Cyberlaw: Difficult Issues Winter 2010 - User contributions [en]

Cybersecurity Project

2010-01-29T23:25:54Z

Rnagarajan: Ramesh's final project edits

''Topic Owners: Mike, Jason, Ramesh, and Sheel''

Saying that cybersecurity is a "difficult problem" is like saying that reversing global warming is a difficult problem: it's true, but it doesn't quite capture how devilishly complicated and multifaceted the problem really is. There's no single reason why creating a more secure global network is so difficult; it in part has to do with the radically-distributed architecture of the Net, in part with some deep flaws computer software for both consumers and businesses, and in part from the network's sheer size and importance to our daily lives. (For more on this, see the nice [[Cybersecurity]] backgrounder.)

Our group approached the problem not with the goal of inventing a panacea that would make all credit card transactions magically secure and make it impossible for hackers to [http://googleblog.blogspot.com/2010/01/new-approach-to-china.html compromise Gmail's security]. Instead, we wanted to offer suggestions with minimal implementation headaches and maximal benefit to users, from novices to experts.

The final "product" of our month-long thinking on this issue begins with a reasonably short video overview of our ideas [http://www.vimeo.com/9036735 here,] (or see below), explains some of the details of our proposal, and also has an alpha-release Firefox plugin that you can download and try out (thanks to [http://www.elance.com/ Elance] for making the plugin possible, by the way).

==Overview==

We discussed this topic at length in an in-class presentation on January 19. [http://www.vimeo.com/9036735 This] 9-minute video summarizes and extends the presentation we gave that day. The details on this page elaborate on the proposals mentioned in the video.

==Guiding Principles==

Before turning to the specific proposals we've made to improve cybersecurity, it's helpful to discuss some of the guiding principles that have informed our work. We applaud the [http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf government's] attempts to improve cybersecurity, but don't believe that a top-down, regulatory or legislative solution is a panacea.

====Empowering Users====
Cybersecurity is a huge, complicated problem, conceivably including everything from keeping the electrical grid from going down to garden-variety phishing spam. We consciously left the [http://www.sandia.gov/scada/history.htm SCADA] problem to those in government and industry, and focused on problems that face ordinary users.

We suggest tools that rely both on the power users who have contributed much to the internet's development as well as the ordinary users who are the overwhelming share of people online today. Bottom-up solutions seem improbable when they begin; Wikipedia and Firefox, to take just two examples, were thought to face extremely long odds. We believe that giving users the tools they need to take control of their own security can improve users' experiences on the net, as well as convincing major market players to adopt similar solutions that will help everyone, including those users who haven't taken affirmative steps to protect their security.

====Nudging Users====
The mind sciences and behavioral economics have demonstrated the tinkering with default settings and gently [http://www.nudges.org/ nudging] people in a direction can cause dramatic changes in behavior. We apply that insight to cybersecurity. If it's a little harder to reuse or create weak passwords, or a little easier to find out what malware has infected your computer, security may greatly improve.

====Code is Law====
[http://en.wikipedia.org/wiki/Lawrence_Lessig Lawrence Lessig's] 1999 insight that [http://www.code-is-law.org/ code is law] is still crucial to understand cybersecurity more than ten years later. Most fundamentally, the major browsers and websites can improve (or worsen) security for users, perhaps much more than the government can. Key browsers and websites, by coding our proposals or other security fixes, can make a major impact on security.

====No big thing, many little things====
Finally, we consider ourselves [http://berlin.wolf.ox.ac.uk/published_works/rt/HF.pdf foxes, rather than hedgehogs,] and believe that there's no one big thing, or top-down solution, by the government or the private sector, that could solve the cybersecurity problem overnight. Cybersecurity has so many dimensions that it must be improved on all levels, by the government, by industry, by non-profits, and by users. Even if the net suddenly became more secure, in a few months or years new vulnerabilities would be exposed and take the place of the old. As long as the Net remains open, cybersecurity will be a never-ending arms race, and we believe that empowering users, nudging them to better security practices, and remembering that code can be law can give the good guys the upper hand.

==Specific Proposals==

===Public Service Announcement===

We created a Public Service Announcement for generating public awareness for the cybersecurity problem, and showed it in class on January 19. It's online [http://vimeo.com/8937782 here] but is password-protected. Please email us if you were in the class and would like the password.

The upshot of the video is that we don't think a direct public awareness campaign will be very effective. We believe it would be more productive to nudge users and change their behavior by altering the way browsers and websites work, not by scolding people in 30-second TV ads.

===SafeWord===

====What is SafeWord?====

SafeWord is a real, working FireFox plugin designed to nudge users into keeping safer and more unique passwords, though it's too unstable and unrefined to be considered anything but alpha software at this point. It's available for download [http://www.jasonharrow.com/safeword-1.0.0-fx.xpi here]. To install, save that file to your disk, select File --> Open in Firefox 3.5 or above, and install it. You will need to restart Firefox before it takes effect. Thanks to Elance for helping with the coding on very short notice.

We have created a video demonstration of one of the key features of SafeWord [http://vimeo.com/9031865 here].

====What Are The Goals of SafeWord?====

SafeWord begins with a simple proposition: online passwords should be both strong and also different across different sites, and your browser should help you achieve that goal. Studies continue to show that most people use very simple passwords; see, for instance, [http://www.nytimes.com/2010/01/21/technology/21password.html this] ''New York Times'' article that gets right to the point. "If your password is 123456," reads the headline, "just make it HackMe." Moreover, most users also fall into the "dirty habit" of using the same password across multiple online accounts, which can lead to a disaster if only one of the accounts is able to be compromised. An extremely detailed analysis of a 2009 attack that used this principle to compromise many online accounts of Twitter employee is [http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/ here].

====More on The Unique Password Feature====

=====A Scary Story, and A Word About Annoyance=====

Even readers who are all for stronger password security in general may nonetheless be skeptical of what can happen to "regular people" who can't be bothered to remember so many passwords. But here's a very scary story - which is taken directly from the [http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/ Twitter attack analysis] cited above - of what can happen if users employ the same password at multiple important sites:

# HC [the hacker's alias] accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password, giving him control of the Gmail account.
# HC then read emails to guess what the original Gmail password was successfully and reset the password so the Twitter employee would not notice the account had changed.
# HC then used the same password to access the employeeâs Twitter email on Google Apps, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
# HC then used this information along with additional password guesses and resets to take control of other Twitter employees' personal and work emails.
# HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitterâs domain names at GoDaddy.
# Even at this point, Twitter had absolutely no idea they had been compromised.

That's the danger, and it ain't pretty.

On the other hand, as SafeWord users, we admit that the aspect of the program that requires you to use a different password for each new login is, well, pretty damn annoying. Complying with its demands to keep generating unique passwords might even require some old-fashioned tricks, like the creation of a heuristic for generating memorable but unique passwords or keeping a card in your wallet to keep track of your various logins (and maybe even separating out parts of ''that'' list or keeping it encoded somehow). Still, we think that the cost/benefit analysis weighs in favor of life being just a little more annoying in this area, because as our scary story illustrates, there are '''lots''' of points-of-entry to our various accounts, and '''lots''' of random people out there who would love to hack those accounts for financial gain or to get their kicks.

=====Why Do It This Way?=====

There are other solutions out there that automatically generate secure, unique passwords for each site you visit; [https://lastpass.com/features_free.php LastPass] is a particularly nifty one. But they all share several key points of failure: they rely on a master password, and they store your passwords in the cloud. Relying on a master password is particularly problematic, because a compromise of that password can lead to the same disastrous chain of events that we are trying to prevent. The only way to truly reduce the risk of this type of threat is to decentralize everything. And if that takes encouraging people to work a little harder, we at least want to make people aware that this just might be worth the hassle. Similarly, there are problems with storing passwords in the cloud, including intruder problems and problems if the company goes out of business or the cloud becomes inaccessible.

=====Extension v. Built-in Feature=====

Initially, we hoped to build this extension to make a pitch to Mozilla that they should think about building this kind of functionality into the browser. But as we have used a now-working copy of SafeWord in our browsers - admittedly, it's an alpha copy that's not even close to ready for prime-time - at least two of us (i.e. jharrow and rnagarajan) see that it's just too intrusive for mainstream users. If the average, busy user gets a pop-up every time he comes across a new website and tries to use an old password, he will get angry at the browser. If this happens a few times, he will probably switch from Firefox to another browser. So right now, the idea works best as an extension for people who really believe in password security and want a little nudge when they are thinking of giving in to the instinct to just use the password they used last time. But if SafeWord could work only with websites that store important personal information -- email providers, financial institutions, retailers with your credit card information -- and ignore the local newspaper's website, perhaps the balance between security and frustration would be a little closer to the former.

====More on the Stronger Password Feature====

On the other hand, the idea of adding a feature that helps users create more secure passwords - even if they are reused across multiple accounts - is a simple fix that should enhance the browsing experience for most users.

Increasingly, many websites are giving users some guidelines on password security. For instance, Yahoo!'s sign-up page looks like this:

[[Image:Yahoo.png]]

We think that's great. But not all sites have that feature. For instance, you get no visual feedback if you sign-up for an Amazon account with a weak password:

[[Image:Amazon1.png]]

Your browser can change this state-of-affairs easily. Here's the new view, with a SafeWord bar underneath the password field reminding you that your password is weak:

[[Image:Amazon2.png]]

SafeWord even lets you customize the password strength options:

[[Image:Amazon3.png]]

We think something like this really could be built into the browser, and would both add to the user experience and increase security.

==="Amber Alert" For The Internet===

Even if websites invest a lot of time and effort into securing their servers and user data, few sites take a more systematic approach to cybersecurity and view the massive numbers of compromised user machines as as "their" problem; they don't have any ownership over the fact that so many computers are running nasty malware and are thus compromised in important ways that can cause systemic harm to the Internet (like, say, when a site is taken offline in a Distributed Denial-of-Service attack; a partial list of such incidents is [http://en.wikipedia.org/wiki/Denial-of-service_attack#Incidents here]). However, there are some promising signs [http://bits.blogs.nytimes.com/2010/01/13/facebook-joins-with-mcafee-to-clean-up-malware-on-site/ this] may be [http://stopbadware.org/home/pr_01252010 changing].

Perhaps these initiatives can go even further. What if a coalition of leading Internet sites were willing to share certain information about security threats with a third party organization (like [http://stopbadware.org/home/index StopBadware]), and the third-party would vet the information and then issue certain "Amber Alerts" that all the sites would be willing to publicize in some way? When there's a particularly egregious security hole in an [http://en.wikipedia.org/wiki/Internet_Explorer_6 old browser], for instance, if all the leading websites actively encouraged its users to patch it, that has the potential to do a lot of good.

We initially proposed this solution as a unilateral move that individual sites could make - Google, say, could warn its users about the vulnerabilities of Internet Explorer 6. But we've realize that if the recommendations are filtered through a reliable third-party, perhaps the companies won't be threatened by the embarrassment of having an "Amber Alert" put out. Sure, there would be negative consequences for a company, just as a company who undertakes a product recall generates bad publicity. But ultimate the hope is that companies will realize the net positive value of this transaction, and that consumers will look kindly on companies promoting a new level of honesty and transparency.

====Good Cyber-Samaritans====

An idea we discussed on January 19 that was related to the "Amber Alert" system for websites involves empowering educated users to help out their less computer-savvy friends and neighbors with computer security problems just...because. Perhaps there could be a network of young people who think security is important and who don't mind hanging around their local library for a few hours helping people update software and patching security holes. This solution becomes ever-more feasible as a greater proportion of users switches to laptop computers and as projects showing that people are willing to assist strangers for the sheer fun and satisfaction of the experience - from building an [http://www.wikipedia.org encyclopedia] to giving them a [http://www.couchsurfing.org couch to crash on] for free - flourish. Relying on people's good natures could be a new way to make progress on this problem.

Cybersecurity Brainstorming

2010-01-21T08:31:25Z

Rnagarajan: /* "Safeword" */

This page reflects the brainstorming and discussion of the cybersecurity group in [http://en.wikipedia.org/wiki/Jonathan_Zittrain Jonathan Zittrain]'s Cyberlaw: Difficult Problems Class.

''For the Mozilla-icon-privacy project see: [[Terms of Service Brainstorming]].''

=Problems to Tackle=

Misaligned incentives have prevented industry, users, and government from solving many of the problems of cybersecurity. We're proposing three projects that will allow (power) users to increase the security of their data, as well as improve security for other people, and maybe even for the network as a whole. We may also be interested in working on the [[Terms of Service Brainstorming | Mozilla Privacy issue]].

=="Safeword"==
*''All functionality should be inserted into the browser to appear as part of the various websites.''
(1) Shows security level of user-selected password as it's typed in (for registration)
(2) If user chooses weak password, auto-fill will be turned off. User must manually type in all weak passwords
:Safeword will look for keystrokes and won't send the password to the website if it doesn't sense the appropriate keystrokes
(3) Refuse password if it's been used before (for a major/important/security-sensitive site)
:for security reasons, Safeword would only save the first 4 characters of each password (not the whole thing)
(4) Periodically prompt user to change password
:this would be a suggestion, not a requirement and users could set how often it should prompt

Other Ideas:
*encrypted password storage within browser
*using recaptcha or pictures (esp game), etc as dual key for all passwords
*perhaps regulation requiring financial institutions to only accept strong or dual-key passwords

NYT article on bad password security: http://www.nytimes.com/2010/01/21/technology/21password.html?hp

==Mesh Network Vaccination==
Firefox plug-in used by the 5% of power users that can help patch the problems created by the larger base of security-ignorant or security-apathetic users. I made the analogy to tower defense at some point.

''For your edification, see [http://en.wikipedia.org/wiki/Tower_defense Tower Defense].'' ''[[User:Mfeld|Mfeld]] 05:18, 13 January 2010 (UTC)''

==Stop Badware==
We propose a Firefox plug-in that would incorporate an improved Stop Badware database and automatically warn users when they attempt to access websites that are suspected of including malware or have been known to do so recently. We also propose this is included in search engines. While Firefox 3 and Google have recently implemented similar ideas, we would like to display more granular data (i.e., 99% of visitors to this site report no problems, 90% of visitors to that site), with better timing information, and automatically build in reporting of malware to the database.

==Distress Password==
Have 2 passwords --
:(1) secure password -- shows all emails, all data
:(2) distress password -- shows limited data (like limited profile), only showing safe data

==Password Picture==
Have a dual key mode of authentication for various web services: one would be the typical password, and the second would be a series of pictures. For example, when creating an account on a website for the first time, you would choose a password and choose keywords for pictures, like "animal" or "tree". Logging in would require you to enter a password as well as, from a series of pictures, choose your 1, 2, or 3 pictures that show your keyword. This would prevent robots from being able to try and guess your password, and would also prevent keystroke detectors from being fully functional.

=Presentational ideas=
*"This is your internet, this is your internet on botnet"
*Ham Sandwich metaphor acted out in reality
*Voiceover puppets a la JZ's [http://www.youtube.com/watch?v=NggzBHSXdCo video explanation of Herdict]
*PSA Announcement featuring Internationally Recognized Magician Michael Feldman
*Lessig-style keynote presentation (as part)

Spot 1: Ham Sandwich (Live).

