a bit no less, thousands of pictures!)
>End of story. It does not matter if it was a laptop he was hauling around with him or if he was in his office. He was using company property for personal use. Violation of policy and grounds for termination.

Enjoy your pink slip, hodeleri!

I've often been put in the position of being ordered to rifle through a former employee's _work_ computer to look for incriminating emails/resumes/etc., by an asshole PHB. And you know what? Every time the hard drive of said machine was _mysteriously_ wiped clean! "Don't know what happened, boss, the froonium must have overloaded" aah, ignorance is a quality I love in a PHB..

A Way to do Anonymous Banking

[sterno]

It ocurred to me that one of the fundamental problems with financial anonymity is that in order for it to work properly you must have a way to actually get money into some sort of bank or what have you. Of course banking laws require banks to gather all sorts of information about you before you can open up an account. Well, I have an idea for a way around this.

Set up a company that would sell smart cards in varying increments that would be usable for any on-line transaction (basically they can just do an electronic fund transfer or send a check to the destination). The smart cards would be sold like calling cards are today and would be readable through a reader that could be picked up for a modest sum. Once you had the card there would be no way to attach the purchases you made to your identity as long as your identity couldn't be attached to the card. That is to say, if you went to a store and paid cash, there is no connection to you and thus you can spend knowing full well you won't be tracked.

---

Re:A Way to do Anonymous Banking

[TurboJustin]

7-11 sells these. They're called internet shopping cards or something like that, and work as a credit card (Amex I think)..

Re:Untracable electronic money

[Kaa]

That I wanted to know was if anyone could think of a good anonymous algorithm for exchanging money online

Search on the net for "David Chaum". Also, Applied Cryptography has some useful algorithms.

David Chaum tried to set up an anonymous electronic money system. His company was called Digicash (AFAIK). He failed. I think the main reasons were:

(1) There is no burning need for anonymous electronic money among the general public.

(2) Governments dislike this idea very much for obvious reasons.

(3) Chaum kept the technology very close to his vest and was unwilling to seed/share it widely so that it jumpstarts.


Kaa

Re:A strong media is good for us

[Kaa]

I have to disagree that the increasing intrusion of the media into the lives of politicians and public figures is a bad thing, at least for the rest of us. These people accept that they are to have their lives scrutinised to a far greater extent than normal people - it's part and parcel of being in the public eye.

What you say is true, but there is also the price to be paid. A lot of people who would have made excellent leaders and public figures avoid stepping into limelight for precisely that reason: they do not want their private life ripped to shreds by nasty people looking for any dirt they could find.

As usual, it's a matter of balance: allow people in power to hide their business and corruption will flourish. Strip them of any privacy and no decent person will want to become one. Hard separation between public and personal might help, but it's somewhat unnatural and not likely to work well. I don't think there is a good solution.

Kaa

Re:Long reply

[Kaa]

Basing something on a book is technically copyright violation.

No, it's not. Even leaving aside fair use, ideas are not copyrightable. So don't pretend to be a hard-ass lawyer.

Who controlls the digital certificates?

So-called "certification authorities" (CAs). Who they would be is a subject of much debate.

Bah humbug. They own the computer, they dictate how it's used. Simple as that.

Not as simple as that. The poster correctly points out that finding, say, baseball statistics on the same computer would not have caused any problems at all. This is actually not a privacy story (other that the obvious moral: don't put personal stuff on other people's machines). This is a story about puritanical attitudes to sex and maintaining a facade of respectability.

But inappropriate use of company resources has always been a reason for firing somebody.

Don't be anal-retentive. Receiving a personal email on a company machine is, technically, inappropriate use of company resoures. Ditto reading Slashdot and a bunch of other stuff. I can assure you that a company that will fire people for sending/receiving personal non-offensive emails at work will soon find itself with a severe personnel problem. Send/receive a sexually explicit message, though, and things can get ugly very quickly. So, again, it's mostly not about privacy but about attitudes to sex.

However, people lost there individuality to the collective many moons ago

Speak for yourself.

The price of popular culture is losing yourself.

Is it really? Sometimes I eat at McDonalds, occasionally I listen to bubblegum pop music (so, shoot me), and I have been known to watch popular movies. So how does it make me lose myself?

Kaa

Re:Dean's Firing.

[Claudius]

I couldn't agree with you more regarding use of University facilities for pr0n downloads. A suggestion to the Harvard Divinity School (and to any organization who distributes computers for people's home uses) would be to do as the U.S. Department of Energy does, and that is, put a sticker on every machine that explicitly states the usage policy. This makes issues of perceived privacy easily resolvable by most anyone capable of logging in. Quoting from their policy:

"Notice to Users. This is a Federal computer system and is the property of the United States Government. it is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy."

No ambiguity here.

Using the company (or university) resources to surf pr0n is, in my mind, akin to using a company car to drive to the pr0n shop to pick up a few vids. If someone sees you and reports you to your organization, I don't see how privacy can keep you from getting fired if your organization so chooses.

Re:Dean's Firing.

[Claudius]

If my company gave me a computer for my home and then told me how I could use it, the motherfuckers better pay my ass $24/hr when I use the damn thing. My employer should have absolutely no say whatsoever about what I do when I am off the clock.

While I admire your strong sense of principle, I disagree with you regarding the fairness of the arrangement. I hate to argue over semantics, but in most cases, such as the organization I described in my earlier post, the machines are not intended as being "given" but rather as being "provided." They are the property of the employer, and as such they are intended to be used only in a manner that is approved by the employer. I see this as being no different from an employer providing me with other equipment to take home, be it a cell phone, company car, or ball point pen. If I don't like the rules on how I can use the equipment, then I can always just buy my own car, phone, pen, computer, PDA, etc. I just don't see how I am entitled, for example, to drive the company car on my vacation or to use their computer and fast net connection to surf pr0n if they don't permit it.

In my position I receive a fixed salary regardless of how long it takes me to do my job. If I want to leave early two days a week to play tennis, then I can do that and nobody will care. If I want to log in from home in the evening to check the status of a job that I launched earlier that day, then I rather like their having provided me with a machine and a fast connection to the lab with which to do this.

