IP: for IP, CFP96 report

[Dave Farber <farber () central cis upenn edu>]

Lorrie Faith Cranor's CFP96 Conference Report


----------------------------------------------------------------------------
Copyright 1996 by Lorrie Faith Cranor. Permission to distribute this report
electronically is granted.
----------------------------------------------------------------------------


Computers, Freedom and Privacy '96 was held March 27-30 at the Cambridge,
Massachusetts Hyatt Hotel. This year the (mostly) single-track conference
was excellently chronicled by the CFP96 newsletter volunteers; thus I will
dispense with my usual session-by-session description of the conference and
instead focus my annual essay on a few conference highlights and my personal
reactions to the conference. Notes and audio recordings for most sessions
are available from the CFP96 web site (http://web.mit.edu/cfp96/).


I arrived late Wednesday night, after the day's tutorials and the evening
reception, but in time to join the group of CFP regulars at the hotel bar.
Before retiring for the evening I continued several conversations started at
CFP95, explained my dissertation research to a handful of CFPers who were
actually interested in hearing about the details of my esoteric work, and
collected a long list of web pointers and book titles which said listeners
recommended. As usual, informal networking proved to be a valuable part of
my conference experience.


As the main part of the conference got started the next morning, I noticed
that law enforcement officers and hackers were largely absent from the
attendance list this year. Perhaps that's why CFP96 lacked some of the
intrigue of previous conferences. There were no arrests, no attendees taken
in for questioning, and no groups of young people clustered around the pay
phones. Actually, there weren't too many young people at the conference at
all. Perhaps due to the expensive venue (and no easy way to find roommates
to cut down on expenses) there seemed to be fewer students than usual in
attendance.


As the CFP audience seemed to have matured from previous years, so did the
tone of the discussions. At CFP93 (my first CFP) the panels explored the
strange new worlds of the electronic frontier with speakers presenting
information which really surprised many of the participants. There were so
many new ideas -- so much to disagree with -- that there were loud protests
at the end of each session from those who didn't get to have their say
before time ran out. At CFP94, most of the attendees (while probably still
in much disagreement on many topics) were for the most part so much in
agreement that the Clipper Chip was bad, that all other issues seemed much
less significant. A year later, the Clipper crisis had blown over, allowing
CFP95 to proceed with more diverse discussions. At CFP96 there were new
crises to rally around: the Communications Decency Act and the threat of
restrictive encryption legislation. But for the first time at CFP, I heard
audience members other than Dorothy Denning and those employed by the
government acknowledging that these issues might not be all black and white.


Denning's "International Developments in Cryptography" panel exposed a lot
of important issues surrounding the cryptography regulation dilemma and
featured one of the most controversial speakers of this year's conference --
Michael Nelson of the White House Office of Science and Technology Policy.
Those who put aside their outrage long enough to listen to what Nelson had
to say, seemed to find themselves agreeing with much of his analysis, while
disagreeing with some of his fundamental assumptions. What set Nelson's
perspective apart from the views held by most CFP participants was his
belief that the potential consequences of unregulated cryptography
(especially non-key-escrow) would be more harmful than the potential
consequences of regulating cryptography. Nelson kept repeating that if
nothing was done to regulate cryptography, terrorists will use it to pull
off a major disaster and "people will die." As long as the administration
assumes that the risk of disaster due to unregulated cryptography (which may
not be insignificant) is an unacceptable risk, no solution that cannot
eliminate that risk will be acceptable. The problem is we don't really know
the magnitude of the risk, nor do we know whether people find this sort of
risk acceptable. Certainly our society has determined that some risks are
acceptable and we find it preferable to live with these risks than impose
the regulations that would reduce them significantly. On the other hand, we
have decided that other risks are more than we wish to bear. But these
determinations have come about after long debate, and even after regulations
are established they tend to get changed frequently as our knowledge about
the magnitude of the risks and the public attitude towards these risks
change.


This topic was discussed again in an excellent session, "Before the Court:
Can the US Government Criminalize Unauthorized Encryption?" organized by
Andrew Grosso. Remembering the confusing mock trial held at CFP93, I was a
bit skeptical about this moot court. But I was pleasantly surprised to watch
a thoroughly researched debate over a fictitious statute outlawing
unescrowed encryption. Although most of the participants were opposed to
this hypothetical statute, those assigned to represent the government
defended it convincingly. I was also impressed with the questions asked by
the panel of real Federal judges who presided over the court. Written
arguments on both sides are available from the CFP96 web site.


Another controversial speaker, Bruce Taylor, President and General Counsel
of the National Law Center for Families and Children, participated in the
late night Communications Decency Act session which began at 9:30 Thursday
night. As Taylor debated with CDA opponents, I noted that the discussion was
more about semantics and what the law really means than anything else.
Taylor attacked opponents' statements that the CDA is unconstitutional
saying that it does not really restrict the behavior that opponents say it
does. He failed to comment on whether such restrictions would be
unconstitutional, rather he insisted that such restrictions were not a part
of the law. Examples of materials Taylor claimed would not be restricted
(but opponents said would be restricted) include dirty words and graphic sex
education materials. The root of the disagreement surrounded the
interpretation of the vague language of the legislation and the significance
of explanatory documents which Congress voted not to include in the
legislation. Audience discussion of this issue continued well past midnight,
when the hotel staff asked us to move our conversation out of the ballroom
so they could lock up for the night.


The following evening, the New England Aquarium was the delightful setting
for the EFF Pioneer Awards presentation and reception. The ever squawking
penguins repeatedly interrupted the speakers, adding a bit of levity to the
event. Many attendees commented that watching the fish swim gracefully round
and round the central tank was a fitting contrast to all the high tech talk
of the previous two days.


Other highlights of the conference for me included being a panelist on David
Chaum's "Policy Implications of Privacy Technology" lunch panel along with
Phil Zimmerman, Esther Dyson, and John Gilmore; playing a 70-year-old women
in one of Simpson Garfinkel's electronic cash scenarios; and meeting other
graduate students who are working on interdisciplinary research projects.


One topic I wish had been discussed more at this conference was medical
records privacy, especially in light of the "Bennett bill" introduced in the
US Senate last fall. One lunch workshop took a cursory look at medical
records privacy issues, but I was disappointed in the way the organizers
framed the discussion, focusing on philosophical questions rather than on
the actual issues that have proven controversial. This is a topic that has
been discussed at previous CFPs, but I think there's plenty more to discuss.
Maybe at CFP97?


/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Lorrie Faith Cranor                 Engineering and Policy, Computer Science
Washington University                   http://www.ccrc.wustl.edu/~lorracks/
1 Brookings Dr Box 1045
St. Louis, MO 63130        "UNLESS someone like you cares a whole awful lot,
lorracks () cs wustl edu   nothing is going to get better. It's not." -Dr.Seuss
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/