1 00:00:00,000 --> 00:00:19,450 2 00:00:19,450 --> 00:00:20,250 Welcome back. 3 00:00:20,250 --> 00:00:26,530 4 00:00:26,530 --> 00:00:29,820 Our next panel, or our first panel, actually, 5 00:00:29,820 --> 00:00:32,729 deals with an interesting and not so widely discussed 6 00:00:32,729 --> 00:00:36,390 technology along with its associated 7 00:00:36,390 --> 00:00:37,965 crucial social question. 8 00:00:37,965 --> 00:00:41,060 9 00:00:41,060 --> 00:00:43,330 Danny Weitzner, a lawyer by training, 10 00:00:43,330 --> 00:00:46,690 a pioneer of the negotiated approach to privacy, 11 00:00:46,690 --> 00:00:50,350 and head of the Laboratory's World Wide Web Consortium 12 00:00:50,350 --> 00:00:53,830 Technology and Society Division will chair the panel 13 00:00:53,830 --> 00:00:56,060 and frame the question. 14 00:00:56,060 --> 00:00:57,440 Danny? 15 00:00:57,440 --> 00:01:00,058 Thank you, Bob. 16 00:01:00,058 --> 00:01:01,850 [LAUGHTER] 17 00:01:01,850 --> 00:01:06,380 See, I knew that he would steal my opening. 18 00:01:06,380 --> 00:01:09,080 We're here to talk about a really important subject, 19 00:01:09,080 --> 00:01:12,230 pranks notwithstanding. 20 00:01:12,230 --> 00:01:14,964 I think we'd all agree that-- 21 00:01:14,964 --> 00:01:17,946 [LAUGHTER] 22 00:01:17,946 --> 00:01:18,940 23 00:01:18,940 --> 00:01:22,630 I think that we'd all agree that one of the tremendous paradoxes 24 00:01:22,630 --> 00:01:24,920 of the net is that on the one hand, 25 00:01:24,920 --> 00:01:27,900 our interactions online seem so impersonal, 26 00:01:27,900 --> 00:01:30,400 and this frustrates people sometimes 27 00:01:30,400 --> 00:01:33,230 and leads for calls for greater trust online. 
28 00:01:33,230 --> 00:01:36,580 But at the same time, many of us are aware that we really 29 00:01:36,580 --> 00:01:38,770 do leave a trail of virtual breadcrumbs 30 00:01:38,770 --> 00:01:43,180 as we surf around the web, and this compels some of us 31 00:01:43,180 --> 00:01:47,590 to take rather extraordinary measures to hide our identity, 32 00:01:47,590 --> 00:01:51,610 to conceal our true identity when we're online. 33 00:01:51,610 --> 00:01:55,480 And one of these tools is an anonymous remailer, 34 00:01:55,480 --> 00:01:57,910 one such remailer is run here at LCS 35 00:01:57,910 --> 00:02:01,720 is the subject of a significant amount of research activity. 36 00:02:01,720 --> 00:02:04,240 And Michael Dertouzos, the head of the lab, 37 00:02:04,240 --> 00:02:08,020 has posed a very pointed question to all of us, 38 00:02:08,020 --> 00:02:10,090 should the lab be running this tool? 39 00:02:10,090 --> 00:02:13,090 Is this a valid subject for research? 40 00:02:13,090 --> 00:02:15,580 Is this a socially useful activity? 41 00:02:15,580 --> 00:02:17,530 Or is it destructive? 42 00:02:17,530 --> 00:02:20,950 And to answer these questions, which 43 00:02:20,950 --> 00:02:23,770 are very important, especially important to some people 44 00:02:23,770 --> 00:02:27,370 on the panel, we have a really tremendous panel 45 00:02:27,370 --> 00:02:31,420 of experts who are going to help us sort out 46 00:02:31,420 --> 00:02:35,290 both the core legal and technology questions posed 47 00:02:35,290 --> 00:02:37,840 by anonymous remailers. 48 00:02:37,840 --> 00:02:39,400 At the end of the table on the left 49 00:02:39,400 --> 00:02:42,910 is Nadine Strossen, who's a personal hero of mine, 50 00:02:42,910 --> 00:02:45,820 the president of the ACLU since 1991 51 00:02:45,820 --> 00:02:47,770 and a professor at New York Law School. 52 00:02:47,770 --> 00:02:49,663 She's been a national leader. 
53 00:02:49,663 --> 00:02:51,430 [APPLAUSE] 54 00:02:51,430 --> 00:02:51,930 Thank you. 55 00:02:51,930 --> 00:02:54,205 Now, was that for New York Law School or the ACLU? 56 00:02:54,205 --> 00:02:57,710 57 00:02:57,710 --> 00:03:00,230 She has been a national leader in defending civil liberties 58 00:03:00,230 --> 00:03:01,250 on the internet. 59 00:03:01,250 --> 00:03:04,310 Her book, Defending Pornography, Free Speech, Sex, 60 00:03:04,310 --> 00:03:08,630 and the Fight for Women's Rights was named by The New York Times 61 00:03:08,630 --> 00:03:11,360 Notable Book of 1995. 62 00:03:11,360 --> 00:03:14,300 Next, we have Philip Reitinger, a colleague 63 00:03:14,300 --> 00:03:18,140 and a truly honorable adversary, sometimes, of mine, 64 00:03:18,140 --> 00:03:19,820 in these internet civil liberties 65 00:03:19,820 --> 00:03:21,840 debates in Washington. 66 00:03:21,840 --> 00:03:23,900 He is senior counsel with the United States 67 00:03:23,900 --> 00:03:26,630 Department of Justice Computer Crimes section. 68 00:03:26,630 --> 00:03:30,350 He's prosecuted a number of computer crime cases 69 00:03:30,350 --> 00:03:32,030 and is really a leading authority 70 00:03:32,030 --> 00:03:35,250 on this subject in the country. 71 00:03:35,250 --> 00:03:40,550 We have some guy sitting here, and next to him we have David 72 00:03:40,550 --> 00:03:43,520 Mazières, who's a graduate student here at LCS. 73 00:03:43,520 --> 00:03:46,130 He's doing research in operating systems, security, 74 00:03:46,130 --> 00:03:47,480 and privacy. 75 00:03:47,480 --> 00:03:51,410 He designed and implemented the nym.alias.net pseudonymous 76 00:03:51,410 --> 00:03:54,320 remailer, which is currently running at LCS. 77 00:03:54,320 --> 00:03:57,980 We're going to try to have a relatively open free form 78 00:03:57,980 --> 00:03:59,900 discussion among the panelists. 
79 00:03:59,900 --> 00:04:02,510 To start us off, David has agreed 80 00:04:02,510 --> 00:04:04,970 to spend about 10 minutes just bringing us all up 81 00:04:04,970 --> 00:04:07,208 to speed on just what this technology is 82 00:04:07,208 --> 00:04:08,250 that we're talking about. 83 00:04:08,250 --> 00:04:11,126 So David, please. 84 00:04:11,126 --> 00:04:14,060 [APPLAUSE] 85 00:04:14,060 --> 00:04:16,510 86 00:04:16,510 --> 00:04:17,529 Thanks. 87 00:04:17,529 --> 00:04:21,790 There are many reasons you might want to send anonymous mail. 88 00:04:21,790 --> 00:04:23,440 So here's an example. 89 00:04:23,440 --> 00:04:24,903 This is a piece of email. 90 00:04:24,903 --> 00:04:26,320 And the person who sent this email 91 00:04:26,320 --> 00:04:27,940 might not want to be traced. 92 00:04:27,940 --> 00:04:29,560 Now, you can look at this and see 93 00:04:29,560 --> 00:04:33,430 that the message is addressed to Bill Gates at Microsoft.com 94 00:04:33,430 --> 00:04:38,745 and it's coming from pieguy@nym.alias.net. 95 00:04:38,745 --> 00:04:41,230 Now, what is nym.alias.net? 96 00:04:41,230 --> 00:04:44,680 Well, nym.alias.net is a pseudonym server 97 00:04:44,680 --> 00:04:46,360 that we've been running at LCS. 98 00:04:46,360 --> 00:04:49,780 And this allows people to establish email pseudonyms 99 00:04:49,780 --> 00:04:53,050 that we call nyms, and that look like ordinary email addresses, 100 00:04:53,050 --> 00:04:56,410 like, for example, pieguy@nym.alias.net. 101 00:04:56,410 --> 00:04:59,170 And nyms function just like regular email addresses, 102 00:04:59,170 --> 00:05:02,770 and that you can use one both to send and receive mail. 103 00:05:02,770 --> 00:05:04,900 But what's interesting about nyms 104 00:05:04,900 --> 00:05:07,300 is that nym owners are completely anonymous. 
105 00:05:07,300 --> 00:05:10,120 So even the people who administer the system 106 00:05:10,120 --> 00:05:12,460 don't know the true identities of the people who 107 00:05:12,460 --> 00:05:15,100 own these nym email addresses. 108 00:05:15,100 --> 00:05:18,520 So nym.alias.net is actually in fairly widespread use outside 109 00:05:18,520 --> 00:05:20,140 of computer science research. 110 00:05:20,140 --> 00:05:23,710 It's been open to the public since June of '96, 111 00:05:23,710 --> 00:05:26,590 and you only need a PGP to use it. 112 00:05:26,590 --> 00:05:30,520 PGP is a widely available piece of encryption software. 113 00:05:30,520 --> 00:05:34,150 And people actually have gone ahead and developed more user 114 00:05:34,150 --> 00:05:37,480 friendly clients specifically for the server software that 115 00:05:37,480 --> 00:05:39,730 runs on DOS, Windows, and Unix. 116 00:05:39,730 --> 00:05:41,920 And throughout the existence of the service, 117 00:05:41,920 --> 00:05:45,910 there have been about 2,000 to 3,000 active accounts on it 118 00:05:45,910 --> 00:05:48,510 at any given time. 119 00:05:48,510 --> 00:05:51,410 Now, why do people need a service like nym.alias.net? 120 00:05:51,410 --> 00:05:53,578 Well, of course, we don't know, since we 121 00:05:53,578 --> 00:05:56,120 don't read people's email, we have no way of knowing for sure 122 00:05:56,120 --> 00:05:57,980 what people are using the service for. 123 00:05:57,980 --> 00:06:01,137 But we decided to send out a survey to all of our users 124 00:06:01,137 --> 00:06:03,470 and ask them to tell us what they like about the service 125 00:06:03,470 --> 00:06:04,790 and what they're using it for. 126 00:06:04,790 --> 00:06:08,000 And we encouraged people to be as candid as possible, 127 00:06:08,000 --> 00:06:10,280 saying that this was not a referendum on the service's 128 00:06:10,280 --> 00:06:12,470 existence, but would help us in our research. 
129 00:06:12,470 --> 00:06:15,110 And we got back a wide range of responses 130 00:06:15,110 --> 00:06:19,040 that vary in the degree of privacy that they needed. 131 00:06:19,040 --> 00:06:20,900 At the most critical end of the spectrum 132 00:06:20,900 --> 00:06:23,120 were people who use nym.alias.net 133 00:06:23,120 --> 00:06:25,820 because they need protection from oppressive governments. 134 00:06:25,820 --> 00:06:27,470 One particularly compelling story 135 00:06:27,470 --> 00:06:30,140 came from a person who was a humanitarian aid 136 00:06:30,140 --> 00:06:32,840 worker in a country with a fairly oppressive government. 137 00:06:32,840 --> 00:06:35,030 And that person said that he or she did not 138 00:06:35,030 --> 00:06:39,050 feel comfortable communicating back home to friends via email 139 00:06:39,050 --> 00:06:42,540 without the availability of a service like this. 140 00:06:42,540 --> 00:06:43,922 Another large class of people use 141 00:06:43,922 --> 00:06:45,380 the service because they're worried 142 00:06:45,380 --> 00:06:49,100 about losing their jobs, or potentially harassment, 143 00:06:49,100 --> 00:06:52,530 or just simply embarrassment for uses, 144 00:06:52,530 --> 00:06:55,340 such as discussing alcoholism, depression, being 145 00:06:55,340 --> 00:06:56,600 a sexual minority. 146 00:06:56,600 --> 00:06:59,660 Some people said that they used nym.alias.net to blow 147 00:06:59,660 --> 00:07:02,180 the whistle on illegal activities, 148 00:07:02,180 --> 00:07:06,020 and a few people said that they found it incredibly 149 00:07:06,020 --> 00:07:08,510 useful for fighting harmful cults 150 00:07:08,510 --> 00:07:10,790 and helping people escape those cults. 151 00:07:10,790 --> 00:07:14,180 Another class of people simply wanted protection from mail 152 00:07:14,180 --> 00:07:14,810 logs. 
153 00:07:14,810 --> 00:07:18,290 Right now, on most systems, if you have an email account, 154 00:07:18,290 --> 00:07:20,660 even if no one's sitting there reading your mail, 155 00:07:20,660 --> 00:07:23,427 the system is building up a log file of all the mail 156 00:07:23,427 --> 00:07:25,010 messages that come and go, and someone 157 00:07:25,010 --> 00:07:27,440 can derive from that list of all the people you've 158 00:07:27,440 --> 00:07:28,910 exchanged email with. 159 00:07:28,910 --> 00:07:30,920 And people who don't feel comfortable with that 160 00:07:30,920 --> 00:07:32,840 use this service to keep the identity 161 00:07:32,840 --> 00:07:36,620 of their correspondence secret from the system administrators. 162 00:07:36,620 --> 00:07:40,580 And finally, some people simply use this service for protection 163 00:07:40,580 --> 00:07:41,630 from search engines. 164 00:07:41,630 --> 00:07:43,370 And the fact is right now you could 165 00:07:43,370 --> 00:07:46,130 make a statement in a public forum under your real name, 166 00:07:46,130 --> 00:07:50,090 and 10 years from now people may call up your name on a search 167 00:07:50,090 --> 00:07:51,710 engine and be looking at statements 168 00:07:51,710 --> 00:07:52,700 you made 10 years ago. 169 00:07:52,700 --> 00:07:54,830 Do you still want to be associated 170 00:07:54,830 --> 00:07:55,790 with those statements? 171 00:07:55,790 --> 00:07:59,420 And in particular, one person gave a story of a candidate 172 00:07:59,420 --> 00:08:03,272 at a job interview whose Usenet News posting history came up 173 00:08:03,272 --> 00:08:04,730 as a subject for the job interview, 174 00:08:04,730 --> 00:08:07,970 and that person was obviously very uncomfortable with that. 175 00:08:07,970 --> 00:08:10,250 Finally, a few people admitted to using 176 00:08:10,250 --> 00:08:12,938 the service for admittedly marginal purposes. 
