• Privacy & Security

last modified November 19, 2011 by tomlowenhaupt

Ask people about security and privacy and you'll find they want to maximize both. But as privacy diminishes security and absolute security obliterates privacy, a fair balance is necessary. Here we seek equitable privacy and security policies to guide the operation of the .nyc TLD.


Navigating the Scylla & Charybdis of Privacy & Security


Avoiding an Orwellian Future

[Photo: privacy.jpg. Commons photo courtesy of Mikey G. Ottawa.]

"Privacy is dead, get over it!"
                Scott McNealy

From a Realtime Community article quoting Carnegie Mellon's Latanya Sweeney:

"My answer is that the privacy problems that I've seen are probably best solved by the person who first created the technology. What we really have to do is train engineers and computer scientists to design and build technologies in the right kind of way from the beginning. Normally, engineers and computer scientists get ideas for technologies on their own and engage in a kind of circular thinking and develop a prototype of their solution and then do some kind of testing. But we are saying we will give them tools that help them see who are the stakeholders and do a risk assessment, and then see what barriers will come up and deal with the riskiest problems and work to solve them in the technology design. I think if we are successful in producing a new breed of engineers and computer scientists, society will really benefit. The whole technology-dialectics thing is really aiming at how you should go about teaching engineers and computer scientists to think about user acceptance and social adoption [and also that they] have to think about barriers to technology [from the beginning]. So the best scenario is that this kind of training takes hold and as new technologies emerge they are less likely to be constantly clashing with accept-or-reject options."

Of Note

Afilias Announces New Policy To Make .INFO Even Safer For Internet Users

~~~

New policy leads industry in the effective deterrence of abuses like phishing and spam

DUBLIN, IRELAND – 7 October 2008 – Afilias, a global provider of registry services, today announced a new registration policy that makes the nature of domain name abuses clear for registrants and registrars, and furthers the power of the registry to take quick and appropriate action regarding .INFO domains used for abusive behavior. This policy will go into effect on 6 November 2008.

"This policy is the result of over a year of dedicated work by Afilias to understand and curtail the abusive use of domain names, and to design effective deterrents," said Ram Mohan, Executive Vice President and Chief Technology Officer of Afilias. ".INFO's tremendous overall popularity has attracted criminals online, as do many other domains, so we are taking further firm action to protect users by improving detection and enforcement actions."

Under the policy, abusive use has been more clearly defined and includes, but is not limited to: phishing, e-mail spam and other types of spam, the willful distribution of malware, the use of botnets and fast-flux hosting, distribution of child pornography, illegal access to other computers or networks, and other illegal or fraudulent actions. Domains that are being abused will be reported to the sponsoring registrar, and Afilias has the option of removing them from the DNS and reporting the abuser to law enforcement. Afilias is committed to working closely with its registrars, legal authorities, security professionals, and others to rid the Internet of the scourge of domain abuse."

The full details of the .INFO Anti-Abuse Policy can be found at: http://www.info.info/info/abusive_use_policy.

Security

With the Internet in a state of flux, disorganization, and disrepair, one way the .nyc TLD might benefit a great city is through the creation of a more secure Internet. By a secure Internet we imagine one where trust prevails; where person and property are safe from theft and tampering. In a highly digital society safety at home is a social-psychological need obliging the modern democratic state to act.

Former British Prime Minister Gordon Brown described the task of securing borders this way:

Just as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, in the 21st century we also have to secure our position in cyberspace in order to give people and businesses the confidence they need to operate safely there.[1]

The questions for New York City are: what are .nyc's borders, and who will secure them? Are we concerned only with names within the .nyc TLD or the online security needs of all residents and organizations?

The following are being evaluated for their value in providing security for those under the .nyc umbrella:

  • Registration Oversight - When we ask people if they like the comfort level within the .gov or .edu environment, everyone nods, "yes absolutely." But the reality is that at $20 for a domain name - a rate that would make .nyc names readily accessible, another goal - there's no way to perform a thorough security check. So how do we avoid the disorder of the .com and .net TLDs? One advantage we have is that time is on our side: there is no immediate, desperate need to issue names. (See Time and the .nyc TLD.)
  • Education - The promise that technology alone will provide for our security is hollow for the foreseeable future. Internet security will always require an educated public. Public education is of course a key step to creating a trusted .nyc web, and education is a key mission of Connecting.nyc Inc. Both online and off we will present New Yorkers with techniques they can follow to create beneficial online experiences. We will develop a security curriculum to address these concerns.

Privacy

In this era of the Open & Transparent, privacy is frequently seen by many, especially the young, as unimportant. Some say: “If you have nothing to hide, then what do you have to fear?”

This video might get the Scott McNealy-types (see sidebar) thinking. And see Daniel J. Solove's analysis of the "I've Got Nothing To Hide" fallacy. Here's a quote:

data mining aims to be predictive of behavior, striving to prognosticate about our future actions. People who match certain profiles are deemed likely to engage in a similar pattern of behavior. It is quite difficult to refute actions that one has not yet done. Having nothing to hide will not always dispel predictions of future activity. The problems are not just Orwellian, but Kafkaesque.

      Privacy is the ability of an individual or group to keep their lives and personal affairs out of public view, or to control the flow of information about themselves. In fulfillment of our education mission we will:

      • develop a privacy curriculum to address these concerns,
      • set aside privacy.nyc and similar names where New Yorkers can learn about the issue,
      • develop a privacy policy on the use of data acquired by accessing the registry (see DNS Data Log),
      • develop public spaces where privacy options are visible.

      Basic principles to meet individual privacy expectations need to be established. These should include:

      • Users must have a simple way to opt out of any data sharing. Too often controls are hard to interpret, if you can find them at all.
      • Companies that collect data should tell users what information is being shared and regularly remind them of their options, including opting out.
      • Firms should only gather information essential to the services they're providing.
      • Companies should prominently display a description of the other companies they share customer data with, and why.
      • When a company changes its rules, it should fully disclose the changes in clear language.   

      Security/Privacy and TLDs

      In these early days of planning for the .nyc TLD, we are thinking about ways a TLD might be used to improve civic life, about how .nyc might facilitate privacy and security. Might the DNS play a role in improving civic life in our small geographic entity? A while back, a DNS inventor answered our question on this as follows:

      I think your challenge is a bit different from the technical. 
      What you really need to do is either:
      
         - go down the same old roads that were pioneered by .com,
           .biz, .cat, ...
      
         - try and come up with a totally new paradigm (assuming
           you haven't painted yourself in a corner already with ICANN)
      
      It's more about thinking of a structure that's innovative and breaks
      the mold, I think. I'd suggest you do a lot of thinking about that
      before you get too immersed and ossified in the old way of doing
      things. It's about thinking of what you could do by giving all of
      your constituents a unique digital identity and an organization
      for those identities.
      
      Good luck!

      We explore possibilities of this sort on our Identity page. Another DNS app that combines both privacy and security in a most complex way is the DNS Data Query Log file: how it is maintained and accessed, by whom, and when.

      Search Transparency

      A related issue is search transparency. At a civic level, it's vital that we know why a search presents one site higher than another. For example, think of search within the governance realm: we cannot be dependent on an opaque, "secret sauce" search supplier to set our priorities in issue and candidate listings. The same goes for creating a level business environment. But you might imagine that the big engines will find it difficult to operate under today's shadow of suspicion, and choose to open up. With suitable transparency they might be trustworthy for civic use, with connecting.nyc's role relegated to one of testing and assurance. See Transparent Search for more on this.


      1. Tom Espiner, “UK launches dedicated cybersecurity agency,” ZDNet UK online, 25 June 2009.