In my mind, as long as policies are straightforward, unambiguous, and reasonable, then I have no problems with abiding by them. If I do find them to be objectionable, then I can always find a new employer. I guess I missed your point--how exactly is this unjust and unfair?

Re:Nothing transparent about this

[Remus+Shepherd]

If everyone's lives were out in the open, who would attack you for being a zoophile? Only people whose personal lives were deemed to be much "cleaner" than yours.

And to avoid being attacked, people would be driven into living "cleaner" lives; thus a homogenized society is created via peer pressure.

Now obviously, this is a rather idealized notion that involves people being nicer to each other than they are now. However, the vindictiveness of people stems not from an innate property, but from society, a society that encourages people to hide any deviant behavior away and pretend that everyone is perfectly normal. Having a less private society is the first step away from this kind of nonsense.

No. Human vindictiveness stems from a very basic fear of the unknown. Things that are different or outside of one's experience are frightening, and there is a strong tendency to avoid and condemn them. In a less private society, people are forced to avoid deviancy, or face condemnation -- which has real and painful consequences. Those that cannot avoid being deviant (drug use is addictive; sexual deviancies can be both addictive and incurable) will become second-class citizens, able to be ostracized at the whim of any 'normal' person. There is no defense against being truly ostracized from society. It's no comfort that you are able to commiserate with others of similar deviancy, when you are all sleeping in the street and unable to get any employment because of your abnormalities.

Remember, there are people out there who have *no* deviancies. They may even be a majority -- the moralists today certainly *act* like they are a majority, with a very prominent attitude that the rest of society should be just like they are. These people don't live in glass houses, and they love throwing stones. A Transparent Society would be a tool for this type of busybody majority to prey upon and ostracize any minority they wish.

Re:Totally transparent

[Remus+Shepherd]

Heh. Do a search on Slashdot, Zigurd -- I've been active in conversations for over a year using this name. Do a web or usenet search and you'll see that I've kept the same name (and email address!) for six years. Yes, the name's corny. But it has always identified me.

I am no troll. Although I use a psuedonym, I have always taken responsibility for the words that I write. A pseudonym is a nice middleground; it allows me to act freely on the internet without fear, yet I remain accountable for my opinions.

Re:Nothing transparent about this

[Remus+Shepherd]

Anonymous coward wrote (albeit in unexpurgated form):
"I f*** farm animals"

Interesting that you should write that in a discussion on privacy. Personally, I do f*** farm animals. I am a zoophile, an ex-FAQ-keeper of alt.sex.bestiality, and it's not much of a secret to anyone who knows me. (Why did you think I was using a psuedonym?)

And my situation is a good example of why David Brin's Transparent Society will never work. My personal life harms no one, and in my state of residence it's perfectly legal. But I guarantee you that if my personal life were revealed to everyone, I would have problems with my employer, not to mention my coworkers and possibly with over-zealous law enforcement who aren't familiar with the (lack of) sodomy laws in this state.

It's happened to me already, you see. A usenet.kook hired a private detective to ferret out information on me, then wrote to my previous employer. Although I broke no law, my career was nearly destroyed because of a private behaviour outside the mainstream, found by someone who was able to snoop on me too easily. I'm a little harder to find, now...although I have no illusions that I'm completely unfindable.

The premise behind Brin's Transparent Society is that we can catch corporations and governments doing illegal things also. But how many people have money to pay for investigation of every corporation or government agency they suspect of wrongdoing? Are corporations held responsible for legal-but-frowned-upon behaviour, or do they just ignore outcries until they affect their profits? And of course, any corporation has the funds to research the individuals opposing them, and destroy their lives if they can.

The Transparent Society will shift power away from individuals and towards those who have the resources to mine and act upon information. It will create a homogenized society, and threaten everyone whose lives differ from the mainstream by any minor behaviour or percieved difference from 'normal'. It's a dangerous concept, and I believe a very evil future for Brin (who I otherwise respect) to be promoting.

Clarification needed. . .

[SMN]

"Harvard justified its decision by claiming that Divinity School rules prohibited personal use of university computers in any way that clashed with its educational mission. But the dean was using his computer at home, not work. And no student or colleague suggested he had improperly behaved in any way as head of the Divinity School. His work was never questioned. It's ludicrous to suggest that the school would have fired him if he'd been downloading sports scores or bidding for furniture on eBay. But although he'd committed no crime and performed well in his job, he was forced out in disgrace..."

I think a little clarification may be needed hear - it appears to me that this man was not "fired" - he was "asked to step down."

Now, while I know those are more or less equivalent, it's important to note that he complied with the university's request, which leads me to believe he did not contest it. Were he to feel as strongly about this issue as Jon does, he would wait until he was formally fired and then take the University to court. This implies that he consented, and it appears that Jon is (as usual) creating an issue where there is none.

Furthermore, I object to the use of the statement "But the dean was using his computer at home, not work." Jon said that there was an understood agreement that "rules prohibited personal use of university computers in any way that clashed with its educational mission," - regardless of whether or not that rule was intended for these circustances, it _was_ a rule, and he _did_ break it. I'll reference some real (read: non-geek) culture here - these seems somewhat analogous to Les Miserables, in which the protagonist stole a loaf of bread to save his sister's (?) life, and was imprisoned for it. While the rules may not always be intended for such circumstances, they still do.

And I probably gave Jon a little too much blame/credit for repeating Rosen's ideas here, but that's out of habit.

Summary

[SMN]

Correct me if I'm wrong, but I just read through that whole embellished rant (it wasn't easy, believe me) to find that it just expressed one simple idea:

New encryption in the not-too-distant future will allow us to break rules and look at pr0n on Harvard computers without getting caught. Oh yeah, and we can do legal stuff in private, too, but that's not important.

Geez, Katz, if you wanted to appeal to us geeks, you could have saved a lot of time. I suggest that your next article be composed of just a few, simple words:

Proactivily utilizing encryption means pr0n at work!

