Main

June 17, 2011

If you build it...

Lawrence Lessig once famously wrote that "Code is law". Today, at the last day of this year's Computers, Freedom, and Privacy, Ross Anderson's talk about the risks of centralized databases suggested a corollary: Architecture is policy. (A great line and all mine, so I thought, until reminded that only last year CFP had an EFF-hosted panel called exactly that.)

You may *say* that you value patient (for example) privacy. And you may believe that your role-based access rules will be sufficient to protect a centralized database of personal health information (for example), but do the math. The NHS's central database, Anderson said, includes data on 50 million people that is accessible by 800,000 people - about the same number as had access to the diplomatic cables that wound up being published by Wikileaks. And we all saw how well that worked. (Perhaps the Wikileaks Unit could be pressed into service as a measure of security risk.)

So if you want privacy-protective systems, you want the person vendors build for - "the man with the checkbook" to be someone who understands what policies will actually be implemented by your architecture and who will be around the table at the top level of government, where policy is being drafted. When the man with the checkbook is a doctor, you get a very different, much more functional, much more privacy protective system. When governments recruit and listen to a CIO you do not get a giant centralized, administratively convenient Wikileaks Unit.

How big is the threat?

Assessing that depends a lot, said Bruce Schneier, on whether you accept the rhetoric of cyberwar (Americans, he noted, are only willing to use the word "war" when there are no actual bodies involved). If we are at war, we are a population to be subdued; if we are in peacetime we are citizens to protect. The more the rhetoric around cyberwar takes over the headlines, the harder it will be to get privacy protection accepted as an important value. So many other debates all unfold differently depending whether we are rhetorically at war or at peace: attribution and anonymity; the Internet kill switch; built-in and pervasive wiretapping. The decisions we make to defend ourselves in wartime are the same ones that make us more vulnerable in peacetime.

"Privacy is a luxury in wartime."

Instead, "This" - Stuxnet, attacks on Sony and Citibank, state-tolerated (if not state-sponsored) hacking - "is what cyberspace looks like in peacetime." He might have, but didn't, say, "This is the new normal." But if on the Internet in 1995 no one knew you were a dog; on the Internet in 2011 no one knows whether your cyberattack was launched by a government-sponsored military operation or a couple of guys in a Senegalese cybercafé.

Why Senegalese? Because earlier, Mouhamadou Lo, a legal advisor from the Computing Agency of Senegal, had explained that cybercrime affects everyone. "Every street has two or three cybercafés," he said. "People stay there morning to evening and send spam around the world." And every day in his own country there are one or two victims. "it shows that cybercrime is worldwide."

And not only crime. The picture of a young Senegalese woman, posted in Facebook, appeared in the press in connection with the Strauss-Kahn affair because it seemed to correspond to a description given of the woman in the case. She did nothing wrong; but there are still consequences back home.

Somehow I doubt the solution to any of this will be found in the trend the ACLU's Jay Stanley and others highlighted towards robot policing. Forget black helicopters and CCTV; what about infrared cameras that capture private moments in the dark and helicopters the size of hummingbirds that "hover and stare". The mayor of Ogden, Utah wants blimps over his city, and, as Vernon M Keenan, director of the Georgia Bureau of Investigation put it, "Law enforcement does not do a good job of looking at new technologies through the prism of civil liberties."

Imagine, said the ACLU's Jay Stanley: "The chilling prospect of 100 percent enforcement."

Final conference thoughts, in no particular order:

- This is the first year of CFP (and I've been going since 1994) where Europe and the UK are well ahead on considering a number of issues. One was geotracking (Europe has always been ahead in mobile phones); but also electronic health care records and how to manage liability for online content. "Learn from our mistakes!" pleaded one Dutch speaker (re health records).

- #followfriday: @sfmnemonic; @privacywonk; @ehasbrouck; @CenDemTech; @openrightsgroup; @privacyint; @epic; @cfp11.

- The market in secondary use of health care data is now $2 billion (PriceWaterhouseCooper via Latanya Sweeney).

- Index on Censorship has a more thorough write-up of Bruce Schneier's talk.

- Today was IBM's 100th birthday.

- This year's chairs, Lillie Coney (EPIC) and Jules Polonetsky, did an exceptional job of finding a truly diverse range of speakers. A rarity at technology-related conferences.

- Join the weekly Twitter #privchat, Tuesdays at noon Eastern US time, hosted by the Center for Democracy and Technology.

- Have a good year, everybody! See you at CFP 2012 (and here every Friday until then).

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

June 16, 2011

The democracy divide (CFP2011 Day 2)

Good news: the Travel Security Administration audited itself and found it was doing pretty well. At least, so said Kimberly Walton, special counsellor to the administrator for the TSA.

It's always tough when you're the raw meat served up to the Computers, Freedom, and Privacy crowd, and Walton was appropriately complimented for her courage in appearing. But still: we learned little that was new, other than that the TSA wants to move to a system of identifying people who need to be scrutinized more closely.

Like CAPPS-II? asked the ACLU's Daniel Mach? "It was a terrible idea."

No. It's different. Exactly how, Walton couldn't say. Yet.

Americans spent the latter portion of last year protesting the TSA's policies - but little has happened? Why? It's arguable that a lot has to do with a lot of those protests being online complaints rather than massed ranks of rebellious passengers at airport terminals. And a lot has to do with the fact that FOIA requests and lawsuits move slowly. ACLU, said Ginger McCall, has been unable to get any answers from the TSA except by lawsuit.

Apparently it's easier to topple a government.

"Instead of the reign of terror, the reign of terrified," said Deborah Hurley.(CFP2001 chair) during the panel considering the question of social media's role in the upheavals in Egypt and Tunisia. Those on the ground - Jillian York, Nasser Weddady, Mona Eltawy - say instead that social media enabled little pockets of protest, sometimes as small as just one individual, to find each other and coalesce like the pooling blobs reforming into the liquid metal man in Terminator 2. But what appeared to be sudden reversals of rulers' fortunes to outsiders who weren't paying attention were instead the culmination of years of small rebellions.

