December 22, 2024

Archives for January 2005

French Researcher Faces Criminal Charges for Criticizing Antivirus Product

Guillaume Tena, a researcher also known as Guillermito, is now being tried on criminal copyright charges, and facing jail time, in France. He wrote an article analyzing an antivirus product called Viguard, and pointing out its flaws. The article is in French, and standard online translators seem to choke on it. My French is poor at best so I have only a general idea of what it says. But it sure looks like the kind of criticism a skeptical security researcher would write.

This is a standard legal-attack-on-security-researcher story. Company makes grand claims for its product; security researcher writes paper puncturing claims; company launches rhetorical and legal attack on researcher; researcher’s ideas get even wider attention but researcher himself is in danger. Everybody in the security research field knows these stories, and they do deter useful research, while further undermining researchers’ trust in unsupported vendor claims.

At least one thing is unusual about Tena’s legal case. Rather than being charged with violating some newfangled DMCA-like law, he is apparently being charged with old-fashioned copyright infringement (or the French equivalent) because his criticism incorporated some material that is supposedly derivative of the copyrighted Viguard software. Unlike some previous attacks on researchers, this one may not have been enabled by the recent expansion of copyright law. Instead, it would seem to be enabled by a combination of two factors: (1) Traditional copyright law allows such a case to be brought, even though Tena had not caused the kind of harm that copyright law is supposed to prevent; and this allowed (2) a decision by the authorities to single him out for prosecution because somebody was angry about what he wrote.

It’s bad enough that Tegam, the company that created Viguard, is going after Tena. Why is the French government participating? Here’s a hint: Tegam’s statement plays on French nationalism:

TEGAM International has for many years been the only French company to design, develop, market and provide support for antivirus and security software in France. It has chosen a global approach to security, not relying on signature updates [a method used by the most popular U.S. antivirus products].

In the software sector, everybody knows that some people would like to exert their technological domination, and as a result crush any attempt to create an alternative. As the battle goes on to try to preserve and strengthen research in France, TEGAM International defends its difference and the results of its own research.

Patent Holding Companies

Lately we’ve seen many complaints about the proliferation of patent holding companies, which buy patents, usually from small inventors, and then try to extract royalties, by negotiation or lawsuit, from companies that (allegedly) use the patented inventions. Often this is depicted as some kind of outrage. But from a policy standpoint I don’t see a problem.

Now perhaps you believe that the patent system is irretrievably broken and ought to be scrapped or severely reformed. Perhaps you think it should be harder to bring patent lawsuits. If that’s your position, then your policy effort should be spent on reforms that apply to all patent owners and all lawsuits, and not just on holding companies. Why focus specially on patent activity by holding companies, unless your goal is to disadvantage small inventors?

If, on the other hand, you buy into the goals of the patent system, and you think that the system, though imperfect, generally works, then it’s hard to see the problem with holding companies. It seems sensible that the financial return for an invention ought to be the same, whether the inventor works for a big company or freelances in his garage. If the invention really is novel, non-obvious, and useful, then the inventor is entitled to reasonable royalties from people who use the patented technology. Why should small inventors face barriers that large inventors don’t?

An inventor’s ability to negotiate royalties depends, ultimately, on the threat that he will bring a lawsuit if the company using the invention doesn’t agree to pay. Patent litigation is costly and time-consuming, especially if the defendant is using delay tactics. A freelance inventor can’t credibly threaten to bring a suit without financial backing from somebody else. Litigation is risky, too, and the inventor may be risk-averse. The company using an invention knows these things, so a freelance inventor’s lawsuit threat won’t have much credibility, even if the suit would have merit. And so the freelance inventor won’t be able to extract the royalties that a deeper-pocketed inventor could. It’s often argued that the patent system unfairly favors large companies, for precisely this reason.

Why not allow an outside firm to invest in small inventors’ patents, so as to provide the financial resources to support a potential suit and to absorb the risk? Coming from such a firm, a lawsuit threat would have suitable deterrent value. And so, most importantly, suchs will bid against each other for small inventors’ patents. Holding companies can level the playing field by helping small inventors extract the true value of their inventions.

