Talk:Student Projects:Privacy Internet

From CSEP590TU
Revision as of 16:56, 9 November 2004 by Tedz (talk | contribs) (Rough Project Outline)

Jump to: navigation, search

Patchwork Laws

[TedZ]: I'm almost done reading the chapter in Asprey re: privacy. One point that I find interesting is that US law is a "piecewise patchwork" (my own interpretation of the text) of laws, and apparently that's ok with everybody in the legal system. Europe appears to have a more unified approach to privacy. Comments?

Ryank The author states that privacy is a nebulous concept and that different people will have different interpretations of what it means. I think the sectoral policy approach in the US is a direct result of this. I'm curious as to how satisfied people are with the EU omnibus legislation.

Possible Topics -- random thoughts for outlining

[TedZ] One possible hot topic that Ryan and I have exchanged several emails on is the use of RFID chips, particularly the recently FDA approved human-implantable RFID chip. Would you get one? I've also considered the use of cookies (and other spyware) as possible topics.

[TedZ]

  • US Privacy Laws (contrast to European law?)
  • European Union Safe Harbor Program
  • Is technology outstripping the law? Witness several recent cases of stalking, where the stalkers utilized high tech equipment such as GPS transmitters, webcams, and spyware to harass victims -- in many cases, the stalkers' actions were "on the edge" of current law. In some cases, the court/lawyers had trouble even describing the technology that the stalker had used.
  • Relevant Internet technologies -- cookies, spyware (including remote-install no-warning versions!), forms and "voluntary" information.
    • Ryank http://www.cs.washington.edu/homes/gribble/papers/spyware.pdf is a first cut at measuring the spread of spyware. The author first created models for 4 different types of spyware. A packet sniffer was then setup on UW's network and used to capture all network traffic for one week. The number of packets matching one of the model's signature was used to to determine the total number of infected machines on the network. The author found that 1,587 clients (5.1%) were infected with 1 or more spyware programs. Considering that there are hundreds of different types of spyware in the wild and only 4 were checked for this is a definite lower bound.
    • Ryank Can technology be used to ensure privacy rather than waiting for laws to be enacted? One of the reasons Firefox is gaining ground on IE is due to the fact that it is not as susceptible to hijacking attempts and spyware. Are self-regulation and grass roots organizations like EFF sufficient?
  • Ryank Carnivore (the FBI Internet 'wiretapping' toolkit)
  • P3P
  • Smart cards
  • Problems/Solutions


Ryank I realize its the name of the topic but did you guys want to focus exclusively on Internet technologies? That would rule out looking into things like smart cards and RFID chips. Then again, maybe its better to narrow the focus some. It looks like we have a mishmash of different subtopics now and I'm not sure how to tie them all together.

Ted Zuvich At this point, I don't have a problem with tossing up lots of ideas for consideration. I'm thinking of this as a sort of whiteboard brainstorming session. Maybe we could go with "IT and Privacy", which would be a little more inclusive of technologies like RFID chips. Here's my goal: by 10 PM PST on Thursday, Nov 04 2004, I want to have a rough outline up on this discussion page. I think I can pull this together for the group, if lots of discussion takes place.

Ryank: Unfortunately, I won't be able to contribute much to this page today as I am at work now and class is tonight.

Ted Zuvich Ryan, could you post a link to some general information about FireFox?

Ryank: Here's a few articles talking about how Firefox's market share is growing due to security issues with IE:

Ryank: I read a blurb today about the MPAA following the RIAA's lead and deciding to sue individuals who illegally trade movies. The relevant bit of interest are in regards to a company called BayTSP. This company tracks the distribution of copyrighted material online and can find the IP addresses of offending individuals. The RIAA can take this information and issue subpoenas to ISP's in order to get them to release the names of individuals who are trading the files. Is this a violation of online privacy? Is there any reasonable expectation of privacy on P2P networks anyway? The data that they accumulate also has marketing value. Would it be fair for them to sell this information to advertisers without consent? Here's another article about them: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2003/07/21/BU289815.DTL

