November 28, 2024

NIST Recommends Not Certifying Paperless Voting Machines

In an important development in e-voting policy, NIST has issued a report recommending that the next-generation federal voting-machine standards be written to prevent (re-)certification of today’s paperless e-voting systems. (NIST is the National Institute of Standards and Technology, a government agency, previously called the National Bureau of Standards, that is a leading source of independent technology expertise in the U.S. government.) The report is a recommendation to another government body, the Technical Guidelines Development Committee (TGDC), which is drafting the 2007 federal voting-machine standards. The new report is notable for its direct tone and unequivocal recommendation against unverifiable paperless voting systems, and for being a recommendation of NIST itself and not just of the report’s individual authors.

[UPDATE (Dec. 2): NIST has now modified the document’s text, for example by removing the “NIST recommends…” language in some places and adding a preface saying it is only a discussion draft.]

The key concept in the report is software independence.

A voting system is software-independent if a previously undetected change or error in its software cannot cause an undetectable change or error in an election outcome. In other words, it can be positively determined whether the voting system’s (typically, electronic) CVRs [cast-vote records] are accurate as cast by the voter or in error.

This gets to the heart of the problem with paperless voting: we can’t be sure the software in the machines on election day will work as expected. It’s difficult to tell for sure which software is present, and even if we do know which software is there we cannot be sure it will behave correctly. Today’s paperless e-voting systems (known as DREs) are not software-independent.

NIST does not know how to write testable requirements to make DREs secure, and NIST’s recommendation to the STS [a subcommittee of the TGDC] is that the DRE in practical terms cannot be made secure. Consequently, NIST and the STS recommend that [the 2007 federal voting standard] should require voting systems to be [software independent].

In other words, NIST recommends that the 2007 standard should be written to exclude DREs.

Though the software-independence requirement and condemnation of DREs as unsecurable will rightly get most of the attention, the report makes three other good recommendations. First, attention should be paid to improving the usability and accessibility of voting systems that use paper. Second, the 2007 standard should include high-level discussion of new approaches to software independence, such as fancy cryptographic methods. Third, more research is needed to develop new kinds of voting technologies, with special attention paid to improving usability.

Years from now, when we look back on the recent DRE fad with what-were-we-thinking hindsight, we’ll see this NIST report as a turning point.

Duck Amuck and the Takedown Gun

I wrote last week (1, 2) about the CopyBot tool in Second Life, which can make an exact lookalike copy of any object, and the efforts of users to contain CopyBot’s social and economic effects. Attempts to stop CopyBot by technology will ultimately fail – in a virtual world, anything visible is copyable – so attention will turn, inevitably, to legal tactics.

One such tactic is the DMCA takedown notice. Second Life lets users keep the copyright in virtual objects they create, so the creator of a virtual object has a legal right to stop others from copying it (with standard exceptions such as fair use). The Digital Millennium Copyright Act (DMCA), among its other provisions, exempts service providers such as Second Life from liability for copyrighted stuff posted by users, provided that Second Life implements the DMCA’s notice and takedown procedure. Under this procedure, if you see an infringing copy of your material on Second Life, you can send a notice containing certain information to Second Life, and they have to respond by taking down the accused material. (For further details consult your neighborhood copyright lawyer.)

Let’s apply this to a specific example. Alice designs a spiffy new hot air balloon that everyone covets. Bob uses CopyBot to make his own replica of the balloon, which he starts riding around the skies. Alice discovers this and sends a takedown notice to Second Life. Bob’s balloon is then “taken down” – it disappears from the world, as in the classic cartoon Duck Amuck, where the animator’s eraser plays havoc with Daffy Duck’s world.

But surely Bob isn’t the only one riding in a copied balloon. Others may have CopyBotted their own balloons or bought a balloon copy from Bob. It’s tedious for Alice to write and send a takedown notice every time she sees a copied balloon.

What Alice needs is a takedown gun. When she sees an infringing balloon, she just points the takedown gun at it and pulls the trigger. The takedown gun does the rest, gathering the necessary information and sending a takedown notice, dooming the targeted balloon to eventual destruction. It’s perfectly feasible to create a takedown gun, thanks to Second Life’s rich tools for object creation. It’s a gun that shoots law rather than bullets.

For extra style points, Alice can program the gun so that it refuses to shoot at balloons that she herself built. To do this, she programs the gun, before it fires, to issue a cryptographic challenge to the balloon. Authorized balloons will know a secret key that allows them to respond correctly to the challenge. But unauthorized copies of the balloon won’t know the key, because the key is built into the object’s scripted behavior, which CopyBot can’t duplicate. (Exercise for computer security students: how exactly would this protocol work?)
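One way the challenge-response check described above could work, as an added example that is not part of the original post. It assumes HMAC-SHA256 with a symmetric key shared by the gun and the authorized balloons' scripts; the class names, object IDs and key are hypothetical, and Python stands in for Second Life's own scripting language.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample key for this example only.
ALICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def make_response(key: bytes, nonce: bytes, object_id: str) -> bytes:
    # The MAC covers the nonce and the responder's own ID, so a response
    # is valid for exactly one challenge and exactly one object.
    return hmac.new(key, nonce + object_id.encode(), hashlib.sha256).digest()


def verify(key: bytes, nonce: bytes, object_id: str, response: bytes) -> bool:
    expected = make_response(key, nonce, object_id)
    return hmac.compare_digest(response, expected)  # constant-time comparison


class Balloon:
    """A balloon; script_key=None models a copy whose script was not duplicated."""

    def __init__(self, object_id: str, script_key: Optional[bytes]):
        self.object_id = object_id
        self._key = script_key

    def respond(self, nonce: bytes) -> bytes:
        if self._key is None:
            return b""  # no script, so no way to answer the challenge
        return make_response(self._key, nonce, self.object_id)


class TakedownGun:
    def __init__(self, key: bytes):
        self._key = key

    def should_fire(self, target: Balloon) -> bool:
        # A fresh random nonce per challenge means a recorded response
        # from an earlier exchange is useless later.
        nonce = secrets.token_bytes(16)
        response = target.respond(nonce)
        return not verify(self._key, nonce, target.object_id, response)
```

The key never crosses the wire; only the nonce and the MAC do, so observing an exchange does not let a bystander answer the next challenge.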

But of course there is a small problem with abuse of takedown guns. To send a takedown notice, the law says you must be (or represent) the copyright owner and you must have a good faith belief that the targeted object is infringing. Alice might be careful to shoot the gun only at objects that appear to infringe her copyright; but others might not be so careful. Indiscriminate use of a takedown gun will get you in legal trouble for sending bogus takedown notices.

Initially, the management at Second Life pointed to takedown notices as a response to CopyBot-based infringement. More recently, they have shifted their position a bit, saying that infringement violates their Terms of Use and threatening to expel violators from Second Life. They still face the same problem, though. Presumably their enforcement actions will be driven by user complaints, which motivates Alice to make a complaint gun.

As the music industry has learned, when copying is easy, laws against copying are very hard to enforce.

DMCA Exemptions Granted

Last Wednesday afternoon the U.S. Copyright Office released its list of DMCA exemptions for the next three years. The timing is interesting: releasing news in the afternoon of the day before Thanksgiving is a near-optimal strategy if you want that news to escape notice and coverage in the U.S.

The purpose of these exemptions is to prevent harm to the public from overbreadth of the DMCA’s prohibition on circumventing technologies that control access to copyrighted works. Exemptions last three years.

The good news is that six exemptions were granted, the most ever:

  • Professors can make compilations of film and video material for research or teaching.
  • Archivists can preserve copies of old programs and computer games.
  • Anyone can work around broken hardware “dongles” that prevent access to software programs.
  • Blind people can use software to have e-books read aloud.
  • Wireless phone customers can switch their phones to a different wireless provider.
  • Anyone can study, test, or remove malware distributed on CDs.

(These are summaries; the exact scope of each exemption is detailed in the original document.)

I’m particularly happy about the last exemption, which was requested by Alex Halderman and me, with lots of help from Deirdre Mulligan and Aaron Perzanowski. The exemption is narrower than I would have liked – plenty of valuable research still raises legal issues – but it’s good to see official recognition that the DMCA has harmed research.

The not-so-good news is in some of the exemptions that were not granted. The exemption for censorware research was not renewed, mostly because its most effective advocates, such as Seth Finkelstein, got tired of re-requesting it. (Even if nothing has changed, each exemption must be re-requested every three years through the same bureaucratic process – one example of how the playing field is tilted against exemptions.)

Also, exemptions for space-shifting (e.g. downloading content into portable players like iPods) and backing up digital media were denied. As usual, the Copyright Office pretended not to know what everybody else seems to know, e.g. that digital media are fragile and need to be backed up.

On the other hand, they did seem to recognize the DMCA’s harm to public discourse. The exemptions for film scholarship, archiving, access by the blind, and malware research all address harms to public debate caused by the DMCA. Fair use is sometimes broken down into two categories: transformative uses such as scholarship, research and parody; and personal uses such as time-shifting and space-shifting. The Copyright Office now seems to recognize that the DMCA is harming transformative use.

But what they don’t yet see, apparently, is the harm to personal use – hence the denial of the space-shifting and backup requests. Worse yet, they didn’t even acknowledge that these personal uses are lawful in the first place. In short, the Copyright Office still isn’t willing to grapple with the issues of most direct interest to the public. Maybe they’ll catch on three years from now, or six. Or maybe the new Congress will act sooner and reform the DMCA.

(Derek Slater has a nice summary of some other commentary.)

Will It Copy?

In the spirit of the cult “Will It Blend?” videos, today’s question on Freedom to Tinker is “Will It Copy?” As we saw with the CopyBot in Second Life, when something becomes easily copyable, the economics of its production change: users benefit more from already-existing objects, but the incentive to make new objects decreases.

This is exactly what happened to the music industry when computers and the Internet suddenly made small files, including digitized music, easily copyable. In the case of music, we know that the business is changing, but we don’t know yet what will be the net effect on the availability of good music.

Like the music business, the software business is challenged by cheap copying. If you make software that runs on users’ computers, your software will be copied by at least some users. By contrast, if you provide an interactive service, delivered across the net but implemented on your own servers – a search engine, perhaps – then your product can’t be trivially copied. You have an inherent advantage over the sellers of packaged software.

A similar story holds for the Second Life CopyBot. Objects in Second Life can be described by shape, coloration, and behavior. Shape and coloration are duplicated perfectly by the CopyBot, but behavior (the script code describing what the object does) is not. So if your business makes beautiful but passive objects – clothing, perhaps – your objects can be copied perfectly and you have a problem. But if you make functional objects – a magic wand that does tricks in response to voice commands, perhaps – then the CopyBot won’t affect you much.

Second Life users are reportedly fighting back by building anti-CopyBot technologies, but this is ultimately futile. As long as shape and coloration are visible, it will be possible to observe and copy them. It will be easier to build a three-dimensional scanner-copier in Second Life than in real life. Copying of beautiful, nonfunctional objects will remain possible.

Eventually, this will happen in real life too. Tools for analyzing and replicating real objects will get better and better; knockoffs will get closer and closer to the real thing; and the time window when only the original is available will get shorter and shorter. Today, fashion flourishes despite relatively free copying. Indeed, some argue that the high-fashion world is so dynamic because of copying – always moving, to stay ahead of the masses. So it’s not a given that the fashion world will dry up, in real life or Second Life, if copying gets faster and more accurate.

Part of the fun of “Will It Blend?” is that the answer is almost always “yes”. Increasingly, the answer to “Will It Copy?” will be the same.

CopyBot Roils SecondLife Economy

Here’s one from the It-Was-Only-a-Matter-of-Time file. Somebody in SecondLife, a popular multiplayer virtual world, created a gadget called the CopyBot, which can make a perfect copy of any object in the SecondLife world. (Here’s a Reuters story.) This raises some interesting technical issues, but I want to focus today on how it affects SecondLife’s economy.

If you’re not familiar with virtual worlds, you might think the word “economy” is a stretch. But really it’s not. SecondLife has about 1.5 million residents. Residents are given a sophisticated toolset they can use to design complex objects, specifying the objects’ shape, appearance, and behavior. Objects can be sold for a currency called Linden Dollars. Linden Dollars are real money – they can be traded for U.S. dollars on currency exchange markets. Quite a few people make their living in SecondLife, running businesses that make Linden-Dollar profits, which are then cashed in for U.S. dollars. Most days, the SecondLife economy sees transactions worth a total of between $500,000 and $1,000,000 (real U.S. dollars). This is clearly a real economy.

To understand the possible impact of CopyBot, imagine such a thing existed in real life. Point this CopyGadget at any real-world object, push a button, and you get a perfect copy of that object. Want a new Lamborghini sportscar? Just find one in a parking lot and copy it. Like the lime sorbet at the local ice cream parlor? Buy a cup, take it home, and fill your freezer with copies. When you get down to the last cup in the freezer, just copy it again. You get the idea.

Needless to say, this would cause Big Trouble in the real-world economy. Lamborghini would have trouble selling cars. There would be no waiting at the ice cream parlor, even on the hottest summer night. Could these businesses survive? Could any business that provided goods survive?

A SecondLife business that designs and sells virtual objects faces the same challenge. If you design an object in SecondLife, the system lets you make copies of the object, but if you mark the object as uncopyable, the system won’t let other users copy it. So if you design a cool virtual widget, you can “manufacture” copies to sell to people, but your customers can’t re-copy the widgets they buy. Only you can make widgets, so people have to come to you to buy them. Like Lamborghinis and sorbet, manufactured virtual objects couldn’t easily be copied – until the CopyBot came along.

It’s too early to predict all of the impacts this will have. All we can say for sure is that it will be fascinating to watch. Already the story has several interesting facets, which I’ll write more about next week.