The biggest contributor may have been video, providing non-repudiable evidence of human rights abuses. When Tunisia's President Zine al-Abidine Ben Ali blocked video sharing sites, Tunisians turned to Facebook.

"Facebook has a lot of problems with freedom of expression," said York, "but it became the platform of choice because it was accessible, and Tunisia never managed to block it for more than a couple of weeks because when they did there were street protests."

Technology may or may not be neutral, but its context never is. In the US for many years, Section 230 of the Communications Decency Act has granted somewhat greater protection to online speech than to that in traditional media. The EU long ago settled these questions by creating the framework of notice-and-takedown rules and generally refusing to award online speech any special treatment. (You may like to check out EDRI's response to the ecommerce directive (PDF).)

Paul Levy, a lawyer with Public Citizen and organizer of the S230 discussion, didn't like the sound of this. It would be, he argued, too easy for the unhappily criticized to contact site owners and threaten to sue: the heckler's veto can trump any technology, neutral or not.

What, Hurley asked Google's policy director, Bob Boorstin, to close the day, would be the one thing he would do to improve individuals' right to self-determination? Give them more secure mobile devices, he replied. "The future is all about what you hold in your hand." Across town, a little earlier, Senators Franken and Blumenthal introduced the Location Privacy Protection Act 2011.

Certainly, mobile devices - especially Talk to Tweet - gave Africa's dissidents a direct way to get their messages out. But at the same time, the tools used by dictators to censor and suppress Internet speech are those created by (almost entirely) US companies.

Said Weddady in some frustration, "Weapons are highly regulated. If you're trading in fighter jets there are very stringent frames of regulations that prevent these things from falling into the wrong hands. What is there for the Internet? Not much." Worse, he said, no one seems to be putting political behind enforcing the rules that do exist. In the West we argue about filtering as a philosophical issue. Elsewhere, he said, it's life or death. "What am I worth if my ideas remain locked in my head?"

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

June 15, 2011

Public private lives

A bookshop assistant followed me home the other day, wrote down my street address, took a photograph of my house. Ever since, every morning I find an advertising banner draped over my car windshield that I have to remove before I can drive to work.

That is, of course, a fantasy scenario. But it's an attempt to describe what some of today's Web site practices would look like if transferred into the physical world. That shops do not follow you home is why the analogy between Web tracking and walking on a public street or going into a shop doesn't work. It was raised by Jim Harper, the director of information policy studies at the Cato Institute, on the first day of ACM Computers, Freedom, and Privacy, at his panel on the US's Do Not Track legislation. Casual observers on the street are not watching you in a systematic way; you can visit a shop anonymously, and. depending on its size and the number of staff, you may or may not be recognized the next time your visit.

This is not how the Web works. Web sites can fingerprint your browser by the ecology of add-ins that are peculiar to you and use technologies such as cookies and Flash cookies to track you across the Web and serve up behaviorally targeted ads. The key element - and why this is different from, say, using Gmail, which also analyzes content to post contextual ads - is that all of this is invisible to the consumer. As Harlan Yu, a PhD student in computer science at Princeton, said, advertisers and consumers are in an arms race. How wrong is this?

Clearly, enough consumers find behavioral targeting creepy enough that there is a small but real ecology of ad-blocking technologies - the balking consumer side of the arms race - including everything from Flashblock and Adblock for Mozilla to the do-not-track setting in the latest version of Internet Explorer. (Though there are more reasons to turn off ads than privacy concerns: I block them because anything moving or blinking on a page I'm trying to read is unbearably distracting.)

Harper addressed his warring panellists by asking the legislation's opponents, "Why do you think the Internet should be allowed to prey on the entrails of the hapless consumer?" And of the legislation's sympathizers, "What did the Internet ever do to you that you want to drown it in the bathtub?"

Much of the ensuing, very lively discussion centered on the issue of trade-offs, something that's been discussed here many times: if users all opt out of receiving ads, what will fund free content? Nah, said Ed Felten, on leave from Princeton for a stint at the FTC, what's at stake is behaviorally targeted ads, not *all* ads.

The good news is that although it's the older generation who are most concerned about issues like behavioral targeting, teens have their own privacy concerns. My own belief for years has been that gloomy prognostications that teens do not care about privacy are all wrong. Teens certainly do value their privacy; it's just that their threat model is their parents. To a large extent Danah Boyd provided evidence for this view. Teens, she said, faced with the constant surveillance of well-meaning but intrusive teachers and parents, develop all sorts of strategies to live their private lives in public. One teen deactivates her Facebook profile every morning and reactivates it to use at night, when she knows her parents won't be looking. Another works hard to separate his friends list into groups so he can talk to each in the manner they expect. A third practices a sort of steganography, hiding her meaning in plain sight by encoding it in cultural references she knows her friends will understand but her mother will misinterpret.

Meantime, the FTC is gearing up to come down hard on mobile privacy. Commissioner Edith Ramirez of course favors consumer education, but she noted that the FTC will be taking a hard line with the handful of large companies who act as gatekeepers to the mobile world. Google, which violated Gmail users' privacy by integrating the social networking facility Buzz without first asking consent, will have to submit to privacy audits for the next 20 years. Twitter, whose private messaging was broken into by hackers, will be audited for the next ten years - twice as long as the company has been in existence.

"No company wants to be the subject of an FTC enforcement action," she said. "What happens next is largely in industry's hands." Engineers and developers, she said, should provide voluntary, workable solutions.

Europeans like to think the EU manages privacy somewhat better, but one of the key lessons to emerge from the first panel of the day, a compare-and-contrast discussion of data-sharing between the EU and the US was that there's greater parity than you might think. What matters, said Edward Hasbrouck, is not data protection but how the use of data affects fundamental rights - to fly or transfer money.

In that discussion, while the Department of Homeland Security representative, Mary Ellen Callahan, argued that the US is much more protective of privacy than a simple comparison of data protection laws might suggest. (There is a slew of pieces of US privacy legislation in progress.) The US operates fewer wiretaps by a factor of thousands, she argued, and is far more transparent.

