January 22, 2019

Archives for June 2007

All the Interested Parties? Not Quite.

Here’s a quick quiz to detect whether you’re stuck in Washington groupthink.

There’s a patent reform bill under consideration in Congress. According to a blog entry by Andrew Noyes at the National Journal, a group of Republican senators sent a letter to Rep. Howard Berman, the chair of the relevant House subcommittee, asking that the patent bill be given more consideration before the committee votes on it. Senator Berman responded:

“There have been a number of hearings, briefings, and meetings about these issues over the past four years,” said Berman, who introduced a companion bill, H.R.1908. “We’ve heard from representatives of all the interested parties – from independent inventors, universities, bio-technology, pharmaceutical, software and financial services industries.”

Here’s the quiz: who did Rep. Berman leave off his list of “all the interested parties”?

Rep. Berman’s omission is a common one in Washington. Start listening for this omission, and you’ll be surprised how often you hear it.

I don’t mean to pick on Rep. Berman personally. Okay, maybe I do, just a tiny bit, given some of his past actions such as co-sponsoring the ill-advised Berman-Coble bill that would have legalized denial-of-service attacks against people suspected of sharing infringing content. If this was just one congressman, once, it wouldn’t be worth noting. But given the frequency of this mistake, I think it does reveal something about the standard Washington mindset.

In the case of patent reform, there are complex issues at stake. Changes to patent law can affect innovation and competition in subtle ways. That affects all of the parties Rep. Berman mentioned, as well as the one notable group he left out. Which is …

Ordinary citizens.

Staying Off the Regulatory Radar

I just returned from a tech policy conference. It was off the record so I can’t tell you about what was said. But I can tell you that it got me thinking about what happens when a tech startup appears on policymakers’ radar screens.

Policymakers respond to what they see. Generally they don’t see startups, so startup products can do whatever makes sense from a technical and customer relations standpoint. Startups talk to lawyers, they try to avoid doing anything too risky, but they don’t spend their time trying to please policymakers.

But if a startup has enough success and attracts enough users, policymakers suddenly notice it and everything changes. To give just one example, YouTube is now on the radar screen and is facing takedown requests from national authorites in places like Thailand. (Thai authorities demanded takedown of an unflattering video about their king.) The cost of being on the policy radar screen can be high for online companies that have inherently global reach.

Some companies respond by changing their product strategy or by trying to outsource certain functions to other companies. We might even see the emergence of companies that specialize in coping with policymakers, making money by charging other tech-focused companies for managing certain parts of their technology.

Perhaps this is just another cost of scaling up a service that works well at smaller scale. But I can’t help wondering whether companies will change their behavior to try to stay off the radar screen longer. There’s an old strategy called “stealth mode” where a startup tries to avoid the attention of potential competitors by keeping secret its technology or even its very existence, to emerge in public at a strategically chosen time. I can think of several companies that wish for a new kind of stealth mode, where customers notice a company but policymakers don’t.

Apple's File Labeling: An Effective Anticopying Tool?

Recently it was revealed that Apple’s new DRM-free iTunes tracks come with the buyer’s name encoded in their headers. Randy Picker suggested that this might be designed to deter copying – if you redistribute a file you bought, your name would be all over it. It would be easy for Apple, or a copyright owner, to identify the culprit. Or so the theory goes.

Fred von Lohmann responded, suggesting that Apple should have encrypted the information, to protect privacy while still allowing Apple to identify the original buyer if necessary. Randy responded that there was a benefit to letting third parties do enforcement.

More interesting than the lack of encryption is the apparent lack of integrity checks on the data. This makes it pretty easy to change the name in a file. Fred predicts that somebody will make a tool for changing the name to “Steve Jobs” or something. Worse yet, it would be easy to change the data in a file to frame an innocent person – which makes the name information pretty much useless for enforcement.

If you’re not a crypto person, you may not realize that there are different tools for keeping information secret than for detecting tampering – in the lingo, different tools for ensuring confidentiality than for ensuring integrity.

[UPDATE (June 7): I originally wrote that Apple had apparently not put integrity checks in the files. That now appears to be wrong, so I have rewritten this post a bit.]

Apple apparently used crypto to protect the integrity of the data. Done right, this would let Apple detect whether the name information in a file was accurate. (You might worry that somebody could transplant the name header from one file to another, but proper crypto will detect that.) Whether to use this kind of integrity check is a separate question from whether to encrypt the information – you can do either, or both, or neither.

From a security standpoint, the best way to do guarantee integrity in this case is to digitally sign the name data, using a key known only to Apple. There’s a separate key used for verifying that the data hasn’t been modified. Apple could choose to publish this verification key if they wanted to let third parties verify the name information in files.

But there’s another problem – and a pretty big one. All a digital signature can do is verify that a file is the same one that was sold to a particular customer. If a file is swiped from a customer’s machine and then distributed, you’ll know where the file came from but you won’t know who is at fault. This scenario is very plausible, given that as many as 10% of the machines on the Net contain bot software that could easily be directed to swipe iTunes files.

Which brings us to the usual problem with systems that try to label files and punish people whose labels appear on infringing files. If these people are punished severely, the result will be unfair and no prudent person will buy and keep the labeled files. If punishments are mild, then users might be willing to distribute their own files and claim innocence if they’re caught. It’s unlikely that we could reliably tell the difference between a scofflaw user and one victimized by malware, so there seems to be no escape from this problem.