I have issues with Jeffrey Rosen

[/]

I've met Rosen briefly, and I've gotten him to sign my copy of Unwanted Gaze, and this is only my own opinion, but there is something a bit phoney about the man. I kept getting the impression that he was someone who, while he was genuinely interested in the topic he was writing about, he came off as someone who really wanted to write a book and therefore did precisely the amount of research necessary to appear to know what he was talking about without actually getting a clear grasp on even some of the important details. I watched an interview with him the other day, and he was completely confused about whether it was Intel who was responsible for putting serial numbers into PIII chips and whether Microsoft was responsbile for their unique ids inserted into MSOffice documents, claiming it was Intel who was responsible for the latter. And this doesn't even begin to address the logical errors encountered within the first few chapters of his book.

Actually, I could express the exact same opinion of a certain other columnist on slashdot, but that would be rude.

Re:How do you MAKE people care? - you don't!

[e-gold]

If a corporation has your Visa number, than several persons do as well.
...

Ain't it the truth. Of course, anyone on the planet can know that my e-gold account number is 101574 (well, among others, but that's the main one) and all they can do is spend to it without my passphrase. I guess what I'm saying (ok, while plugging my company's currency) is that 1950s technology stapled onto the world wide web does not make "ecommerce" once you've tried a better system.
JMR
(And, once again, /. readers are encouraged to try e-gold, tell me an account number and I'll click you half a gram or so.)

What the hell are you talking about?

[rjh]

Speaking as a communications security hardcase, and also as someone who has worked in a DoD-funded research lab, and also as someone who secured data in that lab using PGP...

... what the hell are you talking about?

Really?

Nothing happened to me for using PGP to secure a couple of files. In fact, I don't think anyone even noticed. Security in those places isn't as tight as you're making it out to be.

Answer the question, please. Do the power analysis--it would take an optimal computer about one year at a constant 250 megawatts of power to break a 128-bit cipher.

If the NSA is so advanced that it has perfect computers running at a cryogenically-cool 3.2 Kelvins and hooked up to its own nuclear power plant just to flip the bits, I'd really like to know about it.

I'm not being facetious here. If you have any hard facts to back up your assertion, I'd like to hear them.

Re:What the hell are you talking about?

[jovlinger]

Do the power analysis--it would take an optimal computer about one year at a constant 250 megawatts of power to break a 128-bit cipher.

That's interesting. How did you arrive at this conclusion? I've never seen that sort of comparison done -- I supose it uses information==entropy?

How would this be affected by reversible computing?

Until you have something to back this up...

[rjh]

... you're an idiot.

Worse, you're the sort of idiot who, instead of having any facts to back up outrageous allegations, says "if you only knew what I know, then you'd agree with me".

That's intellectual fraud.

Factual error: PGP is *not* insecure.

[rjh]

Disclaimer: I am not, in any way, speaking for my company. More than that, I don't have my reference books handy, so I'm going purely from memory--I may be off on a detail or two.

PGP (more accurately, programs which implement the OpenPGP specification) is not insecure when properly used. By "properly used" I mean choosing a reasonable size for asymmetric keys, choosing a reasonably good passphrase, and practicing good email discipline--unrevealing subject headers, not sending anything cleartext which could compromise your key, etc.

Is it trivial to use PGP/GPG properly? No, and that's the biggest problem with PGP/GPG. Still, that's not what Jon Katz's source said; the strong implication was that government agencies could, either by brute force or cryptanalysis, break a PGP-encrypted email in a day. So let's address that now.

In order to break a PGP/GPG encrypted email, either the asymmetric or symmetric components of its cryptography need to be broken. Breaking the asymmetric component requires either an efficient way to factor large numbers[*] (for RSA) or an efficient way to solve the discrete logarithm problem[**] (for El Gamal).

After more than twenty years of study, such efficient algorithms remain Holy Grails of cryptographic research.

Breaking the symmetric component requires some efficient way to break the cipher. By "efficient" I mean better than brute force, better by several orders of magnitude. Being ragingly paranoid here, I'd expect government agencies (DGSE, NSA, etc.) to be able to break 80 bit ciphers by brute force. The weakest [+] cipher in the OpenPGP spec is Triple DES at 112 bits. That still exceeds governmental capabilities by a factor of four billion or so.

Basically, the claim that "the NSA can break PGP-encrypted email in a day" is so much hogwash.

That being said, there are undoubtedly attacks which government agencies can perform against ciphers. Cryptanalysis is just very rarely one of them. It's far cheaper for the government to Van Eck your monitor, or break into your apartment and plant eavesdropping devices, or crack your box to grab your private key and plant a keypress sniffer to take your passphrase. And if you're sending stuff which is so tempting to the government that they'd go to this effort, then you probably want to invest in something more than PGP/GPG.

There are many attacks which exist against PGP/GPG. It's just that, to the best of my knowledge, there are no good cryptanalytic attacks against PGP/GPG.

[*] Strictly speaking, this isn't true--we don't know for a fact that you have to come up with an efficient factoring algorithm to break RSA. It seems to be strongly implied, but there has never been a formal proof of this requirement.

[**] This isn't true, either--see the above footnote. Interestingly, coming up with an efficient factoring algorithm doesn't help you solve discrete logarithms, but an efficient solution to the DLP will give you an efficient factoring algorithm.

[+] 3DES is "weakest" in the sense that it has only a 112-bit keyspace, as opposed to the 128-bit keyspaces of the other ciphers used by PGP/GPG. There are some extremely esoteric attacks against 3DES which bring down its complexity somewhat, but it's still solid as a rock. 3DES has survived a quarter-century of cryptanalysis and nobody's been able to hit a home run against it yet; this means that 3DES, while "weakest" in the sense of keyspace, is probably the strongest cipher in common use today.

Re:Factual error: PGP is *not* insecure.

