Archive for the 'Congress' Category


Debating the DMCA reform bill

Representatives Rick Boucher (D-VA) and John Doolittle (R-CA) have introduced a bill that would scale back the effect of the anti-circumvention provisions of the DMCA and limit the liability of technological innovators, sparking debate among all stakeholders.

The Freedom And Innovation Revitalizing U.S. Entrepreneurship Act of 2007, or FAIR USE Act (pdf), has been wrongly equated with a re-introduction of the Representatives’ DMCA reform bill from the 109th Congress, HR 1201. It’s actually different in subtle but important ways.

Boucher’s 2005 bill

Leahy promises privacy, patent reforms

Senator Patrick Leahy, the (presumptive) incoming chair of the Senate Judiciary Committee, is promising reforms that would strengthen privacy protections and overhaul the patent system.

Among key privacy reforms, he is seeking tighter supervision of government databanks, action on data leaks and identity theft, and (the shock!) warrants as a prerequisite to surveillance of Americans.

Patent reform is long overdue, and there should be bipartisan support for his efforts. He and Republican Senator Orrin Hatch of Utah co-sponsored a bill this year that, among other things, would make it cheaper and easier to challenge bunk patents. It’s similar to a bill sponsored by Republican Lamar Smith in the House.

Of course, the Senate has a bigger concern right now: Senator Tim Johnson getting better. Our hearts go out to Senator Johnson and his family.

The politics of digital lockpicking

Having studied the DRM fight for a few years now, I’m starting to become fascinated by the politics of security vulnerabilities in general.

For those of us who came to this question via the study of DRM politics, Ed Felten is perhaps the poster boy for the politics of security vulnerabilities. The professor of computer science and public affairs at Princeton was once threatened with legal action by the RIAA because his research team had broken the Secure Digital Music Initiative (SDMI) watermarking system and was about to present the results at an academic conference.

Last year, Felten helped users cope with the security holes that the copy-protection software on some Sony music CDs opened on the computers into which they were inserted. Lately, he’s been telling anyone who will listen, from readers of his blog to members of the House Administration Committee, that Diebold e-voting machines are remarkably insecure.

At each step, he has told people who didn’t want to hear it that the digital lock they’ve devised is not half as secure as their PR department would have you believe. The fact that Diebold felt compelled to respond (pdf) shows that he has a substantial audience for such discoveries.

Of course, Felten is not alone, but he may be the whitest hat in the crowd. (The RIAA backed off, in part, because they knew that suing him would endanger the political viability of their DMCA suit-fest.) Other people who research digital security have several channels for getting the word out about vulnerabilities. You can contact the CERT Coordination Center (CERT/CC), which will notify the affected vendors, help coordinate the response, and keep the network user and service provider community updated on the status of the problem.

Until the alert and/or patch comes out, this is all pretty behind-the-scenes stuff and, by now, it has become pretty routine. But every once in a while somebody violates protocol, either by publicly discussing the flaw before a patch exists or by credibly dangling an exploit in front of the security community without revealing the details the vendor would need to fix it. Both have been in the news lately.

The now-famous Apple wifi vulnerability, demonstrated by SecureWorks researcher David Maynor in this video, was an instance of the latter. It quickly devolved into name calling. Initially, Apple claimed that the two researchers, Maynor and Jon “Johnny Cache” Ellch, had failed to share any code demonstrating an exploit. Later, SecureWorks said:

SecureWorks and Apple are working together in conjunction with the CERT Coordination Center on any reported security issues. We will not make any additional public statements regarding work underway until both companies agree, along with CERT/CC, that it is appropriate.

Apple also stated that they are working with SecureWorks.

Some accused Maynor and Ellch of being irresponsible (for not going directly to CERT), but the accusation by Apple and others that really angered them was that it was a cold fusion discovery, that is, that they had fabricated the whole thing. (With a little effort, a great many people could stage what would look like the same hack on video without actually finding a new vulnerability.)
Ellch gave a presentation on Saturday at ToorCon defending their hacker honor, insisting that they had honestly discovered a real vulnerability. SecureWorks pulled Maynor from the talk, during which the two were to share the code behind the exploit. Prevented from releasing the exploit (it sounds like his co-researcher had his arm twisted), Ellch delivered what he himself called a rant, leaving many to wonder what exactly was going on behind closed doors. All we know for sure is that this is definitely not the routine method for fixing vulnerabilities.

In contrast, nobody at ToorCon was doubting the Firefox exploit, also delivered on Saturday, by Mischa Spiegelmock and Andrew Wbeelsoi. (In case you care, it targets Firefox’s JavaScript implementation, which Spiegelmock called “a complete mess” that is “impossible to fix.”) Spiegelmock put it on the screen for all to see, without having given Mozilla any lead time to begin developing a patch.