Beyond this, holding companies may develop expertise in patent valuation or negotiating royalties. Holding companies that specialize in valuation and revenue-extraction allow small inventors to specialize in what they do best, which is inventing. This would mirror the structure in large companies, where one subgroup of people handles invention and another handles revenue-extraction. Why treat the small inventor differently from the large one?

Though there is no good policy argument for disadvantaging small inventors, we may see such changes anyway, due to rent-seeking by large companies. Those who support rational patent policy should focus on setting up the right patent rules (whatever they are), and applying those rules to whoever happens to own each patent.

Whom Should We Search at the Airport?

Here’s an interesting security design problem. Suppose you’re in charge of airport security. At security checkpoints, everybody gets a primary search. Some people get a more intensive secondary search as a result of the primary search, if they set off the metal detector or behave suspiciously during the primary search. In addition, you can choose some extra people who get a secondary search even if they look clean on the primary search. We’ll say these people have been “selected.”

Suppose further that you’re given a list of people who pose a heightened risk to aviation. Some people may pose such a serious threat that we won’t let them fly at all. I’m not talking about them, just about people who pose a risk that is higher than average, but still low overall. When I say these people are “high-risk” I don’t mean that the risk is high in absolute terms.

Who should be selected for secondary search? The obvious answer is to select all of the high-risk people, and some small fraction of the ordinary people. This ensures that a high-risk person can’t fly without a secondary search. And to the extent that our secondary-searching people and resources would otherwise be idle, we might as well search some ordinary people. (Searching ordinary people at random is also a useful safeguard against abusive behavior by the searchers, by ensuring that influential people are occasionally searched.)

But that might not be the best strategy. Consider the problem faced by a terrorist leader who wants to get a group of henchmen and some contraband onto a plane in order to launch an attack. If he can tell which of his henchmen are on the high-risk list, then he’ll give the contraband to a henchman who isn’t on the list. If we always select people on the list, then he can easily detect which henchmen are on the list by having the henchmen fly (without contraband) and seeing who gets selected for a secondary search. Any henchman who doesn’t get selected is not on the high-risk list; and so that is the one who will carry the contraband through security next time, for the attack.

The problem here is that our adversary can probe the system, and use the results of those probes to predict our future behavior. We can mitigate this problem by being less predictable. If we decide that people on the high-risk list should be selected usually, but not always, then we can introduce some uncertainty into the adversary’s calculation, by forcing him to worry that a henchman who wasn’t selected the first time might still be on the high-risk list.

The more we reduce the probability of searching high-risk people, the more we increase the adversary’s uncertainty, which helps us. But we don’t want to reduce that probability too far – after all, if we trick the terrorist into giving the contraband to a high-risk henchman, we still want a high probability of selecting that henchman the second time. Depending on our assumptions, we can calculate the optimal probability of secondary search for high-risk people. That probability will often be less than 100%.

But now consider the politics of the situation. Imagine what would happen if (God forbid) a successful attack occurred, and if we learned afterward that one of the attackers had carried contraband through security, and that the authorities knew he posed a hightened risk but chose not to search him due to a deliberate strategy of not always searching known high-risk people. The recriminations would be awful. Even absent an attack, a strategy of not always searching is an easy target for investigative reporters or political opponents. Even if it’s the best strategy, it’s likely to be infeasible politically.

The "Pirate Pyramid"

This month’s Wired runs a high-decibel piece by Jeff Howe, on topsites and their denizens:

When Frank … posted the Half-Life 2 code to Anathema, he tapped an international network of people dedicated to propagating stolen files as widely and quickly as possible.

It’s all a big game and, to hear Frank and others talk about “the scene,” fantastic fun. Whoever transfers the most files to the most sites in the least amount of time wins. There are elaborate rules, with prizes in the offing and reputations at stake. Topsites like Anathema are at the apex. Once a file is posted to a topsite, it starts a rapid descent through wider and wider levels of an invisible network, multiplying exponentially along the way. At each step, more and more pirates pitch in to keep the avalanche tumbling downward. Finally, thousands, perhaps millions, of copies – all the progeny of that original file – spill into the public peer-to-peer networks: Kazaa, LimeWire, Morpheus. Without this duplication and distribution structure providing content, the P2P networks would run dry.