Magic Michael is happily doing a magic trick. Suddenly, he makes a ham sandwich appear out of nowhere. He asks an audience member, "And now, who would like to eat this ham sandwich?" People in the audience (kids?) react angrily. One says, "But, where did that ham sandwich come from?"

CUT TO Magic Michael, now sitting on a stool, talking to the camera: Everyone knows not to eat a mysterious ham sandwich that I make appear out of nowhere. But why do some people install software when they don't know where it came from? Hi, I'm internationally-recognized magician Michael Feldman, and I'm here to remind you how important it is to keep your computer safe. When in doubt about whether or not you should download and install a piece of software, just follow the ham sandwich rule; if it came from a stranger and you're not sure when or where it was made, don't install it - or eat it!

(looks great -- I just want some more magic puns, like "if it were a rabbit sandwich, maybe that's ok" or "installing random programs isn't magic. it's stupid.")

End with "The More You Know" music and logo? (like at the end of this stupid clip: http://www.youtube.com/watch?v=3eazYHO3Hsg&feature=related).

Spot 2:
Magic Michael is seated, looking directly at the camera. "Hi, i'm internationally-recognized (and renowned) magician Michael Feldman. I can make many things disappear (hand gesture, and poorly patched together video making something disappear). But there's one thing that even I can't make disappear: the cybersecurity problem. (Michael attempts to make something symbolizing cybersecurity disappears, but fails). Remember, kids, installing random programs isn't magic. It's stupid."

[[Image:CyberSec1.jpg|thumb|120px|alt=Whiteboard Notes Part 1|Mesh Network Vaccination / Password Protection Ideas]]
[[Image:CyberSec2.jpg|thumb|120px|alt=Whiteboard Notes Part 2|Ideas for Incentivizing]]
[[Image:CyberSec3.jpg|thumb|120px|alt=Whiteboard Notes Part 3|Stop Badware Ideas]]
[[Image:Problems Solved.jpg|thumb|120px|alt=Whiteboard Notes Part 4|Problems Solved by "Safeword"]]
[[Image:Safeword Functionality.jpg|thumb|120px|alt=Whiteboard Notes Part 4|Functionality for "Safeword"]]

Cybersecurity Brainstorming

2010-01-15T23:27:28Z

Rnagarajan: /* Presentational ideas */

This page reflects the brainstorming and discussion of the cybersecurity group in [http://en.wikipedia.org/wiki/Jonathan_Zittrain Jonathan Zittrain]'s Cyberlaw: Difficult Problems Class.

''For the Mozilla-icon-privacy project see: [[Terms of Service Brainstorming]].''

=Problems to Tackle=

Misaligned incentives have prevented industry, users, and government from solving many of the problems of cybersecurity. We're proposing three projects that will allow (power) users to increase the security of their data, as well as improve security for other people, and maybe even for the network as a whole. We may also be interested in working on the [[Terms of Service Brainstorming | Mozilla Privacy issue]].

=="Safeword"==
*''All functionality should be inserted into the browser to appear as part of the various websites.''
(1) Shows security level of user-selected password as it's typed in (for registration)
(2) If user chooses weak password, auto-fill will be turned off. User must manually type in all weak passwords
:Safeword will look for keystrokes and won't send the password to the website if it doesn't sense the appropriate keystrokes
(3) Refuse password if it's been used before (for a major/important/security-sensitive site)
:for security reasons, Safeword would only save the first 4 characters of each password (not the whole thing)
(4) Periodically prompt user to change password
:this would be a suggestion, not a requirement and users could set how often it should prompt

Other Ideas:
*encrypted password storage within browser
*using recaptcha or pictures (esp game), etc as dual key for all passwords
*perhaps regulation requiring financial institutions to only accept strong or dual-key passwords

==Mesh Network Vaccination==
Firefox plug-in used by the 5% of power users that can help patch the problems created by the larger base of security-ignorant or security-apathetic users. I made the analogy to tower defense at some point.

''For your edification, see [http://en.wikipedia.org/wiki/Tower_defense Tower Defense].'' ''[[User:Mfeld|Mfeld]] 05:18, 13 January 2010 (UTC)''

==Stop Badware==
We propose a Firefox plug-in that would incorporate an improved Stop Badware database and automatically warn users when they attempt to access websites that are suspected of including malware or have been known to do so recently. We also propose this is included in search engines. While Firefox 3 and Google have recently implemented similar ideas, we would like to display more granular data (i.e., 99% of visitors to this site report no problems, 90% of visitors to that site), with better timing information, and automatically build in reporting of malware to the database.

==Distress Password==
Have 2 passwords --
:(1) secure password -- shows all emails, all data
:(2) distress password -- shows limited data (like limited profile), only showing safe data

=Presentational ideas=
*"This is your internet, this is your internet on botnet"
*Ham Sandwich metaphor acted out in reality
*Voiceover puppets a la JZ's [http://www.youtube.com/watch?v=NggzBHSXdCo video explanation of Herdict]
*PSA Announcement featuring Internationally Recognized Magician Michael Feldman
*Lessig-style keynote presentation (as part)

Spot 1: Ham Sandwich (Live).

Magic Michael is happily doing a magic trick. Suddenly, he makes a ham sandwich appear out of nowhere. He asks an audience member, "And now, who would like to eat this ham sandwich?" People in the audience (kids?) react angrily. One says, "But, where did that ham sandwich come from?"

CUT TO Magic Michael, now sitting on a stool, talking to the camera: Everyone knows not to eat a mysterious ham sandwich that I make appear out of nowhere. But why do some people install software when they don't know where it came from? Hi, I'm internationally-recognized magician Michael Feldman, and I'm here to remind you how important it is to keep your computer safe. When in doubt about whether or not you should download and install a piece of software, just follow the ham sandwich rule; if it came from a stranger and you're not sure when or where it was made, don't install it - or eat it!

(looks great -- I just want some more magic puns, like "if it were a rabbit sandwich, maybe that's ok" or "installing random programs isn't magic. it's stupid.")

End with "The More You Know" music and logo? (like at the end of this stupid clip: http://www.youtube.com/watch?v=3eazYHO3Hsg&feature=related).

Spot 2:
Magic Michael is seated, looking directly at the camera. "Hi, i'm internationally-recognized (and renowned) magician Michael Feldman. I can make many things disappear (hand gesture, and poorly patched together video making something disappear). But there's one thing that even I can't make disappear: the cybersecurity problem. (Michael attempts to make something symbolizing cybersecurity disappears, but fails). Remember, kids, installing random programs isn't magic. It's stupid."

[[Image:CyberSec1.jpg|thumb|120px|alt=Whiteboard Notes Part 1|Mesh Network Vaccination / Password Protection Ideas]]
[[Image:CyberSec2.jpg|thumb|120px|alt=Whiteboard Notes Part 2|Ideas for Incentivizing]]
[[Image:CyberSec3.jpg|thumb|120px|alt=Whiteboard Notes Part 3|Stop Badware Ideas]]
[[Image:Problems Solved.jpg|thumb|120px|alt=Whiteboard Notes Part 4|Problems Solved by "Safeword"]]
[[Image:Safeword Functionality.jpg|thumb|120px|alt=Whiteboard Notes Part 4|Functionality for "Safeword"]]

Cybersecurity Brainstorming

2010-01-14T08:24:44Z

Rnagarajan: /* Presentational ideas */

This page reflects the brainstorming and discussion of the cybersecurity group in [http://en.wikipedia.org/wiki/Jonathan_Zittrain Jonathan Zittrain]'s Cyberlaw: Difficult Problems Class.

''For the Mozilla-icon-privacy project see: [[Terms of Service Brainstorming]].''

=Problems to Tackle=

Misaligned incentives have prevented industry, users, and government from solving many of the problems of cybersecurity. We're proposing three projects that will allow (power) users to increase the security of their data, as well as improve security for other people, and maybe even for the network as a whole. We may also be interested in working on the [[Terms of Service Brainstorming | Mozilla Privacy issue]].

=="Safeword"==
*''All functionality should be inserted into the browser to appear as part of the various websites.''
(1) Shows security level of user-selected password as it's typed in (for registration)
(2) If user chooses weak password, auto-fill will be turned off. User must manually type in all weak passwords
:Safeword will look for keystrokes and won't send the password to the website if it doesn't sense the appropriate keystrokes
(3) Refuse password if it's been used before (for a major/important/security-sensitive site)
:for security reasons, Safeword would only save the first 4 characters of each password (not the whole thing)
(4) Periodically prompt user to change password
:this would be a suggestion, not a requirement and users could set how often it should prompt

Other Ideas:
*encrypted password storage within browser
*using recaptcha or pictures (esp game), etc as dual key for all passwords
*perhaps regulation requiring financial institutions to only accept strong or dual-key passwords

==Mesh Network Vaccination==
Firefox plug-in used by the 5% of power users that can help patch the problems created by the larger base of security-ignorant or security-apathetic users. I made the analogy to tower defense at some point.

''For your edification, see [http://en.wikipedia.org/wiki/Tower_defense Tower Defense].'' ''[[User:Mfeld|Mfeld]] 05:18, 13 January 2010 (UTC)''

==Stop Badware==
We propose a Firefox plug-in that would incorporate an improved Stop Badware database and automatically warn users when they attempt to access websites that are suspected of including malware or have been known to do so recently. We also propose this is included in search engines. While Firefox 3 and Google have recently implemented similar ideas, we would like to display more granular data (i.e., 99% of visitors to this site report no problems, 90% of visitors to that site), with better timing information, and automatically build in reporting of malware to the database.

==Distress Password==
Have 2 passwords --
:(1) secure password -- shows all emails, all data
:(2) distress password -- shows limited data (like limited profile), only showing safe data

=Presentational ideas=
*"This is your internet, this is your internet on botnet"
*Ham Sandwich metaphor acted out in reality
*Voiceover puppets a la JZ's [http://www.youtube.com/watch?v=NggzBHSXdCo video explanation of Herdict]
*PSA Announcement featuring Internationally Recognized Magician Michael Feldman
*Lessig-style keynote presentation (as part)

Spot 1: Ham Sandwich (Live).

Magic Michael is happily doing a magic trick. Suddenly, he makes a ham sandwich appear out of nowhere. He asks an audience member, "And now, who would like to eat this ham sandwich?" People in the audience (kids?) react angrily. One says, "But, where did that ham sandwich come from?"

CUT TO Magic Michael, now sitting on a stool, talking to the camera: Everyone knows not to eat a mysterious ham sandwich that I make appear out of nowhere. But why do some people install software when they don't know where it came from? Hi, I'm internationally-recognized magician Michael Feldman, and I'm here to remind you how important it is to keep your computer safe. When in doubt about whether or not you should download and install a piece of software, just follow the ham sandwich rule; if it came from a stranger and you're not sure when or where it was made, don't install it - or eat it!

(looks great -- I just want some more magic puns, like "if it were a rabbit sandwich, maybe that's ok" or "installing random programs isn't magic. it's stupid.")

End with "The More You Know" music and logo? (like at the end of this stupid clip: http://www.youtube.com/watch?v=3eazYHO3Hsg&feature=related).

[[Image:CyberSec1.jpg|thumb|120px|alt=Whiteboard Notes Part 1|Mesh Network Vaccination / Password Protection Ideas]]
[[Image:CyberSec2.jpg|thumb|120px|alt=Whiteboard Notes Part 2|Ideas for Incentivizing]]
[[Image:CyberSec3.jpg|thumb|120px|alt=Whiteboard Notes Part 3|Stop Badware Ideas]]
[[Image:Problems Solved.jpg|thumb|120px|alt=Whiteboard Notes Part 4|Problems Solved by "Safeword"]]
[[Image:Safeword Functionality.jpg|thumb|120px|alt=Whiteboard Notes Part 4|Functionality for "Safeword"]]

Cybersecurity Brainstorming

2010-01-14T08:22:28Z

Rnagarajan: /* Problems to Tackle */

Day 9 Predictions

2010-01-14T08:16:45Z

Rnagarajan:

Here is a related youtube video, [http://www.youtube.com/watch?v=6IDNKhAIOww CouchSurfing: What one website reveals about the future of the net]. [[User:Yosuke|Yosuke]]

I'm interested in hearing about the identity verification system that Daniel mentioned at approx. 23:30 in the YouTube video. How are they getting access to passport numbers and credit card numbers? If it is that much better at identifying people, why hasn't eBay implemented something like this?

It's interesting how the Extraordinaries (great name, reminded me of the Pixar movie The Incredibles) is for-profit, while Couchsurfing is non-profit. Will the Extraordinaries be able to build a Couchsurfing or Wikipedia-type community even though it's for-profit?

I was struck by the fissues within the couchsurfing movement. It seems inevitable in these bottom-up, free internet communities that there will be intense fights over the direction of the project. What keeps communities like Wikipedia and Couchsurfing from still providing useful services despite all the chatter? Could that balance be reversed?

Day 7 Thoughts

2010-01-14T02:01:20Z

Rnagarajan: /* ReputationDefender */

==ReputationDefender==
While I think some of the things ReputationDefender has done are admirable, I was troubled by the disclosure that the company has signed revenue-share agreements with information aggregators. These companies are often quite controversial (see http://en.wikipedia.org/wiki/Intelius for example). It seems like these revenue share deals could potentially set up the wrong incentives (even if signed with the best intentions), where ReputationDefender's profits are now aligned with profits of information aggregators. I could envision a future where everyone needs to pay "protection money" to companies like Intelius (or intermediaries, like ReputationDefender) in order to preserve their privacy, and that seems like the wrong state to be in. I can't help but wonder whether the solution here is more stringent regulation of information aggregators (mainly just requiring free and easy one-stop opt-out). Consumers don't need to pay to sign up for the national do not call registry, and one could imagine a similar opt-out process for information aggregators. It seems kind of perverse if people feel compelled to *pay* to opt out of things that they did not sign up for to begin with.
:I also wonder how sustainable this is as a business model. Reputation Defender can aggregate money from its clients and share that revenue with information aggregators, but wouldn't insurance companies be able to out spend them? It seems as if the primary purchasers of such information aggregation may be in better financial positions than any aggregator of individual concern about such things. Is it possible that ReputationDefender's market will one day compete with insurance companies and the like for annual revenue? Or, what if a big player like Google (or a Google spin off) decides to enter this space and crush ReputationDefender before it even gets off the runway?

:I agree with the distaste with having to pay protection money, but it seems better to have the option than not to. Regulation would be ideal, but would likely run up against powerful commercial interests. See the power of the insurance industry in the health care debate. Add advertisers and you're looking for trouble.

:I wonder if there are legal issues (antitrust?) with the protection money payments.

==Lifelock==

LifeLock is another consumer "reputation protection" company (more focused on identity fraud) with a pretty interesting business/marketing model. http://en.wikipedia.org/wiki/LifeLock
: However LifeLock has had many many problems, discussed in this article from [http://www.wired.com/politics/security/commentary/securitymatters/2008/06/securitymatters_0612 Wired Magazine] including one of the [http://phoenix.bizjournals.com/phoenix/stories/2007/06/11/daily15.html co-founders] having been an identity thief himself, the CEO's identity has been stolen successfully a [http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=lifelock+suit number of times], and there is currently a [http://www.forbes.com/2008/02/21/experian-lifelock-update-markets-equity-cx_md_0221-markets32.html pending suit] against the company claiming its business model isn't legal.

