Thursday, May 31, 2012

My Rightscon Rio Live Blog Day 1: Conclusion


[Disclaimer: The views and errors here are my own and do not represent anyone else, for one thing, they're likely 20% snarkier.]

Access Innovation Prize announced, focusing on gaps in human rights space

1: Blackout resilience - $25K for best blackout resilience tech.
2: Crypto - Proper integration into existing sys., encrypt. edu., or building community for use by default
3: Bounty for best patch of known/unknown platform used by activists
4: Golden jellybean - Other really cool things.  Great training program/research idea/censorship circumvention = $20K
5: Access Facebook award - Best idea to promote human rights/development on Facebook

App. process starts now and goes until August 15th.  Looking for things that are impactful, idea that has real impact for real life people and will likely turn into something real.  Also cool stuff that's new, but grounded and is measurable/sustainable.

Putting together judging panel, includes McLaughlin, for Facebook award, rep. from Facebook will come up.
*biting my tongue here on how sincere about privacy*  Brett says can also apply ideas to change Facebook platform (stop real name policies much??!!)
This is not government money (thank God/the Interwebz/Science)

And now, some info on party after conference (addresses were given, we had some lime cocktails that were the best booze I've ever had.  Yes, I'm slightly drunk while editing these notes. Don't do that, boys and girls.  Drink school, stay in drugs, and don't do milk.)

Some background on FGV, pretty much Brazil's Berkman Center/Gipi

Thoughts on regulation of Internet in Brazil.  Today there are no laws that regulate it.  So people think "OK, no rules, we're free!", well instead it means many problems due to fact that there is no legislation.  One problem is proliferation of lawsuits.  One judge starts taking one decision, and other judges take other side, there's no precedent yet, Supreme Court puts out contradictory rulings.  YouTube was taken off air for a few days due to a lawsuit caused by an "intimate conversation" involving a Brazilian celebrity in Spain; the vid was totally removed.
Lawsuits against bloggers also common, blogger got comment posted and was sued for it, no clear standard.

Data requests and content removal also a problem.  Google transparency report, Brazil is world leader in data requests coming from government bodies, above U.S.  China we don't know since they didn't provide the data.

Some years ago there was a child protection commission built to hinder and punish pedophilia.

Cybercrime commission: "Azeredo law", a vaguely worded law that would criminalize jailbreaking phones (4 years in jail!).  You don't wanna spend 4 years in a Brazilian jail.  After 1st vote in Senate, huge backlash which led to broader discussion.  There was a petition with tons of signatures, and before this there was talk of an Internet Bill of Rights.
Origin here is idea of protecting rights instead of direction of criminalizing.  So civil framework is collaborative law, made in very transparent way through the Internet ("consent of the networked" and all that jazz), so here Minister of Justice was present for deliberations on this.
Key provisions were
1. Privacy
2. Limits to data retention
3. Rights of Access
4. Intermediaries' liability
5. spam
6. spam
7. spam (not a fast typer)

Lots of comments were processed, took almost a year.  This all went like Icelandic constitution.

Had some repercussions in Eur. Parliament, France, Germany, model is being used in other legislative initiatives (damn, can you even imagine Amer. politics working like this?)

Congress will vote on the "Marco Civil" (Internet Bill of Rights) hopefully in the next few weeks.

Next speaker: Sorry, I have something else on my mind.

We also don't want to be researched without our knowing about it, this is in executive protection, but we want to detail it more.   Second point is about net neutrality, we want to learn from other countries' experiences and detail what neutrality is all about, we need a regulation that doesn't unconsciously impact that neutrality...out of power.  I've been running on adrenaline and caffeine all day(s).  All I can do now is listen.

Still bugging me is McLaughlin's reasoning, I'm a little uncertain about exact terms:

Internet is democratizing and decentralizing access to information
Information is power
----------------------------------------------------------------
Internet is democratizing and decentralizing access to power

(In the unlikely event you're reading this, Mr. McLaughlin, feel free to critique)

Simple, Discrete Math inductive logic.  I forget the name of the inference used.  Will come back to this later.  We're done, now cocktail party.