177 00:08:12,938 --> 00:08:14,480 And probably the most common of these 178 00:08:14,480 --> 00:08:16,340 are people who said they use it to discuss 179 00:08:16,340 --> 00:08:18,170 marijuana cultivation. 180 00:08:18,170 --> 00:08:19,970 But there are also a couple of people 181 00:08:19,970 --> 00:08:22,220 who said that they used it for software piracy 182 00:08:22,220 --> 00:08:26,330 and for virus development. 183 00:08:26,330 --> 00:08:28,960 So how do we build a system like this 184 00:08:28,960 --> 00:08:32,980 that allows people to have these email addresses anonymously? 185 00:08:32,980 --> 00:08:35,830 Well, the key idea is that users of the system 186 00:08:35,830 --> 00:08:39,340 never communicate directly with nym.alias.net. 187 00:08:39,340 --> 00:08:42,520 And the way we do this is to build on an existing 188 00:08:42,520 --> 00:08:44,350 network of anonymous remailers. 189 00:08:44,350 --> 00:08:47,230 And these are servers that forward email on 190 00:08:47,230 --> 00:08:51,550 to some destination address, but strip off all the information 191 00:08:51,550 --> 00:08:54,400 about the person who originated the piece of email. 192 00:08:54,400 --> 00:08:58,150 And there exist independently operated in several countries 193 00:08:58,150 --> 00:08:59,480 and jurisdictions. 194 00:08:59,480 --> 00:09:03,070 And when mail is sent through a series of remailers, 195 00:09:03,070 --> 00:09:05,050 the key point is that multiple remailers 196 00:09:05,050 --> 00:09:07,000 need to be compromised in order to expose 197 00:09:07,000 --> 00:09:09,880 the path that any email message has taken. 198 00:09:09,880 --> 00:09:12,760 And so you can see from this that it's 199 00:09:12,760 --> 00:09:15,100 fairly simple for users to send mail 200 00:09:15,100 --> 00:09:18,910 to nym.alias.net when they want to establish accounts and send 201 00:09:18,910 --> 00:09:20,020 outgoing mail. 
202 00:09:20,020 --> 00:09:21,550 And there are actually several ways 203 00:09:21,550 --> 00:09:24,550 of receiving anonymous mail for nym.alias.net 204 00:09:24,550 --> 00:09:27,010 to reply to the users. 205 00:09:27,010 --> 00:09:29,260 And I'll give you a particularly simple example, which 206 00:09:29,260 --> 00:09:31,900 is that even if you forget about email, 207 00:09:31,900 --> 00:09:34,360 if you wanted someone to send you a message without knowing 208 00:09:34,360 --> 00:09:36,220 who you are, you might tell that person 209 00:09:36,220 --> 00:09:38,672 to go take out a classified ad in The New York Times, 210 00:09:38,672 --> 00:09:40,630 and you could read The New York Times every day 211 00:09:40,630 --> 00:09:42,130 along with millions of other people, 212 00:09:42,130 --> 00:09:44,050 and see the message when it arrives. 213 00:09:44,050 --> 00:09:48,700 And nym.alias.net allows people to configure their pseudonyms 214 00:09:48,700 --> 00:09:51,772 so that any mail that is received for that pseudonym 215 00:09:51,772 --> 00:09:53,980 is posted to a public forum where it's very difficult 216 00:09:53,980 --> 00:09:55,300 to trace to the person. 217 00:09:55,300 --> 00:09:59,320 And there are also ways of doing this more efficiently using 218 00:09:59,320 --> 00:10:02,000 the anonymous remailer network. 219 00:10:02,000 --> 00:10:04,190 OK, so the first thing that we noticed 220 00:10:04,190 --> 00:10:06,980 when we deployed the system is that nym.alias.net 221 00:10:06,980 --> 00:10:08,330 draws attacks. 222 00:10:08,330 --> 00:10:11,000 Anonymous speech can definitely upset people. 223 00:10:11,000 --> 00:10:13,273 And when people get upset at anonymous speakers, 224 00:10:13,273 --> 00:10:14,690 the first thing they want to do is 225 00:10:14,690 --> 00:10:17,000 know who is speaking anonymously so that they can 226 00:10:17,000 --> 00:10:18,980 exact some kind of retribution. 
227 00:10:18,980 --> 00:10:21,375 And failing that, when they can't find out 228 00:10:21,375 --> 00:10:23,000 who's actually making these statements, 229 00:10:23,000 --> 00:10:24,920 they tend to turn on the service provider 230 00:10:24,920 --> 00:10:26,480 and they want to shut it down. 231 00:10:26,480 --> 00:10:30,320 And in fact, protecting the identities of users 232 00:10:30,320 --> 00:10:32,330 is a fairly well-known problem. 233 00:10:32,330 --> 00:10:34,970 And it's been going back to 1981, 234 00:10:34,970 --> 00:10:36,380 there's been work in that. 235 00:10:36,380 --> 00:10:38,570 And we understand how to do this fairly well. 236 00:10:38,570 --> 00:10:41,870 But in practice, defending a service and keeping it up 237 00:10:41,870 --> 00:10:44,060 and useful is actually not nearly as well understood 238 00:10:44,060 --> 00:10:44,907 a problem. 239 00:10:44,907 --> 00:10:47,240 And so I'll give you some examples of some of the things 240 00:10:47,240 --> 00:10:50,370 you can do to try to disrupt an anonymous service. 241 00:10:50,370 --> 00:10:52,520 One thing you can do is use the service 242 00:10:52,520 --> 00:10:54,710 to attack some third party anonymously, and then 243 00:10:54,710 --> 00:10:57,140 hope that that third party turns on the remailer 244 00:10:57,140 --> 00:10:58,890 and tries to get it shut down. 245 00:10:58,890 --> 00:11:01,580 Another thing you can try to do is 246 00:11:01,580 --> 00:11:05,420 to try to marginalize the service through disruptive use 247 00:11:05,420 --> 00:11:09,950 so that if the existence of the service 248 00:11:09,950 --> 00:11:12,710 becomes absolutely intolerable to everyone, 249 00:11:12,710 --> 00:11:15,442 then even legitimate users of the system 250 00:11:15,442 --> 00:11:17,900 are not going to be able to be heard because no one's going 251 00:11:17,900 --> 00:11:20,780 to have any choice but to ignore all anonymous traffic that's 252 00:11:20,780 --> 00:11:22,100 coming from the service. 
253 00:11:22,100 --> 00:11:24,140 And finally, one thing you can try to do 254 00:11:24,140 --> 00:11:26,750 is to try to make life really difficult 255 00:11:26,750 --> 00:11:28,310 for the operators of the service, 256 00:11:28,310 --> 00:11:30,310 so that it will not be worth their while to keep 257 00:11:30,310 --> 00:11:33,470 running the service and they'll want to shut it down. 258 00:11:33,470 --> 00:11:35,930 Well, in fact, defending against some of these attacks 259 00:11:35,930 --> 00:11:37,940 also poses some unusual challenges. 260 00:11:37,940 --> 00:11:41,280 And there are several reasons for that. 261 00:11:41,280 --> 00:11:43,880 First of all, in general, when you have a server that's 262 00:11:43,880 --> 00:11:46,550 on the internet and you're trying to protect it 263 00:11:46,550 --> 00:11:48,525 from attack, one of your front line defenses, 264 00:11:48,525 --> 00:11:50,900 and the best ways of finding out if you're being attacked 265 00:11:50,900 --> 00:11:52,370 and potentially who's attacking you 266 00:11:52,370 --> 00:11:55,250 is to look at logs of who's connecting to the server 267 00:11:55,250 --> 00:11:55,880 and using it. 268 00:11:55,880 --> 00:11:58,160 And in general, with an anonymous server, 269 00:11:58,160 --> 00:12:00,840 privacy concerns preclude any kind of usage logs. 270 00:12:00,840 --> 00:12:04,130 You don't want to keep track of who's made use of your service. 271 00:12:04,130 --> 00:12:06,950 A second problem is that the service by its very nature 272 00:12:06,950 --> 00:12:09,680 is designed to hide the identities of users. 273 00:12:09,680 --> 00:12:11,480 And that applies to abusers, too. 274 00:12:11,480 --> 00:12:13,970 So when someone is abusing the system, 275 00:12:13,970 --> 00:12:16,400 you have no way of knowing who that person is. 
276 00:12:16,400 --> 00:12:19,190 In fact, even if you do know who is actually 277 00:12:19,190 --> 00:12:21,530 trying to disrupt use of your service, 278 00:12:21,530 --> 00:12:23,990 you can't necessarily ban that person 279 00:12:23,990 --> 00:12:27,080 from making use of the service because the server is designed 280 00:12:27,080 --> 00:12:30,680 to prevent the operators from associating incoming messages 281 00:12:30,680 --> 00:12:32,240 with particular people, you're not 282 00:12:32,240 --> 00:12:34,550 going to know which incoming requests are actually 283 00:12:34,550 --> 00:12:38,480 coming from a malicious person trying to disrupt your service. 284 00:12:38,480 --> 00:12:40,700 And finally, for a number of reasons, 285 00:12:40,700 --> 00:12:43,040 any kind of content-based censorship 286 00:12:43,040 --> 00:12:45,350 of filtering disruptive messages is 287 00:12:45,350 --> 00:12:47,760 completely impractical for a number of reasons. 288 00:12:47,760 --> 00:12:50,540 First of all, if you try to put some kind of automatic filter 289 00:12:50,540 --> 00:12:53,120 in place that's just going to filter on keywords, 290 00:12:53,120 --> 00:12:55,530 well, you're dealing with human adversaries 291 00:12:55,530 --> 00:12:57,530 and they're going to adapt to whatever automatic 292 00:12:57,530 --> 00:13:00,710 filters you put in place if they know what you're blocking. 293 00:13:00,710 --> 00:13:04,130 Second of all, if you start filtering certain messages, 294 00:13:04,130 --> 00:13:07,160 you're going to block legitimate users, too, potentially. 295 00:13:07,160 --> 00:13:10,400 And in fact, this may well be the goal of your attacker. 296 00:13:10,400 --> 00:13:14,240 So if your response to attacking is to start filtering messages, 297 00:13:14,240 --> 00:13:15,865 and people want you to filter messages, 298 00:13:15,865 --> 00:13:17,282 they're going to attack the system 299 00:13:17,282 --> 00:13:19,170 and try to make disruptive use of it. 
300 00:13:19,170 --> 00:13:20,750 Finally, if you actually try to look 301 00:13:20,750 --> 00:13:23,390 at every individual message going through the system, 302 00:13:23,390 --> 00:13:25,730 it's just simply way too much human effort. 303 00:13:25,730 --> 00:13:30,110 And in fact, in the US at least, inspecting messages manually 304 00:13:30,110 --> 00:13:32,138 like that actually opens you up to liability, 305 00:13:32,138 --> 00:13:33,680 which is something you certainly want 306 00:13:33,680 --> 00:13:36,620 to avoid in the case of an anonymous remailer. 307 00:13:36,620 --> 00:13:40,010 So some things we've concluded from running this service. 308 00:13:40,010 --> 00:13:42,680 First of all, we think that open anonymous servers, in fact, 309 00:13:42,680 --> 00:13:43,913 are practical. 310 00:13:43,913 --> 00:13:45,830 We've been running this system for three years 311 00:13:45,830 --> 00:13:48,390 and we've had some hard challenges to deal with. 312 00:13:48,390 --> 00:13:50,920 But basically, we've overcome all the problems that 313 00:13:50,920 --> 00:13:52,320 have been thrown in our way. 314 00:13:52,320 --> 00:13:54,110 But one thing we have learned is that when 315 00:13:54,110 --> 00:13:56,068 you're building an anonymous service like that, 316 00:13:56,068 --> 00:13:59,850 you have to factor abuse into the design of the service. 317 00:13:59,850 --> 00:14:01,970 A second thing we've learned is that people 318 00:14:01,970 --> 00:14:05,510 can be incredibly creative in finding ways 319 00:14:05,510 --> 00:14:07,520 to disrupt an anonymous server. 320 00:14:07,520 --> 00:14:10,190 So you really ought to deploy anonymous systems 321 00:14:10,190 --> 00:14:12,390 to assess their viability. 
322 00:14:12,390 --> 00:14:15,200 And in fact, when you're trying to assess their viability, 323 00:14:15,200 --> 00:14:17,750 the key metric to use in measuring 324 00:14:17,750 --> 00:14:20,570 how successful and robust an anonymous system is, 325 00:14:20,570 --> 00:14:21,920 is really human time. 326 00:14:21,920 --> 00:14:23,840 And the worst thing you can possibly 327 00:14:23,840 --> 00:14:26,030 do if you're designing an anonymous system 328 00:14:26,030 --> 00:14:28,670 and deploying it is to put yourself in a situation 329 00:14:28,670 --> 00:14:31,490 where manually you have to inspect every message that goes 330 00:14:31,490 --> 00:14:34,430 through the system, or you have to manually clean up the mess 331 00:14:34,430 --> 00:14:36,260 every time someone manages to make 332 00:14:36,260 --> 00:14:38,720 disruptive use of the system, because then someone can 333 00:14:38,720 --> 00:14:41,228 write a program to generate all kinds of disruptive mail. 334 00:14:41,228 --> 00:14:42,770 And that person runs a program that's 335 00:14:42,770 --> 00:14:45,350 costing you countless hours every time it runs. 336 00:14:45,350 --> 00:14:48,080 And on the flip side, the way to win, 337 00:14:48,080 --> 00:14:50,750 and the way to control abuse, and to keep the service useful 338 00:14:50,750 --> 00:14:53,810 for legitimate users is to try to limit 339 00:14:53,810 --> 00:14:56,480 the trouble to any single person can stir up 340 00:14:56,480 --> 00:14:58,430 by making sure that the system costs 341 00:14:58,430 --> 00:15:00,620 a certain amount of human time to use. 342 00:15:00,620 --> 00:15:02,480 And I haven't been able to go into any 343 00:15:02,480 --> 00:15:04,813 of the details of the kinds of attacks that we had here, 344 00:15:04,813 --> 00:15:06,230 but if this is interesting to you, 345 00:15:06,230 --> 00:15:08,480 I'd invite you to read some of our war stories, which 346 00:15:08,480 --> 00:15:11,550 are on the LCS web page under human impact. 
347 00:15:11,550 --> 00:15:12,864 Thank you. 348 00:15:12,864 --> 00:15:16,343 [APPLAUSE] 349 00:15:16,343 --> 00:15:20,330 350 00:15:20,330 --> 00:15:22,560 Thank you, David. 351 00:15:22,560 --> 00:15:25,220 So Phil Reitinger, can you give us 352 00:15:25,220 --> 00:15:27,140 a little bit of context here? 353 00:15:27,140 --> 00:15:31,790 At some level, this sounds like pretty interesting research. 354 00:15:31,790 --> 00:15:35,315 David and this other guy have worked hard. 355 00:15:35,315 --> 00:15:36,440 How do you know it's a guy? 356 00:15:36,440 --> 00:15:38,410 [LAUGHS] I was sitting next to him. 357 00:15:38,410 --> 00:15:42,800 358 00:15:42,800 --> 00:15:45,470 What are we losing here? 359 00:15:45,470 --> 00:15:46,290 What's the problem? 360 00:15:46,290 --> 00:15:47,750 That calls for a follow-up comment. 361 00:15:47,750 --> 00:15:48,250 Sorry. 362 00:15:48,250 --> 00:15:50,750 363 00:15:50,750 --> 00:15:52,880 I'd like to answer your question but I'm 364 00:15:52,880 --> 00:15:56,500 frozen into fear by the anonymous masked person 365 00:15:56,500 --> 00:15:57,188 next to me. 366 00:15:57,188 --> 00:15:59,640 [LAUGHTER] 367 00:15:59,640 --> 00:16:00,140 368 00:16:00,140 --> 00:16:01,040 Sure. 369 00:16:01,040 --> 00:16:02,780 You're not going to unmask him, are you? 370 00:16:02,780 --> 00:16:05,420 Well, the upshot of that is, of course, anonymity 371 00:16:05,420 --> 00:16:07,940 has a downside, too. 372 00:16:07,940 --> 00:16:10,220 I know this will come as a shock, 373 00:16:10,220 --> 00:16:13,940 to many of you, including Danny, but people actually 374 00:16:13,940 --> 00:16:16,350 commit crimes on the internet. 375 00:16:16,350 --> 00:16:20,930 And it's hard for law enforcement 376 00:16:20,930 --> 00:16:24,350 to put a pseudonym in jail. 377 00:16:24,350 --> 00:16:26,250 You don't see a lot of indictments that say 378 00:16:26,250 --> 00:16:28,880 United States versus John Doe. 