Ah, yes, said Frank Schmiedel, answering questions to supplement the videotaped appearance of European Commission vice-president Viviane Reding, but if the US is going to persist in its demand that the EU transfer passenger name record, financial, and other data, one of these days, Alice, one of these days...the EU may come knocking, expecting reciprocity. Won't that be fun?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

June 13, 2009

Futures

"What is the future of computers, freedom, and privacy?" a friend asked over lunch, apparently really wanting to know. This was ten days ago, and I hesitated before finding an out.

"I don't know," I said. "I haven't been to the conference yet.

Now I have been to the conference, at least this year's instance of it, and I still don't really know how to answer this question. As always, I've come away with some ideas to follow up, but mostly the sense of a work in progress. How do some people manage to be such confident futurologists?

I don't mean science fiction writers: while they're often confused with futurologists and Arthur C. Clarke's track record in predicting communications satellites notwithstanding, they're not, really. They're storytellers who take our world, change a few variables, and speculate. I also don't mean trend-spotters, who see a few instances of something and generalize from there, or pundits, who are just very, very good at quotables.

Futurologists are good at the backgrounds science fiction writers use - but not good at coming up with stories. They're not, as I had it explained to me once, researchers, because they dream rather than build things. The smart ones have figured out that dramatic predictions get more headlines - and funding - than mundane ones and they have a huge advantage over urban planners and actuaries: they don't have to be right, just interesting. (Whereas, a "psychic seer" like Nostradamus doesn't even have to be interesting as long as his ramblings are vague enough to be reinterpretable every time some new major event comes along.)

It's perennially intriguing how much of the past images of the future throw away: changing fashions in clothing, furniture, and lifestyles leave no trace. Take, for example, Popular Mechanics' 1950 predictions for 2000. Some of that article is prescient: converging televisions and telephones, for example. Some extrapolates from then new technologies such as X-rays, plastics, and frozen foods. But far more of it is a reminder of how much better the future was in the past: family helicopters, solar power in real, widespread use, cheap housing. And yet even more of it reflects the constrained social roles of the 1950s: the assumption that all those synthetic plastic fabrics, furniture, and finishings would be hosed down by...the woman of the house.

I'll bet the guy who wrote that had a wife who was always complaining about having to do all the housework. And didn't keep his books at home. Or family heirlooms, personal memorabilia, or silly gewgaws picked up on that trip to Pittsburgh. I'm not entirely clear why anyone would find frozen milk and candy made from sawdust appealing, though I suppose home cooking is indeed going out of style.

But my friend's question was serious: I can't answer it by throwing extravagantly wild imaginings at it for their entertainment value. Plus, he's probably most interested in his lifetime and that of his children, and it's a simple equation that the farther out the future you're predicting the less plausible you have to be.

It's not hard to guess that computing power will continue to grow, even if it doesn't continue to keep pace with Moore's Law and is counterbalanced by the weight of Page's Law. What *is* hard to guess is how people will want to use it. To most of the generation writing the future in the 1950s, when World War II and the threat of Nazism was fresh, it was probably inconceivable that the citizens of democratic countries would be so willing to allow so many governments to track them in detail. As inconceivable, I suppose, as that the pill would come along a few years later and wipe away the social order they believed was nature's way. Orwell, of course, foresaw the possibilities of a surveillance society, but he imagined the central control of a giant government, not a society where governments rely on commercial companies to fill out their dossiers on citizens.

I find it hard to imagine dramatic futures in part because I do believe most people want to hold onto at least parts of their past, and therefore that any future we construct will be more like Terry Gilliam's movies than anything else, festooned with bizarre duct work and populated by junk that's either come back into fashion or that we simply forgot to throw away. And there are plenty of others around to predict the apocalypse (we run out of energy, three-quarters of the world's population dies, economic and environmental collapse, will you burn that computer or sit on it?) or its opposite (we find the Singularity, solve our energy problems, colonize space, and fix biology so we live forever). Neither seems to me the most likely.

I doubt my friend would have been satisfied with the answer: "More of the same, only different." But my guess is that the battle to preserve privacy will continue for a long time. Every increase in computing power makes greater surveillance possible, and 9/11 provided the seeming justification that overrode the fading memory of what was at stake in World War II. It won't be until an event with that kind of impact reminds people of the risk you take when you allow "If you have nothing to hide, you have nothing to fear" to become society's mantra that the mainstream will fight to take back their privacy.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or send email to netwars@skeptic.demon.co.uk (but please turn off HTML).

June 4, 2009

Computers, Freedom, and Privacy 2009 - Day Four

The challenge posed by many of today's panelists: activism transfer. How do you get people communicating via Twitter, Facebook, and other social networks to take to the streets? Because that's where the real impact is.

How little things have changed since 1994, my first year at CFP, when Simon Davies dressed up as the Pope, read from the Book of Unix, and told everyone that if they wanted governments to listen they needed to stop sending around email petitions and organize at the grass roots level. In India, explained Gaurav Mishra, this meant getting people to vote instead of complaining that the system was corrupt and staying home.

Use online tools to build offline institutions, he concluded. "Real social change will not happen online."

But today's China panel - probably the best of all this year's offerings - made the point that although we have tended to assume that the Internet will bring democracy and light to anywhere it penetrates, China shows that the Internet can also be used to spread propaganda. You'd think this would have been obvious, but policy has tended to assume otherwise.

Said Rebecca MacKinnon, who is writing a book about China and the Internet, "It's true that China has shown that authoritarianism can do a lot better in the internet age than a lot of people ever expected."

China has implemented several different elements of control: many overseas sites and services are blocked (so many blogging sites are down "for maintenance" on this 20th anniversary of Tiannamen Square that there's a joke about China Maintenance Day). There is some change, but it's a slow evolution: "The Internet may be liberalizing people to some extent, but on the other hand, we're not going to see any kind of regime change." The liquid metal man in Terminator 2 only becomes a threat when the little blobs of metal flow together; you can let little local pockets of increasing liberalization occur as long as they never join together to become national.

In a later panel on taking Tweets to the street, Ralf Bendrath recounted creating a 75,000-person demonstration against surveillance and in favor of privacy in Germany starting with little more than a wiki. But, he noted that individual liberals are not the only voices who will be able to use these tools.

