Slashdot Mirror


CFP2000 - Freedom and Privacy by Design

The organizers of the next Computers, Freedom and Privacy conference, to be held April 4-7, 2000, in Toronto, Canada, are issuing a Call for Participation in a workshop entitled "Freedom and Privacy by Design" - how to use technology to bring about strong protections of civil liberties against governments and businesses that would censor or snoop. I plan to attend: give me some ideas!


  1. Encryption everywhere. by pb · Score: 4

    Don't use telnet, use ssh. Got any sensitive e-mails? Time for PGP or GPG. (GPGPGP? Ahh!)

    Why, you say? I don't have any data anyone would care about? Well, you might be right, but don't use that business e-mail account for personal reasons if you care about your job. And remember that the company might be logging your web access too, checking it against company policy. Chilling, isn't it? It's practically standard procedure nowadays.

    Also, if you encrypt your stuff, and you usually have nothing to hide, and others do the same, eventually it gets much harder for anyone to snoop on the internet. They'd generally want to attack people who send unencrypted streams of data... Sucks for them. :)

    Also, some common sense: Don't leave any encryption keys lying around if you care about your identity. In the future, I'm sure this can only get worse, and not just for Sandra Bullock. And saying "encrypt everything" might sound cool, but alas there are a few places where it isn't a good idea for everything. Like slashdot, for example. I wish my user account / password was secure, that would be nice... (the lesson here: have a throw-away password for the WWW, since much of the submissions are in plaintext, or a reasonable facsimile) But I could care less about the actual content of my posts, they definitely don't need to be encrypted as they are being posted to a public forum! Like so.
    ---
    pb Reply or e-mail rather than vaguely moderate.

    --
    pb Reply or e-mail; don't vaguely moderate.
  2. Time for reliable anonymous transactions .... by taniwha · Score: 4
    Might be time to set up that Cryptonomicon-style offshore anonymizing data haven .... and run everything thru there

    Seriously though I think there's going to be a need for anonymized access to web sites and other net resources - so we can give away our email address without getting spam, our credit card information without getting ripped off, our home address to get something shipped without getting paper spam, our IP address so we're not being tracked around the net, use our SSN without it being passed around, use our DNA without it affecting our medical insurance rates etc etc

    And it has to be done in a way that's proactive from our point of view - ie we don't depend on other people that we have to do business with, (like the medical insurers, or the retailers or ....) who don't put our best interest ahead of theirs, to be nice to us and respect our confidentiality - gotta start using protocols (net, commercial, social, ...) that don't give them any option

    These are difficult technical and social problems.

    I suspect that what it comes down to is that we're going to need some reputable 3rd parties (those datahavens) to proxy our transactions for us.

    At some levels we already have these - the big companies that sell financial (credit) and medical information about us - today they don't have our interests at heart either - somehow we have to find a way to take back ownership of our data.

    I know Europe has stricter privacy laws than the US - anyone want to enlighten us on how they work?

    1. Re:Time for reliable anonymous transactions .... by kris · Score: 4

      I know Europe has stricter privacy laws than the US - anyone want to enlighten us on how they work?

      Germany has a federal law governing privacy, which applies to federal governmental institutions and all non-governmental institutions, including companies. There is state law governing all state governmental institutions, too, and it is usually stricter than the federal law. Privacy law came into existence in Germany as a response to a census in the mid-70s, where the Government asked some over-investigative questions and ran into a PR disaster. The law which came from this regulates mainly the relationship between the state as a data-collector and citizens. The relationship between companies and customers was not seen as the major problem at that time and was not as thoroughly regulated. This is changing at the moment.

      The basic idea behind all privacy law in Germany is that you cannot collect any data at all without stating clearly and in advance what data you will collect and - that is the catch - without stating beforehand what you will use that data for. It is a violation of the law to use such data for any purpose other than the one specified.

      There is a federal privacy commissioner, who supervises federal institutions and (at the moment) companies and other non-governmental institutions. There are state privacy commissioners, who deal with state governmental institutions. The privacy commissioners are fairly independent and report only to the parliament. They have the ability to check about any personal data records anywhere, without stating that beforehand. Usually they do so because some citizen has complained about some irregularity and the commissioner is now investigating this. As a counterweight the commissioner cannot act directly upon his findings, but can only file a report, which will then be acted upon by other institutions, for example the Police, a prosecutor or somebody else, depending on the case. All privacy commissioners produce annual reports of their findings.

      The work of the commissioners is currently changing, as responsibility for companies and other non-governmental institutions is shifted from the federal commissioners to the respective state commissioners. Also, some of the state commissioners (the "gang of 5") are beginning proactive work such as technology evaluation, best-practice definition and sample implementations. The best-practice definition is particularly interesting, because privacy law requires that you use state-of-the-art techniques for privacy protection.

      There are some interesting alliances forming at the moment between the privacy commissioners and the federal ministry for commerce, as the ministry learned about the importance of trustworthy software in cryptographic applications and understood that only Open Source and peer reviewed software is able to generate this kind of trust. There are several projects coming up in Germany which involve cooperation between the privacy commissioners and the ministry, such as governmentally operated anon remailers, anonymizing web proxies, governmentally sponsored development and distribution of the Open Source software necessary for this and other projects. These projects will fit nicely into a frame as sketched by the above CfP.
      © Copyright 1999 Kristian Köhntopp