Mozilla security chief Window Snyder (now THAT’S a name for an IT pro!) was not amused. Here is CNet’s reporting:

“It looks like they had enough information in their slide for an attacker to reproduce it,” [Snyder] said. “I think it is unfortunate because it puts users at risk, but that seems to be their goal.”

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. “If it is in the JavaScript virtual machine, it is not going to be a quick fix,” Snyder said.

Again, this deliberate release of a zero-day exploit is a clear violation of the heads-up-to-CERT protocol. The authors also claim to know of around 30 more unpatched Firefox flaws, which they are keeping to themselves.

If this blog had a big audience, undoubtedly some of you would be insisting that zero-day exploits must be made illegal–that security flaws must be disclosed only to certain kinds of entities. (I’m still waiting for the high-publicity “war on hacking.” All we need is a “digital 9/11,” and the same mentality that brought you the very successful wars on drugs and terrorism will kick in.)

If the brief history of the DMCA is any indicator, that’s the wrong attitude. Felten was reluctant to release details about the Sony rootkit because he feared DMCA-fueled legal trouble. Additionally, part of CERT’s success has come from pressuring private firms to develop more secure products; without third-party pressure, they just won’t do it. Sure, the CERT model works now, but it may fail in the future.

Additionally, open source models (an important part of the “freedom to tinker”) generally yield better security than proprietary closed-source models (the Windows model, complete with public begging that the software’s producers release patches more quickly). If anyone can see the code, anyone can find and fix vulnerabilities, so more of them get found and squashed. But if tinkering with the code is forbidden, whether by closed-source publishing models, EULAs, and/or the law, then only two kinds of people will look for bugs: people with an incentive to avoid embarrassment (the authors of said closed-source code) and people who intend to exploit them.

Despite the pain of hacker conferees occasionally publicizing zero-day vulnerabilities and/or taunting us with their still-secret exploits, I’d still prefer a policy of freedom of information, knowing that the Feltens of the world have our collective back, over a system that prevents computer science professors and other whitehats from investigating and fixing flaws.

Telecom consultant issues fake consumer report opposing NN

Yesterday, the American Consumer Institute inaccurately assailed network neutrality proponents for pretending to represent the voice of consumers while actually representing the voices of very large and powerful companies. The report’s author, who is no neutral observer, uses decontextualized economic data to obscure the political reality on the ground.


Responding to Felten (& Co.), squared

My response to Ed Felten’s policy recommendations (Felten suggests we wait and see before imposing network neutrality mandates) has garnered its own response. Tim Lee of TechLiberation has posted two responses (first) (second), the first of which became part of Felten’s sensible follow-up, and the second of which references this thoughtful post by EFF Chairman Brad Templeton.

The very short summary of the dispute goes like this: We network neutrality supporters are so scared of the perils of broadband discrimination that we are willing to accept the perils of imperfect regulation. Opponents are so scared of the perils of regulation that they are willing to accept the perils of discrimination, at least for now.

The other three guys are very intelligent people, one of whom has been dragged into this (reluctantly, I’m sure), and all of whom have thought long and hard about this. As in any decent debate, both sides have some merit.

First, consider the large degree to which we agree:

Telecom: Repeating failed promises

In this interview from today, Brooklyn-based telecom analyst Bruce Kushnick insists that big telecom has systematically failed to deliver on its promises to the public and to policymakers.

In the early and mid 1990s, telecommunications companies promised to build networks that would allow them to compete with cable. We were all supposed to get high-speed fiber optic cables (light pipes) right to the house, carrying voice, data, and video. There would be tons of competition, and 86 million homes would get 45 megabits per second of two-way data capacity.

Of course, this new fiber network would not be cheap, and telecom firms would need to be compensated accordingly. In fact, there would need to be several changes in the law that would allow telecom firms to make much higher profits, but that was supposed to be okay because the higher prices and tax breaks would go toward building a next-generation data network.

Sound familiar? Even if you discovered the joys of tracking telecom laws just this January, these claims should ring a bell. They should also make you want to wring a Bell’s neck, because Verizon, at&t, and friends are singing the same song in Congress, and winning. Let us bypass state and local regulations. Let us design non-neutral networks and charge protection money for the data we don’t throttle. Let us turn excessive profits into obscene profits.

After all, we’re trying to build high-capacity fiber networks here, and those aren’t cheap. What’s that? You say there are actually countless miles of unused fiber? Oh, well we need a telecom rewrite before we’ll have the incentive to light those pipes. And those $200 billion in increased rates and tax breaks? That’s just not enough, and we need more.

Never mind what we said last time.

(Link from Benton; expect a cross-post on Public Knowledge.)

PK’s Stevens MP3 hits blogosphere

Last Wednesday, June 28, during the network neutrality debate at the markup of Sen. Ted Stevens’ massive telecom bill, many of us at Public Knowledge listened anxiously to the streaming audio from the Hill. I placed my digital voice recorder on Alex Curtis’ PowerBook speaker so that we could get audio of the event.