My Rightscon Rio Live blog Day 1: Privacy and Data Protection Online: How Companies, Governments, and Users Can Promote Online Privacy

[Disclaimer: This is meant to be completely separate from Access' Live Blog.  This is all my notes and my perspective of what was said, with at least 20% more snark.]

Privacy and Data Protection Panel

[Gap in English translation]  The major issue to deal with here is building of new methods and regulations and technical solutions to protect and enforce protection provisions on the Web.

Start with Prof. Nelson and theoretical discussion of privacy, how it has changed recently, and later broader issue of online privacy.

The major issue is relevance.  I think that historically we had two reasons for data protection: (1) human rights, [brain fart], (2) circulation of data, econ integration, since the 70s we have seen laws originally from Germany....7 countries with privacy laws that follow European model, and strategies to foster data protection.

Education is of course important, how to use laptops, etc.

Companies need to know that this is an important asset (the translation overlaid on the Portuguese is distracting here)

[btw, many Skype server nodes are run by MSFT, learned over lunch]

Morozov, why couldn't you make it here?

Sarah Altschuler: First, I work through a corp. social responsibility law practice.  When we talk to companies about policy, we put it in a human rights practice.  For many companies, this stuff is about compliance, not human rights.  Ex. trying to push UN human rights criteria for online privacy
We work on how comps protect privacy as a human rights concern.  If the company has developed certain principles around protection of user data, then they are understood all up and down the chain of command, board to code monkeys.

We also talk about biz practices on what data you need to collect and how long, and where it is stored.  We frequently talk about location of data stores and do due diligence on countries where that data is stored (Goog and Kazakhstan much?), and when it's ok to say we can't put a data center in country X.

Comm. for users, edu. component is key.  How are users engaged with platform, understand terms of service/their obligations/options.

How we make sure that requests for data are compliant with local law, and how/where they can push back.
Here there can be a large role for public sector, so U.S. can say back up dialogue with repressive regimes.  Still not dealing with repression from "the East" (Russia/Ukraine)

Q: We've been seeing some companies getting and abusing data, can you comment on some strategies that have tried to tackle that?

This is one of those where it's incredibly important for dialogue across the company about policy on user data protection, because they're trying to monetize it (predictive analytics).  But can be a problem of "What's our 3/5 year plan?" and other parts "how can we minimize disclosure and sharing?"  Can't be in separate compartments.  Some of this is what users are willing to tolerate, some of it is regulation (there was an allusion to "do not track" we'll get to later)

Bruno Magrani: Mario, We've been seeing a number of strategies adopted by companies about downloads and self-regulation.  There's some criticisms (not enough!), but what I'd like you to comment on is what are the self-regulation strategies out there now.  Are they efficient or not? 

Mario: I represent the insurance industry, which is very used to dealing with information, which is very vital to it and how it does business.  There's a number of databases involved, re: vehicles, customs, delicate information.  So the insurance sector has been dealing with data forever, and of course the volume of data has exploded of late.  So this sector--we have to view the consumer all the time, and s/he isn't passive anymore, they want information, they want to participate.  When you deal with insurance [not liking this translator, or maybe it's just me], so we decided to try to take a step ahead and get ahead of the legislation.  We're all in favor of it...now the insurance sector can't just wait for legislation, we have to deal with a situation that already exists, so we have some kind of regulatory framework (something like PCI-DSS? yes, exactly like PCI-DSS), and if you don't comply, you can be subjected to various sanctions (loss of business, bad press, etc.)
In Brazil, the insurance biz. wants to be a pioneer in self-regulation practices, even ahead of the government. 