Privacy and the Internet

(User John): The civil right of privacy is a composite of federal and state statutory law, administrative rulings, constitutional innuendo, common law traditions, and activist judicial case rulings. Traditionally, Americans have been concerned with the power of governments, and as those powers grow, so does the individual citizen's need for privacy. Today, the explosion of computer based technology provides the uncrupulous and the fearful with vast opportunities to invade the individual citizen's privacy. As a member of this research team, I would like to see at least four sub-areas of this privacy issue explored: 1) a history of the building of the right to privacy; 2) a study of the flaws in the present patchwork of the right to privacy; 3) a serious look at the technological threats to privacy available for use, today and tomorrow; 4) a proposal for effective options to the present system - perhaps a Constitutional Amendment of Individual Privacy. I have some data on the technological threat, such as Tempest related technologies. Some of our more technically inclined members might enjoy such research. As attorneys, Jim and I should be able to cover items 1 and 2, to a certain extent. After basic research has been completed, all of us could have a good bull session or two, and we should be able to create a serious proposal for item 4. Since the U.S. Constitution was mostly conceived in Taverns, I suggest that we consider similar accoutrements - to enhance the creative mood, of course. Comments? Alternative ideas? We need to get our heads out of the clouds and grind away on something concrete.

Ryank: I think this is a fine idea. Thank you for grounding the discussion. I would like to throw my hat into the technological threats ring. As a counterbalance, I think some examination of privacy enhancing technology would be interesting to look at. Certainly the latter can be a component of whatever proposal we make in subtopic 4. And yes, beer is always a good idea...

Ted Zuvich: Beer would be nice. Unfortunately, I'm out of the Seattle area and will be for the foreseeable future. And I'm in the middle of finalling a project. So no beer for me. I would suggest using IM, but I think its better if we keep discussion on the Wiki, as much as possible.

Jim Jantos: Third on the beer. I see some early narrowing topics as follows: Technology threats and/or technology enhancements to privacy? Internet vs. IT as a whole? EU vs. US patchwork privacy rights?

I thinks a basic outline could be (1) background on privacy and related underpinnings, (ii) an examination of U.S. privacy rights (i.e. basic laws, etc.) (iii) threats/enhancements to privacy related to IT (maybe pick a particular threat from a tech side - spyware, govt. investigation software noted above, etc.); and (iv) possible solutions/proposals (including a possible look at EU law).

Group Roles

Ted Zuvich: I think it would be helpful if we provide a bit of background on each other so that we can see how everyone is going to fit into the project.

Myself, I'm a technical guy. I'm a senior programmer with a background in games development. I also have significant experience with technical writing and editing, which should come in useful.

It sounds like we have two technical people (myself and Ryan) and two attorney/IP people (John and Jim). That should be a good mix.

Ryank: I'm also a tech guy with a background in information retrieval and information extraction. Developments in these areas can definitely be used to create automated systems to monitor user's email, IMs, etc.

Jim Jantos: My basic background is linked with my name on the Wiki somehow. Although I have an engineering background, I am an attorney (now 10+ years - I am somewhat shocked to admit it!) with a strong tax (probably not too useful here) and IP background. John and I are both in the masters IP program at the UW law school on a part-time basis. As far as attorneys are concerned, I am close to the tech side, if that is possible.

(User John, 11/3/2004) Jim and I have patent law backgrounds, so we should be able to keep up with the tech data. I like the idea of bringing in the EU approach somewhere in the project. I have some ideas and data regarding Tempest, Carnivore, and other eavesdropping technology, but I think you tech guys might be better suited to discuss those things. Please be aware that we need an outline to give Ed by Monday. Maybe, we can discuss these things further at class, tonight. What do you all think?

Project Schedule

[TedZ] Given that we've got a deadline and not much time left, here's a proposed schedule for the next few days:

Nov 4, end of day: rough outline up on Wiki for comment. I will provide this.

Nov 5-7: comments, refinement, and arguing.

Nov 8: prepare final draft of outline, submit.

Rough Project Outline

Privacy In/On/And the Internet

1. Privacy in the US 

       A.  What it means
       B.  A brief history of privacy law
       C.  Current state of privacy law
       D.  Contrast with EU law

2. The impact of the internet on privacy 

       A.  Notification/Consent/Opt-In/Retribution, etc.
       B.  Threats to privacy/new opportunities for invasion
         1. Data Mining
         2. Cookies
         3. Spyware
         4. Government "spyware," with emphasis on the post-9/11 era
       C.  Shortfalls and problems because of current privacy law
       D.  Technological failings -- shortfalls in IE and other internet software
       E.  Sneaky ways around current laws: scams, tricks, and hustles

3. Solutions 

       A.  More laws?
       B.  Constitutional ammendment?
       C.  Countermeasures -- a technological solution?
       D.  Self regulation
       E.  Grass roots organizations
       F.  Things that are working.