[Signail11]

I want to address the issues in [*], [**], and [+] in a bit of greater detail. The issue of whether RSA is computationally equivalent to the IFP is considerably more up in the air than you imply. The exponents on low exponent RSA and the recent results on the distinguishibility of non-quadratic residues under certain conditions of smoothness for the numbers offset by a small integer from factors of the modulus give me pause on whether the above equivalence is true. It may well be true for the vast majority of RSA moduli. An efficient solution to the DLP *in the case where one operates modulo a composite n*, NOT in GF(p), implies that one can factor composites of the form n. 3DES is the algorithm that I would *trust* the most, but I do not believe that it is the strongest or best designed cipher in common use today; there have been many advances in cryptoanalytic techniques since DES as exemplified by an algorithm like CAST-128.

Dean's Firing

[jyuter]

Harvard justified its decision by claiming that Divinity School rules prohibited personal use of university computers in any way that clashed with its educational mission. But the dean was using his computer at home, not work.

It's irrelevant if the Dean was at work or not. It was the universities computer, and I far I can tell, most religions would consider pornography to "clash" with an educational mission. Reading sports scores might not be one of the principles of the Catholic faith, but it certainly isn't a cardinal sin.

On this one, I have to agree with the university for sticking to its policies. The Dean should have known about them and clearly violated the rules. If it would have been on his own computer in his house, then you'd have a legitamate complaint.





Being with you, it's just one epiphany after another

Re:Sex

[Hard_Code]

The problem is that anything just slightly risque to the American puritanical facade is candidate for stern and immediate censorship instead of rational analysis. For instance, many other countries like France and Spain have alcohol as part of the culture. Children grow up around it and don't go into insane drinking binges when they turn 21. Some with sex, sort of. Almost every other western nation is more free about sex. Yet in America it's some strange dangerous thing. If a guy so much as pats a man or crosses his legs the wrong way, he is immediately a homosexual. Parents can hardly hug their children without somebody crying sexual harassment. It's just really insane.

What gets me is the irony that the religious south, known for its piety is also know for its brothels and liquor. There is some disconnect there.

Re:Long reply

[Hard_Code]

I'd have to agree. I don't think this guy was under any illusion that downloading porn was not in conflict with his job duties (which probably required maintain some sort of moral stature). Of course that should have been made clear for those who expect to be hired to a religious institution and then break their moral laws.

Now if this was a secular institution with no pretense of moral job requirements then it might be another issue.

Re:A strong media is good for us

[Hard_Code]

And consequently natural selection has selected for a breed of politician which is exceptionally lacking the integrity of personal honer and exceptionally good at hiding dirt.

Don't you love evolution.

Re:Long reply

[Hard_Code]

I guess it all depends on getting on better with your associate employee contemporaries and frequently checking credit at moral bank. ;)

Re:Wow, privacy in the UK sucks

[DaveHowe]

I think the truely worrying thing is that all this is being put through because of a ruling in the European Court of human rights;
Basically, the ECRH said that, unless the uk had an EXPICIT law that allowed interceptions, bugging and so forth, then evidence of that type (and any further evidence that would not have been gathered if they hadn't seen the first lot of evidence) is inadmissible in court. The UKGOV position is that they are only formalising things they have *already* been doing due to the lack of a law telling them not to.

Certainly I find that a frightening thought....
--

Re:A view from Europe

[DaveHowe]

Oh, and just for those americans that are feeling smug that their constitution protects them from THEIR politicians doing the same to them:

US "RIP" Bill
--

A view from Europe

[DaveHowe]

Hmm. here in .uk, we have learned to our cost that, once the government gets used to having access to personal data on its citizens, it is very reluctant indeed to give it up. in particular, the .uk government are in the final stages of passing a bill with the following characteristics:

1. Any government official (including local government, police inspectors and Tax/Customs) can self-issue a notice requiring your ISP to give up emails and/or HTTP traffic logs to them.
2. Notices don't expire
3. Notices can come with an attached "gagging order" that makes it an arrestable offence (5 yrs emprisonment) to tell anyone a notice has been served on you
4. Gagging orders do not expire
5. Notices can require you turn over a secret encryption key; if you are a company employee with access to the key (for example, a .uk technician with access to the .us based ordering system for a major multinational can be ordered to download the key from that system on the .uk government's behalf)
6. If you have the authority to order the production of the key (for example, a UK resident CEO of a US company) they can serve a notice on you to do so
7. If you fail to produce the key (and forgetting / losing the key is no defence unless you can prove it in court) there is a 2 yr jail sentence in your future.
8. Once they have the key, no-one is liable for its safety or for any losses you suffer as a result of its disclosure
9. What few safeguards exist are in a Code of Practice that can be re-written by the government at any time; in addition, there are no penalties for failing to follow the Code of Practice.
10. The target (and/or recipient) of the notice is not required to be suspected of a crime; it is enough that the official is investigating a potential crime
11. the "economic well-being" of the UK is a valid justification for notices - so trade unions, human rights organisations and foreign multinationals competing against government-lobbying firms are all valid targets with no further justification required

It shouldn't be too surprising to hear that three ISPs have already announced they are planning to move their servers overseas; the largest .uk worker's union and indeed most of the Trade Union Council are planning on following suit.
--

Weird Story Time or WTF Is In Those Big DB's?

[iamriley]

I always assume that sites are collecting information about me. Consequently, I rarely put real information into anything. I was not always so hardened to the dangers of the net, though...

Flash back to January 1996:
Fresh into college, the young me pays $10 to my small college's computer center for one semester of POP3 email.

Fast forward to July 1996: The slightly older me signs up for a yahoo mail account. I put my college email as an alternate email.

Fast forward to December 1996:
The tired-of-paying-for-email me let's my account go unpaid and fade into oblivion. The account had gone unused for months.

Fast forward to yesterday:
I have a job programming for a small company. I have worked at this job for a year and a half now. We often make online purchases using my boss's CC. I have made between 5 and 10 of these, and I never put my own name as a contact for these purchases, instead I always put my boss's name. There have been a couple of times that I have called into one of these places to check on an order--in these cases I have identified myself.

A strange thing happened today:
I purchased another product online. The secure server was taken care of through Yahoo's store, though the company not Yahoo. On the first screen that asked for information, I entered my boss's name and the shipping address for the company. I clicked next. On the next screen, there were several boxes, one of which asked for an email address. In that box appeared something that I never expected to see again: my old college email address.