379 00:16:28,880 --> 00:16:33,080 If you want to discover people who are committing crimes, 380 00:16:33,080 --> 00:16:37,010 and then prosecute them, and put them in jail, if appropriate, 381 00:16:37,010 --> 00:16:39,170 you've got to discover who they are. 382 00:16:39,170 --> 00:16:43,220 In fact, law enforcement has to prove identity 383 00:16:43,220 --> 00:16:45,350 in every criminal case. 384 00:16:45,350 --> 00:16:49,440 But anonymity is the antithesis of identity. 385 00:16:49,440 --> 00:16:53,220 And so if a person is truly anonymous, 386 00:16:53,220 --> 00:16:55,820 then there can be no criminal law enforcement 387 00:16:55,820 --> 00:17:01,310 and people are free, which has an upside and a downside, 388 00:17:01,310 --> 00:17:04,609 to doing whatever they want on the internet. 389 00:17:04,609 --> 00:17:07,190 Now, one of the things I said was 390 00:17:07,190 --> 00:17:10,698 that if a person is completely anonymous-- it's 391 00:17:10,698 --> 00:17:12,740 an important distinction, because a lot of people 392 00:17:12,740 --> 00:17:16,550 think about anonymity as being a binary concept, 393 00:17:16,550 --> 00:17:19,250 either you are anonymous or you are not. 394 00:17:19,250 --> 00:17:21,410 But in point of fact, there's a fairly broad set 395 00:17:21,410 --> 00:17:24,740 of differentiation depending upon how difficult 396 00:17:24,740 --> 00:17:29,480 it is to determine the real identity of a person associated 397 00:17:29,480 --> 00:17:33,570 with a particular message or a pseudonymous identity. 398 00:17:33,570 --> 00:17:36,500 And that's where the distinctions come in. 
399 00:17:36,500 --> 00:17:41,300 If one is serious about enforcing law regarding 400 00:17:41,300 --> 00:17:44,900 activities on the internet-- and by enforcing law, 401 00:17:44,900 --> 00:17:46,910 I'm talking about laws that refer 402 00:17:46,910 --> 00:17:50,150 to both speech-related crimes, if you will, 403 00:17:50,150 --> 00:17:56,840 such as harassment, extortion, and such similar sorts 404 00:17:56,840 --> 00:17:59,750 of crimes, and non speech-related crimes 405 00:17:59,750 --> 00:18:02,210 like engaging in computer intrusions, 406 00:18:02,210 --> 00:18:05,210 law enforcement has to be able to determine 407 00:18:05,210 --> 00:18:07,670 the identity of the person. 408 00:18:07,670 --> 00:18:11,300 And so you need the ability to trace communications 409 00:18:11,300 --> 00:18:13,640 to their source to determine the identity of the person 410 00:18:13,640 --> 00:18:16,380 committing the crime. 411 00:18:16,380 --> 00:18:19,660 Let me just ask you, I think that we understand 412 00:18:19,660 --> 00:18:22,350 the problem in the abstract. 413 00:18:22,350 --> 00:18:25,080 In point of fact, have any of your investigations 414 00:18:25,080 --> 00:18:27,810 or investigations you're aware of been blocked or made 415 00:18:27,810 --> 00:18:32,840 substantially more difficult by anonymous remailers? 416 00:18:32,840 --> 00:18:37,850 I know of cases where anonymous remailers were used 417 00:18:37,850 --> 00:18:40,830 in the commission of crimes. 418 00:18:40,830 --> 00:18:46,280 And I think anecdotally there is a large upswing 419 00:18:46,280 --> 00:18:50,810 in the use of anonymous, particularly web-based email 420 00:18:50,810 --> 00:18:54,350 services, to send harassing communications. 421 00:18:54,350 --> 00:18:56,720 A typical example might be, let's say 422 00:18:56,720 --> 00:18:59,690 you wanted to threaten the President of the United States. 
423 00:18:59,690 --> 00:19:02,762 So you go to an anonymous web browsing service-- 424 00:19:02,762 --> 00:19:04,970 don't want to mention any of them-- but you go to one 425 00:19:04,970 --> 00:19:08,360 and you use that service to access an anonymous email 426 00:19:08,360 --> 00:19:11,030 account and send out a harassing message to the president 427 00:19:11,030 --> 00:19:13,550 or whatever person you want, because it's likely 428 00:19:13,550 --> 00:19:17,840 that neither the anonymous remailer or the anonymous web 429 00:19:17,840 --> 00:19:20,840 browsing service is going to keep any records at all 430 00:19:20,840 --> 00:19:23,300 that would allow tracing of that communications. 431 00:19:23,300 --> 00:19:26,180 You have effectively committed the perfect crime. 432 00:19:26,180 --> 00:19:28,850 It's an almost untraceable threat. 433 00:19:28,850 --> 00:19:31,335 And for example, if you make it fairly detailed 434 00:19:31,335 --> 00:19:32,960 and make it a bomb threat or something, 435 00:19:32,960 --> 00:19:36,950 you can cause a lot of damage without really 436 00:19:36,950 --> 00:19:39,800 facing any real jeopardy. 437 00:19:39,800 --> 00:19:43,820 Nadine, Phil's very worried about these services 438 00:19:43,820 --> 00:19:46,160 and he hasn't told us what exactly he 439 00:19:46,160 --> 00:19:48,350 wants to do-- we'll come to that later 440 00:19:48,350 --> 00:19:51,270 about these sorts of services. 441 00:19:51,270 --> 00:19:54,500 What do you think are the issues on the free speech 442 00:19:54,500 --> 00:19:56,360 side of this equation? 443 00:19:56,360 --> 00:19:58,820 Aren't people just hiding behind these barriers 444 00:19:58,820 --> 00:20:00,860 for no particularly good reason? 445 00:20:00,860 --> 00:20:04,130 Well, I, like Phil, am very concerned 446 00:20:04,130 --> 00:20:06,120 about law enforcement. 
447 00:20:06,120 --> 00:20:12,860 And I, like Phil, recognize that the supreme law in this country 448 00:20:12,860 --> 00:20:15,440 is the United States Constitution. 449 00:20:15,440 --> 00:20:18,470 I want to be sure that constitutional guarantees 450 00:20:18,470 --> 00:20:21,420 of freedom of speech, freedom of the press, 451 00:20:21,420 --> 00:20:24,410 freedom of association, and privacy are 452 00:20:24,410 --> 00:20:27,830 as honored and robust in cyberspace 453 00:20:27,830 --> 00:20:31,190 as they have been in more traditional media. 454 00:20:31,190 --> 00:20:33,770 It proves too much to say, well, we 455 00:20:33,770 --> 00:20:38,210 might be able to solve more crimes, or detect more crimes, 456 00:20:38,210 --> 00:20:42,050 or even deter more crimes if we somehow 457 00:20:42,050 --> 00:20:47,030 bent that supreme law to alter the balance of power 458 00:20:47,030 --> 00:20:50,660 between individual freedom on the one hand and government 459 00:20:50,660 --> 00:20:53,760 surveillance capability on the other hand. 460 00:20:53,760 --> 00:20:57,380 The reason it proves too much is that very same 461 00:20:57,380 --> 00:21:00,770 philosophical issue confronted the framers. 462 00:21:00,770 --> 00:21:05,570 So I am taking the very conservative position adopted 463 00:21:05,570 --> 00:21:10,820 200 years ago that there are certain individual rights that 464 00:21:10,820 --> 00:21:16,160 simply may not be sacrificed, no matter what the potential law 465 00:21:16,160 --> 00:21:18,900 enforcement gain is on the other side. 466 00:21:18,900 --> 00:21:22,490 Another very, very important point is we cannot let 467 00:21:22,490 --> 00:21:28,010 the debate be driven by thinking of the most horrible abuses 468 00:21:28,010 --> 00:21:31,670 that could be made of freedom of speech or privacy, 469 00:21:31,670 --> 00:21:35,540 because after all, anything can be abused. 
470 00:21:35,540 --> 00:21:38,600 When the automobile was first invented, 471 00:21:38,600 --> 00:21:41,840 Phil's predecessors in the Justice Department and law 472 00:21:41,840 --> 00:21:46,610 enforcement argued that it should be an illegal object, 473 00:21:46,610 --> 00:21:48,620 because, after all, criminals were 474 00:21:48,620 --> 00:21:51,350 going to be able to use cars to flee 475 00:21:51,350 --> 00:21:53,070 from the scene of the crime. 476 00:21:53,070 --> 00:21:55,580 Now, that seems like an absurd argument to us 477 00:21:55,580 --> 00:21:57,530 now, judging by the audience response, 478 00:21:57,530 --> 00:22:00,680 but to me is exactly the same argument that 479 00:22:00,680 --> 00:22:05,330 is being made now, because some technology can be abused, 480 00:22:05,330 --> 00:22:07,790 can be used to commit crimes, therefore, we 481 00:22:07,790 --> 00:22:10,760 are going to deprive all of the legitimate users 482 00:22:10,760 --> 00:22:15,620 from human rights dissidents, to whistleblowers, to authors, 483 00:22:15,620 --> 00:22:20,240 to all kinds of individuals who, in many cases, 484 00:22:20,240 --> 00:22:24,410 would not have freedom of speech if they did not 485 00:22:24,410 --> 00:22:28,070 have the security and confidentiality provided 486 00:22:28,070 --> 00:22:30,170 by anonymous remailers. 487 00:22:30,170 --> 00:22:32,760 Now, I think at this juncture, the guy in the mask 488 00:22:32,760 --> 00:22:34,010 might have something to offer. 489 00:22:34,010 --> 00:22:35,690 But he's going to have to take it off 490 00:22:35,690 --> 00:22:37,325 before he can speak to this audience. 491 00:22:37,325 --> 00:22:39,980 492 00:22:39,980 --> 00:22:44,300 This is a professor Frans Kaashoek, who many of you know. 493 00:22:44,300 --> 00:22:46,363 He's associate professor at MIT's 494 00:22:46,363 --> 00:22:48,530 Electrical Engineering Computer Science Department. 495 00:22:48,530 --> 00:22:52,490 And he's a member of LCS. 
496 00:22:52,490 --> 00:22:55,280 Aside from his work on anonymous remailers, 497 00:22:55,280 --> 00:22:57,650 his research includes exokernels, 498 00:22:57,650 --> 00:22:59,750 and extensible operating system architecture, 499 00:22:59,750 --> 00:23:04,100 and SFSS, a secure decentralized global file system. 500 00:23:04,100 --> 00:23:07,220 Frans, why did you choose to do this work? 501 00:23:07,220 --> 00:23:10,410 502 00:23:10,410 --> 00:23:11,680 Good question. 503 00:23:11,680 --> 00:23:16,170 I guess I like getting subpoenas and receiving 504 00:23:16,170 --> 00:23:18,360 the blame for this project. 505 00:23:18,360 --> 00:23:19,500 I always like to joke that. 506 00:23:19,500 --> 00:23:23,400 Dave gets the credit, I get the blame. 507 00:23:23,400 --> 00:23:26,590 I guess it comes down to a couple of issues. 508 00:23:26,590 --> 00:23:31,290 First, I guess I strongly believe in freedom of speech. 509 00:23:31,290 --> 00:23:36,630 And I think this is going to be very important issue in trying 510 00:23:36,630 --> 00:23:39,900 to figure out how to have freedom of speech 511 00:23:39,900 --> 00:23:41,040 on the internet. 512 00:23:41,040 --> 00:23:44,370 And understanding that and providing services 513 00:23:44,370 --> 00:23:46,620 that actually allow you to have freedom of speech 514 00:23:46,620 --> 00:23:50,310 seems like crucial in understanding the debate 515 00:23:50,310 --> 00:23:52,170 and the issues that are involved here. 516 00:23:52,170 --> 00:23:55,350 And I guess go back to, and sort of one 517 00:23:55,350 --> 00:24:00,780 of the comments Nadine makes that the original federal 518 00:24:00,780 --> 00:24:05,040 papers were which were United States was founded on 519 00:24:05,040 --> 00:24:06,780 were published on a pseudonym. 520 00:24:06,780 --> 00:24:11,340 And so there's clearly a case that where 521 00:24:11,340 --> 00:24:16,370 anonymity is actually important and plays an important role. 
522 00:24:16,370 --> 00:24:19,670 Now, we might not have been sitting here 523 00:24:19,670 --> 00:24:23,100 having been that the case 200 years ago. 524 00:24:23,100 --> 00:24:26,150 The other side of it is it brings out 525 00:24:26,150 --> 00:24:29,630 a lot of interesting research problems 526 00:24:29,630 --> 00:24:31,460 in the area of security. 527 00:24:31,460 --> 00:24:35,030 I know Dave touched on a number of them in his talk. 528 00:24:35,030 --> 00:24:39,140 Services like this attract people 529 00:24:39,140 --> 00:24:40,640 that actually get mad at the service 530 00:24:40,640 --> 00:24:42,920 and trying to shut down the service. 531 00:24:42,920 --> 00:24:46,450 nym.alias.net is not the only service that people are mad at. 532 00:24:46,450 --> 00:24:48,260 There are lots of people out there 533 00:24:48,260 --> 00:24:50,420 trying to attack other kinds of services 534 00:24:50,420 --> 00:24:52,650 and trying to force them down. 535 00:24:52,650 --> 00:24:55,400 So it seems to be from a research point, 536 00:24:55,400 --> 00:24:58,820 important to try to understand what kind techniques can 537 00:24:58,820 --> 00:25:02,870 be used to protect against people 538 00:25:02,870 --> 00:25:05,510 that illegally are shutting down services. 539 00:25:05,510 --> 00:25:09,170 I'm sure you have been reading the attacks on the NATO website 540 00:25:09,170 --> 00:25:11,040 in the last couple of weeks. 541 00:25:11,040 --> 00:25:13,370 What kind of techniques can develop 542 00:25:13,370 --> 00:25:18,440 to protect against these denial of service attacks? 543 00:25:18,440 --> 00:25:22,520 And nym.alias.net is one example of a service 544 00:25:22,520 --> 00:25:26,600 that we can investigate, learn, understand, and figure out what 545 00:25:26,600 --> 00:25:29,670 techniques work and don't work. 
546 00:25:29,670 --> 00:25:32,930 And part of that is, if you offer a service like that, 547 00:25:32,930 --> 00:25:36,680 I think one of the key problems is, how do you deal with abuse? 548 00:25:36,680 --> 00:25:38,863 It's not only focusing on the problem 549 00:25:38,863 --> 00:25:40,280 of how do you protect the identity 550 00:25:40,280 --> 00:25:43,610 of the nym, the other side of that 551 00:25:43,610 --> 00:25:46,800 is, how do you deal with abuse? 552 00:25:46,800 --> 00:25:49,730 Phil gave his example of harassment. 553 00:25:49,730 --> 00:25:52,970 It turns out that actually is pretty easy to deal with. 554 00:25:52,970 --> 00:25:53,880 Two things. 555 00:25:53,880 --> 00:25:56,690 First of all, a piece of email coming from nym.alias.net 556 00:25:56,690 --> 00:25:58,970 is identifying that it came from there. 557 00:25:58,970 --> 00:26:02,210 Second of all, we have features on the servers that 558 00:26:02,210 --> 00:26:05,570 allow users to say, I don't want to receive an email coming 559 00:26:05,570 --> 00:26:06,855 from nym.alias.net. 560 00:26:06,855 --> 00:26:08,480 So one of the things we're trying to do 561 00:26:08,480 --> 00:26:11,660 is to figure out how to make the servers in such a way 562 00:26:11,660 --> 00:26:19,490 that people can live pleasantly with the service in existence. 563 00:26:19,490 --> 00:26:23,458 And I guess, then, the final side of this 564 00:26:23,458 --> 00:26:25,000 is that I think it's important-- now, 565 00:26:25,000 --> 00:26:29,800 clearly the area of anonymity and the role of technology 566 00:26:29,800 --> 00:26:31,360 here is ill understood. 567 00:26:31,360 --> 00:26:34,240 And we wouldn't be having this panel here if we actually 568 00:26:34,240 --> 00:26:36,370 understood the problem exactly. 