: Yeah, LifeLock is definitely controversial. Didn't mean to imply that it was "good", just "interesting" :)

==Opt-Out Programs==

Incidentally I believe that CAN-SPAM requires that opt-out has to be free to the user. CAN-SPAM failed for a lot of reasons, whereas the do-not-call registry has comparatively succeeded--would be interesting to discuss why.

==Transfer of Ownership==

What happens when formerly trustworthy companies get sold? Should the data submitted by users be transferred? This is a very real threat--Friendster and Spock were recently acquired (the latter by Intelius--see http://www.techcrunch.com/2009/04/29/spock-and-intelius-uh-oh/). Mint.com was also acquired by Intuit, but imagine if they had been acquired by a telemarketing firmâ¦

==Mozilla Privacy Icons==

''We have created an internal page on this wiki for [[Terms of Service Brainstorming|Brainstorming Ideas]] for this project''

I'm still not convinced that there is an actual problem here to solve (or rather, whether the problem is so severe as to require the hammer of a browser icon convention). In some ways I feel like people have already voted with their widespread usage of sites like MySpace, Twitter, Facebook, and Google despite the lack of a privacy icon.

It is worth noting that the icon-in-the-browser-to-signal-privacy already exists in one form today--the "lock" you see when performing credit card transactions over SSL. It'd be interesting to examine the origin of this convention. I'd argue that in this case there *was* an actual problem to solve (and that users probably would not submit credit card information without the lock, so that users and businesses had a strong incentive to come up with a convention--adding the lock increases conversion rates).

Day 8 Predictions

2010-01-13T23:34:53Z

Rnagarajan:

For those who aren't familiar, here are [http://creativecommons.org/dmca/ Creative Commons'] and [http://www.google.com/dmca.html Google's] explanations of DMCA Notice and Takedown Procedures, one example of Due Process online

==Should there be Due Process Online==
Yes.

It's great how the website with the article on the Google death penalty was filled with mostly internal links, which I'm guessing are intended to raise its Google rank.

==Due Process Defaults==

There are at least two default possibilities for due process of takedowns on the internet: (1) Due process afforded before takedown (default on), and (2) take down immediately upon request and afford due process to restore the content (default off). Google will probably take the stance that (2), default off, is a more appropriate standard for internet due process. Since internet content can do a great deal of harm in a very short period of time, it makes sense to take it down immediately (after someone has complained that it might be harmful information) and create a process by which the uploaded can ask that it be restored. That way the damage of offensive content is mitigated, but could not be unilaterally censored. (also, this process probably does the best job of limiting the liability of companies like Google, YouTube, etc).
:The counter argument to the above is that this cripples the generatively of the internet. If anyone can request that content be taken down which web companies must comply with, it would be possible for anyone to (at least temporarily) gag the production of new content. A better compromise might be to require that the requester make some showing of who they are and how they will be harmed (at something resembling a probable cause standard) before web companies must comply with such a complaint.

==Google and China==
Although today's class isn't about this topic, it's hard to believe it won't come up. It will be interesting to hear whether the Google guest will have a response to Jason's concern that Google disengaging with China will allow unscrupulous actors to dominate the world's biggest internet market, and that Google, even if it had to make compromises, could do more good than evil by working inside China.

Day 6 Thoughts

2010-01-13T23:01:28Z

Rnagarajan:

Quickie thought: how effective can Firefox plugins really be for many projects - especially those that require a large non-geek percentage? And what if IE were to allow easy compatibility with plugins? Consider the following back of the envelope calculations:

-25% of Internet users use Firefox. [http://www.downloadsquad.com/2009/05/05/how-many-firefox-users-are-there-mozilla-estimates-270-million/ Estimates] are that this is about 270 million users.

-The latest [https://addons.mozilla.org/en-US/statistics statistics] from Mozilla show that there are about 200 million add-ons in use total. But that's clearly not evenly distributed. I can't find the number, so let's wildly ballpark it and say that the average add-on user is using four add-ons (the Stanford computer in Room 280B is clearly using way more...), which means there are 50 million people that really use add-ons.

That means that if we take the roughly billion people who are estimated to be on the Net (based on the marketshare above of Firefox), about 5% even have the capacity to change their user experience with a Firefox extension.

I don't know what the implications of this are - anyone else have a deep thought? - but I think it's worth remembering that those who desire to change their Internet experiences this way are a small minority of users. If IE decided to open up to extensions, though - and if there was some way to translate existing Firefox extensions over to that platform - we might have a whole new ballgame... [[User:Jharrow|Jharrow]] 23:28, 12 January 2010 (UTC)

:Reuben: While we certainly demonstrated the utility of crowdsourcing and plug-ins in our discussion, Jason is correct in reminding us that we shouldn't lose the forest for the trees. Both crowdsourcing and plug-ins have their weaknesses, either the need for a critical mass of participation, the need for high quality participation (the kind that can't be bought from Mechanical Turk), or simple browser compatability. Without some larger education campaign or publicity, it's hard to imagine these plug-ins making significant impacts on many users. The majority will likely stick to plain vanilla internet and the cybersecurity problem, ubicomp problems, etc. will all still be out there for them. [[User:ReubRodriguez|ReubRodriguez]] 00:54, 13 January 2010 (UTC)

::Yeah, this is clearly an issue with all emerging internet technologies. 2/3s of people still use IE today. But it seems like innovation has been driven by the small group of elite users throughout the history of the internet (that's probably the case for other technologies). The cycle of plug-in to inclusion in Firefox to inclusion in IE probably could happen in a year or two, if the plug-in was really great. [[User:Rnagarajan|Rnagarajan]] 23:01, 13 January 2010 (UTC)

Day 7 Predictions

2010-01-12T23:39:13Z

Rnagarajan: /* Anonymity */

In the spirit of today's issues, our collective "anonymous" predictions are set out below:

== Reputation Defender ==

First of all, congratulations to Reputation Defender for raising $8.65 million last year (announced today, January 12, 2010):

http://www.techcrunch.com/2010/01/12/reputationdefender-kleiner-bessemer-8-65-million/

Mr. Fertik will probably try to persuade us that Reputation Defender offers great advantages to improve our reputation (even promoted by Dr. Phil?!), and the service obviously has a lot of merit--assuming you have the ability to pay for it. It gives people a great way to remove defamatory, or potentially defamatory, content in a way where it harms nobody and helps those who it should. However, we hope that the students and guests will discuss whether these kinds of initiatives are just one bridge too far; is Reputation Defender a tool to defend or artificially improve one's reputation? (And does it matter?)

:We'd also like to hear about the tactics Reputation Defender uses to increase Google page ranks (MyEdge) in a way that makes sure it doesn't get the Google Death Penalty, as well as what technological or legal tools Reputation Defender would add if it could.

Really interesting point taken from the Tech Crunch blog linked above: "It is still early days and there is a lot of work ahead. Perhaps ReputationDefenderâs biggest weakness is that it does not have a full view into Facebook, where only public comments or photos show up. If somebody is going to badmouth you online, chances are it will be on Facebook." Would be interested how they are planning to deal with this. On a related note, how would this itself be a privacy violation? Are individuals entitled to talk about each other in a social networking setting?

Another apparent weakness of ReputationDefender is that while they are one company with a limited amount of employed people working for them, they might have to fight against a legion of anonymous people - which sometimes amounts to over 9,000 participants - that can be easily mobilized in certain image boards and forums. It would be also interesting to know how they would deal with this.

Reputation Defender will probably also emphasize how its product is "family-friendly" -- its website must have more mentions of protecting your family and children than the all of the other websites we've looked at in the class, combined. Is Reputation Defender profiting from a generational gap with regard to privacy? Parents may be horrified by what their children post online, and assume it will doom their career prospects, but by the time the children are adults, it may be normal to have that information freely available.

Additionally, I would be very interested to hear anecdotes from our guests about the most compelling use cases for ReputationDefender - where does the majority of their business come from? What are some surprising use cases they have seen with the product? How do they plan to expand with this new infusion of cash?

== Anonymity ==

We hope our guests will not be too narrowly focused on the need to ensure accountability through identification and attribution. The democratic benefits of leaving an option open for anonymous contribution is important also, to help encourage frank speech and content. It seems to us that this would be particularly relevant in the US jurisdiction, where strong First Amendment principles are unlike what we see pretty much anywhere else in the world (which also raises the discrete sub-issue of how we can reconcile different international views of what an appropriate level of privacy protection might be). Like Dispute Finder discussed yesterday - their emphasis is not to resolve an issue in dispute, but to highlight for the public that there is a conflict, which cannot exist without vocalization of many different points of view, no matter how unpopular.

In terms of anonymity on the Internet in the user's control, I think services such as Tor do quite a good job. There still are weaknesses associated with the exit nodes of Tor allowing hackers to access user names and passwords due to the lack of encryption technologies available.

In light of the well-publicized events surrounding Shi Tao and Wang Xiaoning, Ebele may express Yahoo's recent concerns with anonymity and its sometimes drastic importance outside the U.S., and the difficulties of working with governments with completely different expectations that do not match with our First Amendement concerns. I expect the guests will discuss Google's dramatic announcement today about China, and wonder if it will have any effect on Mozilla.

== Mozilla and Privacy ==

We expect Ryan and the people of Mozilla will show the great advantages of understandable privacy policies in the form of icons. This might encourage people to actually check whether a website upholds certain privacy standards. Even more importantly, it would allow users, in an easy way, to realize the diverse range of privacy policies (and the amount of information released to third parties) that various add-ons have (the Location Aware feature of Firefox version 3.5, for example, can tap into a wide range of information). The advantages of easy-to-understand privacy icons are straightforward, although we might wonder whether users will have a collective voice strong enough to cause change, or whether users will really stop visiting nytimes.com if it has certain unpleasant policies. Beyond that question, the guests likely to justify why modifications to the browsers that we use are a necessary or desired way to implement them.

As we discussed yesterday, the people at the Mozilla foundation can take any idea to improve the internet from a fanciful theory to a concrete reality very quickly. It seems likely, then, that they are deluged with causes to adopt and browser functionality to build in. It would be interesting to hear how they decided what to focus on, and why privacy rose to the top of the list. Mozilla has, in effect, the ability to bundle any plug-in that it desires with Firefox by making it core browser functionality. The guests are likely to address whether there is a happy medium between bundling functionality with Firefox and relying entirely on users tracking down and installing plug-ins (like DisputeFinder requires). Is there a possibility of a central plug-in repository that can allow useful plug-ins to take off more easily? Can the decision of which plug-ins/concepts could be "promoted" to core browser functionality be crowdsourced somehow?

Day 7 Predictions

2010-01-12T23:26:18Z

Rnagarajan: /* Reputation Defender */

In the spirit of today's issues, our collective "anonymous" predictions are set out below:

== Reputation Defender ==

First of all, congratulations to Reputation Defender for raising $8.65 million last year (announced today, January 12, 2010):

http://www.techcrunch.com/2010/01/12/reputationdefender-kleiner-bessemer-8-65-million/

Mr. Fertik will probably try to persuade us that Reputation Defender offers great advantages to improve our reputation (even promoted by Dr. Phil?!), and the service obviously has a lot of merit--assuming you have the ability to pay for it. It gives people a great way to remove defamatory, or potentially defamatory, content in a way where it harms nobody and helps those who it should. However, we hope that the students and guests will discuss whether these kinds of initiatives are just one bridge too far; is Reputation Defender a tool to defend or artificially improve one's reputation? (And does it matter?)

:We'd also like to hear about the tactics Reputation Defender uses to increase Google page ranks (MyEdge) in a way that makes sure it doesn't get the Google Death Penalty, as well as what technological or legal tools Reputation Defender would add if it could.

Really interesting point taken from the Tech Crunch blog linked above: "It is still early days and there is a lot of work ahead. Perhaps ReputationDefenderâs biggest weakness is that it does not have a full view into Facebook, where only public comments or photos show up. If somebody is going to badmouth you online, chances are it will be on Facebook." Would be interested how they are planning to deal with this. On a related note, how would this itself be a privacy violation? Are individuals entitled to talk about each other in a social networking setting?

Reputation Defender will probably also emphasize how its product is "family-friendly" -- its website must have more mentions of protecting your family and children than the all of the other websites we've looked at in the class, combined. Is Reputation Defender profiting from a generational gap with regard to privacy? Parents may be horrified by what their children post online, and assume it will doom their career prospects, but by the time the children are adults, it may be normal to have that information freely available.

== Anonymity ==

We hope our guests will not be too narrowly focused on the need to ensure accountability through identification and attribution. The democratic benefits of leaving an option open for anonymous contribution is important also, to help encourage frank speech and content. It seems to us that this would be particularly relevant in the US jurisdiction, where strong First Amendment principles are unlike what we see pretty much anywhere else in the world (which also raises the discrete sub-issue of how we can reconcile different international views of what an appropriate level of privacy protection might be). Like Dispute Finder discussed yesterday - their emphasis is not to resolve an issue in dispute, but to highlight for the public that there is a conflict, which cannot exist without vocalization of many different points of view, no matter how unpopular.

In terms of anonymity on the Internet in the user's control, I think services such as Tor do quite a good job. There still are weaknesses associated with the exit nodes of Tor allowing hackers to access user names and passwords due to the lack of encryption technologies available.

In light of the well-publicized events surrounding Shi Tao and Wang Xiaoning, Ebele may express Yahoo's recent concerns with anonymity and its sometimes drastic importance outside the U.S., and the difficulties of working with governments with completely different expectations that do not match with our First Amendement concerns.

== Mozilla and Privacy ==

We expect Ryan and the people of Mozilla will show the great advantages of understandable privacy policies in the form of icons. This might encourage people to actually check whether a website upholds certain privacy standards. Even more importantly, it would allow users, in an easy way, to realize the diverse range of privacy policies (and the amount of information released to third parties) that various add-ons have (the Location Aware feature of Firefox version 3.5, for example, can tap into a wide range of information). The advantages of easy-to-understand privacy icons are straightforward, although we might wonder whether users will have a collective voice strong enough to cause change, or whether users will really stop visiting nytimes.com if it has certain unpleasant policies. Beyond that question, the guests likely to justify why modifications to the browsers that we use are a necessary or desired way to implement them.

As we discussed yesterday, the people at the Mozilla foundation can take any idea to improve the internet from a fanciful theory to a concrete reality very quickly. It seems likely, then, that they are deluged with causes to adopt and browser functionality to build in. It would be interesting to hear how they decided what to focus on, and why privacy rose to the top of the list. Mozilla has, in effect, the ability to bundle any plug-in that it desires with Firefox by making it core browser functionality. The guests are likely to address whether there is a happy medium between bundling functionality with Firefox and relying entirely on users tracking down and installing plug-ins (like DisputeFinder requires). Is there a possibility of a central plug-in repository that can allow useful plug-ins to take off more easily? Can the decision of which plug-ins/concepts could be "promoted" to core browser functionality be crowdsourced somehow?