"We celebrate Obama's use of these tools because we believe in his ideology," said Mishra, going on to point out that in India a right-wing party that wants to restrict women's movements is at the forefront of using Twitter, Facebook, and blogging. "As much as I hate to say this, very soon we will find enthusiasm for these tools being tempered by realism that anybody can use them." The tools by themselves do not give us more power.

"Use online tools to build offline institutions," said Bendrath. "Real social change will not happen online."

Over and out. Anyone with ideas for next year should submit them not at www.cfp2010.org. Have a good year, folks!

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of the earlier columns in this series. Readers are welcome to post here, follow on Twitter or email netwars@skeptic.demon.co.uk (but please turn off HTML).

Computers, Freedom, and Privacy 2009 - Day Three

"Do you feel guilty about killing newspapers?" Saul Hansell asked Craig Newmark yesterday. The founder of Craig's List, widely credited with stealing newspapers' classified ads, offered the mildly presented answer that it would be more correct to say that Craig's List, Amazon, and eBay took the newspapers' audience by offering them a more friendly and convenient marketplace.

At some point in the early 19-00s, Charlotte-Anne Lucas explained today, newspapers changed from charging for content to charging for audiences, leading them to selecting content based on its mass appeal. Exactly, she didn't say, like AOL in the mid 1990s, when it switched from making its money from connect time, which favored all sorts of niche content, to making its money from advertising, which required mass eyeballs.

One advantage bloggers have, noted Marcy Wheeler is that they don't have to frame every story as a controversy that can be resolved in 700 words (how like a sitcom).

My other favorite quote of the day, from a panel on whether government secrecy makes any sense in the post-Internet world "Secrecy makes people stupid." The speaker, Steve Aftergood, a senior research analyst with the Federation of American Scientists, went on to note that the US spends $10 billion a year on keeping secrets - that is, protecting classified information. He didn't draw the obvious conclusion...

The panel, which included a former undercover agent (Mike German, now with the ACLU), a former director of the US Information Security Oversight Office (Bill Leonard), and a former chief information policy officer from the NSA (Mike Levin), is worth listening to in full. Satirists could have fun with Aftergood's later note, that while you can find out that the 2008 intelligence budget was $47.7 billion, and the 2007 budget was $43.5 billion, the 2006 number is classified - as is the budget from 50 years ago. Aftergood tried to find out the number from the 1940s and was refused; appeal was denied, second appeal was denied, and a lawsuit to force disclosure was unsuccessful. He's not sure how this figure could damage national security; I say with these numbers he could go on Letterman.

Still, it's a fair point to say that secrets are harder to keep than they've ever been, not least because the intelligence community is adopting the same kinds of tools the rest of us use, albeit versions closed to public access. Perhaps we can get away from the sort of thing John Le Carre wrote about at the end of one of his books, in which an agent died for a fact that would be published in a Russian newspaper the following week. The good news is there's to be a review of all these procedures, a "unique opportunity", the panel called it, to effect real change.

We finished today with a selection of ultra-short presentations. Lock your credit record with a ten-digit code, said Jeremy Duffy, and celebrate Sam Warren, Brandeis's less famous partner, said Paul Rosenzweig. The highlight for me, though: meeting < a href="http://www.veni.com">Veni Markowski, whom I've read about for years as Bulgaria's cyberspace king. He's going to work now for the government to coordinate international action on cybersecurity. Good stuff.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Readers are welcome to post here, follow on follow on Twitter, or send email to netwars@skeptic.demon.co.uk (but please turn off HTML).

June 3, 2009

Computers, Freedom, and Privacy 2009 - Day Two

One hundred and thirty-three days into the Obama Administration. He still still has a lot of fans - one conference attendee was wearing silver Obama logo earrings yesterday and CNet writer Declan McCullough was pleased that a FOIA request that kept him waiting for over a year was answered within a few weeks of the inauguration - privacy advocates are beginning to carp that his record on privacy seems unlikely to be any improvement on his immediate predecessor's. Kicking off the day's first session, Susan Crawford talked some good principles, but a basic one - answering public questions - was off-limits. `

McCullough also noted that Obama has yet to fulfill his promise to post non-emergency legislation for public comment for five days before signing it.

Meanwhile, however, said the ACLU's Caroline Fredrickson, the US's Real ID effort, which threatened to unify state-issued driver's licenses into a single national ID card-equivalent, has halted under the pressure of the refusal of many individual states to participate. Why? Unworkable, costly, and invasive. Sounds like Britain's ID card, though the UK government still persists, lacking state governments to stand in its way.

"A mistake in the database can render you an unperson," she noted.

There was another good line on this: "Information asymmetry is how repressive regimes operate." The Internet's power to flatten information hierarchies all by itself might be why Nicole Wong wakes up every morning and checks her Blackberry to find out which country Google is blocked in today. As the deputy general counsel for Google, it's her job not only to track that sort of thing but to try to remove these blockages by negotiating with national governments. The New York Times recently described Wong as the person with the most influence over the exercise of free speech in the world.

Wong was part of my panel on Internet censorship, we were arguing about censorship in the US, the UK, and Australia, and debating whether John Gilmore's oft-quoted aphorism is still correct. "The Internet perceives censorship as damage, and routes around it," Gilmore thinks he probably said sometime in 1990 or thereabouts. Is that still true, given the computing power to do deep packet inspection? Very possibly not. Derek Bambauer had a neat list of the stages of Internet censorship. Version 1.0: it can't be done. Version 2.0: the bad guys do it. Version 3.0: everyone does it. Australia is on round two of let's-filter-the-Internet, and it is the world's pilot on this. The danger, Wong commented, is that we may get tied up in arguing whether it's OK to filter specific types of content; the existence of a filter in a country like Australia legitimizes filtering for the more repressive countries coming online that she has to negotiate with.

Perhaps the most surprising bit of the day was the appearance on the same panel of Bruce Schneierand Stewart Baker without acrimony. Valerie Caproni, the FBI's general counsel, also on that panel, was a little frostier, particularly when travel data privacy expert Edward Hasbrouck attacked her and the US government's apparent belief that foreigners do not have the same human rights as US citizens. Both Schneier and Baker fired off a few good lines. Schneier pointed out that as technology increases and gives each of us more personal power amplitude, the harm that ten armed men can do to society keeps getting bigger. At what point, he asked, is that noise bigger than society?