569 00:26:36,370 --> 00:26:41,380 And one of the hopes when I got involved in all this, 570 00:26:41,380 --> 00:26:45,340 was trying to understand the role between technology, 571 00:26:45,340 --> 00:26:47,290 and the role between law enforcement, 572 00:26:47,290 --> 00:26:49,000 and the role between society. 573 00:26:49,000 --> 00:26:52,135 And if we hadn't done this particular experiment, 574 00:26:52,135 --> 00:26:54,260 again, we wouldn't be sitting here, and discussing, 575 00:26:54,260 --> 00:26:55,960 and having this particular debate. 576 00:26:55,960 --> 00:26:59,530 And so to sum up, there's three important reasons for me 577 00:26:59,530 --> 00:27:03,820 to be involved and support the nym.alias.net. 578 00:27:03,820 --> 00:27:05,320 One is the freedom of speech. 579 00:27:05,320 --> 00:27:06,910 I'm a strong believer in it. 580 00:27:06,910 --> 00:27:09,190 Two, there are very interesting research problems 581 00:27:09,190 --> 00:27:10,750 and we've got to figure them out. 582 00:27:10,750 --> 00:27:14,590 Three, what's the role of technology in society? 583 00:27:14,590 --> 00:27:20,470 And all of the three are important in supporting 584 00:27:20,470 --> 00:27:21,890 this particular service. 585 00:27:21,890 --> 00:27:24,130 Now, Frans, you said that it's actually not 586 00:27:24,130 --> 00:27:26,188 so hard to deal with some problems 587 00:27:26,188 --> 00:27:28,480 that Phil brought up, some crimes that Phil brought up, 588 00:27:28,480 --> 00:27:29,897 namely harassment, that you've got 589 00:27:29,897 --> 00:27:31,840 a method for dealing with that. 590 00:27:31,840 --> 00:27:33,858 But you also said that you've been the subject 591 00:27:33,858 --> 00:27:34,900 of a number of subpoenas. 592 00:27:34,900 --> 00:27:36,317 So it must be that you can't quite 593 00:27:36,317 --> 00:27:40,840 deal with all the problems that are at least allegedly arising 594 00:27:40,840 --> 00:27:41,710 out of your service. 
595 00:27:41,710 --> 00:27:43,480 Tell us a little bit about what happens 596 00:27:43,480 --> 00:27:44,480 when you get a subpoena. 597 00:27:44,480 --> 00:27:46,480 What sort of information is asked for? 598 00:27:46,480 --> 00:27:50,102 What kind of information do you give law enforcement? 599 00:27:50,102 --> 00:27:52,310 Let me make a couple of statements along those lines. 600 00:27:52,310 --> 00:27:55,690 So first of all, the policy statement that we actually 601 00:27:55,690 --> 00:27:59,200 have on nym.alias.net and for any user on nym.alias.net 602 00:27:59,200 --> 00:28:02,020 says clearly that one shouldn't use nym.alias.net 603 00:28:02,020 --> 00:28:06,350 for breaking any federal or Massachusetts laws. 604 00:28:06,350 --> 00:28:10,480 And we have received in the last couple 605 00:28:10,480 --> 00:28:12,040 of years, a number of subpoenas where 606 00:28:12,040 --> 00:28:17,770 allegedly one of our users did something incorrectly. 607 00:28:17,770 --> 00:28:23,010 And if we discuss this with our lawyers, 608 00:28:23,010 --> 00:28:25,440 and if our lawyers advise us to comply, 609 00:28:25,440 --> 00:28:27,270 we comply with the subpoena. 610 00:28:27,270 --> 00:28:30,660 And in most cases, this means that there's 611 00:28:30,660 --> 00:28:35,640 a little bit of information stored on nym.alias.net that 612 00:28:35,640 --> 00:28:39,030 basically says, if you think about the chain of remailers, 613 00:28:39,030 --> 00:28:41,940 it basically says, what's the last remailer where 614 00:28:41,940 --> 00:28:45,510 it came from, and where it has to go to on its way 615 00:28:45,510 --> 00:28:47,070 back to the owner? 616 00:28:47,070 --> 00:28:52,440 And all this information is carefully encrypted. 617 00:28:52,440 --> 00:28:54,780 The last hop has to be known. 
618 00:28:54,780 --> 00:28:58,650 So we supply what we call the reply block, which contains 619 00:28:58,650 --> 00:29:01,308 some information, a set of instructions what 620 00:29:01,308 --> 00:29:03,600 the next hop should you do, and the set of instructions 621 00:29:03,600 --> 00:29:05,820 are encrypted, so we don't really know what it means, 622 00:29:05,820 --> 00:29:10,150 but we supply that particular piece of information. 623 00:29:10,150 --> 00:29:11,675 So if a user-- 624 00:29:11,675 --> 00:29:13,050 and this is the important point-- 625 00:29:13,050 --> 00:29:17,100 if a user uses our service correctly, 626 00:29:17,100 --> 00:29:20,310 the information that we're providing 627 00:29:20,310 --> 00:29:25,920 doesn't really have much value to law enforcement, at least. 628 00:29:25,920 --> 00:29:27,690 Not clear what you could learn from it. 629 00:29:27,690 --> 00:29:30,720 Of course, there are people that use our system incorrectly 630 00:29:30,720 --> 00:29:33,840 and law enforcement might actually 631 00:29:33,840 --> 00:29:35,700 have good luck with this particular piece 632 00:29:35,700 --> 00:29:36,490 of information. 633 00:29:36,490 --> 00:29:38,590 So Phil, what do you expect Frans to do? 634 00:29:38,590 --> 00:29:42,120 I mean, these guys can obviously configure the system 635 00:29:42,120 --> 00:29:43,920 in a variety of ways. 636 00:29:43,920 --> 00:29:48,810 Frans has just told us that, in fact, correctly used, 637 00:29:48,810 --> 00:29:50,400 his system doesn't really provide 638 00:29:50,400 --> 00:29:52,110 much useful information. 639 00:29:52,110 --> 00:29:54,030 What are these guys to do? 640 00:29:54,030 --> 00:29:57,300 Well, I don't have any real silver bullets, Danny. 641 00:29:57,300 --> 00:30:00,330 I hate to tell you that, but it's true. 
642 00:30:00,330 --> 00:30:06,910 It seems to me that people are too ready, generally, 643 00:30:06,910 --> 00:30:12,730 to resort to law to solve all of the problems presented 644 00:30:12,730 --> 00:30:14,180 by technology. 645 00:30:14,180 --> 00:30:16,120 Technology can solve a lot of the problems, 646 00:30:16,120 --> 00:30:19,240 policies and practices can solve a lot of the problems. 647 00:30:19,240 --> 00:30:25,480 And if I may refer to the nym.alias.net policy FAQ, 648 00:30:25,480 --> 00:30:26,680 it has a great line in it. 649 00:30:26,680 --> 00:30:29,110 "Our experience with nym.alias.net shows 650 00:30:29,110 --> 00:30:31,540 that controlling abuse is as important 651 00:30:31,540 --> 00:30:34,640 as protecting the identities of anonymous users", 652 00:30:34,640 --> 00:30:37,120 excuse me, users. 653 00:30:37,120 --> 00:30:40,570 I think the first and primary thing that has to happen 654 00:30:40,570 --> 00:30:44,590 is that people who are responsible for designing 655 00:30:44,590 --> 00:30:47,410 and implementing technology and standards 656 00:30:47,410 --> 00:30:52,000 need to be sensitive to how technologies can be abused, 657 00:30:52,000 --> 00:30:56,770 and need to consider the extent to which that 658 00:30:56,770 --> 00:31:02,820 can happen in designing and implementing the systems. 659 00:31:02,820 --> 00:31:06,270 I agree completely, by the way, with Nadine, 660 00:31:06,270 --> 00:31:09,540 that we should not reason from worst-case scenarios. 661 00:31:09,540 --> 00:31:12,030 Either the worst-case scenario, probably, 662 00:31:12,030 --> 00:31:17,190 of the kidnapper who you need to trace immediately or people 663 00:31:17,190 --> 00:31:18,450 will die. 
664 00:31:18,450 --> 00:31:21,180 But you also don't need to reason 665 00:31:21,180 --> 00:31:23,760 from the worst-case scenario on the other side 666 00:31:23,760 --> 00:31:27,390 of the human rights advocate in a country who, 667 00:31:27,390 --> 00:31:30,930 if his identity is exposed, will be immediately executed. 668 00:31:30,930 --> 00:31:32,820 These are both harms that you 669 00:31:32,820 --> 00:31:35,490 have to take into consideration in developing 670 00:31:35,490 --> 00:31:39,030 a balanced policy that addresses all of the relevant concerns. 671 00:31:39,030 --> 00:31:42,900 I think Phil's point about a lot of these problems, 672 00:31:42,900 --> 00:31:46,200 we should see technology as providing solutions 673 00:31:46,200 --> 00:31:50,940 and not jump to law, I'd like to agree with that point 674 00:31:50,940 --> 00:31:53,610 but come at it from a different perspective, which 675 00:31:53,610 --> 00:31:59,790 is, I'm very concerned about the very enormous threats 676 00:31:59,790 --> 00:32:04,620 to individual privacy that have occurred in cyberspace because 677 00:32:04,620 --> 00:32:09,480 of technological power that has vastly increased 678 00:32:09,480 --> 00:32:12,540 the ability of everybody, from government 679 00:32:12,540 --> 00:32:17,940 to the private sector, to engage in snooping, and putting 680 00:32:17,940 --> 00:32:21,960 together, and trading in what many of us like to think 681 00:32:21,960 --> 00:32:26,100 is personal information that pertains only to us, including 682 00:32:26,100 --> 00:32:28,590 information of a very personal nature, 683 00:32:28,590 --> 00:32:32,760 such as financial information and medical information. 684 00:32:32,760 --> 00:32:35,350 Unfortunately, from my point of view, 685 00:32:35,350 --> 00:32:37,620 the laws in the United States are not 686 00:32:37,620 --> 00:32:41,130 very protective of individual privacy with respect 687 00:32:41,130 --> 00:32:42,960 to that kind of information. 
688 00:32:42,960 --> 00:32:46,980 And therefore, I welcome the kind of technology 689 00:32:46,980 --> 00:32:50,910 that LCS has put together through the anonymous remailer, 690 00:32:50,910 --> 00:32:54,760 together with other such privacy protecting technologies, 691 00:32:54,760 --> 00:32:59,760 including encryption, as the only way that individuals 692 00:32:59,760 --> 00:33:03,840 can try to enjoy, in cyberspace, the kind of privacy 693 00:33:03,840 --> 00:33:08,820 that we've traditionally enjoyed in other kinds of media. 694 00:33:08,820 --> 00:33:11,140 So Nadine, you're a law professor, 695 00:33:11,140 --> 00:33:13,500 you're a defender of the Constitution, 696 00:33:13,500 --> 00:33:16,920 and you appear to be ready to throw it all out the window 697 00:33:16,920 --> 00:33:19,170 and rely on what these guys sitting up 698 00:33:19,170 --> 00:33:21,570 at the table and our colleagues at in the audience 699 00:33:21,570 --> 00:33:22,195 have developed. 700 00:33:22,195 --> 00:33:24,870 I'd rather rely on them than the current United States Supreme 701 00:33:24,870 --> 00:33:26,738 Court, I'm sorry to say. 702 00:33:26,738 --> 00:33:28,112 [LAUGHS] 703 00:33:28,112 --> 00:33:30,860 [APPLAUSE] 704 00:33:30,860 --> 00:33:35,910 But in all seriousness, I mean, we do have, 705 00:33:35,910 --> 00:33:38,520 as you well know, a Fourth Amendment to the US 706 00:33:38,520 --> 00:33:41,338 Constitution that protects against unreasonable search 707 00:33:41,338 --> 00:33:41,880 and seizures. 708 00:33:41,880 --> 00:33:45,240 We have an extensive wiretapping law 709 00:33:45,240 --> 00:33:48,630 which prescribes very difficult hurdles 710 00:33:48,630 --> 00:33:51,870 that Phil and his colleagues have to jump through in order 711 00:33:51,870 --> 00:33:55,260 to gain access to private information, 712 00:33:55,260 --> 00:33:59,790 whether on the internet or other telecommunications systems. 713 00:33:59,790 --> 00:34:01,440 Isn't that enough for you? 
714 00:34:01,440 --> 00:34:04,830 Well, it would be if the Fourth Amendment were 715 00:34:04,830 --> 00:34:07,350 enforced in accordance with its plain language 716 00:34:07,350 --> 00:34:08,460 and original intent. 717 00:34:08,460 --> 00:34:09,991 But that's, in fact, not the case. 718 00:34:09,991 --> 00:34:11,699 We're sounding very conservative tonight. 719 00:34:11,699 --> 00:34:14,280 Really conservative. 720 00:34:14,280 --> 00:34:16,710 About almost 20 years ago, a law professor 721 00:34:16,710 --> 00:34:19,770 wrote an article called, The Incredible Shrinking Fourth 722 00:34:19,770 --> 00:34:20,580 Amendment. 723 00:34:20,580 --> 00:34:23,760 And unfortunately, it's shrunk a lot more since then. 724 00:34:23,760 --> 00:34:27,330 Most recently, just last week, the United States Supreme Court 725 00:34:27,330 --> 00:34:28,620 cut back very far. 726 00:34:28,620 --> 00:34:30,630 And I think the most pernicious thing that's 727 00:34:30,630 --> 00:34:33,420 happened to constitutional privacy doctrine 728 00:34:33,420 --> 00:34:37,350 is that rather than setting an absolute guarantee, which 729 00:34:37,350 --> 00:34:40,770 I believe the Fourth Amendment was clearly intended to do, 730 00:34:40,770 --> 00:34:43,110 it's become extremely relative. 731 00:34:43,110 --> 00:34:46,139 And this started happening about a generation ago 732 00:34:46,139 --> 00:34:49,110 when the Supreme Court said, you will only 733 00:34:49,110 --> 00:34:53,760 be protected in what you claim to be a privacy right if it 734 00:34:53,760 --> 00:34:58,560 is something that society recognizes 735 00:34:58,560 --> 00:35:02,860 where you have a legitimate expectation of privacy. 