Day 6 Predictions

2010-01-11T21:47:46Z

Rnagarajan:

Daniel: Our guests will probably discuss at length the challenges that Dispute Finder and most web-based cooperative tools bump into while attempting to harness input from virtual crowds. I guess they will talk about Dispute Finderâs design difficulties, such as costs and trade-offs (between precision and recall, between user-friendliness and number / quality of features, etc). Theyâll most likely also summon stories from the interviews discussed in the document we received, perhaps to illustrate content-layer problems with measurement of "information sources reliability"; usersâ misunderstandings / trouble with logic operations; and group biases.
I would love to hear their views on the [http://courses.ischool.berkeley.edu/i256/f09/lectures/RobEnnalsGuestLecture.ppt proposed use of Turks] to improve the database of disputed claims and arguments, as well as on the current biases of the disputed facts / arguments presently listed by the software.

:Jason: I predict that there will be a good deal of discussion of what Daniel calls the "user-friendliness" aspect of these tools - and I hope there is, because it's critical. Specifically, what is the necessary ratio between DisputeFinder or Herdict "passive users" and "active reporters" to make a project successful? I say this because both Herdict and DisputeFinder look somewhat sparsely-populated for them to be maximally-useful right now. For example, Herdict is [http://www.herdict.org/web/explore/country/CN;jsessionid=4A2D95D3EB7A8F96B073DE77D3654D53 reporting] that 2 Chinese users have reported YouTube as inaccessible. How do I interpret that? What percent of people who might know about and like Herdict in China are reporting back to Herdict? We know that Wikipedia is successful in spite of the fact that only a very small portion of readers become really regular editors - but Wikipedia is also one of the most visited sites in the world. I hope we discuss what strategies these organizations are employing to build participation for these more niche offerings. [[User:Jharrow|Jharrow]] 18:20, 11 January 2010 (UTC)

:Reuben: When Daniel talks about the challenges of web-based cooperative tools, my first thought is about the challenge of a achieving a critical mass. I poked around with Dispute Finder for just over an hour this morning and during the entirety of my browsing the New York Times, Washington Post, Miami Herald, and Slate I only came across one disputed claim. No offense to America's news media, but my guess is that what I read is more disputed than that, but that there just aren't enough people trolling the news sites and adding claims to the dispute finder database for the service to actually be that helpful yet. Jason's point about passive users versus active reporters is important. I too would like to hear about how to reach a critical mass and how many active users are needed in order to have a useful service. I'd also like to hear about the potential for users to participate in a more passive manner - notwithstanding the privacy issues, if Herdict could just monitor my browsing and automatically send a report whenever I come across an inaccessible website, something akin to a Last.fm for my click stream, the data would seem to be much more complete than simply recording whatever I choose to report. Never underestimate the laziness of the average person. My prediction is that our guests acknowledge the shortcomings in their current offerings while remaining optimistic about the possibilities of community based technology. [[User:ReubRodriguez|ReubRodriguez]] 18:49, 11 January 2010 (UTC)

::Ramesh: I agree with Reuben on the usefulness of Dispute Finder and Herdict. While Wikipedia (and Yelp, and a few other sites) show that sometimes, you can get useful content for free, that's not always the case. DisputeFinder didn't find many disputes when I did my regular scan of news websites, even when reading articles on topics like medical marijuana and same-sex marriage. It seems like applications like DisputeFinder and Herdict would be better if they were more automated -- if DisputeFinder automatically attached itself to controversial terms, and especially, as Reuben suggested, if Herdict was not based on self-reporting.

:Tyler: I completely agree with above thoughts about Herdict and DisputeFinder needing to collect a critical mass of users before becoming useful. This seems to echo the idea that wikipedia was not useful for its first several years because it did not possess a critical mass of articles. However, I think there are some differences because individual pieces of wikipedia could become useful before wikipedia as a whole in that individual articles could become independantly useful before wikipedia became as comprehensive as it is today. I don't see that Herdict or DisputeFinder have the same capability to be useful while scaling because they require users to explicitly decide to install plugins and begin using their services before any benefit can be gained by that user. Wikipedia was able to gradually grow in prominence as users occasionally found information on wikipedia that they wanted through web searches. I am wondering if Herdict or DisputeFinder can take advantage of automated solutions to increase their seemingly as-yet sparsely populated databases? For example, could web crawling robots be used to identify at least some inaccesible sites with the expectation that this list could then be pruned by users rather than expecting it to materialize entirely by user submissions? Could DisputeFinder use a web crawling robot, in conjunction with sophisticated text parsers to begin identifying at least some topics that clearly involve dispute? I expect and hope that the guests will discuss some strategies for increasing the datasets of their projects to the point that they can obtain their critical mass of users and data more quickly. [[User:TylerLacey|TylerLacey]] 19:49, 11 January 2010 (UTC)

Emily:
Dispute Finder bears an inherent flaw: individuals, not algorithms, decide whom and what to trust for information. Consider the watch on your wrist. If your watch starts to get the time wrong, you might try to fix the watch. You hope and pray your watch starts giving you accurate, dependable information because you like your watch. You might even love your watch. But, if it continues to betray your trust, and the people in your trusted circle insist your watch is wrong, you give up. You decide to trust a new watch, but your new watch will probably be reminiscent of your old watch with respect to personal taste, experience, and preferences. Most people are intuitive enough (though they donât necessarily convert insights into complex conclusions about source x versus source y) to know that 120 seconds of live, relatively unedited sound on Fox News Live or MSNBC Dayside is less likely to contain factually accurate information â even if relatively unimportant, like the location of a fire, or the total number of casualties in a mass shootingâ than a compulsively edited, fact-checked tome in the Sunday NY Times magazine, the Economist, or the New Yorker.

Article 3.5 of the Dispute Finder document, âDetermining Trustworthy Sources,â seems a bit absurd. It actually acknowledges the marketability challenges of its own software: âUnfortunatelyâ¦the sites people actually trust are often those that share the personâs own point of view.â So, again, what is this software and what, really, is the point? Segway into âCross-cutting themes.â Save the world. How? Is Dispute Finder intended to help people sue other people for libel? Richard Jewel (now deceased) had a reasonably compelling case. Thatâs probably why he successfully sued (for libel) every organization, from CNN, to NBC, to the NY Post. All settled. He collected from each of them. But Richard Jewel didnât need help from Dispute Finder. Richard Jewel had a case.

Cross-cutting themes: âChange the technology, save the world.â Okay, why not? Isnât there something else smart people at Intel and UC Berkeley could be doing to make the world better? Last November, the New York Times produced an alarming story [http://www.nytimes.com/2009/11/29/us/29foodstamps.html] about the food stamp program in America(ânow expanding at a pace of about 20,000 people a day.â) Also no shortage of children in custody. Last December, the New York Times obtained â and reported on [http://www.nytimes.com/2009/12/14/nyregion/14juvenile.html?_r=1&scp=1&sq=new%20york%20family%20court%20juvenile%20department%20of%20justice%20youth&st=cse]â a âconfidential draft reportâ prepared by a task force appointed by NY gov David Paterson: âNew York Stateâs current approach fails the young people who are drawn into the system, the public whose safety it is intended to protect, and the principles of good governance that demand effective use of scarce state resources.â Story also says the situation was so bad that the DOJ, at one point, was threatening to âtake over.â

So, if Intel is interested in contributing, how about addressing real problemsâhelping real peopleâ that could affect real, collective societal change and improvement? Children and education seem like obvious places to start. Basics like hardware and mentors could go a long way. Children in poverty struggle with range of issues, including asthma, low self-esteem, obesity, and depression. Consider children in places like the South Bronx (Jonathan Kozolâs children [http://www.amazon.com/Amazing-Grace-Children-Conscience-Nation/dp/0060976977]): allocation of resources in places like this (and/or lower-middle class communities), especially from companies like Intel, could change lives; give voices to people from whom we do not often hear.

Interested to hear thoughts on Internet privacy, though I'm not sure adults have an expectation of privacy anywhere [http://gawker.com/5444885/facebooks-mark-zuckerberg-on-your-erased-privacy-these-are-the-social-norms-now] on the Internet. If you want privacy, don't put yourself on the Internet. Finally, on the subject of online harassment, if we accept that the Internet is a public place, to what extent is it acceptable to regulate online communication, including but not limited to comments deemed 'offensive' on blogs?

Predictions. Guests will be nice. Class will be nice. Hope to hear more about Dispute Finder's business model.

Tyler: I would like an explanation for why the contributor of a disputed claim on DisputeFinder needs to provide a link to an article that illustrates the opposing point of view. If there are no article, isn't it still valuable to identify a claim as disputed, especially since this could break DisputeFinder's dataset building-process into two parts? I could enter a disputed claim without a link to another source and then another user, once alerted to the potential dispute could track down and enter the article. I see the argument that an issue is not actually in dispute if there is no contradictory reports of it, but I wonder if an entry into DisputeFinder should be enough to create a "dispute", rather than requiring a link. I agree that even a blog post outlining the opposing point of view would be more helpful than a "dispute" without any link, but I'm not sure that it should be a requirement. Today I entered a disputed claim as "Works prepared by amazon mechanical turkers are considered works for hire under the United States Copyright Act" to see if DisputeFinder would highlight portions of our wiki (which does not currently have any disputed claims, according to DisputeFinder) but I was stalled when it asked for a link to a web location outlining this dispute. Should I have entered the page on this wiki where we discuss the issue? I hope that the guests discuss this aspect of the DisputeFinder process. [[Special:Contributions/68.65.169.179|68.65.169.179]] 20:11, 11 January 2010 (UTC)

Victoria: I completely agree with the former point that DisputeFinder's success is dependent on gaining a critical mass of end users. In addition to the need for more users, I think the platform is very trusting of the end users themselves. DisputeFinder allows for a lot of users to subjectively claim anything is disputed even when it begins to reach the absurd. One EscapistMagazine.com posted in June 2009, that the following topics were included on the disputed list "The 2009 Iran Presidential election was rigged," "" and "Recycling is good for the environment," "2Pac is dead," "Dick Cheney is a robot" and "Italians look good." Although theoretically the idea of a marketplace of ideas works - without the appropriate robust marketplace DisputeFinder becomes a caricature of the truth-seeking function of free speech.

Day 6 Predictions

2010-01-11T21:46:48Z

Rnagarajan:

Daniel: Our guests will probably discuss at length the challenges that Dispute Finder and most web-based cooperative tools bump into while attempting to harness input from virtual crowds. I guess they will talk about Dispute Finderâs design difficulties, such as costs and trade-offs (between precision and recall, between user-friendliness and number / quality of features, etc). Theyâll most likely also summon stories from the interviews discussed in the document we received, perhaps to illustrate content-layer problems with measurement of "information sources reliability"; usersâ misunderstandings / trouble with logic operations; and group biases.
I would love to hear their views on the [http://courses.ischool.berkeley.edu/i256/f09/lectures/RobEnnalsGuestLecture.ppt proposed use of Turks] to improve the database of disputed claims and arguments, as well as on the current biases of the disputed facts / arguments presently listed by the software.

:Jason: I predict that there will be a good deal of discussion of what Daniel calls the "user-friendliness" aspect of these tools - and I hope there is, because it's critical. Specifically, what is the necessary ratio between DisputeFinder or Herdict "passive users" and "active reporters" to make a project successful? I say this because both Herdict and DisputeFinder look somewhat sparsely-populated for them to be maximally-useful right now. For example, Herdict is [http://www.herdict.org/web/explore/country/CN;jsessionid=4A2D95D3EB7A8F96B073DE77D3654D53 reporting] that 2 Chinese users have reported YouTube as inaccessible. How do I interpret that? What percent of people who might know about and like Herdict in China are reporting back to Herdict? We know that Wikipedia is successful in spite of the fact that only a very small portion of readers become really regular editors - but Wikipedia is also one of the most visited sites in the world. I hope we discuss what strategies these organizations are employing to build participation for these more niche offerings. [[User:Jharrow|Jharrow]] 18:20, 11 January 2010 (UTC)

:Reuben: When Daniel talks about the challenges of web-based cooperative tools, my first thought is about the challenge of a achieving a critical mass. I poked around with Dispute Finder for just over an hour this morning and during the entirety of my browsing the New York Times, Washington Post, Miami Herald, and Slate I only came across one disputed claim. No offense to America's news media, but my guess is that what I read is more disputed than that, but that there just aren't enough people trolling the news sites and adding claims to the dispute finder database for the service to actually be that helpful yet. Jason's point about passive users versus active reporters is important. I too would like to hear about how to reach a critical mass and how many active users are needed in order to have a useful service. I'd also like to hear about the potential for users to participate in a more passive manner - notwithstanding the privacy issues, if Herdict could just monitor my browsing and automatically send a report whenever I come across an inaccessible website, something akin to a Last.fm for my click stream, the data would seem to be much more complete than simply recording whatever I choose to report. Never underestimate the laziness of the average person. My prediction is that our guests acknowledge the shortcomings in their current offerings while remaining optimistic about the possibilities of community based technology. [[User:ReubRodriguez|ReubRodriguez]] 18:49, 11 January 2010 (UTC)

::Ramesh:
I agree with Reuben on the usefulness of Dispute Finder and Herdict. While Wikipedia (and Yelp, and a few other sites) show that sometimes, you can get useful content for free, that's not always the case. DisputeFinder didn't find many disputes when I did my regular scan of news websites, even when reading articles on topics like medical marijuana and same-sex marriage. It seems like applications like DisputeFinder and Herdict would be better if they were more automated -- if DisputeFinder automatically attached itself to controversial terms, and especially, as Reuben suggested, if Herdict was not based on self-reporting.

:Tyler: I completely agree with above thoughts about Herdict and DisputeFinder needing to collect a critical mass of users before becoming useful. This seems to echo the idea that wikipedia was not useful for its first several years because it did not possess a critical mass of articles. However, I think there are some differences because individual pieces of wikipedia could become useful before wikipedia as a whole in that individual articles could become independantly useful before wikipedia became as comprehensive as it is today. I don't see that Herdict or DisputeFinder have the same capability to be useful while scaling because they require users to explicitly decide to install plugins and begin using their services before any benefit can be gained by that user. Wikipedia was able to gradually grow in prominence as users occasionally found information on wikipedia that they wanted through web searches. I am wondering if Herdict or DisputeFinder can take advantage of automated solutions to increase their seemingly as-yet sparsely populated databases? For example, could web crawling robots be used to identify at least some inaccesible sites with the expectation that this list could then be pruned by users rather than expecting it to materialize entirely by user submissions? Could DisputeFinder use a web crawling robot, in conjunction with sophisticated text parsers to begin identifying at least some topics that clearly involve dispute? I expect and hope that the guests will discuss some strategies for increasing the datasets of their projects to the point that they can obtain their critical mass of users and data more quickly. [[User:TylerLacey|TylerLacey]] 19:49, 11 January 2010 (UTC)

Emily:
Dispute Finder bears an inherent flaw: individuals, not algorithms, decide whom and what to trust for information. Consider the watch on your wrist. If your watch starts to get the time wrong, you might try to fix the watch. You hope and pray your watch starts giving you accurate, dependable information because you like your watch. You might even love your watch. But, if it continues to betray your trust, and the people in your trusted circle insist your watch is wrong, you give up. You decide to trust a new watch, but your new watch will probably be reminiscent of your old watch with respect to personal taste, experience, and preferences. Most people are intuitive enough (though they donât necessarily convert insights into complex conclusions about source x versus source y) to know that 120 seconds of live, relatively unedited sound on Fox News Live or MSNBC Dayside is less likely to contain factually accurate information â even if relatively unimportant, like the location of a fire, or the total number of casualties in a mass shootingâ than a compulsively edited, fact-checked tome in the Sunday NY Times magazine, the Economist, or the New Yorker.