I feel violated. Ugh.

Re:PGP and the NSA

[jovlinger]

I don't see how your points about symmetric and asymetric encrypytion support your conclusion about the infeasability of the NSA breaking PGP (either possibly flawed implementation or ideal design).

All they does is rule out brute force and publically know attacks. It is totally possible (though I would hope not the case) that the NSA has the knowhow and resources to significantly comprimise PGP.

An unfortunate aspect of PGP is that it features both symmetric and asymmetric technologies. If either one is compromised, the system is broken. Thus we have multiple points of possible attack.

However, I do agree with your conclusion that even should they have the capability, the NSA are constrained by larger issues not to divulge this act for anything less that earth-shaking consequences.

So it is academic whether they can or not, cause they wouldn't be able to tell anyone about what they found.

Even more prosaically; DES is effectively cracked, what with the $100K brute force machine, but AFAIK, no law enforcement agency has built one. If they aren't willing to spend a measly 2 man-years in salary for something generally applicable, you have to wonder as to the level of effort they could get the NSA to put in for them.

Re:I was quoted out of context. Here's the origina

[jovlinger]

Ok, just to verify your credibility, would you detail the computational resources that sort of crack would need? Please give ball-park estimates of how many bits would be needed to be bruteforced for a 1024 RSA /128 3DES PGP key?

If you could provide (once again, ballpark) numbers on aggregate MIPS availible and the time needed to perform the crack, that too would help substantiate the claim.

'cause I have to be frank here; I'm more than a little sceptical.

Sex

[The+Queen]

You are absolutely right.
Why is Internet filtering so popular? Not because parents don't want their kids visiting the National Democratic Party homepage (which sometimes gets blocked - I love that) but because they don't want them finding pr0n. People have sex. People think about sex. Anybody who pretends otherwise is full of it.

The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk

Re:Mod Enoch_Root up

[Enoch+Root]

Hush. I know you're replying to a post marked -1, but a zealous moderator might overhear you!

Re:Offline privacy

[Pfhreakaz0id]

I have a pretty simple solution for this: a few times, I've swapped cards with someone! I just approach them as we exit the store if they are in line in front of me and I notice them use the card. I just explain "hey, do you know they use this to track buying habits? I'm kind of a privacy freak and don't like it, let's swap cards to confuse 'em. This isn't even my card, I have no idea whose it is!" The first time, I did it with a guy I knew. Since then, I've swapped it three more times. I also have two people I swap doubleclick cookies and the like with occasionally.

I think the best way to protest this crap is not to stop shopping there. If you complain to the manager and say "I won't shop here anymore, they just look at you like you are nuts and say "fine" and since the VAST majority of folks don't care, your boycott has no effect. Instead, do things like this to undermine the effectiveness of the data, so the fabulous things these companies are selling don't really come to pass.
---

Re:Harvard Divinity School dean firing

[hodeleri]

No. He would not have. Part of almost any computer policy any work you work (probably the place where you work too) says that company resources may not be used for personal use. Lets see:

1. He had a university computer
2. He was using it for personal use (and quite a bit no less, thousands of pictures!)

End of story. It does not matter if it was a laptop he was hauling around with him or if he was in his office. He was using company property for personal use. Violation of policy and grounds for termination.

--
Eric is chisled like a Greek Godess

Transparent Society

[hodeleri]

Here's a rather fascinating interview with David Brin (probably picked up from slashdot earlier) that I found a fascinating read. Its about having the light shine both ways.

Link is here

--
Eric is chisled like a Greek Godess

Privacy == Suspicion

[pongo000]

Unfortunately, until the use of encryption become the norm, rather than the current exception, law enforcement agencies will continue to devote special attention to individuals who insist on using encryption to protect their privacy. It's a well-known fact in law enforcement circles that only people who have something to hide use encryption.

Re:Encryption does not ensure privacy

[SIGFPE]

and even quantum computers will take a LONG time to be able to handle modern key sizes.

Actually I think you'll find that if quantum computers ever come to be (which I personally doubt) you'll find that the algorithms take a time proportional to the key size - ie. they won't take a long time.

Specifically, there is no quantum algorithm for solving even one of the NP-complete problems

Nobody knows whether such algorithms exist. Someone might find one tomorrow. I think you needed to say 'yet'.
--

Re:Long reply

[Harri]

...my employer has every right to watch what I'm doing at work (like this post), whether by a physical boss with eyes or with an electronic monitoring system

When you say "right" I assume you mean "legal right", which is all too different from "moral right"... I can't comment on the legal side of it, but there are certainly moral issues.

1. Is it reasonable to give me a computer for my home, tell me that I can use it for personal things as long they don't "clash with its educational mission", and then snoop on that personal use without informing me that they are doing so? Are they entitled, for example, to read my private correspondence with my doctor, or my diary, or anything at all just in order to check that it doesn't Clash with the Mission?

2. I'd interpret "clashing with its educational mission" to mean actively interfering with the department's activities or doing something which would affect the man's ability to do his job. Not "clashing with the morals of the employer". Surely if you can be sacked for your morals, you should be told before you sign the contract. Perhaps he was. I wouldn't want a job like that!

PGP and the NSA

[Signail11]

The algorithms that PGP uses with reasonable length keys are almost certainly not breakable by the NSA in trivial lengths of time (I am not discussing the actual implementation used by any specific version of PGP). The "programmer"'s quote establishes that he or she is obviously incompetent and probably does not work for any defense-related contractor. Jon Katz's use of the quote reveals that he is clueless, but we all suspected that already.

Hash function: PGP in its latest incarnations uses SHA-1, RIPEMD-160, and MD5 in that order of preference. SHA-1 was designed by the NSA and is almost unanamously regarded as the best public hash function today. The expansion function makes it very difficult to control and restrict bit changes within the hash function itself. Even if the NSA were able to create arbitrary collisions on SHA-1, this would not affect the security of the encryption algorithms, only the signature component of PGP. RIPEMD-160 seems reasonably designed; MD5 has serious weaknesses in its compression function. Luckily, almost nobody uses these two hash functions anymore.

