12th Conference On Computers, Freedom And Privacy

12th Conference On Computers, Freedom And Privacy

The Audiotaped ProceedingsMary Meernik and Barbara GloverWith an introduction by Mary Meernik

For this year's conference, participants do not have to manufacture hypothetical scenarios to debate situations that might warrant government encroachments on our civil liberties. The tragic events of September 11 are understandably at the forefront of many of the sessions, making everyone wonder how much freedom and privacy should be sacrificed in hopes of achieving at least the illusion of security and safety. Immediately after the terrorist attacks there was a rush to enact laws that expanded law enforcement's surveillance powers not only in the USA but also in Canada, seven European countries, and Australia. There is harsh criticism of the USA Patriot Act throughout the conference with one speaker characterizing it as "the eavesdropping equivalent of weapons of mass destruction." In attempting to prevent future attacks, the government has even been given the power to track the Web and e-mail activities of all citizens. Conference participants have always lamented how apathetic the public has been when it comes to privacy issues, and surveys are showing that we now have an increasing tolerance for surveillance. Besides the session devoted to the Patriot Act, there are fascinating, albeit alarming discussions on government efforts to implement a national ID card system, on whether biometrics can thwart terrorists without destroying our civil rights, and on how the availability of previously public information has changed since September 11. This last session examines how the Bush administration's "general bias against access to information" has resulted in the removal of scientific and technical information that had been on government Web sites prior to September 11. Another speaker on the same panel complains that the "dominant drumbeat of homeland security" is being used to circumvent government accountability.

The private sector also receives its share of criticism for practices that are threatening our online freedoms and privacy. The session on Privacy in Identity and Location Services discusses how the software industry is designing systems for mobile and wireless electronic devices that collect and store information about user identity and location. The privacy advocates on that panel are unanimous in their belief that these companies will not incorporate privacy protections into their software unless compelled to do so by legislation or public pressure. Another session examines efforts by businesses and public figures to thwart our right to post anonymous criticisms on the Internet. The session on the Digital Millenium Copyright Act criticizes the publishing industry for designing digital-rights-management schemes that effectively block our fair use rights.

Other panels examine the social and political aspects of the Internet, including how it can be used for voting and organizing local and global grassroots movements and whether it is really a shared global resource available to all. Perhaps the most intriguing session is the one on access to public records just because it is probably impossible to find a balance between preserving privacy and maintaining open access to such information. Excellent, thought-provoking comments on both sides of the debate are raised by the panelists and by audience members. There is a librarian on this panel, which is a welcome addition since the profession was not represented at last year's conference. It is ironic, however, that while she, and librarians in general, fervently advocate equal access to information, including public records, we make an exception when it comes to the circulation records of library users. Can these records really be placed in a different category than court records, motor vehicle records, voter registration data, professional and business licenses, criminal histories, property information from assessor files, and so on?

This year's conference, sponsored by the Association for Computing Machinery, was held April 16-19, 2002 in San Francisco, California. The four-day event featured one workshop, five tutorials, 11 plenary sessions (which are covered in this article), ten concurrent sessions, six keynote speeches, and two award ceremonies. Audiocassettes of the entire conference, except for the workshop and tutorials, can be purchased from Audio Archives International, 3043 Foothill Blvd, Suite No. 2, La Crescenta, CA 91214; (800) 747-8069. An order form is provided at the CFP Web site, www.cfp2002.org This excellent Web site also provides program schedules and information, speaker biographies, conference newsletters, and links to papers by the presenters and to numerous media articles about the conference.

"National ID card: the next generation"

This was presented by Peter Swire, Visiting Professor of Law, George Washington University Law School (moderator), Jay Maxwell, American Association of Motor Vehicle Administrators, Andrew Schulman, Privacy Foundation and Deirdre Mulligan, National Academy of Science Committee on Authentication Technologies and Their Privacy Implications.

