Ed Felten's blog

Experimental Use Exception Evaporating?

Doug Tygar points to a front-page article in yesterday's Wall Street Journal about a lawsuit that raises troubling questions about researchers' ability to use patented technologies for experimental purposes.

Patent law, which makes it illegal to make or use a patented invention without permission of the patent owner, has an exception for experimental use. The exception, as I understand it, applies only to non-commercial, curiosity-driven experiments.

John Madey invented, and patented, an important technology called the free-electron laser (FEL). He was a professor at Duke University, where he headed an FEL laboratory. Then he was ousted after a nasty squabble with Duke, and he moved to another university. Duke continued to operate the FEL.

Madey sued Duke for patent infringement, for using the FEL without his permission. Duke wrapped itself in the experimental use exception, but Madey argued that Duke, in its use of the FEL, was not engaged in idle inquiry but was carrying on its business of research and education. The Federal Circuit Court of Appeals agreed with Madey that Duke was not eligible for the exception:

Our precedent clearly does not immunize use that is in any way commercial in nature. Similarly, our precedent does not immunize any conduct that is in keeping with the alleged infringer's legitimate business, regardless of commercial implications. For example, major research universities, such as Duke, often sanction and fund research projects with arguably no commercial application whatsoever. However, these projects unmistakably further the institutions' legitimate business objectives, including educating and enlightening students and faculty participating in these projects. These projects also serve, for example, to increase the status of the institution and lure students, faculty, and lucrative research grants.

It's hard to see, in light of this decision, how anybody could ever qualify for the experimental use exception.

If this decision stands, it could have a big impact on university researchers. Up to now, researchers have been free to concentrate on discovery rather than patent negotiations, and to build and use whatever equipment was necessary for their experiments without worrying that somebody would sue to shut down their labs. Now that may have to change.

Here's a tip for law students: current trends indicate hiring growth in research universities' general counsel offices.

Latest Induce Act Draft Still Buggy

Reportedly the Induce Act has stalled, after the breakdown of negotiations over statutory language. Ernest Miller has the last draft offered by the entertainment industry.

(Notice how the entertainment industry labels its draft as the "copyright owners'" proposal. It takes some chutzpah to call your side the "copyright owners" when the largest copyright-owning industry – the software industry – is on the other side.)

The draft makes yet another attempt to define "peer-to-peer". While the last draft's definition was too broad, including, for example, the Web, this one is too narrow. It probably encompasses most or all of the P2P systems currently being used, but its narrowness allows those systems to be redesigned to evade the definition.

Here's the definition:

The term "covered peer-to-peer product" shall mean a widely available device, or computer program for execution on a large number of devices, communicating over the Internet or any other publicly available network and performing or causing the performance at each such device all of the following functions:

(i) providing search information relating to copies or phonorecords available for transmission to other devices;

(ii) locating other devices that provide information relating to copies or phonorecords available for transmission that is responsive to search requests describing desired copies or phonorecords; and

(iii) transmitting a requested copy or phonorecord to another device that located the copy or phonorecord through such other device's performance of the function described in clause (ii);

unless the provider of the device or computer program has the right and ability to control the copies or phonorecords that may be located by its use.

It looks like there are several ways to design a P2P system that evades this definition:

The definition requires each device to do all three of the enumerated functions. A system could have some devices do a subset of the functions.

The product must be a device or a program, which would appear to exempt systems that use multiple programs to perform different functions.

Function (iii) requires that the copy be transmitted to another device, and that other device must have located the copy to be transmitted via function (ii). Data could move through intermediaries that don't use function (ii).

As I've written before, it's awfully hard to come up with a statutory definition of peer-to-peer, because many popular and completely legitimate services on the net are designed in a peer-to-peer style; and because there is nothing special about the particular design strategy used by today's P2P filesharing systems.

Business Week on Chilled Researchers

Heather Green at Business Week has a nice new piece, "Commentary: Are the Copyright Wars Chilling Innovation?" Despite the question mark in the title, it's clear from the piece that innovation is being chilled, especially in the research community.

The piece starts out by retelling the story of the legal smackdown threatened against my colleagues and me over a paper on digital watermarking technology. It goes on to discuss the chilling effect of copyright-related overregulation on others:

Intimidation isn't hard to spot in academia. Aviel Rubin, a Johns Hopkins University professor who last year uncovered flaws in electronic-voting software developed by Diebold Inc. (DBD), says he spends precious time plotting legal strategies before publishing research connected in any way to copyrights. Matthew Blaze, a computer scientist at the University of Pennsylvania, avoids certain types of computer security-related research because the techniques are also used in copy protection.

The pall has spread over classrooms as well. Eugene H. Spafford, a professor and digital-security expert at Purdue University, and David Wagner, an associate professor of computer science at the University of California at Berkeley, are refusing to take on teaching assignments in certain areas relating to computer security. "The problem isn't that we're worried about prosecution from the government. The problem is the civil lawsuits from the movie and music industries," Spafford says. "I don't have the resources to deal with that."

Rubin, Blaze, Spafford, and Wagner are all leaders in the field, and all are avoiding legitimate and useful research and/or teaching because of the DMCA and laws like it.

The movie industry, as usual, offers nothing but the suspension of disbelief. Fritz Attaway: "It's easy to assert you feel chilled, but I don't see any evidence to support that". This from an industry with a long record of suing technical innovators.

[link via SNTReport.com]

Recent Induce Act Draft

Reportedly, the secret negotiations to rewrite the Induce Act are ongoing. I got hold of a recent staff discussion draft of the Act. It's labeled "10/1" but I understand that the negotiators were working from it as late as yesterday.

I'll be back later with comment.

UPDATE (8 PM): This draft is narrower than previous ones, in that it tries to limit liability to products related to "peer-to-peer" infringement. Unfortunately, the definition of peer-to-peer is overbroad. Here's the definition:

the term “peer-to-peer” shall mean any generally available product or service that enables individual consumers’ devices or computers, over a publicly available network, to make a copy or phonorecord available to, and locate and obtain a copy or phonorecord from, the computers or devices of other consumers who make such content publicly available by means of the same or an interoperable product or service, where –

(1) such content is made publicly available among individuals whose actual identities [and electronic mail address] are unknown to one another; and

(2) such program is used in a manner in which there is no central operator of a central repository, index or [directory] who can remove or disable access to allegedly infringing content.

By this definition, the Web is clearly a peer-to-peer system. Arguably, the Internet itself may be a peer-to-peer system as well.

What's the Cybersecurity Czar's Job?

The sudden resignation of Amit Yoran, the Department of Homeland Security's "Cybersecurity Czar", reportedly due to frustration at being bureaucratically marginalized, has led to calls to upgrade the position, from the third- or fourth-level administrator billet that Yoran held, to a place of real authority in the government. If you're going to call someone a czar, you at least ought to give him some power.

But while we consider whether the position should be upgraded, we should also ask what the cybersecurity czar should be doing in the first place.

One uncontroversial aspect of the job is to oversee the security of the government's own computer systems. Doing this will require the ability to knock heads, because departments and offices won't want to change their practices and won't want to spend their budgets on hiring and retaining top quality system administrators. That's one good argument for upgrading the czar's position, perhaps affiliating it with a government-wide Chief Information Officer (CIO) function.

A harder question is what the government or its czar can do about private-sector insecurity. The bully pulpit is fine but it only goes so far. What, if anything, should the government actually do to improve private-sector security?

Braden Cox at Technology Liberation Front argues that almost any government action will do more harm than good.

In an article I wrote last year when Yoran was first appointed, I argued that the federal government has a role to play in cybersecurity, but that it should not be in the business of regulating private sector security. Mandated security audits, stringent liability rules, or minimum standards would not necessarily make software and networks more secure than would a more market-based approach, though it would surely help employ more security consultants and increase the bureaucracy and costs for industry.

Certainly, most of the things the government can do would be harmful. But I don't see the evidence that the market is solving this problem. Despite the announcements that Microsoft and others are spending more on security, I see little if any actual improvement in security.

There's also decent evidence of a market failure in cybersecurity. Suppose Alice buys her software from Max, and Max can provide different levels of security for different prices. If Alice's machine is compromised, she suffers some level of harm, which she will take into account in negotiating with Max. But a breakin to Alice's machine will turn that machine into a platform for attacking others. Alice has no incentive to address this harm to others, so she will buy less than a socially optimal level of security. This is not just a theoretical possibility – huge networks of compromised machines do exist and do sometimes cause serious trouble.
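The externality argument above can be made concrete with a small model. The following is an added example, not code or analysis from the original post; the cost curve, the compromise probability and the dollar figures are assumptions chosen so the arithmetic comes out cleanly. Alice picks a security level s (the fraction of attacks the product stops); Max charges a convex price k*s/(1-s) for it; a compromise costs Alice h_self and costs everyone else h_others. Alice minimizes her own expected cost, society minimizes the total, and the gap between the two optima is the under-investment the post describes.

```python
"""
Toy model of the security externality described in the post (added example;
model and numbers are assumptions, not data from the post or from any study).

  cost(s)          = k * s / (1 - s)      assumed price of security level s, convex,
                                          unbounded as s -> 1 (perfect security is unaffordable)
  P(compromise)    = 1 - s
  harm to Alice    = h_self   on compromise
  harm to others   = h_others on compromise (her machine becomes an attack platform)

Alice minimises   cost(s) + (1 - s) * h_self
Society minimises cost(s) + (1 - s) * (h_self + h_others)
"""
import math


def security_cost(s: float, k: float) -> float:
    """Price Max charges for security level s under the assumed convex cost curve."""
    if not 0.0 <= s < 1.0:
        raise ValueError("security level must be in [0, 1)")
    return k * s / (1.0 - s)


def expected_total_cost(s: float, k: float, harm: float) -> float:
    """Security spending plus expected loss from compromise for whoever bears `harm`."""
    return security_cost(s, k) + (1.0 - s) * harm


def optimal_security(k: float, harm: float) -> float:
    """Security level that minimises expected_total_cost, in closed form.

    d/ds [k*s/(1-s)] = k/(1-s)^2, so the first-order condition
    k/(1-s)^2 = harm gives s* = 1 - sqrt(k/harm).  If the marginal
    cost at s = 0 (which is k) already exceeds the harm, buy nothing.
    """
    if harm <= k:
        return 0.0
    return 1.0 - math.sqrt(k / harm)


def grid_optimal_security(k: float, harm: float, steps: int = 10_000) -> float:
    """Brute-force check of optimal_security over an evenly spaced grid."""
    best_s, best_cost = 0.0, expected_total_cost(0.0, k, harm)
    for i in range(1, steps):
        s = i / steps
        c = expected_total_cost(s, k, harm)
        if c < best_cost:
            best_s, best_cost = s, c
    return best_s


def externality_gap(k: float, h_self: float, h_others: float) -> dict:
    """Compare Alice's private choice with the socially optimal one.

    Alice ignores h_others, so she buys s_private; the social optimum
    counts it, giving s_social >= s_private.  The difference in compromise
    probability, (1 - s_private) - (1 - s_social), times h_others is the
    extra expected harm third parties absorb because of her choice.
    """
    s_private = optimal_security(k, h_self)
    s_social = optimal_security(k, h_self + h_others)
    extra_harm = (s_social - s_private) * h_others
    return {
        "s_private": s_private,
        "s_social": s_social,
        "extra_expected_harm_to_others": extra_harm,
    }


if __name__ == "__main__":
    # Constructed figures: k = 100; a compromise costs Alice 400 and everyone else 1200.
    # Alice stops at s = 0.5, society would want s = 0.75.
    print(externality_gap(k=100.0, h_self=400.0, h_others=1200.0))
```

The shape of the result does not depend on the particular numbers: whenever h_others is positive, s_social exceeds s_private, which is exactly the "less than a socially optimal level of security" claim. The two policy options the post goes on to discuss map onto the model directly: government purchasing that prices in the full social cost is a buyer acting on h_self + h_others, and a liability rule is a way of moving some of h_others back onto Alice (or onto Max) so that the private optimum shifts toward the social one.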

Of course, the existence of a problem does not automatically imply that government action is required. Is there anything productive the government can do to address this market failure?

I can see two possibilities. The first approach is for the government to use its market power, as a buyer of technology, to try to nudge the market in the right direction. Essentially, the government would pay for compromise-resistance, beyond its market incentive to do so, in order to bolster the market for more compromise-resistant software. For example, it might, in deciding what to buy, try to take into account the full social cost of potential breakins to its computers. Exactly how to make this happen, within a budget-conscious bureaucracy, is a challenge that I can't hope to address here.

The second approach government might take is to impose some form of liability, on somebody, for the types of security breaches associated with this market failure. Liability could be placed on the user (Alice, in our example above) or on the technology vendor. There has been lots of talk about the possibility of liability rules, but no clear picture has emerged. I haven't studied the issue enough to have a reliable opinion on whether liability changes are a good idea, but I do know that the idea should not be dismissed out of hand.

What's clear, I think, is that none of these possibilities require a "czar" position of the sort that Yoran held. Steps to improve cybersecurity inside the government need muscle from a CIO type. Changes to liability rules should be studied, but if they are adopted they won't require government staff to administer them. We don't need a czar to oversee the private sector.


Sin in Haste, Repent at Leisure

Ernest Miller, continuing his stellar coverage of the Induce Act, reports that, according to PublicKnowledge:

An all-star game of private sector legislative drafters will start at 10:30 [today]. There will be representatives from consumer electronics, Verizon, CDT, and others on our team and from the usual suspects on the other team. They are supposed to produce a draft by 4 p.m. That draft will then be, probably revised, to see if it can be marked up next week.

Yes, you read that right: critically important decisions about our national innovation policy need to be made, and a small group has been given a few hours to make them.

The result of this process will be yet another Induce Act draft. Doubtless it will take the same approach – blanket bans on broad classes of behavior, with narrow carveouts to protect the present business plans of the groups in the room – as the previous bad drafts.

How bad have these drafts been? Well, as far as I can tell, the now-current draft would appear to ban the manufacture and sale of photocopy machines by companies like Xerox.

Xerox induces infringement because, when it makes and sells photocopiers, it "engage[s] in conscious and deliberate affirmative acts that a reasonable person would expect to result in widespread [copyright infringement] taking into account the totality of circumstances." After all, everybody knows that photocopiers are sometimes used to infringe, so that widespread distribution of copiers will lead to widespread infringement.

Now we come to the issue of the narrow carveouts. The Induce Act draft does have two subsections that provide carveouts, which appear to be constructed to protect iPods. But those carveouts appear not to protect Xerox. Subsection (C) of the draft exempts some product distributors, but only if the infringements that are induced are entirely private, non-commercial, and done by consumers. This would appear not to protect Xerox, which has many commercial customers. Subsection (D) exempts Xerox's user manuals and advertising, but not the distribution of its copiers, so that doesn't help either. It looks like Xerox would be liable as an inducer under the current draft.

Am I missing something here? Perhaps a reader who is a lawyer can straighten me out. Regardless, this kind of analysis shows the risk induced by the "broad ban; narrow carveouts" approach to tech regulation – the risk that some legitimate business activity will fall outside the carveouts.

This problem is at its worst when regulatory language is written in a hurry, and when only a few stakeholders are invited to participate in drafting it. But that's exactly what is scheduled to be happening, right now, in a conference room in Washington.

DMCA Ruling in BNETD Case

A Federal Court in Missouri has ruled on the BNETD case, which involves contract and DMCA claims, and issues of reverse engineering and interoperability. Because I played a role in the litigation (as an expert), I won't comment on the court's ruling. The rest of you are welcome to discuss it.


Recorded Music Being Replaced by Other Media

The music industry likes to complain about sales lost to piracy, but figures that show huge sales declines only tell part of the story. Before we blame this trend on infringement, we have to make several assumptions, including that the demand for music (whether purchased or pirated) has remained steady.

Figures available from the US Census bureau suggest otherwise. Data on "Media Usage and Consumer Spending" abstracted from a study by Veronis Suhler Stevenson show the average number of hours spent listening to music by US residents age 12 and older has declined steadily since 1998 (from 283 to a projected 219 in 2003, a 21% decline). Meanwhile, home video, video games, and consumer Internet have seen dramatic gains. This suggests that people are turning to new forms of entertainment (i.e., the Internet, video games, and DVDs) at the expense of recorded music.

Here’s the data, extracted from the Census Bureau report, on the number of hours Americans spent using various types of media in 1998 and 2003.

Activity               Hours, 1998   Hours, 2003 (proj.)   Change (hours)
TV                            1551                  1656             +105
Radio                          936                  1014              +78
Box office                      13                    13                0
Home video                      36                    96              +60
Interactive TV                   0                     3               +3
Recorded music                 283                   219              -64
Video games                     43                    90              +47
Consumer Internet               54                   174             +120
Daily newspapers               185                   173              -12
Consumer books                 120                   106              -14
Consumer magazines             125                   116               -9
Total                         3347                  3661             +314

(Source: US Census Bureau, Statistical Abstract of the United States: 2003, p. 720.)

(Note 1: We chose to use 2003 as the ending point, even though the source includes projected 2004 data, on the assumption that the 2003 Statistical Abstract's projected data would be more trustworthy for 2003 than for 2004. Using 2004 as the endpoint would not materially affect the analysis.)

(Note 2: It is possible that part of the decline in recorded music hours may be an artifact of the study methodology. The table caption states that the data for categories including recorded music were based on "survey research and consumer purchase data". To the extent that the estimate of music listening hours is based on survey data, it can serve as a possible cause of the drop in music sales. But to the extent that the listening time estimate might be inferred from the drop in sales, it should not be used to explain the sale drop. More methodological details might be available in the VSS report, but that is not available to the public.

However, we think it is unlikely that the listening time estimate is derived entirely from sales data. According to the same Census Bureau report (which cites as its source the same Veronis Suhler Stevenson report), per-capita spending on recorded music fell by only 4% from 1998 to 2003; the RIAA estimated a 15% drop in its total recorded music revenue over the same period. It seems unlikely that a 21% drop in listening time would be inferred entirely from a 4% or 15% spending drop.)

(Note 3: VSS wants $2000 for a copy of their report. We're not in a position to pay that much. If anybody has a copy of the report and is able to fill us in about their methodology, we'd be grateful.)

[This entry was written by Alex Halderman and Ed Felten. If you cite this, please don't attribute authorship to Ed alone.]


SunnComm Follies

Ashlee Vance at the Register tells the amazing story of SunnComm, the DRM company whose CD "protection" product was famously defeated by holding down a PC's Shift key. It's one of those true stories that would be hopelessly implausible if told as fiction. Here's the opening paragraph:

You might expect one of the world's leading digital rights management (DRM) technology makers to have a rich history in either the computing or music fields or both. This is not the case for SunnComm International Inc. Instead, the firm's experience revolves around a troubled oil and gas business, an Elvis and Madonna impersonator operation and even a Christmas tree farm.

The story goes on with shell companies, phantom sales contracts, SEC investigations, shareholder lawsuits, and many, many excuses from the CEO. Oh yeah, at some point the company found time to develop a laughably weak CD copy "protection" product, to threaten legal armageddon against my student Alex Halderman when he wrote a paper analyzing the technology and detailing its weaknesses, and to somehow sell the technology to record companies despite its utter failure to keep even one song off the file-sharing networks.

Readers who are even moderately skeptical of CEO excuses will recognize this company for what it is. And remember, this company can plausibly claim to be the leader in music DRM. Gives you lots of confidence in the viability of DRM, doesn't it?


A Roadmap for Forgers

In the recent hooha about CBS and the forged National Guard memos, one important issue has somehow been overlooked – the impact of the memo discussion on future forgery. There can be no doubt that all the talk about proportional typefaces, superscripts, and kerning will prove instructive to would-be amateur forgers, who will know not to repeat the mistakes of the CBS memos' forger. Who knows, some amateur forgers may even figure out that if you want a document to look like it came from a 1970s Selectric typewriter, you should type it on a 1970s Selectric typewriter. The discussion, in other words, provides a kind of roadmap for would-be forgers.

This kind of tradeoff, between open discussion and future security worries, is common with information security issues – and this is an infosecurity issue, since it has to do with the authenticity of records. Any discussion of the pros and cons of a particular security system or artifact will inevitably reveal information useful to some hypothetical bad guy.

Nobody would dream of silencing the CBS memos' critics because of this; and CBS would have been a laughingstock had it tried to shut down the discussion by asserting future forgery fears. But in more traditional infosecurity applications, one hears such arguments all the time, especially from the companies that, like CBS, face embarrassment if the facts are disclosed.

What's true with CBS is true elsewhere in the security world. Disclosure teaches the public the truth about the situation at hand (in this case the memos), a benefit that shouldn't be minimized. Even more important, disclosure deters future sloppiness – you can bet that CBS and others will be much more careful in the future. (You might think that the industry should police itself so that such deterrents aren't necessary; but experience teaches otherwise.)

My sense is that it's only the remote and mysterious nature, for most people, of cybersecurity that allows the anti-disclosure arguments to get traction. If people thought about most cybersecurity problems in the same way they think about the CBS memos, the cybersecurity disclosure argument would be much healthier.
