I537: Social Informatics of Security
L Jean Camp
1031 Eigenmann
Scheduled for Fall 2006
Please Look for Unlinked Readings at OnCourse
Introduction and Course Overview
August 28
The first day is for introductions, overviews and expectations.
Topic 1: Fundamentals of Security as Social Informatics
Social Informatics of Security is a case-based course on privacy and security in social contexts. Privacy and security technologies can diverge from their designers' intentions. Privacy-enhancing technologies have been used to defeat data protection legislation, and cryptographic technologies of freedom can be used by corrupt regimes to protect their records from external view. This overview will take at most two sessions.
August 30
What is privacy?
You are supposed to read THE DISSENT, the famed Olmstead Dissent. The entire document is readable.
Warren and Brandeis, available on OnCourse: Warren, Samuel D. and Brandeis, Louis D., The Right to Privacy, Harvard Law Review, Vol. IV, No. 5, Dec. 15, 1890, pp 193-220.
In this discussion of privacy the authors make two interesting claims. First, that the application of the concept of privacy should be technology-neutral. Second, that the technologies themselves demand responses. These articles provide a nice framework for Topics 2 and 3.
September 4
Having spent time discussing the early classic defenses of privacy, let us look at modern privacy. As journalists were the bane of Brandeis, bloggers today are the source of similar privacy issues. There are no classical writings on blogging v. privacy, so here are links to cases that we will discuss in class.
Here are the perspectives of Jews on First and the Stop the ACLU posting of plaintiffs' names.
Malkin Against Students Against War. Student protesters found that their contact information was posted on Malkin's blog. See the articles http://www.santacruzsentinel.com/archive/2006/April/22/local/stories/02local.htm, here Malkin Posts Information twice, discussion from the punditry, an argument on SAW's site and, finally, arguments that posting her contact information was or was not acceptable.
Now that was unfiltered discussion, including some randomness, rhetorical fallacies, and a bit of populist garbage. To make this a worthwhile discussion consider blogging as an amplifying technology. Just as lithography, the penny press, dime novels, and pamphlets created the first level of concern over privacy, blogging technology creates another. When everyone is a journalist, is everyone a public figure? If you post on the net are you a public figure? And what role does anonymity play in blogging?
Now read this article about the cost of anonymity, The Social Cost of Cheap Nyms. How does this apply? Does it apply?
September 6
Guest Speakers: Paul Syverson and Roger Dingledine
Readings: Introduction to TOR
September 11
Nissenbaum: Security as computer security and security as national security.
Now there is a shared concept of privacy and security. The conflicts between privacy and security will be a major theme continuing in this class. This article provides two very different concepts of security, particularly as security relates to privacy.
Topic 2: Technological Determinism
In the last three sessions we have looked at two sets of technical change: one from the past century and one from the past decade. Do technologies cause social change or does social change drive technology? We are going to discuss that first in the case of the printing press, certainly an information revolution, and then in a situation where technology arguably drove policy.
September 13
Eisenstein, The Printing Press as an Agent of Change, excerpt
September 18
Bimber, Does Technology Drive History?, excerpt
Fischer, Touch Someone: The Telephone Industry Discovers Sociability, on OnCourse.
The telephone was invented by Ma Bell so we could reach out and touch someone. Today the phone is a toy, a camera, an accessory and also a tracking device. This is not how it was initially conceptualized.
September 20
In the general case and in the specific case of privacy, we have questioned how society is influenced by technology, and how technology influences society. Some theory with an emphasis on historical cases of information technologies (e.g., the telephone and the printing press) has hopefully proved useful.
When code is law, and when law defines code, are or are not exceptions. Code, societal responses, social belief systems, and uses of technology are complex interactions, not unidirectional forces. Finally, this frames the issue of accountability when designing or purchasing information and communications technologies.
Lessig: Code and Other Laws of Cyberspace, Basic Books, 1999, Chapter 7: What Things Regulate pp. 85-99
Kesan and Shah, Establishing Software Defaults: Perspectives from Law, CS, and Behavioral Econ., available on OnCourse.
September 25
How will emerging technologies further redefine concepts of data control? Pervasive computing means ubiquitous data flows.
Security and Privacy in Radio-Frequency Identification Devices, pp 8-14; 27-31; pp 57-60, on OnCourse.
Location Privacy in Ubicomp, on OnCourse.
Topic 3: Social and Technical Concepts of Trust
Not only could the competing concepts of trust be a course in itself, but entire courses have also been built around each of these discrete concepts. Marketing, psychology, computer security, social theory and organizational theory all have different concepts of trust. We review these competing concepts, and use this session to evaluate security technologies.
