Steve Schultze's blog

New Search and Browsing Interface for the RECAP Archive

We have written in the past about RECAP, our project to help make federal court documents more easily accessible. We continue to upgrade the system, and we are eager for your feedback on a new set of functionality.

One of the most-requested RECAP features is a better web interface to the archive. Today we're releasing an experimental system for searching and browsing, at archive.recapthelaw.org. There are also a couple of extra features that we're eager to get feedback on. For example, you can subscribe to an RSS feed for any case in order to get updates when new documents are added to the archive. We've also included some basic tagging features that let anybody add tags to any case. We're sure that there will be bugs to be fixed or improvements that can be made. Please let us know.

The first version of the system was built by an enterprising team of students in Professor Ed Felten's "Civic Technologies" course: Jen King, Brett Lullo, Sajid Mehmood, and Daniel Mattos Roberts. Dhruv Kapadia has done many of the subsequent updates. The links from the RECAP Archive pages point to files on our gracious host, the Internet Archive.

See, for example, the RECAP Archive page for United States of America v. Arizona, State of, et al. This is the Arizona District Court case in which the judge last week issued an order granting injunction against several portions of the controversial immigration law. As you can see, some of the documents have a "Download" link that allows you to directly download the document from the Internet Archive, whereas others have a "Buy from PACER" link because no RECAP users have yet liberated the document.

A Major Internet Milestone: DNSSEC and SSL

On July 15th, a small but significant internet event occurred. On that day, years of planning culminated in the deployment of a cryptographic signature on the root DNS zone. To simplify greatly, this means that internet users will soon be able to have a much higher degree of trust in the hierarchical Domain Name System by utilizing the powers of recursion and cryptography. When a user's computer is told that the IP address for "gmail.com" is 72.14.204.19, the user can be sure that this answer is true. This is important if you are someone such as a Chinese dissident who wants to reliably and securely reach gmail.com in order to communicate with your peers. The rollout of this throughout all domains, DNS resolvers, and client applications will take a little while, but the basic infrastructure is now in place.

This mitigates a certain class of vulnerabilities that web users used to face. Although it forecloses attacks at the domain name-to-IP address stage of requesting a web page, it does not necessarily foreclose attacks at other stages. For instance, an attacker that gets between you and the server you are trying to reach can simply claim that he is the server at 72.14.204.19. Our traditional way of protecting against this style of attack has been to rely on Certificate Authorities -- trusted third-parties who certify digital key-pairs only for the true owners of a given domain name. Thus, even if an attacker tries to execute one of these "man-in-the-middle" attacks, he won't possess the secret portion of the digital key-pair that is required to prove that his communications come from the true gmail.com. Your browser checks for a certified corresponding public key in the process of setting up a secure SSL/TLS connection to https://gmail.com.

Unfortunately, there are several technical, operational, and jurisdictional shortcomings of the Certificate Authority model. As I discussed in an earlier post, many of these problems are not present in the hierarchical and delegated model of DNS. However, DNS does not inherently provide the ability to store domain name-to-key-pair information. But could it? At one of the recent DNSSEC deployment ceremonies, Vint Cerf noted:

More has happened here today than meets the eye. An infrastructure has been created for a hierarchical security system, which can be purposed and re-purposed in a number of different ways. And so I would predict that although we started out putting this system together to assure that the domain name lookups return valid internet addresses, that in the long run this hierarchical structure of trust will be applied to a number of other functions that require strong authentication. And so you will have seen a new major milestone in the internet story.

I believe that storing SSL/TLS keys in DNSSEC-secured DNS records will be the first significant "other function" that will emerge. An alternative to Certificate Authorities for domain-to-key mapping is sorely needed. There are two major practical hurdles to getting there: 1) We must define a standard for placing keys in DNS and 2) We must secure the "last mile" from the service provider's DNS resolver to the end-user's computer.

The first hurdle involves the type of standard-setting that the internet community is quite familiar with. On a technical level, it means that we need to collectively decide what these DNS records look like. The second hurdle involves building more functionality into end users' software so that it can do cryptographic validation of DNS results rather than blindly trusting its upstream DNS resolver. There may be temporary ways to do this within web browser code, but ultimately it will probably have to be built into what is called the "stub resolver" -- a local service running on your computer that usually just asks for the results from the upstream resolver.
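As an added illustration (not code from this post or from any deployed DNSSEC software), the Go program below models both hurdles in miniature: a hierarchy root -> com -> gmail.com in which each parent signs a digest of its child's key, a hypothetical "TLSKEY" record (the record format is an assumption, since the standard discussed above had not yet been defined) carrying the digest of the server's TLS public key, and a client that validates the whole chain itself from the root trust anchor instead of taking its upstream resolver's word. It also shows why the man-in-the-middle described earlier cannot simply rewrite the record: without the zone's signing key the signature no longer verifies.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Record is a simplified signed DNS record: owner, type, data and the signing zone's signature.
type Record struct {
	Name, Type string
	Data, Sig  []byte
}

// must panics on error; key generation, marshalling and signing cannot fail on these inputs.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey generates a zone signing key (DNSKEY analogue); only the public half is published.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// keyDigest is the DS-style digest of a public key: SHA-256 over its DER encoding.
func keyDigest(pub *ecdsa.PublicKey) []byte {
	s := sha256.Sum256(must(x509.MarshalPKIXPublicKey(pub)))
	return s[:]
}

// digest binds name, type and data together, so a signature cannot be replayed onto another record.
func (r Record) digest() []byte {
	s := sha256.Sum256(append([]byte(r.Name+"\x00"+r.Type+"\x00"), r.Data...))
	return s[:]
}

// sign is what a zone operator does when publishing a record.
func sign(zoneKey *ecdsa.PrivateKey, name, typ string, data []byte) Record {
	r := Record{Name: name, Type: typ, Data: data}
	r.Sig = must(ecdsa.SignASN1(rand.Reader, zoneKey, r.digest()))
	return r
}

// Chain is what a validating stub resolver collects: per level a parent-signed delegation record
// whose data is the digest of the child's key (DS analogue), the child keys, and the wanted record.
type Chain struct {
	Delegations []Record
	Keys        []*ecdsa.PublicKey
	Leaf        Record
}

// Validate walks from the trust anchor (root key) to the leaf and returns the leaf data only if
// every link verifies: the check the end user's own software must do instead of trusting upstream.
func Validate(anchor *ecdsa.PublicKey, c Chain) ([]byte, error) {
	cur := anchor
	for i, ds := range c.Delegations {
		if i >= len(c.Keys) || !ecdsa.VerifyASN1(cur, ds.digest(), ds.Sig) ||
			!bytes.Equal(ds.Data, keyDigest(c.Keys[i])) {
			return nil, fmt.Errorf("delegation for %s failed validation", ds.Name)
		}
		cur = c.Keys[i]
	}
	if !ecdsa.VerifyASN1(cur, c.Leaf.digest(), c.Leaf.Sig) {
		return nil, fmt.Errorf("bad signature on %s %s", c.Leaf.Name, c.Leaf.Type)
	}
	return c.Leaf.Data, nil
}

// ClientAccepts validates the chain, then compares the published digest with the public key
// the TLS server actually presented in the handshake.
func ClientAccepts(anchor *ecdsa.PublicKey, c Chain, presented *ecdsa.PublicKey) bool {
	pin, err := Validate(anchor, c)
	return err == nil && bytes.Equal(pin, keyDigest(presented))
}

// Scenario builds root -> com -> gmail.com and publishes a hypothetical "TLSKEY" record (a type
// constructed for this example) holding the digest of the server's TLS key. It reports whether the
// genuine key is accepted and whether a record rewritten in transit, which cannot be re-signed, is.
func Scenario() (genuineOK, forgedOK bool) {
	root, com, gmail := newKey(), newKey(), newKey()
	server, mitm := newKey(), newKey() // stand-ins for the server's and an interceptor's TLS keys
	chain := Chain{
		Delegations: []Record{sign(root, "com", "DS", keyDigest(&com.PublicKey)),
			sign(com, "gmail.com", "DS", keyDigest(&gmail.PublicKey))},
		Keys: []*ecdsa.PublicKey{&com.PublicKey, &gmail.PublicKey},
		Leaf: sign(gmail, "gmail.com", "TLSKEY", keyDigest(&server.PublicKey)),
	}
	genuineOK = ClientAccepts(&root.PublicKey, chain, &server.PublicKey)
	forged := chain // same delegations and signature; only the leaf's data is swapped in transit
	forged.Leaf.Data = keyDigest(&mitm.PublicKey)
	forgedOK = ClientAccepts(&root.PublicKey, forged, &mitm.PublicKey)
	return genuineOK, forgedOK
}
```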

It is important to note that none of this makes Certificate Authorities obsolete. Although the DNS-based approach replaces the most basic type of SSL certificates, the Certificate Authorities will continue to be the only entities that can offer validation of real-world identity of site owners. The DNS-based approach and basic "domain validated" Certificate Authority certificates both verify only that whoever controls the domain name is the entity that your computer is communicating with, without saying who that is. In recent years, "Extended Validation" certificates (the ones that make your browser bar glow green) have begun to be offered by all major certificate authorities. These certificates require more rigorous validation of the identity of the owner, so that for example you know that the person who controls bankofamerica.com is really Bank of America Corporation.

At this year's Black Hat and Defcon, Dan Kaminsky demonstrated some new software he is releasing that could make deploying DNSSEC more easy in general, and that could also address the two main hurdles to placing keys in DNS. He readily admits that his particular implementation is not perfect, and has encouraged critiques and changes. [Update: His slides are available here.]

Hopefully, with the input of the many smart folks in the security, internet standards, and software development communities, we will see a production-quality DNSSEC-secured solution to domain-to-key authentication in the near future.

Private Information in Public Court Filings

Court proceedings are supposed to be public. When they are public and easily accessible, citizens know the law and the courts are kept accountable. These are the principles that underpin RECAP, our project to help liberate federal court records from behind a pay-wall.

However, appropriate restrictions on public disclosure are equally critical to democracy-enhancing information management by the judiciary. Without protections on personal data, trade secrets, the addresses of cooperating witnesses, or other harmful information, the courts would become a frightening place for many citizens in need of justice. Peter Winn has described this challenge in detail.

Thus, somewhat counter-intuitively, it is important to restrict some legal information in order to set the rest free. That is why our courts have a strong legacy of sealing cases when, on balance, their disclosure would do more harm to justice than good. When the risks don't require the entire case to be sealed, portions of documents can be redacted. Federal Rule of Civil Procedure 5.2 and Federal Rule of Bankruptcy Procedure 9037 define these instances.

But what happens when mistakes are made or negligence occurs? This has been a largely unexplored area to date. In a 2005 bankruptcy case in the US District of South Carolina, Green Tree Servicing included the debtors' social security numbers in a public filing. The document was made available via the courts' electronic public access system (PACER) for viewing by anyone who was willing to pay the fee. The debtors filed suit in 2008 against Green Tree for disclosing their personal information counter to the rules I mentioned above, as well as the Gramm-Leach-Bliley Act, and other provisions. This was to be an interesting case, but (unfortunately for scholars and perhaps fortunately for the parties) they settled.

However, this was not the end of Green Tree's entanglement with these provisions. In 2009 they were servicing another pair of debtors, and they likewise included their social security numbers in the filing. The debtors filed suit against Green Tree under similar reasoning. This time, the parties didn't settle. In its opinion, the US Bankruptcy Court for the Southern District of Indiana dismissed all claims that were based on a private right of action against Green Tree, but left open the possibility that a contempt of court claim could prevail:

The Debtors have pled sufficient facts to state a claim for contempt under §105 for Greentree's failure to comply with Rule 9037. The act of limiting access to [the document containing SSNs] may be a sufficient remedy under Rule 9037, and a finding of contempt would require that Greentree was aware of its violation of Rule 9037. [...] Greentree has "inadvertently" failed to redact social security numbers on proofs of claim forms in at least one other case in which the debtors alleged a claim for contempt. See, In re Petty, No. 08-34375 HCD (Bankr. N. D. Ind. September 21, 2009). Whether the failure to redact here was coincidence or something else is not for the court to decide at this juncture. Nonetheless, the Debtors have pled sufficient facts to establish their claim for contempt under §105(a) due to Greentree's failure to comply with Rule 9037 and thus, that count survives Greentree's motion to dismiss and will proceed to trial. All other counts shall be dismissed.

The outcome appears to hinge largely on the "willfulness" of Green Tree. Given the 2005 South Carolina case, it seems evident that Green Tree should have been quite aware of the federal rules of procedure regarding redaction. It will be interesting to see how the case turns out.

In the context of these recent cases, the 4th Circuit issued a decision yesterday on a related matter. In Ostergren v. Cuccinelli, the court ruled that a third party who downloaded public records ("land records") from government-provided web sites would not be liable for damages when republishing those records online -- even if that third party knew that the records contained private information such as social security numbers.

The facts of the case are quite interesting. Betty Ostergren, a pro-privacy advocate, had for many years tried to get the State of Virginia to implement and then to improve its automatic redaction technology for these records. Virginia was making some effort to do so, but evidently the various counties were not working as fast as she would like, leaving many documents unredacted. Indeed, the original legislation setting the redaction system into motion would have required the task to have been completed by July 1, 2010, but it didn't go into effect because the General Assembly failed to appropriate the necessary funds. Ostergren decided that the only way to motivate the necessary attentiveness was to begin publishing land records with unredacted SSNs on her own web site. For maximum effect, she chose land records from known public officials.

Virginia enacted a statute designed to stop this type of behavior, and Virginia filed suit under that statute. The Electronic Privacy Information Center filed an amicus brief in support of Ostergren. The 4th Circuit delivered a double-whammy to Virginia: not only did it uphold the district court's ruling that Ostergren's site warranted First Amendment protection, it ruled that the protection should extend even further than the district court had ruled. This interpretation was made even easier for the court given the fact that she was posting the materials for the explicit purpose of drawing attention to the problem -- it was disclosure, critique, and commentary via simple transparency. As the court noted:

Under Cox Broadcasting and its progeny, the First Amendment does not allow Virginia to punish Ostergren for posting its land records online without redacting SSNs when numerous clerks are doing precisely that.[19]

[19] For the same reason, Virginia could not punish Ostergren for publishing a SSN-containing land record that had accidentally been overlooked during its imperfect redaction process—having a one to five percent error rate—unless Virginia had first corrected that error. Even then, we leave open whether under such circumstances the Due Process Clause would not preclude Virginia from enforcing section 59.1-443.2 without first giving Ostergren adequate notice that the error had been corrected.

Thus, we have an intriguing reversal of the principle I set out above (that it is important to restrict some legal information in order to set the rest free). In this case, it was important to (hopefully temporarily) make more visible the very type of information that ultimately needed to be restricted.

Announcing the CITP Visitors for 2010-2011

We are delighted to announce the CITP visiting scholars, practitioners, and collaborators for the 2010-2011 academic year. The diverse group of leading thinkers represents CITP's highly interdisciplinary interests. We are looking forward to their work at the center, and welcome them to the family. The short list is below, but you can see more description on the announcement page.

  • Ronaldo Lemos, Fundação Getulio Vargas Law School
  • Fengming Liu, Microsoft
  • Frank Pasquale, Seton Hall
  • Wendy Seltzer, Berkman Center
  • Susan Crawford, Cardozo Law School
  • Alex Halderman, University of Michigan
  • Joe Hall, UC Berkeley School of Information
  • Ron Hedges, Former Federal Magistrate Judge
  • Adrian Hong, Pegasus Project
  • Rebecca MacKinnon, New America Foundation
  • Philip Napoli, Fordham
  • W. Russell Neuman, University of Michigan
  • Steven Roosa, Reed Smith

Broadband Politics and Closed-Door Negotiations at the FCC

The last seven days at the FCC have been drama-filled, and that's not something you can often say about an administrative agency. As I noted in my last post, the FCC is considering reclassifying broadband as a "common carrier" service. This would subject the access portion of the service to some additional regulations which currently do not apply, but have (to some extent) been applied in the past. Last Thursday, the FCC voted 3-2 along party lines to pursue a Notice of Inquiry about this approach and others, in order to help solidify its ability to enforce consumer protections and implement the National Broadband Plan in the wake of the Comcast decision in the DC Circuit Court. There was a great deal of politicking and rhetoric around the vote. Then, on Monday, the Wall Street Journal reported that lobbyists were engaged in closed-door meetings at the FCC, discussing possible legislative compromises that would obviate the need for reclassification. This led to public outcry from everyone who was not involved in the meetings, and allegations of misconduct by the FCC for its failure to disclose the meetings. If you sit through my description of the intricacies of reclassification, I promise to give you the juicy bits about the controversial meetings.

The Reclassification Vote and the NOI
As I explained in my previous post, the FCC faces a dilemma. The DC Circuit said it did not have the authority under Title I of the Communications Act to enforce the broadband openness principles it espoused in 2005. This cast into doubt the FCC's ability to not only police violations of the principles but also to implement many portions of the National Broadband Plan. In the past, the Commission would have had unquestioned authority under Title II of the Act, but in a series of decisions from 2002-2007 it voluntarily "deregulated" broadband by classifying it as a Title I service. Chairman Genachowski has floated what he calls a "Third Way" approach in which broadband is not classified as a Title I service anymore, and is not subject to all provisions of Title II, but instead is classified under Title II but with extensive "forbearance" from portions of that title.

From a legal perspective, the main question is whether the FCC has the authority to reclassify the transmission component of broadband internet service as a Title II service. This gets into intricacies of how broadband service fits into statutory definitions of "information service" (aka Title I), "telecommunications", "telecommunications service" (aka Title II), and the like. I was going to lay these out in detail, but in the interest of getting to the juicy stuff I will simply direct you to Harold Feld's excellent post. For the "Third Way" approach to work, the FCC's interpretation of a "telecommunications service" will have to be articulated to include broadband internet access while not also swallowing a variety of internet services that everyone thinks should remain unregulated -- sites like Facebook, content delivery networks like Akamai, and digital media providers like Netflix. However, this narrow definition must not be so narrow that the FCC does not have jurisdiction to police the types of practices it is concerned about (for instance, providers should not be able to discriminate in their delivery of traffic simply by moving the discrimination from the transport layer of the network to the logical layer, or by partnering with an affiliated "ISP" that does the discrimination for them). I am largely persuaded by Harold's arguments, but the AT&T lobbyists present the other side as well. One argument that I don't see anyone making (yet) is that presuming the transmission component is subject to Title II, the FCC would seem to have a much stronger argument for exercising ancillary jurisdiction with respect to interrelated components like non-facilities-based ISPs that rely on that transmission component.

The other legal debate involves an even more arcane discussion about whether -- assuming there is a "telecommunications service" offered as part of broadband service -- that "telecommunications service" is something that can be regulated separately from the other "information services" (Title I) that might be offered along with it. This includes things like an email address from your provider, DNS, Usenet, and the like. Providers have historically argued that these were inseparable from the internet access component, and the so-called "Stevens Report" of 1998 introduced the notion that the "inextricably intertwined" nature of broadband service might have the result of classifying all such services as entirely Title I "information services." To the extent that this ever made any sense, it is far from true today. What consumers believe they are purchasing is access to the internet, and all of those other services are clearly extricable from a definitional and practical standpoint (indeed, customers can and do opt for competitors for all of them on a regular basis).

But none of these legal arguments are at the fore of the current debate, which is almost entirely political. Witness, for example, John Boehner's claim that the "Third Way" approach was a "government takeover of the Internet," Fred Upton's (R-MI) claim that the approach is a "blind power grab," modest Democratic sign-on to an industry-penned and reasoning-free opposition letter, and an attempt by Republican appropriators to block funding for the FCC unless they swore off the approach. This prompted a strong response from Democratic leaders indicating that any such effort would not see the light of day. Ultimately, the FCC voted in favor of the NOI to explore the issue. Amidst this tumult, the WSJ reported that the FCC had started closed-door meetings with industry representatives in order to discuss a possible legislative compromise.

Possible Legislation and Secret Meetings
It is not against the rules to communicate with the FCC about active proceedings. Indeed, such communications are part of a healthy policymaking process that solicits input from stakeholders. The FCC typically conducts proceedings under the "permit but disclose" regime in which all discussions pertaining to the given proceeding must be described in "ex parte" filings on the docket. Ars has a good overview of the ex parte regime. The NOI passed last week is subject to these rules.


Free Press Ad in 6/23 Washington Post

It therefore came as a surprise that a subset of industry players were secretly meeting with the FCC to discuss possible legislation that could make the NOI irrelevant. This issue is made even more egregious by the fact that the FCC just conducted a proceeding on improving ex parte disclosures, and the Chairman remarked:

"Given the complexity and importance of the issues that come before us, ex parte communications remain an essential part of our deliberative process. It is essential that industry and public stakeholders know the facts and arguments presented to us in order to express informed views."

The Chairman's Chief of Staff Edward Lazarus sought to explain away the obligation for ex parte disclosure, and nevertheless attached a brief disclosure letter from the meeting attendees that didn't describe any of the details. There is perhaps a case to be made that the legislative options do not directly fall under the subject matter of the NOI, but even if this position were somehow legally justifiable it clearly falls afoul of the policy intent of the ex parte rules. Harold Feld has a great post in which he describes his nomination for "Worsht Ex Parte Ever". The letter attached to the Lazarus post would certainly take the title if it were a formal ex parte letter. The industry participants in the meetings deserve some criticism, but ultimately the problems can only be resolved by the FCC by demanding comprehensive openness rather than perpetuating a culture of loopholes.

The public outcry continues, from both public interest groups and in the comments on the Lazarus post. If it's true that the FCC admits internally that "they f*cked up", they should do far more to regain the public's trust in the integrity of the notice-and-comment process.

Update: The Lazarus post was just updated to replace the link to the brief disclosure letter with two new links to letters that describe themselves as Ex Parte letters. The first contains the exact same text as the original, and the second has a few bullet points.

Regulating and Not Regulating the Internet

There is increasingly heated rhetoric in DC over whether or not the government should begin to "regulate the internet." Such language is neither accurate nor new. This language implies that the government does not currently involve itself in governing the internet -- an implication which is clearly untrue given a myriad of laws like CFAA, ECPA, DMCA, and CALEA (not to mention existing regulation of consumer phone lines used for dialup and "special access" lines used for high speed interconnection). It is more fundamentally inaccurate because referring simply to "the internet" blurs important distinctions, like the difference between communications transport providers and the communications that occur over those lines.

However, there is a genuine policy debate being had over the appropriate framework for regulation by the Federal Communications Commission. In light of recent events, the FCC is considering revising the way it has viewed broadband since the mid-2000s, and Congress is considering revising the FCC's enabling statute -- the Communications Act. At stake is the overall model for government regulation of certain aspects of internet communication. In order to understand the significance of this, we have to take a step back in time.

Before 2005

In pre-American British law, there prevailed a concept of "common carriage." Providers of transport services to the general public were required to conduct their business on equal and fair terms for all comers. The idea was that all of society benefited when these general-purpose services, which facilitated many types of other commerce and cultural activities, were accessible to all. This principle was incorporated into American law via common-law precedent and ultimately a series of public laws culminating in the Communications Act of 1934. The structure of the Act remains today, albeit with modifications and grafts. The original Act included two regulatory regimes: Title II regulated Common Carriers (telegraph and telephone, at the time), whereas Title III regulated Radio (and, ultimately, broadcast TV). By 1984, it became necessary to add Title VI for Cable (Titles IV and V have assorted administrative provisions), and in 1996 the Act was revised to focus the FCC on regulating for competition rather than assuming that some of these markets would remain monopolies. During this period, early access to the internet began to emerge via dial-up modems. In a series of decisions called the Computer Inquiries, the FCC decided that it would continue to regulate phone lines used to access the internet as common carriers, but it disclaimed direct authority over any "enhanced" services that those lines were used to connect to. The 1996 Telecommunications Act called these "enhanced" services "information services", and called the underlying telephone-based "basic" transport services "telecommunications services". Thus the FCC both did and did not "regulate the internet" in this era.

In any event, the trifurcated nature of the Communications Act put it on a collision course with technology convergence. By the early 2000s, broadband internet access via Cable had emerged. DSL was being treated as a common carrier, but how should the FCC treat Cable-based broadband? Should it classify it as a Title II common carrier, a Title VI cable service, or something else?

Brand X and Its Progeny

This question arose during a period in which a generally deregulatory spirit prevailed at the FCC and in Congress. The 1996 Telecommunications Act contained a great deal of hopeful language about the flourishing competition that it would usher in, making unnecessary decades of overbearing regulation. At the turn of the millennium, a variety of revolutionary networking platforms seemed just around the corner. The FCC decided that it should remove as much regulation from broadband as possible, and it had to choose between two basic approaches. First, it could declare that Cable-based broadband service was essentially the same thing as DSL-based broadband service, and regulate it under Title II (aka, a "telecommunications service"). This had the advantage of being consistent with decades of precedent, but the disadvantage of introducing a new regulatory regime to a portion of the services offered by cable operators, who had never before been subject to that sort of thing (except in the 9th Circuit, but that's another story). The 1996 Act had given the FCC the authority to "forbear" from any obligations that it deemed unnecessary due to sufficient competition, so the FCC could still "deregulate" broadband to a significant extent. The other option was to reclassify cable broadband as a Title I service (aka, an "information service"). What is Title I, you ask? Well, there's very little in Title I of the Communications Act (take a look). It mostly contains general pronouncements of the FCC's purpose, so classifying a service as such is a more extreme way of deregulating a service. How extreme? We will return to this.

The FCC chose this more extreme approach, announcing its decision in the 2002 Cable Modem Order. This set off a prolonged series of legal actions, pitting the deregulatory-spirited FCC against those that wanted cable to be regulated under Title II so that operators could be forced to provide "open access" to competitors who would use their last-mile infrastructure (the same way that the phone company must allow alternative long distance carriers today). This all culminated in a decision by the 9th Circuit that Title I classification was unacceptable, and a reversal of that decision by the Supreme Court in 2005. The case is commonly referred to by its shorthand, Brand X. The majority opinion essentially states that the statute is ambiguous as to whether cable broadband is a Title I "information service" or Title II "telecommunications service", and the Court deferred to the expert agency: the FCC. The FCC immediately followed up by reclassifying DSL-based broadband as a Title I service as well, in order to develop a "consistent regulatory framework across platforms." At the same time, it released a Policy Statement outlining the so-called "Four Freedoms" that nevertheless would guide FCC policy on broadband. The extent to which such a statement was binding and enforceable would be the subject of the next chapter of the debate on "regulating the internet."

Comcast v. FCC

After Brand X and the failure of advocates to gain "open access" provisions on broadband generally, much of the energy in the space shifted to a fallback position: at the very least, they argued, the FCC should enforce its Policy Statement (aka, the "Four Freedoms") which seemed to embody the spirit of some components of the non-discriminatory legacy of common carriage. This position came to be known as "net neutrality," although the term has been subject to a diversity of definitions over the years and is also only one part of a potentially broader policy regime. In 2008, the FCC was forced to confront the issue when it was discovered that Comcast had begun interfering with the BitTorrent traffic of customers. The FCC sought to discipline Comcast under its untested Title I authority, Comcast argued that it had no such authority, and the DC Circuit Court agreed with Comcast. It appears that the Title I approach to deregulation was more extreme than even the FCC thought (although ex-Chairman Powell had no problem blaming the litigation strategy of the current FCC). To be clear, the Circuit Court said that the FCC did not have authority under Title I. But, what if the FCC had taken the alternate path back in 2002, deciding to classify broadband as a Title II service and "forbear" from all of the portions of the statute deemed irrelevant? Can the FCC still choose that path today?

Reclassification

Chairman Genachowski recently announced a proposed approach that would reclassify the transport portion of broadband as a Title II service, while simultaneously forbearing from the majority of the statute. This approach is motivated by the fact that Comcast cast a pall over the FCC's ability to fulfill its explicit mandate from Congress to develop a National Broadband Plan, which requires regulatory jurisdiction in order for the FCC to be able to implement many of its components. I will discuss the reclassification debate in my next post. I'll be at a very interesting event in DC tomorrow morning on the subject, titled The FCC’s Authority Over Broadband Access. For a preview of some of what will be discussed there, I recommend FCC General Counsel's presentation from yesterday (starting at 30 minutes in), and Jon Neuchterlein's comments at this year's Silicon Flatirons conference. I am told that the event tomorrow will not be streamed live, but that the video will be posted online shortly thereafter. I'll update this post when that happens. You can also follow tweets at #bbauth. [Update: the video and transcripts for Panel 1 and Panel 2 are now posted]

A New Communications Act?

In parallel, there has been growing attention to a revision of the Communications Act itself. The theory here is that the old structure simply doesn't speak sufficiently to the current telecommunications landscape. I'll do a follow-up post on this topic as well, mapping out the poles of opinion on what such a revised Act should look like.

Bonus: If you just can't get enough history and contemporary context on the structure of communications regulation, I did an audio interview with David Weinberger back in January 2009.


April 27 Workshop at Princeton CITP: Internet Security, Internet Freedom

On April 27th, the Center for Information Technology Policy is hosting a one-day workshop on campus here at Princeton. We invite you to attend. Here is the summary of the event, called Internet Security, Internet Freedom:

The internet is at once a means for great openness and great control — expression and exclusion. These forces have long been at work online, but have recently come to the fore in debates over the United States' cyber security policy and its increased focus on "internet freedom." The country now has a Cybersecurity "czar" who has presented a 12-part national initiative, and also has a Secretary of State who has forcefully stated the case for internet freedom. But what do these principles mean in practice?

This workshop explores how security and freedom both complement each other and compete. A spectrum of security risks at different layers of the network beg for technical and governance solutions. Flash points like the recent Google-in-China developments highlight the nexus of security and speech. A growing discourse about internet freedom calls out for workable theories and models. This event will bring together technologists, policymakers, and academics to discuss the state of play and viable ways forward.

The keynote speaker will be Alec Ross, Senior Advisor for Innovation in the Office of Secretary of State. Alec will discuss the State Department's increased focus on the issue of Internet freedom. He recently commented that 2009 was "the worst year in the history of the Internet as it related to Internet freedom." The panelists feature a variety of experts on issues of online freedom as well as network security.

Please join us. For more information and instructions on how to register, see the workshop page here:
http://citp.princeton.edu/internet-security-internet-freedom/

CITP is a Google Summer of Code 2010 Mentoring Organization

The Google Summer of Code program provides student stipends for summer work on open source projects. CITP is thrilled to have been chosen as a mentoring organization for 2010, meaning that students will be working on some CITP projects this summer. We think that these projects are very interesting, and potential participants now have the opportunity to propose their ideas for what they'd like to work on. Applications accepted from March 29 to April 9.

You can browse our list of project ideas, read our overall description, and apply here.

Round 2 of the PACER Debate: What to Expect

The past year has seen an explosion of interest in free access to the law. Indeed, something of a movement appears to be coalescing around the issue, due in no small part to the growing Law.gov effort (see the latest list of events). One subset of this effort is our work on PACER, the online document access system for the federal courts. We contend that access to electronic court records should be free (see posts from me, Tim, and Harlan). Our RECAP project helps make some of these documents more accessible, and has gained adoption far above our expectations. That being said, RECAP doesn't solve the fundamental problem: the federal government needs to publish the full public record for free online. Today, this argument came from an unlikely source, the FCC's National Broadband Plan.

RECOMMENDATION 15.1: the primary legal documents of the federal government should be free and accessible to the public on digital platforms. [...]

- For the Judicial branch, this should apply to all judicial opinions.

[...] Finally, all federal judicial decisions should be accessible for free and made publicly available to the people of the United States. Currently, the Public Access to Court Electronic Records system charges for access to federal appellate, district and bankruptcy court records.[7] As a result, U.S. federal courts pay private contractors approximately $150 million per year for electronic access to judicial documents.[8] [Steve note: The correct figure is $150m over 10 years. However it is quite possible that the federal government as a whole spends $150m or more per year for access to case materials.] While the E-Government Act has mandated that this system change so that this information is as freely available as possible, little progress has been made.[9] Congress should consider providing sufficient funds to publish all federal judicial opinions, orders and decisions online in an easily accessible, machine-readable format.

[7] See Public Access To Court Electronic Records—Overview, http://pacer.psc.uscourts.gov/pacerdesc.html (last visited Jan. 7, 2010).
[8] Carl Malamud, President and CEO, Public.Resource.Org, By the People, Address at the Gov 2.0 Summit, Washington, D.C. 25 (Sept. 10, 2009), available at http://resource.org/people/3waves_cover.pdf
[9] See Letter from Sen. Joseph I. Lieberman to Carl Malamud, President and CEO, Public.Resources.Org (Oct. 13, 2009), available at http://bulk.resource.org/courts.gov/foia/gov.senate.lieberman_20091013_from.pdf

This issue is outside of the Commission's direct jurisdiction, but the Broadband Plan is intended as a blueprint for the federal government as a whole. In that context, the notion of ensuring that primary legal materials are available for free online fits perfectly with a broader effort to make government digitally accessible. In a similar vein, a bill was introduced today by Rep. Israel. The Public Online Information Act, backed by the Sunlight Foundation, creates a new federal advisory committee to advise all three branches of government on how to make government information available online for free.

To establish an advisory committee to issue nonbinding government-wide guidelines on making public information available on the Internet, to require publicly available Government information held by the executive branch to be made available on the Internet, to express the sense of Congress that publicly available information held by the legislative and judicial branches should be available on the Internet, and for other purposes.

These two developments are the first of what I expect to be many announcements in the coming months, coming from places like the transparency caucus. These announcements will share a theme -- there is a growing mandate for universal free access to government information, and judicial information is a key component of that mandate. These requirements will increasingly go to the heart of full free access to the public record, and will reveal the discrepancies between different branches in this regard.

The FCC's language doesn't quite get everything right. Most notably, the language focuses on opinions even though there are other components of the record that are key to the public's understanding of the law. Opinions on PACER are already theoretically free, but the kludgy system for accessing them doesn't include all of the opinions, isn't indexable by search engines, and only gives a minimal amount of information about the case that each is a part of. Furthermore, the docket text required to understand the context, and the search functionality required to find the opinions both require a fee. Subsequent calls for free access to case materials will have to be more holistic than the opinions-only language of the Broadband Report.

The POIA language is also a step forward. A federal advisory committee is a good thing in the context of a branch that is more accustomed to the adversarial process than notice-and-comment. However, we will need much more concrete requirements before we will have achieved our goals.

In the context of these announcements, the Administrative Office of the Courts made their own announcement today. The Judicial Conference has voted in favor of two measures that make incremental improvements on the current pay-wall model of access to PACER.

  • Adjust the Electronic Public Access fee schedule so that users are not billed unless they accrue charges of more than $10 of PACER usage in a quarterly billing cycle, in effect quadrupling the amount of data available without charge. Currently, users are not billed until their accounts total at least $10 in a one-year period.
  • Approve a pilot in up to 12 courts to publish federal district and bankruptcy court opinions via the Government Printing Office’s Federal Digital System (FDsys) so members of the public can more easily search across opinions and across courts.

These are minor tweaks on a fundamentally limited system. Don't get me wrong -- a world with these changes is better than a world without. It is slightly easier to avoid spending more than $10 in a given quarter than in a given year, but it's nevertheless likely that you will do so unless you know exactly what you are looking for and retrieve only a few documents. It's also good to establish precedent for GPO publishing case materials, but that doesn't require a limited trial that could end in bureaucratic quagmire. The GPO can handle publishing many documents, and any reasonably qualified software engineer could figure out how to deliver them in short order. What's more, the courts could provide universal free public access today, with zero engineering work: offer a single PACER login that is never billed or, better yet, just stop billing all accounts.

The next round of the PACER debate will be over whether or not we make a fundamental change in access to federal court records, or if we concede minor tweaks and call it a day.


Web Security Trust Models

[This is part of a series of posts on this topic that also includes: Mozilla Debates Whether to Trust Chinese CA, Web Certification Fail: Bad Assumptions Lead to Bad Technology, and A Major Internet Milestone: DNSSEC and SSL]

Last week, Ed described the current debate over whether Mozilla should allow an organization that is allegedly controlled by the Chinese government to be a default trusted certificate authority. The post prompted some very insightful feedback, including questions about alternative trust models. I will try to lay out the different types of models on a high level, and I encourage corrections or clarifications. It's worth restating what we're talking about: how you, as a web user, know that the site you are talking to is who it claims to be (if it is, then you can be confident that your other security measures, like end-to-end encryption, are actually protecting you).

Flat and Inflexible
This is the model we use now. Your browser comes pre-loaded with a list of Certificate Authorities that it will trust to guarantee the authenticity of web sites you visit. For instance, Mozilla (represented by the little red dragon in the diagram) ships Firefox with a list of pre-approved CAs. Each browser vendor makes its own list (here is Mozilla's policy for how to get added). The other major browsers use the same model and have themselves already allowed CNNIC to become trusted for their users. This is a flat model because each CA has just as much authority as the others, thus each effectively sits at the "root" of authority. Indeed any of the CAs can sign certificates for any entity in the world (hence the asterisk in each). They do not coordinate with each other, and can sign a certificate for an entity even if another CA has already done so. Furthermore, they can confer this god-like power on other entities (by signing intermediate CA certificates) without oversight or the prior knowledge of the end users or the entities being signed for.

This is also an inflexible model because there is no reasonable way to impose finer-grained control on the authority of the CAs. The standard used is called X.509. It doesn't allow you to trust Verisign to a greater or lesser degree than the Chinese government -- it is essentially all or nothing for each. You also can't tell your browser to trust CNNIC only for sites in China (although domain name constraints do exist in the standard, they are not widely implemented). It is also inflexible because most browsers intentionally make it difficult for a user to change the certificate list. It might be possible to partially mitigate some of the CA/X.509 shortcomings by implementing more constraints, improving the user interface, adding "out of band" certificate checks (like Perspectives), or generating more paranoid certificate warnings (like Certificate Patrol).

Decentralized and Dependent
In the early days of the web, an alternative approach already existed. This model did away entirely with a default set of external trusted entities and gave complete control to the individual. The idea was that you would start by trusting only people you "knew" (smiley faces in the diagram) to begin to build a "web of trust." You then extend this web by trusting those people to vouch for others that you haven't met (kind of like a secure virtual version of Goodfellas). This makes it a fundamentally decentralized model. There is nothing limiting certain entities from gaining the trust of many people and therefore becoming de facto Certificate Authorities. This has only happened within technically proficient communities, and in the case of USENIX they eventually discontinued the service.

So, this is a system that is highly dependent on having some connection with whoever you want to communicate with. It has enjoyed some limited success via the PGP family of standards, but mostly for applications such as email or in more constrained situations like inter/intra-enterprise security. It is possible that with the boom in online social networks there is a new opportunity to renew interest in a web-of-trust style security architecture. The approach seems less practical for general web security because it requires the user to have some existing trust relationship with a site before using it securely. It is not necessarily an impossible approach -- and the mod_openpgp and mod_gnutls projects show some technical promise -- but as a practical matter wide-scale adoption of a "web of trust" style security model for the web seems unlikely.

Hierarchical and Delegated
A third approach starts with a single highly trusted root and delegates authority recursively. Any authority can only issue certificates for itself or the entities that fall "underneath" it, thus limiting the god-like power of the flat model. This also pushes signing power closer to the authenticated sites themselves. It is possible that this authority could be placed directly in their hands, rather than requiring an external authority to approve of each new certificate or domain. Note that I am describing this in a very domain-centric way. If we are willing to fully buy into the domain hierarchy way of thinking about web security, there may be a viable implementation path for this model.

Perhaps the greatest example of this delegation approach to web governance is the existing Domain Name System. Decisions at the root of DNS are governed by the international non-profit ICANN, which assigns authority to top-level domain registries (e.g., .com, .net, .cn), which then further delegate through a system of registrars. The biggest problem with tying site authentication to DNS is that DNS is deeply insecure. However, within the next year a more secure version of DNS, DNSSEC, is scheduled to be deployed at the DNS root. Any DNSSEC response can be verified by following the chain of authority back to the root, and the contents of the response can be guaranteed to be unaltered through that chain of trust. The question is whether this infrastructure can be the basis for distributing site certificates as well, which could form the basis for hierarchical site authenticity (which would also permit encryption of traffic). CNNIC happens to also be the registry for the .cn TLD, so in this case it would be restricted to creating certificates for .cn domains. This approach is advocated by Dan Kaminsky (interview, presentation) and Paul Vixie (here, here). I've also found posts by Eric Rescorla and Jason Roysdon informative.
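To make the "chain of authority back to the root" concrete, here is an added toy model of that verification walk (example code written for this page, not the original post's, and not real DNSSEC: Ed25519 and SHA-256 stand in for the real algorithms, a string triple stands in for wire-format records, and a "CERT" record stands in for whatever form certificates-in-DNS would eventually take). The zones root, cn. and example.cn. and the fingerprint value are constructed. The resolver starts from the root key as its trust anchor and accepts each lower zone's key only if the parent signed a DS record matching it and the zone actually sits inside the parent. The cn zone can sign anything it likes, including a record for gmail.com, but the verifier rejects it because gmail.com is not under the only zone cn holds a delegation for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Zone is a DNSSEC-style zone with a single signing key pair. Names are
// absolute: "." for the root, "cn." for the TLD, "example.cn." below it.
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Record is a resource record plus the owner zone's signature over it
// (standing in for an RRSIG).
type Record struct {
	Owner, Type, Data string
	Sig               []byte
}

// signedBytes is the canonical form covered by Sig.
func (r Record) signedBytes() []byte {
	return []byte(r.Owner + "\x00" + r.Type + "\x00" + r.Data)
}

// NewZone creates a zone with a fresh key pair.
func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, pub: pub, priv: priv}
}

// PublicKey exposes the zone's key; the root's key is the trust anchor.
func (z *Zone) PublicKey() ed25519.PublicKey { return z.pub }

// Sign has the zone sign any record it is asked to. Nothing here stops a
// zone from signing for a name outside its delegation; only verification does.
func (z *Zone) Sign(owner, typ, data string) Record {
	r := Record{Owner: owner, Type: typ, Data: data}
	r.Sig = ed25519.Sign(z.priv, r.signedBytes())
	return r
}

// digest is the DS payload: a hash of the child's public key.
func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// DS returns the delegation-signer record a parent publishes for a child.
func (z *Zone) DS(child *Zone) Record {
	return z.Sign(child.Name, "DS", digest(child.pub))
}

// inZone reports whether owner is at or below zone.
func inZone(owner, zone string) bool {
	if zone == "." {
		return true
	}
	return owner == zone || strings.HasSuffix(owner, "."+zone)
}

// Link is one step down the hierarchy: a zone's key together with the DS
// record its parent signed for it.
type Link struct {
	Zone *Zone
	DS   Record
}

// Verify walks from the trust anchor down the chain, accepting each zone's
// key only if the zone lies inside its parent and the parent signed a DS
// matching that key, then checks the final record against the last key.
func Verify(anchor ed25519.PublicKey, chain []Link, rec Record) error {
	parentName, parentKey := ".", anchor
	for _, l := range chain {
		if !inZone(l.Zone.Name, parentName) {
			return fmt.Errorf("%s is not below %s, so %s may not vouch for it", l.Zone.Name, parentName, parentName)
		}
		if l.DS.Owner != l.Zone.Name || l.DS.Type != "DS" {
			return fmt.Errorf("DS record does not name %s", l.Zone.Name)
		}
		if !ed25519.Verify(parentKey, l.DS.signedBytes(), l.DS.Sig) {
			return fmt.Errorf("DS for %s not signed by %s", l.Zone.Name, parentName)
		}
		if l.DS.Data != digest(l.Zone.pub) {
			return fmt.Errorf("DS for %s does not match the presented key", l.Zone.Name)
		}
		parentName, parentKey = l.Zone.Name, l.Zone.pub
	}
	if !inZone(rec.Owner, parentName) {
		return fmt.Errorf("%s is outside zone %s", rec.Owner, parentName)
	}
	if !ed25519.Verify(parentKey, rec.signedBytes(), rec.Sig) {
		return errors.New("record signature invalid")
	}
	return nil
}

// ChainScenario builds root -> cn -> example.cn, has example.cn publish a
// (constructed) certificate-fingerprint record for its web host, and has the
// cn zone sign a record for gmail.com. It returns both verification outcomes.
func ChainScenario() (goodErr, rogueErr error) {
	root, cn, example := NewZone("."), NewZone("cn."), NewZone("example.cn.")
	chain := []Link{{Zone: cn, DS: root.DS(cn)}, {Zone: example, DS: cn.DS(example)}}
	fp := "sha256:" + digest([]byte("constructed certificate bytes"))
	good := example.Sign("www.example.cn.", "CERT", fp)
	rogue := cn.Sign("gmail.com.", "CERT", fp)
	return Verify(root.pub, chain, good), Verify(root.pub, chain[:1], rogue)
}

func main() {
	good, rogue := ChainScenario()
	fmt.Println("www.example.cn via root -> cn -> example.cn:", good)
	fmt.Println("gmail.com signed by cn:", rogue)
}
```

The bailiwick check in Verify is what turns the flat model's god-like power into the bounded power the text describes: a registry's key is only ever consulted for names beneath the delegation the root actually signed for it.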

If implemented via DNSSEC, this approach would thoroughly bind web site authentication to the DNS hierarchy, and the only assurance it would provide is that you are communicating with the party that registered the domain you are visiting. It would not provide any additional verification about who that party is, as Certificate Authorities theoretically could do (but practically don't). Certificates were originally envisioned as a way to guarantee that a particular real-world entity was behind the site in question, but market pressures caused CAs to cut corners on the verification process. Most CAs now offer "Domain Validation" (DV) certificates that are issued without any human intervention and simply verify that the person requesting the certificate has control of the domain in question. Browsers treat these certificates no differently from more rigorously verified ones, so for all intents and purposes the DNSSEC certificate delegation model would provide at least the services of the current CA model. One exception is Extended Validation certificates, which require the CA to perform more rigorous checks and cause the browser URL bar to take on a "green glow". It should, however, be noted that there are some security flaws with the current implementation.

[Update: I discuss the DNSSEC approach in more detail here]

Open Questions
Are there appropriate stopgap measures on the existing CA model that can limit authority of certain political entities? Are there viable user interface improvements? Are users aware enough of these issues to do anything meaningful with more information about certificates? Does the hierarchical model force us to trust ICANN, and do we? Does the DNS hierarchy appropriately allocate authority? Is domain name enough of a proxy for identity that a DNS-based system makes sense? Do we need better ways of independently validating a person's identity and binding that to their public key? Even if an alternative model is better, how do we motivate adoption?
