November 24, 2024

Report from the ACM DRM Workshop

Yesterday I attended the ACM “Digital Rights Management” Workshop in Washington DC. There were about 100 attendees, most of them computer scientists, with a few lawyers and Washington policy types thrown in. Papers from the workshop are available online.

My main impression was that the speakers were more openly skeptical about DRM than at past conferences. I don’t think this represents any real change in opinion. The real cause, in my view, is that industrial researchers are now starting to say in public what they would only say in private before.

The skepticism about watermarking was especially strong. One speaker described a simple attack that apparently can defeat essentially all state-of-the-art watermarking methods. Another speaker’s paper says:

Proposals for systems involving mandatory watermark detection in rendering devices try to impact the effectiveness of [file sharing systems]…. In addition to severe commercial and social problems, these schemes suffer from several technical deficiencies, which, in the presence of an effective [file sharing system], lead to their complete collapse. We conclude that such schemes are doomed to failure.

In Search of Technology News

I still remember the first time I saw a newspaper that had a technology section. It seemed to herald the arrival of technology in the mainstream of American life, and to offer the public a chance to understand how life was about to change.

Lately I have begun to wonder whether the technology section is a good idea. Don’t get me wrong; straightforward, down-to-earth discussion of technology is needed now more than ever. The problem is that that isn’t what technology news means anymore.

More and more, our “technology news” isn’t about technology at all. It’s about stock prices, earnings reports, lawsuits, and executive hiring and firing. In short, it’s an annex to the business page, reporting on companies that just happen to make high-tech products. This seems to be true at all of the major newspapers I have seen.

Consider the technology page of today’s New York Times online. It highlights these five stories:

1. A shareholder lawsuit against Homestore.com alleges financial improprieties at AOL Time Warner.

2. A brokerage firm changes its advice to its customers about whether to invest in Intel stock.

3. Executives at Citigroup bribe New York’s 92nd Street Y to admit one of their children to the Y’s preschool.

4. Workers at a Canadian phone company vote to go on strike.

5. A court approves the bankruptcy plan of a telecom company.

This is all about finance and labor relations. You could write the same stories about bathtub manufacturers or fast-food chains. The only connection to technology is that each story mentions a company that sells high-tech products.

Story number 3 is a particularly extreme example. To the extent that it’s even about a company, the company involved is Citigroup, which isn’t a tech firm. This is an eye-opening story that belongs in the newspaper – just not on the tech page.

For a long time I bemoaned this not-really-tech-news phenomenon but thought of it as basically harmless. What’s the big deal, I thought, if some newsworthy material is mislabeled?

But lately I’ve started to wonder whether this mislabeling is having insidious effects. What if the editors of these newspapers think they are educating their readers about technology, because they publish a tech section? What if readers think they are learning about technology because they read the tech section? What if lawmakers think that this stuff is what technology is really about?

Yes, I know. Too many pure technology stories are boring. It’s a rare writer who can make a real tech story clear and compelling. If the tech section were really about tech, it would have to be much smaller.

That’s fine with me. In an ideal world, today’s non-tech “technology” stories would still run, but they would be put in the business section where they belong. The tech section would run less often, and would actually talk about technology; think of it as a cousin of the science section, which might run once a week at a big-budget paper. Like science writers, technology writers would be fewer and would have the rare talent required to write tech stories that people actually wanted to read.

The first time I see that kind of tech section, I’ll really know the world really has changed.

Virus With a EULA

Rob Lemos at news.com reports on a new “greeting card” virus that protects its author by using a EULA (End User License Agreement):

The FriendGreetings electronic greeting card has all the hallmarks of a mass-mailing computer virus.

The e-mail misleads a victim into downloading an application–ostensibly to view a Web card–and then sends itself to every e-mail address in the victim’s Outlook contacts file. At least a few systems administrators have complained in Usenet postings that the mass-mailing e-card was to blame for swamping their network.

Yet the creators–Permissioned Media, a company apparently based in Panama–will be hard to prosecute: The viral card is protected by a license agreement that tricks unsuspecting users into clicking “Yes” and consenting to have the program send itself to all their e-mail contacts.

This exploits the well-known fact that people don’t actually read EULAs, but just click “I Accept.”

The theory underlying the validity of long, hard-to-read EULAs (if indeed they are valid) is that companies that use misleading EULAs will get bad publicity – if BadCorp’s EULAs are evil, somebody will notice this, and when this information is spread BadCorp will lose business. This is all well and good when BadCorp is a company that wants to do business for an extended period.

This virus-with-a-EULA is a challenge to that theory. The virus spreads so rapidly that it does all of its damage before the news about the bad EULA can spread. And the virus’s author is a company that nobody has ever heard of. Having spread the virus, the author-company can close up shop, so the damage to its reputation doesn’t matter.

If the law says that this kind of EULA actually makes a virus legal, then we’re in a tough spot. We can ask every user to read, understand, and evaluate every EULA he sees. But that’s not going to happen. People can decide not to accept EULAs, except those from well-known companies. That isn’t a very satisfying answer either. Or people can settle on a few standardized EULAs, and we can rely on software tools to recognize non-standard EULAs so that we can reject them.

This recapitulates a debate that the research community had about mobile code security. The problem there is that little programs are arriving on people’s computers, and somebody has to decide what those programs are allowed to do. One approach is just to ask the user to decide in every case; but users get “dialog box fatigue” and start agreeing to everything without reading it. Another method is to apply a standardized one-size-fits-all policy to all programs, but that policy is either too restrictive for legitimate programs, or too lax for malicious programs, or both. In the end, no fully satisfactory solution was found, but everybody agreed that a well-engineered system would limit the harm that bad programs could do. How to apply that lesson to the EULAs isn’t immediately clear.

A Stroll Through the Logs

The website statistics program I use (webalizer) lets me see what search strings people are using when they find this site via the usual search engines. November’s report is amusing.

The most common search string that led to the site is “tinker.” No surprise there. Number two, though, was “fart noises.” (That matches a Fritz’s Hit List entry, in case you’re wondering.)

This raises important questions that merit future research. Is this site known primarily for its material on fart noises? Or are there lots of people out there searching for “fart noises” and then stumbling onto this site? Readers are invited to submit explanations.

(“Fart noises” ranked highly in October, too, behind only “tinker,” “freedom to tinker,” and “fritz’s hit list”.)

Also interesting is the fact that more people found this site by searching for “ed felton” (with my last name spelled incorrectly) than for “ed felten” (the correct spelling). The misspelling appears nowhere on this site, so it must be that people link to the site using the misspelled name, or that some search engines are smart enough to correct for the misspelling.

In a related story, click here for an explanation of how Eugene Volokh’s serious, non-porn site was a search result for “kazakh girls nude”.

More Great Stuff From Seth Schoen

If you want to understand what the whole Palladium/LaGrande/“trusted computing” issue is about, you should read Seth Schoen’s recent writing. His analysis is insightful, technically sound, independent, and hype-free. For the latest example, click here, scroll down to “Trusted Computing,” and read the next several sections.