August 25, 2016

Archives for August 2004


Valenti's Greatest Hits

Over at Engadget, JD Lasica interviews outgoing MPAA head Jack Valenti. In the interview, Valenti repeats several of his classic arguments.

For example, here’s Valenti, in this week’s interview, on fair use:

Now, fair use is not in the law.

We heard this before, in Derek Slater’s 2003 interview with Valenti:

What is fair use? Fair use is not a law. There’s nothing in law.

(Somebody should send him a copy of 17 U.S.C. 107.)

Here’s Valenti, this week, on the subject of backups:

Where did this backup copy thing come from? A digital thing lasts forever.

Here he is in the 2003 interview:

[A DVD] lasts forever. It never wears out. In the digital world, we don’t need back-ups, because a digital copy never wears out. It is timeless.

(Backing up digital data is, of course, a necessary ritual of modern life. Who hasn’t lost digital data at some point?)

Interestingly, in the recent interview, unlike the 2003 one, Valenti shows a blind faith in DRM technology:

I really do believe we can stuff enough algorithms in a movie that only the dedicated hackers can spend the time and effort to try to plumb through those 1,000 algorithms to try to find a way to beat it. In time, we’ll be able to do this, because I have great faith in the technological genius that’s out there.


We’re trying to put in place technological magic that can combat the technological magic that allows thievery. I hope that within a year the finest brains in the IT community will come up with this stuff. A lot of people are working on it—IBM, Microsoft and maybe 10 other companies, plus the universities of Caltech and MIT, to try to find the kind of security clothing that we need to put around our movies.

It may be possible to so infect a movie with some kind of circuitry that allows people to copy to their heart’s content, but the copied result would come out with decayed fidelity with respect to sound and color. Another would be to have some kind of design in a movie that would say, ‘copy never,’ ‘copy once.’

Even ignoring the technical non sequiturs (“stuff … algorithms into a movie”; “infect a movie with … circuitry”), this is wildly implausible. Nothing has happened to make the technical prospects for DRM (anti-copying) technology any less bleak.

We can only hope Valenti’s successor stops believing in “technological magic” and instead teaches the industry to accept technical reality. File sharing cannot be wished away. The industry needs to figure out how to deal with it.


Absentee Voting No Panacea

Various groups that oppose paperless electronic voting have recommended an alternative: if you really want to be sure your vote is counted, vote absentee. Having studied e-voting, and living in a county with paperless e-voting, I sympathize with the desire for an alternative. But it should be noted that absentee voting offers iffy security as well.

The best alternative to risky e-voting, where feasible, is in-person voting with a paper ballot. This allows the main election safeguard, which is the presence of observers from diverse political parties, to operate: the observers can watch the voter check-in process, watch the ballot boxes, and watch the counting of ballots.

With absentee voting, by contrast, the distribution, validation, custody, and counting of ballots are generally less transparent. You’re pretty much stuck trusting the county clerk and his/her staff. I don’t want to cast aspersions on the virtue of any particular county clerk; but I hope you’ll agree that a more transparent system is better.

Absentee balloting also weakens the secret-ballot guarantee, which requires that nobody can verify how another person voted. This is an important safeguard against vote-buying and intimidation, as it frustrates the vote-buyer’s or intimidator’s ability to know that he got his way. Absentee voting allows the voter to prove to somebody else (say an employer, union boss, or abusive spouse) that the vote was cast a particular way. That’s a serious drawback.

Now it may be that you don’t want to sell your vote, you don’t fear intimidation, and you trust your county clerk. For you, absentee voting might be the best available substitute for e-voting in person. But encouraging widespread absentee voting is not a good public policy response to the e-voting problem.


NYT Chimes in on the Real/Apple Issue

Today’s New York Times contains an odd unsigned editorial commenting on the recent dispute between Real and Apple. The piece tries to take Apple’s side, but can’t really find a good reason to do so. In the end, it reaches the unsurprising conclusion that Real is trying to make money.

The piece seems to misunderstand the law.

In late July, RealNetworks introduced a software called Harmony, which allows its music to be played on an iPod. In other words, RealNetworks mimics Apple’s software without licensing it. Litigation will surely ensue.

But mimicking the function of somebody else’s code, without copying the code itself, is perfectly legal, for good policy reasons.

In the end, the piece accuses Real of making truthful but self-serving statements:

It would be better for consumers if Apple began licensing its digital rights management software, only because the iTunes Music Store will not be able to lock up access to all the copyrighted music in the world. But RealNetworks’ contention that Apple is stifling freedom of choice is self-serving.

In other words, Real is right, but they chose to speak the truth, rather than remaining silent, for self-serving reasons. It seems odd, to me at least, to criticize a corporation, which after all is a profit-seeking entity, for trying to maximize its profit while respecting the ethical requirement to tell the truth.

It looks to me like both Real and Apple are behaving rationally within the rules, at least so far. I don’t understand why Mac chauvinists feel a need to take sides on this issue. Real and Apple are competing, and consumers benefit from competition.


Nurturing Innovation (II)

Yesterday, following Tim Wu, I wrote about the use of “innovation” as a slogan by advocates of the freedom to tinker. Today I want to probe further the rhetoric of “innovation” as used in public policy debates.

True innovation occurs in both high-tech and low-tech settings, and it is practiced by everyone: large companies, small companies, other organizations, and individuals. Yet sometimes the term “innovation” is coopted, to stand only for product development by big companies. This is what Microsoft meant with their “Freedom to Innovate” slogan during the antitrust case, and it’s what VeriSign means when they call their troublesome SiteFinder product an innovation.

This narrow view of innovation is especially common in Washington lobbying, where big companies often have disproportionate influence. Yet many of the most important innovations don’t involve big companies, at least not at first.

Consider Tim Wu’s example of Internet email. When email was new, nobody thought it would ever make anyone rich. There was no business model anywhere in sight. If “innovation” means commercial development, then email was not an “innovation” in the 1970s, and a pro-“innovation” policy process would have been indifferent to it.

That’s one of the reasons I like “tinkering” rather than “innovation” as a buzzword. Nobody expects tinkering to have a short-run payoff, but a pro-tinkering policy will allow sleeper technologies like email to be born and to incubate until the commercial world is ready for them.


Nurturing Innovation

Tim Wu, near the end of his stint as guest-blogger at Larry Lessig’s site, offered a typically thoughtful entry, entitled “Who Cares About Innovation?”. The gist was that although “innovation” is the mantra of anti-regulation technologists, it may not be clear to the average person what good innovation does. Here’s a sample:

Consider a question that professor Brett Fischman asks his class about the internet, the central monument for innovationists: “What actually makes the Internet valuable to society?”

This question stopped me for awhile. Measured in social value, surely some of the oldest applications, like email, relatively untouched by innovation, produce most of the network’s present social value. Sure, I think VoIP over powerlines would be pretty cool (thanks Adam Thierer). But compared to finding old friends, staying in touch, and everything else that email does, there is no serious comparison. Logic like this suggests that faith in innovation is a faith out of touch with human ends. Perhaps making what is obviously useful – like email – reach more people is more important than constantly reinventing, redestroying, or finally writing the perfect debugger.

I do think the criticisms can be rebutted. Email, after all, was an invention, and required the right environment for it to come about. Innovationists don’t always think about nothing else. But those who share a faith in the importance of innovation should be sure that what we fight hardest for is not just the abstract beauty of new technologies, but ideals that actually have some connection to human ends.

Tim has a point here, but I worry more about the opposite error, in which we don’t bother to protect an innovation because we can’t see an immediate use for it.

Internet email was invented in 1971. Back then, could you have found even one single person in Washington who would point to this fledgling technology as one day being important to the average American? No way – anybody who said that would have been dismissed as a nut. Even two decades later, very few policymakers recognized the eventual importance of email.

Often, we seem to be drifting toward a rule in which new technologies are, by default, banned, unless some functionary can be convinced that they have merit. That’s a dangerous rule, not least because we may never know which potentially world-changing technology was snuffed out at birth.


Paper Trail Allows Venezuela Recount

On August 15, Venezuelans voted in a national referendum on whether to remove President Hugo Chavez. The (Chavez-run) government announced afterward that 58% had voted to keep Chavez in office. The opposition claimed fraud.

The election was held on electronic voting machines. Fortunately, the machines generated a voter-verified paper trail, so that there was some hope of recounting the ballots. Without a paper trail there could have been no recount, and Venezuelans would have had to take the result on faith, or reject it. With a paper trail, there is at least some evidence of how the votes were cast.

What evidence is there for fraud? The opposition says that the election results were inconsistent with exit polling, which they say went 58-42 in the other direction. That’s a big enough swing to raise eyebrows, but it’s hard to evaluate the accuracy of the exit polls based on the information available to me.

The opposition’s other claim is that the voting machines were programmed to cap the number of yes votes (i.e., anti-Chavez votes) recorded on each voting machine. In support of this, the opposition points to the data on machine-by-machine voting results, arguing that machines in the same polling place recorded the exact same number of yes votes too often, that is, more often than would have occurred by chance. That’s a claim that is amenable to statistical analysis. I’ll evaluate it in a future entry.
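The kind of calculation this claim calls for, as an added sketch (not the author's analysis, which the post defers to a future entry): for each polling place, compute the chance that honest machines tie on the yes count, then ask how surprising the observed number of ties is. The data is constructed, and the model assumes independent voters, the same number of voters on every machine in a place, and a yes share estimated per polling place.

```python
from math import exp, lgamma, log

def binom_pmf(n, p):
    """P(X = k) for k = 0..n with X ~ Binomial(n, p), computed in log space."""
    return [exp(lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
                + k * log(p) + (n - k) * log(1 - p)) for k in range(n + 1)]

def tie_probability(n_voters, p_yes, machines):
    """Chance that at least two of 2 or 3 independent machines in one polling
    place record exactly the same yes count, if nothing is rigged."""
    pmf = binom_pmf(n_voters, p_yes)
    s2 = sum(q * q for q in pmf)            # two given machines agree
    if machines == 2:
        return s2
    if machines == 3:
        s3 = sum(q ** 3 for q in pmf)       # all three agree
        return 3 * s2 - 2 * s3              # inclusion-exclusion over 3 pairs
    raise ValueError("this sketch handles 2 or 3 machines per polling place")

def tail_probability(tie_probs, observed):
    """P(at least `observed` polling places show a tie), where place i ties
    with probability tie_probs[i] independently (exact Poisson-binomial DP)."""
    dist = [1.0]                            # dist[t] = P(t ties so far)
    for q in tie_probs:
        nxt = [0.0] * (len(dist) + 1)
        for t, mass in enumerate(dist):
            nxt[t] += mass * (1 - q)
            nxt[t + 1] += mass * q
        dist = nxt
    return sum(dist[observed:])

def analyse(places):
    """places: list of (voters_per_machine, [yes count per machine]).
    Returns (observed ties, expected ties, p-value under the honest model)."""
    probs, ties = [], 0
    for n, yes in places:
        p_hat = sum(yes) / (n * len(yes))   # assumes 0 < yes share < 1
        probs.append(tie_probability(n, p_hat, len(yes)))
        ties += int(len(set(yes)) < len(yes))
    return ties, sum(probs), tail_probability(probs, ties)

# Constructed sample data, not real referendum results.
SAMPLE = [(400, [168, 171, 168]), (400, [201, 187]), (400, [150, 150, 163]),
          (400, [222, 240, 231]), (400, [175, 175]), (400, [190, 204, 198])]

if __name__ == "__main__":
    ties, expected, p_value = analyse(SAMPLE)
    print(f"observed ties={ties}, expected={expected:.2f}, p-value={p_value:.4f}")
```

A small p-value says only that the honest model fits badly; unequal machine loads or a misestimated yes share can also produce it, so the per-place inputs matter as much as the arithmetic.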


Grokster Wins in Appeals Court

The 9th Circuit Court of Appeals ruled today that Grokster (along with other vendors of decentralized P2P systems) is not liable for the copyright infringement of its users. Today’s decision upholds a lower court decision, which had been appealed by a group of music and movie companies.

The Court largely accepted Grokster’s arguments, finding that although the vast majority of Grokster users are infringers, Grokster itself cannot be held liable for that infringement.

The Court found Grokster not liable for contributory infringement, because Grokster did not have the necessary knowledge of specific infringement. In light of the Supreme Court’s 1984 Sony Betamax decision, as elaborated in this appeals court’s Napster decision, the court first determined that Grokster’s software has substantial commercially significant uses other than infringement. As a result, contributory infringement would have required that Grokster have knowledge of specific acts of infringement, at a time when Grokster could take action to stop those acts. But Grokster simply distributes its product to consumers, and has no knowledge of how any particular customer uses the product later. If copyright owners tell Grokster about an act of infringement, after that act has already happened, that is not actionable knowledge because it is too late to stop the infringement.

The court also held Grokster not liable for vicarious infringement, because Grokster does not have the right and ability to control its customers’ infringing activity. Grokster has no practical way to kick users off the system or to police the system’s use. The court also ruled that Grokster cannot be required to redesign its software and force its customers to update to the redesigned version.

The money quote comes near the end of the opinion:

As to the issue at hand, the district court’s grant of partial summary judgment … is clearly dictated by applicable precedent. The Copyright Owners urge a re-examination of the law in light of what they believe to be proper public policy, expanding exponentially the reach of the doctrines of contributory and vicarious copyright infringement. Not only would such a renovation conflict with binding precedent, it would be unwise. Doubtless, taking that step would satisfy the Copyright Owners’ immediate economic aims. However, it would also alter general copyright law in profound ways with unknown ultimate consequences outside the present context.

Further, as we have observed, we live in a quicksilver technological environment with courts ill-suited to fix the flow of internet innovation. The introduction of new technology is always disruptive to old markets, and particularly to those copyright owners whose works are sold through well-established distribution mechanisms. Yet, history has shown that time and market forces often provide equilibrium in balancing interests, whether the new technology be a player piano, a copier, a tape recorder, a video recorder, a personal computer, a karaoke machine, or an MP3 player. Thus, it is prudent for courts to exercise caution before restructuring liability theories for the purpose of addressing specific market abuses, despite their apparent present magnitude.


Report from Crypto 2004

Here’s the summary of events from last night’s work-in-progress session at the Crypto conference. [See previous entries for backstory.] (I’ve reordered the sequence of presentations to simplify the explanation.)

Antoine Joux re-announced the collision he had found in SHA-0.

One of the Chinese authors (Wang, Feng, Lai, and Yu) reported a family of collisions in MD5 (fixing the previous bug in their analysis), and also reported that their method can efficiently (2^40 hash steps) find a collision in SHA-0. This speaker received a standing ovation, from at least part of the audience, at the end of her talk.

Eli Biham announced new results in cryptanalyzing SHA-1, including a collision in a reduced-round version of SHA-1. The full SHA-1 algorithm does 80 rounds of scrambling. At present, Biham and Chen can break versions of SHA-1 that use up to about 40 rounds, and they seem confident that their attacks can be extended to more rounds. This is a significant advance, but it’s well short of the dramatic full break that was rumored.

Where does this leave us? MD5 is fatally wounded; its use will be phased out. SHA-1 is still alive but the vultures are circling. A gradual transition away from SHA-1 will now start. The first stage will be a debate about alternatives, leading (I hope) to a consensus among practicing cryptographers about what the substitute will be.


SHA-1 Break Rumor Update

Tonight is the “rump session” at the Crypto conference, where researchers can give informal short presentations on up-to-the-minute results.

Biham and Chen have a presentation scheduled, entitled “New Results on SHA-0 and SHA-1”. If there’s an SHA-1 collision announced, they’ll probably be the ones to do it.

Antoine Joux will present his SHA-0 collision. Also the authors of the slightly flawed paper claiming an MD5 collision have a presentation; it seems likely they’ll announce that they’ve fixed their bug and have a collision in MD5.

Each group has been given fifteen minutes, which is a significant departure from the normal five minutes allocated for rump session talks.

The session is tonight; I’ll give you an update as soon as I hear what happened. It will be webcast at 7PM Pacific time, tonight.

I wish I could be there, but I’m on the wrong coast. Anybody who is at Crypto is invited to post updates in the comments section of this post.


MD5 Collision Nearly Found

Following up on yesterday’s discussion about new attacks on cryptographic hash functions, Eric Rescorla points to a new paper from Chinese computer scientists, which claims to have found a collision in MD5. MD5 is a cousin of the SHA-1 function discussed yesterday; MD5 is believed to be the weaker of the two.

The paper is odd, in that it includes two values that it claims have the same MD5 value, but it doesn’t explain how the claimed collision was generated. And it turns out that the authors made an error, so that the two values don’t in fact generate the same MD5 value. Eric and the commenters on his site did some clever detective work to determine that the two published values generate a collision for a slightly different function, which Eric dubbed MD5′. MD5′ is very similar to MD5 so it seems very likely that the new attack can be extended to the real MD5.