Ted Stevens had just embarrassed himself, displaying his ignorance of internet architecture in an angry tirade against net neutrality. As just one example, he claimed that an email took five days to reach him because the internet’s “tubes” were plugged up with video.

This was too good to pass up, so we decided to make a blog post. Little did we know it would take off so well…

Senators: Why fill the analog hole?

Today, the Senate Judiciary Committee held a hearing on the “problem” of the analog hole. Public Knowledge President Gigi Sohn was the last witness, and the three Senators in attendance seemed to react well to her message and to the concerns of our allies in the tech sector.

First, let’s cover some technical and legal background. (Skip ahead if you just want the digs on the hearing. Also, here are Gigi’s oral and written (pdf) testimony.)

Stevens bill: Minor 1st Am protections, no neutrality

Update: This post has been edited. Thanks to Tim Schneider for his excellent legal insight.

The new draft of the Stevens Telecom bill (pdf) features a shameless attempt to deliver just enough compromise on net neutrality to buy off political activist groups (e.g. the Christian Coalition) who are worried about being censored online. It’s not enough.

The draft adds a new Title IX, the “Internet Consumer Bill of Rights Act.” (See p. 144+) Yet Stevens’ bill still reserves for ISPs the right to pick online winners and losers in terms of speed and other quality-of-service measures, producing an “improved” bill that still stinks.

The new draft is a minor improvement over the previous draft, which merely ordered an FCC study of the neutrality issue. Section 902 requires that each ISP allow consumers to “access and post any lawful content of [their] choosing.” Section 904, “Application of the First Amendment,” insists:

No Internet service provider engaged in interstate commerce may limit, restrict, ban, prohibit, or otherwise regulate content on the Internet because of the religious views, political views, or any other views expressed in such content unless specifically authorized by law.

This is perhaps a 2-degree improvement over the wait-and-see approach of previous drafts, but the bill is still essentially facing backwards. On page 149, the bill tells the FCC that it may not “promulgate any regulations implementing this title,” which means that the FCC must adjudicate each alleged violation anew, case by case, with no standing rules to apply. This is highly inefficient and a substantial hurdle to enforcement, which means this section does next to nothing.

Of course, this bill does nothing to prevent Ed Whitacre from carving monopoly profits out of content providers and, since noncommercial speakers have no profits to carve, drowning out the noncommercial voices online.

Thanks to Stevens, broadband companies will have to deliver all legal content at some speed while pay-to-play content whizzes by in the fast lane. But the speed difference will cripple all but the richest outlets. Dialup treatment in the broadband era, or 1 Mbps treatment in the (still forthcoming) 30 Mbps era, will muffle the voices of most online speakers.

Congress: Hunting for patent trolls?

Representatives Lamar Smith (R-TX) and Howard Berman (D-CA) were among those who used a hearing yesterday to take rhetorical swipes at patent trolls.

The hearing, held by the House Judiciary Subcommittee on Courts, the Internet, and Intellectual Property, was called, “Patent Trolls: Fact or Fiction?”

A patent troll is a person or small company that traffics primarily or exclusively in the threat of patent litigation. The troll either registers or purchases patents with no intention of developing products using the patented technologies or techniques. Rather, it goes looking for people it can credibly accuse of infringement. Trolls seek licensing fees that exceed the market rate but fall short of the would-be defendant’s legal expenses (pdf). Failing that, they are willing and able to go to court.

The bill at issue is H.R. 2795, “The Patent Reform Act of 2005.” The bill makes some substantial improvements to patent law. It limits damages and limits the ability of patentees to get injunctions. The bill reduces the ability of would-be patentees with pending applications to tack on “continuation” applications subsuming similar products that others have brought to market since the first filing.

Perhaps most excitingly, the bill makes it much cheaper and easier to challenge bad patents, either within nine months of the PTO’s granting of an application or within six months of being accused of infringement. Rather than spending hundreds of thousands of dollars in federal court, one can spend much less money and contest patents in front of the PTO.

So far, the bill looks like it has a very good shot at passage. Republican Lamar Smith, the Subcommittee Chair, sponsored the bill. In opening the hearing, he argued that “the patent system should reward creativity, not legal gamesmanship.”

Howard Berman, the ranking Democrat and one of 11 bipartisan cosponsors, expressed concern about the patent troll who “spends not a cent on development…(and) patents every monkey he kisses. All he does is spend his time sitting around waiting, (hoping) that he can make enough of a case that it might infringe on his monkey that somebody will pay him to go away.”

If this bill does not pass, it will probably be because of the shortened election-year calendar; bipartisan enthusiasm for reforming the patent system should eventually carry the day.
