(update:for a near live coverage see Lex Ferenda)

UPDATE: if you’ve missed the conference, the Berkman Centre has now made videos of the conference available)

I will try to cover what’s on the horizon.

Jonathan Zittrain (OII and Berkman) and John Palfrey (Berkman) introduced a new distributed application that they are devloping. It’s called Herdict – meaning “a verdict from the herd” – and is basically a software application people can install on their machines for the following purposes:

• Detect Badware: collect vital life signs of the computer
• Document Internet filtering: document Internet sites the user cannot access
• Measure Network Neutrality: measure network latency

The data collected by Herdict is sent back to a Berkman server, aggregated and distributed again so that each user can compare the performance of his/her machine/network with the performance of other machines in his neighbourhood or across the world. Eventually the software could help users

• to decide whether or not to install a certain piece of software (based on other user’s experiences with it)
• finding out that there is a problem with your machine as yours is performing much worse than everybody else’s
• produce a near real-time map of Internet filtering around the world that allows for an analysis of where filtering is actually taking place: on state, ISP or institutional (eg. company) level

The setup is likely to remain a centralized client-server architecture (P2P is possible but creates a whole host of security and trust problems) but the ultimate aim is to allow also interfacing with the data via an open API so that 3rd parties can create widgets using the collected information.

While the audience was widely in favour of the capabilities of such a tool, many concerns were raised about whether the privacy and security of Herdict users would be at risk. An Ethan Zuckerman in full constructive-criticism mode raised a whole host of issues but also suggested some potential solutions. Others joined in the discussion which I try to summarize below together with some responses from Jonathan and Steven J. Murdoch who is responsible for some of the technical ideas behind Herdict:

1. Does the collected information about a machine’s (mis)configuration not help malware programmers?
   JZ: These people do already know enough about the weaknesses of other people’s machines (e.g. via their botnets) so this information won’t help them but will make a difference for the good guys
2. Does one maybe draw attention to an insecure configuration on his/her machine so that it can be targeted specifically?
   JZ: Definitely important to strike a balance between openness and the ability to misuse this information. Possible solutions could be to synthesize the collected data. However, the applications installed on your computer give out so much of your information already (e.g. Skype, IM) that one should maybe worry less about Herdict but just start to use the information for a good purpose (if you cannot stop it from being distributed anyway)
3. Doesn’t the centralized client-server architecture make it easier to manipulate and interfere with the data collection?
   JZ: Exactly because the data is centralized it is easier to guarantee its freedom if it is operated by a trusted party with adequate licensing (see Wikipedia example)
   SM: client-server could be more secure than P2P because you only need to make sure that the server is trustworthy, not the whole array of hosts in the network. Also there might be a centralised aggregation of the collected data but a distributed communication to transport the information. The data will be sent encrypted and stripped of personal information.
4. Is a centralized architecture not easily blocked?
   JZ: This would be a sign of success (as governments would apparently take Herdict seriously) but if that would really happen one could think of new ways of working around that.
5. Even with Herdict it would be difficult to detect tempering with pages (e.g. the BBC page is served but with slightly different content, e.g. less critical of your countries government)?
   JZ: One could incorporate a review or user comparison of web pages, something like the ESP Game
6. Do people not draw attention from the authorities to themselves if they start using Herdict and in this way accessing forbidden sites to document filtering?
   Ethan: One idea could be just to report failure of accessing a site back to the Herdict server or a model similar to SETI@home where you download a bunch of URLs for testing. Also, no need to disclose full IP address as class C should be enough to estimate your location.

If you are interested, download the alpha version. which so far is only measuring and comparing the machine’s life signs (e.g. amount of free memory, number of processes running etc.)

Unsettling features of such a so-called “federal trojan” would include that it would have to go undetected by anti-virus software and could potentially enable law enforcement agencies to copy files to the monitored computer – so they might copy child pornography on your hard disk and then prosecute you for possessing it. I also wonder how the StopBadware project would deal with that. Jonathan, any comments?

However, today the German government has conceded that online monitoring of computers is already taking place and that has been the case for about the last two years. The justification of this in face of the high court ruling is almost cynical: The agencies would not violate the secrecy of telecommunications as they would only access files on the hard disk but not ongoing communication. Also, the online surveillance does not constitute a house raid (which would need a court permission) because laptops could also be used outside a flat and by spying on the computer one would not monitor events that happen inside a flat.

“More than a fifth of internet users (21%) feel more vulnerable to electronic crime than any other type of criminal activity. It is second only to bank card fraud (27%) as the type of crime to which survey respondents felt most exposed. Internet crime has overtaken burglary (16%) as one of the crimes people feel most at risk of.” (Guardian, 9.10.2006)

Although I don’t have too much trust in the survey (”So, you are an Internet user… Tell me, what do you think is your greatest security risk???”) it still highlights an interesting problem that has indeed the potential to seriously hinder take up of online services:

“Almost a quarter (24%) of respondents had been put off internet banking, while 18% would not shop online because of fear of crime. Another 17% had been deterred from using the internet altogether.” (Guardian, 9.10.2006)

However, what would be much more revealing is a survey of Internet users that actually have been victims of Internet crime. My guess would be that many more people made bad experiences in the real world than online – particularly in the UK.