November 27, 2024

Colorado Governor Vetoes Super-DMCA

Colorado governor Bill Owens has taken the Rocky Mountain News’ advice and vetoed his state’s Super-DMCA bill. Linda Seebach writes:

In his veto message [Owens] said the bill “could also stifle legal activity by entities all along the high tech spectrum, from manufacturers of communication parts to sellers of communication services.”

He urges the legislature, if it returns to this topic in the next session, “to be more careful in drafting a bill that adds protections that are rightfully needed, but does not paint a broad brush stroke where only a tight line is needed.”

Self-Destructing DVDs

Last week a company called FlexPlay announced Self-Destructing DVDs (SD-DVDs), which oxidize themselves – and so become unplayable – 48 hours after removal from their package. (The official name is, amusingly, “EZ-D”.) The idea is to provide the equivalent of a rental, while saving the consumer the trouble of returning the disk to the rental store afterwards.

This is an interesting kind of Digital Restrictions Management (DRM). Unlike most uses of DRM, this one does nothing to prevent copying or access to the disk. Consumers will be able to copy these DVDs as easily as any other DVDs. (Copying DVDs is often illegal, but many consumers are apparently willing to do it anyway.) SD-DVDs don’t do anything to make copying harder, and in fact their limited lifetime may create a new incentive to copy. While the use of DRM to (try to) control copying and access has gotten lots of attention, SD-DVDs are a nice illustration of the use of DRM to enable business models.

SD-DVDs may be a convenience for DVD-rental customers, but I doubt they will catch on, because consumers will find them offensive. Consumers hate planned obsolescence. The idea that a company would deliberately make a product worse, or make it wear out sooner than necessary, offends their sense of fairness. If Universal can press a regular DVD for one dollar, then why, ordinary consumers will ask, would they spend the same dollar to make a product that breaks? Fancy-pants economic arguments about efficiency and market segmentation won’t overcome this basic sense of unfairness.

Worse yet (and despite a claim to the contrary in FlexPlay’s press release), the nature of a chemical process like oxidation seems to imply that the disk’s decay will be gradual. Since DVDs use error correction, FlexPlay’s engineers can make the disk reliable for any desired period; but after that there will be an inevitable period of intermittent glitches as the disk gets worse and worse, until it becomes unusable. Seeing the decay, even if it lasts only for a short time, will only make consumers angrier.

The underlying problem is that because SD-DVDs will be sold for less than ordinary DVDs, they will draw consumers’ attention to the fact that ordinary DVDs are priced well above the marginal cost of producing them. That seems unfair to many consumers.

At this point, readers who are armchair economists (or real ones, for that matter) are raising their hands and bouncing in their seats, eager to point out that marginal-cost pricing isn’t sustainable in the movie business, given the high fixed cost of making a movie and the very low marginal cost of distributing a copy of it. That’s true, but I think consumers’ sense of fairness is based on a different kind of market in which variable costs of production dominate fixed costs.

As long as it seemed inherently expensive to manufacture and distribute a copy of a recorded movie, consumers tended not to notice that the copy was priced above marginal cost. As marginal cost approaches zero, the gap between marginal cost and price becomes much more apparent, and consumers increasingly conclude that the studios are ripping them off.

I see this as a big problem for the studios. The last thing they should want, at this point is to introduce a product like the Self-Destructing DVD that heightens consumers’ sensitivity to “unfair” pricing.

UPDATE (12:25 PM): Eric Rescorla has an interesting follow-up about consumer psychology. He also points out, in a separate post, that it is possible, at least in theory, to make an SD-DVD that fails cleanly and suddenly, rather than gradually.

NYT and Google

Sunday’s New York Times ran a piece by Geoffrey Nunberg complaining about (among other things) the relative absence of major-press articles from the top ranks of Google search results. This has triggered online discussion of why the Times itself doesn’t get much Googlejuice. Speculation has centered on the fact that Times articles get moved to a pay-for-access archive.

The real explanation is simpler : The Times forbids Google to index its site.

There’s a web standard that allows sites to declare a web-crawler program persona non grata. A file called “robots.txt” gives a set of rules, written in a standardized language, saying which automated programs have permission to access which parts of the site. The Times’ robots.txt file forbids all web-crawler programs to visit the parts of the Times site where the articles are. Google’s policy is to honor the requests in robots.txt files; that’s why Times stories don’t show up on Google.

A Challenging Response to Challenge-Response

One of the trendy ideas these days is challenge-response (CR) anti-spam technologies. The idea is simple: incoming email is intercepted before you see it, and a “challenge” email is returned to the sender. If the sender replies to the challenge message, then the original message is forwarded on to you; otherwise it is discarded. The idea is to require some kind of human involvement in the sending of each message. Sometimes the sender has to answer some kind of puzzle that is supposed to be easy for people but hard for computers.

Whenever we analyze a security technology – and that is what CR is – we need to look not only at the immediate effect of the technology, but also at how people will adapt to it. We need to look especially at how the bad guys will adapt. Will they adjust their attack strategy to defeat the new defense? Will the new defense create new opportunities for malicious attacks? Will the technology lead to an arms race between defenders and attackers? If so, can we predict the outcome of the arms race?