Various proposals for some type of nationwide ID system have been floating around during the past decade, but as moderator Swire points out, there has been "an unprecedented level of interest" since last September. In order to understand better the advisability and feasibility of such systems, the panel discusses two projects that are currently being implemented on a smaller scale. One of these is the AAMVAnet project which is exploring the electronic verification of documents presented to obtain a driver's license and the inclusion of some type of biometric on the license to uniquely identify the driver. According to Maxwell, the Departments of Motor Vehicles "make it really easy for people to commit fraud today" in obtaining driver's licenses and it is "painfully obvious that the terrorists used driver's licenses to facilitate what they did." He readily acknowledges the difficulties and challenges of implementing such a system, pointing out that several states are using different biometrics on their licenses and that up to this point a lot of money has been spent without achieving any interoperability among the different databases. He disputes accusations that his group is seeking to implement a de facto national ID card, insisting that the project is still in its infancy and that its goal is "simply to stop being an accomplice to fraud."

In order to get some sense of whether an ID system could have prevented the September 11 attacks, Schulman discusses the "largest machine-readable biometric ID that is currently run by the federal government." The State Department has been issuing border-crossing cards that are used by the INS to track people regularly crossing the US-Mexico border. Four million of these machine-readable cards are in circulation (with a six month backlog) and there are no machines to read them. Schulman is extremely concerned that in the rush to allay security concerns, we have taken at face value what the vendors are saying about the practicality of such systems. In his opinion, the "homeland security budget is pork for the IT industry."

Mulligan is also very critical of the two systems discussed and is concerned that ID systems are "viewed as panacea" in preventing terrorist attacks. She also stresses the dangers of implementing an ID system before there is any consensus on what the purpose and goals are, what data would be collected, how and by whom the data would be controlled and accessed, whether the system would be voluntary or mandatory, what legal structures would be needed to accommodate it, how system failures would be handled, and so on. She warns that even if the initial intent is not a national ID system, it would be difficult to prevent "function creep" as other groups would want to add to or access the data. In addition, the consequences of identity theft would be much more serious if "we have everyone relying on a single form of identification."

"Truth is the first casualty of war – availability of information post 9/11"

This was presented by Kevin Poulsen, SecurityFocus (moderator), Chris Hoofnagle, Electronic Privacy Information Center, Lee Tien, Electronic Frontier Foundation, and Michael Aisenberg, Verisign.

In his opening remarks, Poulsen decries the "diminishing availability of previously public information" since September 11. Hoofnagle stresses, however, that from its beginning, the Bush administration has been pursuing a policy of increased secrecy. In fact, he posits that September 11 is being used as a "pretense for a general bias against access to information." He discusses the current administration's efforts to change or circumvent laws that provide for the release of presidential records, documents from Vice President Cheney's energy task force, census data, and the names of detainees held on immigration violations. Tien focuses on two themes in his remarks – "the dominant drumbeat of homeland security which is being used by the administration to block off accountability" and the increasing emphasis on restricting access to scientific and technological information. Some 6,600 technical documents were removed from government Web sites in January and federal depository libraries were ordered to destroy a USGS CD-ROM on US water supplies. Tien is alarmed at the rash of recent, purposely vague executive directives that restrict access to "information that could be misused to harm the security of our nation and the safety of our people."

Aisenberg discusses the proposed Davis-Moran legislation that defines cyber-security information, establishes guidelines for industry and government to share that information, and exempts the information from disclosure under FOIA. Although he does have reservations about the bill, describing it as "a creature of uncertain character," he points out that critical information sharing about cyber-threats has not worked well up to this point. In his opinion, we need legislation to provide a mechanism for sharing information and to prevent the release of sensitive data that could threaten a company's existence if made public. Since the consensus is that a future terrorist attack would most likely target the Internet, Aisenberg stresses the difficulty of striking the right balance between a paranoid response that "tries to protect too much" and one that goes overboard in disclosing data "that could be threatening to our welfare." Audience members are unanimous in their opposition to the bill's FOIA exemption, voicing opinions that public security and safety are better served by disclosing information about cyber-threats and that the legislation should be rewritten to exempt companies that disclose data from civil liability.

Who goes there? Privacy in identity and location services

This was presented by Dan Gillmor, San Jose Mercury News (moderator), Avi Rubin, AT&T, Brian Arbogast, Microsoft, Roger Cochetti, Verisign, and Jason Catlett, Junkbusters.

