My DMCA paper focuses on the law’s most controversial section, the part that prohibits circumventing DRM schemes. When I was writing it, I briefly considered discussing its other provisions, most notably the “notice and takedown” provisions of §512. After all, EFF has a whole web site documenting the chilling effects of that provision. But although I think EFF has some legitimate gripes, I ultimately concluded that the anti-circumvention provision was far more problematic, and decided to focus my paper exclusively on that section.
Today Tim Wu has an interesting article in Slate arguing that we should be grateful we got §512, because if Hollywood had gotten its way, things would have been much worse:
This summer, Sen. Ted Stevens, R-Alaska, earned the bemused contempt of geeks everywhere when he described the Internet as “a series of tubes.” But back in 1995, Hollywood was insisting that the Internet be characterized as “a bookstore.” And a bookstore, unlike a series of tubes, breaks the law if it “carries” pirated novels. So too, Hollywood urged, Internet companies should be liable if they carry any illegal materials, whether the companies know it or not.
Had that view prevailed, there would probably be no YouTube today, and also no free blog sites, and maybe not even Google or Web 2.0. What venture capitalist would invest in a company already on the hook for everything its users might do? But, in one of the lesser-known turning points in Internet history, Hollywood never got its law. Its unstoppable lobbyists ran into an unmovable object: the Bell companies, who own those “tubes” over which the Internet runs. In the mid-1990s, fearing a future of liability, the Bells ordered their lobbyists to fight Hollywood’s reforms, leading to one of the greatest political struggles in copyright history. (This paper provides a history of this and other struggles.)
Hollywood employs legendary lobbyists, like Jack Valenti, but when they ran into the Bells, it was like Frazier meeting Foreman. The Bells quickly put holds on all the legislation the content industries wanted. Telecom lobbyists like Roy Neel, a close friend of Al Gore (and later Howard Dean’s campaign manager), went to Congress and began saying things like, the “copyright law threatens to put a damper on the expression of ideas on the Internet.”
Copyright law is at its worst when it’s unclear where the boundaries of liability lie, because then deep-pocketed, risk-averse companies will decline to take the risk of incurring large copyright liabilities. The “safe harbor” provision gives businesses clarity regarding what they need to do to avoid liability when it comes to user-generated content. And that, in turn, has allowed individuals to push the boundaries of copyright law and produce absolutely brilliant works of likely copyright infringement.
One of the important points made in Jon Stokes’s write up of e-voting is how much easier it is to hide malicious code in a program than it is to find it. This was also a point that Avi Rubin made quite well in Brave New Ballot, when he describes a computer security course he taught in 2004:
I broke the class up into several small groups, and we divided the semester into thirds. In the first third, each group built an electronic voting machine that it demonstrated to the rest of the class. These machines were basically simple programs that allowed a user to make choices among several candidates in different races and that were required to keep an electronic audit log and produce the final tallies when the election was over. The groups then devoted the second third of the term to planting a back door in their voting machines–a mechanism by which a voter could cheat and change the vote totals and the audit logs so that the change would be undetectable. Each team had to turn in two versions of its system, one that worked properly and one that “cheated,” with all the code for both.
The groups spent the last third of the semester analyzing the machines and code from the other groups, looking for malicious code. The goal of the project was to determine whether people could hide code in a voting machine such that others of comparable skill could not find it, even with complete access to the whole development environment. Each group was assigned three machines from other groups–one good one, one bad one, and one chosen at random, but none of them identified as such. That was for the students to figure out by analyzing the code and running the machines. Admittedly, this setting was not much like that of a real manufacturer, in which there would be years to develop and hide malicious code in a code base that would be orders of magnitude larger and more complex than in our little mock-ups. Furthermore, the students had all just spent more than a month developing and hiding their own malicious code, so they had a good idea of what other groups might try. Conversely, in practice, auditors would have considerably more time to analyze and test potential code for problems. Still, I expected the results to be revealing, and I was not disappointed.
Many of the groups succeeded in building machines in which the hidden code was not detected. In addition, some fo the groups succeeded in detecting malicious code, and did so in a way that in and of itself was enlightening. In one case, the student discovered the cheating almot by accident because the compiler used by the programmer was incompatible with the one used by the analyzing team. The experiment demonstrated, as we suspected it would, that hiding code is much easier than finding hidden code.
I think this is a big part of the reason that computer security experts tend to be so skeptical of claims that independent testing has “proven” that a company’s voting machine code was secure. Even if the “independent” firm were genuinely independent, (which it usually isn’t) and even if they were to do a truly exhaustive security audit, (which judging from the Rubin and Felten reports, they usually don’t) it would still be unlikely that they would be able to detect malicious code that was inserted and camouflaged by a relatively talented programmer.
