Privacy & security in a wireless world
Wireless Silicon Valley is a project of Joint Venture Silicon Valley. JVSC has been promoting ICT infrastructure projects since the mid-90's when it sponsored "Smart Valley" loosely based on Singapore's Intelligent Island but without the intense government involvement. This morning's program is cosponsored by the Santa Clara University Markkula Center for Applied Ethics and the Center for Science, Technology, and Society.
Several towns in the Silicon Valley cloud now offer Internet access via a wireless network installed by a commercial partner. Some are ad-supported such as Google's in Mountain View or the one in Santa Clara, where this workshop is being held. However, it does not work inside the theater on the Santa Clara University campus. Connection strength varies as you drive around town, but registration is fairly simple, though a first time Internet user would have problems because they demand an email address. What if you want to get online to get one?
This meeting brings speakers from law enforcement, library, corporate, and the ACLU which has long been an advocate for stronger privacy protection. It is timely because recent articles this past week have pointed up the weakness of popular unlicensed networks such as wi-fi hotspots. Commonly available software called packet sniffers allows snoops to capture data flowing across such open networks.
At the opening I counted 65 in the audience (14 women) while Russell Hancock, CEO JVSV mad some opening remarks including
"We are frustrated that the technologies we have developed are still not implemented here compared with other geographic areas." There is a wireless task force comprised of CIOs from cities in the region. They issued an RFP with help from Intel and the 'community of vendors' replied. One will be recommended with a press release by September 5.
Context: when you build something new there are issues, and large ubiquitous wireless systems include privacy and security concerns. In this network operators will know when and where a connection is made. Some of these systems are supported by advertisements, and they want to know a lot about who is using the system.
Al Hammond. a law professor and head of the Broadband Institute moderated the session. He summarized why there is uneven access to high speed access. He says that without BB, "cities will be left behind." Cities that are reluctant to use taxes to provide this network will allow commercial providers to have access to subscriber data. <Well, cities and other regions are "left behind" for other reasons besides not having a high speed infrastructure for telecommunications.>
Wireless: easier to tap into and there are greater risks to individual privacy: and general security issues for companies and government. Different policy options:
-free and anonymous access. Leave it to the user
-Registered access: know at all times who is using the system
-Active court ordered surveillance: warrants and subpoenas used to restrain govt. intervention.
Policy question for the task force:
-How should this project manage these issues?
How much of the response. to protect privacy and sec should be for cities or providers or the user?
Once allocated, how should the protection of privacy and security be accomplished?
An agenda and some short position papers were handed out. These will be on the project web site shortly, according to Seth Feary who leads the task force.
Nicole Ozer, ACLU: nozer@aclunc.org one of 3 lawyers tracking new tech for the ACLU. Community members should not have to pay with their privacy to use a free municipal system. Wireless SV did not include a question about privacy and free speech but did say it would count a lot in the final decision. <the head of the task force said it was discussed already> All three finalists get a failing grade. they track who you are, where you are, and what you are looking at. All of it could be disposed to other parties. It's as if you had free phones around town, but there would be ads and all calls would be monitored. The California Constitution guarantees privacy and it can't be bought sold or traded. These finalists say that if you have money you can have some privacy. It's up to WSV to have a fast, secure network that protects our privacy.
Don't track users from session to session. This creates a profile in a database. All three have a failing grade for this. Our data should not be commercialized.
Legal demands: notice should be given, with court.
The less info kept the better.
Sherman Hall, former IT guy now with the Atherton Police Department. The competing pressures: privacy vs security. anonymity vs. tracking: He is assigned to REACT (a law enforcement TF) and computer forensics. Generally savvy and supporter of the status quo, as it exists today. With complete anonymity there is no deterrent. Record retention: 90 days. He explained the lag time in a credit card theft, the red tape in a police dept. There will be more sniffing in this open network. He said there is a barrier to getting warrants because of limited resources. Ozer challenged him on this, saying there were provisions for telephone warrants.
Graham Barnes, Covad NextWeb They are not bidders in the project. We are caught in the middle. With the freedom comes an openness that includes some tradeoffs the user may not understand. Last month was the first time there are more broadband subscribers(200 Kb/sec or greater) than dialup in the U.S. Two ways of producing revenue: tracking aggregate data. he claims single user data is not valuable to anyone. But he mentions targeted advertising, a la Google.
Lauren Gelman, Stanford Internet Center. said there's another model to let the market figure out who puts repeaters on the city phone poles. It need not be a monopoly. She seemed to agree with much of what Ozer said.
John Tuomy, Secure Content, Inc. Working with school boards on IT security issues. The federal government is not funding ed tech any more. Most superintendents feel like they can't handle any more complexities. School officials are risk averse and they want to protect their kids and data about families. There are more that 1000 schools in many districts for this project. There are great benefits and risks. Equal access to families will be useful to those who can't or won't afford it.
SANS institute said that last week was the greatest week for break-ins. Most take place in school and university computer networks. Dangers of porn and My Space. but the universal access will be valuable. This service should not be tied to a credit card. That's why prepaid cell phones are so important in the walled garden of cellular services. Educators don't want a wide-open system; they want to track 'evildoers.'
Jane Light San Jose Public Library. We have 10 years experience in providing public access to the Internet. We have about 1.2 million sessions a year on 600 computers. Some do not have access at home; some do. We have fast access and researchers use it along with other sources such as printed matter and site-licensed databases in the library. More importantly is our many years of experience in providing free and open access and ensuring that it is free to people. Library users expect that their use won't be tracked. Our records are kept confidential unless there is a court order, but this is rare.
Many libraries have added wireless service to their wired networks. This JV program is a governmental action we are taking, so we have to give much more thought to privacy issues. The standard enduser agreement is completely inadequate for a municipally sponsored project. It's too complicated. the public expects that the muni access will protect their privacy. Wifi does not do much for those who have no computer. It's a short term issue because of the development of new generation cell phones.
Q&A
In other muni systems these issues have not been addressed properly, especially San Francisco dealing with Google and Earthlink.
Can there be software to detect sniffers and other problem users? Google is going to provide a virtual private network client in Mountain View. this will allow users to encrypt their traffic. <But will they, any more than parents use filters or V-chip on television sets?>
Graham: "when people think they are using the I anonymously and they are not, that is the real challenge."
A big problem is that several vendors want to take a credit card to use the system. Of course this cuts out a lot of kids and people with poor credit or no card. Library card should not be used as a universal identifier. It's exempt from the public records act. A credit card is not fair. We could use a student ID.
Gelman said we might have a pre-paid card for a small amount of time. She thinks this would 'address the digital divide issue" but this seems ludicrous for what is billed as a free service at one tier. Why should people have to buy something that's free?
How do you audit compliance with the provisions in a service. Hall: there's a civil incentive to conform to what they say they will do. Ozer: the Calif article one section one, digital issues are handled.
The
session ended promptly at 10 a.m. In two hours there were a lot of
positions stated clearly but little heated debate. As the task force
negotiates with the finalists it is hard to understand how they can
convince the provider not to "monetize" the user's
information and adequately protect our privacy. Much of the public
seems willing to give up some privacy and civil rights in a perceived
exchange for coupons, free services, and to support the federal
government's war on terror. Think of it, the city of
San Jose controls the airport and the library. The intrusions and
safety measures we put up with at airports is getting worse and will
spread to other parts of our daily life while the oasis of the
library where the system is meant to serve and protect the
user is not appreciated enough for the values it helps preserve. -Steve Cisler
Recent Comments