Moderator Gillmor predicts that Web-based services utilized by mobile and wireless electronic devices to collect and store information about user identity and location will be a "massive issue soon" for privacy advocates. Rubin, speaking from the "perspective of a computer scientist concerned with privacy," outlines two scenarios for the development of these services. At one extreme is a system built to take privacy into account, which uses an untraceable temporary ID that is "never linked to the person actually behind it." At the other end of the spectrum are systems such as Microsoft's Passport and Sun's Liberty Alliance that compile extensive personal data about users in centralized, cross-indexed databases. He does not trust the industry to incorporate privacy preserving technologies into their services; in fact, he characterizes the Passport concept as "the enemy of privacy." Since it is much more difficult and costly to add protections after a system is in operation, he stresses that consumers must demand that protection now. Arbogast, on the other hand, insists that Microsoft is an industry leader in privacy enhancing technologies. He points out that Passport's single sign-on service enables consumers to visit and shop at participating Web sites without re-entering their personal data each time. He insists that the system "puts users in control of their own data," and with "progressive disclosure," they can choose to give out very little information initially and only provide more data in exchange for getting more value. In response to panelist and audience observations about Microsoft's software security problems, he concedes that it will never be possible to guarantee security. He also disputes accusations that Passport is compiling a large database, insisting that the system "doesn't require that you disclose a bunch of information to do anything." Cochetti, whose company provides authentication services for the Microsoft and Sun projects, insists that "privacy will be enhanced as we go forward." In fact, he claims that the Microsoft and Sun initiatives have "established newer, higher standards of self-regulation in the protection of consumer privacy," and that single sign-on services do not work without privacy. He also echoes Arbogast's view that these systems give customers "extensive controls over their data." Catlett is adamantly opposed to services like Passport, which he insists "is effectively a transnational ID card." He is extremely concerned about the "deep databases of information" behind such authentication schemes regardless of whether the systems are imposed by the government or the private sector. He refers to a complaint filed with the FTC last year, which accuses Microsoft of deceiving consumers about the security of Passport and of coercing them to participate in the system in order to use such services as instant messaging. He also claims that all the personal information stored on Microsoft's Web servers is made available to third parties offering location-based services.

How public is too public? Public records and personal privacy

This was presented by Deirdre Mulligan, Boalt Law School, University of California (moderator), Beth Givens, Privacy Rights Clearinghouse, Rebecca Daugherty, Reporters' Committee for Freedom of the Press, Carrie Gardner, outgoing chair of the American Library Association Intellectual Freedom Committee Subcommittee on Privacy, and Kim Alexander, California Voter Foundation.

This excellent session presents compelling arguments on both sides of the debate over the availability of public records on the Internet. Moderator Mulligan points out how Internet access has "changed the meaning of the public record," bringing information that had been "legally public but practically obscure" into the limelight. She stresses that the struggle to find a balance between preserving privacy and maintaining open access in the interests of a free society is "no doubt one of the thorniest issues."

Givens discusses the negative consequences of increased access to public records. These include fewer individuals choosing to participate in government, justice being limited to those who can afford private judicial proceedings, more identity theft, discrimination and destroyed reputations, the merger of public records and commercial sector files, the creation of a "dossier society," and the loss of social forgiveness. She proposes several interesting solutions, particularly in the area of court records. She suggests posting only indexes, registers, and calendars rather than the full texts of court proceedings. Either individuals should have to physically go to where the records are stored or only edited files, stripped of sensitive information, should be posted online, creating what she calls a "two tier policy" for accessing court records. She recommends stronger and more uniform regulation of information brokers and private investigators and closing loopholes in background check laws. She also urges that we as a society decide what we are trying to achieve by making public records available, and if the records are to be so easily accessible, we need to work harder at teaching tolerance and social forgiveness.