Symmetric algorithms: A brute force attack on any encryption algorithm with prudently chosen keylengths (>128 bits) is impossible today and for the forseable future, even with customized hardware. The NSA has cryptanalytic techniques, even decades old, that the academic cryptographic community has not yet discovered. To give some trivial examples, let's look at double transposition, codes, and rotor machines. Even today, the analytic techniques used for the solution of double transposition (without multiple anagramming or known plaintext) were redacted from Friedman's Military Cryptanalytics. The state of linguistic and textual analysis is far more developed in military cryptanalysis circles; centuries of code reconstruction have seen to that. Moreover, the details of attacking advanced rotor machines (essentially anything more sophistocated than the Enigma/Hagelin machines) are still classified. The NSA has shown an ability to design algorithms so fragile that they apparently have precisely the strength they were designed for (visit Skipjack). Nonetheless, if the NSA can break academic algorithms (such as CAST, 3DES, and IDEA), they would be wise to avoid disclosing this fact on something as insignificant as a non-national security related criminal investigation.

Public key algorithms: Without QC, it's impossible that a 1024-bit RSA key will be factored using current algorithms. Even if an extension to GNFS that reduces the hueristic complexity to that of SNFS, 1024-bit RSA keys would require a large enough matrix reduction step that there is probably not enough memory in existence in the world today to do it (even with Balanced Block Lanzcos). It would even be more difficult for the DL problem; the matrix step would require entries to be mod p, rather than mod 2.

Off Topic: but on the issue of harassment....

[xianzombie]

Just a lil somethin' FYI.

IIRC, in the millitary, sexual harassment can be defined (by some individuals, but it varies according to who you ask), that even looking at a person for more than 5 seconds can be defined as sexual harassment.

Oi, they days when the millitary was trained killers, now looking at a person for too long can get you demoted, jailed, fined, dischared, etc. Not that its really likely that those would happen for just looking, but there are some real pricks who could and would take it that far

Privacy

[Kondoor]

I have come to the realization that anything I do online isnt really private. Your ISP can intercept your email. People can sniff packets if your on a LAN. I use PGP if I really feel the need but, thats maybe once a month. Phone calls are still fairly safe but who knows if your tapped. If people are really all the worried get in your car and meet someone in a park or somewere private and have a conversation.

Re:Nothing transparent about this

[ruin]

And my situation is a good example of why David Brin's Transparent Society will never work. My personal life harms no one, and in my state of residence it's perfectly legal. But I guarantee you that if my personal life were revealed to everyone, I would have problems with my employer, not to mention my coworkers and possibly with over-zealous law enforcement who aren't familiar with the (lack of) sodomy laws in this state.

I disagree. While the "Transparent Society" would require a massive, massive change in the way our society views people and does its business, I don't think the reason you state is the one why it wouldn't work.

Let's say we had a very open society, and everyone knew of your "deviant" sexual practices. To be fair of course, you would know about everyone else's sexual practices as well. And so what?

Yes, in today's society, the revelation of your private practices did you great harm. But I don't think it would be the case that an open society would encourage conformity, quite the opposite. You see, of all the people who persecuted you for your actions, at least some of them had secrets about themselves, perhaps sexual, that they'd rather not share. It's the ability of these people to keep themselves hidden that allows them to attack you for your foibles.

If everyone's lives were out in the open, who would attack you for being a zoophile? Only people whose personal lives were deemed to be much "cleaner" than yours. If everyone were open to scrutiny, I think people would be *less* inclined to criticize, not more -- sort of like if *everyone* lived in a glass house there'd be a lot less stone-throwing.

Let's take to a concrete example -- drug use. In today's society a person usually, for good reason, covers up their drug use and doesn't let other people know. Suppose they had to let everyone know they were doing drugs. This would create three possibilities. A: the person would stop doing drugs, because they don't want to be seen doing them. (unlikely for most drugs.) B: The person would do drugs, and be comfortable doing drugs, and if anyone tried to ostracize them for it, they'd just shrug their shoulders and go on with their life. Or C: The person would do drugs, but desire not to do them, at which point people would know that that person had a problem, and perhaps the person would be able to get some help.

Now obviously, this is a rather idealized notion that involves people being nicer to each other than they are now. However, the vindictiveness of people stems not from an innate property, but from society, a society that encourages people to hide any deviant behavior away and pretend that everyone is perfectly normal. Having a less private society is the first step away from this kind of nonsense.

Carl Jung once obverved, and I forget the exact wording or circumstance, so don't quote me, that as society grows larger in population, the amount of "deviant" behavior increases. This is because the more people there are, the greater chance a deviant can find others her to support her. This would seem to indicate that eventually scenario B that I described above could come to pass -- if people don't like you for some reason, then fine, just find people who do like you.

--

my privacy wishlist

[argoff]

1st) get rid of that damn SS number. I hate that thing, and the idea of the fed paying for my retirement makes me sick to my stomach. Even if you must insist that we need it for tax reporting (which is just as bad, but that's another story) I certainly don't need it for my movie card. for christ sake, I know they can't require it - technically speaking - by law (yeah right). but it should be illegal for them to even ask for it.

2) drivers licenses should be for driving. if it isn't about the saftey of my driving - then it should be illegal to ask for that too. and why do they need my fingerprint to proove I'm a good driver. sheesh, thankfully our fore-fathers didn't think that id-ing criminals was so more important then individual liberty. I guess that's why we have those "inconviences" like innocent untill proven guilty, and trial by jury.

3) copyrights anyone? alot of people think that copyrights are about property rights, but their not - they're about controll over markets, and any type of controll requires tracking. Nobody would ever be inconsiderate enough to put code in apache that sends your ID to a centralized microsoft server, but it's amazing how these kind of things happen with closed software.

4)fed up with the Fed. it amazes me how many americans can see that monopolies are bad, and socialisim is worse, but when it comes to our very own money system - all of a sudden the free market gets thrown out the window. I can't help thinking that one of the best ways to get financial privacy is to get the government out of the finance busisness.