Back to Magrani: In the distinction between regulation and self-regulation, can you say some more on this topic in terms of FTC trying light "we don't want to break it" approach, or whether this has been effective in protecting user's privacy online and [something about business models]

Altschuler:  It's hard to tell if this User's Bill of Rights thing has been effective.  I'm a Washington lawyer, I don't expect Capitol Hill to make sense, and we're dealing with an institution that doesn't understand these issues all that well.  Also a problem, since the biz. community would rather self-regulate than deal with "series of tubes" people.  We work a lot with GNI, where you commit to principles, but it isn't one size fits all.  Do you have practices/processes out for ind. review and assessment, and are you engaging with civil society groups on this?  I see that as part of the effort to get companies on board with self-regulation.  We have another practice in our firm on sec. and data privacy specifically.  We're working very much on compliance and data breach policy, and there you have a lot of significant fines for data breaches.  I'm not one to think that tech. isn't the full answer, but we really don't have a lot of legislators who understand this, and so I very much prefer self-regulation.

Magrani: More technical approach to data protection?

JAKE APPELBAUM!!!:  First I think everyone has right to speak freely and to read.  So we have to talk about privilege a little bit, so to talk about privacy, we have to talk about how companies are incentivized to do what we want.  In some cases, insurance industry is surveillance industry, they surveil an area to determine rates.   Facebook can be recontextualized as Stasibook, given opportunities for snitching and spying.  In the case of Skype, my understanding is that when MSFT acquired Skype, they agreed to add lawful intercept (read: spy) capabilities.  But when your tech. is reduced to whether or not you have due process, you have failed (WIN!).  So there have been several cases where Skype has been weakened (ex. CALEA), so for Skype to comply with these laws, they leave everyone in a vulnerable state, and instead of making these kinds of compromises, companies like Skype should be pushing for end-to-end secure communication.  We should have something like Diaspora, and maybe that will work, but the $$$ really comes from surveillance, and it's very hard that way to get Facebook to throw away its pool of money.  We need to recontextualize this like safe sex, we have a responsibility to ourselves and others for secure communications, and when we don't use it, there is a transitive danger to others.

Look these up, he recommends them, therefore they're cool
ZRTP
OSTel - can install on your phone tomorrow
TechSecure from Moxie Marlinspike (a little Googling and looking at Marlinspike's site (which is worth a visit regardless) didn't show anything.  Post a comment if you know what he was referring to)
RedPhone
CryptoPhone
Gipsi (sp? Again, not sure what he was referring to)

J.A: Companies can still make money on this, and with tech. like this
First, we have to admit there's a problem, first the police and later the state.
For the FBI to intercept my phone calls, her phone has to be insecure, and then someone can track her and all her calls
For that to happen, we all have to have the same problem.  We can stop this, at the cost of not listening to my phone calls
This can't happen without large econ. incentives to change the way we look at this stuff.  OSTel has built a full telecom system with full secure encryption.  We all need to make a decision that all being secure, including the bad guys beats all insecure with some bad guys caught.

Magrani: How can we convince governments/ incentivize them to demand more security protections?

Other guy: We are in a society with different players.  How many of you have decided to accept ??????  another thing, that issue of self-regulation...[sorry, the double speech (Portuguese and English translation) is a huge problem here.] Claims there are no borders on Internet and now very self-

[Network made my computer barf for a sec, not much lost in interim]

Not sure if I'm not paying close enough attention, or he's not actually saying anything.  Happens all the time with lawyers.
From what I am getting, he's talking completely past what Appelbaum said
yup, if you want all of this, see the legit liveblog.  So, who's here?  Yeah, I got nuthin'.

How long has this guy been talking?  30 minutes?  Made mention of national sec. exceptions

after notes on paper from Appelbaum: 1st, we should question idea that state has power to suspend rights.  Ex. in Greece '06 & Vodafone PM & several pols were tapped, guy behind it found suicided.  Creates real risk of abuse that previously belonged to the military.  Internet challenges the national security state.  If Google can be compromised by the Chinese, no one can do better.  To me it's very scary to hear people talk about state as if it's perfect.  How many cops who have committed police brutality on Internet?  Lots more than child pornographers.  If we want to give privacy, we have to give to the bad guys as well.

Response: ...yeah..

