July 7, 1998

THE FABRIC OF PRIVACY IS VULNERABLE EVEN TO PIN PRICKS

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—Computerized incursions on our privacy have been in the spotlight for the past year. Two pending Congressional bills show that attacks can creep in from unexpected corners. Neither bill abridges privacy in itself, but both set precedents that can be unsettling if you’ve followed the history of privacy abuses.

The first bill is the Anti-slamming Amendments Act (H.R. 3888). As its name indicates, it concerns itself mostly with unethical marketing practices in the telephone industry. But stuck in at the end is a section controlling the sending of unsolicited commercial email (an annoyance discussed so often on the Internet that the term is often abbreviated to UCE), or the practice popularly called “spamming.”

I am as eager as anyone to get rid of UCE. If you have electronic mail, you probably are either sick of UCE or have taken extraordinary measures to rid yourself of it. But one clause of the Anti-slamming Act worries me: the requirement that UCE contain the sender’s “name, physical address, electronic mail address, and telephone number.”

Since UCE is defined fairly narrowly by the bill, I think the application of this clause to UCE does no harm. (It doesn’t do much good, either, as I shall explain later.) Commercial speech deserves regulation. But we must look carefully every time someone encroaches on the right to anonymity, as this bill does.

Anonymous email is a traditional haven provided by the Internet. Many therapeutic newsgroups are visited by recovering drug users, alcohol abusers, and victims of rape or child abuse, often using anonymous remailers or other technical means to disguise the sources of their mail. Anonymity is also reputed to be valuable for whistle-blowers, although the only incidents I know of its use for this purpose were the posting of internal Church of Scientology documents by its critics.

None of this is prevented by the Anti-slamming Act, but legislators need to remain sensitive to the value of anonymity. If UCE or any other email abuse pushes forward a drive to shut down anonymous remailers, many innocent people will suffer.

This was precisely the effect of a lawsuit by the Church of Scientology against a popular remailer in Finland that was the conduit for unauthorized news postings containing Church documents. The administrator of the remailer was forced in 1996 by a court to reveal the identity of the person making the postings, and thereupon shut down the remailer in disgust.

While offering a precedent against the right of anonymity, the Anti-slamming Act actually does little to stop UCE. Few spammers are really anonymous, even if they use fake email addresses. To buy their services you need their address, phone number, or Web URL, all of which would permit them to be traced if Congress passed a law with teeth. Neither the Anti-slamming Act or the related Murkowski bill has such teeth, which is why they are opposed by CAUCE, the major organization fighting UCE.

The one thin benefit of prohibiting fake email addresses is that system administrators and users can filter out email from known spammers. But the value of this practice would be greatly reduced by the bill, ironically, because it actually encourages spammers to change email accounts frequently.

The travesty of the act is that it makes the first email from any organization legal. It does not prevent the thousands of fly-by-night con artists from preying on millions of users as they do now.

Meanwhile, to shut off mail from any spamming account, you have to reply to the message and ask to be removed from their list. That’s the greatest gift you can offer a spammer (save for purchasing his folderol) because he knows you read your email and can sell your address to other spammers. To really help prevent UCE, a bill should restrict the sale of personal information, as privacy advocates have long requested.

The second surprise threat to privacy came buried in a copyright bill that is making fast headway through the House, H.R. 2281. Among its many far-reaching provisions—some of which are widely criticized by the academic, library, and computing communities—came one requiring that no one “circumvent a technological protection measure that effectively controls access to a work.”

The technological measures that the bill refers to include a kind of indelible code called a digital watermark. A digital watermark alters a tiny fraction of the thousands of bits that make up a graphic, audio recording, or video to embed information identifying the copyright owner.

What bothers privacy experts—and brought such experts as EPIC’s Marc Rotenberg to testify before a House subcommittee in June—is that proponents of digital watermarks suggest they be used to embed information about the buyer as well as the seller in each copy of a work. The intent is to trace unauthorized copies back to a pirate.

But if a movie maker or newspaper requires personal information identifying every user of its product, we lose the right we now have to read or view material anonymously. Someone can make a record of our preferences, and we do not know how that record may be used, whether for future marketing or as evidence about our character in court.

Of course, we don’t know whether embedding user information will actually enhance the value of digital watermarks, because they have hardly started to be deployed. H.R. 2281 is an unusual case of a bill regulating something that doesn’t yet exist.

It so happens that digital watermarking was the featured topic in the July issue of the computer field’s leading journal, the Communications of the ACM. Normally, coverage by that journal in itself indicates that the featured technology is not yet viable. And for digital watermarks, such an assessment is borne out by several authors.

In fact, the article by Craver, Yeo, and Yeung in the Communications gives me the impression digital watermarking is like Ronald Reagan’s favorite technology, the Strategic Defense Initiative (a.k.a “Star Wars”). Both are complex and costly defenses that can be easily punctured by a moderately clever attack.

The authors don’t even evaluate the essential step that starts copyright enforcement: finding copyright violations through “Web crawling.” This is the automated process of visiting thousands of Web sites and checking each image or audio clipping for a watermark. My hunch is that the costs of checking for violations will be prohibitive.

Both the anti-spamming bill and the copyright protection bill reveal a key dilemma of law enforcement: to stop an abuse you must be able to trace the abuser. While I avow that the Internet requires some regulation, I ask in every instance whether the benefits are worth it. And in these two cases, the answer is no.


Editor, O’Reilly Media
Author’s home page
Other articles in chronological order
Index to other articles