4. Conclusions/Summary


Ryank: Thanks for putting this together Ted! Some random thoughts:

  • I think the Notification/Consent/Opt-In/Retribution section can be a subcategory of Sneaky ways around current laws.
  • Data mining (algorithms for extracting novel nuggets of information from huge repositories of data) does not directly relate to the Internet. However, the Internet does facilitate the creation of these huge databases. For example, web sites can create click-stream logs that track how long a user looks at a particular page, which links were clicked on, referrer sites, etc. Without data mining techniques, it would be near impossible to manually extract anything useful out of the vast quantities of data.
  • The Internet focus will cut out technologies like RFID and Tempest. This is fine with me but John had expressed some interest in the latter.
  • Re: Contrast with EU law. I found a memo that briefly discusses individual state privacy laws. It turns out that 13 states already have omnibus privacy laws. One of them, Hawaii, was considering the adoption of EU-style laws for protecting medical information. The memo is dated 1997 so perhaps Hawaii has already adopted such measures. Even if the proposal was thrown out, their reasons for doing so would also be instructive. This could serve as a test case for what would happen if the US as a whole adopts EU laws. Of course, trying to quantify the effectiveness of privacy legislation is the problem to begin with...
  • I don't know apriori what good solutions are. This subtopic is going to require all of us to do our background research and write our individual sections before we can come up with anything reasonable. This means that we will have to set an internal deadline before that of the real rough draft due date so we can discuss this. Also, are we all going to contribute to this section? Given the distributed nature of the group that could prove difficult to manage.

Ryank: I've created a skeleton project description page that we can turn in on Monday.

Ryank: What subtopics do people want to work on? We should probably split the paper up into 4 subtopics (not including the summary/conclusion). I'd like to work on a chapter surveying either the threats or privacy enhancing technologies.

Jantos: Based on Ryan's and Ted's work, the comments above, and my discussions with John, I have created a final page that can be used as our final product due today.

As you can see, I have left the techies with the tech topics: Ryan would like to examine technological threats and Ted would like to examine self-regulation with an emphasis on tech enhancing measures. I have left the legal related topics open for John and me: current law, laws abroad, and proposed legislative solutions. The difficulty with separate contributions will be the interaction of each contribution. For example, it is difficult to analyze a threat without a background on the law. Likewise, it is difficult to propose further laws without understanding the technoligical threat (although this is the way it probably works in real life!).

Feel free to edit and improve the work, with or without comments. Since the Wiki encourages it, I have no problem with a continuation of adding comments to the final project description, as long as they are substanative and not merely critique or procedural. Last, someone should probably email Tap with the link.

(User: John) I like the outline proposed by Jim. My only recommendation would be to include a separate conclusory segment that incorporates our collective technological and legal positions, post research. In response to RyanK regarding the exclusion of Tempest and similar technologies due to limiting the project to Internet applications, I don't think such limitations are necessary. The greatest threat to privacy is going to be technological in nature. Discussion of exotic technological advances that potentially affect citizen privacy is a legitimate subtopic for this project. Thanks for th4e effort, guys! The great mix of team member's backgrounds will enhance the quality of our project discussion.

Ryank: Do you guys think we should setup separate Wiki pages for each of the subtopics and post the findings of our research as we go? I think that would help idea generation for the policy recommendations section.

Ted Zuvich: The separate contributions will probably make things a bit more difficult, but I don't see a way around it. I envision a process that will have several rounds. As an example, I'll write a draft of the technological threats topic. Then you (Jim, John, and Ryan) will read it and offer comments. You will incorporate some of the material into your sections, possibly expanding on some of the legal issues. Then I will read your stuff and revise my section. Iterate until change -> 0.

Retrieved from "http://cubist.cs.washington.edu/CSEP590TU-wiki/index.php?title=Talk:Student_Projects:Privacy_Internet&oldid=2068"