Questions: From developer, question for Appelbaum, I understand need to keep Tor intact, but where does the line need to be drawn for privacy?  Should we go further and say cops can't follow people in the street?  CCTV?  Cameras?
Appelbaum: I'll see your trolling and raise you.  It's important to point out we're talking about expansion of police powers.  History with FBI has not been exclusively that they will be used as sold.  Does cop have right to follow you?  Maybe.  Should you have right to impersonate a cop and follow? Maybe on Halloween.
From analog sense, it's like every road should have cameras and mics, and only some people have access to that equip.  This is not a world I want to live in.  I don't want a world where cops can do covert surveillance.  We should not allow the Internet to go in ways that society should not have gone but has gone anyways.  Not building backdoors is a matter of accountability.  Prob. here is sec. agencies get a free pass.  We don't know from facts that they're being honest.  With technology, we can equalize much of this (this is a big leap from the way I've thought, but I kinda like it).

What is a best practice for an insurance company that does surveillance?  It's not clear that beyond regulations, corporations have any incentive to make a decision to keep data private

A. Altschuler: I do see a role for regulation.  Large fines for data breaches have incentivized beefing up on data security.  I think in some of the more iterative conversations.  I think there's a lot of a role for multi-stakeholder approach (take a shot, we've expanded the drinking game now beyond mentions of the Arab Spring)

Question: From judge from state of Rio de Janeiro, concern in terms of privacy.  Is there any means to virtualize a page with false data in false social network, e.g. web page with false data?

[Here the double-speak plus probably my own exhaustion took over.]
END

My Rightscon Rio Live Blog, Day 1

[Disclaimer: This is meant to be completely separate from Access' Live Blog.  This is all my notes and my perspective of what was said, with at least 20% more snark.]



Here's my notes from the first conference panel I attended at Rightscon, "Open Empowerment - How Digital Natives are Changing the World and What it Means for Democracy, Human Rights, Criminality, and Security ".  It's a little scattershot, but there's some fun stuff in here.

Creating rule of law in cyberspace

Open empowerment

[tak dali = Russian for etc.]

World Bank study of countries since the 50s, level of econ. development, everything below blue line can be based on "human factors", rest is "leveraging" information, sci. progress, claim is individual empowerment good for business (yeah, we'll need the slides).

For those from rights community, ICT really broke info. monopoly (Soviet graphic up there)
again comparison to Gutenberg

and now space is being contested (yes, a certain kind of dictatorship died in 1991).

Open global commons vs. corporatized/state-dominated space is key battlefield here.

first item: technological change, "has outpaced ability of regulators to act proactively", uhm, no, Misra anecdote.
well, example of cloud computing...ehhhhh....
raises significant issues of rights, ex. in Canada, 30% of Google's cloud hosted there, whose jurisdiction (recall Kazakh example a year back).

90% of Canadian email cleaned by company in Portland, Ore., now grey area question, still being tackled by int'l law.

MOBILE TECHNOLOGIES
Eh, Tajikistan is "the global north", #itsforlatinamerica

THE INTERNET OF THINGS (IPv6 + NATs)

Cloud computing + mobile + internet of things = Inet is now completely generative limited by only "intellect" and "capital" (as if there's no relation there)

Demographics of Cyberspace

U.S. 15% of Inet population, center of gravity being pushed to South and East, out of Silicon Valley.

3 in 5 poor users in failed states, median age of 18, significant youth cultures, so demands to practice what you preach + upward mobility
Think Malenkaya Vera (a very important late Soviet film that captured the full extent to which the USSR had failed to meet its promise of a classless society) and tak dali, Nazarbayev knows.

Globalized cybercrime

Ah, those old KGB thugs.  Much less risky to steal somebody's credit card number in New York than to fight over Rubles in Petropavlovsk.
Forming new underclass of cyberspace that will force us to face certain basic social issues.

Take a shot each time someone mentions the Arab Spring #rightscondrinkinggame
New form of protest possibly forming with the Internet.  Picket lines were illegal until the 20s in the U.S. Should DDoS be a 21st century picket line?  EEEEEEEEHHHHHHHHHHHHHHHHH..........

BORDERS IN CYBERSPACE

[Many things we know from CIS research/Morozov]

RELATION TO LATIN AMERICA

Open empowerment, two extremes (one photo, iphones, one photo a gun)

empowerment has taken Econ. rather than political forms.  Damn I should have tried the mobile conference.

