January 10, 2025

Posts Comments

Join Us at Princeton Tomorrow for "Copyright Cat-and-Mouse: New Developments in Online Enforcement"

March 12, 2012 by

Tomorrow afternoon, the Center for Information Technology Policy is hosting an event that looks at the state of online copyright enforcement and the policy perspectives of the parties involved. We’ve got a great lineup, with folks from the content industry, internet service providers, web companies, academics, and the press.

Date: Tuesday, March 13, 2012
Time: 1:00 PM – 5:00 PM
Location: The Friend Center, Princeton University, Convocation Room
hashtag: #copyrightcitp

This conference is free and open to the public. Please register here.

Copyright enforcement in the digital era has been an ongoing game of cat-and-mouse. As new technologies emerge for storing and transmitting creative works, content creators struggle to identify the best response. The content industry has employed different tactics over time — including technological copy protection, litigation against infringers, and collaboration with Internet Service Providers (ISPs). In August of 2011, some members of the content industry signed an historic Memorandum of Understanding (MOU) with some of the largest ISPs, agreeing to a “graduated response” system of policing. ISPs agreed to notify their subscribers if allegedly infringing activity was detected from their connection and, if infringement continued after multiple warnings, to impede access. Meanwhile, a wave of “copyright troll” litigation has continued to sweep the country and burden the courts. Use of takedown notices under the Digital Millenium Copyright Act has continued to evolve. This event will examine enforcement efforts to date, and debate the merits of the new private approach embodied in the MOU framework.

New York, New Jersey, and Pennsylvania CLE credit is available for attorneys who attend. (details)

Keynote: Technology and Trends (1:00 PM – 1:30 PM)

Mike Freedman, Assistant Professor in Computer Science, Princeton University

Panel 1: The Existing US Legal Landscape (1:30 PM – 3:00 PM)

Moderator: Bart Huffman, Locke Lord LLP

  • Preston Padden, Adjunct Professor at Colorado Law School and former Executive VP of Government Relations, The Walt Disney Company
  • Timothy B. Lee, Ars Technica
  • Randy Cadenhead, Privacy Counsel, Cox Communications Inc.
  • Katherine Oyama, Copyright Counsel, Google Inc.

Break (3:00 PM – 3:30 PM)

Panel 2: The 2011 Content-ISP MoU (3:30 PM – 5:00 PM)

Moderator: Stephen Schultze, Princeton CITP

  • Joe Karaganis, Vice President, the American Assembly, Columbia University
  • Keith Epstein, Associate General Counsel at AT&T
  • Annemarie Bridy, Fellow, Princeton CITP
  • Daniel M. Mandil, Senior Vice President, Associate General Counsel, Litigation, Viacom Inc.
Filed Under: Uncategorized Tagged With:

Don't Upset the Intellectual Property Fashion Police

March 6, 2012 by

A student group at the University of Pennsylvania Law School has put together a fantastic symposium on the state of fashion law, but along the way they (allegedly) snagged themselves on Louis Vuitton’s trademarks. After creating a poster with a creative parody of the Louis Vuitton logo, they received a Cease & Desist letter from the company’s attorneys claiming:

While every day Louis Vuitton knowingly faces the stark reality of battling and interdicting the proliferation of infringements of the LV Trademarks, I was dismayed to learn that the University of Pennsylvania Law School’s Penn Intellectual Property Group had misappropriated and modified the LV Trademarks and Toile Monogram as the background for its invitation and poster for the March 20, 2012 Annual Symposium on “IP Issues in Fashion Law.”

Ironically, the symposium aims to further education and understanding of the state of intellectual protection in the fashion industry, and to discuss controversial new proposals to expand the scope of protection, such as the proposed bill H.R. 2511, the “Innovative Design Protection and Piracy Prevention Act”.

