April 20, 2014


Fritz’s Hit List #29

Today on Fritz’s Hit List: logic analyzers.

These devices, which are standard equipment in electronics laboratories, record electrical signals in digital form, so they qualify for regulation as “digital media devices” under the Hollings CBDTPA. If the CBDTPA passes, any newly manufactured logic analyzers will have to incorporate government-approved copy restriction technology.

Fight piracy – regulate laboratory equipment!

[Thanks to John Zulauf for suggesting this item.]


Microsoft Decisions Tomorrow

Judge Kollar-Kotelly has announced that she will release her decisions in the Microsoft antitrust case tomorrow at 4:30 Eastern time.


Intentia vs. Reuters: A (Slightly) Contrarian View

The recent dispute between Intentia and Reuters has gotten lots of online attention, most of it scornful of Intentia’s position. I think Intentia is wrong, but it’s a closer call than most online commentators seem to think.

Here’s the factual background, as far as I can tell: Intentia, a Swedish company, prepared their earnings report, and put that report on its web site, at a “hidden” URL to which there were no links anywhere. A Reuters reporter guessed the URL, accessed the earnings report, and published a story about it, all before Intentia intended for the information to be released. Now Intentia is suing Reuters in Swedish court, charging that Reuters accessed Intentia’s computers illegally and without authorization.

As a non-Swede and non-lawyer, I won’t opine on what Swedish law says about this. Anyway, the more interesting question is what what the law should say about this case. Or to put it another way, how should we draw the line between proper and improper access to a computer system?

Most people seem to feel that what Reuters did was legitimate. That’s my gut feeling too. But it’s not as easy as you might expect to explain why.

One common argument is that because Intentia put the file in a place where it was easily accessed, Intentia should have known that people would access it there, so Reuters cannot be faulted for doing so. This has intuitive appeal, but I don’t think it’s right to argue entirely from technical capabilities. That is, the mere fact that Reuters knew how to access the file cannot be enough to show that the access was proper.

Consider a hypothetical in which Intentia puts the file on its site, protected by a password. Is it proper for Reuters to guess the password and access the file? I don’t think so. I’m not comfortable with a rule that would legalize arbitrary file access via password-guessing.

Now from a technical standpoint, there is little difference between using a secret URL and using a secret password. Both rely on the user typing a secret text string; both send that string across an unencrypted HTTP connection; and both provide the requested file only if the string has been entered correctly. Both provide the same level of security. So if password guessing is improper, then why isn’t URL guessing improper?

The answer, I think, is that using a password sends different signals about Intentia’s intentions than using a URL. If a system challenges you to enter a password, it’s clear that the system’s owner is not authorizing you to continue. But if you just type a URL into a browser and the system supplies you with a file, the owner’s intentions are not clear. If, in fact, the URL was something obvious like “3rd_quarter_earnings.pdf,” then a reasonable person might have concluded that Intentia meant it to be accessed by the public.

Ultimately, this depends on the law recognizing social norms about the Net: that accessible files are by default meant to be accessed; that people use a password if they want to restrict access; and that the lack of a password mechanism is taken to imply that public access is allowed.


Fritz’s Real Hit List

Seth Finkelstein suggests that I should reexamine my “Fritz’s Hit List” feature in light of the “leeway” concept. Seth says, in effect, that it is possible, or at least it might be possible, to redefine the scope of the Hollings CBDTPA so that it covers “what 99.9% of the population uses for business or entertainment,” while not covering the items on Fritz’s Hit List.

I started Fritz’s Hit List to illustrate the extreme overbreadth of the Hollings CBDTPA. This can’t be fixed by making minor adjustments to the bill, or by relying on leeway to cover a few exceptional cases. The bill’s scope is far, far too broad. That’s the real point of Fritz’s Hit List.

This raises the obvious question of whether the bill can be fixed. Is it possible to redefine “digital media device” so that it is broad enough to cover the things it “needs” to cover, yet narrow enough to leave out dolls, dictaphones, and dog toys?

That’s harder than it sounds. I don’t know how to write such a definition. I haven’t seen anybody else offer a good definition either. The CBDTPA’s authors gave us a definition that is pretty far off.

So here is my challenge to the advocates of the Hollings CBDTPA: When you respond to Fritz’s Hit List, don’t just say, “That isn’t what we meant.” Tell us – specifically – what you did mean.


Fritz’s Hit List #28

Today on Fritz’s Hit List: cockpit voice recorders.

These devices, which are part of an airplane’s “black box,” record the sounds audible in an plane’s cockpit, for forensic use in case of an accident. Newer recorders use digital storage, so they qualify for regulation as “digital media devices” under the Hollings CBDTPA. If the CBDTPA passes, any newly manufactured cockpit voice recorders will have to incorporate government-approved copy restriction technology.

Fight piracy – regulate cockpit voice recorders!

[Thanks to Eric Bragg for suggesting this item.]


Microsoft Decision Upcoming?

We’re still waiting for Judge Kollar-Kotelly to rule on the two outstanding issues in the Microsoft antitrust case: whether to approve the settlement between Microsoft, the DOJ, and the settling states; and what remedy to give the non-settling states. She is expected to rule simultaneously on both issues, and the ruling could come at any time.

The court has a mailing list, to which it sends updates about the case. (Click here if you want to subscribe.) The updates are simple text messages, typically announcing that some minor motion has been filed. Today, though, the list received an unusual test message, apparently testing out the court’s ability to send a PDF attachment to the list. It’s almost as if the court is expecting to send out a large PDF document soon.