Baker, who's made a sort of career of insulting the CFP crowd, more or less agreed: there is an illusion that the continued working of Moore's Law is always going to be beneficial to society. That aside, Baker was slightly miffed. After winning the Big Brother award for Worst Public Official in 2007, he said, Privacy International had yet to deliver his award. Via Twitter PI promised to deliver it. Eventually. When he least expects it.

More tomorrow.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or send email to netwars@skeptic.demon.co.uk (but please turn off HTML).

January 2, 2009

No rest for 2009

It's been a quiet week, as you'd expect. But 2009 is likely to be a big year in terms of digital rights.

Both the US and the UK are looking to track non-citizens more closely. The UK has begun issuing foreigners with biometric ID cards. The US, which began collecting fingerprints from visiting tourists two years ago says it wants to do the same with green card holders. In other words, you can live in the US for decades, you can pay taxes, you can contribute to the US economy - but you're still not really one of us when you come home.

The ACLU's Barry Steinhardt has pointed out, however, that the original US-VISIT system actually isn't finished: there's supposed to be an exit portion that has yet to be built. The biometric system is therefore like a Roach Motel: people check in but they never leave.

That segues perfectly into the expansion of No2ID's "database state". The UK is proceeding with its plan for a giant shed to store all UK telecommunications traffic data. Building the data shed is a lot like saying we're having trouble finding a few needles in a bunch of haystacks so the answer is to build a lot bigger haystack.

Children in the UK can also look forward to ContactPoint (budget £22.4 million) going live at the end of January, only the first of several. The conservativers apparently have pledged to scrap ContactPoint in favor of a less expensive system that would track only children deemed to be at risk. If the conservatives don't get their chance to scrap it - probably even if they do - the current generation may be the last that doesn't get to grow up taking for granted that their every move is being tracked. Get 'em young, as the Catholic church used to say, and they're yours for life.

The other half of that is, of course, the National Identity Register. Little has been heard of the ID card in recent months; although the Home Office says 1,000 people have actually requested one. Since these have begun rolling out to foreigners, it's probably best to keep an eye on them.

On January 19, look for the EU to vote on copyright term extension in sound recordings. They have now: 50 years. They want: 95 years. The problem: all the independent reviewers agree it's a bad idea economically. Why does this proposal keep dogging us? Especially given that even the UK government accepts that recording contracts mean that little of the royalties will go to the musicians the law is supposedly trying to help, why is the European Parliament even considering it? Write your MEP. Meanwhile, the economic downturn reaches Cliff Richards; his earliest recordings begin entering the public domain...oh, look - yesterday, January 1, 2009.

Those interested in defending file-sharing technology, the public domain, or any other public interest in intellectual property will find themselves on the receiving end of a pack of new laws and initiatives out to get them.

The RIAA recently announced it would cease suing its customers in the US. It plans to "work with ISPs". Anyone who's been around the UK and France in recent months should smell the three-strikes policy that the Open Rights Group has been fighting against. ORG's going to find it a tougher battle, now that the govermment is considering a stick and carrot approach: make ISPs liable for their users' copyright infringement, but give them a slice of the action for legal downloads. One has to hope that even the most cash-strapped ISPs have more sense.

Last year's scare over the US's bald statement that customs authorities have the right to search and impound computers and other electronic equipment carried by travellers across the national borders will probably be followed up with lengthy protest over new rules known as the Anti-Counterfeiting Trade Agreement and being negotiated by the US, EU, Japan, and other countries. We don't know as much as we'd like about what the proposals actually are, though some information escaped last June. Negotiations are expected to continue in 2009.

The EU has said that it has no plans to search individual travellers, which is a relief; in fact, in most cases it would be impossible for a border guard to tell whether files on a computer were copyright violations. Nonetheless, it seems likely that this and other laws will make criminals of most of us; almost everyone who owns an MP3 player has music on it that technically infringes the copyright laws (particularly in the UK, where there is as yet no exemption for personal copying).

Meanwhile, Australia's new $44 million "great firewall" is going ahead despiteknown flaws in the technology. Nearer home, British Culture Secretary Andy Burnham would like to rate the Web, lest it frighten the children.

It's going to be a long year. But on the bright side, if you want to make some suggestions for the incoming Obama administration, head over to Change.org and add your voice to those assembling under "technology policy".

Happy new year!

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

August 24, 2007

Game gods

Virtual worlds have been with us for a long time. Depending who you listen to, they began in 1979, or 1982, or it may have been the shadows on the walls of Plato's cave. We'll go with the University of Essex MUD, on the grounds that its co-writer Richard Bartle can trace its direct influence on today's worlds.

At State of Play this week, it was clear that just as the issues surrounding the Internet in general have changed very little since about 1988, neither have the issues surrounding virtual worlds.

True, the stakes are higher now and, as Professor Yee Fen Lim noted, when real money starts to be involved people become protective.

Level 70 warrior accounts on World of Warcraft go for as little as $10 (though your level number cannot disguise your complete newbieness), but the unique magic sword you won in a quest may go for much more. The best-known pending case is Bragg versus Second Life over virtual property the world's owners confiscated when they realized that Bragg was taking advantage of a loophole in their system to buy "land" at exceptionally cheap prices. Lim had an interesting take on the Bragg case: as a legal concept, she argued, property is right of control, even though Linden Labs itself defines its virtual property as rental of a processor. As computer science that's fine, but it's not law. Otherwise, she said, "Property is mere illusion."

Ultimately, the issues all come down to this: who owns the user experience? In subscription gaming worlds, the owners tend to keep very tight control of everything – they claim ownership in all intellectual property in the world, limit users' ability to create their own content, and block the sale of cheats as much as possible. In a free-form world like Second Life which may host games but is itself a platform rather than a game, users are much freer to do what they want but the EULAs or Terms of Service may be just as unfair.