September 27
PEW report on spam and phishing, available here: http://www.pewinternet.org/PPF/r/155/report_display.asp
Guest Speaker: Markus Jakobsson
October 2
What is Trusted Computing?
Trustworthy Computing Group backgrounder describes itself from the perspective of enhanced network security.
Anderson, Trusted Computing Platform analysis and frequently asked questions.
Interestingly enough, the TCB backgrounder that most clearly defined the program appears to have disappeared. Of course, now trusted computing is called Next Generation Secure Computing Base. An alternative paper is on the OnCourse page.
Lucky Green talks about Treacherous Computing at Defcon X, 2002
A nice transition to the next section: trusted device authentication
Topic 4: The Techno-Social Construction of Identity
Identity theft is a particularly interesting name for a type of fraud that, ironically, takes advantage of social distance and the lack of identities in electronic contexts.
Identity theft and phishing are considered online crimes, while the most significant portion occurs through the mail and phone systems. Identity construction as social and organizational is discussed during these sessions.
Two of the cases considered here, X.509 and PGP, have been well examined. Identity management systems make assumptions about a fundamental question: who are we? Role-based systems, federated identity systems, and centralized systems implement different views of identity, authentication and trust. Agency and contracts are discussed. Examples rich with rhetoric are stripped to the essential forces at play.
October 4
What are biometrics?
Newton, Elaine M. and J. D. Woodward, Biometrics: A Technical Primer, adapted from John D. Woodward, Katherine W. Webb, Elaine M. Newton et al., Appendix A, Biometrics: A Technical Primer, "Army Biometric Applications: Identifying and Addressing Sociocultural Concerns," RAND/MR-1237-A, Santa Monica, CA: RAND, 2001.
October 9
Columbus Day. Sick day. Not related events.
October 11
Technical Construction of Identity
Who Goes There? Authentication Through the Lens of Privacy.
www7.nationalacademies.org/cstb/pub_authentication.html
October 11
Readings on PKI and on the keynote trust architecture on OnCourse. The core class question today is on the instantiation of trust.
October 16
What is privacy? Is it a preference? Hochheiser's analysis and a reading by Cranor on the OnCourse site ask these questions.
October 23
Wiretapping: How Legal?
The War of Information': The Constitution, the Foreign Intelligence Surveillance Act, and the President's Warrantless Wiretapping Program
Download at http://ssrn.com/abstract=899820
October 25
Wiretapping: How Cost Effective?
Song, Technology, Terrorism and the Fishbowl Effect: An Economic Analysis of Surveillance and Searches, Berkman Center for Internet & Society.
Economics of Mass Surveillance, www.cosic.esat.kuleuven.be/publications/article-788.pdf
October 30
Wiretapping: How Effective?
Schneier on Security: Two Articles
http://www.schneier.com/blog/archives/2006/08/terrorism_secur.html Security Theater
http://www.wired.com/news/columns/0,71968-0.html?tw=wn_index_3 Security and Architecture
http://www.wired.com/news/columns/1,70886-0.html The Value of Privacy
November 1
Surveillance and DRM
http://www.law.duke.edu/boylesite/foucault.htm Surveillance, Sovereignty, and Hard-Wired Censors
November 6
DRM
Julie Cohen, The Right to Read Anonymously
November 8
DRM
Samuelson: Towards More Sensible Anti-circumvention Legislation
FYI: Sony Corp. v. Universal City Studios, Inc. 464 U.S. 417 (1984).
November 13
DRM and Economics
www.eecs.harvard.edu/~stuart/papers/eis03.pdf Economics of Trusted Computing
www.firstmonday.org/issues/issue6_8/pfahl/ Music and Money
November 15
Reading on OnCourse
November 20
DRM to Games
BitDefender Labs detects Sony DRM trojan
http://blogs.zdnet.com/Spyware/?p=699
Trojan horse exploits Sony DRM copy protection vulnerability
http://www.sophos.com/pressoffice/news/articles/2005/11/stinxe.html
EFF Deep Links, A New Gaming Feature - Spyware, October 20, 2005
http://www.eff.org/deeplinks/archives/004076.php
Blizzard's response
http://forums.worldofwarcraft.com/thread.aspx?fn=blizzard-archive&t=33&p=1&tmp=1#post33
November 22
Thanksgiving Day Recess!
November 27
Patents: The Good, the Bad, the Ugly
November 29
Usable security.
Dec 4
Usable security.
Dec 6
The Great Ethics Debate.