November 27, 2024

CBS Tries DRM to Block Criticism of Rathergate Report

Last week the panel investigating CBS’s botched reporting about President Bush’s military service released its report. The report was offered on the net in PDF format by CBS and its law firm. CBS was rightly commended for its openness in facing up to its past misbehavior and publicizing the report. Many bloggers, in commenting on the report and events that led to it, included quotes from the report.

Yesterday, Ernest Miller noticed that he could no longer copy and paste material from the report PDF into other documents. Seth Finkelstein confirmed that the version of the report on the CBS and law firm websites had been modified. The contents were the same but an Adobe DRM (Digital Restrictions Management) technology had been enabled, to prevent copying and pasting from the report. Apparently CBS (or its lawyers) wanted to make it harder for people to quote from the report.

This is yet another use of DRM that has nothing to do with copyright infringement. Nobody who wanted to copy the report as a whole would do so by copying and pasting – the report is enormous and the whole thing is available for free online anyway. The only plausible use of copy-and-paste is to quote from the report in order to comment, which is almost certainly fair use.

(CBS might reasonably have wanted to prevent modifications to the report file itself. They could have done this, within Adobe’s DRM system, without taking away the ability to copy-and-paste material from the file. But they chose instead to ban both modification and copy-and-paste.)

This sort of thing should not be a public policy problem; but the DMCA makes it one. If the law were neutral about DRM, we could just let the technology take its course. Unfortunately, U.S. law favors the publishers of DRMed material over would-be users of that material. For example, circumventing the DRM on the CBS report, in order to engage in fair-use commentary, may well violate the DMCA. (The DMCA has no fair-use exception, and courts have ruled that a DMCA violation can occur even if there is no copyright infringement.)

Worse yet, the DMCA may ban the tools needed to defeat this DRM technology. Dmitry Sklyarov was famously jailed by the FBI for writing a software tool that defeated this very same DRM technology; and his employer, Elcomsoft, was tried on criminal charges for selling fewer than ten copies of that tool.

As it turns out, the DRM can apparently be defeated easily by using Adobe’s own products. A commenter on Seth’s site (David L.) notes that he was able to turn off the restrictions using Adobe Acrobat: “The properties showed it set to password security. I was goofin around and changed it to No Security adn it turned off the security settings. I then saved the pdf and reopened it and the security was gone…. Apparently forging documents is not all that CBS sucks at.”

UPDATED (12:35 PM) to clarify: changed “cut-and-paste” to “copy-and-paste”, and added the parenthesized paragraph.

French Researcher Faces Criminal Charges for Criticizing Antivirus Product

Guillaume Tena, a researcher also known as Guillermito, is now being tried on criminal copyright charges, and facing jail time, in France. He wrote an article analyzing an antivirus product called Viguard, and pointing out its flaws. The article is in French, and standard online translators seem to choke on it. My French is poor at best so I have only a general idea of what it says. But it sure looks like the kind of criticism a skeptical security researcher would write.

This is a standard legal-attack-on-security-researcher story. Company makes grand claims for its product; security researcher writes paper puncturing claims; company launches rhetorical and legal attack on researcher; researcher’s ideas get even wider attention but researcher himself is in danger. Everybody in the security research field knows these stories, and they do deter useful research, while further undermining researchers’ trust in unsupported vendor claims.

At least one thing is unusual about Tena’s legal case. Rather than being charged with violating some newfangled DMCA-like law, he is apparently being charged with old-fashioned copyright infringement (or the French equivalent) because his criticism incorporated some material that is supposedly derivative of the copyrighted Viguard software. Unlike some previous attacks on researchers, this one may not have been enabled by the recent expansion of copyright law. Instead, it would seem to be enabled by a combination of two factors: (1) Traditional copyright law allows such a case to be brought, even though Tena had not caused the kind of harm that copyright law is supposed to prevent; and this allowed (2) a decision by the authorities to single him out for prosecution because somebody was angry about what he wrote.

It’s bad enough that Tegam, the company that created Viguard, is going after Tena. Why is the French government participating? Here’s a hint: Tegam’s statement plays on French nationalism:

TEGAM International has for many years been the only French company to design, develop, market and provide support for antivirus and security software in France. It has chosen a global approach to security, not relying on signature updates [a method used by the most popular U.S. antivirus products].

In the software sector, everybody knows that some people would like to exert their technological domination, and as a result crush any attempt to create an alternative. As the battle goes on to try to preserve and strengthen research in France, TEGAM International defends its difference and the results of its own research.

Patent Holding Companies

Lately we’ve seen many complaints about the proliferation of patent holding companies, which buy patents, usually from small inventors, and then try to extract royalties, by negotiation or lawsuit, from companies that (allegedly) use the patented inventions. Often this is depicted as some kind of outrage. But from a policy standpoint I don’t see a problem.

Now perhaps you believe that the patent system is irretrievably broken and ought to be scrapped or severely reformed. Perhaps you think it should be harder to bring patent lawsuits. If that’s your position, then your policy effort should be spent on reforms that apply to all patent owners and all lawsuits, and not just on holding companies. Why focus specially on patent activity by holding companies, unless your goal is to disadvantage small inventors?

If, on the other hand, you buy into the goals of the patent system, and you think that the system, though imperfect, generally works, then it’s hard to see the problem with holding companies. It seems sensible that the financial return for an invention ought to be the same, whether the inventor works for a big company or freelances in his garage. If the invention really is novel, non-obvious, and useful, then the inventor is entitled to reasonable royalties from people who use the patented technology. Why should small inventors face barriers that large inventors don’t?

An inventor’s ability to negotiate royalties depends, ultimately, on the threat that he will bring a lawsuit if the company using the invention doesn’t agree to pay. Patent litigation is costly and time-consuming, especially if the defendant is using delay tactics. A freelance inventor can’t credibly threaten to bring a suit without financial backing from somebody else. Litigation is risky, too, and the inventor may be risk-averse. The company using an invention knows these things, so a freelance inventor’s lawsuit threat won’t have much credibility, even if the suit would have merit. And so the freelance inventor won’t be able to extract the royalties that a deeper-pocketed inventor could. It’s often argued that the patent system unfairly favors large companies, for precisely this reason.

Why not allow an outside firm to invest in small inventors’ patents, so as to provide the financial resources to support a potential suit and to absorb the risk? Coming from such a firm, a lawsuit threat would have suitable deterrent value. And so, most importantly, suchs will bid against each other for small inventors’ patents. Holding companies can level the playing field by helping small inventors extract the true value of their inventions.

Beyond this, holding companies may develop expertise in patent valuation or negotiating royalties. Holding companies that specialize in valuation and revenue-extraction allow small inventors to specialize in what they do best, which is inventing. This would mirror the structure in large companies, where one subgroup of people handles invention and another handles revenue-extraction. Why treat the small inventor differently from the large one?

Though there is no good policy argument for disadvantaging small inventors, we may see such changes anyway, due to rent-seeking by large companies. Those who support rational patent policy should focus on setting up the right patent rules (whatever they are), and applying those rules to whoever happens to own each patent.

Whom Should We Search at the Airport?

Here’s an interesting security design problem. Suppose you’re in charge of airport security. At security checkpoints, everybody gets a primary search. Some people get a more intensive secondary search as a result of the primary search, if they set off the metal detector or behave suspiciously during the primary search. In addition, you can choose some extra people who get a secondary search even if they look clean on the primary search. We’ll say these people have been “selected.”

Suppose further that you’re given a list of people who pose a heightened risk to aviation. Some people may pose such a serious threat that we won’t let them fly at all. I’m not talking about them, just about people who pose a risk that is higher than average, but still low overall. When I say these people are “high-risk” I don’t mean that the risk is high in absolute terms.

Who should be selected for secondary search? The obvious answer is to select all of the high-risk people, and some small fraction of the ordinary people. This ensures that a high-risk person can’t fly without a secondary search. And to the extent that our secondary-searching people and resources would otherwise be idle, we might as well search some ordinary people. (Searching ordinary people at random is also a useful safeguard against abusive behavior by the searchers, by ensuring that influential people are occasionally searched.)

But that might not be the best strategy. Consider the problem faced by a terrorist leader who wants to get a group of henchmen and some contraband onto a plane in order to launch an attack. If he can tell which of his henchmen are on the high-risk list, then he’ll give the contraband to a henchman who isn’t on the list. If we always select people on the list, then he can easily detect which henchmen are on the list by having the henchmen fly (without contraband) and seeing who gets selected for a secondary search. Any henchman who doesn’t get selected is not on the high-risk list; and so that is the one who will carry the contraband through security next time, for the attack.

The problem here is that our adversary can probe the system, and use the results of those probes to predict our future behavior. We can mitigate this problem by being less predictable. If we decide that people on the high-risk list should be selected usually, but not always, then we can introduce some uncertainty into the adversary’s calculation, by forcing him to worry that a henchman who wasn’t selected the first time might still be on the high-risk list.

The more we reduce the probability of searching high-risk people, the more we increase the adversary’s uncertainty, which helps us. But we don’t want to reduce that probability too far – after all, if we trick the terrorist into giving the contraband to a high-risk henchman, we still want a high probability of selecting that henchman the second time. Depending on our assumptions, we can calculate the optimal probability of secondary search for high-risk people. That probability will often be less than 100%.

But now consider the politics of the situation. Imagine what would happen if (God forbid) a successful attack occurred, and if we learned afterward that one of the attackers had carried contraband through security, and that the authorities knew he posed a hightened risk but chose not to search him due to a deliberate strategy of not always searching known high-risk people. The recriminations would be awful. Even absent an attack, a strategy of not always searching is an easy target for investigative reporters or political opponents. Even if it’s the best strategy, it’s likely to be infeasible politically.

The "Pirate Pyramid"

This month’s Wired runs a high-decibel piece by Jeff Howe, on topsites and their denizens:

When Frank … posted the Half-Life 2 code to Anathema, he tapped an international network of people dedicated to propagating stolen files as widely and quickly as possible.

It’s all a big game and, to hear Frank and others talk about “the scene,” fantastic fun. Whoever transfers the most files to the most sites in the least amount of time wins. There are elaborate rules, with prizes in the offing and reputations at stake. Topsites like Anathema are at the apex. Once a file is posted to a topsite, it starts a rapid descent through wider and wider levels of an invisible network, multiplying exponentially along the way. At each step, more and more pirates pitch in to keep the avalanche tumbling downward. Finally, thousands, perhaps millions, of copies – all the progeny of that original file – spill into the public peer-to-peer networks: Kazaa, LimeWire, Morpheus. Without this duplication and distribution structure providing content, the P2P networks would run dry.

The story paints this as a sort of organized-crime scene, akin to a drug cartel, in which a great many people conspire, via some kind of command-and-control network, to achieve the widest distribution of the product. If true, this would be good news for law enforcers – if they chopped off the organization’s head, “the P2P networks would run dry.”

But this is wrong way to interpret the facts, at least as I understand them. The topsites are exclusive clubs whose members compete for status by getting earlier, better content. The main goal is not to seed the common man’s P2P net, but to build status and share files within a small group. Smebody on the fringe of the group can grab a file and redistribute it to less exclusive club, as a way of building status within that lesser club. Then somebody on the fringe of that club can redistribute it again; and so on. And so the file diffuses outward from its source, into larger and less exclusive clubs, until eventually everybody can get it. The file is distributed not because of a coordinated conspiracy, but because of the local actions of individuals seeking status. The whole process is organized; but it’s organized like a market, not like a firm.

[It goes without saying that all of this is illegal. Please don’t mistake my description of this behavior for an endorsement of it. It’s depressing that this kind of disclaimer is still necessary, but I have learned by experience that it is.]

What puts some people at the top of this pyramid, and others at the bottom? It’s not so much that the people at the bottom are incapable of injecting content into the system; it’s just that the people at the top get their hands on content earlier. Content trickles down to the P2P nets at the bottom of the pyramid, often arriving there before the content is available by other means to ordinary members of the public. Once a song or movie is widely available, there’s no real reason for an ordinary user to rip their own copy and inject it.

The upshot is that enforcement against the top of the pyramid would have some effect, but much less than the Wired article implies. The main effect would be to delay the arrival of content in the big P2P networks, at least for a while, by blocking early leaks of content from the studios and production facilities. The files would still show up – there are just too many sources – but the copyright owners would gain a short interval of exclusivity before the content showed up on P2P. Certainly the P2P networks would not “run dry.”

Don’t get me wrong. Law enforcers should go after the people at the top of the pyramid. At least they would be making examples of the right people. But we should recognize that the rivers of P2P will continue to overflow.

UPDATE (7:25 PM): Jeff Howe, author of the Wired article, offers a response in the comments.