This was a joint meeting of the Los Angeles Chapter of ACM, CPSR, the IEEE Computer Society, Engineering Management Society, Society on the Social Implications of Technology(SSIT); and the IEEE Foothill Section. Our speakers were Cory Doctorow and Seth Schoen of the Electronic Frontier Foundation (EFF).

Cory Doctorow was the lead-off speaker. He started out by mentioning some of the victories of the EFF. The EFF was founded to determine whether email would have the same type of legal protection as telephone communication. They won this case. Code has been found by the courts to be a form of expressive speech protected by the first amendment and the use and export of strong cryptology has been approved.

The history of policy and technology is one of technologists creating opportunities for entertainment companies and these companies seeking legislative relief to eliminate these opportunities. Each generation writes its own law. In 1908 there was an attempt to disallow the player piano. Later the argument was raised by vaudeville houses that radio would eliminate them. Sony had to go to the Supreme Court to get its Beta Max television recorder approved. The Beta Max ruling says that a technology is legal if it has substantial noninfringing uses. The VCR is legal even if someone could use it to make illegal copies of movies. Technologists can't be responsible for what users do with it and devising a general purpose use machine is easier than designing one that can only do legal things.

The entertainment industry went to Congress with the complaint that the Internet can be used to infringe. They proposed that the Internet be redesigned so packets can be examined for infringing material. This was brought up in the past when most of the Internet was carried over leased telephone lines and was routed through centralized networks. Today seventy percent of Internet traffic is routed over U.S. territory and subject to U.S. legislation, so the issue of opening packets could be raised again.

Senator Fritz Hollings proposed a bill that most people call "The Hollings' Bill" that has been described as meaning "Consume, but don't try to program anything". Hollywood thinks that the Internet exists as a quick way of getting content delivered. The EFF was cofounded by John Gilmore. Gilmore's rant is that content is a made up word. Who knows what it means? Another word for content is data. We are supposed to protect content by preventing copying it. This is foreign to the usual concept that you protect data by making backup copies. The Hollings' bill proposed that technologists not be able to bring things to market until the entertainment interests approve it. In the past the entertainment industry claimed that "The VCR is to the entertainment industry as the Boston strangler is a woman alone". Now much of the industry's receipts come from pre-recorded media. In the mid 80's Congress considered the TV spectrum. The politicians have a motto "Don't screw around with the voter's TVs". There was a battle between mobile users and the spectrum taken up by big broadcasters who were not using quite a bit of it. Broadcasters claimed they needed the spectrum for High Definition television. Not too many people have HDTVs yet. It was claimed that the value of the spectrum was $80 billion, but this figure dates back to the dot com bubble period and the value is probably lower than that. The problem is how to make American's buy HDTVs. Hollywood says TV doesn't have enough high quality production for HDTV, but they have a lot of high quality movies available. However, digital signals are cheap and easy to copy so the movie industry won't make the movies available if they can be copied and transferred over the Internet.

They developed a DRM protection system. Technically sophisticated pirates can break the protection easily, but honest users are affected. The industry wants protection provided by a standard on the Internet distribution of movies. If the standard is made law it will be illegal to develop hardware or software that can copy content without permission from the entertainment industry. Any recorder has to appear on a list of approved technologies and one or more movie companies must approve the device for it to be used. People objected at the FCC hearing about this standard, but not enough people even knew about it. The meeting was kept a secret unless you were invited, but EFF found out about it and publicized it. Both Philips and Microsoft opposed the standard, so the EFF thought they had won. Then Senator Hollings wrote the FCC saying that they didn't need Congressional approval to make the rules so this is before the FCC right now. There are three objectives. One condition is a broadcast flag as a protection device and devices would be required to make sure no screen shots are taken when a DVD is inserted. This rule requires control of general purpose computing devices as the broadcast flag is a copy protection device that is completely ineffective unless the device knows enough to recognize the flag. Analog devices aren't controlled leading to what the entertainment industry calls the problem of analog conversion. They have a second proposal that all devices be equipped with a watermark detector and that all analog-digital converters shut down when they see a watermark and there is a group looking for a method to do this. A third piece to the proposal is that the Internet be redesigned to prohibit peer to peer communication to insure that the controls cannot be evaded. On February 18, 2003 the comment period on the broadcast flag set by the FCC will end. Doctorow asked people to write the FCC telling them that putting it into effect will significantly harm U.S. technology and the economy. He hopes technologists will complain to the FCC about this, that the FCC needs to hear from technologists who oppose it.

Cory Doctorow introduced the next speaker, Seth Schoen as the task technologist at the EFF. Schoen said he likes to talk about Linux, but keeps getting asked about policy questions. He is a programmer interested in technical things and can put 100 megs on a small CD fitted on something the size of a business card. He said the EFF was formed in Cambridge, Massachusetts; moved to Washington D.C., and is now located in San Francisco. Copyright issues are now dominating the legal landscape in free speech and privacy. It used to be issues of sexual content. The entertainment industry championed freedom to allow sexual content, but are on the other side on copyright issues. Trusted computing is market terminology. It is a research idea on controlling access that has been around since the 1970's. The Department of Defense has used it to separate areas of classified material like Top Secret and Secret from other information. The entertainment industry wants to see the technology in general commercial use for its own purposes. Schoen recommended Ross Anderson's document as a source of information (See the URL at the end of this article).