Latin America one of the faster growing ICT markets.  60% users located in Brazil and Mexico.  4% through mobile phones (!!!), not like CIS AT ALL
2/3rds under 35, 1/3rd under 24.  Only just now beginning to worry about adult things (family, etc.).  Reasons for engaging in cyberspace only now starting to reach forefront.  Latin America also most overrepresented in social media.  84% of Internet users use Facebook, which has overtaken Orkut (maybe explains those fake friend requests I kept getting), almost certainly identity theft.  In Costa Rica, phishing sites have jumped 14,000%

Arms/narcotrafficking has taken advantage, too. 

QUESTIONS
Is there some uniformity in how "digital natives" are pursuing their econ./soc. agendas?
What gov. reaction will occur?  Securitization (large and disproportional) of cyberspace?
Role of civil society?
What tools should we in civil society groups build?

PANEL:
Rafal Rohozinski : CEO, SecDev Group
Robert Muggah : Fellow, Instituto de Relações Internacionais, Pontifícia Universidade Católica do Rio de Janeiro
Misha Glenny : Writer & Professor, Columbia University
Camino Kavanagh : Senior Programme Coordinator & Fellow, NYU Centre on International Cooperation

Case of Mexico
Gangs that have taken to the Internet/gang culture, comment please?
Drug traffickers have dominated social media until recently, they're the ones who for the last 8-10 years have been able to almost systematically control entire communities (sound familiar?).  They have millions of dollars invested in human intel, for buying off govt's.
This could be helpful for tackling heroin trade in C. Asia.
20 years ago, an AS/400 was intercepted, imagine what they have now

Where do they get their cyber-capabilities?
Anywhere from 10-20K people disappeared in Mexico thnx to cartels.  Many of these people (cartel folks) came from high-tech backgrounds. 
Also in control of toll roads, so by the time you arrive they know who you are. 

Have they tried to buy into ISPs?  Ex of Anonymous vs. Mexican cartels seems to be tie-in
There does seem to be one, it seems like they could buy in to get info on two bloggers who were disappeared, and possibly through 4 generals who were arrested for their connections.  It's still a developing story.


#YoSoy132 demonstrations, 1st time folks using tech. (and offline too) against the cartels, comments?
When you live in this kind of destruction and see this movement of students essentially reclaiming lost territory, it's an exciting thing.
Popular image going around on Twitter is a pic of a dove pooping on Televisa (Mexican media network).

[Where's the key special sauce here that could be applied to C. Asia?  I can't help but think it's in the political culture.]

We're talking about several Latin Americas here, let's talk about Argentina.  Could you talk a little about key challenges of cyber security rights vs. legit gov. functions?

[Gap due to switch to Spanish/Portuguese headphones]

That has precisely to do with use of agents for criminal, like child porn for instance and other things which are considered pending, for example in Eur. Council.

These are offenses that are transnational, so we need int'l support, and possible chance for int'l agreements for extradition.  We're working very intensely with regulation of service networks.  And I do believe that there is lack of development of Argentina's legislation, not only lack of knowledge from operators but also lawyers, and mea culpa, we (judges, lawyers, etc.) all have to be more informed #fortheolds.  Also necessary to emphasize lack of IT experts,

Budapest Convention as potential model, very Eurocentric in some ways.  Defends interests more for developed north.  Is there Latin American sawse here?

In the questions we ask, BRIC countries are not going to add to these conventions, since they weren't invited, so they have the option to not adhere (well, Russia would skip in the first place, but anyway...).  So it will be very difficult to fight cybercrime, there have been some advances within the UN (hahahaha), and that could be excellent, but we have to take long-term view, not easy to do due to red tape.

Gustavo/Roberto - Open Empowerment (ok, I forgot the question)
There's a paper on Open Empowerment on the SecDev website.  Int'l level, no Latin American country has signed on to Budapest Convention.  Some Eurocentric perspective and less relevance to local realities, no country has signed on since 2004 (!!!).  Limited Latin American role, which will hopefully change with more awareness.  OAS Comprehensive Inter-American Strategy for Cybersecurity Threats (for terrorism, telecom, collaboration) has helped out tho (U.S. dominated?  They have their place, I guess).  At least 4 kinds of responses adopted:

1. Aligning and codifying legal frameworks for cybersecurity/cybercrime.  Legis. action, including Brazil revisions to penal code.

