CFP96 Conference Report

Lorrie Faith Cranor's CFP96 Conference Report

Copyright 1996 by Lorrie Faith Cranor. Permission to distribute this report electronically is granted.

Computers, Freedom and Privacy '96 was held March 27-30 at the Cambridge, Massachusetts Hyatt Hotel. This year the (mostly) single-track conference was excellently chronicled by the CFP96 newsletter volunteers; thus I will dispense with my usual session-by-session description of the conference and instead focus my annual essay on a few conference highlights and my personal reactions to the conference. Notes and audio recordings for most sessions are available from the CFP96 web site (

I arrived late Wednesday night, after the day's tutorials and the evening reception, but in time to join the group of CFP regulars at the hotel bar. Before retiring for the evening I continued several conversations started at CFP95, explained my dissertation research to a handful of CFPers who were actually interested in hearing about the details of my esoteric work, and collected a long list of web pointers and book titles which said listeners recommended. As usual, informal networking proved to be a valuable part of my conference experience.

As the main part of the conference got started the next morning, I noticed that law enforcement officers and hackers were largely absent from the attendance list this year. Perhaps that's why CFP96 lacked some of the intrigue of previous conferences. There were no arrests, no attendees taken in for questioning, and no groups of young people clustered around the pay phones. Actually, there weren't too many young people at the conference at all. Perhaps due to the expensive venue (and no easy way to find roommates to cut down on expenses) there seemed to be fewer students than usual in attendance.

As the CFP audience seemed to have matured from previous years, so did the tone of the discussions. At CFP93 (my first CFP) the panels explored the strange new worlds of the electronic frontier with speakers presenting information which really surprised many of the participants. There were so many new ideas -- so much to disagree with -- that there were loud protests at the end of each session from those who didn't get to have their say before time ran out. At CFP94, most of the attendees (while probably still in much disagreement on many topics) were for the most part so much in agreement that the Clipper Chip was bad, that all other issues seemed much less significant. A year later, the Clipper crisis had blown over, allowing CFP95 to proceed with more diverse discussions. At CFP96 there were new crises to rally around: the Communications Decency Act and the threat of restrictive encryption legislation. But for the first time at CFP, I heard audience members other than Dorothy Denning and those employed by the government acknowledging that these issues might not be all black and white.

Denning's "International Developments in Cryptography" panel exposed a lot of important issues surrounding the cryptography regulation dilemma and featured one of the most controversial speakers of this year's conference -- Michael Nelson of the White House Office of Science and Technology Policy. Those who put aside their outrage long enough to listen to what Nelson had to say, seemed to find themselves agreeing with much of his analysis, while disagreeing with some of his fundamental assumptions. What set Nelson's perspective apart from the views held by most CFP participants was his belief that the potential consequences of unregulated cryptography (especially non-key-escrow) would be more harmful than the potential consequences of regulating cryptography. Nelson kept repeating that if nothing was done to regulate cryptography, terrorists will use it to pull off a major disaster and "people will die." As long as the administration assumes that the risk of disaster due to unregulated cryptography (which may not be insignificant) is an unacceptable risk, no solution that cannot eliminate that risk will be acceptable. The problem is we don't really know the magnitude of the risk, nor do we know whether people find this sort of risk acceptable. Certainly our society has determined that some risks are acceptable and we find it preferable to live with these risks than impose the regulations that would reduce them significantly. On the other hand, we have decided that other risks are more than we wish to bear. But these determinations have come about after long debate, and even after regulations are established they tend to get changed frequently as our knowledge about the magnitude of the risks and the public attitude towards these risks change.

This topic was discussed again in an excellent session, "Before the Court: Can the US Government Criminalize Unauthorized Encryption?" organized by Andrew Grosso. Remembering the confusing mock trial held at CFP93, I was a bit skeptical about this moot court. But I was pleasantly surprised to watch a thoroughly researched debate over a fictitious statute outlawing unescrowed encryption. Although most of the participants were opposed to this hypothetical statute, those assigned to represent the government defended it convincingly. I was also impressed with the questions asked by the panel of real Federal judges who presided over the court. Written arguments on both sides are available from the CFP96 web site.

Another controversial speaker, Bruce Taylor, President and General Counsel of the National Law Center for Families and Children, participated in the late night Communications Decency Act session which began at 9:30 Thursday night. As Taylor debated with CDA opponents, I noted that the discussion was more about semantics and what the law really means than anything else. Taylor attacked opponents' statements that the CDA is unconstitutional saying that it does not really restrict the behavior that opponents say it does. He failed to comment on whether such restrictions would be unconstitutional, rather he insisted that such restrictions were not a part of the law. Examples of materials Taylor claimed would not be restricted (but opponents said would be restricted) include dirty words and graphic sex education materials. The root of the disagreement surrounded the interpretation of the vague language of the legislation and the significance of explanatory documents which Congress voted not to include in the legislation. Audience discussion of this issue continued well past midnight, when the hotel staff asked us to move our conversation out of the ballroom so they could lock up for the night.

The following evening, the New England Aquarium was the delightful setting for the EFF Pioneer Awards presentation and reception. The ever squawking penguins repeatedly interrupted the speakers, adding a bit of levity to the event. Many attendees commented that watching the fish swim gracefully round and round the central tank was a fitting contrast to all the high tech talk of the previous two days.

Other highlights of the conference for me included being a panelist on David Chaum's "Policy Implications of Privacy Technology" lunch panel along with Phil Zimmerman, Esther Dyson, and John Gilmore; playing a 70-year-old women in one of Simpson Garfinkel's electronic cash scenarios; and meeting other graduate students who are working on interdisciplinary research projects.

One topic I wish had been discussed more at this conference was medical records privacy, especially in light of the "Bennett bill" introduced in the US Senate last fall. One lunch workshop took a cursory look at medical records privacy issues, but I was disappointed in the way the organizers framed the discussion, focusing on philosophical questions rather than on the actual issues that have proven controversial. This is a topic that has been discussed at previous CFPs, but I think there's plenty more to discuss. Maybe at CFP97?

Lorrie Faith Cranor                 Engineering and Policy, Computer Science
Washington University         
1 Brookings Dr Box 1045  
St. Louis, MO 63130        "UNLESS someone like you cares a whole awful lot,   nothing is going to get better. It's not." -Dr.Seuss