CR stands up poorly to this kind of analysis. To see why, suppose that Alice sends an email to Bob, and Bob is using CR. Bob’s computer sends a challenge message back to Alice and awaits her response. This challenge message had better get through to Alice; if it doesn’t, the whole scheme breaks down. If Alice is using anti-spam technology that blocks the challenge message, then she’ll never see the challenge – her original message won’t get through to Bob, and she won’t know what went wrong.

We can fix this problem by making sure that Alice’s anti-spam technology has a loophole for challenge messages, to make sure they are never blocked. (Note that although Bob is the one using CR, it is Alice who has to create the loophole.) If CR is going to succeed, most of the Alices out there will have to open the loophole. Messages with certain “challenge-ish” attributes will be mostly immune from spam controls.

At this point, the bad guys’ response is obvious: create spam that can exploit the loophole, spam that looks like a challenge message. If they can do this, then CR will have made things worse – spam will pour in through the loophole.

We might try to solve this problem by narrowing the loophole, requiring the challenge messages to be so narrowly stylized that they cannot carry a spam. This too creates an opportunity for the spammers. If the challenges are so predictable, then the spammers will be able to develop computer programs that spot the challenges and auto-send the required responses. If they can do this, then the spammers can just add automated CR responses to their automated email-sending software, and continue to pollute our inboxes.

Given all of this, I’m skeptical of CR as a response to email. If you’re the first on your block to adopt CR, and if nobody else uses anti-spam technology, then CR might provide you some modest benefit. But it’s hard to see how CR can be widely successful in a world where most people use some kind of spam defense.

Kerr on Cybercrime Laws

Orin Kerr has written an.interesting paper, “Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes,” in which he argues for a new way of understanding the prohibition, in the Computer Fraud and Abuse Act (CFAA) and other laws, on “access … without authorization” to a computer. It’s a long, dense law review article, but it’s definitely worth reading if you are interested in cybercrime law.

Both “access” and “authorization” turn out to be harder to interpret than one might think. Kerr argues convincingly that courts have interpreted these words inconsistently, and that the trend has been toward an overly broad interpretation that would effectively criminalize any violation of the Terms of Use of any online service. While such violations may be breaches of contract subject to civil lawsuit, it is unwise to criminalize every breach of contract. Criminal law is a sharp tool to be used only when necessary.

While he would narrow the interpretation of the CFAA, Kerr would not eliminate the CFAA entirely. He provides two main examples of the kind of acts he would still criminalize. The first example involves stealing or guessing a password to gain access to a password-protected service running on somebody else’s computer. More generally, he would ban any circumvention of an authentication mechanism used to control access to somebody else’s computer. The second example involves computer attacks that exploit a program bug (such as a buffer overflow) to seize control of a program running on somebody else’s computer.

Thus far, I was reasonably convinced by Kerr’s arguments. But now we come to the part that I found harder to swallow, in which he argues that “courts …should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges.”

Talk of banning “circumvention” may raise ugly comparisons to the DMCA, but that’s a red herring. Kerr makes clear that he is talking only about code-based restrictions on access to other people’s computers. The egregious aspects of the DMCA, by contrast, are, first, that it allows someone to lock you out of parts of your own computer, and second, that it includes a broad ban on certain technologies. Kerr’s proposal suffers from neither of these flaws. While enshrining “circumvention” as a central concept in cybercrime law might be inconvenient rhetorically for DMCA opponents, it’s no problem substantively.

My skepticism about Kerr’s formulation is based instead on two issues. First, I suspect that “circumvention” may turn out to be just as slippery a term as “authorization.” Password-guessing is clearly circumvention, but that’s an easy case. When the facts are more complicated, judges will have a harder time figuring out what is circumvention and what is just clever action.

Here’s an example. Suppose you lock the front door of your house. If I pick the lock, that’s circumvention. But suppose I enter through the back door. Have I circumvented the front door lock? What if I crawl in an open window next to the front door? Is that a circumvention? “Circumvention,” like “authorization,”ends up entangled in a subtle calculus of expectations and social norms.

Kerr’s example of a buffer-overflow attack illustrates another problem with “circumvention.” Suppose that a bad guy sends your computer a sort of “ping of death” packet, and that because of a bug in your operating system, this packet allows him to seize control of your computer. What exactly is the “code-based restriction” that he has circumvented? You could argue that he has circumvented the absence of a method for controlling your machine from afar; but it seems like a stretch to claim that that absence is a “code-based restriction.”

What really happened in this example is that the bad guy exploited a difference between the way you thought your system worked, and the way it actually did work. This is a useful distinction that courts have recognized (as Kerr notes), but it doesn’t seem to fit neatly within Kerr’s framework.

My second objection to Kerr’s conclusion is more fundamental. Kerr’s strong argument for carefully tailored cybercrime law compels him to justify having a broader “circumvention” ban rather than a set of more narrow bans on specific actions, such as circumvention of certain authentication features. He does offer some justification, but I am not yet convinced. (It’s also worth noting that Kerr’s approach may be expedient, even if it’s not the best possible solution from a purely theoretical standpoint. For example, it may be easier to convince courts to adopt a “circumvention” interpretation of the CFAA than it would be to get either courts or Congress to rewrite cybercrime law around a family of narrower prohibitions.)

Finally, Kerr’s paper is a valuable reminder of how much we rely on the discretion of prosecutors and judges to make cybercrime law work. So far, this discretion has moderated the defects in current law, but that’s no excuse for complacency. We need to talk about what the law should be. Kerr’s paper is a valuable contribution to that discussion.