Ultimately, no matter what the agreement says, today's privately owned virtual worlds all function under the same reality: the game gods can pull the plug at any time. They own and control the servers. Possession is nine-tenths of the law, and all that. Until someone implements open source world software on a P2P platform, this will always be the way. Linden Labs says, for what it's worth, that its long-term intention is to open-source its platform so that anyone may set up a world. This, too, has been done before, with The Palace.

One consequence of this is that there is no such thing as virtual privacy, a topic that everyone is aware of but no one's talking about. The piecemeal nature of the Net means that your friend's IRC channel doesn't know anything about your Web use, and Amazon.com doesn't track what you do on eBay. But virtual worlds log everything. If you buy a new shirt at a shop and then fly to a distant island to have sex with it, all that is logged. (Just try to ensure the shirt doesn't look like a child's shirt and you don't get into litigation over who owns the island…)

There are, as scholars say, legitimate reasons. Logging everything that happens is important in helping game developers pinpoint the source of crashes and eliminate bugs. Logs help settle disputes over who did what to whose magic sword. And in a court case, they may be important evidence (although how you can ensure that the logs haven't been adjusted to suit the virtual world provider, who is usually one of the parties to the litigation, I don't know).

As long as you think of virtual worlds as games, maybe this isn't that big a problem. After all, no one is forced to spend half their waking hours killing enough monsters in World of Warcraft to join a guild for a six-hour quest.

But something like Second Life aspires to be a lot more than that. The world is adding voice communication, which will be interesting: if you have to use your real voice, the relative anonymity conferred by the synthetic world are gone. Quite apart from bandwidth demands (lag is the bane of every SLer's existence), exploring what virtual life is like in the opposite gender isn't going to work. They're going to need voice synthesizers.

Much of the law in this area is coming out of Asia, where massively multi-player online games took off so early with such ferocity that, according to Judge Unggi Yoon, in a recent case a member of a losing team in one such game ran to the café where the winning team was playing and physically battered one of its members. Yoon, who explained some of the new laws, is an experienced online gamer, all the way back to playing Ultima Online in middle school. In his country, a law has recently come into force taxing virtual world transactions (it works like a VAT threshold – under $100 a month you don't owe anything). For Westerners, who are used to the idea that we make laws and export them rather than the other way around, this is quite a reality shift.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

May 4, 2007

Cryptanalysis

Was Whitfield Diffie robbed when he failed to win a Big Brother Award or even secure a nomination?

It was Diffie himself who complained, and even being given the first annual Computers, Freedom, and Privacy Distinguished Innovators award didn't quite make up for the slight (pleased as he seemed to be by that recognition, which he shared with fellow cryptography inventor Ron Rivest, the 'R' in RSA).

Why does one of the key inventors of public key cryptography think he deserves to be publicly shamed for privacy invasion?

"I was thinking that cryptography is a two-edged sword," he explained, "and technology, especially complicated technologies, tend to serve the people who can invest in them." People with power – governments, large companies, big organisations – can afford to invest substantially in developing and deploying cryptography, where individuals and small outfits can't. "Use follows the structure of society. It supports the powerful and suppresses the weak."

This conference, in the mid-1990s, was a hotbed of impassioned crypto activism. One of this year's actual BBA winners was Stewart Baker, the former general counsel to the National Security Agency, whom Simon Davies, executive director of the awarding organization, Privacy International, noted was behind the US's most heinously invasive policies. Though here at CFP Baker is chiefly identified with deriding the 1994 conference by saying that the only people opposed to key escrow were those who couldn't go to Woodstock because they'd had to stay home to do their math homework.

Fortunately, Diffie waited until now to argue that crypto could be a bad thing.

Nonetheless, he has a point. Cryptography is deployed by banks, the military, and the mobile phone companies. Hardly any individuals install it personally. The most widespread use of crypto is probably SSL – the security that protects credit card details and other personal information in transit to ecommerce Web sites. Second, if not now then soon, is the trusted computing module in computers.

"My original vision was 100 million secure telephones," said Diffie. "That's come nowhere near true, and most of the secure telephones – less than a million – are in the hands of governments."

Besides key escrow, the other big crypto issue of the mid 1990s was the Clipper Chip, a government effort to create a standard for strong cryptography. Clipper was supposed to go in all kinds of things – phones, modems – but it included key escrow, and so everyone despised it. But had Clipper been deployed, consumers and businesses would in general have far more secure telephones than the wholly insecure ones they have now. This may soon change with the rise of VOIP and the understanding that data in progress across the Internet is insecure. But it's entirely arguable that the government was right in the mid 1990s when it said that deploying Clipper would enable greater general security for the masses. Certainly, nothing has arrived to do replace it.

Still, in the next decade telephony will be so completely reinvented that Diffie's old dream of the secure telephone will have little relevance. Sure, VOIP traffic may be routinely encrypted. But, he said, "Within a decade no significant program will be secure in the sense that we talk about secure computing today."

Why? Outsourcing.

In the sense that: "Nobody in the country can avoid making trade secret queries using Google." Within a decade, most of the time if you want a computing service you'll buy it in from someone you find via some form of search.
"Phone calls," added Ron Rivest in the post-award discussion, "will be kept as documents by the phone company." They'll be searchable. "The whole nature of what a phone call is is going to change in very interesting ways. It means trusting another party to manage all the data, though it's yours in principle."

(Think of your voicemail now. Technically, you own the messages, but if you use the service supplied by your telco, those messages are stored on their server, and possession and all that.)

Crypto also solves only one type of security problem; it does not defeat traffic analysis, which earlier sessions at this conference showed requires as little as 6 percent of the nodes in a network – providing they're the right 6 percent. Nor does it make clear in and of itself whom you should trust.
"I've thought for a while," Diffie said, "that the word 'trust' is not quite the right thing. There's nothing you can do about relying on people – but with mounds of traffic data, what can you protect? And that depends on how much you're willing to invest in that protection."

In Montreal, it's well known that people are not willing to invest very much. The one company that really tried to commercialize privacy software, Zero Knowledge, was based here before it crashed and burned.

"My view," he concluded, "is that we're entering a heyday of intelligence."