Article 3.5 of the Dispute Finder document, âDetermining Trustworthy Sources,â seems a bit absurd. It actually acknowledges the marketability challenges of its own software: âUnfortunatelyâ¦the sites people actually trust are often those that share the personâs own point of view.â So, again, what is this software and what, really, is the point? Segway into âCross-cutting themes.â Save the world. How? Is Dispute Finder intended to help people sue other people for libel? Richard Jewel (now deceased) had a reasonably compelling case. Thatâs probably why he successfully sued (for libel) every organization, from CNN, to NBC, to the NY Post. All settled. He collected from each of them. But Richard Jewel didnât need help from Dispute Finder. Richard Jewel had a case.

Cross-cutting themes: âChange the technology, save the world.â Okay, why not? Isnât there something else smart people at Intel and UC Berkeley could be doing to make the world better? Last November, the New York Times produced an alarming story [http://www.nytimes.com/2009/11/29/us/29foodstamps.html] about the food stamp program in America(ânow expanding at a pace of about 20,000 people a day.â) Also no shortage of children in custody. Last December, the New York Times obtained â and reported on [http://www.nytimes.com/2009/12/14/nyregion/14juvenile.html?_r=1&scp=1&sq=new%20york%20family%20court%20juvenile%20department%20of%20justice%20youth&st=cse]â a âconfidential draft reportâ prepared by a task force appointed by NY gov David Paterson: âNew York Stateâs current approach fails the young people who are drawn into the system, the public whose safety it is intended to protect, and the principles of good governance that demand effective use of scarce state resources.â Story also says the situation was so bad that the DOJ, at one point, was threatening to âtake over.â

So, if Intel is interested in contributing, how about addressing real problemsâhelping real peopleâ that could affect real, collective societal change and improvement? Children and education seem like obvious places to start. Basics like hardware and mentors could go a long way. Children in poverty struggle with range of issues, including asthma, low self-esteem, obesity, and depression. Consider children in places like the South Bronx (Jonathan Kozolâs children [http://www.amazon.com/Amazing-Grace-Children-Conscience-Nation/dp/0060976977]): allocation of resources in places like this (and/or lower-middle class communities), especially from companies like Intel, could change lives; give voices to people from whom we do not often hear.

Interested to hear thoughts on Internet privacy, though I'm not sure adults have an expectation of privacy anywhere [http://gawker.com/5444885/facebooks-mark-zuckerberg-on-your-erased-privacy-these-are-the-social-norms-now] on the Internet. If you want privacy, don't put yourself on the Internet. Finally, on the subject of online harassment, if we accept that the Internet is a public place, to what extent is it acceptable to regulate online communication, including but not limited to comments deemed 'offensive' on blogs?

Predictions. Guests will be nice. Class will be nice. Hope to hear more about Dispute Finder's business model.

Tyler: I would like an explanation for why the contributor of a disputed claim on DisputeFinder needs to provide a link to an article that illustrates the opposing point of view. If there are no article, isn't it still valuable to identify a claim as disputed, especially since this could break DisputeFinder's dataset building-process into two parts? I could enter a disputed claim without a link to another source and then another user, once alerted to the potential dispute could track down and enter the article. I see the argument that an issue is not actually in dispute if there is no contradictory reports of it, but I wonder if an entry into DisputeFinder should be enough to create a "dispute", rather than requiring a link. I agree that even a blog post outlining the opposing point of view would be more helpful than a "dispute" without any link, but I'm not sure that it should be a requirement. Today I entered a disputed claim as "Works prepared by amazon mechanical turkers are considered works for hire under the United States Copyright Act" to see if DisputeFinder would highlight portions of our wiki (which does not currently have any disputed claims, according to DisputeFinder) but I was stalled when it asked for a link to a web location outlining this dispute. Should I have entered the page on this wiki where we discuss the issue? I hope that the guests discuss this aspect of the DisputeFinder process. [[Special:Contributions/68.65.169.179|68.65.169.179]] 20:11, 11 January 2010 (UTC)

Victoria: I completely agree with the former point that DisputeFinder's success is dependent on gaining a critical mass of end users. In addition to the need for more users, I think the platform is very trusting of the end users themselves. DisputeFinder allows for a lot of users to subjectively claim anything is disputed even when it begins to reach the absurd. One EscapistMagazine.com posted in June 2009, that the following topics were included on the disputed list "The 2009 Iran Presidential election was rigged," "Global warming does not exist" and "Recycling is good for the environment," "2Pac is dead," "Dick Cheney is a robot" and "Italians look good." Although theoretically the idea of a marketplace of ideas works - without the appropriate robust marketplace DisputeFinder becomes a caricature of the truth-seeking function of free speech.

Day 5 Predictions

2010-01-08T22:54:03Z

Rnagarajan:

Victoria: My prediction is that the speakers are going to be extolling the virtues of Wikipedia and explaining that although the site has gone under some transformations it is still a vibrant force. I would concede that I think it is. Most people I know still immediately turn to Wikipedia for a quick run down of a topic or an answer to a quick question. However, as time moves on the site is becoming less innovative and more standard. I would like to ask them about their understanding and personal experiences in trying to keep Wikipedia young. Moreover, having read that 85% of the contributors to Wikipedia are male I'd specifically love to ask Phoebe whether she feels that the articles are written from the male gaze and lack the other gender's perspective.

:: Sharona: Like Vickie, I was also struck by the statistics on the demographic breakdown, and I would love to hear their thoughts on whether they feel wikipedia really does represent a wide range of views, or more specifically (especially in the US) that of a white male. Another thing I think they will likely discuss - and probably not have a good answer for - is the question of privacy and defamation on wikipedia and other wikimedia projects. Can, or should, the website and/or its users or editors be held accountable if allegedly defamatory posts are not removed? Who makes that call? And what standards are used? It seems to me that there's no easy answer to this: while they may not run into strictly legal issues, it could definitely affect reader's trust in the information or fear that they too are vulnerable.

::: Ramesh: I was struck by the Economist's comparison of the number of articles about Pokemon and the Solidarity movement on English Wikipedia. I expect the Wikipedians will admit that they are disproportionately white, young, male, more interested in science fiction than what others might consider more interesting forms of culture, etc, and that's a problem, but that there's really no better solution. They may be right; is there a better internet resource in English on Solidarity than Wikipedia? Maybe when Google Books is fully up and running, it would be a better resource (or just co-opted and summarized by Wikipedia).

Bruno: I expect our guests to focus their comments on the strategies Wikipedia is adopting to address two of what seems to be the main problems of the project: (i) quality/accuracy of its articles, and (ii) issues concerning vandalism. After reading the materials, I was struck by the fact that Wikipedia doesn't seem to be worried about increasing its user base. The increasing amount of rules, the hostility of veteran users to newbies and the efforts to attract more scientists to participate in the project suggest that in fact they would be interested in less, but more qualified participation. Just like the attitude of our guest from CrowdFlower, perhaps a sort of procrastination to address a problem that is not yet so concrete might be operating here: with over 40 thousand contributors it's not clear when more means actually less.

:: Sheel: I'd be interested in hearing Wikimedia's reaction to this: what if people started using CrowdFlower or MechanicalTurk, if they don't already, to pay people 10 cents or so to go edit Wikipedia pages? I know they weren't okay with MyWikiBiz, but this is much more under the radar. Finally, I'd like to hear where the debate is on inclusionists v. exclusionists (meaning those who want to produce the 'integrity' of the encyclopedia and shy away from what may be deemed as frivolous by some portion of editors). My guess is that there is still no concrete answer---if enough editors are passionate about editing/creating a new page, then it'll stay.

::: Andrew: I also hope to hear some discussion about the intersection between Wikipedia and paid crowdsourcing. The possibilities here aren't all nefarious (what about an mturk task to fix Wikitypos?)

Daniel: In addition to the topics above, I expect a discussion about the possible increase in vulnerability Wikipedia faces at the content layer, on par with a less dynamic environment. Since most pages are already done, at least in the English version, editors may feel less motivated to monitor existing, but seldom edited pages which are not on the "watch list". As a consequence, they can be more easily twisted by outsiders. In connection with that issue, I guess that our guests will raise the question "how does it feel to be a Wikipedian?" - and try to describe the community feeling from the perspective of insiders, and the challenges to bring more people in.

Franny: Main problems within the wikipedia bubble are summarized well above - I think that we also need to examine the problem of how to improve/encourage the transfer of wikipedia's benefits (e.g. generativity and sense of community) outside of the wikipedia microcosm. To that end, I hope that our guests will discuss their experiences with similar applications and initiatives (e.g. citizendium, etc.), and provide their views of the successes or weaknesses.

:Jason: Great point by Franny; I too hope they address how Wikipedia's success can to other initiatives. After all, I've been struck by just how ''sui generis'' Wikipedia seems to be, and now that we are in 2010, I think we need to start asking whether Wikipedia is an outlier or whether its principles of both creation and governance can really generalize to other projects. Of course, as I write that, I find myself wondering whether free and open source software is another example of the Wikipedia model. Further, I wonder what they think of as other really good candidates for adopting Wikipedia's new form of participatory self-government. For instance, some of us have been laughing about Stanford's new, fairly permissive policies when it comes to handing in papers at the end of the semester (you can still pass the . Could these new policies have been created by the Stanford community via wiki? What would the outcome have been?

Juan: I would like to hear their opinions on
1. How to deal with vandalism and spams while keeping the generativity of Wikipedia as much as possible. Now they've created several restrictions to lower of the possibility of attacks by vandals and spams, such as blocking IP addresses of repeat offenders, using full protection and semi-protection functions to restrict editing of certain pages. However, these restrictions limits free editability and thus seems jeopardize its generativity.
2. The prospect of wikipedia in China. How will it compete with its local counterpart Hudong. Unlike wikipedia, Hudong rewards top contributors with gifts ranging from post cards to MP3 players, and offers some features that complies with Chinese users' habits. Recently, it even launched it partnership with some popular overseas Chinese website, making its first steps to expand into overseas Chinese market. What is wikipedia's strategy facing this situation? Is there any possibility to establish some cooperation or strategic partnership between these two on-line encyclopedias?
3. Sustainable problem. Dedicated editor may leave because of life cycle change, motivation by other UGC websites, tire of anti-threat work, and etc. How will wikipedia attract new editors and keep them?

Ethan: In addition to all the issues mentioned above, I'd like to know how Wikipedia addresses censorship efforts from various governments. We talked about how the Chinese government forced Google to remove certain search results (e.g. falun gong) and I'm wondering if Wikipedia receives such requests. Censorship doesn't necessarily have to be so nefarious-- it's illegal to deny holocaust in 13 countries according to Wikipedia, truth is not an absolute defense to defamation in Korea, etc. How will Wikipedia abide by local laws when pressed?

Elisabeth: I predict we'll hear that Wikipedia's editor corp is either growing or sufficiently large already. But I'd like to solicit some ideas on how active editors' time could be better leveraged if numbers do start dropping. Some of the articles we read suggested that editors spent a lot of time bickering over minor points--perfecting one page while ignoring a slew of others. Are there ways to eliminate the bureaucracy and consciously turn to a state that maximizes pages edited at least once vs. pages edited by 100 people? On the subject of growing pains more generally, can they point to examples of online communities that have overcome the problem they're having -- an influx of newcomers -- that inspire them?
I'd also like to hear whether the donation strategy is feasible for funding Wikipedia long-term, or if they're planning on using other Wikimedia projects to fund some of it, or if there's some other theory.

Day 4 Predictions

2010-01-07T18:14:22Z

Rnagarajan:

Amanda: I am very interested to hear Chuck's take on the relationship between the government, large corporations like Microsoft, and the defcon-attending hacker community (like the L0pht group mentioned in the Wired article). Is the government receptive to both groups? I imagine the relationship specifically between the hacker community and the government can become tense because the interests of both groups is not exactly aligned and is sometimes conflicting. Have they been able to successfully work together around a common threat like cybersecurity? While I imagine the government often tries to recruit from the hacker community, and I'm interested to hear where they draw the lines legally as far as subversive behavior within the hacker community (ie do they bend the rules for the sake of potential advances in cybersecurity?).
:Of course there are great advances yet to be made in the relationship between white-hat hackers and corporations like Microsoft. Skepticism abounds from both sides for obvious reasons, as well as entrenched interests and preconceptions based on past interactions ("Hackers are simply criminals", or on the other side "Microsoft is The Man").

Vickie: I'm going to dovetail from Amanda's comment and say that I think Chuck is going to speak more specifically about the ID program he was talking about the other day as a possible solution to cybersecurity. Just as in the Wired article - identification solves a large percent of the problem, mostly through accountability. However, this seems too Orwellian for my blood. Unlike a passport that is shown in person - a computer ID is never going to be checked person to person. The computer will always be the intermediary. Moreover, this type of program may deter people from doing things on the Internet that they normally would do - if it wasn't anonymous. Visit certain political sites, fetish sites etc. etc. At what point is our fear balanced by our need for an Internet that is not being surveyed.

:Ramesh: I wonder what Chuck would say are the benefits to anonymity on the internet, and whether they are outweighed by the security risks. It seems like there could be a creditable argument saying just that. Also, I wonder about problems in scaling up ID programs -- one would assume that many countries would not participate, but if desirable content could only be accessed by an ID, perhaps consumers would then demand their nations also issue internet IDs.

Hector: Some of Chuck's points from his remarks on Tuesday that stuck with me most were the strengthening of internet identification and alternative networks that use something else than TCP. I hope that he elaborates on the possible applications of the latter.

Lien: I'm very interested to hear (i) what Chuck thinks the biggest cybersecurity risk is that Microsoft and other simular major private companies face and (ii) how the company is prepared for attack on its system and will react on it. I however predict he's not gonna answer that question...

Day 3 Predictions

2010-01-06T20:00:06Z

Rnagarajan:

Daniel: My guess is that three issues will be focused:

1- ''labor rights'' â workers in UHC are not attached to a safe work environment, do not receive any fringe benefits, health care, etc., and as of yet there are no unions for Turks and the like. It is quite easy to see homeworkers as nonworkers, and to build [http://www.missconceptions.net/downloads/mturk-pca09-web.pdf digital sweatshops].

2- workersâ new ''expectation of complete anonymity'', that go way beyond privacy demands in regular work environments. Hopefully ethical issues concerning this faceless workforce will be discussed, as well as its potential identity and community feelings (taking into account that, unlike bearers of [http://www.iab.net/about_the_iab/recent_press_releases/press_release_archive/press_release/pr-061009-value formal jobs], UHC workers have shifting numbers, not social security ones). Still on this topic, I expect debates about people willing to perform otherwise shameful tasks, and about the opportunities for children, sick or unfit workers in general to work / be worked.