Both Dougherty and Gardner are adamantly opposed to creating different levels of access to public records, resulting in fewer individuals having rights to information. In Daugherty's opinion, "if you lose parts of the First Amendment, you're going to lose them forever." Reporters have needed access to private, often embarrassing details about individuals in order to expose social problems and government malfeasance. She is concerned about trends in some states to restrict open records laws concerning criminal histories of teachers and police misconduct. She reasonably points out that we "shouldn't use the easier accessibility [of online information] as justification for restricting access." Likewise, Gardner is "not comfortable with information being hidden behind tiers." As a librarian, she advocates the crucial role public libraries play in equalizing access to information and eliminating the digital divide. Rather than figuring out who should have access and under what circumstances, she prefers to educate people on how to protect information they really want to keep private. Ironically, however, she does an about face when it comes to the privacy of circulation records of library users. Librarians, with the backing of the American Library Association, strongly oppose releasing these records because patrons should be able to access information without fear of being monitored. Libraries have usually been successful in quashing subpoenas for circulation records, but after September 11, law enforcement agencies started using search warrants that are executed immediately.

In the area of voter privacy, Alexander discusses the findings of a state by state survey of voter registration data. Every state requires name, date of birth, address, and signature to register, but beyond that there is an extraordinary amount of other information (i.e. SSN, marital status, place of birth, driver's license, race, occupation, employer, etc.) that is either required or requested. Half the states permit commercial use of the registration data, and policies on release of the data vary widely county by county. Congress is now working on federal election reform legislation that will mandate states to computerize and centralize their registration data, making it much more accessible. Stressing that "voters are unaware of just how public this information is," she offers several recommendations for improving voter privacy, including notifying voters that their data is a matter of public record, clarifying what data is required versus what is optional, explaining what secondary uses are permitted, and prohibiting commercial use of the information.

"Should we meet John Doe? Civil litigation and anonymity in cyberspace"

This was presented by Cindy Cohn, Electronic Frontier Foundation (moderator), Megan Gray, Electronic Privacy Information Center, Michael Vogel, Allegaert Berger and Vogel LLP, Paul Levy, Public Citizen and Ann Beeson, American Civil Liberties Union.

This session examines current court cases and rulings on the right to post anonymous criticisms of businesses and public figures on the Internet. A recent case, Dendrite International versus John Doe, established four requirements that must be satisfied before an Internet service provider (ISP) can be compelled to provide the identity of an online poster. First, the anonymous defendant must receive notice of the lawsuit and be given an opportunity to respond. Second, the plaintiff must provide the exact statements that are the basis of the defamation claim. Third, evidence that the alleged defamation caused damages must be presented. Fourth, regardless of whether the case has merit, the strength of the plaintiff's claim must be balanced against the defendant's right of anonymous speech.

Gray points out that when John Doe cases first started appearing in the late 1990s, civil procedure rules were typically ignored; subpoenas were issued prior to filing the lawsuit and the defendants were not notified that their identities were being sought. However, she contends that there are substantial grounds for protecting anonymity that generally have to do with the "context and content of the posting." The poster must not only have made a fairly specific statement of fact, but also have known that the statement was false or made it with a reckless disregard for the truth. Although the Dendrite guidelines have strengthened the rights of anonymous posters, Gray warns that this type of issue will surface in attempts to obtain the listener logs of services like Napster and the personal data of replay TV subscribers.

Vogel contends that Dendrite is "a radical departure from the ordinary rules governing civil litigation." Although agreeing with Gray about earlier abuses in John Doe cases, he now asserts that Dendrite has "shifted things too far in the other direction." He criticizes the catch-22 aspects of Dendrite's third test, pointing out that evidence that may depend on who the defendant is must be presented at the outset before a poster's identity can be obtained. He particularly disapproves of the balancing test which gives judges too much discretion in dismissing cases regardless of their merit.

Although Levy acknowledges that harmful speech does exist on the Internet and that remedies must be available to parties that have been libeled, he asserts that "companies often tend to sue just because they want to suppress the criticism." He accuses these businesses of trying to circumvent the legal process by using subpoenas to threaten or intimidate anonymous posters. He argues that the "first line of defense shouldn't be litigation but be more speech" to rebut accusations or opinions of posters. In response to Vogel's assertion that Dendrite's tough guidelines discourage companies from seeking redress, Levy contends that companies should be forced to more carefully scrutinize which cases to pursue and that Dendrite does allow plaintiffs who have presented evidence of falsity and damages to obtain identities of posters. He emphasizes the importance of the balancing test because in some cases there is the "danger of very severe consequences to the defendants if they're identified."

