April 20, 2014


Story Time (Cont.)

Several readers took issue with my previous post relating anti-infringement technology to anti-cancer technology. So let me clarify what I was and wasn’t trying to say.

First, I wasn’t saying that infringement is okay. It’s not. And I wasn’t trying to draw a moral equivalence between infringers and copyright owners. Remember: I analogized infringement to cancer.

Second, I wasn’t saying that we shouldn’t do anything about infringement. Certainly, some anti-infringement measures are worth trying.

Third, I wasn’t saying that it would be wrong to deploy an effective, side-effect-free anti-infringement technology, if such a thing actually existed.

What I was trying to do was to draw an analogy between anti-infringement technologies and anti-cancer technologies, and to point out that people think about these two technology problems very differently, and without good reason. Here are four examples of the difference:

(1) Many people in the policy debate just assume that there must be a technology available that can prevent infringement. Nobody makes such an assumption about cancer.

(2) Doctors who say “I don’t know how to cure cancer” are not accused of being pro-cancer. But software companies that say “I don’t know how to stop infringement” are accused of being pro-infringement.

(3) When a company claims to have a foolproof anti-infringement technology, their claim is often taken seriously, even if no evidence is presented to support it. But nobody would believe a claim that a drug can cure cancer, based only on unsupported assertions by a drug company vice president. Actual scientific evidence is required.

(4) Congress or the FDA wouldn’t dream of mandating the use of a particular cancer treatment (thereby banning other treatments), without independent testing of the proposed treatment and a lengthy and open discussion of how and whether it worked. Yet when it comes to infringement, mandating secret or poorly tested technologies is taken seriously as a policy option.

For some reason, the development of anti-infringement technology is treated as a political problem that can be solved by dealmaking or by decree.


Diebold Voting Machines “At High Risk of Compromise”

As expected, an independent study of the Diebold electronic voting machines purchased by the state of Maryland has found that “The system, as implemented in policy, procedure, and technology, is at high risk of compromise.” The study was commissioned by the state and performed by SAIC. A Washington Post story by Brigid Schulte reports that SAIC “found 328 security weaknesses, 26 of them critical”.

The report is available to the public only in heavily redacted form, which in itself does not inspire confidence. What is in the redacted version is bad enough; for example, it reports that the Diebold machines didn’t even bother to encrypt the vote totals before sending them to the Board of Elections.

Diebold, which had previously said we should trust their unspecified security mechanisms, now says that we should trust them to implement unspecified fixes for these problems.

In case you have any remaining confidence in unaudited electronic voting systems, consider this: a Diebold executive told the Washington Post that the fixes will be made to the Maryland machines, but not to the 33,000 Diebold electronic voting machines already in use outside of Maryland.


Story Time

In a speech today, John Fictitious, president of the Hospital Association of America, expressed his industry’s disappointment at the continuing prevalence of cancer in America. “Our industry stands ready to deploy a cure, but the doctors and drug companies have been unwilling to sit down at the bargaining table to work out a mutually agreeable cure,” he said. Spokesmen for the doctors and drug companies said they were always open to discussion, and asked for more details about the proposed cures and their side effects. But Mr. Fictitious accused them of foot-dragging: “The time for research and discussion is past. Cancer is widespread today. The simple fact is that the doctors and drug companies profit from cancer and would rather not make a deal.”

Congressional leaders expressed sympathy for the Hospital Association’s position. “We are very disturbed by the continued failure of the affected industries to reach an agreement,” said one senator. “If the industries cannot negotiate a solution to the cancer problem, we may have to step in and impose one.”

This is ridiculous, of course. Everybody knows that cancer is a scientific problem – it is an aspect of reality that cannot be negotiated out of existence and cannot be cured by government decree.

But substitute “copyright infringement” for “cancer”, “solution” for “cure”, “motion picture” for “hospital”, “Jack Valenti” for “John Fictitious”, and “software and consumer electronics companies” for “doctors and drug companies”, and you get this story, which might have come from a recent newspaper:

In a speech today, Jack Valenti, president of the Motion Picture Association of America, expressed his industry’s disappointment at the continuing prevalence of copyright infringement in America. “Our industry stands ready to deploy a solution, but the software and consumer electronics companies have been unwilling to sit down at the bargaining table to work out a mutually agreeable solution,” he said. Spokesmen for the software and consumer electronics companies said they were always open to discussion, and asked for more details about the proposed solutions and their side effects. But Mr. Valenti accused them of foot-dragging: “The time for research and discussion is past. Copyright infringement is widespread today. The simple fact is that the software and consumer electronics companies profit from copyright infringement and would rather not make a deal.”

Congressional leaders expressed sympathy for the Motion Picture Association’s position. “We are very disturbed by the continued failure of the affected industries to reach an agreement,” said one senator. “If the industries cannot negotiate a solution to the copyright infringement problem, we may have to step in and impose one.”

Somehow, people who would see the fallacy clearly in the cancer story seem to miss the same fallacy when the topic is copyright infringement. Technical problems cannot be solved by negotiation or by government decree; and trying to do so will only hold back the progress that might one day lead to a solution.

Why do so many people miss this point? That’s a topic for a later posting.


File Sharing Vs. The Web

Ernest Miller is on a roll over at LawMeme. His latest post asks why people treat HTTP (i.e., the web) and peer-to-peer systems so differently:

P2P and http uploading and downloading of copyrighted MP3s are, essentially, functionally equivalent from a copyright point of view. From a technical point of view, however, there are significant differences. If anything, http has some serious advantages over P2P filesharing in many cases. Although P2P would still be useful in a world where http filesharing were allowed, http could easily and more effectively handle the vast majority of filesharing.

I venture that there seems to be a different set of copynorms for the practice of filesharing via P2P and http. Certainly some defend filesharing via both P2P and http, but others strongly defend P2P with nary a word in favor of http filesharing.

This is just a sample. Read the whole thing!


Senate Commerce Testimony: Post-Mortem

Today I testified at a Senate Commerce Committee hearing. The issue under discussion was whether (or how) the government should require the inclusion of DRM (anti-copying) technology in digital TV equipment. Here is my written testimony.

If you haven’t been to such a hearing, you might be surprised at some of what happens. For one thing, unlike the hearings you see on TV, some of the Senators are absent, and some come and go during the hearing. (A Senator is on multiple committees, and various hearings are going on simultaneously, along with other business.)

You would probably be disappointed as well at the quality of the debate. It’s not that debate doesn’t occur; and it’s not that the issues at hand aren’t important. But much time is wasted on posturing that is irrelevant to the nominal topic of the hearing and seems designed only to show that one side is purer of heart than the other. An example was the repeated references to porn on P2P networks. This had no connection to the hearing’s topic, and nobody even bothered to connect it to the topic. And none of the witnesses had any connection with P2P technology.

At the witness table, I was seated next to the one and only Mr. Jack Valenti, whom Senator Brownback laughingly introduced as “the eternal head of the MPAA.” Mr. Valenti was accompanied by a seeming army of helpers who passed him notes at a furious pace. He struck his usual apocalyptic tone – his testimony was titled “The Perils of Movie Piracy – and its dark effects on consumers, the million people who work in the movie industry, and the nation’s economy: Some facts, worries, and a look at the uncharted future”. The first paragraph is a real doozy:

No nation can lay claim to greatness or longevity unless it constructs a rostrum from which springs a “moral imperative” which guides the daily conduct of its citizens. Within the core of that code of conduct is a simple declaration that to take something that does not belong to you not only is wrong, but it is a clear violation of the moral imperative, which is fastened deep in all religions.

And this at a hearing about TV tuner regulation!

Mr. Valenti, characteristically, hit the P2P porn meme the hardest, even, in a surreal moment, inviting the Senators’ staffers to go download some porn from Kazaa and see for themselves how vile it is. As a parent, I had to chuckle on hearing the American movie industry complain about the distribution of inappropriate sexual content to kids. But then again the whole room seemed at times to be an irony-free zone.


Volokh and Solum Debate IP

Eugene Volokh and Lawrence Solum are having an interesting debate on the theory behind intellectual property. So far there have been four postings:

Volokh’s initial posting, explaining via a clever example why it might make sense to treat information as property

Solum’s response, challenging Volokh’s example

Volokh’s response to Solum

Solum’s response, digging deeper into the issue

Presumably we will see more on Volokh’s blog and Solum’s blog.


Senate Testimony

I’ll be testifying tomorrow morning at a Senate Commerce Committee hearing on “Consumer Privacy and Government Technology Mandates in the Digital Media Marketplace.”

The hearing is really about two topics: the DMCA subpoena process that allows copyright owners to learn the identities of Internet users (“Consumer Privacy”), and the impact of regulations that would require technology makers to build anti-copying technology into their devices (“Government Technology Mandates”). I’ll be on the panel discussing the second topic. Other witnesses on the panel will be Lawrence Blanford of Philips, Jack Valenti of the MPAA, and Chris Murray of Consumers Union.

I’ll post my written testimony here later. I’ll also post my impressions of the hearing afterward.

UPDATE (4:50 PM): It appears that a live Internet audiocast of the hearing will be available on capitolhearings.org, starting at 9:30 AM (Eastern). The hearing starts at 10:00 with a panel discussing the subpoena issue; I’m on the second panel.


A Virus Made Me Do It

According to press reports, an Alabama accountant has been acquitted on charges of tax evasion, after he argued that a computer virus had caused him to underreport his income three years in a row. He could not say which virus it was. Nor could he explain why it had affected only his own return, but not any of his clients’ returns which he had prepared on the same computer.

If the reports are accurate, the man’s claims sound bogus. I suppose the jury felt they had a reasonable doubt about whether his story was true.

It’s hard to see how juries can reach just outcomes in cases like this. Virus infestations are common, and it’s often hard to tell after the fact what happened. We’ll probably see more computer-virus defenses in cases like this, and some of them will lead to unjust verdicts.

This is yet another price we have to pay for the persistent insecurity of our computer systems.

[Thanks to Brian Kernighan for pointing out this story.]


More RIAA Suits to Come

Louis Trager at the Washington Internet Daily (no link; subscription only) reported yesterday that the RIAA is planning on filing hundreds of additional lawsuits against peer-to-peer users within the next month.

RIAA VP Matt Oppenheim also expressed outrage at the criticism of the group’s amnesty program. Trager quotes Oppenheim as saying, “We can only give away what we can give away….” Oppenheim also claims that the public supports the RIAA’s lawsuits, citing poll numbers and talk radio call-ins.


Why So Many Worms?

Many people have remarked on the recent flurry of worms and viruses going around on the Internet. Is this a trend, or just a random blip? A simple model predicts that worm/virus damage should increase in proportion to the square of the number of people on the Net.

First, it seems likely that the amount of damage done by each worm will be proportional to the number of people on the Net. This is based on three seemingly reasonable assumptions.

(1) Each worm will exploit a security flaw that exists (on average) on a fixed fraction of the machines on the Net.
(2) Each worm will infect a fixed fraction (nearly 100%, probably) of the susceptible machines.
(3) Each infected machine will suffer (or inflict on others) a fixed amount of damage.

Second, it seems likely that the rate of worm creation will also be proportional to the number of people on the Net. This is based on two more seemingly reasonable assumptions.

(4) A fixed (albeit very small) fraction of the people on the Net will have the knowledge and inclination to be active authors of worms.
(5) Would-be worm authors will find an ample supply of security flaws for their worms to exploit.

It follows from these five assumptions that the amount of worm damage per unit time will increase as the square of the number of people on the Net. As the online population continues to increase, worm damage will increase even faster. Per capita worm damage will grow as the Net gets larger.

Assuming that the online population will keep growing, the only way out of this problem is to falsify one of the five assumptions. And each of the five assumptions seems pretty well entrenched.

We can try to address Assumption 1 by applying security patches promptly, but this carries costs of its own, and in any case it only works for flaws that have been discovered by (or reported to) the software vendor.

We can try to address Assumption 2 by building defenses that can quarantine a worm before it spreads too far. But aggressive worms spread very quickly, infecting all of the susceptible machines in the world in as little as ten minutes. We’re far from devising any safe and effective defense that can operate so quickly.

Assumption 3 seems impossible to prevent, since a successful worm is assumed to have seized control of at least one significant part of the victim’s computer.

Assumption 4 seems to be human nature. Perhaps we could deter worm authors more effectively than we do, but deterrence will only go so far, especially given that we’ve had very little success so far at catching (non-rookie) worm authors, and that worms can originate anywhere in the world.

So we’re left with Assumption 5. Can we reduce the number of security flaws in popular software? Given the size and complexity of popular programs, and the current state of the art in secure software development, I doubt we can invalidate Assumption 5.

It sure looks like we’re in for an infestation of worms.
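
The scaling argument in this post, written out as a small model. This is an added example, not part of the original post: the field names, the sample values and the `flaw_supply` cap (a hypothetical way to represent Assumption 5 failing) are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WormModel:
    vulnerable_fraction: float   # Assumption 1: share of machines with the flaw
    infected_fraction: float     # Assumption 2: share of susceptible machines hit
    damage_per_host: float       # Assumption 3: fixed damage per infected machine
    author_fraction: float       # Assumption 4: share of users who write worms
    worms_per_author: float      # worms released per author per unit time
    flaw_supply: Optional[float] = None  # Assumption 5: None = ample supply;
                                         # otherwise a cap on worms per unit time

    def damage_per_worm(self, n: int) -> float:
        # Assumptions 1-3: damage from one worm is proportional to population n.
        return (self.vulnerable_fraction * self.infected_fraction
                * self.damage_per_host * n)

    def worms_per_unit_time(self, n: int) -> float:
        # Assumptions 4-5: worm creation is proportional to n unless flaws run out.
        rate = self.author_fraction * self.worms_per_author * n
        if self.flaw_supply is not None:
            rate = min(rate, self.flaw_supply)
        return rate

    def damage_rate(self, n: int) -> float:
        return self.damage_per_worm(n) * self.worms_per_unit_time(n)


def growth_on_doubling(model: WormModel, n: int) -> float:
    """Factor by which total damage per unit time grows when n doubles."""
    return model.damage_rate(2 * n) / model.damage_rate(n)


# Constructed sample values, for illustration only.
BASE = WormModel(0.2, 0.95, 1.0, 1e-5, 1.0)
# Faster patching halves the vulnerable fraction but keeps it a fixed fraction.
PATCHED = WormModel(0.1, 0.95, 1.0, 1e-5, 1.0)
# Assumption 5 falsified: flaws support at most 5 new worms per unit time.
CAPPED = WormModel(0.2, 0.95, 1.0, 1e-5, 1.0, flaw_supply=5.0)

if __name__ == "__main__":
    n = 1_000_000
    for name, m in (("base", BASE), ("patched", PATCHED), ("capped", CAPPED)):
        print(f"{name:8s} damage/time={m.damage_rate(n):12.1f} "
              f"x{growth_on_doubling(m, n):.1f} when population doubles")
```

Shrinking one of the fixed fractions lowers the damage but leaves the quadratic growth in place; in this model only breaking a proportionality, as the cap does, changes how damage scales with population.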