2. Specialized police units for cybercrime (phishing, ident. theft, etc.) not much for cartels and narcotrafficking

3. Computer search teams usually outside of government

4. Exec. branch entities, for managing internal infrastructure within governments.

Some observatories on cyberbullying too, issue of militaries involved too, not much militarization of cyberspace yet.  Only Brazil has Cyber Defense Command est. 2010.  Not as much as America/Eastern Europe/China.

Only official filtering policy in Cuba (well, we know about isolated decisions in Venezuela, elsewhere via court order).

what about Central America?  Largely recovering from conflicts and drug trade, lots of security aid.  What do you think about securing that region?

Good question, really understudied.  Point is levels of penetration, great heterogeneity.  Brazil/Argentina well above global average.  Honduras/El Salvador/Caribbean < 20%
Important to recognize variation.  On those challenges, speaker has been working on tracking changes across the region. 

Murder rates very, very high in Central America/Latin America/Caribbean - El Salvador/Caribbean/Brazil (!!!) etc.
Threat often from gangs, nobody really knows how many.  What we've seen is "heavy handed" responses for at-risk youths, heavy deployment of police.
Started in 2003 and has spread.  U.S. assistance has come in to help with this, billions of $ poured in for sec. initiatives (alphabet soup of initiatives)
So we have a climate of securitization in parts of Central America.  What is clear is that there is a significant lack of capacity to deal with this
threat.  So we're at a real transition moment of low capacity and high potential. 

So paradox now is movement of empowerment for pol. purposes started here with original Rio conference (Earth Summit?), first solidarity networks came from here, now being taken over by criminal groups and attempts to contain neg. aspects of mobilization online.  So Turkmenistan/Uzbek. might find allies in Latin America who do this for economic reasons.

QUESTIONS

Isn't answer to gangs on Internet to deal with gang crime rather than using the tech. against them?
John Dillinger once said he robbed banks because that's where the money is.  Criminality in the culture, won't disappear.  Since transnational, tech. comes in and countries will respond.  That doesn't mean we go into root causes [brain fart, missed end]

Gangs in previous forms to transnationals today often used as pretext for strong heavy handed response (aka the boogeyman.  Uzbekistan has the IMU, Latin America has gangs).

There's a big difference between gangs and cartels.  A cartel is much more sophisticated, very much state capture, a la Bakiyev and drug agency abolition.

GO GO GADGET PORT. TRANSLATOR

Guy here looks like Zuckerberg with glasses.  Maybe he's here in disguise

(for all the Internet boosterist-sounding comments, damn I'm glad I came).  Also, I have no idea what the question was, no translation.  Maybe it was a comment.

When you say that pols are more and more under influence of cartels, and you say we should try to fight more with tech. means, aren't we actually giving more power to cartels if they control the gov't?

(ME: AYUH).  In some ways this is the paradox of state capture, there's no simple answer to that.  Where does regulation/empowerment come from?  Tech. or laws?  In many ways from both, cyberspace is synthetic domain built by engineers and can be influenced by laws.  So responsibility of engineers to understand the pol. consequences of their design decisions.  There's no true and right path, just several tricky and haphazard experiments.

[I missed the question, it's just before lunch.] - But it was LLOOOONNNGGGGGG

Guiana, we've seen cartels buying into cartels for money laundering and other criminal activities.

Conventional sec. reform approaches are often state-bound, but with cyberspace it gets interconnected with military and intelligence concerns.  A lot to do with information sharing and tak dali.

Issue of stigmatization and youth important here.  Many youth groups clustered together as gangs, need to make sure that sec. response doesn't expand beyond gangs proper.

We've seen communities if not in full control by cartels then severely intimidated (hanging bodies have that effect).  That's why YoSoy132 is so important, also old and young people, and expanding all throughout Mexico.

END