Re: [GKD-DOTCOM] Cyber-Security and Human Rights

[Fola Odufuwa]

Dear Colleagues,

Richard Downing's contributions on the subject of anonymity made very
interesting reading. In Nigeria, as in much of Africa, secure,
nationally acceptable, authenticated identification for individuals
(both for private, business and regulatory purposes) in the real world
is highly undeveloped. Matching individuals to fixed locations for
transaction purposes is well near impossible in the near term for many
developing nations, making the question of web world identities for real
world peoples even more complex. The populations of Africa, to a large
extent and in many respects, are mobile and culturally nomadic, both in
the cities and in the villages.

Even if it where possible to identify and match a specific web
transaction to an online personality, how then will you match that
online figure to his (non-existent) real world database? If real world
identities can be changed or even recreated (for any number of reasons),
how would you be able to link the transactions (positive or negative) on
the Internet to the real world people behind them?

Regards,
Fola Odufuwa
ED

--
eShekels Limited
West Africa Office
13th Floor, Left Wing
Nigeria Stock Exchange House
2/4 Customs Street 
Lagos, Nigeria
Tel: +234-1-8116899
Fax: +234-1-2642852
Web: www.eshekels.com 
__



On Monday, September 27, 2004, Richard Downing wrote:

> I wanted to comment on the discussion of anonymity & security.
> 
> I would like to suggest that the question is really quite nuanced, not a
> black and white issue.

> The question of anonymity is a difficult one, and one that we have not
> quite worked out in our own society. There are certainly some things
> that we agree people should be able to do anonymously (pay for things
> with cash), and others that shouldn't be done anonymously (driving a
> car, opening a bank account).

   ...snip...

> It should also be clear that we, as a society, have long since decided
> that it is a necessary power of the government -- with appropriate
> restrictions and safeguards -- to have the authority to intercept
> communications.

> I would also like to point out that "anonymity" is a relative term that
> takes into account a broad spectrum of activities or regulations. For
> example, I understand that in order to obtain an Internet account in
> Australia, you need to provide certain sorts of proof of identity (as
> you would when applying for a driver's license). There is also the
> question of how much traffic information Internet service providers
> retain, as this information can, in many cases, allow the identification
> of the source of communcation after the fact. There are also questions
> of how to deal with wireless networks or Internet cafes that are open
> for use by anyone without any authentication or identification. There
> are lots of policy choices that law makers and Internet engineers can
> make that serve to increase or decrease anonymity.
> 
> Finally, it is worth noting that the primary problem with solving all
> sorts of Internet crime -- from hacking credit card databases to sending
> child pornography over the Internet to using the Internet to communicate
> with terrorists -- is identifying the perpetrator. Very often WHAT has
> occurred is fairly clear, but figuring out WHO the person is is the most
> difficult part. Without the ability to identify the perpertrator, there
> is no way to deter this conduct or bring those responsible to justice.





This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative
Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides
more information.
To post a message, send it to: <[EMAIL PROTECTED]>
To subscribe or unsubscribe, send a message to:
<[EMAIL PROTECTED]>. In the 1st line of the message type:
subscribe gkd OR type: unsubscribe gkd
For the GKD database, with past messages:
http://www.GKDknowledge.org

Re: [GKD-DOTCOM] Cyber-Security and Human Rights

[Mike Hayes]

Dear Colleagues,

This is a rather late note on the topic last week. While the topic of
cyber-security was discussed, there was little mention of the human
rights issues, and I thought I would just briefly note some key points.

The main issue is the right to privacy, which is covered in the
International Covenant of Civil and Political Rights (ICCPR) Art 17.1
"No one shall be subject to arbitrary or unlawful interference with his
privacy, family, home, or correspondence." This right is derogable (can
be broken in instances of state of emergency or threats to the life of
the nation).

Other relevant articles are 19 - freedom of expression  - which comes
with a special caveat that there are special duties and
responsibilities, in particular the rights and reputation of others and
protection of national security.

Finally, in the international covenant of economic, social and cultural
rights is the right to enjoy the benefits of scientific progress, where
the state has a duty for the development and diffusion of science and
culture.