The story paints this as a sort of organized-crime scene, akin to a drug cartel, in which a great many people conspire, via some kind of command-and-control network, to achieve the widest distribution of the product. If true, this would be good news for law enforcers – if they chopped off the organization’s head, “the P2P networks would run dry.”

But this is wrong way to interpret the facts, at least as I understand them. The topsites are exclusive clubs whose members compete for status by getting earlier, better content. The main goal is not to seed the common man’s P2P net, but to build status and share files within a small group. Smebody on the fringe of the group can grab a file and redistribute it to less exclusive club, as a way of building status within that lesser club. Then somebody on the fringe of that club can redistribute it again; and so on. And so the file diffuses outward from its source, into larger and less exclusive clubs, until eventually everybody can get it. The file is distributed not because of a coordinated conspiracy, but because of the local actions of individuals seeking status. The whole process is organized; but it’s organized like a market, not like a firm.

[It goes without saying that all of this is illegal. Please don’t mistake my description of this behavior for an endorsement of it. It’s depressing that this kind of disclaimer is still necessary, but I have learned by experience that it is.]

What puts some people at the top of this pyramid, and others at the bottom? It’s not so much that the people at the bottom are incapable of injecting content into the system; it’s just that the people at the top get their hands on content earlier. Content trickles down to the P2P nets at the bottom of the pyramid, often arriving there before the content is available by other means to ordinary members of the public. Once a song or movie is widely available, there’s no real reason for an ordinary user to rip their own copy and inject it.

The upshot is that enforcement against the top of the pyramid would have some effect, but much less than the Wired article implies. The main effect would be to delay the arrival of content in the big P2P networks, at least for a while, by blocking early leaks of content from the studios and production facilities. The files would still show up – there are just too many sources – but the copyright owners would gain a short interval of exclusivity before the content showed up on P2P. Certainly the P2P networks would not “run dry.”

Don’t get me wrong. Law enforcers should go after the people at the top of the pyramid. At least they would be making examples of the right people. But we should recognize that the rivers of P2P will continue to overflow.

UPDATE (7:25 PM): Jeff Howe, author of the Wired article, offers a response in the comments.

BSA To Ask For Expansion of ISP Liability

The Business Software Alliance (BSA), a software industry group, will ask Congress to expand the liability of ISPs for infringing traffic that goes across their networks, according to a Washington Post story by Jonathan Krim.

The campaign to modify the law is part of a broader effort by the BSA to address a variety of copyright and patent issues. In a report to be released today, the group outlines its concerns but offers no specifics on how the 1998 law should be changed. But in an interview, [Adobe chief Bruce] Chizen and BSA Executive Director Robert Holleyman said Internet service providers should no longer enjoy blanket immunity from liability for piracy by users.

The article doesn’t make clear what limits BSA would put on ISP liability. Making ISPs liable for everything that goes over their networks would be a death blow to ISPs, because there is no way to look at a file and tell what might be hidden in it. (Don’t believe me? Then tell me what is hidden in this file.) Actually, BSA members sell virtual private network software that hides messages from ISPs.

So the BSA must want something less than total liability. Perhaps they want to expand the DMCA subpoena-bot rule so that ISPs have to turn over a customer’s name on demand. The music industry once claimed that the existing DMCA rule requires that, but the courts disagreed. Congress could amend the DMCA to override that court decision.

Or perhaps they want to hold ISPs liable unless they deploy filtering and blocking technologies to try to stop certain files from circulating and certain protocols from being used. These technologies are only stopgap measures that would soon be overcome by P2P designers, so requiring their deployment seems like bad policy.

Most likely, this is just a tactic to put political pressure on ISPs, in the hope of extracting some concessions. I predict that either (a) this will go nowhere, or (b) ISPs will agree to allow an expansion of the subpoena-bot rule.