Stressing that Dendrite "has not been entirely successful in preventing frivolous suits," Beeson focuses primarily on another case involving an anonymous client, Joan Melvin versus John Doe, currently being heard on appeal before the Pennsylvania Supreme Court. A Pennsylvania judge is suing the anonymous poster who alleged that the judge improperly lobbied the governor to appoint a friend of hers to a judgeship. With the outcome of this case in question, Beeson emphasizes the importance of educating Internet users about their rights in anonymous postings. She also urges ISPs to develop better procedures in dealing with subpoenas and "to be more active on behalf of their users."

"PATRIOT and privacy"

This was presented by Tim Lordan, staff counsel, Internet Education Foundation (moderator), John Podesta, visiting professor, Georgetown University Law School, former White House Chief of Staff, Clinton Administration, Jerry Berman, executive director, Center for Democracy and Technology, and president, Internet Education Foundation, Clint Smith, vice president, WorldCom and president, US Internet Service Provider Association, Chris Painter, attorney, US Department of Justice, Computer Crime and Intellectual Property Division, and Ann Cavoukian, Information and Privacy Commissioner, Ontario.

Congress passed the Patriot Act on October 26, 2001, a mere six and one-half weeks after September 11. Most of this session's panelists were tapped by the Internet Education Foundation last Fall to hurriedly educate Congressional staff on the implications of various elements of the legislation. Now they have reconvened to evaluate whether the Patriot Act was written to allow a proper balance between security and privacy.

It is interesting to note that panelists Podesta and Berman, despite coming from two widely different points of view, seem to concur that the legislation was not really necessary. According to Podesta, "vast amounts of data relevant to fighting the war on terrorism already existed and were readily accessible once law enforcement and the intelligence authorities in the United States and Europe started looking for them." He claims that the problems were cultural, stemming from "generations of institutional rivalry between the FBI and the CIA," and conceptual, stemming from the FBI mindset of working cases to solve crimes already committed and its corresponding lack of experience at working intelligence to disrupt or prevent criminal action. Berman claims that prior to the Patriot Act the government already possessed enormous "intelligence investigative authority whereby they could track terrorist organizations with less than probable cause of a crime."

Painter is the only panelist defending the law in its entirety and its balance between security and privacy. Podesta is concerned about the law's "excessive reliance on executive branch review and control of the authorities contained in the Act." Along with Berman, he expresses alarm that the Patriot Act lowers current standards by allowing the government "to permit the gathering of information with a mere certification that the information likely to be obtained is relevant to an ongoing criminal investigation." There is definite potential for abuse since the government no longer has to claim that a criminal action is likely before it performs electronic surveillance. Berman agrees that this law presents a "very serious civil liberties danger which we have to organize to reverse."

With the perspective of the Internet service provider (ISP) community, Smith focuses on several serious ambiguities in the Patriot Act. An ISP now has the right to ask the FBI to perform surveillance on a computer trespasser, but does it also have the right "to limit the duration or scope of the consent?" An ISP is allowed to make an emergency disclosure "if it has a reasonable belief that there's an immediate threat to life or bodily injury," but to whom should the ISP reveal the information? Finally, although the law permits the collecting of routing and addressing information while excluding content, will a long URL pointing to a PDF document be considered to be providing content in addition to addressing information?

Cavoukian makes it clear that other countries quickly followed the lead of the US Congress. Canada passed the Anti-Terrorism Act in mid-December. A total of 15 European Union countries either passed new anti-terrorist legislation or amended existing laws to include anti-terrorism clauses. Common to all of these laws are several elements that might prove to be extremely harmful to civil liberties:

1. 1.

   a definition of terrorism that has been so broadened that it might actually stifle lawful dissent;

2. 2.

   the expansion of surveillance powers and capabilities to the extent of permitting warrant-less interception of citizens' daily communications; and

3. 3.

   the reduction of judicial supervision and oversight.

Cavoukian is working with Ontario's Information and Privacy Commission to reframe the language of the discussion of privacy and security so that they can be seen as complementary parts of an indivisible whole rather than polar opposites.