These are the most direct ones but there are a host of others, right to
information (for children, on health and reproductive health, on
politics, and so on), freedom from discrimination, freedom of assembly
(which in a very liberal interpretation could be taken as 'virtual
assembly').

The important point, I feel, is that human rights is largely irrelevant
in the cyber-security debate because most of the issues will be taken up
in domestic law, as most developed countries where cyber-security is an
issue have quite solid privacy laws, which are stronger than the
international human rights ones. Developing countries with weak laws,
even if they have not ratified the ICCPR, can use it as 'customary law'
though this is debatable.


Dr Mike Hayes
Visiting Professor
Office of Human Rights Studies and Social Development
Graduate Faculty
Mahidol University, Salaya Campus
Nakhon Pathom, 73170

Tel: (66 2) 441 4125 ext 400/401 (w)
Fax: (66 2) 441 9427
Email: [EMAIL PROTECTED]
web: www.humanrights-mu.org




This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative
Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides
more information.
To post a message, send it to: <[EMAIL PROTECTED]>
To subscribe or unsubscribe, send a message to:
<[EMAIL PROTECTED]>. In the 1st line of the message type:
subscribe gkd OR type: unsubscribe gkd
For the GKD database, with past messages:
http://www.GKDknowledge.org

Re: [GKD-DOTCOM] Cyber-Security and Human Rights

[King, Brian]

Hi Femi,

Thanks for your message. What is your feeling about the enforcibility of
such a law? It seems to me that as long as there are those (governments,
others) that insist on owning the keys, there will continue to be good
incentives for developing new keys. Enforcement of the law might then
come down to prosecuting individuals for possession of encryption
software tools, newly defined as 'contraband'.

Brian



On 9/23/04, Femi Oyesanya <[EMAIL PROTECTED]> wrote:

> One of the so-called 'developing countries' has begun implementing
> Cyber-crime Laws that would in the long run hinder individual liberties.
> Nigeria, for example, is proposing government ownership of Encryption
> keys.
> 
> See an article I wrote some time ago at:
>
 of-draft-nigerian-cybercrime.html>




This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative
Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides
more information.
To post a message, send it to: <[EMAIL PROTECTED]>
To subscribe or unsubscribe, send a message to:
<[EMAIL PROTECTED]>. In the 1st line of the message type:
subscribe gkd OR type: unsubscribe gkd
For the GKD database, with past messages:
http://www.GKDknowledge.org

Re: [GKD-DOTCOM] Cyber-Security and Human Rights

[King, Brian]

On 9/23/04, Shubhranshu Choudhary asked:
> Brian, Could you tell us more about encrypted P2P communication. (I am
> not a technical person). Thanks in advance.


Hi Shubhranshu,

Peer-to-peer (P2P) are networks that can be created by stand-alone
personal computers without the need of any other infrastructure--one
example is music file swapping people do through such programs as Kazaa.

Each computer is both a server and receiver, or 'client'.

There are programs that enable people to build their own networks in
this way, and collaborate in a sort of ad-hoc private network that can
be set up in minutes. Encyrption is what keeps that information exchange
from being deciphered. Only invited members can become part of it.

Groove networks, for example, makes a collaboration platform on this
model. It is currently used by military, humanitarian organizations, and
many others. It has a very high level of encyrption.

For a free taste of encrypted P2P, you could check out
. It is a downloadable program that allows you to
create a little networked space between computers. I use it to keep my
music libraries updated between several computers. I copy music into the
library of one computer, and it is immediately replicated in the others.

Or you could try  for a free (and fun) P2P voice and chat
communications tool. It, too, is encrypted.

I suspect that we are only beginning to see the power of these kinds of
networks. I think that a network of people is often smarter than the sum
of its individuals if everyone is being a good 'net-izen'.

Best wishes,

Brian King




This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative
Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides
more information.
To post a message, send it to: <[EMAIL PROTECTED]>
To subscribe or unsubscribe, send a message to:
<[EMAIL PROTECTED]>. In the 1st line of the message type:
subscribe gkd OR type: unsubscribe gkd
For the GKD database, with past messages:
http://www.GKDknowledge.org

Re: [GKD-DOTCOM] Cyber-Security and Human Rights

[s choudhary]

"Internet Politician" is a good word...