736 00:35:02,860 --> 00:35:07,020 So if you know that your government, together 737 00:35:07,020 --> 00:35:10,170 with private actors, are putting video surveillance 738 00:35:10,170 --> 00:35:13,530 cameras in public places, if you know 739 00:35:13,530 --> 00:35:16,440 that websites are using cookies, if you 740 00:35:16,440 --> 00:35:19,800 know that your employer is engaging in wiretapping, 741 00:35:19,800 --> 00:35:24,720 you no longer have a legitimate expectation of privacy, 742 00:35:24,720 --> 00:35:26,250 says the Supreme Court. 743 00:35:26,250 --> 00:35:28,880 Sorry, the Fourth Amendment doesn't apply. 744 00:35:28,880 --> 00:35:34,050 So this vicious cycle has set up that the more we have invasions 745 00:35:34,050 --> 00:35:38,220 of privacy, the less we have constitutional protections 746 00:35:38,220 --> 00:35:40,290 against it. 747 00:35:40,290 --> 00:35:42,240 I want to get Phil's response, because we 748 00:35:42,240 --> 00:35:46,680 seem to have backed ourselves into a vicious circle where 749 00:35:46,680 --> 00:35:50,250 the lawyers are concerned about what the technologists are 750 00:35:50,250 --> 00:35:53,700 doing, and the users of the technology 751 00:35:53,700 --> 00:35:55,620 don't trust the legal system to protect them, 752 00:35:55,620 --> 00:35:58,510 so they're heading back to the technology. 753 00:35:58,510 --> 00:36:02,000 Well, if I could respond, then. 754 00:36:02,000 --> 00:36:03,830 Yes. 755 00:36:03,830 --> 00:36:05,840 You can get us out of this vicious circle. 756 00:36:05,840 --> 00:36:08,810 I don't know if I can do that. 757 00:36:08,810 --> 00:36:13,940 I, as both a human being and a member of the United States 758 00:36:13,940 --> 00:36:15,355 government, find-- 759 00:36:15,355 --> 00:36:16,355 Two separate categories? 760 00:36:16,355 --> 00:36:18,985 [LAUGHTER] 761 00:36:18,985 --> 00:36:21,800 762 00:36:21,800 --> 00:36:23,315 They are some sort of Venn diagram. 
763 00:36:23,315 --> 00:36:25,880 764 00:36:25,880 --> 00:36:27,612 Whether one is completely captured 765 00:36:27,612 --> 00:36:29,820 within the other or not, I'll leave for you to judge. 766 00:36:29,820 --> 00:36:32,480 I think there are no non humans employed by the United States 767 00:36:32,480 --> 00:36:35,210 government, it's fair to say. 768 00:36:35,210 --> 00:36:37,230 Privacy is very important to me. 769 00:36:37,230 --> 00:36:39,230 But I am not-- 770 00:36:39,230 --> 00:36:41,330 Drug sniffing dogs. 771 00:36:41,330 --> 00:36:44,660 But privacy is not an absolute right. 772 00:36:44,660 --> 00:36:47,030 It's one of a lot of rights which have 773 00:36:47,030 --> 00:36:48,590 to be taken into consideration. 774 00:36:48,590 --> 00:36:51,110 If somebody broke into your house 775 00:36:51,110 --> 00:36:53,540 and stole everything you owned, would you 776 00:36:53,540 --> 00:36:56,090 defend the right of that person to remain private? 777 00:36:56,090 --> 00:36:57,710 Probably not. 778 00:36:57,710 --> 00:37:01,898 We have, from the beginning of this country, recognized-- 779 00:37:01,898 --> 00:37:03,440 and the Fourth Amendment recognizes-- 780 00:37:03,440 --> 00:37:06,140 that there are times when we can interrupt 781 00:37:06,140 --> 00:37:08,820 people's reasonable expectations of privacy, 782 00:37:08,820 --> 00:37:11,450 particularly by getting a search warrant that allows law 783 00:37:11,450 --> 00:37:14,570 enforcement to go in and discover the things it needs 784 00:37:14,570 --> 00:37:17,510 to do to enforce the law. 785 00:37:17,510 --> 00:37:21,730 This is why anonymity is also not an absolute right. 786 00:37:21,730 --> 00:37:23,570 Frans here, was wearing a mask before. 787 00:37:23,570 --> 00:37:25,310 This may come as a shock to you, he's 788 00:37:25,310 --> 00:37:27,320 not allowed to do that in some courthouses. 
789 00:37:27,320 --> 00:37:28,970 And the Seventh Circuit, at least, 790 00:37:28,970 --> 00:37:32,210 has said that laws banning him wearing a mask in a courthouse 791 00:37:32,210 --> 00:37:34,430 is OK. 792 00:37:34,430 --> 00:37:39,260 We don't allow people to drive anonymously in the real world. 793 00:37:39,260 --> 00:37:43,700 We have to recognize that there are costs to allowing people, 794 00:37:43,700 --> 00:37:46,700 allowing the government to breach anonymity and find out 795 00:37:46,700 --> 00:37:48,290 who is doing what. 796 00:37:48,290 --> 00:37:50,570 There are benefits to doing that. 797 00:37:50,570 --> 00:37:53,120 If you give government the ability to do that, 798 00:37:53,120 --> 00:37:55,070 there will be abuses. 799 00:37:55,070 --> 00:37:58,070 If you don't give government the ability to do that, 800 00:37:58,070 --> 00:38:00,320 then there will be no law enforcement. 801 00:38:00,320 --> 00:38:03,140 That's why you have to have a balanced solution that 802 00:38:03,140 --> 00:38:05,600 takes into account what technology can provide 803 00:38:05,600 --> 00:38:08,540 and what policies can do and address 804 00:38:08,540 --> 00:38:11,690 the balance with an appropriate set of standards. 805 00:38:11,690 --> 00:38:16,250 The two questions really are, should law enforcement 806 00:38:16,250 --> 00:38:19,280 be able to trace communications on the internet 807 00:38:19,280 --> 00:38:21,450 in order to enforce the law? 808 00:38:21,450 --> 00:38:23,270 And if they should-- 809 00:38:23,270 --> 00:38:24,770 I think the answer is they should, 810 00:38:24,770 --> 00:38:27,228 that we shouldn't have no law enforcement on the internet-- 811 00:38:27,228 --> 00:38:30,500 what ought the standards be for law enforcement 812 00:38:30,500 --> 00:38:33,080 to get access to the information in order 813 00:38:33,080 --> 00:38:34,630 to trace communication. 
814 00:38:34,630 --> 00:38:35,030 Can I just interject something about-- 815 00:38:35,030 --> 00:38:36,572 Please, and then we'll come to David. 816 00:38:36,572 --> 00:38:38,870 Because the United States Supreme Court did, 817 00:38:38,870 --> 00:38:40,730 two years ago, issue-- 818 00:38:40,730 --> 00:38:42,080 four years ago, I'm sorry-- 819 00:38:42,080 --> 00:38:43,860 issue a decision. 820 00:38:43,860 --> 00:38:48,500 7 to 2 was the vote, so very lopsided in favor of the right 821 00:38:48,500 --> 00:38:51,800 to engage in anonymous expression. 822 00:38:51,800 --> 00:38:54,255 The Seventh Circuit decision was wrong, 823 00:38:54,255 --> 00:38:56,130 but that's not the highest court in the land. 824 00:38:56,130 --> 00:38:57,930 We won't get there. 825 00:38:57,930 --> 00:39:01,250 And in that case, the United States Supreme Court 826 00:39:01,250 --> 00:39:04,820 said, yes, it's not an absolute right, 827 00:39:04,820 --> 00:39:08,900 but it is a very strongly protected right, which 828 00:39:08,900 --> 00:39:13,880 means it may be limited if, but only if, government can meet 829 00:39:13,880 --> 00:39:17,000 a very high standard of proof. 830 00:39:17,000 --> 00:39:19,340 Namely, it has to show an interest 831 00:39:19,340 --> 00:39:21,740 of compelling importance. 832 00:39:21,740 --> 00:39:25,880 Thinking that Frans has a cute face that we'd like to look at 833 00:39:25,880 --> 00:39:27,680 is not of compelling importance. 834 00:39:27,680 --> 00:39:31,250 Obviously, dealing with a serious crime would be. 835 00:39:31,250 --> 00:39:32,160 Sorry. 836 00:39:32,160 --> 00:39:34,460 [LAUGHS] 837 00:39:34,460 --> 00:39:38,120 But even more importantly is the second requirement. 838 00:39:38,120 --> 00:39:42,920 And that is that there is no less restrictive alternative 839 00:39:42,920 --> 00:39:46,070 means that government can use to promote 840 00:39:46,070 --> 00:39:47,480 that compelling purpose. 
841 00:39:47,480 --> 00:39:49,940 So this case that I'm talking about 842 00:39:49,940 --> 00:39:52,490 was an ACLU case, by the way. 843 00:39:52,490 --> 00:39:57,560 We defended the right of a woman to hand out anonymous handbills 844 00:39:57,560 --> 00:40:00,950 or distribute anonymous campaign literature with respect 845 00:40:00,950 --> 00:40:04,610 to a campaign issue, a political issue. 846 00:40:04,610 --> 00:40:07,430 And the government had, the Supreme Court agreed, 847 00:40:07,430 --> 00:40:09,530 a compellingly important interest 848 00:40:09,530 --> 00:40:13,190 in being sure that there wasn't false information 849 00:40:13,190 --> 00:40:15,440 injected into the political campaign, 850 00:40:15,440 --> 00:40:19,130 but it said laws could be written that more narrowly 851 00:40:19,130 --> 00:40:22,280 would deal with that problem, laws specifically targeting 852 00:40:22,280 --> 00:40:23,630 fraud or deception. 853 00:40:23,630 --> 00:40:25,760 So I would think at the very least-- 854 00:40:25,760 --> 00:40:28,070 and maybe this is not fair-- but I 855 00:40:28,070 --> 00:40:29,780 would think at the very least, Phil, 856 00:40:29,780 --> 00:40:32,360 you would agree that the broad question that's 857 00:40:32,360 --> 00:40:36,530 posed to this panel, should the anonymous remailer be shut 858 00:40:36,530 --> 00:40:39,620 down, would have to be answered in the negative 859 00:40:39,620 --> 00:40:44,240 because your concern has to do with the kind of abuses 860 00:40:44,240 --> 00:40:46,010 that, as the Supreme Court has said, 861 00:40:46,010 --> 00:40:49,310 you don't deal with by completely prohibiting 862 00:40:49,310 --> 00:40:50,060 anonymity. 863 00:40:50,060 --> 00:40:53,510 You deal with it in a more selected, targeted, focused 864 00:40:53,510 --> 00:40:54,740 fashion. 
865 00:40:54,740 --> 00:40:57,590 Well, it seems that one of the dilemmas we have 866 00:40:57,590 --> 00:41:01,110 is that the technology-- 867 00:41:01,110 --> 00:41:03,030 I think we heard from David-- 868 00:41:03,030 --> 00:41:06,000 is not all that good at being selective. 869 00:41:06,000 --> 00:41:08,760 In other words, these guys have not 870 00:41:08,760 --> 00:41:11,970 built a political speech anonymous remailer 871 00:41:11,970 --> 00:41:15,060 that rejects any speech which is not political. 872 00:41:15,060 --> 00:41:20,060 They've not built the remailer for the late Mrs. McIntyre. 873 00:41:20,060 --> 00:41:24,570 Not-- yeah, McIntyre, who was the plaintiff in the case 874 00:41:24,570 --> 00:41:28,890 that you mentioned, they built a remailer for everyone. 875 00:41:28,890 --> 00:41:31,080 For Mrs. McIntyre, for the person 876 00:41:31,080 --> 00:41:33,990 who would harass Mrs. McIntyre, for the person who 877 00:41:33,990 --> 00:41:36,270 would blow up the city that Mrs. McIntyre 878 00:41:36,270 --> 00:41:38,350 lives in, wherever that is. 879 00:41:38,350 --> 00:41:40,890 So David, I guess the question to you, 880 00:41:40,890 --> 00:41:44,040 since you've built this stuff, is, are you 881 00:41:44,040 --> 00:41:45,960 going to help Phil out? 882 00:41:45,960 --> 00:41:50,940 Phil has said that he's going to be extra, extra, extra careful. 883 00:41:50,940 --> 00:41:53,440 And Nadine is probably going to keep Phil honest. 884 00:41:53,440 --> 00:41:57,480 She's going to go into court time, and time, and time again. 885 00:41:57,480 --> 00:42:01,830 When Phil shows up at your door with a search warrant, 886 00:42:01,830 --> 00:42:04,860 with a wiretap order for access to information, 887 00:42:04,860 --> 00:42:06,930 Nadine is a great lawyer, is going 888 00:42:06,930 --> 00:42:08,700 to figure out how to find out what 889 00:42:08,700 --> 00:42:10,080 it is that Phil is asking for. 
890 00:42:10,080 --> 00:42:12,720 And if he's asking for too much, the ACLU 891 00:42:12,720 --> 00:42:16,080 or some other organization, the defense attorney 892 00:42:16,080 --> 00:42:17,310 is going to stop Phil. 893 00:42:17,310 --> 00:42:19,380 So are you going to build something 894 00:42:19,380 --> 00:42:22,970 that gives Phil a little bit? 895 00:42:22,970 --> 00:42:28,190 Well, I think in some sense I'm interested in helping Phil out, 896 00:42:28,190 --> 00:42:31,880 but I'm coming at it from a very different angle in the sense 897 00:42:31,880 --> 00:42:34,513 that I'm very interested in making sure 898 00:42:34,513 --> 00:42:35,930 that anonymous remailers, in fact, 899 00:42:35,930 --> 00:42:39,958 can't be used to do horrible things, and commit crimes, 900 00:42:39,958 --> 00:42:40,500 and so forth. 901 00:42:40,500 --> 00:42:43,580 And in particular, probably one of the greatest threats 902 00:42:43,580 --> 00:42:47,180 of an anonymous remailer is in terms of computer security, 903 00:42:47,180 --> 00:42:49,970 potentially attacking computer systems. 904 00:42:49,970 --> 00:42:56,270 And so certainly, to the extent that we 905 00:42:56,270 --> 00:42:59,810 can do things to prevent the kinds of crimes 906 00:42:59,810 --> 00:43:02,580 that you might be worried about, I'm all in favor of that. 907 00:43:02,580 --> 00:43:05,330 And in particular, if you're worried about the White House 908 00:43:05,330 --> 00:43:07,640 receiving a lot of bomb threats, I'm 909 00:43:07,640 --> 00:43:10,140 perfectly happy if the White House comes to me and says, 910 00:43:10,140 --> 00:43:13,307 well, you're costing the Secret Service hundreds of thousands 911 00:43:13,307 --> 00:43:15,140 of dollars to search all these bomb threats, 912 00:43:15,140 --> 00:43:16,520 and you know this president isn't 913 00:43:16,520 --> 00:43:19,190 interested in getting anonymous political advice anyway, 914 00:43:19,190 --> 00:43:20,750 just stop sending us mail, right? 
915 00:43:20,750 --> 00:43:21,680 OK, no problem. 916 00:43:21,680 --> 00:43:24,138 You're not going to receive another piece of anonymous mail 917 00:43:24,138 --> 00:43:25,850 from our server if you don't want to. 918 00:43:25,850 --> 00:43:28,940 But again, that's up to you. 919 00:43:28,940 --> 00:43:33,230 I mean, one thing I'd like to add, going back a little bit, 920 00:43:33,230 --> 00:43:36,710 is that I shared Nadine's concern 921 00:43:36,710 --> 00:43:39,440 that the Fourth Amendment may be shrinking. 922 00:43:39,440 --> 00:43:42,290 But in the particular case of this anonymous remailer, 923 00:43:42,290 --> 00:43:45,890 the US government is, in fact, not the only enemy. 924 00:43:45,890 --> 00:43:49,003 And one thing that has sort of become apparent 925 00:43:49,003 --> 00:43:51,170 is that if you have anonymous systems and they fail, 926 00:43:51,170 --> 00:43:52,580 people can get hurt. 927 00:43:52,580 --> 00:43:58,932 And so one thing that I'm interested in this research, 928 00:43:58,932 --> 00:44:00,140 and I want to carry this out. 929 00:44:00,140 --> 00:44:01,665 And in order to carry this out, I 930 00:44:01,665 --> 00:44:04,040 need to really deploy the system in the real world, which 931 00:44:04,040 --> 00:44:06,610 means that there are people who are relying on this system-- 932 00:44:06,610 --> 00:44:07,610 Who's going to get hurt? 933 00:44:07,610 --> 00:44:08,150 --for their safety. 934 00:44:08,150 --> 00:44:09,150 Who's going to get hurt? 935 00:44:09,150 --> 00:44:12,413 Well, for example, people in countries 936 00:44:12,413 --> 00:44:13,580 with oppressive governments. 937 00:44:13,580 --> 00:44:16,550 Or people who have escaped cults, for example, 938 00:44:16,550 --> 00:44:18,922 and are trying to help other people escape cults. 