3- the ''use of UHC for complex, creative tasks'', analyzed in conjunction with a look at the economics of commoditized labor pools. Resulting discussions could examine quality control and its costs, and [http://portal.acm.org/citation.cfm?id=1357054.1357127 proper design], necessary to unleash [http://www.youtube.com/watch?v=rQ3Q6Y6Ylqo creativity] and demand more than repetitive, boring tasks from fellow anonymous humans. On that note, it is nice to see that, as scientific experiments with Mechanical Turks [http://experimentalturk.wordpress.com/ become more popular], academic attention is drawn towards the problematic incentives in the platformâs most common setting (low payment + repetitive tasks), which encourages Turks to finish HITs as fast as they can, [http://experimentalphilosophy.typepad.com/experimental_philosophy/2010/01/looking-for-subjects-amazons-mechanical-turk.html at the expense of proper comprehension of the tasks].

My wish list for the session: discussions of solutions / tools such as [http://turkopticon.differenceengines.com/ Turkopticon], a Firefox application designed to identify and expose âshady employersâ.

Ramesh: I predict that the founders of human computing websites will be more focused on the technology and potential of the websites and may have a blind spot for the legal issues that may be raised by UHC (applicability of minimum wage and other laws) while as law students, we may naturally focus on the legal issues implicated.

Alternatively, perhaps the founders of UHC websites will see them simply as a continuation of current trends, especially the increasing numbers of contractors in the labor force of large companies and governments and the outsourcing of call-center (and increasingly higher-skilled) jobs overseas. Does UHC present any problems that are different from the current trends? What role can employment and labor law play in a world where increasing numbers of workers are "independent contractors" or even Mechanical Turks? Will technology re-enact Lochner?

Ubiquitous Human Computing

2010-01-05T21:30:58Z

Rnagarajan: /* LiveOps */

= What is Ubiquitous Human Computing? =

Professor Zittrain provides an excellent overview of the emerging field of "Ubiquitous Human Computing" in a recent [http://drop.io/cyberlaw_winter10/asset/ssrn-id1140445-pdf paper]. For the purposes of this course, focus on the paper's discussion of "fungible networked brainpower" as exemplified by Amazon Mechanical Turk, LiveOps and InnoCentive. Alternatively, these core ideas are expressed in video form [http://bigthink.com/jonathanzittrain/the-long-and-silent-subway-ride-of-the-future here].

= The Current Services =

== Amazon Mechanical Turk ==

Amazon's Mechanical Turk (AMT) [http://www.mturk.com/mturk/welcome product] is the simplest ubiquitous human computing model currently available. It provides a marketplace for "Human Intelligence Tasks" (HITs), which are typically large collections of simple and repetitive tasks that nonetheless require a human mind to complete. The HITs are necessarily limited in scope because their maximum price is $10.

== LiveOps ==

LiveOps's [http://www.liveops.com marketplace] is a step up from AMT because it carefully selects those that can perform tasks. Out of 3500 candidates to become a LiveOps worker each week, LiveOps only selects 50-75 after a test and an interview.

Patrick McKenna, founder of LiveOps but no longer with the company, has outlined what he believes draws each party to LiveOps. Workers desire (1) access to work, (2) control over their own work schedules, and (3) independence. McKenna believes that the most important factor to workers in their schedule flexibility. Also very important to the worker is the lack of setup and takedown time - there is no LiveOps equivalent to the unpaid commute to and from work. There is also no LiveOps equivalent to the real-world workplace expenses of gas, work clothes and workplace eating. McKenna believes that the average LiveOps worker make $9 an hour, but that this amount is equivalent to earning $16/hour in a job involving the aforementioned expenses.

McKenna believes that work providers are drawn to LiveOps primarily because of its flexibility and capacity to maximize productivity from their workers. Work providers are also able to avoid costs associated with the real-world workplace - office space, setup and takedown time, etc. - LiveOps employers only pay for work when it is actually being done. The flexibility offered by LiveOps allows for work providers to quickly vary the size of their workforce - they do not need to keep a "reserve" of employees that are paid with no work to do in order to handle spikes in workforce needs.

== InnoCentive ==

InnoCentive's [http://www.innocentive.com/ marketplace] is again a step up from LiveOps in terms of complexity of its tasks and skills needed to complete them. InnoCentive's asks its workers to solve minor scientific problems posed by its work suppliers. InnoCentive offers its workers large awards, including awards of $1,000,000 for some solutions. InnoCentive refers to its work providers and workers as "seekers" and "solvers", respectively.

= The Difficult Issues =

== Present Day Doctrinal Problem Areas ==

*<b>American Business Law Journal: The Information Revolution and its Impact on the Employment Relationship: An Analysis of the Cyberspace Workplace</b>
**<i>This is a fantastic survey paper on the many issues raised with employment law in combination with cyber-workers.</i>
**This article seems to assume that cyberworkers will still be working in the United States, but this seems like an unrealistic assumption
**Written in 2003, around the time LiveOps launched (2000)
**Citation: 40 AMBLJ 301
**Section II of this article examines how working over the internet blurs/challenges current law about the employee/contractor distinction.
***"Under the right-of-control test, an employee is not an independent contractor if the employer has the ability to control the time, method, and manner of employment"
**Section IV of this article examines how cyber-working affects non-compete agreements and copyright considerations (such as works-for-hire)
***"The Internet exacerbates this tension by raising previously unheard of issues in drafting and enforcing non-compete agreements."
***Work-for-hire: How does UbiComp affect the work-for-hire test established by Creative Non-Violence v. Reid? ( 490 U.S. 730 (1989) )
**Section V - Employment Regulation
***A: The Burlington/Faragher sexual harassment standard is not clear when applied to cyber-workers
****"The Ninth Circuit held that remoteness will not dilute an employee's obligation to report sexual harassment."
***C: Family Medical Leave Act - depends on employee/independent contractor distinction
***D: Workers Compensation
***E: Fair Labor Standards Act
***F: The National Labor Relations Act
***G: The Occupational Safety & Health Act
**Conclusions
***For employee/contractor distinction, "courts must use the existing and long-standing right-of-control test, but apply it with sensitivity to the unique characteristics of Internet-enabled workplaces."
***As courts evolve toward the Zippo sliding scale, they must set some standard of how much contact remote employment creates between the employee's forum state and the employer.
***Agencies need to adopt specific regulation to deal with cyberworkers
***"When regulatory guidance is insufficient, the legislature must act"
****Congress must clarify how unions can organize and communicate in cyberspace in order to protect labor and management rights.

*Case study: Amazon's Mechanical Turk may violate employment/tax laws because the employee-employer relationship is between the requester and the worker [http://behind-the-enemy-lines.blogspot.com/2009/07/is-amazon-mechanical-turk-black-market.html]

== Potential Difficult Problems in the Future ==

* What if UbiComp is used for political lobbying?
** In general, any mass movement could be created using UbiComp
* Could employees "outsource" their own work using UbiComp? [http://webchicanery.com/2009/06/20/4-minute-work-week/]
** How can child labor be prevented?

Day 2 Predictions

2010-01-05T21:16:12Z

Rnagarajan: /* Mark */

= Mark =

Sheel: Cisco, with its involvement in China's Golden Shield Project and $16 Billion investment (http://www.socialfunds.com/news/article.cgi/2825.html), doesn't want to have to deal with issues of human rights that might diminish ROI. Notable quote from article and 2008 testimony: Chandler said, "Cisco does not customize, or develop specialized or unique filtering capabilities, in order to enable different regimes to block access to information." My guess: Mark Chandler will affirm this statement tomorrow, but the real reason is that following the GNI principles would be a poor business decision and CISCO isn't willing to make any sacrifice.
: Elisabeth: we might push back on the idea that this would be a poor business decision, and solicit Cosson and Hope's opinions. Yahoo and Google have faced real backlash for their actions, and GNI serves as something of a safety net against that backlash. We could also ask Chandler if he can imagine how GNI could be structured such that it would be worthwhile for Cisco to join--it would be interesting to see if what he says matches up with what Cosson says GNI needs to do to recruit new members.
:: Andrew: I doubt Chandler would be cynical (frank?) enough to respond this way, but Cisco may be shielded from the kind of "PR risks" that Yahoo/Google/Microsoft face, since their products and services reside below the content layer and are less intuitively understandable to the general public. Along these lines, I hope to hear some discussion about the sources of contention between stakeholders at different architectural layers. How do differences in the type of actions governments request from these companies translate to materially different policy preferences, given the extreme broadness of the principles at issue?
:: Hector: I agree with Andrew and wonder whether Cisco will go to lengths to emphasize the hardware-side of its products/services. This may be a more palatable version of JZ's "gun's don't kill people" framing: "Look, we provide hardware and the software interfaces that are infinitely customizable." Such an argument works only to the extent that the products/services are general-use (generative?) and the extent that CISCO is '''truly''' removed from any immoral end-use.
:: Michael: I think Mark will lean on the fact that Cisco provides hardware. The current constituents of GNI (Micosoft, Google, and Yahoo) exclusively provide services and software which only have a limited range of customizable options. Cisco's products, on the other hand, can be customized for myriad purposes. Unlike the "guns don't kill people, people kill people" fallacy, Cisco's hardware products have a wide variety of applications and are designed specifically and primarily for a number of innocuous purposes and can only be transformed into destructive tools with significant input by the consumer/user. So then Cisco probably has a specific problem with the final bullet point under "Responsible Company Decision Making" of the [http://www.globalnetworkinitiative.org/cms/uploads/1/GNI_-_Principles_1_.pdf GNI Guiding Principles] which requires that companies use their best efforts to force clients or customers to conform to these rules. It could be a seriously onerous burden on hardware providers to say that they must force customers in other countries to abide by American/European concepts of ethical uses of that equipment, and even more onerous to consider punishing Cisco when its products are used in violation of such standards.
: Jason: I doubt that he will emphasize ROI and the need to make money to a group like ours - or, at least he won't explicitly mention his company's desire to make billions of dollars. Instead, I suspect that Mark will emphasize the need for more Internet infrastructure in developing countries, and the uncertain effect of the GNI in terms of continuing to do business everywhere. He would be right about that need - see, for instance, the Internet density map [http://www.chrisharrison.net/projects/InternetMap/medium/worlddotblack.jpg here]. So he can ask us rhetorically, "What is Cisco supposed to do? Don't you cyberlaw students want people in China and Southeast Asia and the Middle East and Africa to get online, too? If so, those countries need our hardware - and we can't choose who runs their governments!" And you know what? If he says this, he will have a very, very good point.

Daniel: I believe Chandler will provide his professional - and hopefully personal - account on the role CISCO plays in [facilitating / enabling / providing neutral tools] to allow for "different regimes" to control their nationals' internet experience. Cosson and Hope will probably dedicate more time to in depth discussion of two issues: involvement of industry actors other than the GNI founding members and the types of incentives that are needed for that, including legal alternatives and public exposure of "do some evil" firms. Also, given that we will not have representatives from Google and Yahoo, these companies are likely to figure prominently in the examples of events, actions and concessions to be avoided.

Sanford Lewis: I predict that Mr. Chandler will not discuss in very much depth the extent to which external stakeholder and stockholder pressure has shaped company policy, unless he is prompted by student questions to discuss this.

Lien: The GNI principles are so general and an "implementation / repetition" of international standards. If a certain company (for whatever reason) does not want to join the GNI, this company still has to comply with these standards. To play the devil's advocate, does joining the GNI change anything in reality or is it just a good thing to join because of the company's image and reputation? Furthermore, the concept of the GNI (sort of self- regulation) is a very American concept. European companies are not very familiar with this kind of approach. The GNI might be a good starting point for a company to obey to certain principles. However, the privacy principles are so broadly written that, if a company would follow these principles, it would still not comply with European Privacy legislation. Why would an European company then join the initiative and do all the effort (e.g. audit, ...), knowing that it would still not comply with European legislation?

:Elisabeth: I also wonder how true it is that these are "international" standards, rather than American or American/European standards.

Michael: I expect Mark will point out that GNI's primary focus seems to be providing guidelines for instances in which a government or other entity makes direct requests of a company for information (ID of a dissident) or to take certain action (block certain functions of software), but that these values are inapplicable to much of what Cisco does. Cisco is likely less concerned with such direct inquiries and more concerned with customers altering its devices to accomplish bad objectives. The kinds of hardline, direct guidelines that GNI will likely promulgate to address issues that would apply to governments' direct inquiries to Microsoft, Google and Yahoo would be very difficult to apply to companies like Cisco who provide heavily customizable software. In fact, any steps Cisco might take to prevent consumers from using its products to violate GNI rules would, itself, violate the rule encouraging freedom of expression by the consumer of such products. (of course the easy response to this might be that all of these are, a fortiori (had to throw some legal speak in here somewhere), reasons that companies like Cisco should be a part of the conversation to create rules that will be more generally applicable.

Ramesh: I wonder if Mark will agree with the distinction I tried to draw below between removing content that's objectionable to governments and providing private information to those governments to find dissidents. It seems like Cisco's technologies could be used for either; does Mark think both are acceptable forms of behavior?

= Dunstan =
Tyler: I believe Dunstan will try and draw a distinction between situations involving two types of countries. The first type is countries with laws in accordance with GNI principles but that are not enforced or poorly enforced. The second type is countries with laws that on their face are violative of GNI principles. I hope Dunstan will discuss strategies that corporations should use for situations that arise involving both types of countries and the different approaches that GNI stakeholders can collectively take to preemptively forestall problems in each of the two types of countries.
: Daniel: It would be great if we further explored the (blurring) division between these two country-types. Was Google's first move in the negotiation with Turkey - accepting to block videos insulting AtatÃ¼rk, but only within the country's limits - OK under the GNI principles? How much can a country legitimately curb freedom of speech, according to the GNI framework? IMO, its diplomatic language allows for an "American" interpretation, but also for an "European" one and perhaps others even more restrictive.
Reuben: I'd be interested in hearing how BSR's involvement with the GNI was different than corporate social responsibility projects in other economic sectors and how that speaks to the uniqueness of ICT and these issues.
: Ramesh: I'd like to hear Dunstan draw distinctions between two types of conduct that often seem to be conflated in this area -- removing content at the best of governments (Google.cn) vs. providing private information to governments that can lead to the arrest and prosecution of dissidents (Shi Tao). The first seems like a necessary step to take for companies to conduct business in countries with different laws, while the second seems to raise much more serious ethical issues, as the company is actively helping repressive governments search out and persecute dissidents. I suspect that Dunstan may draw this distinction, as perhaps companies, both inside and outside the GNI, think there are serious differences between the two types of conduct.

= Chuck =

Tyler: I expect Chuck to express frustration that more corporations have not signed up for GNI and identify some specific reasons why he thinks GNI has so far been unable to recruit any additional corporations from the initial roster of three (Yahoo!, Google, Microsoft). I also hope that Chuck discusses what preparations Microsoft has made to allow GNI auditors access the sensitive Microsoft information.

::Michael: I expect that Chuck will express some level of understanding that many companies are still reticent to join GNI in its infancy before there are any real tangible benefits (especially for smaller companies). But I also expect that he will express some optimism that more companies and organizations will begin to join as GNI matures and proves itself.
::I would like to hear how Chuck thinks abiding by GNI guidelines might affect smaller companies. If such companies refuse to give foreign governments the information they request, could a boycott of services by that country's government have have a disastrous effect on a smaller companies bottom line?