It is a frightening time for CFP community members concerned with maintaining freedom and privacy. Cavoukian quotes Attorney General John Ashcroft as saying, "information is the best friend of prevention." Podesta foresees a future of "more collection, more authentication, more analysis, more access, more information-sharing." Fortunately, sunset clauses were built into the Patriot Act and many concerned citizens and watchdog groups are keeping a close eye on what transpires under provisions of the Patriot Act.

"Biometrics face-off: can biometrics systems promise better security without destroying privacy and civil rights?"

This was presented by Deborah Pierce, Privacyactivism.org (moderator), Ron Davis, Captain, Oakland Police Department, Peter Hope-Tindall, dataPrivacy Partners Ltd, Barry Steinhardt, American Civil Liberties Union, Martin Huddart, International Biometric Industry Association, and Roger Clarke, Xamax Consultancy Pty, Ltd.

According to Huddart, the biometrics marketplace is currently about $300 million and is projected to grow to $2 billion by 2006. Biometrics is being used successfully to authenticate the identities of people who work in nuclear power facilities or in secure areas of airports, to identify workers punching in and out of the time clocks of a large New York hospital, and to approve University of Georgia students as they enter their dormitories or use their libraries. Use of biometrics is increasing in law enforcement, immigration, and the casino industry. Large-scale applications involving face-recognition have drawn much attention and criticism. Not only are they seen as an invasion of privacy, but they have proven to be extremely unreliable.

Standards and guidelines for the development and use of biometric systems are being established by governments and organizations such as the American Civil Liberties Union (ACLU) and the International Biometric Industry Association. The ACLU recommends three principles for evaluating any new biometric technology:

1. 1.

   the technology has to be effective;

2. 2.

   the level of intrusion must reflect the level of risk; and

3. 3.

   the technology should be applied in a non-discriminatory way.

Captain Davis pleads that law enforcement be invited to the table when technologies are being developed and when guidelines are being discussed. He hopes that biometrics will be effective in actually removing biases and reducing racial profiling because the more information law enforcement personnel have, the less they will have to rely on subjective impressions and stereotypes.

While Huddart says, "privacy and security aren't necessarily mutually exclusive," Hope-Tindall claims, "public security and privacy are at polar opposites – in order to improve one, we much diminish the other and vice versa." He warns us away from using systems that store biometric templates in a database because "it will most likely be used as a surrogate for a universal ID system" that will compromise privacy and is likely to be abused in times of national crisis. Steinhardt warns that "we really are on the verge now of a surveillance society." We must insist that cryptographers and technologists build privacy into new biometric systems.

"How to hack an election"

This was presented by Kim Alexander, California Voter Foundation (moderator), Ernie Hawkins, Sacramento County Registrar of Voters, Peter G. Neumann, SRI International Computer Science Laboratory, Joe Taggard, Election Systems and Software, Jason Dearen, Columbia University, and Andy Neff, VoteHere.

Although this program fails to provide instructions on "how to hack an election," it does provide convincing evidence of the vulnerability of today's voting systems while offering some hope for the future. Alexander makes it clear from the start that "voting systems are managed on a state-by-state level and there is no public investment in voting technology – it's entirely market-driven." There is very little federal law concerning voting systems. Most requirements imposed on the 10,000 or so electoral jurisdictions are hammered out at the state level. Local funds are used to purchase voting systems which are rarely, if ever, given a high budget priority.

The public expects that their voting systems will be secure and accurate, while remaining user-friendly. Unfortunately, steps that ensure easy accessibility can lead to such abuses as the recent voter registration of both a dog and bird in California. On the other hand, tightening voter registration require-ments usually results in diminished participation. Despite the extraordinary steps that are taken to watermark, inventory, and track ballots in California, Hawkins claims "no voting system is 100% accurate." Taggard says, "no system will be totally free of abuse due to access, resources, and human ingenuity – we can subvert anything!" In fact, Dearen's research has revealed "multiple cases of fraud in almost every state over the last ten years." Viewing "every part of the process [as] a weak link," Neumann says "we need totally independent verification of the entire end-to-end process."

