Hello PJ,
> (somewhat OT)...
> In your argument you tend to agree that there will be a balance
> between security and privacy as we have today? I mean, there can
> not be 100% guaranteed privacy while belonging to a community - you
> have to interact with people who interact with others. Heck, every
> business in the world depends on "word of mouth" as a form of free
> advertising! This happens when one person divulges some information
> to another.
Yes ... I think that for now we'll have *less* security and privacy in the Internet (compared to the real world) until things evolve a little further. In the real world we can go to a remote mountian or valley and have a conversation that we can think is relatively safe. Unless a government satellite got access to us at the right angles with lip-readers viewing the video ... ;-) But even this would take a lot of coordination.
How ever on the Internet the first step that you take is traceable. Your connection to the Internet occurs through a "community" that immediately knows and can trace where the other end of the wire is connected. Whether by phone, cable, or DSL. So the "source" of any Internet communications is easily pinpointed to a physical location. (Ok ... in the case of wireless it's slight tougher ... cell can be triangulated, but still identified.)
> But you are correct, there are trust relationships formed at the
> communal level. These relationships are governed by our individual
> needs as well as our communal needs. If digitalme can provide us
> the tools we need to define those relationships, it will go a long
> way to liberating the internet from the current model.
Well ... you will still have to physically connect through some ISP. Even if you are at an airport kiosk ... you are accessing through a fixed physical point. You *could* then "proxy" communications through another "community" by pointing your browser or mail client at a remote machine. You could even do this through a secure connection. But then "they" (whoever is trying to trace things) will know the path of communications to that remote proxy. That proxy is then owned by some "community" ... if the community refuses to "give up" information about the communications that took place ... then the community could be held liable, or sanctioned. And anyone tracking communications to and from that "proxy" or "community" also can witness the timing of events. (i.e. News posting with virus from the proxy happens seconds after a secure connection from your house.)
> My point is this, the balance of privacy and security is very real.
> We tend to think in grand terms when we talk about privacy but in
> what context does that privacy live? It doesn't live in a vacuum.
Actually ... that is the only place that true privacy exists. Inside of your own thoughts in your head. Once you "export" these to a medium of almost any kind, they are potentially exposed to a "community". (Shouting in the woods is pretty safe ... but there *could* be people around. ;-)
> There is some give and take on just how much privacy one can have
> and still be a participant in society (or community).
I agree completely ... this is the key.
> So with that in mind, there will need to be much debate on just how
> much privacy will be sacrificed to maintain some semblence of
> civility in cyberspace. This argument grows from our real world
> experience which does not define our cyberworld experience. In that
> essence, this debate almost fails but only to a point.
Yes ... I believe that this is the traditional debate of "true freedom" ... in order that have freedom there are gives and takes.
> The same technology that gathers information can also be used in a
> reverse fashion. Quite frankly if my personal information can be
> tracked thereby allowing me to uncover the "guilty" parties, I feel
> my privacy doesn't need to be 100%. I can make an informed decision
> on which relationships to maintain or sever. Allowing me the power
> of choice multiplies as others join in.
There is an important issue here ... and that is the area of "tracking" or when you say "sever". I don't believe there is any way to completely solve the issue of passing information in a way that it can always be traced, or that it can revoked. If you send me *any* information that I can view ... I could take a screen capture and then send it to friends. You won't be able to trace what I do with it, once you have given it to me. If there is *any* way for me to alter or re-encode the information then it's mine. If I let you have my passport for a minute, out of my sight, there is nothing that prevents you from making a copy of it. Even if it's not perfect, you have the information on a medium that I can't control.
Now there are many ways to allow you to verify a "fact" without giving you the info ... or working through an intermediary.
> That's the problem with our information today in the real world. We
> want to protect our personal information because there is no
> control, no path for me to follow it. If companies know that they
> can and will be held responsible by individuals regarding the
> handling of their personal information, things would be alot
> differnet in our world today.
It's a tough problem to solve. I would suggest that being aware of what you share and where is critical. But also knowing that you can disable continued access. IMHO, don't expect miracles to happen where billions of years of evolution haven't solved it.