Brian, Could you tell us more about encrypted P2P communication. (I am
not a technical person). Thanks in advance.

Regards,

Shubhranshu Choudhary
Freelance Journalist
312, Patrakar Parisar
Sector 5, Vasundhara
Ghaziabad 201012 India
Ph - + 91 98110 66749
e mail - [EMAIL PROTECTED]



On 9/22/04, Brian King <[EMAIL PROTECTED]> wrote:

> For protecting human rights, vis a vis repressive governments,
> anonymity, many of us agree, is key.
>
> I had the fascinating, unsettling experience of working in a country
> last year in the tumultuous months preceding a coup d'etat. Virtually
> all media outlets were forcibly closed, journalists were harassed and
> silenced, and foreign news entities were expelled. People needed to tune
> in to foreign news agencies to hear reports on their own country. The
> international communications channel was the Internet. The President
> disparaged the "Internet politicians" publicly and threatened to shut
> down the Net, but ultimately could do little to stop the phenomenon.
>
> If the Government in this case had had more advanced snooping ability
> (as, say, China I imagine must have), they could have identified the
> so-called 'Internet politicians' and silenced them.
>
> For this reason I am a believer in highly-encrypted peer-to-peer (P2P)
> models of collaboration and communications that are emerging. I promote
> these to counterparts when I get the chance. Encrypted P2P can keep the
> international channel open and offer greater security of communications.
>
> Yes, they can be used by 'bad people' too. Still, if we agree that
> networks are smarter than individuals, getting the people and trends
> that we would like to see grow, securely networked, is a good step in my
> book, and outweighs the potential downsides.




This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative
Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides
more information.
To post a message, send it to: <[EMAIL PROTECTED]>
To subscribe or unsubscribe, send a message to:
<[EMAIL PROTECTED]>. In the 1st line of the message type:
subscribe gkd OR type: unsubscribe gkd
For the GKD database, with past messages:
http://www.GKDknowledge.org

Re: [GKD-DOTCOM] Cyber-Security and Human Rights

[Femi Oyesanya]

On 9/20/04, Global Knowledge Dev. Moderator asked:

> 6. Where do we draw the line between individual rights and freedoms
> (e.g., to use encryption to protect privacy) and government
> responsibility to protect citizens (e.g., outlawing encryption)?


One of the so-called 'developing countries' has begun implementing
Cyber-crime Laws that would in the long run hinder individual liberties.
Nigeria, for example, is proposing government ownership of Encryption
keys.

See an article I wrote some time ago at: 





This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative
Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides
more information.
To post a message, send it to: <[EMAIL PROTECTED]>
To subscribe or unsubscribe, send a message to:
<[EMAIL PROTECTED]>. In the 1st line of the message type:
subscribe gkd OR type: unsubscribe gkd
For the GKD database, with past messages:
http://www.GKDknowledge.org

Re: [GKD-DOTCOM] Cyber-Security and Human Rights

[Robert Guerra]

On 9/20/2004, Global Knowledge Dev. Moderator asked:

> 3. Are there cyber-security tools and techniques that are particularly
> important and appropriate for developing countries?


I'd like to point out that Privaterra works in the area of information
security. We focus on advising and training social justice NGOs,
particularly Human rights organizations.

Our focus is to help organizations understand the risks, and privacy
implications of ICTs. As well, we provide information and training on
the tools and techniques that can be used to ensure information security
(ie. cyber-security).

Given the nature our work, and profile of the groups we've worked with
-- our focus has been primarily in developing countries and emerging
democracies.

I'd be keen to hear from others who are either working in this area, or
keen to fund projects that specifically focus on cyber-security.


If you are just hearing about Privaterra - please do feel free to visit
our website at the address below.