The attorneys at Penn responded by letter, indicating that Louis Vuitton’s complaint failed any conceivable interpretation of trademark law — outlining the standard claims such as confusion, blurring, or tarnishment — and asserted the obvious defenses provided by law for noncommercial and educational fair use. It indicated that the general counsel had told the students to “make it work” with the unmodified version of the poster, and concluded by inviting Louis Vuitton attorneys to attend the symposium (presumably to learn a bit more about how trademark law actually works.)

I, for one, am offended that the Center for Information Technology Policy here at Princeton has not received any Cease & Desist letters accusing us of “egregious action [that] is not only a serious willful infringement” of fashion trademarks, but “may also may mislead others into thinking that this type of unlawful behavior is somehow ‘legal’ or constitutes ‘fair use’.” You see, our lecture this Thursday at 12:30pm at Princeton by Deven Desai, “An Information Approach to Trademarks”, has a poster that includes portions of registered fashion industry trademarks as well. Attorneys from Christian Dior and Ralph Lauren, we welcome you to attend our event.

Filed Under: Uncategorized Tagged With: ,

DHS OIG study of scanners silent on computer threats

March 4, 2012 by

The U.S. Department of Homeland Security Office of Inspector General (DHS OIG) released their report on safety of airport backscatter machines on February 29. The report has received criticism from ProPublica among others for what it says as well as what it doesn’t, mostly focusing on issues of incremental risk to the traveling public, the large number of repair services, and the lack of data analyzing whether the machines serve their claimed purpose. (The report does not address millimeter wave machines, which most scientists believe are safer.)

But what’s surprising in both the report and the critiques about it is that they have only discussed the radiation aspects when used as intended, and not the information systems embedded in the devices, or what happens if the scanners are used in unintended ways, as could happen with a computer system malfunction. Like any modern system, the scanners almost certainly have a plethora of computer systems, controlling the scanning beam, analysis of what the beam finds, etc. It’s pretty likely that there’s Windows and Linux systems embedded in the device, and it’s certain that the different parts of the device are networked together, for example so a technician in a separate room can see the images without seeing the person being scanned (as TSA has done to head off the complaints about invasion of privacy).

The computer systems are the parts that concern me the most. We should be considered about security, safety, and privacy with such complex systems. But the report doesn’t use the word “software” even once, and the word “computer” is used twice in reference to training but not to the devices themselves.

On the safety front, we know that improperly designed software/hardware interaction can lead to serious and even fatal results – Nancy Leveson’s report on the failure of the Therac-25 system should be required reading for anyone considering building a software-controlled radiation management system, or anyone assessing the safety of such a system. We can hope that the hardware design of the scanners is such that even malicious software would be unable to cause the kind of failures that occurred with the Therac-25, but the OIG report gives no indication whether that risk was considered.

On the security and privacy front, we know that the devices have software update capabilities – that became clear when they were “upgraded” to obscure the person’s face as a privacy measure, and future planned upgrades to provide only a body outline showing items of concern, rather than an actual image of the person. So what protections are in place to ensure that insiders or outsiders can’t install “custom” upgrades that leak images, or worse yet change the radiation characteristics of the machines? Consider the recent case of the Air Force drone control facility that was infected by malware, despite being a closed classified network – we should not assume that closed networks will remain closed, especially with the ease of carrying USB devices.

Since we know that the scanners include networks, what measures are in place to protect the networks, and to prevent their being attacked just like the networks used by government and private industry? Yes, it’s possible to build the devices as closed networks protected by encryption – and it’s also possible to accidentally or intentionally subvert those networks by connecting them up using wireless routers.

Yes, I know that the government has extensive processes in place to approve any computer systems, using a process known as Certification and Accreditation. Unfortunately, C&A processes tend to focus too much on the paperwork, and not enough on real-world threat assessments. And perhaps the C&A process used for the scanners really is good enough, but we just don’t know, and the OIG report by neglecting to discus the computer side of the scanners gives no reassurance.

Over the past few years, Stuxnet and research into embedded devices such as those used in cars and medical devices have taught us that embedded systems software can impact the real world in surprising ways. And with software controlled radiation devices potentially causing unseen damage, the risks to the traveling public are too great for the OIG to ignore this critical aspect of the machines.