> I feel that a model that would empower the individual to the point
> whereby their decisions to cut relationships or maintian them will
> directly affect corporate policy regarding the gathering of
> information is a step in the right direction.
Cut yes ... revoke I don't think so. They will always have the records that they have.
> There needs to be more debate on this at a different level in our
> society where marketing and sensationalism are not factors in the
> presentation of the arguments made. This will take some time for us
> to figure out but I have confidence. We were able to make good with
> the telephone (these same arguments of tracking were presented when
> the phone first began to populate homes) so I can see us following
> a similar path.
Yes ... and because the phone companies *could* and *would* trace calls, they cooperated with various agencies to provide procedures for society to decide what privacy to "invade" with taps, etc.
But again, in the case of the Melissa virus writer, what if AOL had not cooperated with authorities, or never logged the information necessary to trace the call, what would have happened? Authorities would not have been able to find the virus writer. And who is then liable? Could AOL have been sued as the "community" responsible for the virus? Can government "force" all ISPs to log information to be able to "track" people? If so, then people will resort to using complex proxies and relays to try and hide these communications in secure channels (it's now happening!) so do we now make this illegal? If so we are agreeing that there is no privacy in the Internet. If not, then bad things can happen. Classic dilemma of freedom.
> Also, one other thing - AOL's involvement in the Melissa case -
> perhaps I have a very "inside" perspective on just how that sort of
> thing works but AOL's Terms of Service explains things very fairly
> and openly. Almost like our laws in the real world. It's no secret
> that if you do wrong, AOL will comply with authorities. They can't
> do otherwise without reprimand from those authorities obstruction).
In who's law? What if the guy had thought about it and posted through an ISP in France? Or Sweden? Or Iraq? Or Cuba? Now what law are we going to evaluate? This is my point about communities. If each of these are viewed as a "community" then that "community" would be sanctioned for improper behavior. If the post had occurred from an ISP in France, maybe French law forbids the release of this "private" information. If you don't think this is possible, then think through countries that are currently selling domain names (like the .TM or .FM domains) ... just imagine what they will discover when they sell completely "discrete" or "private" proxy services. The only recourse will be "connectivity sanctions" ... but then that opens the door for blackmarket "connectivity". ;-)
> Also, from my understanding of the case, the virus writer
> "compromised" someone else's account so isn't that a crime? If
> someone stole a user account in your corporation and then
> used it to create/distribute a tool of destruction how would you
> feel?
I agree that the "theft of service" could probably be pursued ... if the community cooperates. But I believe that just as some communities like AOL are around, new secure ones will appear. And huge sums of money will drive it.
> [Sure we can point to AOL's shortcomings in it's security model but
> the weakest link in that model is the end-user.]
Yep ... if someone used my account I would feel dumb if I was the cause of the "leak" of my security information. But the account could have been stolen in many ways.
> That point I won't argue here since it would take too long but if
> AOL didn't do what it did, does it then open itself to civil
> lawsuits as the source of the problem or at least as a facilitor?
Yep ... the community would be sanctioned.
> Now that's a chilling affect -
That's a social reaction to what the majority (or those in control) feel is not in line with morales and values.
> It would send a chilling message if in some way AOL were to be held
> responsible for the actions of a "hacker" or as a haven for such
> activity. I for one would not want AOL "protecting" anyone who in
> my mind and the law's eyes had facilitated or committed a crime
> PERIOD. That goes for any service or company or agency or whatever.
But this is exactly what will *cause* it to happen. What you are doing is putting a price tag on the service. Because of the fact that you (and a lot of people) don't want it to occur, but there are people who want the ability, you are creating a search for the lucrative blackmarket.
The problem is that if you track everything because something bad might be in there, you are still tracking everything. ;-(
> Privacy should never shield foul deeds. I'm not willing to
> sacrifice that for 100% privacy.
These are the tough parts of freedom and democracy. There are only so many steps you can take in a direction before you become "one of them." In the current conflict with Yugoslavia, we are only going so far. We aren't targeting the leaders of what is occurring (not that I endorse this in any way ... just an example!), but instead can only resort to "sanctions" against a "community" of people.
Scott C. Lemon |