Regards,

Robert Guerra
--
###
Robert Guerra <[EMAIL PROTECTED]>
Privaterra - 




This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative
Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides
more information.
To post a message, send it to: <[EMAIL PROTECTED]>
To subscribe or unsubscribe, send a message to:
<[EMAIL PROTECTED]>. In the 1st line of the message type:
subscribe gkd OR type: unsubscribe gkd
For the GKD database, with past messages:
http://www.GKDknowledge.org

Re: [GKD-DOTCOM] Cyber-Security and Human Rights

[King, Brian]

For protecting human rights, vis a vis repressive governments,
anonymity, many of us agree, is key.

I had the fascinating, unsettling experience of working in a country
last year in the tumultuous months preceding a coup d'etat. Virtually
all media outlets were forcibly closed, journalists were harassed and
silenced, and foreign news entities were expelled. People needed to tune
in to foreign news agencies to hear reports on their own country. The
international communications channel was the Internet. The President
disparaged the "Internet politicians" publicly and threatened to shut
down the Net, but ultimately could do little to stop the phenomenon.

If the Government in this case had had more advanced snooping ability
(as, say, China I imagine must have), they could have identified the
so-called 'Internet politicians' and silenced them.

For this reason I am a believer in highly-encrypted peer-to-peer (P2P)
models of collaboration and communications that are emerging. I promote
these to counterparts when I get the chance. Encrypted P2P can keep the
international channel open and offer greater security of communications.

Yes, they can be used by 'bad people' too. Still, if we agree that
networks are smarter than individuals, getting the people and trends
that we would like to see grow, securely networked, is a good step in my
book, and outweighs the potential downsides.




This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative
Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides
more information.
To post a message, send it to: <[EMAIL PROTECTED]>
To subscribe or unsubscribe, send a message to:
<[EMAIL PROTECTED]>. In the 1st line of the message type:
subscribe gkd OR type: unsubscribe gkd
For the GKD database, with past messages:
http://www.GKDknowledge.org

Re: [GKD-DOTCOM] Cyber-Security and Human Rights

[Patrick]

At 20:22 20/09/2004, Global Knowledge Dev. Moderator asked:

> 3. Are there cyber-security tools and techniques that are particularly
> important and appropriate for developing countries?

Perhaps this Open Source initiative may be relevant. Its content appears
to me to be heavily technical and aimed at the security auditor and
those charged with cracker countermeasures.


http://www.oissg.org/
Open Information System Security Group

"As of yet we have established 38 Chapters in 21 countries world wide.
Objective of forming these chapters is to share and build knowledge and
spread information security awareness."



   Patrick O'Beirne,  Systems consultant
   Spreadsheet model review, test, audit
   www.sysmod.com  +353 55 22294
.




This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative
Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides
more information.
To post a message, send it to: <[EMAIL PROTECTED]>
To subscribe or unsubscribe, send a message to:
<[EMAIL PROTECTED]>. In the 1st line of the message type:
subscribe gkd OR type: unsubscribe gkd
For the GKD database, with past messages:
http://www.GKDknowledge.org

Re: [GKD-DOTCOM] Cyber-Security and Human Rights

[Barbara Fillip]

Dear GKD Members,

I must confess that a few weeks ago, my understanding of cyber-security
issues was limited to what I had learned from unfortunate experiences
with computer viruses and the dangers (real or perceived) of using a
credit card to make online purchases.

While helping to organize and attending the DOT-COM / InterAction
Cyber-Security event that took place on the 16th of September, I
certainly learned a great deal, yet the more I learn the more I realize
how much I do not know. If I've learned anything in the past few weeks,
it's that cyber-security is an issue that should receive more attention
from everyone, from individual computer users to small business owners
and policy makers. Yet that does not mean we should all become
cyber-security experts.

To start addressing this week's specific questions focusing on human
rights and cyber-security, I'd like to relay some comments that were
made during the "Questions & Answers" session that took place during the
September 16 Speaker Series event, after the presentations by the
panelists. I am copying below the question and the answer by one of the
panelists, Jim Dempsey.


Question from the audience:
How much anonymity should people have a right to when they are online?