939 00:44:18,922 --> 00:44:20,630 There's some cults where in order to join 940 00:44:20,630 --> 00:44:22,547 you have to give a lot of personal information 941 00:44:22,547 --> 00:44:23,360 about yourself. 942 00:44:23,360 --> 00:44:24,980 And you can be seriously harassed 943 00:44:24,980 --> 00:44:29,330 afterwards if you start trying to work against the cult. 944 00:44:29,330 --> 00:44:32,780 And in particular, I have an office 945 00:44:32,780 --> 00:44:34,730 with a standard MIT lock on the door, 946 00:44:34,730 --> 00:44:37,050 and I'm sure it's not very secure. 947 00:44:37,050 --> 00:44:39,032 And if I had some machine in my office 948 00:44:39,032 --> 00:44:41,240 that actually had information that was of great value 949 00:44:41,240 --> 00:44:43,228 to someone, say, other than the US government, 950 00:44:43,228 --> 00:44:45,020 say some organization that didn't, in fact, 951 00:44:45,020 --> 00:44:46,520 care about respecting the laws, then 952 00:44:46,520 --> 00:44:48,937 I'd be worried that someone could just walk into my office 953 00:44:48,937 --> 00:44:50,330 and walk out with the machine. 954 00:44:50,330 --> 00:44:54,788 And so, if in fact, I have to worry a lot about the security 955 00:44:54,788 --> 00:44:57,080 of the system or worry about potentially getting people 956 00:44:57,080 --> 00:44:59,510 hurt, then that's going to be a serious impediment 957 00:44:59,510 --> 00:45:01,560 to my research. 958 00:45:01,560 --> 00:45:07,680 Now, Phil, you've urged us to rely on the, 959 00:45:07,680 --> 00:45:09,540 I think what we would all agree is 960 00:45:09,540 --> 00:45:13,290 the very delicate and careful balance 961 00:45:13,290 --> 00:45:16,590 that the Fourth Amendment strikes here. 962 00:45:16,590 --> 00:45:20,520 Michael Dertouzos, ever internationally-minded has 963 00:45:20,520 --> 00:45:21,540 pointed out that-- 964 00:45:21,540 --> 00:45:22,620 what did he say? 
965 00:45:22,620 --> 00:45:27,060 Only 4% of the world is in the United States. 966 00:45:27,060 --> 00:45:29,430 These guys have built the technology 967 00:45:29,430 --> 00:45:33,240 to help not just human rights workers in other countries, 968 00:45:33,240 --> 00:45:36,120 but people who live in countries which do not 969 00:45:36,120 --> 00:45:40,230 have the benefit of the Fourth Amendment protections 970 00:45:40,230 --> 00:45:42,360 that we have as US citizens. 971 00:45:42,360 --> 00:45:46,080 Now, all those people are not necessarily 972 00:45:46,080 --> 00:45:50,130 your responsibility, and I don't want to put it on you alone. 973 00:45:50,130 --> 00:45:54,450 But if you are urging the design of systems 974 00:45:54,450 --> 00:45:58,710 to strike a more careful balance between US law, 975 00:45:58,710 --> 00:46:01,020 and the rights that we have as US citizens, 976 00:46:01,020 --> 00:46:04,200 and the needs of law enforcement in a Democratic country 977 00:46:04,200 --> 00:46:08,670 like ours, what does that do in a global environment 978 00:46:08,670 --> 00:46:12,850 to people who don't have those protections available to them? 979 00:46:12,850 --> 00:46:15,670 Well, I'll steal an argument from Nadine, 980 00:46:15,670 --> 00:46:17,380 I think that argument may prove too much. 981 00:46:17,380 --> 00:46:20,130 982 00:46:20,130 --> 00:46:24,060 Police officers in other countries may use firearms 983 00:46:24,060 --> 00:46:26,820 to kill people that they shouldn't. 984 00:46:26,820 --> 00:46:29,460 That doesn't mean we don't allow police officers in the United 985 00:46:29,460 --> 00:46:31,380 States to be armed. 986 00:46:31,380 --> 00:46:34,440 The fact that a technology can be abused outside the United 987 00:46:34,440 --> 00:46:37,470 States is a fact to be taken into consideration 988 00:46:37,470 --> 00:46:40,020 in deciding what the appropriate balance is. 989 00:46:40,020 --> 00:46:41,620 But it's just an additional fact. 
990 00:46:41,620 --> 00:46:44,250 You still have to come up with a balanced policy. 991 00:46:44,250 --> 00:46:46,140 And in particular, where those systems are 992 00:46:46,140 --> 00:46:49,310 located in the United States. 993 00:46:49,310 --> 00:46:51,320 The anonymous remailer is not going 994 00:46:51,320 --> 00:46:54,770 to have to respond to requests from foreign governments. 995 00:46:54,770 --> 00:46:56,270 The requests are going to have to be 996 00:46:56,270 --> 00:46:58,430 routed through the US government. 997 00:46:58,430 --> 00:47:01,460 And the US government is going to make its own decision 998 00:47:01,460 --> 00:47:03,440 on whether it's appropriate to bring 999 00:47:03,440 --> 00:47:06,770 legal process in the United States, 1000 00:47:06,770 --> 00:47:08,870 if it's a foreign law enforcement request. 1001 00:47:08,870 --> 00:47:11,960 A more serious threat to anonymous remailers 1002 00:47:11,960 --> 00:47:14,660 may be civil lawsuits in the United States 1003 00:47:14,660 --> 00:47:18,090 about people who want access to information. 1004 00:47:18,090 --> 00:47:18,590 [INAUDIBLE] 1005 00:47:18,590 --> 00:47:19,820 Can you give us an example? 1006 00:47:19,820 --> 00:47:23,060 There's a fairly recent published case 1007 00:47:23,060 --> 00:47:29,060 involving an internet service provider where a-- 1008 00:47:29,060 --> 00:47:31,400 [INAUDIBLE] if I remember-- 1009 00:47:31,400 --> 00:47:33,500 a couple was getting divorced. 1010 00:47:33,500 --> 00:47:39,080 The new spouse of the divorced man 1011 00:47:39,080 --> 00:47:42,290 published some derogatory information 1012 00:47:42,290 --> 00:47:46,190 using a screen name on the internet 1013 00:47:46,190 --> 00:47:48,200 about the prior spouse. 
1014 00:47:48,200 --> 00:47:52,910 And the spouse who was defamed was 1015 00:47:52,910 --> 00:47:55,880 able to get the information about who did that 1016 00:47:55,880 --> 00:47:58,980 from the service provider, because there were no anonymity 1017 00:47:58,980 --> 00:47:59,480 protections. 1018 00:47:59,480 --> 00:48:01,710 It was just done under a screen name. 1019 00:48:01,710 --> 00:48:04,802 Now, you can argue that either way, 1020 00:48:04,802 --> 00:48:07,010 whether you think that's a good thing or a bad thing. 1021 00:48:07,010 --> 00:48:09,190 The ability was there in that case. 1022 00:48:09,190 --> 00:48:10,960 And you can also argue-- 1023 00:48:10,960 --> 00:48:12,940 I'm sure Nadine would say, well, there 1024 00:48:12,940 --> 00:48:15,190 weren't sufficient protections for that person's 1025 00:48:15,190 --> 00:48:16,810 anonymous identification. 1026 00:48:16,810 --> 00:48:18,310 She might be right. 1027 00:48:18,310 --> 00:48:20,740 But I think the way you address that type of problem 1028 00:48:20,740 --> 00:48:25,180 is by setting legal standards for access to the information. 1029 00:48:25,180 --> 00:48:27,340 And I'm sure Nadine will tell you that we already 1030 00:48:27,340 --> 00:48:30,442 have, with regard to government access, incredibly 1031 00:48:30,442 --> 00:48:32,775 complicated standards under the electronic communication 1032 00:48:32,775 --> 00:48:33,040 [INAUDIBLE]. 1033 00:48:33,040 --> 00:48:33,707 Tell us, Nadine. 1034 00:48:33,707 --> 00:48:35,170 Well, I agree with that. 1035 00:48:35,170 --> 00:48:38,500 And they're not nearly as protective as they should be. 
1036 00:48:38,500 --> 00:48:41,290 But I want to come back to Michael's point 1037 00:48:41,290 --> 00:48:44,300 as conveyed by Danny from a somewhat different perspective, 1038 00:48:44,300 --> 00:48:47,080 which is, I want to be very clear that I'm not here 1039 00:48:47,080 --> 00:48:51,520 advocating American imperialism in terms of exporting 1040 00:48:51,520 --> 00:48:53,710 the Fourth Amendment as originally written 1041 00:48:53,710 --> 00:48:54,460 around the world. 1042 00:48:54,460 --> 00:48:56,650 I certainly wouldn't want to export it 1043 00:48:56,650 --> 00:48:59,600 in its current watered down fashion. 1044 00:48:59,600 --> 00:49:04,990 But what we are talking about are basic concepts of privacy 1045 00:49:04,990 --> 00:49:08,530 that are respected and reflected at least as 1046 00:49:08,530 --> 00:49:11,740 strongly in international human rights law, 1047 00:49:11,740 --> 00:49:14,680 and in regional human rights agreements, 1048 00:49:14,680 --> 00:49:19,930 and in the constitutions of every country around the world. 1049 00:49:19,930 --> 00:49:22,990 Now, as is often the case in our own country, 1050 00:49:22,990 --> 00:49:26,410 sometimes those guarantees are honored in the breach. 1051 00:49:26,410 --> 00:49:31,810 But it is a standard that has been at least aspired to 1052 00:49:31,810 --> 00:49:34,900 by governments, and regional, and international bodies 1053 00:49:34,900 --> 00:49:39,280 around the world, and is advocated by cyber libertarians 1054 00:49:39,280 --> 00:49:40,420 around the world. 
1055 00:49:40,420 --> 00:49:42,370 When I work on these issues, it's 1056 00:49:42,370 --> 00:49:46,570 not only in coalition with other organizations in this country, 1057 00:49:46,570 --> 00:49:49,810 but also organizations around the world, many of which 1058 00:49:49,810 --> 00:49:53,920 are working together under euphonious named 1059 00:49:53,920 --> 00:49:57,940 GILC, which stands for the-- the first time I heard it 1060 00:49:57,940 --> 00:49:59,530 I thought, geek. 1061 00:49:59,530 --> 00:50:00,220 Not quite. 1062 00:50:00,220 --> 00:50:03,960 It's the Global Internet Liberty Campaign. 1063 00:50:03,960 --> 00:50:04,470 Frans? 1064 00:50:04,470 --> 00:50:06,095 Yeah, I just wanted to follow up 1065 00:50:06,095 --> 00:50:08,815 on this point of international and globalization. 1066 00:50:08,815 --> 00:50:10,440 And I think this is one of the problems 1067 00:50:10,440 --> 00:50:11,982 that, actually, Phil is going to face 1068 00:50:11,982 --> 00:50:14,700 is, this particular service runs in the United States, 1069 00:50:14,700 --> 00:50:17,490 but there's no reason why there couldn't 1070 00:50:17,490 --> 00:50:19,590 be a number of them outside of United States, 1071 00:50:19,590 --> 00:50:22,530 where the United States law doesn't apply at all. 1072 00:50:22,530 --> 00:50:28,710 And in fact, work even harder for you to try to, I guess, 1073 00:50:28,710 --> 00:50:31,470 create any particular piece of communication. 1074 00:50:31,470 --> 00:50:33,150 So one of the things that we have 1075 00:50:33,150 --> 00:50:35,160 to think about I think when we move forward, 1076 00:50:35,160 --> 00:50:37,920 and as the change the internet is bringing 1077 00:50:37,920 --> 00:50:42,840 is that we get this sort of universal globalization 1078 00:50:42,840 --> 00:50:46,710 and everybody can run these kinds of services. 1079 00:50:46,710 --> 00:50:49,740 And that changes, I think, some of the perspectives. 
1080 00:50:49,740 --> 00:50:52,650 Because even if we enact some law here that says, 1081 00:50:52,650 --> 00:50:55,530 we decide today, or somebody decides that nym.alias.net 1082 00:50:55,530 --> 00:50:58,030 shouldn't be running, somebody can go off, 1083 00:50:58,030 --> 00:51:00,030 and actually, our software's publicly available, 1084 00:51:00,030 --> 00:51:01,113 and run it somewhere else. 1085 00:51:01,113 --> 00:51:02,910 As a footnote, someone's actually 1086 00:51:02,910 --> 00:51:05,610 running a copy of our software in Poland. 1087 00:51:05,610 --> 00:51:07,710 And there's another copy of the software running 1088 00:51:07,710 --> 00:51:09,475 in a server in the US, also. 1089 00:51:09,475 --> 00:51:10,600 So we aren't the only site. 1090 00:51:10,600 --> 00:51:16,380 Phil, it sounds like this situation is rapidly 1091 00:51:16,380 --> 00:51:19,240 spinning out of control from your perspective. 1092 00:51:19,240 --> 00:51:22,020 I mean, we have the clear proliferation 1093 00:51:22,020 --> 00:51:25,140 of these remailers, other kinds of encryption technology, 1094 00:51:25,140 --> 00:51:27,120 as you well know. 1095 00:51:27,120 --> 00:51:31,740 And I hear in what you say, a subtle message which 1096 00:51:31,740 --> 00:51:37,230 says that it's really incumbent on the technology 1097 00:51:37,230 --> 00:51:40,080 community, the internet community, the researchers 1098 00:51:40,080 --> 00:51:43,680 here at LCS and other places, to try 1099 00:51:43,680 --> 00:51:47,460 to direct the development of this technology in a way 1100 00:51:47,460 --> 00:51:52,210 that, as you say, would have a little bit more balance to it. 1101 00:51:52,210 --> 00:51:56,370 And I'm going to try to pin you down and see 1102 00:51:56,370 --> 00:51:59,040 if you can say, what would that mean in your eyes? 1103 00:51:59,040 --> 00:52:00,660 How would the world look? 