Trusted Computing Performance Alliance (TCPA) and Palladium are things to be concerned about, but they are separate technologies and should not be lumped together too aggressively. Currently Palladium is a Microsoft vaporware product. TCPA hardware is out there, it is not vaporware and there is a Linux driver out. Prominent critics of TCPA include the Free Software Foundation. It is not true that Microsoft will put something in your computer that will prevent booting competitive operating systems and you won't be able to run software on an emulator. Schoen discussed how you would find out that your own senses were working properly, using your senses, and used the analogy to say that in computing there is a similar problem. Programs don't know what their platform is, you can run Apple software on a PC with an emulator on it. The emulator fools the software, it provides a version of a CPU that is not physically present. You can have malicious code that makes your computer do something that you don't want. Viruses can invade the operating system and set it so it won't recognize them. If you can get system administrator access you can delude the system administrator. Intruders have been doing this since about 1994. Intruders started writing kernel device drivers and can break into and take over UNIX systems. To recover you have to boot from something known to be good and then look around for anomalies.

Digital Rights Management has led to some strange devices such as a Real Player device without a record button on it so viewers cannot capture what was playing. Real Player got a marketing advantage by not providing the record button. Someone came up with a program called Total Recorder that allowed recording. Real Player sued another company and stopped them legally from modifying Real Player software to allow recording. Is there a technical way to keep things from being recorded? Copier people have stopped trying to illegal copy technically. Various anti-copying procedures need a conditional branch and the opcode can be searched for these and replaced by a null operation. A person using a PC can find a way to change the test.

Alternative - Change the PC architecture and have the hardware constructed so it is set up to enforce the policy. Do you want this to happen? Microsoft says you may want it done sometimes and not at other times. You run the program then you accept the hardware enforced policy by the entity that produced the program. Can someone give you code you can't over-ride or alter? Can someone know you are running altered code? Quake is a multi-player interactive game where every player has an independent local copy of the game pack. This can be changed by players so they can cheat. You want to be able to modify things that don't affect the game, but not things that can affect the outcome of the game. There is no way to know whether or not someone is cheating.

You can use tricks, but if people find out they can avoid them. Publishers would like to be able to know that a machine is running the actual Real Player and not a modified version of it. They want a credential like an ID card that you use to prove who you are and that you are running the right thing. The argument is totally wrong and you can be gaining a capability that is ambiguous. There are significant disadvantages in a society where everyone is required to have an ID card and also in a society where your machines are required to identify themselves.

TCPA, Palladium, and Le Grande are examples of new control items. TCPA is a narrower thing than Palladium or Le Grande, and is hardware only and you must write your own software to operate it. So far the technology has been marketed to corporate IT who may want to control their own software. You can develop your own applications with your own rules. The Palladium architecture is much more ambitious. It won't allow a virus to take over your information and spread it around the Internet. Microsoft claims you can create secure virtual machines within a PC. Microsoft Word could perform encryption partly using hardware and Microsoft Word running on that computer would be the only thing that could open it. A user might want this capability, so that if the file was removed without his permission it wouldn't work on another machine. This is a policy enforcement framework that just doesn't exist today. The document could be read only within your enterprise. In Microsoft's design there is probably one major key that could over-ride the other keys. Microsoft says they can protect software from other software attacks but they can't prevent someone from changing the hardware.

Ross Anderson claims that Microsoft is lying about their intentions and they intend to have the PCs changed so that the policies reside inside the CPU are not changeable by the user. Schoen does not know whether this is true.

The Electronic Theft Copyright act of 1997 was passed after a MIT student allowed people to transfer illegal copies of software but beat the rap when there was an attempt to prosecute him for wire fraud. The judge said there was no fraud involved, that it was a case of copyright infringement which is a civil case, not a crime.

Control key access control will not allow you to make backups unless the owner of the software allows you to make backups. Computers are not very smart, but are very flexible and you can establish a policy that is enforced by software like Palladium. Trusted Platform Cryptography could make breaking into by emulation of a trusted chip difficult to accomplish because there are cryptographic keys in the hardware. There is legitimate debate about whether you can make tamper resistant hardware, but tamper resistant software is impossible. In Palladium the author of a program could allow you to make a backup by another process if the author wanted the program to be transferred to someone else.

Palladium architecture is very elegant. Microsoft provides a general mechanism that allows the users to make their own decisions on whether they want others to be able to make copies. This could make it very hard for people using other systems to communicate with them so people using a minority platform could be marginalized. There is a misconception, this technology is not the same as the Hollywood desired technologies to prevent the copying of content by taking capabilities away from you. Microsoft wants to give you new capabilities, but not take away your ability to run other programs. A different goal is being able to determine whether illegal software copies are available and these are separate things. Your computer could be given some additional components you don't have control over that would determine what you can run on your machine. You could have new media provided that won't play on the old equipment. Why is Microsoft cooperating with the content producers in this technology? Microsoft says they want to continue to be able to play movies on PCs. They now think it may help IT managers control security and they may want to get government contracts by displacing more expensive proprietary equipment. One suggestion is that they are interested in making the PCs the government uses more secure and thereby increasing sales. There are a lot of benefits to be derived from this technology and powerful organizations are the ones that get the most benefit.

People were extremely interested in this presentation, which was excellent. There was too much information presented quickly for this article to give a really good report of what the two speakers presented. It is highly recommended that you should look at the URLs presented in last month's DATA-LINK.

Dr. Ross Anderson's excellent FAQ on TCPA and Palladium:

www.cl.cam.ac.uk/users/rja14/tcpa-faq.html

Seth Schoen's report on Microsoft's Palladium:

www.activewin.com/articles/2002/pd.shtml

Cory Doctorow's article on policy issues:

www.tidbits.com/database-cache/tbart06901.html