Juan: As a stakeholders unite, GNI is supposed to have more flexibility and accommodation than its legislative alternatives, such as GOFA. With this flexibility, how will it attract new members in China, such as Baidu (www.baidu.com, the market leader of search services), Kaixin network (www.kaixin001.com, the most popular social network website in China, which is a knockoff of facebook), Tudou (www.tudou.com, the biggest video site mainly serving local videos) and etc. Facing with a very powerful government, I doubt they will have an incentive to join the GNI.
Another question is what is the role of GNI? If company challenges the government request, government would not buy it, what actions would company be supposed to take? Will GNI interface with government? By challenging the government request, the company may be punished by government, either directly or indirectly. Is there any benefit for the company to take the risk?
Will GNI work for China? Can it enlighten Chinese government to change its position on human rights and free expression?
Should GNI have multiple standards on human rights protection in different countries, since different countries have different views on human rights.
: Lien: Good point. I believe we should indeed ask the question to all speakers whether the GNI is not a typical American way of approaching issues, that might not work that easily in other continents.

Reuben: With regards to the relationship between Chuck and Mark, I think that while Chuck will make statements supporting the GNI, he is unlikely to challenge Mark or CISCO to join. I'd also expect Chuck to express some reticence in allowing auditors too much freedom to access sensitive information.

Day 2 Predictions

2010-01-05T21:13:18Z

Rnagarajan: /* Dunstan */

= Mark =

Sheel: Cisco, with its involvement in China's Golden Shield Project and $16 Billion investment (http://www.socialfunds.com/news/article.cgi/2825.html), doesn't want to have to deal with issues of human rights that might diminish ROI. Notable quote from article and 2008 testimony: Chandler said, "Cisco does not customize, or develop specialized or unique filtering capabilities, in order to enable different regimes to block access to information." My guess: Mark Chandler will affirm this statement tomorrow, but the real reason is that following the GNI principles would be a poor business decision and CISCO isn't willing to make any sacrifice.
: Elisabeth: we might push back on the idea that this would be a poor business decision, and solicit Cosson and Hope's opinions. Yahoo and Google have faced real backlash for their actions, and GNI serves as something of a safety net against that backlash. We could also ask Chandler if he can imagine how GNI could be structured such that it would be worthwhile for Cisco to join--it would be interesting to see if what he says matches up with what Cosson says GNI needs to do to recruit new members.
:: Andrew: I doubt Chandler would be cynical (frank?) enough to respond this way, but Cisco may be shielded from the kind of "PR risks" that Yahoo/Google/Microsoft face, since their products and services reside below the content layer and are less intuitively understandable to the general public. Along these lines, I hope to hear some discussion about the sources of contention between stakeholders at different architectural layers. How do differences in the type of actions governments request from these companies translate to materially different policy preferences, given the extreme broadness of the principles at issue?
:: Hector: I agree with Andrew and wonder whether Cisco will go to lengths to emphasize the hardware-side of its products/services. This may be a more palatable version of JZ's "gun's don't kill people" framing: "Look, we provide hardware and the software interfaces that are infinitely customizable." Such an argument works only to the extent that the products/services are general-use (generative?) and the extent that CISCO is '''truly''' removed from any immoral end-use.
:: Michael: I think Mark will lean on the fact that Cisco provides hardware. The current constituents of GNI (Micosoft, Google, and Yahoo) exclusively provide services and software which only have a limited range of customizable options. Cisco's products, on the other hand, can be customized for myriad purposes. Unlike the "guns don't kill people, people kill people" fallacy, Cisco's hardware products have a wide variety of applications and are designed specifically and primarily for a number of innocuous purposes and can only be transformed into destructive tools with significant input by the consumer/user. So then Cisco probably has a specific problem with the final bullet point under "Responsible Company Decision Making" of the [http://www.globalnetworkinitiative.org/cms/uploads/1/GNI_-_Principles_1_.pdf GNI Guiding Principles] which requires that companies use their best efforts to force clients or customers to conform to these rules. It could be a seriously onerous burden on hardware providers to say that they must force customers in other countries to abide by American/European concepts of ethical uses of that equipment, and even more onerous to consider punishing Cisco when its products are used in violation of such standards.
: Jason: I doubt that he will emphasize ROI and the need to make money to a group like ours - or, at least he won't explicitly mention his company's desire to make billions of dollars. Instead, I suspect that Mark will emphasize the need for more Internet infrastructure in developing countries, and the uncertain effect of the GNI in terms of continuing to do business everywhere. He would be right about that need - see, for instance, the Internet density map [http://www.chrisharrison.net/projects/InternetMap/medium/worlddotblack.jpg here]. So he can ask us rhetorically, "What is Cisco supposed to do? Don't you cyberlaw students want people in China and Southeast Asia and the Middle East and Africa to get online, too? If so, those countries need our hardware - and we can't choose who runs their governments!" And you know what? If he says this, he will have a very, very good point.

Daniel: I believe Chandler will provide his professional - and hopefully personal - account on the role CISCO plays in [facilitating / enabling / providing neutral tools] to allow for "different regimes" to control their nationals' internet experience. Cosson and Hope will probably dedicate more time to in depth discussion of two issues: involvement of industry actors other than the GNI founding members and the types of incentives that are needed for that, including legal alternatives and public exposure of "do some evil" firms. Also, given that we will not have representatives from Google and Yahoo, these companies are likely to figure prominently in the examples of events, actions and concessions to be avoided.

Sanford Lewis: I predict that Mr. Chandler will not discuss in very much depth the extent to which external stakeholder and stockholder pressure has shaped company policy, unless he is prompted by student questions to discuss this.

Lien: The GNI principles are so general and an "implementation / repetition" of international standards. If a certain company (for whatever reason) does not want to join the GNI, this company still has to comply with these standards. To play the devil's advocate, does joining the GNI change anything in reality or is it just a good thing to join because of the company's image and reputation? Furthermore, the concept of the GNI (sort of self- regulation) is a very American concept. European companies are not very familiar with this kind of approach. The GNI might be a good starting point for a company to obey to certain principles. However, the privacy principles are so broadly written that, if a company would follow these principles, it would still not comply with European Privacy legislation. Why would an European company then join the initiative and do all the effort (e.g. audit, ...), knowing that it would still not comply with European legislation?

:Elisabeth: I also wonder how true it is that these are "international" standards, rather than American or American/European standards.

Michael: I expect Mark will point out that GNI's primary focus seems to be providing guidelines for instances in which a government or other entity makes direct requests of a company for information (ID of a dissident) or to take certain action (block certain functions of software), but that these values are inapplicable to much of what Cisco does. Cisco is likely less concerned with such direct inquiries and more concerned with customers altering its devices to accomplish bad objectives. The kinds of hardline, direct guidelines that GNI will likely promulgate to address issues that would apply to governments' direct inquiries to Microsoft, Google and Yahoo would be very difficult to apply to companies like Cisco who provide heavily customizable software. In fact, any steps Cisco might take to prevent consumers from using its products to violate GNI rules would, itself, violate the rule encouraging freedom of expression by the consumer of such products. (of course the easy response to this might be that all of these are, a fortiori (had to throw some legal speak in here somewhere), reasons that companies like Cisco should be a part of the conversation to create rules that will be more generally applicable.

= Dunstan =
Tyler: I believe Dunstan will try and draw a distinction between situations involving two types of countries. The first type is countries with laws in accordance with GNI principles but that are not enforced or poorly enforced. The second type is countries with laws that on their face are violative of GNI principles. I hope Dunstan will discuss strategies that corporations should use for situations that arise involving both types of countries and the different approaches that GNI stakeholders can collectively take to preemptively forestall problems in each of the two types of countries.
: Daniel: It would be great if we further explored the (blurring) division between these two country-types. Was Google's first move in the negotiation with Turkey - accepting to block videos insulting AtatÃ¼rk, but only within the country's limits - OK under the GNI principles? How much can a country legitimately curb freedom of speech, according to the GNI framework? IMO, its diplomatic language allows for an "American" interpretation, but also for an "European" one and perhaps others even more restrictive.
Reuben: I'd be interested in hearing how BSR's involvement with the GNI was different than corporate social responsibility projects in other economic sectors and how that speaks to the uniqueness of ICT and these issues.
: Ramesh: I'd like to hear Dunstan draw distinctions between two types of conduct that often seem to be conflated in this area -- removing content at the best of governments (Google.cn) vs. providing private information to governments that can lead to the arrest and prosecution of dissidents (Shi Tao). The first seems like a necessary step to take for companies to conduct business in countries with different laws, while the second seems to raise much more serious ethical issues, as the company is actively helping repressive governments search out and persecute dissidents. I suspect that Dunstan may draw this distinction, as perhaps companies, both inside and outside the GNI, think there are serious differences between the two types of conduct.

= Chuck =

Tyler: I expect Chuck to express frustration that more corporations have not signed up for GNI and identify some specific reasons why he thinks GNI has so far been unable to recruit any additional corporations from the initial roster of three (Yahoo!, Google, Microsoft). I also hope that Chuck discusses what preparations Microsoft has made to allow GNI auditors access the sensitive Microsoft information.

::Michael: I expect that Chuck will express some level of understanding that many companies are still reticent to join GNI in its infancy before there are any real tangible benefits (especially for smaller companies). But I also expect that he will express some optimism that more companies and organizations will begin to join as GNI matures and proves itself.
::I would like to hear how Chuck thinks abiding by GNI guidelines might affect smaller companies. If such companies refuse to give foreign governments the information they request, could a boycott of services by that country's government have have a disastrous effect on a smaller companies bottom line?

Juan: As a stakeholders unite, GNI is supposed to have more flexibility and accommodation than its legislative alternatives, such as GOFA. With this flexibility, how will it attract new members in China, such as Baidu (www.baidu.com, the market leader of search services), Kaixin network (www.kaixin001.com, the most popular social network website in China, which is a knockoff of facebook), Tudou (www.tudou.com, the biggest video site mainly serving local videos) and etc. Facing with a very powerful government, I doubt they will have an incentive to join the GNI.
Another question is what is the role of GNI? If company challenges the government request, government would not buy it, what actions would company be supposed to take? Will GNI interface with government? By challenging the government request, the company may be punished by government, either directly or indirectly. Is there any benefit for the company to take the risk?
Will GNI work for China? Can it enlighten Chinese government to change its position on human rights and free expression?
Should GNI have multiple standards on human rights protection in different countries, since different countries have different views on human rights.
: Lien: Good point. I believe we should indeed ask the question to all speakers whether the GNI is not a typical American way of approaching issues, that might not work that easily in other continents.

Reuben: With regards to the relationship between Chuck and Mark, I think that while Chuck will make statements supporting the GNI, he is unlikely to challenge Mark or CISCO to join. I'd also expect Chuck to express some reticence in allowing auditors too much freedom to access sensitive information.

Day 2 Predictions

2010-01-05T21:12:49Z

Rnagarajan: /* Dunstan */

= Mark =

Sheel: Cisco, with its involvement in China's Golden Shield Project and $16 Billion investment (http://www.socialfunds.com/news/article.cgi/2825.html), doesn't want to have to deal with issues of human rights that might diminish ROI. Notable quote from article and 2008 testimony: Chandler said, "Cisco does not customize, or develop specialized or unique filtering capabilities, in order to enable different regimes to block access to information." My guess: Mark Chandler will affirm this statement tomorrow, but the real reason is that following the GNI principles would be a poor business decision and CISCO isn't willing to make any sacrifice.
: Elisabeth: we might push back on the idea that this would be a poor business decision, and solicit Cosson and Hope's opinions. Yahoo and Google have faced real backlash for their actions, and GNI serves as something of a safety net against that backlash. We could also ask Chandler if he can imagine how GNI could be structured such that it would be worthwhile for Cisco to join--it would be interesting to see if what he says matches up with what Cosson says GNI needs to do to recruit new members.
:: Andrew: I doubt Chandler would be cynical (frank?) enough to respond this way, but Cisco may be shielded from the kind of "PR risks" that Yahoo/Google/Microsoft face, since their products and services reside below the content layer and are less intuitively understandable to the general public. Along these lines, I hope to hear some discussion about the sources of contention between stakeholders at different architectural layers. How do differences in the type of actions governments request from these companies translate to materially different policy preferences, given the extreme broadness of the principles at issue?
:: Hector: I agree with Andrew and wonder whether Cisco will go to lengths to emphasize the hardware-side of its products/services. This may be a more palatable version of JZ's "gun's don't kill people" framing: "Look, we provide hardware and the software interfaces that are infinitely customizable." Such an argument works only to the extent that the products/services are general-use (generative?) and the extent that CISCO is '''truly''' removed from any immoral end-use.
:: Michael: I think Mark will lean on the fact that Cisco provides hardware. The current constituents of GNI (Micosoft, Google, and Yahoo) exclusively provide services and software which only have a limited range of customizable options. Cisco's products, on the other hand, can be customized for myriad purposes. Unlike the "guns don't kill people, people kill people" fallacy, Cisco's hardware products have a wide variety of applications and are designed specifically and primarily for a number of innocuous purposes and can only be transformed into destructive tools with significant input by the consumer/user. So then Cisco probably has a specific problem with the final bullet point under "Responsible Company Decision Making" of the [http://www.globalnetworkinitiative.org/cms/uploads/1/GNI_-_Principles_1_.pdf GNI Guiding Principles] which requires that companies use their best efforts to force clients or customers to conform to these rules. It could be a seriously onerous burden on hardware providers to say that they must force customers in other countries to abide by American/European concepts of ethical uses of that equipment, and even more onerous to consider punishing Cisco when its products are used in violation of such standards.
: Jason: I doubt that he will emphasize ROI and the need to make money to a group like ours - or, at least he won't explicitly mention his company's desire to make billions of dollars. Instead, I suspect that Mark will emphasize the need for more Internet infrastructure in developing countries, and the uncertain effect of the GNI in terms of continuing to do business everywhere. He would be right about that need - see, for instance, the Internet density map [http://www.chrisharrison.net/projects/InternetMap/medium/worlddotblack.jpg here]. So he can ask us rhetorically, "What is Cisco supposed to do? Don't you cyberlaw students want people in China and Southeast Asia and the Middle East and Africa to get online, too? If so, those countries need our hardware - and we can't choose who runs their governments!" And you know what? If he says this, he will have a very, very good point.

Daniel: I believe Chandler will provide his professional - and hopefully personal - account on the role CISCO plays in [facilitating / enabling / providing neutral tools] to allow for "different regimes" to control their nationals' internet experience. Cosson and Hope will probably dedicate more time to in depth discussion of two issues: involvement of industry actors other than the GNI founding members and the types of incentives that are needed for that, including legal alternatives and public exposure of "do some evil" firms. Also, given that we will not have representatives from Google and Yahoo, these companies are likely to figure prominently in the examples of events, actions and concessions to be avoided.

Sanford Lewis: I predict that Mr. Chandler will not discuss in very much depth the extent to which external stakeholder and stockholder pressure has shaped company policy, unless he is prompted by student questions to discuss this.

Lien: The GNI principles are so general and an "implementation / repetition" of international standards. If a certain company (for whatever reason) does not want to join the GNI, this company still has to comply with these standards. To play the devil's advocate, does joining the GNI change anything in reality or is it just a good thing to join because of the company's image and reputation? Furthermore, the concept of the GNI (sort of self- regulation) is a very American concept. European companies are not very familiar with this kind of approach. The GNI might be a good starting point for a company to obey to certain principles. However, the privacy principles are so broadly written that, if a company would follow these principles, it would still not comply with European Privacy legislation. Why would an European company then join the initiative and do all the effort (e.g. audit, ...), knowing that it would still not comply with European legislation?