1104 00:52:00,660 --> 00:52:03,290 1105 00:52:03,290 --> 00:52:05,615 I don't know if you can pin me down. 1106 00:52:05,615 --> 00:52:07,700 [LAUGHS] We'll see. 1107 00:52:07,700 --> 00:52:11,900 I'm a highly-trained lawyer. 1108 00:52:11,900 --> 00:52:15,050 First, I'll give an uncharacteristically brief 1109 00:52:15,050 --> 00:52:17,060 response to what Frans was saying, 1110 00:52:17,060 --> 00:52:19,820 and that's, Frans is right. 1111 00:52:19,820 --> 00:52:24,800 The globalization causes us severe problems. 1112 00:52:24,800 --> 00:52:26,790 One thing computer hackers do, for example, 1113 00:52:26,790 --> 00:52:29,452 is they break into a series of computers 1114 00:52:29,452 --> 00:52:31,160 before they get to their eventual target, 1115 00:52:31,160 --> 00:52:33,410 and they intentionally cross international borders 1116 00:52:33,410 --> 00:52:35,450 to make it more difficult for law enforcement. 1117 00:52:35,450 --> 00:52:37,940 You do the same thing with anonymous remailers. 1118 00:52:37,940 --> 00:52:40,100 You can go through a chain of anonymous remailers 1119 00:52:40,100 --> 00:52:42,740 crossing borders, so that if we want to try and trace 1120 00:52:42,740 --> 00:52:47,030 the communication we've got to work with 8, or 10, or 20 1121 00:52:47,030 --> 00:52:49,910 odd countries in order to try and trace it. 1122 00:52:49,910 --> 00:52:54,350 That is becoming a more and more difficult burden for us 1123 00:52:54,350 --> 00:52:57,500 because it's very rare that we deal with a computer intrusion 1124 00:52:57,500 --> 00:53:01,410 case, for example, that doesn't have an international element. 1125 00:53:01,410 --> 00:53:03,980 But it may not be an insuperable-- 1126 00:53:03,980 --> 00:53:05,930 excuse me-- an insuperable burden 1127 00:53:05,930 --> 00:53:09,000 if people keep the relevant records 1128 00:53:09,000 --> 00:53:11,730 and are able to assist us. 
1129 00:53:11,730 --> 00:53:15,000 The reason-- now, moving on to your not pin me down question-- 1130 00:53:15,000 --> 00:53:19,320 I cannot give you an absolute prescription on what people 1131 00:53:19,320 --> 00:53:21,480 should do now or shouldn't do now. 1132 00:53:21,480 --> 00:53:26,460 I think, like apparently the MIT anonymous remailer has done, 1133 00:53:26,460 --> 00:53:29,730 they need to keep into account what the risks are. 1134 00:53:29,730 --> 00:53:31,770 And they need to assist law enforcement 1135 00:53:31,770 --> 00:53:34,110 when law enforcement comes knocking 1136 00:53:34,110 --> 00:53:37,740 at the door with appropriate legal process. 1137 00:53:37,740 --> 00:53:39,240 As I said before, there shouldn't 1138 00:53:39,240 --> 00:53:41,760 be a first resort to law. 1139 00:53:41,760 --> 00:53:44,190 There should generally be a first resort 1140 00:53:44,190 --> 00:53:46,500 to technology and policy. 1141 00:53:46,500 --> 00:53:48,780 And I can't give you a prescription 1142 00:53:48,780 --> 00:53:51,630 because over the years, and in internet time, 1143 00:53:51,630 --> 00:53:54,360 over the hours or days, I don't know what 1144 00:53:54,360 --> 00:53:55,740 technology is going to bring. 1145 00:53:55,740 --> 00:53:57,840 I don't know how this is going to develop. 1146 00:53:57,840 --> 00:54:01,140 This all may be moot because we may have-- 1147 00:54:01,140 --> 00:54:06,870 in six months, we may have a universal anonymous 1148 00:54:06,870 --> 00:54:08,983 infrastructure that's going to prevent the tracing 1149 00:54:08,983 --> 00:54:09,900 of any communications. 1150 00:54:09,900 --> 00:54:12,120 That's going to be a very different world. 1151 00:54:12,120 --> 00:54:16,260 And that might cause Congress to consider legal solutions. 
1152 00:54:16,260 --> 00:54:20,670 But you have to look at each step of the way 1153 00:54:20,670 --> 00:54:23,130 and see where you are, what technology can do for you, 1154 00:54:23,130 --> 00:54:25,320 what policy can do for you, and balance 1155 00:54:25,320 --> 00:54:28,280 the harms at that point. 1156 00:54:28,280 --> 00:54:29,340 So-- 1157 00:54:29,340 --> 00:54:31,090 And I'm not going to tell you to shut down 1158 00:54:31,090 --> 00:54:32,048 the anonymous remailer. 1159 00:54:32,048 --> 00:54:33,400 No, no, no, I know you're not. 1160 00:54:33,400 --> 00:54:38,650 But let me take a little straw poll, because clearly 1161 00:54:38,650 --> 00:54:41,380 no one's going to say shut it down, Michael. 1162 00:54:41,380 --> 00:54:41,980 Can we go now? 1163 00:54:41,980 --> 00:54:43,647 You should give them a chance to say it. 1164 00:54:43,647 --> 00:54:45,730 I defend their free speech right to say that. 1165 00:54:45,730 --> 00:54:46,390 [INAUDIBLE] 1166 00:54:46,390 --> 00:54:49,090 Of course you do, of course you do. 1167 00:54:49,090 --> 00:54:53,770 But I don't think anybody is even inclined, even Phil. 1168 00:54:53,770 --> 00:54:59,170 Now, let's see if we could get to a closer question. 1169 00:54:59,170 --> 00:55:03,280 Should the policy fact that you read 1170 00:55:03,280 --> 00:55:07,660 from, what I understand to be, more or less, the rules 1171 00:55:07,660 --> 00:55:14,170 that the remailer operators have agreed to guide themselves by, 1172 00:55:14,170 --> 00:55:19,570 should they say that they will not, if they can help it, 1173 00:55:19,570 --> 00:55:24,640 or that or the remailer should not be used in a chain 1174 00:55:24,640 --> 00:55:27,670 with a remailer in a country to which US law 1175 00:55:27,670 --> 00:55:30,925 enforcement does not have access through valid legal process? 
1176 00:55:30,925 --> 00:55:34,040 1177 00:55:34,040 --> 00:55:37,440 In other words, let's try to accommodate-- oh I stumped 1178 00:55:37,440 --> 00:55:37,940 Phil. 1179 00:55:37,940 --> 00:55:38,720 That's great. 1180 00:55:38,720 --> 00:55:39,570 In other words-- 1181 00:55:39,570 --> 00:55:41,850 This is the way to duck the question [INAUDIBLE].. 1182 00:55:41,850 --> 00:55:45,020 In other words, what we've understood here 1183 00:55:45,020 --> 00:55:50,150 is that if people use the remailer carelessly, 1184 00:55:50,150 --> 00:55:52,970 it's no problem for law enforcement. 1185 00:55:52,970 --> 00:55:55,910 If people use the remailer very cleverly, 1186 00:55:55,910 --> 00:55:57,830 and get good legal advice, and figure out 1187 00:55:57,830 --> 00:56:00,600 that they need to send their mail through a remailer chain, 1188 00:56:00,600 --> 00:56:03,080 including some country that has no wiretapping law 1189 00:56:03,080 --> 00:56:11,330 or won't answer US court orders or US requests for assistance, 1190 00:56:11,330 --> 00:56:16,640 then they've got a pretty good chance of evading access 1191 00:56:16,640 --> 00:56:17,870 by US law enforcement. 1192 00:56:17,870 --> 00:56:20,600 Should these guys, out of the goodness 1193 00:56:20,600 --> 00:56:25,670 of their hearts, being good netizens, 1194 00:56:25,670 --> 00:56:29,390 say that they will try to prevent that and encourage 1195 00:56:29,390 --> 00:56:34,127 people who use their service to abide by that policy? 1196 00:56:34,127 --> 00:56:35,210 But just a technical note. 1197 00:56:35,210 --> 00:56:39,020 I mean, we would potentially also need to keep logs for-- 1198 00:56:39,020 --> 00:56:40,500 I understand you can't enforce it. 1199 00:56:40,500 --> 00:56:41,875 I'm not asking you to enforce it. 1200 00:56:41,875 --> 00:56:43,850 You don't want to force any of the policies 1201 00:56:43,850 --> 00:56:46,280 in your policy fact, now. 
1202 00:56:46,280 --> 00:56:48,050 All you do is you say, here are the rules 1203 00:56:48,050 --> 00:56:51,990 for being a good citizen using our remailer. 1204 00:56:51,990 --> 00:56:55,070 I'm proposing to add another rule. 1205 00:56:55,070 --> 00:56:57,050 Nadine? 1206 00:56:57,050 --> 00:57:00,620 I suppose there's no harm in encouraging people to do it, 1207 00:57:00,620 --> 00:57:04,510 as long as it's not enforceable and there are no sanctions. 1208 00:57:04,510 --> 00:57:06,980 [LAUGHTER] 1209 00:57:06,980 --> 00:57:08,630 I defend their right to encourage 1210 00:57:08,630 --> 00:57:10,770 as a form of advocacy. 1211 00:57:10,770 --> 00:57:13,350 But again, one point where we agree-- 1212 00:57:13,350 --> 00:57:16,820 and I think that's partly why Phil can't be pinned down-- 1213 00:57:16,820 --> 00:57:19,550 is we don't want policy to be shaped 1214 00:57:19,550 --> 00:57:23,120 by the worst-case scenario, because maybe the person who 1215 00:57:23,120 --> 00:57:25,880 wants that kind of untraceable routing 1216 00:57:25,880 --> 00:57:29,000 has what we would all agree is not only legitimate, 1217 00:57:29,000 --> 00:57:32,590 but indeed, even a compelling reason for doing it. 1218 00:57:32,590 --> 00:57:35,090 In fact, it may even be a law enforcement reason. 1219 00:57:35,090 --> 00:57:36,860 Maybe this is somebody who is going 1220 00:57:36,860 --> 00:57:41,450 to provide some tips about a crime that's been committed, 1221 00:57:41,450 --> 00:57:45,920 but fears for his or her safety if the identity comes to light. 1222 00:57:45,920 --> 00:57:47,900 So it may actually be an informant 1223 00:57:47,900 --> 00:57:51,335 who's trying to help Phil crack one of his cases open. 1224 00:57:51,335 --> 00:57:52,730 [LAUGHTER] 1225 00:57:52,730 --> 00:57:56,400 Let me see if I can answer the question this way. 
1226 00:57:56,400 --> 00:57:59,900 What we are approaching now is perilously close 1227 00:57:59,900 --> 00:58:03,140 to a lose-lose situation on the internet, 1228 00:58:03,140 --> 00:58:06,080 generally, and not with respect to this anonymous remailer, 1229 00:58:06,080 --> 00:58:11,570 where legitimate citizens who are out there surfing the web 1230 00:58:11,570 --> 00:58:13,910 have little, if no privacy, because they're 1231 00:58:13,910 --> 00:58:17,300 tracked by commercial interests, et cetera. 1232 00:58:17,300 --> 00:58:20,750 But people who want to engage in criminal activity 1233 00:58:20,750 --> 00:58:23,360 can obtain nearly perfect privacy 1234 00:58:23,360 --> 00:58:27,050 by using things such as anonymous web browsing services 1235 00:58:27,050 --> 00:58:28,910 and anonymous emailers. 1236 00:58:28,910 --> 00:58:32,020 Essentially, we're reaching a level 1237 00:58:32,020 --> 00:58:36,340 where just the cognoscenti have privacy, 1238 00:58:36,340 --> 00:58:38,980 and criminals who have motive can 1239 00:58:38,980 --> 00:58:41,170 become part of the cognoscenti. 1240 00:58:41,170 --> 00:58:46,567 And I don't think that situation is advantageous for anyone. 1241 00:58:46,567 --> 00:58:49,561 [APPLAUSE] 1242 00:58:49,561 --> 00:58:51,560 1243 00:58:51,560 --> 00:58:54,390 What you can do about that, Frans? 1244 00:58:54,390 --> 00:58:57,463 Well, it seems to me that good criminals and clever criminals 1245 00:58:57,463 --> 00:58:58,880 have access to the same technology 1246 00:58:58,880 --> 00:58:59,880 that everybody else has. 1247 00:58:59,880 --> 00:59:02,630 And if they have access to good crypto stuff, 1248 00:59:02,630 --> 00:59:08,100 they can commit and communicate in any degree of security 1249 00:59:08,100 --> 00:59:08,600 they like. 
1250 00:59:08,600 --> 00:59:15,350 And nym.alias.net or any of the other services, I don't think, 1251 00:59:15,350 --> 00:59:19,340 offer any additional benefit than existing technologies 1252 00:59:19,340 --> 00:59:21,170 for committing crimes. 1253 00:59:21,170 --> 00:59:24,650 And I don't see what any additional benefit a criminal 1254 00:59:24,650 --> 00:59:25,550 would get. 1255 00:59:25,550 --> 00:59:27,350 If you're going to go down that line, 1256 00:59:27,350 --> 00:59:28,880 I think the debate really is going 1257 00:59:28,880 --> 00:59:32,510 to go about whether people should be allowed to use crypto 1258 00:59:32,510 --> 00:59:33,590 technology or not. 1259 00:59:33,590 --> 00:59:37,850 And what we're providing, or what nym.alias.net provides 1260 00:59:37,850 --> 00:59:42,210 is basically one application of cryptology. 1261 00:59:42,210 --> 00:59:42,710 David? 1262 00:59:42,710 --> 00:59:45,830 If I could add, first of all, a lot 1263 00:59:45,830 --> 00:59:48,290 of the building blocks for privacy 1264 00:59:48,290 --> 00:59:51,380 are very, very basic things that are easy to obtain. 
1265 00:59:51,380 --> 00:59:54,600 So to take a particularly, maybe oversimple example, 1266 00:59:54,600 --> 00:59:58,113 if you have two criminals who want to plot some terrorist act 1267 00:59:58,113 --> 01:00:00,530 and they don't want you to know that they're communicating 1268 01:00:00,530 --> 01:00:03,250 with each other, they could each take out classified ads 1269 01:00:03,250 --> 01:00:05,750 in The New York Times every day, or do the equivalent, which 1270 01:00:05,750 --> 01:00:08,810 is post to this newsgroup called alt.anonymous.messages, 1271 01:00:08,810 --> 01:00:11,270 where they're just all these encrypted messages going by, 1272 01:00:11,270 --> 01:00:13,635 and presumably people are downloading the ones that 1273 01:00:13,635 --> 01:00:16,010 are destined to them, but you don't know where it's going 1274 01:00:16,010 --> 01:00:18,590 or who's reading what. 1275 01:00:18,590 --> 01:00:22,070 Definitely one of the goals of nym.alias.net 1276 01:00:22,070 --> 01:00:24,780 is to make this technology more available. 1277 01:00:24,780 --> 01:00:27,750 And we've done it in at least sort of a one-sided way. 1278 01:00:27,750 --> 01:00:30,800 So one thing that people were particularly appreciative 1279 01:00:30,800 --> 01:00:33,380 of in the surveys we sent out is that, for example, 1280 01:00:33,380 --> 01:00:36,565 this humanitarian aid worker said 1281 01:00:36,565 --> 01:00:38,690 that there was no way his or her friends were going 1282 01:00:38,690 --> 01:00:40,670 to learn how to use PGP, and encryption software, 1283 01:00:40,670 --> 01:00:41,460 and all this stuff. 1284 01:00:41,460 --> 01:00:43,918 But this person was willing to put in the time to learn it. 1285 01:00:43,918 --> 01:00:46,850 And then, this person could use nym.alias.net to communicate 1286 01:00:46,850 --> 01:00:47,630 with other people. 1287 01:00:47,630 --> 01:00:50,360 And the nym just looked like an ordinary email address. 
