Category Archives: Writings

From Anonymity to Identification

The inaugural issue of the Journal of Self-Regulation and Regulation is out, and it includes an article of mine, From Anonymity to Identification. The article is adapted from a talk I gave in Heidelberg last December. I’m in good company: other authors in this issue are Markus Beckedahl, Jeanette Hofmann, Marianne Kneuer, Milton L. Mueller, Ekkehart Reimer, William Binney, Kai Cornelius, Myriam Dunn Cavelt, Sebastian Harnisch and Wolf J. Schünemann.

The full text of this open-access journal is available online, including a .pdf of From Anonymity to Identification. As Larry Solum likes to say, download it while it’s hot.

Here’s the abstract for “From Anonymity to Identification”:

This article examines whether anonymity online has a future. In the early days of the Internet, strong cryptography, anonymous remailers, and a relative lack of surveillance created an environment conducive to anonymous communication. Today, the outlook for online anonymity is poor. Several forces combine against it: ideologies that hold that anonymity is dangerous, or that identifying evil-doers is more important than ensuring a safe mechanism for unpopular speech; the profitability of identification in commerce; government surveillance; the influence of intellectual property interests and in requiring hardware and other tools that enforce identification; and the law at both national and supranational levels. As a result of these forces, online anonymity is now much more difficult than previously, and looks to become less and less possible. Nevertheless, the ability to speak truly freely remains an important ‘safety valve’ technology for the oppressed, for dissidents, and for whistle-blowers. The article argues that as data collection online merges with data collection offline, the ability to speak anonymously online will only become more valuable. Technical changes will be required if online anonymity is to remain possible. Whether these changes are possible depends on whether the public comes to appreciate and value the option of anonymous speech while it is still possible to engineer mechanisms to permit it.

Posted in Law: Internet Law, Surveillance, Writings

Into the SOUPS

I’m off to Ottawa for the 2nd Annual Privacy Personas and Segmentation (PPS) Workshop, which is being held in conjunction with the Symposium on Usable Privacy and Security (SOUPS).

The organizers selected me to give the keynote for the workshop, and I’ve produced a provocation for them. Here is the introduction:

Users are notoriously bad at safeguarding their online privacy. They do not read privacy policies, which in any case are mostly contracts of adhesion. They make over-optimistic assumptions about protections and dangers.[15] They use weak passwords (and repeat them), accept cookies, and leave their cell phones on thus facilitating location tracking, which is vastly more destructive to privacy than almost any user grasps. [8] Contrary to Alan Westin’s privacy segmentation analysis [31], most privacy choices are not knowing and deliberate because they are not within the user’s control (e.g. surveillance in public). Other ‘choices’ happen because users believe, correctly, that they in fact have no choice if they want the services (e.g. Google, mobile telephony) that large numbers of consumers consider necessary for modern life. [27]

The systematic exposure of the so-called “privacy vulnerable” user [27] suits important public and private interests. Marketers, law enforcement, and (as a result) hardware and software designers tend towards making technology surveillance-friendly and tend towards making communications and transactions easily linkable.

If we each have only one identity capable of transacting–even if it is mediated through multiple logins–and if our access to communications resources, such as ISPs and email, requires payment or authentication, then all too quickly everything we do online is at risk of being linked to one master dossier. The growth of real-world surveillance, and the ease with which cell phone tracking and face recognition will allow linkage to virtual identities, only adds to the size of that dossier. The consequences are that one is, effectively, always being watched as one speaks or reads, buys or sells, or joins with friends, colleagues, co-religionists, fellow activists, or hobbyists. In the long term, a world of near-total surveillance and endless record-keeping is likely to be one with less liberty, less experimentation, and certainly far less joy [16] (except maybe for the watchers). In a country such as the US where robust data-protection law is deeply unlikely, a technological solution is required if privacy is to continue to be relevant in the era of big data; one such, perhaps the best such, technological improvement would be to create an IMA designed to give every person multiple privacy-protective transaction-empowered digital personae. Roger Clarke provides a good working definition of the “digital persona” as “a model of an individual’s public personality based on data and maintained by transactions, and intended for use as a proxy for the individual.” [4]

Whereas Clarke presciently saw (and critiqued) the ‘dataveillance’ project as being an effort to create a single, increasingly accurate, digital persona connected to the person, the objective here is to undermine that linkage by having multiple personae that would not be as easy to link to each other or to the person.

(Updated to correct link to workshop.)

Posted in Talks & Conferences, Writings

Link to My Paper

I neglected to link to Lessons Learned Too Well: Anonymity in a Time of Surveillance, the paper I’m presenting at #yalefesc. A very very small number of people will recognize this as a partial redraft of a paper I started a few years ago, but never published because it didn’t seem quite right. My plan is to get it as right as I can in the next few months, which is why I’m workshopping it.

Posted in Talks & Conferences, Writings

IETF’s Habermasian Resolve to Work Against Pervasive Monitoring

The IETF has issued RFC 7258, aka Best Current Practice 188, “Pervasive Monitoring Is an Attack”. This is an important document. Here’s a snippet of the intro:

Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol metadata such as headers. Active or passive wiretaps and traffic analysis, (e.g., correlation, timing or measuring packet sizes), or subverting the cryptographic keys used to secure protocols can also be used as part of pervasive monitoring. PM is distinguished by being indiscriminate and very large scale, rather than by introducing new types of technical compromise.

The IETF community’s technical assessment is that PM is an attack on the privacy of Internet users and organisations. The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible. Pervasive monitoring was discussed at the technical plenary of the November 2013 IETF meeting [IETF88Plenary] and then through extensive exchanges on IETF mailing lists. This document records the IETF community’s consensus and establishes the technical nature of PM.

The term “attack” is used here in a technical sense that differs somewhat from common English usage. In common English usage, an attack is an aggressive action perpetrated by an opponent, intended to enforce the opponent’s will on the attacked party. The term is used here to refer to behavior that subverts the intent of communicating parties without the agreement of those parties.

The conclusion is simple, but powerful: “The IETF will strive to produce specifications that mitigate pervasive monitoring attacks.”
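The RFC excerpt above lists "measuring packet sizes" among the traffic-analysis techniques that make up pervasive monitoring, and the conclusion says the IETF will design protocols to make such monitoring more expensive. The following added example (mine, not code from the post or from RFC 7258) shows, on constructed sample messages, why length alone can identify a message even when its content is encrypted, and how one common protocol-level mitigation, padding every message to a fixed bucket size, removes that signal. The message contents, the 16-byte overhead constant and the 64-byte bucket are all assumptions chosen for illustration.

```python
"""Toy illustration of packet-size traffic analysis and length padding.
Added example; not part of the original post or of RFC 7258.
All messages and constants below are constructed for illustration."""
import secrets

# Constructed sample application messages (hypothetical, not real traffic).
MESSAGES = {
    "login_ok": b"OK",
    "login_fail": b"ERR: bad credentials",
    "profile": b'{"user":"alice","role":"admin","groups":["staff","audit"]}',
}

def ciphertext_length(plaintext: bytes) -> int:
    """Encryption hides content but, with a length-preserving cipher, not size.
    Modelled here as len(plaintext) plus a constant 16-byte overhead
    (assumed; e.g. an authentication tag)."""
    return len(plaintext) + 16

def pad_to_bucket(plaintext: bytes, bucket: int = 64) -> bytes:
    """Pad to the next multiple of `bucket` bytes with a self-describing
    layout: payload || random filler || 2-byte big-endian payload length.
    Random filler (rather than zeros) keeps padding from standing out if
    the surrounding cipher ever leaks plaintext structure."""
    if len(plaintext) >= 65536:
        raise ValueError("payload too long for 2-byte length field")
    total = ((len(plaintext) + 2 + bucket - 1) // bucket) * bucket
    filler = secrets.token_bytes(total - len(plaintext) - 2)
    return plaintext + filler + len(plaintext).to_bytes(2, "big")

def unpad(padded: bytes) -> bytes:
    """Recover the payload from a message produced by pad_to_bucket."""
    n = int.from_bytes(padded[-2:], "big")
    return padded[:n]

def observable_lengths(pad: bool) -> dict:
    """What a passive on-path observer sees: one ciphertext length per
    message kind, with or without padding applied before encryption."""
    return {name: ciphertext_length(pad_to_bucket(m) if pad else m)
            for name, m in MESSAGES.items()}

def distinguishable_kinds(lengths: dict) -> int:
    """How many message kinds the observer can tell apart by length alone."""
    return len(set(lengths.values()))

if __name__ == "__main__":
    print("unpadded:", observable_lengths(False))   # three distinct lengths
    print("padded:  ", observable_lengths(True))    # all the same length
```

Without padding the three message kinds have three distinct lengths, so an observer who never breaks the encryption can still tell a failed login from a successful one. With padding all three collapse to one length. Padding only addresses the size channel named in the RFC; timing, packet counts and direction remain observable, which is why the RFC speaks of making monitoring "more expensive" rather than impossible.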

I can’t help but see this as a shining example of the IETF living up to its legitimate-rule-making potential, as I described in my 2003 Harvard Law Review article Toward a Critical Theory of Cyberspace.

Below, I reprint my abstract:

Posted in Internet, Surveillance, Writings

New Privacy Paper: Mass Surveillance as Privacy Pollution

I just uploaded a draft of my new paper, Regulating Mass Surveillance as Privacy Pollution: Learning from Environmental Impact Statements to SSRN. Be the first on your block to read it!

US law has remarkably little to say about mass surveillance in public, a failure which has allowed the surveillance to grow at an alarming rate – a rate that is only set to increase. This article proposes ‘Privacy Impact Notices’ (PINs) — modeled on Environmental Impact Statements — as an initial solution to this problem.

Data collection in public (and in the home via public spaces) resembles an externality imposed on the person whose privacy is reduced involuntarily; it can also be seen as a market failure caused by an information asymmetry. Current doctrinal legal tools available to respond to the deployment of mass surveillance technologies are limited and inadequate. The article proposes that — as a first step towards figuring out how to understand, value, and ultimately regulate this mass-privacy-destroying behavior — we should borrow from the environmental movement and require anyone planning a large-scale public data collection program to file a Privacy Impact Notice (PIN). The PIN proposal is contrasted to the existing much more limited federal privacy analysis requirement, known as Privacy Impact Assessments. The bulk of the article then explains how PINs would work and defends the idea against three predictable critiques (the claim that there is a First Amendment right to data collection, the claim that EISs are a poor policy tool not worthy of emulation, and the claim that notice-based regimes are in general worthless). It argues that PINs have applications to surveillance and data-collection in online public spaces such as Facebook, Twitter, and other virtual spaces. It also considers what the PINs proposal would have to offer towards addressing the now-notorious problem of the NSA’s drift-net surveillance of telephone conversations, emails, and web-based communications.

Modeling mass surveillance disclosure regulations on an updated form of environmental impact statement will help protect everyone’s privacy: Mandating disclosure and impact analysis by those proposing to watch us in and through public spaces will enable an informed conversation about privacy in public. Additionally, the need to build consideration of the consequences of surveillance into project planning, as well as the danger of bad publicity arising from excessive surveillance proposals, will act as a counterweight to the adoption of mass data collection projects, just as it did in the environmental context. In the long run, well-crafted disclosure and analysis rules could pave the way for more systematic protection for privacy – as it did in the environmental context. Effective US regulation of mass surveillance will require that we know a great deal about who and what is being recorded and about the costs and benefits of personal information acquisition and uses. At present we know relatively little about how to measure these; a privacy equivalent of environmental impact statements will not only provide case studies, but occasions to grow expertise.

I welcome your comments. I really mean that.

And if you are a law review editor, I’ll be sending it out soon…

Posted in Writings

New Privacy Paper Posted

“PETs Must Be on a Leash”: How U.S. Law (and Industry Practice) Often Undermines and Even Forbids Valuable Privacy Enhancing Technology, forthcoming in the Ohio State Law Journal, just posted to SSRN.


U.S. law puts the onus on the individual to protect his or her own privacy with only a small number of exceptions (e.g. attorney-client privilege). In order to protect privacy, one usually has three possible strategies: to change daily behavior to avoid privacy-destroying cameras or online surveillance; to contract for privacy; or to employ Privacy Enhancing Technologies (PETs) and other privacy-protective technologies. The first two options are very frequently unrealistic in large swaths of modern life. One would thus expect great demand for, and widespread deployment of, PETs and other privacy-protective technologies. But in fact that does not appear to be the case. This paper argues that part of the reason is a set of government and corporate policies which discourage the deployment of privacy technology. This paper describes some of those policies, notably: (1) requiring that communications facilities be wiretap-ready and engage in customer data retention; (2) mandatory identification both online and off; (3) technology-limiting rules; and also (4) various other rules that have anti-privacy side effects.

The paper argues that a government concerned with protecting personal privacy and enhancing user security against ID theft and other fraud should support and advocate for the widespread use of PETs. In fact, however, whatever official policy may be, by its actions the prevailing attitude of the U.S. government amounts to saying that PETs and other privacy protecting technology must be kept on a leash.

A last-minute update reconsiders the argument in light of the Snowden revelations about the widespread dragnet surveillance conducted by the NSA.

Comments welcome!

Posted in Civil Liberties, Law: Internet Law, Writings