:Elisabeth: I also wonder how true it is that these are "international" standards, rather than American or American/European standards.

Michael: I expect Mark will point out that GNI's primary focus seems to be providing guidelines for instances in which a government or other entity makes direct requests of a company for information (ID of a dissident) or to take certain action (block certain functions of software), but that these values are inapplicable to much of what Cisco does. Cisco is likely less concerned with such direct inquiries and more concerned with customers altering its devices to accomplish bad objectives. The kinds of hardline, direct guidelines that GNI will likely promulgate to address issues that would apply to governments' direct inquiries to Microsoft, Google and Yahoo would be very difficult to apply to companies like Cisco who provide heavily customizable software. In fact, any steps Cisco might take to prevent consumers from using its products to violate GNI rules would, itself, violate the rule encouraging freedom of expression by the consumer of such products. (of course the easy response to this might be that all of these are, a fortiori (had to throw some legal speak in here somewhere), reasons that companies like Cisco should be a part of the conversation to create rules that will be more generally applicable.

= Dunstan =
Tyler: I believe Dunstan will try and draw a distinction between situations involving two types of countries. The first type is countries with laws in accordance with GNI principles but that are not enforced or poorly enforced. The second type is countries with laws that on their face are violative of GNI principles. I hope Dunstan will discuss strategies that corporations should use for situations that arise involving both types of countries and the different approaches that GNI stakeholders can collectively take to preemptively forestall problems in each of the two types of countries.
: Daniel: It would be great if we further explored the (blurring) division between these two country-types. Was Google's first move in the negotiation with Turkey - accepting to block videos insulting AtatÃ¼rk, but only within the country's limits - OK under the GNI principles? How much can a country legitimately curb freedom of speech, according to the GNI framework? IMO, its diplomatic language allows for an "American" interpretation, but also for an "European" one and perhaps others even more restrictive.
Reuben: I'd be interested in hearing how BSR's involvement with the GNI was different than corporate social responsibility projects in other economic sectors and how that speaks to the uniqueness of ICT and these issues.
Ramesh: I'd like to hear Dunstan draw distinctions between two types of conduct that often seem to be conflated in this area -- removing content at the best of governments (Google.cn) vs. providing private information to governments that can lead to the arrest and prosecution of dissidents (Shi Tao). The first seems like a necessary step to take for companies to conduct business in countries with different laws, while the second seems to raise much more serious ethical issues, as the company is actively helping repressive governments search out and persecute dissidents. I suspect that Dunstan may draw this distinction, as perhaps companies, both inside and outside the GNI, think there are serious differences between the two types of conduct.

= Chuck =

Tyler: I expect Chuck to express frustration that more corporations have not signed up for GNI and identify some specific reasons why he thinks GNI has so far been unable to recruit any additional corporations from the initial roster of three (Yahoo!, Google, Microsoft). I also hope that Chuck discusses what preparations Microsoft has made to allow GNI auditors access the sensitive Microsoft information.

::Michael: I expect that Chuck will express some level of understanding that many companies are still reticent to join GNI in its infancy before there are any real tangible benefits (especially for smaller companies). But I also expect that he will express some optimism that more companies and organizations will begin to join as GNI matures and proves itself.
::I would like to hear how Chuck thinks abiding by GNI guidelines might affect smaller companies. If such companies refuse to give foreign governments the information they request, could a boycott of services by that country's government have have a disastrous effect on a smaller companies bottom line?

Juan: As a stakeholders unite, GNI is supposed to have more flexibility and accommodation than its legislative alternatives, such as GOFA. With this flexibility, how will it attract new members in China, such as Baidu (www.baidu.com, the market leader of search services), Kaixin network (www.kaixin001.com, the most popular social network website in China, which is a knockoff of facebook), Tudou (www.tudou.com, the biggest video site mainly serving local videos) and etc. Facing with a very powerful government, I doubt they will have an incentive to join the GNI.
Another question is what is the role of GNI? If company challenges the government request, government would not buy it, what actions would company be supposed to take? Will GNI interface with government? By challenging the government request, the company may be punished by government, either directly or indirectly. Is there any benefit for the company to take the risk?
Will GNI work for China? Can it enlighten Chinese government to change its position on human rights and free expression?
Should GNI have multiple standards on human rights protection in different countries, since different countries have different views on human rights.
: Lien: Good point. I believe we should indeed ask the question to all speakers whether the GNI is not a typical American way of approaching issues, that might not work that easily in other continents.

Reuben: With regards to the relationship between Chuck and Mark, I think that while Chuck will make statements supporting the GNI, he is unlikely to challenge Mark or CISCO to join. I'd also expect Chuck to express some reticence in allowing auditors too much freedom to access sensitive information.

Experiences in Crowd Sourcing

2010-01-02T01:57:28Z

Rnagarajan:

== Mechanical Turk ==

=== Daniel Arbix ===

I have signed up to Mechanical Turk as a Brazilian citizen (not all HIT opportunities were available, then). I have tried to explore different tasks to check the diversity the platform offers for workers. There are some amusing tasks to be performed, but most â against the websiteâs Participation Terms â, are boring schemes to distort internet advertisement payments or to gather active e-mails (for spam or worse, I presume). There are also numerous HITs which demand fake reviews of products and websites, or which require âturksâ to show support to social-networking profiles or events, and even to write posts in blogs making compliments to the blog ownerâs clever analyses. A short summary of my experiences follows.

''1st try'': bad page design, no $
I saw a task as available, was able to follow the instructions and actually perform it on a third party website, but then I realized that the event that would trigger a confirmation number required for my payment had already expired, so of course no payment was made to my account. This was the first contact I had with HITs designed to redirect traffic to earn advertisement revenues (it was described as âa test for page load time, very easy, for USD 2.00â).

''2nd try'': the second HIT I tried had the following misleading instructions:
* "This HIT is an easy to complete 'sign up' assignment. It shouldn't take you longer than 2 minutes to complete. Many thanks for your time! Simply go to: http://www.awin1.com/awclick.php?mid=633&id=93282 Sign up. Then send a print screen of your confirmation email to: mark.studentearnings@gmail.com and write your username and approximate time of sign up in the box below"
The site redirected me to http://www.offersclick.co.uk/offers/SiteRender.aspx?SiteID=501&ThemeID=21&q14259=AFW&q26274=93282 Again, it seems like arbitrage of internet advertisement revenuesâ¦
It was impossible to complete the task within the assigned time â the form-filling advertisements website took too much to load â, so I returned the HIT (and received no $, in spite of losing a lot of time)

''3rd try'': the HIT had the following description:
* "Complete free online quote form. MUST BE 18 OR OLDER AND LIVE IN USA TO COMPLETE THIS HIT Visit Site - Enter Name and Email - Takes less than a minute. IMPORTANT: Eligible only to those who have not yet signed up to this offer. Please don't use disposable e-mails as well. Let's keep this site honest. INSTRUCTION: 1) To get started, visit this website: http://www.aislezone.com/mturk-offer02.php 2) Select make, model and enter zip code. Click "get quotes" 3) Complete the form and click on "get free dealer quotes" REQUIRED PROOF: On activation confirmation copy/paste or type full text to the box below starting with : "Sent!..." "
The time-description was fair, and I received payment after two days. I also (stupidly) provided my real Stanford e-mail, with the result of getting my mailbox now filled by car dealers messages. Again, the HIT seems like arbitrage of internet advertisement revenues.

''4th try'': the HIT had the following description:
* "Data Collection-Google Results Reward: $1.25 per HIT Insert address, perform google searches and indicate first result"
This HIT was an honest one, requiring a verification of search results (Google), all related to the same company. Time description was fair, and my $ arrived a day later.

''5th try'': the HIT had the following description:
* "Rate faces of candidates running for office. Usually takes less than 5 minutes. You can find the survey here: http://www.surveygizmo.com/s/207922/faces3 At the end of the survey, you'll find a code. To get paid, please enter the code below:"
This was a fun, quick HIT. It had a fair time description, and payment was received after a day. I was, however, a terrible subject for the MIT social psychology survey, since most pictures to be rated are of Brazilian politiciansâ¦

=== Jason Harrow ===

It all started out so promisingly. Before I even started, I was excited because "Mechanical Turk" is such a great name. What did it mean? What was mechanical about it? And who or what is the âTurkâ in the transaction? Then, in the back of my mind: isnât that somehow vaguely racist?

Wikipedia would know what a Mechanical Turk is, of course. So I searched for it, and I immediately found my answer. The Mechanical Turk was a chess playing âmachineâ that, âfrom 1770 until its destruction by fire in 1854 . . . was exhibited by various owners as an automaton, though it was explained in the early 1820s as an elaborate hoax.â Something thought to be a form of artificial intelligence later explained to be just a smart guy in a box? How cool is that? Could there be a more perfect name for this service? I made a mental note that if I am ever in the position to pick a name for an Internet company or service, I will find out who chose "Mechanical Turk" and consult him or her. I couldnât have been more excited to get started.

I logged in with my Amazon ID and created my Amazon payment account. Unlike Daniel (above), I am a US citizen; also unlike Daniel, I chose to go first for a little assignment that paid $.02 per HIT. My task was to go to the website of a given educational institution, type in when the spring semester 2010 started, and give the URL of the Academic Calendar page confirming this. I did one successfully and submitted it. It took about 90 seconds. Easiest job of my life. Bring on a few more.

The next one took longer and bore no fruit, though: the little Midwestern barbershop college that was assigned to me didnât display when their spring semester started (side thought: do barbershop colleges even have spring semesters?). That was frustrating; all that effort, and no shiny pennies at the end of the rainbow. And why in the world does this guy â Aaron Smyth, whoever that is â even want to include barbershop colleges in his survey? What could he possibly be doing with that data? I pressed on and did a few more start dates before trying to find something else. It got boring pretty quickly, and I realized that 2 cents wasnât really worth it beyond the initial thrill of it all.

Like Daniel, I then encountered what later became obvious as a scam: someone who said theyâd pay me money for signing up, but the time given was too fast and there was no way to actually verify that I completed the task in the way they said I needed to. This made me angry. How in the world does Amazon â one of my favorite companies on the planet, by the way â let them get away with this? I reported the bastards, but I donât know what happened to that complaint. A few days later, Mechanical Turk still seems littered with these scams. Thatâs disappointing.

I turned to a final HIT, what seemed like just an individual who wanted me to go to his website and post any kind of comment, just for the sake of getting more hits. Seemed a little shady, but I gave it a try and duly posted a comment. Days later, I got the bad news: rejected! I wouldnât be getting the shiny nickel I was promised. Hey Amazon: how is that allowed?

I was once so excited by the great name and the prospect of making easy money, but I'm now deeply disappointed with both the requesters and with Amazon. Why did all the posters seem so scammy? Why aren't there any tasks that seem interesting and worthwhile? And how does Amazon let the requesters get away with this? I felt somehow betrayed by an Internet company that I feel oddly loyal to; it was as if HBO launched a new channel that turned out to be entirely infomercials. Get your act together, Mr. Bezos!

I logged into my account a few days later. The final tally was 8 HITs accepted; 4 submitted; 1 returned; 3 abandoned; 3 approved; 1 rejected; and, in the end, 6 measly American cents earned. I wish that the original chess-playing Mechanical Turk hadnât been destroyed in 1854. That Mechanical Turk might have been a sight to see. This one isnât.

== LiveOps ==

=== Sheel Tyle ===

I am in the process of signing up as an inexperienced bilingual (Spanish & English - I'm conversational, not fluent, in Spanish, but let's see how much I'm tested on it) LiveOps call center agent. There are videos on the website from independent agents, testimonials on the sidebar ($15-22/hour), and press releases from various periodicals that try and convince.

There are five steps that I must follow in order to be 'submitted for review':

Validate your email address

Verify your understanding of the general requirements

Provide basic information on your background

Assess your comprehension and computer skill

Audition your voice

Under ''''basic information'''', here are some of the questions:

Have you ever contracted your business with LiveOps in the past?, Do you have prior call center experience?, Are you currently licensed to sell both health and life insurance products?, Are you currently licensed to sell both property and casualty insurance products?, Do you have prior experience in sales?, Do you have prior experience taking calls from Radio offers?, Do you have any experience in outbound telemarketing?, Do You Speak, Read and Write Spanish - FLUENTLY?, Do You Speak, Read and Write French - FLUENTLY?

I said "No" to every one except "Yes" to speaking Spanish.

Then, under ''''comprehension and computer skill'''', I had to answer questions like:

''
Please read this script:"We dont want you to miss out on this great offer, so what I can do for you today is offer you 1 HotBrush for 3 easy payments of $29.99 plus $14.75 to cover processing or you can take advantage of our special offer, the SpeedyHeat model for only $6.67 additional per payment. The SpeedyHeat Model contains a computer chip which lets your HotBrush heat up faster and hold a more even temperature just like the most expensive professional quality hot tools. So, would you like to order the HotBrush or the SpeedyHeat Model?"

In this script, is the customer choosing between two different products or are they deciding whether to add a product (for two products total)?
Deciding whether to add a product
Choosing between two different products''

'' What is the keyboard shortcut to move between windows you already have open on your computer?
Hold down the "Alt" button and press the "Tab" button
Drag the window offscreen
Click the appropriate button in the task bar
Close the program you are currently working in, and open a new one
Minimize the window you are currently working in ''

Finally, the voice test. LiveOps asked me to call in to a 1-800 number and, when prompted, read two passages: one in English and one in Spanish.

Submitted. Once I hear back, I'll update whether I was accepted =)

=== Ramesh Nagarajan ===

I've completed the agent qualification process to become a LiveOps representative. Sheel did a good job of explaining the basics of the qualification process, so I'll share two observations I had about the process.

First, there's a fair amount of legal language LiveOps uses, with the intention of disclaiming any liability or even the existence of much of a relationship between it and its contractors. One must agree to the following: "I understand that LiveOps will investigate all of my information provided during the Agent Qualification process, and that Certification of my home business to contract with LiveOps will be contingent upon successful completion of a criminal and credit background check." They aren't currently accepting Massachusetts residents as LiveOps contractors -- perhaps Massachusetts's laws are too worker-friendly -- so I hope that means I get to avoid the "criminal and credit background check." Also, I didn't have to provide a Social Security Number, which makes me wonder if there is a real background check. Going back to the phrase I agreed to, I found it interesting that LiveOps representatives are setting up "home business[es] to contract" with LiveOps. There seem to be at least two advantages that LiveOps has over traditional telemarketing and call center companies -- first, it could save money on infrastructure by having employees work out of their own homes and use their own computers and phones, and second, it could save money by not having actual employees. I wonder which is more important, and if the second is a necessary part of the company's business strategy.

On a lighter note, the questions for "comprehension and computer skill" were quite entertaining. I was asked if booting a computer meant to turn on the sound, throw it out, turn it on, or add extra drives, and I had to decipher the meaning of a call script. I think there's a good chance I got one of the questions wrong. It asked what a customer paid today for a product that had "an upfront trial payment" of $15, three monthly payments of $40, and a shipping and handling charge of $10. I answered $15, but when I think about it, maybe it should be $25.