1288 01:00:50,360 --> 01:00:52,797 So that at least now you can communicate with people. 1289 01:00:52,797 --> 01:00:54,380 If you need privacy, you can learn it. 1290 01:00:54,380 --> 01:00:58,610 And you don't need to make all your friends learn this stuff. 1291 01:00:58,610 --> 01:01:00,410 And again, there's a lot of work to be 1292 01:01:00,410 --> 01:01:02,602 done in making this stuff easier to use. 1293 01:01:02,602 --> 01:01:04,310 And people have actually written software 1294 01:01:04,310 --> 01:01:05,840 to help make it easier to use. 1295 01:01:05,840 --> 01:01:08,370 But I absolutely agree that there's a lot to be done. 1296 01:01:08,370 --> 01:01:12,950 And I hope that things happen to make privacy easier for people 1297 01:01:12,950 --> 01:01:14,900 who are not computer literate. 1298 01:01:14,900 --> 01:01:17,320 I definitely think that's an important problem. 1299 01:01:17,320 --> 01:01:20,380 Well, David, I think you're bringing us to a close here. 1300 01:01:20,380 --> 01:01:22,900 I think that we've learned, on the one hand, 1301 01:01:22,900 --> 01:01:26,020 that no one's ready to shut this remailer down. 1302 01:01:26,020 --> 01:01:30,130 I also think we've learned that the lose-lose scenario 1303 01:01:30,130 --> 01:01:34,960 that Phil describes where privacy is inaccessible to most 1304 01:01:34,960 --> 01:01:40,540 and, in fact, used harmfully by some is also not a scenario 1305 01:01:40,540 --> 01:01:43,920 judging by the Gallup poll of this audience, 1306 01:01:43,920 --> 01:01:45,940 that anyone wants to encourage. 1307 01:01:45,940 --> 01:01:47,890 In the spirit of this conference, 1308 01:01:47,890 --> 01:01:50,860 in the spirit of looking forward 35 years, 1309 01:01:50,860 --> 01:01:53,090 creating the future world of information, 1310 01:01:53,090 --> 01:01:54,790 I just want to ask all of you-- 1311 01:01:54,790 --> 01:01:57,493 David gave his closing hopes, I think. 
1312 01:01:57,493 --> 01:01:59,410 I want to ask all of you, starting with Frans, 1313 01:01:59,410 --> 01:02:03,160 to just give us a sense of how you'd 1314 01:02:03,160 --> 01:02:07,720 like the techniques of anonymity to look on the net 1315 01:02:07,720 --> 01:02:10,850 as we go forward. 1316 01:02:10,850 --> 01:02:15,155 I guess the two-- 1317 01:02:15,155 --> 01:02:16,280 one way [INAUDIBLE] common. 1318 01:02:16,280 --> 01:02:20,600 Basically, I think if we like to see the technology develop 1319 01:02:20,600 --> 01:02:24,290 in the direction where more and more people can get access 1320 01:02:24,290 --> 01:02:27,380 to technology easily so that their privacy is protected. 1321 01:02:27,380 --> 01:02:31,730 And as Nadine pointed out, it's sort of a wild wild west there 1322 01:02:31,730 --> 01:02:36,640 on the internet, and privacy is really ill-protected, 1323 01:02:36,640 --> 01:02:38,630 and there's a lot of commercial efforts going 1324 01:02:38,630 --> 01:02:40,880 on trying to figure out who somebody is 1325 01:02:40,880 --> 01:02:42,410 and trying to record things. 1326 01:02:42,410 --> 01:02:45,060 And as was pointed out in the talk, 1327 01:02:45,060 --> 01:02:47,900 and, in fact, was pointed out in the haystack talk, 1328 01:02:47,900 --> 01:02:51,740 it's basically you say something now, or do something now, 1329 01:02:51,740 --> 01:02:53,690 and 10 years later, and you can still 1330 01:02:53,690 --> 01:02:57,300 be able to find it and exactly discover what you did. 1331 01:02:57,300 --> 01:03:00,110 And it also came out, I think, in Ron's talk very clearly. 1332 01:03:00,110 --> 01:03:05,670 So figuring out technology that will protect privacy of users 1333 01:03:05,670 --> 01:03:08,170 in the internet, I think, is going to be a crucial question, 1334 01:03:08,170 --> 01:03:10,760 and I would like to see that happen.
1335 01:03:10,760 --> 01:03:12,420 At the same time, I think it's going 1336 01:03:12,420 --> 01:03:14,810 to be crucial to figure out in the next-- whatever-- 1337 01:03:14,810 --> 01:03:18,320 a couple of decades, what this division is between law 1338 01:03:18,320 --> 01:03:20,930 enforcement, or under the laws, and the legal laws 1339 01:03:20,930 --> 01:03:22,610 in the technology. 1340 01:03:22,610 --> 01:03:25,083 And that struck me as a very important point, 1341 01:03:25,083 --> 01:03:26,750 because we certainly want to be the case 1342 01:03:26,750 --> 01:03:34,462 that if somebody commits a crime, they face prosecution. 1343 01:03:34,462 --> 01:03:36,170 Since this is the sort of final comments, 1344 01:03:36,170 --> 01:03:38,660 I want to make and one more other comment. 1345 01:03:38,660 --> 01:03:42,140 And actually, I want to thank all the people that actually 1346 01:03:42,140 --> 01:03:44,770 have made it possible to be able to run the service 1347 01:03:44,770 --> 01:03:46,020 over the last couple of years. 1348 01:03:46,020 --> 01:03:47,060 I mean, there are a lot of people, actually, some 1349 01:03:47,060 --> 01:03:50,300 in the audience, so many outside of here that helped us 1350 01:03:50,300 --> 01:03:52,520 in running the service and dealing 1351 01:03:52,520 --> 01:03:55,850 with some of the problematic issues that we faced. 1352 01:03:55,850 --> 01:03:58,847 And that's why I want to make sure that those people get 1353 01:03:58,847 --> 01:03:59,930 the appropriate thank you. 1354 01:03:59,930 --> 01:04:03,494 And Phil, you can thank those people, too, if you choose. 1355 01:04:03,494 --> 01:04:05,370 Please. 1356 01:04:05,370 --> 01:04:05,950 Am I next? 1357 01:04:05,950 --> 01:04:06,450 Yes. 1358 01:04:06,450 --> 01:04:07,300 OK. 1359 01:04:07,300 --> 01:04:11,020 I'll briefly return to an analogy Nadine drew earlier, 1360 01:04:11,020 --> 01:04:13,960 because I'm not really sure she'd like where it goes. 
1361 01:04:13,960 --> 01:04:18,730 She indicated briefly that I was a person who 1362 01:04:18,730 --> 01:04:22,940 wanted to ban the use of the automobile. 1363 01:04:22,940 --> 01:04:25,180 But if you think about the illogical 1364 01:04:25,180 --> 01:04:29,740 result of that analogy, we have people use automobiles, 1365 01:04:29,740 --> 01:04:31,960 but you have to have a driver's license to use them, 1366 01:04:31,960 --> 01:04:34,970 and you have to identify yourself to drive the car. 1367 01:04:34,970 --> 01:04:37,270 So I think the logical extension of that is everyone 1368 01:04:37,270 --> 01:04:38,687 can use computers on the internet, 1369 01:04:38,687 --> 01:04:40,930 but you've got to identify yourself to government 1370 01:04:40,930 --> 01:04:44,200 and get a license to do it. 1371 01:04:44,200 --> 01:04:47,170 I don't think anybody here wants to go there. 1372 01:04:47,170 --> 01:04:50,245 So let's just leave that analogy behind. 1373 01:04:50,245 --> 01:04:55,740 1374 01:04:55,740 --> 01:04:58,680 I guess the concluding point comes from something 1375 01:04:58,680 --> 01:05:01,770 that Frans said, which is-- 1376 01:05:01,770 --> 01:05:04,590 and this comes up all the time in the encryption debate-- 1377 01:05:04,590 --> 01:05:07,602 the best criminals are going to use-- 1378 01:05:07,602 --> 01:05:09,060 no matter what government policy is 1379 01:05:09,060 --> 01:05:10,435 in encryption-- strong encryption 1380 01:05:10,435 --> 01:05:12,360 that doesn't allow for government access. 1381 01:05:12,360 --> 01:05:14,070 The best criminals on the internet 1382 01:05:14,070 --> 01:05:17,340 are always going to be able to obtain anonymity. 
1383 01:05:17,340 --> 01:05:21,210 In designing systems, in designing procedures, 1384 01:05:21,210 --> 01:05:24,060 for example, building in things like digital signatures 1385 01:05:24,060 --> 01:05:26,640 into products that will help law enforcement 1386 01:05:26,640 --> 01:05:28,710 determine who's engaging in communications, 1387 01:05:28,710 --> 01:05:30,750 if it's a part of a standard. 1388 01:05:30,750 --> 01:05:35,790 In designing products, and in designing policies and systems, 1389 01:05:35,790 --> 01:05:38,220 if we can do that so that you can 1390 01:05:38,220 --> 01:05:41,850 help law enforcement catch the stupid criminals, 1391 01:05:41,850 --> 01:05:43,057 that's a big help. 1392 01:05:43,057 --> 01:05:46,470 [APPLAUSE] 1393 01:05:46,470 --> 01:05:51,810 Nadine, the fate of the smart criminals are in your hands. 1394 01:05:51,810 --> 01:05:54,810 I don't want to get too much off into the driving analogy, 1395 01:05:54,810 --> 01:05:56,970 but I want to assure everybody out there 1396 01:05:56,970 --> 01:06:01,830 that the ACLU is constantly, and to some degree with success, 1397 01:06:01,830 --> 01:06:06,330 challenging violations of privacy that are now committed 1398 01:06:06,330 --> 01:06:08,760 in the name of driving. 1399 01:06:08,760 --> 01:06:13,080 In fact, here in Massachusetts, we recently 1400 01:06:13,080 --> 01:06:17,190 won the right of drivers to keep their Social Security numbers 1401 01:06:17,190 --> 01:06:19,350 off those licenses, because that's, as you know, 1402 01:06:19,350 --> 01:06:22,490 a major way to invade data privacy. 1403 01:06:22,490 --> 01:06:26,740 But when Danny asked us to look ahead 35 years, 1404 01:06:26,740 --> 01:06:28,440 I did a little bit of calculation here 1405 01:06:28,440 --> 01:06:33,390 and I thought, where were we 35 years ago, which was 1964. 
1406 01:06:33,390 --> 01:06:36,750 In 1964, the United States Supreme Court 1407 01:06:36,750 --> 01:06:41,130 was still ruling that wiretapping was not 1408 01:06:41,130 --> 01:06:44,550 a search and seizure that was subject to the Fourth Amendment 1409 01:06:44,550 --> 01:06:45,060 at all. 1410 01:06:45,060 --> 01:06:48,540 That was a decision they made back in 1927 1411 01:06:48,540 --> 01:06:53,430 over an eloquent dissent by Justice Louis Brandeis who 1412 01:06:53,430 --> 01:06:58,110 issued ringing words that are still uncannily true today. 1413 01:06:58,110 --> 01:06:59,610 And unfortunately, I'm going to have 1414 01:06:59,610 --> 01:07:02,430 to paraphrase because I didn't bring the quote with me. 1415 01:07:02,430 --> 01:07:06,780 But basically the concept was that government is always 1416 01:07:06,780 --> 01:07:09,630 going to come up with new technologies that 1417 01:07:09,630 --> 01:07:13,980 can be used to invade individual freedom even more 1418 01:07:13,980 --> 01:07:18,090 effectively than the means that were available that prompted 1419 01:07:18,090 --> 01:07:20,760 the framers to write the Fourth Amendment, the First 1420 01:07:20,760 --> 01:07:24,810 Amendment, other individual freedoms into our Constitution. 1421 01:07:24,810 --> 01:07:28,590 And we cannot just throw those freedoms to the wind 1422 01:07:28,590 --> 01:07:32,730 because of the initial temptation to be panicked about 1423 01:07:32,730 --> 01:07:36,630 the potential abuses of the new technology. 1424 01:07:36,630 --> 01:07:38,790 But we've repeatedly gone through this cycle, 1425 01:07:38,790 --> 01:07:41,730 not only in American history, but around the world when 1426 01:07:41,730 --> 01:07:43,800 the printing press was first invented, 1427 01:07:43,800 --> 01:07:45,870 panic on the part of governments. 
1428 01:07:45,870 --> 01:07:49,050 We've got to license it, prior restraint, all of this danger 1429 01:07:49,050 --> 01:07:51,390 can be used by criminals, it can corrupt children, 1430 01:07:51,390 --> 01:07:53,310 the same litany that we subsequently 1431 01:07:53,310 --> 01:07:56,220 heard with every new technology, and now we're 1432 01:07:56,220 --> 01:07:57,420 hearing with the internet. 1433 01:07:57,420 --> 01:08:00,360 But after a while, the panic subsides. 1434 01:08:00,360 --> 01:08:03,540 People understand that it's more alike than it's dissimilar, 1435 01:08:03,540 --> 01:08:07,440 that the positive uses far outweigh the dangerous uses, 1436 01:08:07,440 --> 01:08:10,690 that alternative means can be found to deal with the danger. 1437 01:08:10,690 --> 01:08:14,280 So I hope that, and believe strongly, 1438 01:08:14,280 --> 01:08:18,450 that 35 years from now, the panic about this supposed 1439 01:08:18,450 --> 01:08:22,920 unique dangers of the internet will seem as antiquated 1440 01:08:22,920 --> 01:08:27,810 as the panic that first withdrew constitutional protection 1441 01:08:27,810 --> 01:08:30,880 from earlier technologies. 1442 01:08:30,880 --> 01:08:32,040 Thank you, Nadine. 1443 01:08:32,040 --> 01:08:33,779 I think that the panel has really 1444 01:08:33,779 --> 01:08:39,420 done us a tremendous service, because not only have you 1445 01:08:39,420 --> 01:08:42,750 really helped us to think through the issues about today 1446 01:08:42,750 --> 01:08:45,100 and what we ought to be doing today, 1447 01:08:45,100 --> 01:08:46,950 but I think that you've helped us 1448 01:08:46,950 --> 01:08:49,950 really to frame what we all have to be thinking about 1449 01:08:49,950 --> 01:08:52,920 as we try to put privacy and other important values 1450 01:08:52,920 --> 01:08:55,020 into Oxygen going forward. 1451 01:08:55,020 --> 01:08:59,229 With that, back to Bob Metcalfe, our able master of ceremonies. 1452 01:08:59,229 --> 01:08:59,939 Thanks very much.
1453 01:08:59,939 --> 01:09:00,500 [APPLAUSE] 1454 01:09:00,500 --> 01:09:01,150 Thank you, all. 1455 01:09:01,150 --> 01:09:07,260 1456 01:09:07,260 --> 01:09:10,020 This marks the end of the presentations for the day. 1457 01:09:10,020 --> 01:09:11,600 Don't forget that tomorrow morning 1458 01:09:11,600 --> 01:09:16,282 we start sharply at 8:30 at the nearby Johnson Center. 1459 01:09:16,282 --> 01:09:17,990 And to help you find it tomorrow morning, 1460 01:09:17,990 --> 01:09:21,793 we're going to go there now just to show you where it is. 1461 01:09:21,793 --> 01:09:23,210 Incidentally, I want to remind you 1462 01:09:23,210 --> 01:09:27,529 that we have a special security event tomorrow in connection 1463 01:09:27,529 --> 01:09:29,779 with the visit of the Chinese Premier. 1464 01:09:29,779 --> 01:09:31,850 So you could come early if you wanted. 1465 01:09:31,850 --> 01:09:34,220 It would be OK to come early, rather than try 1466 01:09:34,220 --> 01:09:37,580 to think you're going to get in just at the last minute. 1467 01:09:37,580 --> 01:09:39,229 And now, we're going to move over 1468 01:09:39,229 --> 01:09:42,590 to the Johnson Center for a reception and for demos. 1469 01:09:42,590 --> 01:09:44,720 There's a bunch of demos waiting for you now 1470 01:09:44,720 --> 01:09:46,580 at the Johnson Center. 1471 01:09:46,580 --> 01:09:47,960 Good evening. 1472 01:09:47,960 --> 01:09:51,010 [APPLAUSE] 1473 01:09:51,010 --> 01:09:59,000