For years, Jon “Hannibal” Stokes has been writing incredibly detailed articles on CPU architecture. He’s particularly good at presenting a lot of in-depth technical information in a way that’s accessible to moderately tech-savvy people. I’m much more capable of pretending to understand CPU architectures after reading his articles.
Now he’s turned his attention to voting machines, and he does his usual thorough and clear job explaining “How to steal an election by hacking the vote”:
hat if I told you that it would take only one person–one highly motivated, but only moderately skilled bad apple, with either authorized or unauthorized access to the right company’s internal computer network–to steal a statewide election? You might think I was crazy, or alarmist, or just talking about something that’s only a remote, highly theoretical possibility. You also probably would think I was being really over-the-top if I told you that, without sweeping and very costly changes to the American electoral process, this scenario is almost certain to play out at some point in the future in some county or state in America, and that after it happens not only will we not have a clue as to what has taken place, but if we do get suspicious there will be no way to prove anything. You certainly wouldn’t want to believe me, and I don’t blame you.
So what if I told you that one highly motivated and moderately skilled bad apple could cause hundreds of millions of dollars in damage to America’s private sector by unleashing a Windows virus from the safety of his parents’ basement, and that many of the victims in the attack would never know that they’d been compromised? Before the rise of the Internet, this scenario also might’ve been considered alarmist folly by most, but now we know that it’s all too real.
Continue reading →
Today’s Cato podcast features yours truly discussing the DMCA. Anastasia was obviously a friendly interviewer, but I still found it challenging to boil the complexities of the issue down to something that could be readily understood in a 10-minute interview. We discuss the French protests from earlier this month, what the recently-passed French law did, and how the courts were handling reverse engineering cases before Congress enacted the DMCA.
Many months ago, Derek Slater pointed me to the paper he did while he was at the Berkman Center late last year. It’s been on my to-read list ever since, and I’ve finally gotten a chance to check it out.
The paper reports on the increasing popularity of what they call “taste-sharing” tools on the Internet. That would include peer-to-peer file-sharing sites, but it also includes collaborative filtering tools like Amazon’s “People who bought this book also bought…” feature, and Apple’s iTunes playlist sharing tools.
Clearly, the trends Derek identified in this paper have continued into 2006, as evidenced by Microsoft choosing to make music sharing one of the central selling points of its Zune media devices. I’ve also read that the community features of YouTube were an important factor in that sites meteoric rise. Consumers clearly love being able to share their cultural tastes with others, and so smart media companies will find ways to make it easier for their customers to recommend their products to others.
It seems that the United States isn’t the only country having problems with e-voting. They’re having problems up in Canada too. Mike at Techdirt is on the case:
Following a report by Quebec’s electoral chief that runs through all of the problems Quebec had with e-voting machines last year, the government has extended an injunction against e-voting machines that had been put in place after the problems in the election became clear. The elections official admits that there’s no way to tell if last year’s election results were accurate or fair–but that there’s nothing that can be done now. Some opposition politicians, however, are thinking of trying to force the election to be wiped out and held again, claiming that the results clearly were incorrect. To make it even more fun, the firm that supplied the e-voting machines, PG Elections, is apparently upset that Quebec hasn’t paid their bill in full for the machines that didn’t work properly. Even worse, they seem to shrug off the problems: “We have to admit that we did have a few problems,” but he then suggests you have to give them some leeway because “It was the first time all Quebec municipal elections were held on the same day and that so many used electronic voting.” I’m sorry, but if the one thing your machines are supposed to do is handle the election and count people’s votes, it really needs to do that–and trying to brush it aside because it was the first time so many of your machines were being used isn’t just a bad excuse, it’s a reason no one should use your machines again.
Damn straight. I mean, seriously, when’s the last time you heard Ford say “Yeah, our cars tend to break a lot. But give us a break! We’ve never produced this many cars in a single year before.” Vendors need to demonstrate their products are secure
before they’re used in real elections.
A coalition including the Consumer Electronics Association, Public Knowledge, and EFF have launched a digital freedom campaign. These are good groups and I’m always happy to see them highlighting an important set of issues, but frankly, if I weren’t already well versed on this controversy, I think I’d find their website a little bit confusing.
The campaign talks about innovators, artists, and consumers all having their freedom threatened. And it’s true: all of them can be harmed by aggressive expansions of copyright law. But the only concrete example the digital freedom campaign mentions is recording satellite broadcasts. As important as that issue is, that’s not likely to spark a nationwide backlash.
Oh, now that I’ve looked at the home page again, I see that clicking on the people causes them to tell their story. That’s pretty cool. They ought to make it more obvious that you’re supposed to click on the people, as it took me a good 10 minutes to figure that out, and most people visiting the site aren’t going to spend 10 minutes poking around.