Hope for the future may be pinned on the Federal Election Commission's soon-to-be-released major revision of its national voting system standards as well as on recent Congressional bills that might provide substantial funding for voting systems improvements. There is also hope that new technology being developed and promulgated by companies such as VoteHere will overcome some of the problems experienced with the legacy systems. Neff envisions "a voter roll where people are authenticated by a set of public keys, … an electronic ballot that can be delivered according to some public standard; [and] voters signing their marked ballots with digital signatures." Standards and oversight are essential to meet the goal of having each vote "counted as cast."

"Grassroots goes global: activism online"

This was presented by Michael Cornfield, George Washington University (moderator), Jason Mark, Global Exchange, Chris Carlsson, Shaping San Francisco; Critical Mass, Caruso, Quantum Light, and Heather Mansfield, eActivist.org

Along with many interesting stories, the experienced online activists and researchers on this panel provide advice and draw conclusions about the limitations and advantages of the Internet as a tool for political activity. Moderator Cornfield works with the Democracy Online Project, which not only tracks online political activity but also attempts to educate political staffers about best practices for responsible and effective campaigning. The Project's strongest words of advice have to do with privacy and spamming:

1. 1.

   post and live by a privacy policy; and

2. 2.

   never spam!

Carlson was one of the founders of the Critical Mass bicycling movement in 1992 in San Francisco. What started as a monthly bike ride promoting the idea of bicycle commuting has spread to 300 cities on five continents. Print media and word of mouth were the initial publicity methods. Although the Internet has played a role in the spread of the concept since the mid-1990s, Carlson warns against the "bubble mentality" of Internet users who think everything important is happening online just because they are so active online themselves. He has had too many bad experiences with dominant individuals ruining the possibility of achieving reasoned democratic discourse online. Another risk is that governmental authorities can tune into online forums to prepare themselves to meet threats to the status quo. His final words are "what's going to really shape history is not going to happen on a computer; it's going to happen when you go out and talk to other people." Caruso shows some sympathy for Carlson's point of view when he suggests we should consider the Internet to be simply "an organizing tool and remember the hearts and souls that are being tied together by this tool." However, he certainly succeeded in reaching the hearts and souls of many people when his socially responsible Web design firm Quantum Light took up the cause of saving Ben & Jerry's Ice Cream from a corporate takeover.

Mark and Mansfield both operate very successful Web sites promoting citizen involvement in social causes. Mark is the communications director of Global Exchange, an international human rights organization that is concerned with the human and environmental effects of corporate globalization. His Web site, http://www.globalexchange.org/, gets 35,000 unique visitors per month and has signed up 14,000 unique subscribers to its various listservs. Its "Urgent Action" announcements can generate up to 2,000 faxes within 48 hours on an announced topic. Its Web site and listservs have also facilitated a number of extremely large political demonstrations. While promoting the Internet as an extremely effective and inexpensive organizing tool, Mark acknowledges the racial and social class digital divides and concludes Internet activity is "no substitute for pounding the pavement and pressing the flesh and talking with people … one on one because those are the relationships that will build meaningful social change." Mansfield's started her website, http://www.eactivist.org/, a couple of years ago to provide citizens with quick and easy connectivity to numerous social action organizations. Her advice is:

1. 1.

   reputation is everything (non-profit sponsorship with no banner ads is best);

2. 2.

   less is more (keep your email newsletters short and send them no more often than four times a month); and

3. 3.

   consistency is critical (users like to recognize a homepage).

Costing only $50 per month to operate, her Web site provides a comfortable and convenient opportunity for social activism to thousands of people who prefer online clicking to protesting on the streets.

"The DMCA and you"

This was presented by Barbara Simons, Stanford (moderator), Allan Adler, Association of American Publishers, Ed Felten, professor, Princeton University, plaintiff in Felten v. RIAA, Robin Gross, Electronic Frontier Foundation, and Jessica Litman, professor, Wayne State University Law School.

The scenario participants were Lance Hoffman, George Washington University, Chair of the CFP Steering Committee, William P. Keane, Farella Braun & Martel (former Assistant US Attorney), Daralyn Durie, Keker & Vannest (represented Dmitry Skylarov in a similar case), Ed Felten, professor, Princeton University, plaintiff in Felten v. RIAA, and Dan Gillmor, columnist, San Jose Mercury News.