5)end the war on drugs. lets just face it, as bad as drugs are - they are not as bad as alchol probition which was a direct cause of the mob, and drug prohibition today which is a direct cause of druglord violence today. These laws have been used to screw citizens out of more privacy than anything that I can think of.

6)why in the hell do i need a prescription. Have you ever noticed that countries that don't require prescriptions and all that formal paperwork about your medicine habits, that people in these contries somehow seem to survive with out the glorious intervention of the FDA. Sheesh, why do mexicans pay 1/3 for perscription drugs that americans do, without the paper work - when they come from the same factory and everything else.

Untracable electronic money

[grahamsz]

I had a brief discussion about this something like 8 levels deep in another dicussion but I thought it might raise some interesting points.

What I wanted to know was if anyone could think of a good anonymous algorithm for exchanging money online (or on smart cards as the previous discussion was).

My mind heads along the lines of having electronic pennies, each worth one cent each which are merely strings of text electronically signed by your bank.

That way any peice of software can verify that a penny is actually a real one, but without access to the banks secret key there is no way to make more.

Unfortunately i'm struggling to find a way to stop pennies being circulated at the same time... does anyone here have any thoughts or other schemes for anonymous online cash?

Re:Untracable electronic money

[grahamsz]

Having read up on this stuff I think it could be done quite well. Given that as every day goes by it becomes easier for transactions to be online I dont think thier are any big problems with multiple spending. The mechanisms to detect it whilst maintaining anonimity mean it would be practical to exchange small amounts offline (bus & taxi fares seem like a good example) but most stores and individuals could no doubt afford an IP connection to do the transactions properly and securely.

Our university used to have a system like this (mondex) which they are now getting rid of due to lack of interest. Unfortunately mondex was very closed source, had at least one known security flaw (if you broke a link in the chip it would turn off encryption! however i never did get to put my card under a tunnelling ion beam to do so, and since the service was only available to students no stores in the city took out the machines needed for transactions.

What would be a big step forward is if an open source solution would emerge. This could be coupled with cheap $25ish smart card readers and we'd soon be headed in the right direction.

Assuming users could quickly and easily get their cards online (Why not just have little slots next to cashlines that you just swipe your card through to do the necessary processing) we'd have the basis of a wonderful system.

My only grievance with this system is it is still very reliant on the existing financial network. In that respect closed source cards have something of an advantage although i'm not sure if it's the way to go.

Re:Untracable electronic money

[grahamsz]

I was part of the Edinburgh trial of Mondex and it was pretty much a total failure.

Very few people used it becuase it took about 6 to 8 seconds per transaction (hence not much use in a busy student union). Added to this very few shops external to the university adopted it and the Bank of Scotland (imho) didn't put enough effort into getting better use. I feel that if they had put mondex systems into edinburgh's buses then overnight they would have secured its sucess. Given that the buses dont give any change i would expect thousands of people would jump at the chance to pay exactly.

But at 6 seconds per transaction... it's useless again.

Edinburgh have already withdrawn from the trials.

A far more sucessful card is the swedish kashkortt since it is closed source, untraceable and anyone can buy a calculator sized device to shift cash between cards.

I have issues with the Harvard Dean...

[yankeehack]

Jon, I don't agree with you on your point about the Harvard Dean being asked to step down for looking at porn at home on a university PC.

I've worked as a lowly PC tech and have been in a similar position, finding stuff on a work computer that should not have been there. It is **NOT** an "invasion of privacy" when there's a bunch of adult oriented .jpgs sitting in a C:\windows\temporaryinternetfiles folder.

If I were the tech in the same position, working on a university owned computer, I would have reported it to my superiors. No sense in losing one's job over someone's stupidity.

The incident you described just illustrates how much non-computer literate people don't understand about their machine's capabilities.

Re:Long reply

[Chiasmus_]

Now if this was a secular institution with no pretense of moral job requirements then it might be another issue.

Well, I work in a secular institution with no pretense of moral job requirements. We had a guy who was downloading a lot of porn a couple years ago. We went to the guy, talked to him, and asked him to put it on one of the servers in the NOC.

Harvard is almost like a foreign country to most of us - these people have so little in common with average Americans that they probably are more removed from us than, say, the average Brit or Australian. After all, the media has somewhat homogenized culture all throughout the western world, but huge chunks of inherited money seem to carry their own culture.

Similarly, hard-core Christianity is also a little confusing to me. I'm sure if this guy had been a professor at BYU, he would have been fired for drinking coffee. All I can say is that you should think long and hard about working for a Christian. Unless there's some advantage I'm overlooking in having religion tied into your job security, it's better to separate church and work.

Privacy is what you make of it

[Fjord_Redd]

First off, i don't necessarily agree with Rosen's first claim that sexual harassment is the leading cause of the violation of personal freedom. Sexual harassment, which can go against both sexes, is just another form of plain old harassment, which has been going on for centuries. People have learned to either learned to adapt to it and ignore it, or go off the deep end and sue whoever looks twice at them.

But enough of that. I see the internet as provding more freedom than the real world can. In the internet, through chat rooms and MUDs / MOOs, a person can REcreate themselves to be whatever/whoever they want to be. Most everyone wants to be someone else, a more gregarious character or someone without physical limitations. In the physical realm, this is not possible. The internet provides a place where we can be all that we want to be.

That true freedom also can be a form of privacy. In this other self you create, you can be as private as you like. You need not include all your actual personal identifications. False information flows abundantly on the internet.

--

The Tip of the Iceberg.

[Alarmist]

Katz isn't saying anything new, but that should hardly be a surprise by now.

We have known for some time--practically since the end of the Second World War (and to a certain extent before)--that the cloak of privacy is shrinking, and eventually it will be gone.

Already, the powers that be are training the public for the day when anyone can turn on a television or go to a website and watch the daily activities of a total stranger. Witness the success of shows like "Big Brother." The groundwork was laid years ago, and though people deride their banality, soi-disant "reality shows" like "Cops" and even (dare I say it) "The Real World" have been preparing people for this for years. Voyeur shows like "Big Brother" were simply the next logical step.