So does he really think he deserves a BBA? Does his name truly belong up there with Baker, the UK (worst government), ICAO (most appalling project), and "the common good" (the justification for every heinous proposal)?

"I realized I wasn't even a runner-up."

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

March 2, 2007

Fusion cuisine and the Chamber of Legislative Horrors

So this is the pitch:

Do you still recognize the country you grew up in? In Britain, the home of habeus corpus and the Magna Carta, the London 2012 Olympics are serving as the excuse to give police powers to inspect postal packages for drugs, track individuals through the use of CCTV and electronic travel passes, and identify suspects through their relatives' DNA stored among the 3 million samples held in the nation's DNA database. In the US, it's now extremely difficult to travel, even on a Greyhound bus, without presenting photo ID, a government agency maintains a list of who is not allowed to fly, and your most private medical records are open to inspection by a raft of people from medical personnel to insurance companies and prospective employers.

The Australian Parliament has a compendium of anti-terrorism legislation from Australia and elsewhere, much of it passed since 2001.
It seems as though in every country surveillance is on the rise, backed by legislation granting more and more powers to law enforcement.

What's it like in your country? The 2007 Computers, Freedom, and Privacy conference wants to know. You have nothing to lose but your homes, jobs, freedom...

Something like that. (Do get in touch if you want to hand over examples.) The losers will be featured somewhere on the CFP program.

About that reference to the 2012 Olympics. It's generally true that the World Trade Center/Pentagon attacks of September 2001 gave security forces everywhere a chance to dust of the failed proposals they had in their bottom drawers that no politicians would ever accept previously and get them through before the first shock faded. Every subsequent event – such as the July 7 London bombs, or last summer's mixed-liquids-on-a-plane madness – has fueled another round of Add the Police Powers. But the 2012 Olympics? They're harmless, right? (Except for the ever-mounting bill; the Evening Standard this week put it at £10 billion, four times the original estimate, and counting. For the record, I was always against the Olympics coming to London.)

Not so much harmless. And they're almost open about it.
The Telegraph discovered a leaked memo in late January that specifically suggested that public support for increased surveillance (scanning postal packages, location tracking via enhanced CCTV, mobile phones, and smart travel cards) could be increased by piloting them during the Olympics. The documents, prepared for the Number 10 Policy Review Working Group on Security, Crime, and Justice, also revealed that the DNA database that Blair is so proud of and its 3 million samples could be used for familial tracing. Your DNA may not be on the database, but if your father's is identifying a familiar connection might help lead the police to you. Oh, yeah, and while we're at it, why don't we conceal X-ray cameras in lampposts everywhere?

I know how much this sounds like bad science fiction, and since the X-ray camera bit came from The Sun, who knows? And the fact that something is being discussed doesn't mean they won't see sense and not implement it or that the technology will work in the first place. But these are thoughts that only a few years ago would have been unthinkable, and now they're not only being thought they're being outlined in policy memos.

And even that is relatively trivial compared to part 2A of the Serious Crime Bill, which creates Serious Crime Prevention Orders, to be granted by the High Court or Crown Court, that will grant the power to do data matching between, from the sounds of it, any and all data held about you anywhere – within different government departments, outside it in commercial databases, travel data, ISP logs, whatever. The bill is at the committee stage in the Lords but has yet to be introduced in the Commons. A friend of mine has taken to calling this scenario "data fusion".

What this all signifies is very precisely and carefully laid out in a just-published book, Illusions of Security by Canadian author Maureen Webb. In it, Webb makes the carefully documented case that in the years since 2001 a massive shift has taken place from reactive policing to preemption of risk (which seems a logical extension of the sort of nervousness that requires warning labels on bags of marbles). She primarily writes about Canada and the US, but she could be writing about many other countries: you could be guilty at any time and so you should be watched, just in case. Instead of giving us greater security, Webb argues that increased surveillance is counter-productive because it alienates the very communities we most need help from – and that in fact it makes us all more insecure because our lives could be abruptly turned upside down at any moment. Whose life doesn't look suspicious if it's examined in great detail?

So: send your examples and I'll enter them in the Chamber of Legislative Horrors contest. You could be a loser!

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

December 23, 2006

Thinking time

If it's Christmas it must be time to come up with program proposals for Computers, Freedom, and Privacy, the 17th edition of which will take place in Montreal, May 1-4. Submissions (via email or the Web system) are due on January 20. It's something to think about after you've finished listening to the Queen's Speech (UK)) or watching It's a Wonderful Life (US). Who needs trivia quizzes when you can think up and propose speakers for CFP?

CFP is a cross-disciplinary oddity of a conference. Others focus more tightly on privacy, data protection, cryptography, software, hardware, games, music, new technology...but CFP is the only one where, as I'm so fond of saying, for four days you never want to finish anyone else's sentence.

The 2007 theme is autonomy, which should include one of the subjects CFP has long neglected, disability. Generally speaking, redesigning anything to make disabled access easier has benefited many other people (curb ramps, for example, help not only people in wheelchairs but those dragging luggage or pushing babies in strollers). But it's been contentious in designing electronic voting systems, especially when you're trying to design a paper trail voters can verify – how does a blind person verify the paper?

It's worth noting, by the way, that the UK, apparently refusing to believe the stories it reads about snafus (PDF) everywhere else, has decided to run trials in 2007. Look for a talk by Rebecca Mercuri on the problems encountered in the last US elections on February 8 in London as part of a conference on e-voting that will attract speakers from Ireland and Italy; it's being organized by Jason Kitcat for the Open Rights Group.