Response from Jim Dempsey (Center for Democracy and Technology):

"Due to the very design of this technology, we create and leave behind
footprints. Assembling those requires effort, but to mandate some kind
of uniform authentication process or uniform traceability requirement to
be built into the technology will have lots of unintended consequences
for policies that we favor (whistleblowers, various kinds of online
health inquiries, access to information). Look at a country like China
and the huge efforts it's putting into controlling the technology, and
tracking down democracy advocates. Also think about it from a security
standpoint and how hackers might well be able to use things that are
designed for traceability and identification purposes.

The relative anonymity that the Internet offers serves a number of
important policy goals, separate from privacy goals. This is similar to
the ability to walk into a store and buy a newspaper without identifying
ourselves.

Lots of technical measures can be taken by network operators to
authenticate packets. These are generally not regulatory steps. Egress
filtering provides the ability to identify packets coming out of a
server and identify whether they're authentic. It provides an increased
ability to identify the source of an attack on a network. End to end
authentication for all packets would have adverse impacts. It's a trade
off. You can't find everybody every time, but the price of finding
everybody every time comes at the expense of other social policies we
favor. A technique that may be perfectly good in the hands of the US
Dept. of Justice may not be so desirable in the hands of the government
of China."


It's really a question of finding the right balance, isn't it?

You can access Jim Dempsey's presentation as well as the other
panelists' presentations on the DOT-COM web site at:
http://www.dot-com-alliance.org/events/cybersecurity.htm 


Best regards,
Barbara Fillip
Information & Dissemination Coordinator
DOT-COM Alliance
AED - Technology Center
Email: [EMAIL PROTECTED]
Tel: (202) 884-8003
http://www.dot-com-alliance.org




This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative
Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides
more information.
To post a message, send it to: <[EMAIL PROTECTED]>
To subscribe or unsubscribe, send a message to:
<[EMAIL PROTECTED]>. In the 1st line of the message type:
subscribe gkd OR type: unsubscribe gkd
For the GKD database, with past messages:
http://www.GKDknowledge.org

[GKD-DOTCOM] Cyber-Security and Human Rights

[Global Knowledge Dev. Moderator]

Dear GKD Members,

This week we would like to focus on the issue of protecting
Cyber-Security while preserving human rights.

ICTs make it increasingly easy to collect, store and transfer massive
amounts of data virtually instantaneously. We often consider this power
crucial to providing universal access to information and knowledge
sharing.  Yet, the benefits are not risk-free. Worldwide, there are
growing concerns about misuse of this power in ways that infringe on
personal privacy, data integrity and human rights.  Take, by way of
example:

* Criminals can gain access to personal information (through keyboard
loggers, for example), resulting in financial loss, and even personal
identify theft.

* Governments can use data against their own citizens. Rwanda is a case
in point. The government wants to automate the work of the electoral
commission, improving its functioning. Yet the data they want to gather
includes how citizens vote in elections. This type of data gathering
would clearly violate citizens' right to vote without fear of
repercussions.

* Encryption is a major source of controversy. Some argue people using
the Internet have the right to encrypt their messages to ensure privacy.
Others insist that the same encryption tools are dangerous, enabling
criminals or terrorists to avoid detection.


Key Questions:

1. What efforts do your projects take to protect data from misuse?

2. What solutions are effective for protecting information from human
rights violations?

3. Are there cyber-security tools and techniques that are particularly
important and appropriate for developing countries?

4. When gathering data, what kinds of dangers should be anticipated?
What types of measures should be taken to protect individual privacy?

5. Who is responsible for taking what measures, especially when
regulations are unclear? Donors? Government? NGOs? Businesses? Citizens?
ISPs?

6. Where do we draw the line between individual rights and freedoms
(e.g., to use encryption to protect privacy) and government
responsibility to protect citizens (e.g., outlawing encryption)?

7. What concrete good practices have you observed, that we should
publicize and utilize?




This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative
Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides
more information.
To post a message, send it to: <[EMAIL PROTECTED]>
To subscribe or unsubscribe, send a message to:
<[EMAIL PROTECTED]>. In the 1st line of the message type:
subscribe gkd OR type: unsubscribe gkd
For the GKD database, with past messages:
http://www.GKDknowledge.org