Friday, March 12, 2010

Funny Laws of the New Century

Every few months I try to write a scifi RPG (tabletop) using fairly realistic reactions to theoretical advancements. Basically, I try to write some speculative fiction in game form. I never publish or anything, but the one I created last month has some interesting characteristics, so I thought I'd share a few of the details.

The tabletop game is codenamed "anonymesh", and revolves around the idea of a massive, dense network of interconnected wireless nodes. Extremely low-energy computers combined with cheap solar cells make running a wireless node quite literally free, and so most people use "meshnet" instead of the centralized backbone internet. This leads to a lot of really interesting characteristics, and as you might expect, the players all play hackers.

The interesting bits are endless, but one of the most interesting things that popped out of this universe was the idea of "deanning". Basically, I tried to think of the weirdest, cleverest laws I could, and some of the privacy laws that emerged were very strange.

For example, you can take a picture of main street and post it on line without getting anyone's permission, without blurring faces, without any of that, because the people in the picture are anonymous.

What isn't legal is running face-scanning technology across that image to identify who these people are. This is de-anonymizing the data, or "deanning" it. Technically, while the deanning is illegal, it can't be enforced. Instead, only the propagation of deanned data is illegal. (More specifically, the propagation of any non-anonymous data without permission, regardless of whether it's been deanned or was never anonymized in the first place.) Data is considered non-anonymous if it reveals more of the person's personal information than the person expected to people they didn't intend. This is an objective statement, but a huge and growing number of guidelines exist in the courts to support it.

This has a huge number of implications, especially since propagation includes "feeding into data mining programs for purposes unrelated to the initial data".

So if you buy a bagel, the bagel shop can remember you bought a bagel. But they can't use the fact that you bought a bagel for non-you-buying-bagel purposes. They can't email you ads, they can't use your preferences in analysis of what bagels are best, they certainly can't sell your debit card info to another company. Not unless the data is properly anonymized. So they can say that their Washington Ave store sold a poppy seed bagel at 10:45 AM, but not who bought it.

It's pretty easy for anyone to save up a lot of vaguely related data and then dean it using basic pattern recognition tools. For example, if you record main street 24/7, you can easily start matching up individuals and determining their habits. Combined with a simple web trawl, you may be able to identify a significant number of people and their exact schedules.

This is illegal, but how would you enforce it? Especially since it's so easy to do with the mesh network: ten thousand man-in-the-middle attacks per message. Just save every bit of recognizable traffic. Analyze encryptions: you'll have gigabytes of data from the same source spooling by day after day, cracking it is just a matter of time and effort.

Well, the truth is that things get deanned all the time. You don't even have to run a thieving wifi router to get enough data to dean. You can dean from an internet search.

But using this information generally leaves a pretty clear trail. The same algorithms that can dean anonymous data can detect when a project or statement contains references to less-than-anonymous data. Individuals rarely have to worry about this in the same way pirates rarely worry about it. But companies have to worry, and have to be scrupulous.

This is especially dangerous to them because many of the wifi routers they depend on are run by untrusted sources who would love nothing better than to forward their illegal data to the police for a reward. It's not illegal to copy the information transferred through their router, not illegal to decrypt it, either, due to some anti-terrorism laws passed by the panicky government.

It's also not illegal to hack into devices, although it is illegal to use those hacked devices in an illegal manner (including data theft). This means that if you do dean data, you want to make sure you do it on an offline-only machine that can't be hacked remotely. Otherwise a hacker might forward that data to the police for that reward, get you thrown in jail.

Those are some of the basic rules, which actually make for a surprisingly interesting hacker game dynamic. There are a few things that may not occur to you at first read, though. Here are a few of those things:

Your friends can talk about you. This is called "implicit permission to dean". Where this permission ends is a rough concept and depends on what the individual has released publicly in the past.

Things you publish "publicly" that aren't intended for public use - for example, your mood on LiveJournal - are considered non-public data. The end user is not expected to always know exactly how every piece of software works, and therefore it is not the user that is held accountable, but the software and those that propagate the information for their own purposes.

So-called "shadow puppets" can be made. These are VR/AR avatars built out of real data fed to them. For example, feed your shadow puppet all the president's videos and speeches, and you have a shadow puppet that looks, talks, and acts like the president. This is almost always a dean even if you do it on public and non-anonymous data, because the shadow puppet can be made to act in a manner normally considered to be private and personal. For example, you can make your president puppet strip naked and dance the watusi. You can also release simulations of the president saying things he normally wouldn't say.

The law hasn't caught up to that extent, yet. Sometimes the infringements are allowed as parody, and sometimes the shadow puppet is waved off as not breaching privacy, but people are starting to crack down on the matter ever since a parody site began releasing pixel-perfect variants of Fox News shows.

"Virtual characters" have some very complex rights ever since the supreme court came down on the side of Disney to find that a shadow puppet of Mickey was not only a violation of trademark, but also a violation of "expected privacy on behalf of Mickey Mouse".

Anyway, the actual game is significantly more detailed (it's actually a bit too detailed for a tabletop game), but the laws about anonymizing and deanning were interesting enough I thought I'd talk about them on their own.


Patrick said...

Oh dude, please publish it. Sounds like you're taking Stephenson/Gibson/Sterling but with some rigorous design underlying. I'm interested.

Craig Perko said...

Designing a game takes only a few days. Publishing a game takes months. That's too much effort.