Life Outside the Mainframe

My essay on Fred Moore and his historical significance, Life Outside the Mainframe, is now online in the August book review issue of the AFSC's Peacework. It's in the context of a review of John Markoff's new book, in which Fred Moore is a central figure, What the Dormouse Said: How the 60's Counterculture Shaped the Personal Computer Industry .

Different groups of my friends will be interested in different facets of this story. But here's an excerpt:

On Route 128, where I grew up, the dominant myth is that the computer and the Internet developed out of research funded by the military and the government, motivated by the goals of miniaturization for rocketry, nuclear and space weapons, and satellite surveillance.

For the last 20 years, I've lived on the fringe of Silicon Valley. Here, there's a different creation myth of personal computers and the Internet that idolizes the heroes of entrepreneurial capitalism.

"Both stories are true, but they are both incomplete," says longtime New York Times Silicon valley correspondent John Markoff at the start of his new work of historical correction, What the Dormouse Said: How the 60's Counterculture Shaped the Personal Computer Industry .

Myths matter. Are computer networks top-down tools of centralized government and corporate power, or participatory tools for grassroots empowerment, information democracy, and independent citizen journalism?

Markoff admits to having accepted the standard myths. But once he started hearing anecdotes that made him aware of the gaps in his view of high-tech history, he set out to tell the world the missing parts of the story: "One of Silicon Valley's supreme ironies [is] that an itinerant activist who rejected material wealth ... ended up lighting the spark of what became the 'largest legal accumulation of wealth in the 20th century'.... Indeed [Fred] Moore would also become the unrecognized patron saint of the open-source software movement."

You can read the full article here.

[Addendum, 4 November 2005: In connection with the 30th anniversary of the Homebrew Computer Club which Fred helped form, mnay of the club's newsletters Fred edited have been posted online, inlcuding one with a nice sketch of Fred and other club members. It's immediately apparent that the Homebrew newsletter was turned out with the same typesetting setup, and with mnay of the same stylistic features, that Fred later used in Resistance News .]

On a related note, the AFSC's San Francisco office is organizing an event on 27 october 2005, Remember The Draft: From Vietnam to Iraq: Honoring Resistance Then and Now : "Honor those who risked their lives and reputations as CO's, draft counselors and resisters during the Vietnam War. Welcome those who are resisting today." The organizers are soliciting names, stories, pictures, film footage, flyers, and artifacts of the anti-war movement "then and now". I'll be suggesting Fred Moore as one of those deserving posthumous honors.

I've also posted a new set of leaflets about the military draft , draft registration , draft resistance , conscientious objection, and the medical draft . There are hardly any substantive changes, but I think I've finally fixed most of the voice recognition errors in the earlier versions. If you have suggestions for further changes, please let me know -- or just make them yourself. I've posted all the leaflets in Wordperfect and HTML form, as well as the printable PDF's, for anyone who wants to edit them.

Opera Web browser giveaway today

If you are reading this, and don't already own Opera, go here today.

For at least 5 years, though versions 2 through 8, my default Web browser, both on Windows computers and my Psion palmtops, has been Opera . I regularly use and test other Web browsers (including MSIE, Netscape, Mozilla, Firefox, and Lynx), but Opera remains the best for most of my purposes . (It's also available for Linux, Mac OS-X, etc., but I haven't tested or compared it on those other platforms.)

Normally the free version of Opera is "ad-ware" that includes a banner ad panel. Even with the ads, I think Opera is the best browser available for most users, easier to use and with advanced usability and accessibility features other browsers (read, "MSIE and Firefox") only partially imitate, and have never caught up with. It's smaller, faster, and more stable than most competitors -- rivalled only on those measures by Lynx, which displays only text.

I paid US$39 to register Opera, and I've paid for several version upgrades. Considering the amount of time I spend on the Web, it would have been worth considerably more.

Today only, you don't have to choose between the best available browser and a free browser:

Normally the free version of Opera is "ad-ware" that includes a banner ad. But today is the 10th birthday of Opera Software. To advertise this, they are giving away free registration codes today only Once you get the free registration code, it's good forever, and eliminates the banner ad panel. Even if you don''t have time or access to downlaod and install Opera today, you can get the code today, and download and install Opera later.

If you like Firefox, you'll love Opera. Try it!

[Addendum, 31 August 2005: The promotion has been extended for a second day: "Free registration codes are available until midnight CET [Central European Time] (GMT +1) on Wednesday 31st of August." For those of you in North America, that means until 16:00 (4 p.m.) PDT, 19:00 (7 p.m.) EDT.]

[Further addendum, 20 September 2005: Opera has now been released in a free, advertising-free version 8.5. No strings attached, so far as I can tell, and no registration code is needed.]

ICANN claims to think I've given up on independent review

I checked my e-mail occasionally, but I heard nothing from ICANN this northern hemisphere summer (austral winter) while I was travelling in southern Africa -- although the .travel" top-level domain (TLD) was added to the root during that time. My last message to ICANN's General Counsel and Secretary, Mr. John Jeffrey, remained unanswered.

Once I got home, I wrote to ICANN to ask what (if anything) they planned to do, and when (if ever), with respect to my request for independent review of the process by which ICANN made its decision on ".travel", and my request for reconsideration of the lack of openness and transparency of the ICANN Board of Directors "meeting" of 3 May 2005, at which further discussion of TLD's was on the last-minute agenda.

Late last night, in reply to a query from the Chairman of ICANN's Board of Directors, Mr. Vinton G. Cerf, I finally got an answer from Mr. Jeffrey, claiming:

We have been under the impression until recently that Mr. Hasbrouck had abandoned his various requests for review, based upon his failure to respond to the Ombudsman's Office and the quality of his response to my own email.

I have immediately responded to Messrs. Jeffrey and Cerf, reiterating that my requests remain outstanding, and that I have neither "fail[ed] to respond to the Ombudsman's Office" nor given any indication that I have "abandoned" my "various requests for review".

I have nothing personal against Mr. Jeffrey. I know nothing about him personally. So far as I know, we have never met, and I wouldn't recognize him if we did. My only communication with him has been by e-mail, in relation to ICANN business. But as I have said in my latest message to his employers -- ICANN's CEO (Mr. Paul Twomey) and Chairman of the Board:

I do not find it credible that Mr. Jeffrey sincerely believes that this message was intended to indicate my "abandonment" of my requests.

I've also noted repeatedly, in my published articles on this topic, that my request for independent review remains outstanding.

Following is the complete exchange of recent follow-up messages to my requests for independent review and for reconsideration and my previously posted messages from and to Mr. Jeffrey. I've edited out only the repetition of the thread of previous correspondence which was attached to each message:

From: "Edward Hasbrouck" edward@hasbrouck.org
To: "John Jeffrey" jeffrey@icann.org
Subject: Re: Pending requests for independent review and stay
Date: Thu, 11 Aug 2005 19:01:12 -0800

I have received no response to my e-mail message of 17 May 2005, as below .

I have also received no notice of any action by ICANN on my requests for independent review and stay pending independent review, and no notice of any meeting by any ICANN body concerning policies and procedures for independent review.

Please advise what action (if any) ICANN intends to take, and when, concerning my request for independent review and stay pending independent review, and formulation of policies and procedures for independent review.

Sincerely,

Edward Hasbrouck

From: "Edward Hasbrouck" edward@hasbrouck.org
To: "Vinton G. Cerf" vinton.g.cerf@mci.com
Subject: RE: Request for independent review
Date: Thu, 11 Aug 2005 19:03:55 -0800

I have received no notice of any action by ICANN on my requests for independent review and stay pending independent review, and no notice of any meeting by any ICANN body concerning policies and procedures for independent review.

Please advise what action (if any) ICANN intends to take, and when, concerning my requests (as acknowledged by you in the message copied below) for independent review and stay pending independent review, and formulation of policies and procedures for independent review.

Sincerely,

Edward Hasbrouck

Date: Fri, 12 Aug 2005 08:39:37 -0400
From: "Vinton G. Cerf" vinton.g.cerf@mci.com
Subject: RE: Request for independent review
To: "Edward Hasbrouck" edward@hasbrouck.org

Mr. Hasbrouck,

Again acknowledging receipt of your email. I will inquire of counsel as to the disposition of this request.

Vint

Vinton Cerf, SVP Technology Strategy, MCI
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
+1 703 886 1690, +1 703 886 0047 fax
vinton.g.cerf@mci.com

From: "Edward Hasbrouck" edward@hasbrouck.org
To: "Vinton G. Cerf" vinton.g.cerf@mci.com
Subject: RE: Request for independent review
Date: Thu, 25 Aug 2005 08:48:28 -0800

On 12 Aug 2005 at 8:39, "Vinton G. Cerf" vinton.g.cerf@mci.com wrote:

Again acknowledging receipt of your email. I will inquire of counsel as to the disposition of this request.

Thank you for looking into this.

When should I expect a reply regarding the status and ICANN's intentions and schedule for action on my request for independent review?

Sincerely,

Edward Hasbrouck

Date: Fri, 26 Aug 2005 01:50:24 -0400
From: "Vinton G. Cerf" vinton.g.cerf@mci.com
Subject: RE: Request for independent review
To: "Edward Hasbrouck" edward@hasbrouck.org
Cc: "Paul Twomey" twomey@icann.org , "jeffrey@icann.org"mailto:jeffrey@icann.org

Mr. Hasbrouck,

I have copied the ceo and the general counsel. One obvious question bearing on any answer is the conditions that must be met to initiate such an independent review.

John Jeffrey, are you able to assess whether the conditions are met by Mr. Hasbrouck?

Vint

Vinton Cerf, SVP Technology Strategy, MCI
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
+1 703 886 1690, +1 703 886 0047 fax
vinton.g.cerf@mci.com

From: "John Jeffrey" jeffrey@icann.org
To: "Vinton G. Cerf" vinton.g.cerf@mci.com
Cc: "Paul Twomey" "twomey@icann.org"mailto:twomey@icann.org , "Edward Hasbrouck" edward@hasbrouck.org
Subject: RE: Request for independent review
Date: Thu, 25 Aug 2005 23:22:29 -0700

We have been under the impression until recently that Mr. Hasbrouck had abandoned his various requests for review, based upon his failure to respond to the Ombudsman's Office and the quality of his response to my own email. I will review the facts relating to his contentions in his email below and will get back with Mr. Hasbrouck formally after my office's review is completed.

Best regards,
John

John O. Jeffrey
General Counsel
ICANN
Jeffrey@ICANN.org
+1.310.301.5834 direct
+1.310.404.6001 mobile

From: "Edward Hasbrouck" edward@hasbrouck.org
To: "John Jeffrey" jeffrey@icann.org
Subject: RE: Request for independent review
Cc: "Paul Twomey" , vinton.g.cerf@mci.com
Date: Fri, 26 Aug 2005 00:14:27 -0800

On 25 Aug 2005 at 23:22, "John Jeffrey" jeffrey@icann.org wrote:

We have been under the impression until recently that Mr. Hasbrouck had abandoned his various requests for review, based upon his failure to respond to the Ombudsman's Office and the quality of his response to my own email.

(1) I have never given any indication of abandonment of my requests for independent review, stay pending independent review, and notice of any meeting to consider this request or policies or procedures for independent review. In each of my communications to Mr. Jeffrey I have reiterated my continued request for independent review, stay, and notice of any meeting to consider my requests or independent review policies, and I do so again now.

(2) I do not know on what basis Mr. Jeffrey claims that I "failed to respond to the Ombudsman's Office". I have responded fully and promptly to each and every communication I have received from the Ombudsman's Office. And my communications with the the Ombudsman's Office should not, in any case, form the basis for any ICANN decision-making.

(3) I do not know on what basis Mr. Jeffrey claims that "the quality of his response to my own email" indicates in any way that I had abandoned my request for independent review. My response to his e-mail message is not posted on the ICANN Web site, but I have posted it in its entirely at:

http://hasbrouck.org/blog/archives/000585.html

I said in that message:

"[P]lease (1) refer my request to an IRP, or to the person or body within ICANN responsible for making that mandatory referral, (2) stay any action by ICANN on the disputed matters pending receipt of the recommendation of the IRP concerning a stay, and [3] advise me of the date, time, place, manner, and available means for attending, observing, or auditing any meeting of ICANN or any constituent body to consider my request [or] independent review policies, as soon as such a meeting is planned or scheduled."

I do not find it credible that Mr. Jeffrey sincerely believes that this message was intended to indicate my "abandonment" of my requests. And I urge the Board to consider whether Mr. Jeffrey's making of such a patently false claim, in his capacity as legal counsel to the corporation, is indicative of professional competence, honesty, or fitness for his office.

(4) Mr. Jeffrey says, "We have been under the impression...", but he does not say to whom the plural "we" refers, other than to himself. I have received no notice of any ICANN meeting to consider my request. I reiterate my request that you advise me of the date, time, place, manner, and available means for attending, observing, or auditing any meeting of ICANN or any constituent body to consider my request or independent review policies, as soon as such a meeting is planned or scheduled.

I also reiterate to each of you, Mr. Twomey and Mr. Cerf as well as Mr. Jeffrey, that as I said earlier,

"ICANN's continuing failure to refer my outstanding request to an IRP, and ICANN's failure (as evidenced by its signing of a contract for ".travel" with Tralliance Corp. on 5 May 2005, by which time my request had been outstanding and unanswered for almost a month) to respect the authority of the IRP to recommend a stay, is an ongoing material violation of ICANN's own bylaws and ICANN's contractual commitment to the USA Department of Commerce.

To the extent that you are party to these decisions (which I do not know and cannot know, because of the lack of transparency of ICANN's decision making process), it is a violation of your obligations as an officer of the corporation. I appeal to you as an officer of the corporation to bring its conduct into compliance with its bylaws and contractual obligations."

I request that this message be forwarded to ICANN's Board of Directors (there is no contact e-mail address for the Board as a whole on the ICANN Web site, and not all members of the Board have e-mail addresses listed on the ICANN Web site), so that they will also be aware of my ongoing requests, and my ongoing objection to ICANN's failure to act on them as required by the Bylaws and the MOU with the USA Department of Commerce.

Please advise me promptly of any action or decision with respect to these requests. I look forward to prompt notice that ICANN has referred my request to an Independent Review Panel and stayed its action on ".travel" pending the reocmmendation of the IRP concerning a stay; or that ICANN has stayed its action on ".travel" and scheduled an open and transparent (to the maximum extent feasible) process of developing policies and procedures for independent review, to comply with the requirement of the Bylaws that "ICANN shall have in place a separate process for independent third-party review of Board actions alleged by an affected party to be inconsistent with the Articles of Incorporation or Bylaws."

Should you have any questions, confusion, or uncertainty about my requests, please let me know so that I can attempt to clarify them.

Sincerely,

Edward Hasbrouck

From: "Edward Hasbrouck" edward@hasbrouck.org
To: jeffrey@icann.org , twomey@icann.org , vinton.g.cerf@mci.com
Subject: (Fwd) Re: my request for reconsideration of 16 May 2005
Cc: reconsider@icann.org
Date: Fri, 26 Aug 2005 00:35:15 -0800

My request for reconsideration is on a separate issue, and was made and acknowledged separately, from my request for independent review. But since Mr. Jeffrey has claimed to believe that I had abandoned "my various requests", I am also forwarding my most recent message to the Reconsideration Committee, so that there will be no possible doubt that this request also remains outstanding and not abandoned.

Sincerely,

Edward Hasbrouck

------- Forwarded message follows -------

From: "Edward Hasbrouck" edward@hasbrouck.org
To: reconsider@icann.org
Subject: Re: my request for reconsideration of 16 May 2005
Date sent: Wed, 17 Aug 2005 09:05:23 -0800

I have received no further communication from the Reconsideration Committee or anyone at ICANN concerning my request for reconsideration, which was acknowledged by Mr. Jeffrey and forwarded to the Committee on 16 May 2005. My request has not been posted on the ICANN Web site, I have received no notice or report of any meeting of the Committee or any ICANN body to consider my request, and no recommendation by the Committee to the Board concerning my request has been posted on the ICANN Web site.

I call to your attention that more than 90 days have passed since your receipt of my request, and that -- as I am sure you are aware -- ICANN's Bylaws require that, (1) all requests for reconsideration, without exception, regardless of whether or how they are acted on, must be posted on the ICANN Web site, (2) the Committee must, within 90 days of receipt of any request for reconsideration, either report its recommendations concerning that request to the Board, or report "the circumstances that prevented it from making a final recommendation and its best estimate of the time required to produce such a final recommendation", and (3) "The final recommendation shall be posted on the Website".

I reiterate my request for reconsideration and my request for notice of any meeting of the Committee or any ICANN body concerning my request.

Sincerely,

Edward Hasbrouck

------- Forwarded message follows -------

From: "Edward Hasbrouck" edward@hasbrouck.org
Subject: Re: Lack of openness and transparency of 3 May 2005 Board "meeting"
To: "John Jeffrey" jeffrey@icann.org
Copies to: reconsider@icann.org
Date sent: Tue, 17 May 2005 11:55:06 -0700

On Mon, 16 May 2005 18:17:06 -0700, "John Jeffrey" jeffrey@icann.org wrote:

We have received your request for reconsideration and have forwarded it to the ICANN Board's Reconsideration Committee for handling.

Thank you.

Please inform me as soon as any meeting of the Reconsideration Commitee or any other ICANN body is scheduled to consider my request for reconsideration, including the date, time, place, and manner of that meeting and what means are available for attending, observing, and/or auditing the meeting.

If it is your decision or ICANN's decision to deny this request for notice and access to such a meeting, in whole or in part, please inform me as soon as you or ICANN has made such a decision, and inform me of the person or body responsible for the decision and the reason(s) for the decision.

Sincerely,

Edward Hasbrouck

------- End of forwarded message -------

Airline bankruptcy fears in the news

As I said in an interview with Minnesota Public Radio in June, just before I left for Africa, "I think people have been lulled into an entirely unwarranted complacency about the possibility of [airline] bankruptcy."

That complacency may be fading, with renewed speculation as to which additional airlines in the USA might be forced to seek protection from their creditors through bankrupcy, and/or which of those that are already operating in bankruptcy might be shut down and liquidated by order of the bankruptcy courts.

Airlines have used bankruptcy, or the threat of bankruptcy, to impose cuts in wages, benefits, and pensions. But that may have backifired: Strikes, and the resulting flight delays and cancellations, have only heightened travellers' legitimate fear of paying money to an airline that might not actually be operating when the time comes to travel, whether because of a strike or because of involuntary liquidation .

I've updated my FAQ about Airline Bankruptcies with the latest information I have. My basic advice remains: Don't buy tickets on airlines that are already in bankruptcy if you have a reasonable alternative for a comparable price.

In addition to my own articles, here are some of the other places I've been in the news on this issue:

• A bankrupt Northwest: What could travelers expect? (Jeff Horwich, Minnesota Public Radio, 21 June 2005). Audio archive

• Coping with the unthinkable: An airline's demise (Bill McGee, USA Today, 24 May 2005)

• A few precautions for fliers in financially turbulent times (Jane Engle, Los Angeles Times, 26 September 2004)

• How to Rise Above a Belly-Up Airline (Amy Tsao, Business Week Online, 14 September 2004)

Last-minute lobbying on California RFID bill

"Silicon Valley tech companies have launched an 11th-hour bid to stop state legislation" to regulate the use of secretly and remotely-readable RFID chips in identification documents issued by the state government of California, according to a report today in the San Jose Business Journal .

Despite being limited to California, the proposed regulations for RFID chips on government-issued ID documents would set an important precedent. This bill needs your support -- especially if you live in California -- in the face of this last-minute industry attempt to derail it. The Electronic Frontier Foundation (EFF) has a Web form to e-mail and fax your comments (customizable) on the bill to California's Governor and legislators.

SB 682 wouldn't affect the use of RFID in international travel documents (e.g. passports) or for interstate travel (e.g. registered traveller credentials for interstate airline travel), both of which are subject to the exclusive jurisdiction of the Federal government and international treaties.

As I read it, though, the bill would create significant privacy protections for RFID chip use in local travel documents such as those used for paying road and bridge tolls (e.g. Fastrak) or public transit fares (e.g. Translink).

Travel, toll, or fare payment documents aren't explicitly included in the list of types of "identification documents" covered by the law. But that list is explicitly not limiting, and travel documents used to establish the identity of the person travelling, so that the toll or fare can be charged to the proper personally identified account, would seem to fit the definition of "any document containing personal information that an individual uses alone or in conjunction with any other information to establish his or her identity."

There's a partial exemption for "An identification document that is part of a contactless integrated identification document system ... that is operational and in use prior to January 1, 2006" . That would appear to "grandfather in" Fastrak, but it's less clear whether that would apply to Translink, which is being used to collect actual fares, but only for a small sample of beta testers.

The most significant provision of the law makes it a crime to "intentionally remotely read[] or attempt[] to remotely read a person's identification document ... using radio waves, without the knowledge of that person." That clause applies even to existing insecure systems like Fastrak: governments are allowed to continue to use them, without additional security measures, for their current purposes. But no one else is allowed to read any personal information (including the unique and personally identifiable RFID chip number) without your knowledge.

As of now, there are no restrictions whatsoever, anywhere in the USA, on the collection, sharing, use, and sale of RFID tag data (unique chip number, time and place of reading, and any associated events) for any private or commercial purpose. Really the law should require consent, not just knowledge -- that's a huge loophole that would likely result in "Your RFID chip numbers may be read in this area" notices becoming so ubiquitous as to be useless -- but the bill as written is still an important start toward restrictions on the use of government-issued RFID tracking chips by travel compnaies, commercial data aggregators, and others to compile logs of our movements for their purposes without our knowledge.

ICAO standards and Chicago Convention amended to require machine-readable passports by 2010

A new "technical Standard 3.10" adopted by the International Civil Aviation Organisation (ICAO) and a parallel Amendment 19 to Annex 9 of the Chicago Convention on Internatonal Civil Aviation (one of the two main multilateral treaties governing international air transportation) took effect 11 July 2005 to require all passports issued by countries that are party to the Chicago Convention, and/or whose laws require compliance with ICAO technical standards, to include a machine-readable version of the basic passport data (name, nationality, passport number, etc.) in all passports issued on or after 1 April 2010.

ICAO's announcement doesn't mention what ICAO decision-making body formally adopted the new rules, when, or by what process -- probably because ICAO doesn't wants to avoid public notice of the facts that (1) ICAO decision-making meetings are closed to the public, journalists, and civil society; and (2) no representatives of government data protection authorities, and no privacy or civil liberties NGO's, have ever been included in government or industry delegations to ICAO meetings.

The new rules are particularly problematic since many countries have adopted national laws requiring compliance with ICAO standards, effectively delegating national and international legislative authority to ICAO. I'm not a lawyer, and it's unclear to me whether that delegation of authority is valid, or potentially subject to challenge, in the USA or other countries. Any comments on this from lawyers who read this blog would be welcome.

Although the USA has misrepresented these ICAO standards as requiring so-called electronic passports containing RFID chips, the standards in ICAO Document 9303 and its annexes (appendices) can be satisfied equally by either RFID passports or the much simpler, cheaper, and more secure optical character recognition (OCR) printing used for the machine-readable data on current USA passports.

And despite claims by the USA State Department that the machine-readable information on passports would rarely, if ever, be read and used for commercial, rather than governmental (immigration and border control) purposes, ICAO's announcement makes clear the interest of travel companies such as airlines and airports in using government-required machine-readable passports for their own business automation of "passenger processing" (don't you just love being "processed" when you get on an airplane?):

[A] two-day Symposium on ICAO-standard MRTDs and biometric enhancement will be held in Montréal from 29 to 30 September 2005, in conjunction with the sixteenth meeting of ICAO's Technical Advisory Group on Machine Readable Travel Documents (TAG MRTD) scheduled to be held from 26 to 28 September 2005.... The objective is to provide essential information and encourage all States to issue either the ICAO-standard MRP or e-Passport, and operate reading systems at their border control points.

World experts involved in ICAO's MRTD standard development programme will discuss MRTDs as a means of processing airline passengers with increasing speed, efficiency and security, as well as the operation of document and biometric reading systems at border control points. An exhibition will highlight key MRTD-related products and services.

If anyone attends this symposium (registration appears to be open to anyone, although it costs US$500), I would welcome your report.

Update on airline codesharing

Back in March 2005, I reported here in my blog and in my e-mail newsletter on the USA Department of Transportation (DOT) solicitaiton of public comments on the practice of airline codesharing (labelling a flight actually operated by one airline with the flight number of a different airline).

My comments were filed with the DOT on 14 March 2005, and are available here (DOT docket) or here (local copy).

Other public comments can be viewed and downloaded from the online DOT docket index for this rulemaking.

On the good side, the DOT analysis of the comments acknowledged that:

Over half of the comments received from individuals ... used the occasion to opine that, as a general matter, the practice of code sharing, in and of itself, is deceptive and misleading and can lead to customer confusion. In addition, a few individual commenters argued that code sharing should be altogether abolished.

On the bad side, the DOT decided to ignore the prevailing opinion of the travelling public that codesharing is, and should be prohibited as, fraud:

[W]e wish to note our disagreement with the commenters who opined that code sharing is inherently deceptive. The prohibition of the practice is far beyond the scope contemplated in this proceeding.... Furthermore, as a matter of policy, the Department has long held that code sharing is not inherently unfair or deceptive.

Instead, the DOT promulgated a final rule that went even further than the airlines had originally requested in reducing the extent to which airlines have to disclose codesharing in their print and Internet advertising.

Update on RFID passports and traveller tracking

The USA State Department's Passport Office has already issued some RFID passports to airline employees and plans to start issuing RFID passports to USA diplomats by the end of 2005 and to the general public in February 2006, according to August 2005 press reports.

The State Department claims to have mitigated the privacy-invasion and surveillance-facilitation aspects of the RFID passport scheme. But they've done nothing to address the scenario I posed to the head of the Passport Office following his presentation this spring at CFP. Even if most of the data on the RFID chips in passports is encrypted using so-called "basic access control", the government-assigned unique identifying number of the RFID chip will still be transmitted in plain text in response to any query from any RFID reader, even a reader that doesn't have the "basic access control" decryption key to the rest of the data.

As Bruce Schneier pointed at CFP, that unique passport RFID number "will be sold to Choicepoint for a dollar and added to your file the first time it is read", so encryption and securing of the rest of the data will do almost nothing to limit the use of RFID passports (or any other similar government-mandated RFID credentials) for covert personal surveillance, tracking, compilation, aggregation, and correlation of lifetime dossiers of our movements, for government or commercial purposes, by anyone who can afford an RFID reader.

The State Department continues to claim that RFID passports for visitors to the USA are required by the USA Border Security Act of 2002. But the original author and sponsor of that law in Congress, Republican and House Judiciary Committee Chairperson James Sensenbrenner, has said in public remarks to European diplomats that the law doesn't require RFID chips in passports, and that the choice by some European countries of RFID as the technology for machine-readable passports is "regrettable".

Meanwhile, the USA Department of Homeland Security is also testing longer-range RFID chips embedded in I-94 (immigration entry/exit) cards which visitors are required by law to keep in their possession at all times throughout their stay in the USA, as part of the US-VISIT system for logging visitors' movements across borders.

Neither the DHS Privacy Act notice nor privacy impact assessment mentions the range at which the DHS expects the RFID chips being used in I-94 cards can be read. But press reports quote DHS spokespeople as saying they can be read from up to 30 feet (9 meters) away, which is consistent with their intended use for automated recording of entry and exit data from passengers in moving vehicles crossing borders by road.

Each visitor (non-USA citizen entering the country) would be issued an I-94 form containing a "unique traveler identification number (i.e., the traveler's RFID tag number)" which would be read and logged by the government each time they cross a USA border (and by anyone else with an RFID reader who gets within range of the chip at any time). "It is when this information on the RFID tag entries and exits along with the biographic information from TECS is sent to ADIS that the individual's complete travel history is created," according to the DHS Privacy Impact Assessment.

As with RFID chips in passports, the RFID chips in I-94 forms could also be read by any other RFID readers, and the records of these reading used by unregulated (in the USA) data aggregators to compile their own histories of people's movements. The DHS privacy impact assessment claims this isn't a significant threat because the RFID chip ID numbers in I-94 forms won't be readily distinguishable from the ID numbers of other RFID chips. But that ignores the fact that visitors to the USA are required to carry their I-94 forms 9with the RFID chips) on their person at all times whilst in the USA, in contrast to any other RFID chips.

So far as I can tell, this is the first case in which anyone in the USA (even non-citizens), other than convicted criminals or those subject to specific restrictive court orders issued following adversary and evidentiary legal proceedings, will have been required by law to carry remote radio tracking devices.

EPIC has further criticisms of the RFID visitor tracking scheme in its comments on the DHS Privacy Act notice, but these appear to have been ignored.

For those travelling closer to home, the London transit bombings in July 2005 have been used to justify renewed initiatives for searches and surveillance of transit passengers in the USA, despite the lack of any evidence that such searches and demands for identification could or would have prevented the London bombings.

The New York Civil Liberties Union has sued the New York Police Department and the City of New York to stop the warrantless, suspicionless searches of passengers on public transit vehicles and in stations; see the legal complaint for full details.

But the greater emphasis in transit "security" seems to be on identification and tracking of passengers, rather than searches. As with the airline industry, there's an unfortunate coincidence of interests between transit operators' desire for automated passenger processing (especially fare and toll collection) and marketing and operational data collection, and governments' desires for surveillance data collection and passenger movement logging. And as with air travel, the trend in transit and toll-road travel is toward "touchless" travel through RFID chips that serve as payment devices, entry/exit and vehicle boarding credentials, and unique personal identifiers inextricably bundled together.

In most cases these aren't (yet) mandatory, but those who decline to choose them, and insist on paying cash to travel anonymously, are increasingly subject to longer queues, higher fares and tolls, and ineligibility for certain discounts or services. This is a key period for privacy and travel-rights activists to make their objections heard as these personally identifiable RFID payment-cum-surveillance cards are rolled out, especially by government-operated toll-road and mass-transit transportation systems.

In the Boston area, the MBTA claims (see, "Will I have to personalize my CharlieCard?") that it will still be possible to travel anonymously by paying cash for a prepaid RFID "Charlie Card", they neglect to mention that many currently available discounts, including those for seniors and people with disabilities, will be available only to holders of secretly and remotely trackable personally identified RFID credentials. So my mother, for example -- a senior citizen who by reason of medical disability is not permitted to drive a car, and relies on the T as a primary mode of transportation -- will have to choose between giving up her current fare discounts, as the price of anonymity, or getting a new-style RFID Transportation Access Pass that will enable the compilation of a comprehensive log of the times and places of all of her movements throughout Eastern Massachusetts by all modes of public transport.

In the San Francisco Bay Area, cash tolls and cash transit fares are already as much as 50% higher than tolls and fares paid by personally-identifiable Fastrak or Translink RFID payment accounts and cards. There is not (yet) any option for anonymous cash purchase of a prepaid Fastrak or Translink card, although this would be technically feasible with the current equipment, and is a choice offered by similar payment systems in other places such as the metropolitan Washington, DC, area.

In a recent local example of the ways that new features of transportation systems are being made available only to those who carry personally identified RFID chips, Federal and California law has just been modified to permit hybrid gas-electric vehicles to use highway, bridge, and tunnel lanes otherwise reserved for "high-occupancy vehicles" (HOV's) -- but only if any such hybrid vehicle registered in the San Francisco Bay Area gets a personally identified hybrid vehicle Fastrak account and tracking transponder . Fastrak is ostensibly a toll payment scheme, but the California Vehicle Code section 5205.5 subsection (i) requires hybrid vehicles to have Fastrak transponders to use even non-toll HOV lanes, and the Fastrak terms include consent to vehicle tracking (unless you put your Fastrak transponder in a tin-foil bag).

These may seem small steps and isolated examples, but the clear trend is toward widely used multi-system personally identified RFID payment devices and access credentials for all types of transportation charges including road tolls and transit fares -- systems ripe for abuse by commercial aggregators of RFID scan records of our every movement. As Wendy Grossman points out in her latest "net.wars" column, the danger may be less in how such tracking data is now used, or intended to be used, or by whom, but whether such data is retained sat all, by anyone.

Any retention of this sort of data, especially when it contains unique identifiers (such as government-assigned RFID chip numbers) that permit its aggregation and correlation into a personal dossier, inevitably creates the risk of abuse of the detailed picture of our movements and associations that it enables to be created.

I've just come back from six weeks in South Africa, where I was forcibly impressed by the central role that ID requirements and controls on personal movement played in the evil of apartheid. And if there's one resolution with which I returned from this latest trip, it's not to let the USA repeat that error and evil of pass book laws.

Update on "Secure Flight"

This summer there's been both a public sideshow about (relatively) minor privacy and legal violations by the USA Transportation Security Administration (TSA) in its ongoing testing of the "Secure Flight" airline passenger screening and surveillance scheme, and a larger unreported story of much more fundamental illegality and privacy invasion.

In June 2005, the USA Government Accountability Office (GAO) reported that "TSA did not fully disclose to the public its use of personal information [in "Secure Flight" testing] in its fall 2004 privacy notices as required by the Privacy Act."

In response, the TSA published an amended Privacy Act notice admitting to some of the things the GAO had complained about, and giving (retroactive) "notice" to people identified in reservations for June 2004 flights as to some of the ways that information about them had already been used.

When some of those people made formal requests under the Privacy Act for the TSA records about them from June 2004 flights, the TSA said that many of those records, and the records of how they had been used and with whom they had been shared, had already been destroyed before their existence was disclosed, and before they could be reviewed by the data subjects or the GAO.

Although the knowing and willful creation of a new Federal government database of personal information without proper notice is a criminal violation of the Privacy Act, the DHS and TSA made no mention of any referral of the episode for criminal investigation or possible prosecution. It remains unclear -- although I asked in my comments on the original draft Privacy Act notice for Secure Flight testing -- who is responsible for policing criminal violations of the Privacy Act by the TSA and/or DHS. It certainly appears that the TSA and DHS "Privacy Officers" are not taking on this responsibility. Scarcely surprising since, as those responsible for issuing the knowingly erroneous, incomplete, and misleading Privacy Act statements, they are among the criminals.

Both the GAO report and the revised Privacy Act disclosures focus solely on the ways that commercial data from other sources was used in conjunction with airlines' commercial reservation records in the Secure Flight "tests". But the unexamined core use of commercial data in the Secure Flight program remains the use of passenger name record (PNR) data from airlines' commercial databases.

There's still been no real scrutiny of the fundamental legal problems with Secure Flight and its testing (it violates the First Amendment right of assembly, the Privacy Act restrictions on collection and use of records related to activities protected by the First Amendment, and the requirement of the Airline Deregulation Act that airlines operate as "common carriers"), and the fundamental deficiencies in the Privacy Act notice (it's based on false claims -- which I believe the TSA and DHS Privacy Officers must have known to be false -- that "TSA does not agree that PNR's contain information related to First Amendment rights, including the right of assembly," and that "inclusion in PNR's of names other than passengers is rare").

Nor have the international obstacles to Secure Flight been resolved: Since there is still no agreement with the European Union that could even arguably permit the use of PNR data collected in the EU for Secure Flight, and since even the DHS and the TSA have admitted that it is impossible to identify or filter out which reservations were made in EU, each and every demand by the USA government for reservation data for Secure Flight -- even for "testing" -- has required, and will continue to require, airlines and the computerized reservation systems (CRS's) that host their reservation data to violate EU data protection law and the EU Code of Conduct for CRS's.

Just from the first round of Secure Flight testing, each passenger who made a reservation, while in the EU, for a flight within the USA in June 2004, already has grounds for a complaint and request for sanctions against the airline with their national data protection authorities, and against the airline's host CRS with the European Commission (as the agency responsible for enforcing the Code of Conduct for CRS's).

Under an oversight law enacted last year, the GAO must certify that specific criteria have been met before "CAPPS II or Secure Flight or other follow on/successor programs" can be deployed or implemented "on other than a test basis".

As it has been publicly described, the first Secure Flight "test" was inherently incapable of generating any evidence that could satisfy the criteria in the law. In particular, the GAO must certify that, "the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk level to a passenger will not produce a large number of false positives that will result in a significant number of passengers being treated mistakenly."

In order to measure the rate of errors in the identification of passengers on the basis of data in reservations, or the number of passengers identified "mistakenly", one would have to compare the identifications by the Secure Flight "black box" matching system (based on inputs of databases of PNR's, watch lists, etc.) with some other method of identification of the actual passengers. But the test was based on flights in June 2004, and no attempt has been reported to track down people who travelled on those dates or determine to what extent the data in their reservations corresponded to their "real" identities (rather than being e.g. the identifying information of a victim of identity theft, as would likely be the case for a real terrorist traveller).

The only information we have about whether any June 2004 passengers posed an actual threat to aviation, if allowed to fly, is that none of them actually committed any detected acts of air terrorism during that month. So Secure Flight, if in place during the test period, would not have prevented any terrorist acts in flight. And any and all identifications on the basis of the test data of passengers who must be prevented from flying must be treated as "false positives".

In a softball interview last week with USA Today , Secretary of Homeland Security Michael Chertoff vowed to implement Secure Flight -- with no mention of whether the statutory prerequisites are, or can ever be met.

Since Secure Flight is unlikely ever to be certified by the GAO as meeting the statutory criteria without drastic changes, the DHS and TSA appear, undeterred, to be following a two-pronged strategy to deploy and implement it anyway:

Their short-term tactic is to exploit the absence of any definition of "on a test basis" in the oversight law by fully deploying and implementing Secure Flight as fast as they feel like, while publicly describing whatever they do as being "on a test basis".

Their longer-term goal is to repeal the oversight law so that they can openly declare the "test" period over, and continue Secure Flight permanently, without ever having to satisfy the GAO or anyone else that the test have proven anything, or that the program actually accomplishes any legitimate purpose. Earlier this week Ryan Singel of Wired News reported on a leaked copy of draft legislation to accomplish just that. Singel's report confirms an alert last week by the ACLU to its members that such a bill is being shopped around by the DHS for Congressional sponsors.

The next "phase" of Secure Flight "testing" (i.e. deployment) is planned for next month with at least two unnamed airlines based in the USA -- although airlines say they still haven't been given the necessary details of what's expected of them.

That's typical. As I've been saying for years, aviation "security" initiatives in the USA since 11 September 2001 have largely been devised by people whose background is in "intelligence" (spying), not aviation safety or security, and who have no idea how the air travel industry actually operates or how it might be affected by the new procedures they are trying to impose.

At first, airlines were hesitant to complain, and focused on lobbying for reimbursement of unfunded "security" mandates rather than outright opposition to these schemes. But as the pressure to convert travel industry operational infrastructure into a surveillance infrastructure have mounted, while hopes for full assumption of the huge costs by the government have faded, airlines have become more outspoken.

In the most recent major example, trade associations of airlines both in the USA and Europe sent a joint public letter in May to USA Secretary of Homeland Security Chertoff, protesting his proposal for a an agreement with the EU to require airlines to provide a complete passenger list to the USA and EU governments 60 minutes before the departure of each trans-Atlantic flight (rather than 15 minutes at present):

[T]he member airlines of the Air Transport Association of America (ATA) and the Association of European Airlines (AEA) believe that such a rule will result in severe adverse consequences for the airline industry, and indeed, to the world economy....

[S]uch a requirement would have a devastating impact on industry operations and efficiency. We are particularly concerned with the statement attributed to CBP [the DHS division for Customs and Border Protection] in a May 25 Washington Post article that the rule change "will cost the airlines no money." This suggests a complete lack of understanding of the implications of such a requirement.

Airlines operate network systems, both on their own and in conjunction with other airlines. These networks are designed to connect as much traffic as possible to multiple destinations, in as brief a period as practicable.... The APIS-60 rule would disrupt both objectives by requiring either wholesale rescheduling of flights on much less efficient schedules or simply eliminating connecting traffic....

Finally, with regard to the observation attributed to you suggesting that the airlines would surely prefer an APIS-60 rule to the occasional diversion of a flight, we want to be absolutely clear that is not the case. The economic impact of the rule would vastly outweigh the cost of diversions.

[Addendum, 19 August 2005: I neglected to link to Ryan Singel's report on some of the lies and possible criminal violations of the Privacy Act by the TSA.]

[Further addendum, 20 August 2005: The Electronic Privacy Information Center (EPIC) and a group of travellers and travel agents in Alaska are pursuing lawsuits under the Freedom of Information ACT (FOIA) to get more information about the use of commercial data from PNR's identifying travellers and travel agents, as well as additional commercial data from other sources, in Secure Flight testing.]

[Further addendum, 26 August 20005: More from USA Today onTSA/DHS lobbying to eliminate GAO oversight of "Secure Flight"]

Update on ".travel"

The ".travel" top-level Internet domain name (TLD) has been added to the root-zone files and the Web site of the first active ".travel" sub-domain has gone live at http://www.travel.travel .

In its role as the Internet Assigned Numbers Authority , ICANN issued a report 5 August 2005 recommending the addition of ".travel" to the root, and recommending the delegation by ICANN to the Tralliance Corp. subsidiary of TheGlobe.com / Voiceglo of authority over ".travel policies. The IANA report fails to mention that ICANN's decision to approve and delegate ".travel" is subject to my pending request for independent review and stay pendcing independent review. Nor does the IANA report consider the implications of having to remove ".travel" from the root, or stay its approval and/or delegation, if the independent review panel eventually upholds my request.

I've still received no notice of any action by ICANN on my request for independent review of whether ICANN's decision on ".travel" was made in accordance with ICANN's bylaws on openness and ytransparency; no notice of any action on my request for a stay pending independent review; no response to my request for a copy of any ICANN policies and procedures for independent review; no notice of any meeting of ICANN or any ICANN body to consider either these requests or ICANN policies and procedures for independent review; and no response or acknowledgement of any kind of my request to the USA Department of Commerce not to approve the addition of ".travel" to the root servers.

Back from Southern Africa

Cape Point, Cape Peninsula National Park and World Heritage Site, South Africa

I'm back from two weeks of vacation at Silver Bay and six weeks travelling in Africa, mostly in South Africa but also briefly in Swaziland, Mozambique, and Qatar.

The trip was, above all, thought provoking. The slogan of the South African government tourism promotion board, SATOUR, used to be, "A World In One Country". The intended reference was to the size and geographic diversity of the country. But even more, I think, the issues facing South Africa today, as a country that contains both First World and Third World (but still, so far as I could tell or most people we met seemed to think, little middle ground) are a microcosm of those facing the world at large. Some travellers eschew comparisons, lest they become unfairly judgmental, but it's almost axiomatic that we travel to learn about ourselves and our homelands as much as to learn about the people and places we visit. On this trip, I constantly found analogies -- albeit not the easy answers I might have hoped for -- to issues within the USA, and even more to those between the USA and the rest of the world, the global North and South, and the First and Third Worlds.

I'll be posting updates shortly on what's happened while I'm gone with respect to some of the issues I've been following.

[Addendum: The Hasbrouck family in America are all descendants of two brothers who came here in the late 1600's, and were among the dozen founding fathers of New Paltz, New York. So I'm at least a tenth cousin of any Hasbrouck you might have known in the USA, although there are now tens of thousands of Hasbroucks, concentrated in New York and New Jersey. Seven generations and more than 200 years after the family's arrivial, my gradfather was born less than 20 miles from New Paltz. And I'm in the first generation of my father's family not to have been raised in the Dutch Reformed Church. This is me in front of the stone house in New Paltz built by my 7-greats grandfather, Abraham Hasbrouck. The Hasbroucks were Huguenots from the town of Hazebrouck (between Calias and Lille) who fled France after the St. Bartholemew's Day Massacre, a state-sponsored pogrom of Huguenots (Protestants) by Catholics in 1572. While two Hasbrouck brothers went via Holland to the Dutch colonies in America, other Hasbroucks stayed in Holland, and at least one, Leendert Johannes Haasbroek, eventually went to the Dutch colonies in South Africa, where there is a separate branch of the family to this day. We happened somewhat accidentally on a memorial to Leendert Johannes Haasbroek in the old Dutch Reformed Church in Tulbagh, in the Cape Province wine country. And I found to my surprise that my surname was immediately recognized by many Afrikaaners as an old and honorable South African Huguenot family name, albeit with a different spelling. They were generally quite surprised that someone with my name -- and with my appearance and what they took for an ultra-traditional Voortrekker beard! -- didn't speak Afrikaans or Dutch.]