How Much Progress?

Dan Gillmor quotes Ray Kurzweil as saying that:

The rate of change … is accelerating exponentially. We are “doubling the paradigm shift rate” on a constant basis. This century will be the equivalent to 20,000 years of progress at today’s rate, and people don’t appreciate the implications of this.

I have to admit that this 20,000-years-of-progress claim sounded roughly plausible to me at first. Ted Shelton had the same reaction. But even a little bit of number-crunching shows that Kurzweil must be wildly wrong.

I’m not precisely sure what Kurzweil means by “progress,” but in light of the talk about paradigm shifts, it seems reasonable to assume that “progress” has something to do with the advancement of human knowledge, understanding, or well-being.

Kurzweil says that progress advances exponentially, which seems to be a reasonable assumption. But how fast does the exponential rise? Kurzweil’s “20,000 years” claim turns out, through the magic of logarithms, to imply a 7% annual growth rate, that is, 7% more progress each year than the year before, with the increases compounding over time. That translates to a doubling in human progress every ten years.

That just can’t be right. For one thing, it implies that the amount of human progress between 1,000,000 B.C. and 1992 A.D. is equal to the amount of progress between 1992 and 2002. By any reasonable definition of human progress, things can’t be advancing nearly as fast as Kurzweil claims.

It’s surprising that a guy as smart as Kurzweil made this kind of mistake. In retrospect, I’m surprised that the claim sounded plausible to me and Gillmor and Shelton. I guess people are not very good at thinking about exponentials.


Too Stupid to Look the Other Way

David Weinberger explains the value of “leeway,” or small decisions not to enforce the rules in cases where enforcement wouldn’t be reasonable.

Imagine that your mother were visiting your apartment, and she got sick, so you let her stay overnight because she wan’t well enough to travel home. If this happened, no reasonable landlord would enforce a no-overnight-guests rule against you. Weinberger says:

Leeway is the only way we manage to live together: We ignore what isn’t our business. We cut one another some slack. We forgive one another when we transgress.

By bending the rules we’re not violating fairness. The equal and blind application of rules is a bureaucracy’s idea of fairness. Judiciously granting leeway is what fairness is all about. Fairness comes in dealing with the exceptions.

And there will always be exceptions because rules are imposed on an unruly reality. The analog world is continuous. It has no edges and barely has corners. Rules at best work pretty well. That’s why in the analog world we have a variety of judges, arbiters, and referees to settle issues fairly when smudgy reality outstrips clear rules.

The problem, Weinberger says, is computers don’t give leeway. Would the computer toss your sick mother out on the street, or cancel your lease because you let her stay?

Of course, you can always change the rules to add exceptions, such as a sick-mother allowance. Doing this would cover some cases, but you would be left with a more complex set of rules that was still enforced inflexibly. You can change the rules, but you can’t teach a computer to give leeway.

Weinberger goes on:

Which brings us to “digital rights management” which implements in code a digital view of rights. Yes, vendors and users should have a wide variety of agreements possible, but the nature of those agreements is necessarily digital….

If we build software that enables us to “negotiate” usage rules with content providers, the rules can be as favorable as we’d like but their enforcement will necessarily be strict, literal and unforgiving. Binary, not human.

DRM raises very difficult leeway issues. Fair use is an officially sanctioned leeway mechanism, designed to prevent enforcement of certain rules when the particular circumstances would make enforcement unwise. Fair use is just the kind of subtle and context-dependent leeway mechanism that computers can’t handle.

Weinberger’s message can be summed up in a quote attributed to him by Jon Udell:

That’s the problem with DRM. Computers are too stupid to look the other way.


Wiley’s Super-Worm

Brandon Wiley writes about the possibility of a “super-worm” that would use sophisticated methods to infect a large fraction of Internet hosts, and to maintain and evolve the infection over time. This is scary stuff. I have two comments to add.

First, the worst case is probably even worse than Wiley suggests. His paper may only scratch the surface of what a really sophisticated bad guy could do.

Second, Wiley’s paper points out the double-edged nature of basic security technology. The methods we use to protect ourselves against attacks – encryption, redundancy, decentralization, code patching – are the same methods that Wiley’s bad guy would use to protect himself against our counterattacks. To counterattack, we would need to understand the flaws in these methods, and to know how to attack them. If we ban or stigmatize discussion of these flaws, we put ourselves at risk.


Wishful Thinking

In recent debates about copyright and technology, pro-regulation people have started using an interesting rhetorical tactic. Rather than trying to rebut challenges to the workability of their proposed solutions, they talk instead about how intensely they want their proposals to be workable.

For example, my Fritz’s Hit List series points out a serious flaw in Sen. Hollings’ regulatory proposal. Here is the response from the Senator’s office (from the Oct. 21 New York Times):

Andy Davis, a spokesman for Mr. Hollings, said the technology-minded critics of the bill were “missing the thrust of the senator’s argument,” which is that there is need for more protection of copyright works if online content and broadband Internet access are to flourish.

I don’t doubt that Senator Hollings wants very badly for there to be a solution to this problem. But wishing for a solution is not the same thing as having one.

The same phenomenon is at work when pro-regulation people “debate” the regulation issue by repeating statistics about copyright infringement. By now, everybody knows that there is a serious problem with copyright compliance, and (almost) everybody wishes for a solution to that problem.

Again, saying that you want a solution doesn’t imply that a solution is possible. And it certainly doesn’t imply that the “solution” you are currently peddling is any good.