The disabled, the elderly, and even the seriously ill, figure in another trend: one of the promises people talk about with respect to ubiquitous computing is the ability to monitor people at risk and make sure they're all right. It sounds so warm and fuzzy: install a bunch of sensors in Grandma's house so you can check in every day via a Web interface and make sure she's still alive. Or give her a robot to make sure she eats every day and doesn't spend all day sitting around in that one stained bathrobe. Is that the life you want when you're 87? (I can hear my mother saying even now, of her old robot that's been replaced, "It never calls, never writes…")

Autonomy is also an umbrella for the many trends that, compared to the glamour days of the file-sharing wars, sound too dry or remote to be dangerous. What could be harmful about putting medical records on a centralized database? Wouldn't it be better if emergency personnel can quickly find out the medical history of an unconscious person – what medications they take, what allergies they have, what their health problems are? Speaking as someone with almost no medical records at all (most of my doctors are dead; those that aren't shredded their records rather than show them to me), that sounds appealing. But who will have access? How will that information be used and protected? Where will it go once it's collected? The UK's proposals in this area are so weak that Ross Anderson is heading a movement to help people opt out of having their patient records uploaded.

As much data as is now collected about us all – credit card trails, online shopping, medical data, government dealings, phone bills, Web logs – it's nothing compared to what's coming our way. Location-tracking (primarily but not solely via mobile phones), national identity databases, border controls that require fingerprinting and other biometrics will all generate far more data than anything we have now. And that's without RFID. A friend points out that in the US foreigners are required (although it's rarely enforced) to carry their I-94 entry forms with them at all times; trials are underway to include RFID chips in these, and the privacy flaws are already being reported.

Which leads to another strand: technologies that don't work. Despite the fact that everyone who's ever installed new software has had the experience of having it utterly fail to work, hope seems to spring eternal that any IT project will do what its vendors promise if only it's sufficiently large and commissioned by a government. In a way, we have to be grateful when those hopes are crashed; an identity database that fails obviously, frequently, and undeniably is much less damaging to the person who is the object of that failure (the failee?) than one that fails subtly and rarely. The real problem is not that technology fails – all technologies fail sometimes – but our faith that it can be trusted.

The Hitchhiker's Guide to the Galaxy summed up the three stages of civilization thus: How can we eat? What shall we eat? Where shall we have lunch? There is a similar thread running from the natural desire for greater safety for ourselves and our children (warning labels on bags of marbles) to surrendering control over our own lives (a database to make sure that marbles aren't sold to anyone who isn't bright enough to know not to eat them).

Enjoy the holidays.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

May 5, 2006

Computers, Freedom, and Privacy XVI

“Everyone seems depressed,” someone said a half-day into this year’s Computers, Freedom, and Privacy conference.

It’s true. Databases are everywhere this year. FEMA databases made of records from physicians, pharmacists, insurers. The databases we used to call the electoral rolls. Choicepoint. The National Health infrastructure they want to build. Real ID. RFID tracks and trails – coming soon to a database near you. And so on.

The only really positive moment is when Senator Leahy (Democrat – VT) bounds in to deliver a keynote, saying that the society we are creating is “a different US society than the one we know”. He ringingly denounces the claim that voting for the resolution to pursue Al-Qaida included voting for warrantless wiretapping, and everyone applauds.
Wait. CFP is being bucked up by a senator? Ten years ago, this conference thought it could code its way out of anything. PGP and Internet architecture could beat any lawmaker.

Now, someone says, “The governments are moving in in a big way” and there is a sense that the only hope lies in policy-making and persuasion. Privacy advocates are brainstorming legislative proposals. The Electronic Frontier Foundation is opening an office in DC.

Even the government types are depressed. Stewart Baker, who in 1994 baited this group by claiming that opposition to key escrow was coming only from those who couldn’t go to Woodstock because they had to finish their math homework, is now at the Department of Homeland Security, and tells us that in an emergency we should save ourselves.

Actually, that was one of the few moments of levity. What he did was ask how many libertarians were there in the room who believed that a government governs best that governs least. About ten percent of the crowd raised their hands (another major change from minus ten years, when at least half would have done so). How many actually had provisions of food and water for 72 hours? Most hands dropped. “Who,” Baker asked, “are you expecting to rescue you?” Gotcha.

The science fiction writer Vernor Vinge, who’s been wandering the conference to sample the zeitgeist preparatory to delivering his wrap-up late Friday, summed it up in an advance sample.

“The angle that’s somewhat discouraging,” he says, “is the sense I have in many of these issues that they do reflect an almost implacable advance and on many different fronts on the part of the government in support of the fundamental government idea that total information awareness (no trademark) is absolutely essential to the national interest. I see that as clearly and explicitly recognized by the government as essential to national security, so that in the long run opposing it is at best a matter of slowing its advance down and at worst giving it the appearance of slowing its advance down.”

Vinge was last at CFP in 1996, when he, Bruce Sterling, and Pat Cadigan all participated in a panel called “We Know Where You Will Live”. I remember it as one of the best CFP panels, ever. It was, to be sure, somewhat gloomy. I remember, for example, predictions that a supermarket might know what foods you had been eating from your sales records and, in cahoots with your medical insurer, order you off the potato chips and onto the celery sticks. But being able to imagine this dysfunctional future gave the sense that we would be able to avert it. And without, as one prominent CFPer has done since last year, moving to Canada.

This year, Katherine Albrecht, the leading campaigner against RFID tags and their prospective use to tag and track goods and people, presented her latest findings. Some of her scenarios are far-fetched enough to be truly lame (for example, the idea that someone could sit next to you in a plane and scan your bag so they could steal exactly what they wanted while you were in the lavatory) and others are too clearly chosen to try to manipulate emotional hot buttons (such as the idea that someone passing on the street could point a cellphone reader at a woman and be able to tell what model and color bra she was wearing; I mean, so what?). But the tracking, storing, and eventually sharing of data are all logical consequences of the infrastructure her research shows they are building. I’m not convinced we will go there. But the possibility is no longer outlandish enough for me to feel empowered by considering it any more.

“We haven’t,” a privacy activist now in the corporate sector said to me over dinner, “had one single success. It’s just a long list of failures.”

It is the health care situation that is particularly depressing. The UK has its flaws, but one benefit of nationalized health care is a real reduction in the number of people and organizations who are intensely interested in your medical records. In the US, it seems as though everyone is lining up hoping to get a glimpse of what might be wrong with you.

In one panel we learn that medical identity theft is one of the biggest and fastest growing problems. Now, I wouldn’t mind that so much if they’d take my ailments, too. Such as this growing sensation of being surrounded, spied upon, watched by cameras…

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML)