It’s Election Day, and residents here in Mercer County may have cast our last votes on the big old battleship-gray lever voting machines. Next election, we’re supposed to be using a new all-electronic system, without any of the necessary safeguards such as a voter-verifiable paper trail or public inspection of software code.
WaPo Confused On CD-DRM
Today’s Washington Post runs an odd, self-rebutting story about the sales of the copy-protected Anthony Hamilton CD – the same CD that Alex Halderman wrote about, leading to SunnComm’s on-again, off-again lawsuit threat.
The article begins by saying that the CD’s sales had an unusually small post-release drop-off in sales. Sales fell 23% in the first week, where 40-60% is more typical. There are several reasons this might have happened: the album was heavily promoted, it was priced at $13.98, and it had good word of mouth. But the article tries to argue that the SunnComm DRM technology was a big part of the cause.
The article proceeds to rebut its own argument, by undercutting any mechanism by which the DRM could have reduced copying. Did the DRM keep the music off peer-to-peer networks? No. “Songs from Hamilton’s CD appeared on unauthorized song-sharing Internet services, such as Kazaa, before the release date…” Did the DRM keep people from making CD-to-CD copies? No. “Though buyers of the Hamilton CD are allowed to make three copies, nothing prevents them from copying the copied CDs”
Was the DRM unobtrusive? Here the reporter seems to misread one of the Amazon reviews, implying that the reviewer preferred DRM to non-DRM discs:
“I give this CD four stars only because of the copyright protection,” wrote one reviewer. “This CD didn’t play too well on my computer until I downloaded some kind of license agreement, and was connected to the Internet. Otherwise, it’s very good.”
It should be clear enough from this quote (and if you’re not sure, go read the full review on Amazon) that this reviewer saw the DRM as a negative. And at least two other reviewers at Amazon say flatly that the CD did not work in their players.
The topper, though, is the last paragraph, which shows a reporter or editor asleep at the switch:
A Princeton University graduate student distributed a paper on the Internet shortly after the CD’s release demonstrating, he argued, how the copy-protection could be broken. But Jacobs, who initially threatened to sue the student before backing off, said his technology is meant to thwart casual copying, not determined hackers.
What’s with the “he argued”? The claims in the student’s paper are factual in nature, and could easily have been checked. SunnComm even admits that the claims are accurate.
And how can the reporter let pass the statement by Jacobs implying that only “determined hackers” would be able to thwart the technology? We’re talking about pressing the shift key, which is hardly beyond the capabilities of casual users.
We’ve come to expect this kind of distortion from SunnComm’s press releases. Why are we reading it in the Washington Post?
DMCA Exemptions Granted, Problems Remain
The U.S. Copyright Office has issued its report, creating exemptions to the DMCA’s anti-circumvention provisions for the next three years. The exemptions allow people to circumvent access control technologies under certain closely constrained conditions. The exemption rulemaking, which happens every three years, was created by Congress as a kind of safety valve, intended to keep the DMCA from stifling fair use too severely.
This time around, exemptions were granted for (1) access to the “block-lists” of censorware products, and (2) works protected by various types of broken or obsolete access control mechanisms.
My own exemption request, asking for exemptions for information security researchers, was denied as expected.
It is abundantly clear by now that the DMCA has had a chilling effect on legitimate research related to access control technologies. When researchers ask Washington for a solution to this problem, they have so far gotten a Catch-22 answer. When we ask Congress do to something, we are told to seek an exemption in the Copyright Office rulemaking. But when we petitioned the Copyright Office for an exemption in the 2000 rulemaking, we were told that the Copyright Office did not have the power to grant the kind of exemption we had requested.
So this time, I wrote an exemption request that was designed to end the Catch-22 – to entice the Copyright Office to either (a) grant an exemption for researchers, or (b) state flatly that Congress had not given it the power to grant any kind of useful research exemption. As I read the Copyright Office’s findings (see pages 14-15 of the short version, or pages 86-89 of the extended dance version; they designate my request as number 3), they have essentially said (b) – exemptions of the type I requested “cannot be considered.”
Broadcast Flag Confusion
In today’s New York Times, Stephen Labaton reports on the continuing controversy over the FCC’s impending Broadcast Flag rules. In the midst of a back-and-forth about the rules, Labaton writes this:
An F.C.C. official said, for instance, that the broadcast flag could contain software code that was recognized by computer routers in a way that the program would self-destruct after passing through three routers while being e-mailed by a user.
Somebody is really confused here about how the Internet works. Maybe it’s the reporter, or maybe it’s the FCC source, or maybe (God forbid) both.
If this statement bears any connection to reality, it’s cause for serious worry. I can’t think of any way of translating the statement into a technically coherent form that doesn’t involve the FCC redesigning the basic workings of the Internet.
UPDATE (8:55 PM): Seth Schoen has solved the mystery; see his comment. The mystery sentence looks like a very confused attempt to explain the fact that DTCP-over-IP sets the Time-To-Live field on its IP packets equal to three.
Remote Controls for Traffic Lights
Many cities have installed systems that let emergency vehicles control traffic lights via infrared remote controls, thereby getting to the scene of an emergency more quickly. This is good.
Yesterday’s Detroit News, in a story by Jodi Upton, reports on the availability of remote controls that allow ordinary citizens to control the same traffic lights. Now traffic engineers worry that selfish people will use the remotes to disrupt the flow of traffic.
As Eric Rescorla notes, this could have been avoided by using cryptography in the design of the original system. Instead, we’re likely to see a crackdown on the distribution of the remote controls, and the predictable black market in the banned devices.
This seems like a classic example of the harm caused by deploying a technology without considering how it might be abused. It would be interesting to know why this happened. Did the vendor not stop to think about the potential for abuse? Did they think that nobody would ever figure out how to abuse the system? Did they fail to realize that anti-abuse technologies were available? I wish I knew.