This session provides much hilarity during its dramatization of the following fictitious case: a Stanford graduate student from Argentina is arrested and charged with a criminal violation of the Digital Millennium Copyright Act (DMCA) while presenting a paper at CFP about a software program that enables users to break through the security wall set up by a digital-rights-management system. The DMCA says "you can't distribute a device that allows you to circumvent technology that effectively controls access to a copyrighted work." His defense attorney argues that the law is unconstitutional because it violates her client's First Amendment rights and it is unduly vague. Hoffman wonders if the conference is going to be sued and worries that he, as conference organizer, might be held personally liable. The DMCA's legality test is supposed to examine the primary purposes for which a program was designed. While agreeing that the program could be used for illegal purposes, the defendant protests that the program was created to accomplish several legitimate purposes such as allowing people to make backup copies of ebooks and excerpting quotes. The defendant points out that almost any product can be used in an illegal manner and claims it is up to the people who purchase his software to obey the law.

The DMCA became law in 1998 but the anti-circumvention and anti-dissemination provisions were delayed from taking effect until 2000, presumably because of Y2K concerns. Pointing to the fact that there have been only three criminal cases and five or fewer civil cases filed since the law was enacted, Adler considers that fears of DMCA are exaggerated because the law is misunderstood. However, Felten speaks from firsthand experience about the huge shadow cast by DMCA, having been prosecuted under the law himself. While minimizing the likelihood that anyone would be arrested while making a speech, he claims the law causes a lot of worry and time lost to strategizing how to avoid confrontation with law enforcement. According to Gross, DMCA has had a chilling effect on technological innovation and has caused technical conferences to be relocated overseas. Russia has gone so far as to warn its citizens, particularly computer programmers, about the dangers of traveling to the United States since the DMCA has passed. Unfortunately, law enforcement is not only targeting pirates but also the technology experts who provide information about the weaknesses in access protection technology.

The Electronic Frontier Foundation has taken the position that circumvention laws need to be repealed in order to restore some kind of balance in copyright law. According to panelist Gross, "copyright law is designed to create a rich and vibrant public domain for everyone" and the principle of fair use has been viewed by the Supreme Court as "the breathing space that is required by the First Amendment." Fair use limits a copyright owner's right to control copying, permitting lawful use that need not be authorized. Because the same technology allows both access and copying, the Digital Millennium Copyright Act actually disallows fair use copying by outlawing tools that circumvent access.

"Are the tools the rules? The future of the digital commons"

This was presented by Bruce Koball, technical consultant and information director, CFP Steering Committee (moderator), and Dewayne Hendricks, chief executive officer, Dandin Group.

Hendricks works tirelessly on the front of spectrum management to guarantee the future of the digital commons. The Federal Communication Commission (FCC) has held back progress for the past quarter century by continuing to treat radio spectrum as property. Because of cold war fears and the powerful television lobby, the FCC refused to recognize or promote wideband technologies that would allow overlaying and re-farming of existing spectrum. Under the old property model, the FCC has raised huge sums of money by dividing the dwindling supply of spectrum into bands and auctioning it off. Hendricks champions a new model under which the spectrum supply can become almost infinite if it is used properly. A new breed of software radios "can monitor the radio frequency environment and figure out how best to use the spectrum." He wants the FCC to redirect its focus away from frequency channels over to concerns about capacity, architecture, and scaling. Smart new technologies eliminate interference so there is no need to regulate it anymore.

Hendricks fights his battles on two fronts. While serving as a member of FCC's Technology Advisory Council, he also goes outside the government's influence in order to set up commercially viable demonstration projects within Indian tribal nations as well as in developing countries such as Tonga and Mongolia. He wants to show the United States government what can be accomplished if the paradigm is changed, if we let "the tools become the rules" by allowing the smart new devices to manage the spectrum.

Barbara Glover (barbara.glover@emich.edu) is Federal Depository Librarian and Cataloger,andMary Meernik (mary.meernik@emich.edu) is Cataloging Librarian, both at Bruce T. Halle Library, Eastern Michigan University, Ypsilanti, Michigan, USA.