Eventually, the common citizen will have to conduct his or her life under the unblinking stare of the camera, not knowing who will be watching or when. I suspect that eventually, everyone will be watching everyone else. We will all be the stars of our own little Truman Shows.

And when this is in place, then they will have won. Intelligence agencies such as the FBI and NSA can be dealt, however ineffectually, because they can only do so much. The scenario I describe is akin to what's going on with distributed computing processes: you don't need just the best or the brightest to work on the problem. Every extra set of eyes helps.

We know that large segments of a population can be stirred up by mentioning a few key issues. How hard would it be for a fundamentalist figure to convince conservatives to spy on one another (and others) for evidence of sin? How hard would it be for some government official to say, "It's for the good of the children"? When you have a large body of motivated people working towards a common goal, little can stand against them. It is up to us, those who know and can see what is going on, to make sure that they act for the good of all, rather than for ill.

Fight the Power. Close your blinds and stay out of others' business.

Re:Long reply

[Sodium+Attack]

Basing something on a book is technically copyright violation.

Pretending you know something about copyright when you obviously don't is technically stupidity.

Is it even possible to have a secure internet?

[davonds]

I don't think so. A determined cracker, with enough skill, and the necessary resources can crack any system. Even if it were possible to create a new, better internet, with complete anomynity, and security of data transfer, it would not be feasable to do so. It would require disassembling the existing system, and building the new system, with all the requisit hardware and software. The financial impact would be catastrophic, especially on the user end, the system would collapse.

And even if you could, would you want to? Perfect anomynity also protects those who would abuse the system, and every system creates it's own unique abuses.

Our only recourse is a legal one, though, given the international nature of the internet this can be extremely difficult. Only by making it cost prohibitive for people to violate your privacy, as in the new anti spam law, can we insure any security on the net.

A strong media is good for us

[Jon+Erikson]

I have to disagree that the increasing intrusion of the media into the lives of politicians and public figures is a bad thing, at least for the rest of us. These people accept that they are to have their lives scrutinised to a far greater extent than normal people - it's part and parcel of being in the public eye.

Having journalists who are unafraid to dig into the private lives of politicians means that there is a far greater chance of scandal and corruption being uncovered and exposed, something which can only benefit society in the long run - who wants corrupt leaders?

There was a case in Belgium IIRC where a paedophile ring had been running for years thanks to press cover-ups from people in power. This sort of thing is a direct consequence of having a press whose ability to speak is curtailed, and is not something that any freedom-loving person would want.

I've lived both here and in the US and both countries have a vocal press who aren't afraid to dig out and publicize political scandal and corruption. Sure it may look bad at the time, but who knows what goes on in countries where the press can't or won't let people know what's going on?

---
Jon E. Erikson

The Public Eye, and Acceptance

[LionKimbro]

Looking for a technology to preserve privacy is about as ineffective as looking for a technology to enforce copyright laws.

Increasingly, our privacy is disappearing, and this is not necessarily a bad thing.

Acknowledging this, we must predict that the world is going to become a bit more exposed. Cases such as the one involving the man at the university, fired for viewing porn on the school internet, will become more common.

I would hope that we, an increasingly online global community, would seek to make ourselves beacons of tolerance and acceptance towards others, rather than desperately clinging to our privacy, out of fear of what others may do to us.

Recently, on Slashdot, I have read that because my anime watching friends and I thought that Lime and Cherry in Saber Marionette J are cute (yes, they are young, and yes, they are sexual), that we must therefor be child molesting pedofiles, and that we should be prohibited from watching anime, at least in the Western hemisphere. This would be very amusing, if people just weren't so serious about it.

But I refuse to hide behind a wall of privacy (one that will be as effective as copyright law at that), and distribute Aa Megamisama and Ranma 1/2 episodes to my friends under the digital table.

I think it would be better to promote tolerance and acceptance in this world.

I believe that there is lots of hope for our society, and by extension, me and you. American Beauty was voted as the most popular film last year. This movie is about many of these issues: Tolerance, Acceptance, and even Privacy. Because people liked that movie, I believe that we will be able to become a more tolerant society.

Please consider re-considering privacy, and please consider promoting tolerance and acceptance.

Re:Long reply

[11223]

He worked in the *Divinity School* - if you can glean anything from that name, you'd notice that they probably have a pretty strong objection to that type of stuff.

Note that employers also can take away your company car for speeding, or fire you if you get into an accident with it. A Christian orginization has every right to fire one if its employees for partaking in strongly objectionable material with company resources... no different than being fired for soliciting sex in the company car.

If it was his home computer, it might have been different, but not much. He signed on to work with a *religious orginization* and as such needs to hold himself to the morals of that orginization... or find somewhere else to work that's not connected to a religious orginization.

Potential PGP weaknesses and the NSA

[rxmd]

You are right in so far as PGP is not crackable by a brute-force assault in reasonable time at present, at least when key lengths are large enough.

In theory, however, the key generation mechanism or even the encryption algorithm of PGP may show flaws (as we have seen recently with PGP 5.0 on Unix where key pair generation was not as random as it could have been). This happened in spite of PGP being open source all the time. In theory, the NSA or whoever might exploit these

And since PGP is open source (more or less), its weaknesses, if they exist, are openb for exploiting them - flaws are much more easily discovered than in other products that would need reverse engineering. Of course, this very same open source principle adds to the security to some extent because flaws can be discovered "benevolently" and "publicly", so to speak, but this is no guarantee against the possibility of someone discovering a flaw all by himself and not sharing, but keeping the knowledge, thus gaining the ability to decipher encrypted messages. (No matter if it's the NSA or whoever.)

Offline privacy

[91degrees]

Strangely enough, a lot of people who are concerned about their privacy on line seem to only care about it online. For years, Supermarkets have been correlating and cross referencing our buying habits, for more carefully targetted advertising, using loyalty cards.

They manage to convince people that this is what they want. How long will it be before they can convince us that online web tracking is also what we want? People are remarkable forgiving when you give them 1% of what they spend back.