Filed Under: Uncategorized Tagged With: , , , ,

The New Ambiguity of "Open Government"

February 29, 2012 by

David Robinson and I have just released a draft paper—The New Ambiguity of “Open Government”—that describes, and tries to help solve, a key problem in recent discussions around online transparency. As the paper explains, the phrase “open government” has become ambiguous in a way that makes life harder for both advocates and policymakers, by combining the politics of transparency with the technologies of open data. We propose using new terminology that is politically neutral: the word adaptable to describe desirable features of data (and the word inert to describe their absence), separately from descriptions of the governments that use these technologies.

Clearer language will serve everyone well, and we hope this paper will spark a conversation among those who focus on civic transparency and innovation. Thanks to Justin Grimes and Josh Tauberer, for their helpful insight and discussions as we drafted this paper.

Download the full paper here.

Abstract:

“Open government” used to carry a hard political edge: it referred to politically sensitive disclosures of government information. The phrase was first used in the 1950s, in the debates leading up to passage of the Freedom of Information Act. But over the last few years, that traditional meaning has blurred, and has shifted toward technology.

Open technologies involve sharing data over the Internet, and all kinds of governments can use them, for all kinds of reasons. Recent public policies have stretched the label “open government” to reach any public sector use of these technologies. Thus, “open government data” might refer to data that makes the government as a whole more open (that is, more transparent), but might equally well refer to politically neutral public sector disclosures that are easy to reuse, but that may have nothing to do with public accountability. Today a regime can call itself “open” if it builds the right kind of web site—even if it does not become more accountable or transparent. This shift in vocabulary makes it harder for policymakers and activists to articulate clear priorities and make cogent demands.

This essay proposes a more useful way for participants on all sides to frame the debate: We separate the politics of open government from the technologies of open data. Technology can make public information more adaptable, empowering third parties to contribute in exciting new ways across many aspects of civic life. But technological enhancements will not resolve debates about the best priorities for civic life, and enhancements to government services are no substitute for public accountability.

Filed Under: Uncategorized Tagged With: , , , , ,

New research: There's no need to panic over factorable keys–just mind your Ps and Qs

February 15, 2012 by

You may have seen the preprint posted today by Lenstra et al. about entropy problems in public keys. Zakir Durumeric, Eric Wustrow, Alex Halderman, and I have been waiting to talk about some similar results. We will be publishing a full paper after the relevant manufacturers have been notified. Meanwhile, we’d like to give a more complete explanation of what’s really going on.

We have been able to remotely compromise about 0.4% of all the public keys used for SSL web site security. The keys we were able to compromise were generated incorrectly–using predictable “random” numbers that were sometimes repeated. There were two kinds of problems: keys that were generated with predictable randomness, and a subset of these, where the lack of randomness allows a remote attacker to efficiently factor the public key and obtain the private key. With the private key, an attacker can impersonate a web site or possibly decrypt encrypted traffic to that web site. We’ve developed a tool that can factor these keys and give us the private keys to all the hosts vulnerable to this attack on the Internet in only a few hours.

However, there’s no need to panic as this problem mainly affects various kinds of embedded devices such as routers and VPN devices, not full-blown web servers. (It’s certainly not, as suggested in the New York Times, any reason to have diminished confidence in the security of web-based commerce.) Unfortunately, we’ve found vulnerable devices from nearly every major manufacturer and we suspect that more than 200,000 devices, representing 4.1% of the SSL keys in our dataset, were generated with poor entropy. Any weak keys found to be generated by a device suggests that the entire class of devices may be vulnerable upon further analysis.

We’re not going to announce every device we think is vulnerable until we’ve contacted their manufacturers, but the attack is fairly easy to reproduce from material already known. That’s why we are working on putting up a web site that you can use to determine whether your device is immediately vulnerable.

Read on for more details, and watch for our full paper soon.

Filed Under: Uncategorized