Anyway, my point is that advocates for digital freedom (myself definitely included) need to do a better job of getting down to specifics in a way that’s accessible to ordinary people. I think EFF’s endangered gizmos and DRM guide sites are good examples. When you tell people that Hollywood almost got the VCR outlawed, that immediately gets peoples’ attention. There are now thousands of consumers who’ve discovered that their “plays for sure” music doesn’t play on their iPods. If we can tie those controversies back to the current debates over the PERFORM Act, the broadcast flag, the Boucher bill, etc, we can help voters clearly understand what’s at stake and why they should care.
But without those ties to specific examples, all the rhetoric about freedom and consumer rights in the world won’t get peoples’ attention. Voters have heard all the freedom rhetoric before, and it’s usually hogwash. I thought the middle guy–the aspiring filmmaker with the tape over his mouth–did a good job of offering a specific example of what’s at stake. But the other two, and most of the copy on the rest of the website, is just too vague to get anybody other than me fired up.
I’ve re-enabled comments. Thanks for your patience.
I’m embarrassed to admit I didn’t see this New York Times op-ed until today. It’s written by Damian Kulash, the lead singer of OK Go, one of my favorite bands. And it’s on one of my pet topics:
The truth is that the more a record gets listened to, the more successful it is. This is not our megalomania, it’s Marketing 101: The more times a song gets played, the more of a chance it has to catch the ear of someone new. It doesn’t do us much good if people buy our records and promptly shelve them. We need people to fall in love with our songs and listen to them over and over. A record that you can’t transfer to your iPod is a record that you’re less likely to listen to, less likely to get obsessed with and less likely to tell your friends about.
Luckily my band’s recently released album, “Oh No,” escaped copy control, but only narrowly. When our album came out, our label’s parent company, EMI, was testing protective software and thought that we were a good candidate for it. Record executives reasoned that, because we appeal to college students who have the high-bandwidth connections necessary for accessing peer-to-peer networks, we’re the kind of band that gets traded instead of bought.
That may be true, but we are also the sort of band that hasn’t yet gotten the full attention of MTV and major commercial radio stations, so those college students are our only window onto the world. They are our best chance for success, and we desperately need them to be listening to us, talking about us, coming to our shows and, yes, trading us.
To be clear, I certainly don’t encourage people to pirate our music. I have poured my life into my band and, after two major-label records, our accountants can tell you that we’re not real rock stars yet. But before a million people can buy our record, a million people have to hear our music and like it enough to go looking for it. That won’t happen without lots of people playing us for their friends, which in turn won’t happen without a fair amount of file sharing.
As it happened, for a variety of reasons, our label didn’t put copy-protection software on our album. What a shame, though, that so many bands aren’t as fortunate.
Don’t listen to me. Listen to the up-and-coming rock star.
I’ve finished reading Brave New Ballot, Avi Rubin‘s new book on the hazards of e-voting. Brave New Ballot is something of an oddity; it’s virtually a tech policy tell-all. It provides a personal, in-depth look at his crusade against paperless, unverifyable voting from July 2003, when he and his grad students started work on their famous report detailing the flaws in Diebold’s source code, to November 2004, the first presidential election since the widespread adoption of e-voting. We get to meet his allies in the e-voting fight, his opponents in the computer security community and among state officials, and a variety of other figures who shaped the e-voting debate during 2003 and 2004.
The most depressing thing I learned from the book is that Diebold’s response to the Felten paper was part of a pattern. When Rubin described security vulnerabilities in their products, Diebold could have taken the opportunity deployed smoke and mirrors to discredit the study, just as they did with Felten’s study last month.
Even more disturbing was that many state election officials, especially those in Georgia and Maryland, reacted the same way. They could easily have taken the paper’s criticisms back to Diebold and demanded immediate actions to address the flaws Rubin identified. Instead, at least as Rubin tells it, they were some of Rubin’s most dogged critics.
Rubin’s book is delightfully readable. I read it cover to cover over the weekend. It’s structured as a personal narrative, but Rubin does a good job of weaving in the technical and theoretical arguments against paperless voting along the way.
In addition to being a good introduction to the e-voting issue, I think it’s also worthwhile reading for aspiring geek activists in general: Rubin describes himself as relatively apolitical prior to his involvement in the e-voting issue, and he offers some insights on striking a balance between being an activist and being an independent, objective expert. He discusses the mini-scandal that erupted when it was revealed that he was on the advisory board of one of Diebold’s “competitors.” Rubin says (and I believe him) that the connection was tangential and the company wasn’t really a Diebold competitor. But that didn’t stop his critics from bringing the issue up any time they needed a convenient way to discredit him.
All in all, it’s well worth the read. I encourage you to grab a copy.
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.