All Posts

This page shows all posts from all authors. Selected posts also appear on the front page.

Florida Voting Machines Mis-recorded Votes

In Miami-Dade County, Florida, an internal county memo has come to light, documenting misrecording of votes by ES&S e-voting machines in a May 2003 election, according to a Matthew Haggman story in the Miami Daily Business Review.

The memo, written by Orlando Suarez, head of the county's Enterprise Technology Services Department, describes Mr. Suarez's examination of the electronic record of the May 2003 election in one precinct. The ES&S machines in question provide two reports at the end of an election. One report, the "vote image report", gives the vote tabulation (i.e., number of votes cast for each candidate) for each voting machine, and the other gives an audit log of significant events, such as initialization of the machine and the casting of a vote (but not who the vote was cast for), for each machine.

Mr. Suarez's examination found that the two records were inconsistent with each other, and that both were inconsistent with reality.

In his memo, Suarez analyzed a precinct where just nine electronic voting machines were used. He first examined the audit logs for all nine machines, which were compiled onto one combined audit log. He found that the audit log made no mention of two of the machines used in the precinct.

In addition, he found that the audit log reported the serial number of a machine that was not used in that precinct. The phantom machine that appeared on the audit showed a count of ballots cast that equaled the count of the two missing machines.

Then he looked at the vote image report that was an aggregate of all nine voting machines. He discovered that three of the machines were not reported in the vote image report. But a serial number for a machine not used in the precinct appeared on the vote image report. That phantom machine showed a vote count equal to the vote count on the two missing machines. The other missing machine showed no activity.

Further examination revealed 38 votes that appeared in the vote image report but not in the audit log.

There is some evidence that the software used in this election was uncertified.

County officials don't see much of a problem here:

Nevertheless, [county elections supervisor Constance] Kaplan insisted that Suarez's analysis did not demonstrate any basic problems with the accuracy of the vote counts produced by the county's iVotronic system. "The Suarez memo has nothing to do with the tabulation process," she said. "It is very annoying that the coalition keeps equating the tabulation function with the audit function."

Maybe I'm being overly picky here, but isn't the vote tabulation supposed to match the audit trail? And isn't the vote tabulation report supposed to match reality?

Very annoying, indeed.
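
The kind of cross-check described above (precinct roster against audit log against vote image report) can be sketched as follows. This is an added example, not code from the memo, the county, or the vendor. The record layouts, serial numbers and counts are constructed, and `CLOSING_COUNTS` (a per-machine ballot counter read at poll close) is an assumed third source.

```python
from collections import Counter
from itertools import combinations

def reconcile(roster, audit_events, vote_image):
    """Cross-check the precinct roster, the audit log and the vote image report."""
    audit_counts = Counter(s for s, ev in audit_events if ev == "VOTE_CAST")
    audit_serials = {s for s, _ in audit_events}
    image_serials = set(vote_image)
    # Machines present in both reports whose ballot counts disagree.
    mismatched = {s: (audit_counts[s], vote_image[s])
                  for s in sorted(audit_serials & image_serials)
                  if audit_counts[s] != vote_image[s]}
    return {
        "audit_missing": sorted(roster - audit_serials),   # deployed, never logged
        "audit_phantom": sorted(audit_serials - roster),   # logged, never deployed
        "image_missing": sorted(roster - image_serials),
        "image_phantom": sorted(image_serials - roster),
        "count_mismatch": mismatched,
        "votes_without_audit_entry":
            sum(vote_image.values()) - sum(audit_counts.values()),
    }

def explain_phantom(phantom_count, missing, closing_counts):
    """Find groups of missing machines whose closing counts sum to a phantom's count."""
    active = sorted(m for m in missing if closing_counts[m] > 0)
    return [combo for r in range(1, len(active) + 1)
            for combo in combinations(active, r)
            if sum(closing_counts[m] for m in combo) == phantom_count]

def events(serial, votes):
    """Build constructed audit-log rows: one INIT, then one row per ballot cast."""
    return [(serial, "INIT")] + [(serial, "VOTE_CAST")] * votes

# Constructed sample data: nine deployed machines and one serial that was not deployed.
CLOSING_COUNTS = {"M01": 40, "M02": 35, "M03": 50, "M04": 22, "M05": 31,
                  "M06": 44, "M07": 0, "M08": 27, "M09": 33}
ROSTER = set(CLOSING_COUNTS)
AUDIT_LOG = [row for serial, n in [("M01", 40), ("M02", 35), ("M03", 50),
                                   ("M04", 22), ("M05", 31), ("M06", 44),
                                   ("M07", 0), ("X99", 60)]
             for row in events(serial, n)]
VOTE_IMAGE = {"M01": 40, "M02": 35, "M03": 53, "M04": 22,
              "M05": 31, "M06": 44, "X99": 60}

REPORT = reconcile(ROSTER, AUDIT_LOG, VOTE_IMAGE)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
    for phantom in REPORT["image_phantom"]:
        print(phantom, "could stand in for",
              explain_phantom(VOTE_IMAGE[phantom], REPORT["image_missing"],
                              CLOSING_COUNTS))
```

Any non-empty field in the report means the tabulation and the audit trail disagree with each other or with the roster, so the precinct's totals need a manual review.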


Microsoft: No Security Updates for Infringers

Microsoft, reversing a previous decision, says it will not provide security updates to unlicensed users of Windows XP. Microsoft is obviously entitled to do this if it wants, since it has no obligation to provide product support to people who didn’t buy the product in the first place. A more interesting question is whether this was the best decision from the standpoint of Microsoft and its existing customers. The answer is far from obvious.

Before I go further, let me make two assumptions clear. First, I’m assuming Microsoft has a reliable way to tell which copies of Windows are legitimate, so that they never deny updates mistakenly to legitimate customers. Second, I’m assuming Microsoft doesn’t care about the welfare of infringers and feels no obligation at all to help them.

Helping infringers could easily hurt Microsoft’s business, if doing so makes infringement a more attractive option. If patches are one of the benefits of buying the product, then people are more likely to buy; but if they can get patches even without buying, some will choose to infringe, thereby costing Microsoft sales.

On the other hand, if there is a sizable population of unpatched infringing copies out there, this hurts Microsoft’s legitimate customers, because an infringing customer might infect a legitimate customer. A large reservoir of unpatched (infringing) machines will aggravate an already serious malware problem, by making Windows an even more attractive target to malware authors, and by speeding the spread of new malware.

But wait, it gets even more complicated. If infringing copies are susceptible to existing malware, then some of the bad guys will be satisfied to reuse old malware, since there is still a population of (infringing) machines it can attack. But if infringing copies are patched, then the bad guys may create more new malware which is not stopped by patches; and this new malware will affect legitimate and infringing copies alike. So refusing to update infringing copies may leave the infringers as decoys who draw fire away from legitimate customers.

There are even more factors in play, but I’ve probably written too much about this already. The effect of all this on Microsoft’s reputation is particularly interesting. Ultimately, I have no idea whether Microsoft made the right choice. And I doubt that Microsoft knows either.


Valenti Quotes Me

In his testimony at the House DMCA-reform hearing today, Jack Valenti quoted me, in support of a point he wanted to make. The quote comes from last year's Berkeley DRM Conference, from my response to a question asked by Prof. Pam Samuelson. Here's the relevant section from Mr. Valenti's testimony (emphasis in original):

Keep in mind that, once copy protection is circumvented, there is no known technology that can limit the number of copies that can be produced from the original. In a recent symposium on the DMCA, Professor Samuelson of UC Berkeley posed the question: "whether it was possible to develop technologies that would allow…circumvention for fair uses without opening up the Pandora’s Box so that allowing these technologies means that you’re essentially repealing the anti-circumvention laws."

The question was answered by the prominent computer scientist and outspoken opponent of the DMCA, Professor Ed Felton [sic] of Princeton: "I think this is one of the most important technical questions surrounding DRM – whether we know, whether we can figure out how to accommodate fair use and other lawful use without opening up a big loophole. The answer, I think, right now, is that we don’t know how to do that. Not effectively."

Moreover, there is no known device that can distinguish between a “fair use” circumvention and an infringing one. Allowing copy protection measures to be circumvented will inevitably result in allowing anyone to make hundreds of copies – thousands – thereby devastating the home video market for movies. Some 40 percent of all revenues to the movie studios come from home video. If this marketplace decays, it will cripple the ability of copyright owners to retrieve their investment, and result in fewer and less interesting choices at the movie theater.

Here's the full excerpt from the DRM Conference transcript:

Question from Prof. Pam Samuelson:

So yesterday when I was doing the tutorial, Alex Alben asked me a question which, because I'm not a technologist, I was not in a very good position to try to answer, but since there are several technologists on this panel who are interested in information flows. The question that was put to me was a question about whether it was possible to develop technologies that would allow circumvention for fair use or other non-infringing purposes. Is it possible to sort of think creatively about anti-circumvention laws that might allow some room for circumvention for fair uses without opening up the Pandora's box so that allowing these technology means that you've essentially repealed the anti-circumvention laws.

[Other panelists' answers omitted.]

Answer by Ed Felten:

I think this is one of the most important technical questions around DRM, whether we know, whether we can figure out how to accommodate fair use and other lawful use without opening up a big loophole. And the answer is, I think, right now, is that we don't know how to do that. Not effectively. A lot of people would like to know whether we can do that or how we go about doing it, but it's a big open question right now.

Let's leave aside for now the flaws in Mr. Valenti's argument, and focus just on his use of the quote. Note that he artfully excerpts segments from Prof. Samuelson's question, to make it appear that she asked a different question than she really did. Also note that he removes an important part of my answer: the last sentence, where I talk about the technological relation between DRM and fair use as being a "big open question".

Which brings us back to the bill being discussed today. If we want to answer the "big open question" I mentioned, we need to do more research. But the DMCA severely limits some of the key research that we would need to do. The Boucher-Doolittle bill would open the door to this research, by creating a research exemption to the DMCA. But that issue is apparently not up for discussion today.

[Note: This post is based on Mr. Valenti's written testimony, of which I have a copy. I did not hear his live testimony. Seth Finkelstein reports that Mr. Valenti did use the quote in his oral testimony.]


House DMCA Reform Hearing Today

Today a congressional committee will hold a hearing on the Boucher-Doolittle bill (H.R. 107), known as the DMCRA, that would reform the DMCA. The hearing will be webcast, starting at about 10:00 AM Eastern. Look here for a witness list and link to the webcast.

The DMCRA would do four main things: require labeling of copy-protected CDs; allow circumvention of DRM for non-infringing purposes; allow the distribution of DRM-circumvention tools that enable fair use; and create an exemption to the DMCA for legitimate research.

Based on the witness list and other hints I have gotten, it appears that the hearing will focus on the consumer provisions of the bill. There probably won't be much discussion of the much-needed research exemption.


DRM as Folding Chair

Frank Field offers an interesting analogy:

DRM is a folding chair – specifically, it’s one of those folding chairs that people use after shoveling out the snow from a parking space that they use to claim it after they drive away.

For those of you who don’t have to cope with snow, I know that sounds incredible (it was to me when I moved here from South Carolina), but this is a real problem in cities with limited parking and poor snow removal. People who shovel out their cars will have a ratty old folding chair or an old street cone or, if they’re feeling really aggressive, an old kid’s toy that they will plant squarely in the middle of the shoveled-out parking space. This object "marks" the spot, and everyone knows what it means – this is my spot: park here and you will suffer the consequences.

This struck me, in part, because it echoes an example I like to use. When teaching about the theory of property, I start with a class discussion about whether there should be a property right in shoveled-out parking spaces. It's a helpful example because everybody understands it, few people have a predisposition one way or the other, and it exposes most of the tradeoffs involved in creating a new form of property.

As Frank describes it, "ownership" of a Cambridge parking space is effected not by any legal right but by the threat that noncompliant cars will be vandalized. This is a key distinction. Typically, some of my students end up endorsing a limited property right in shoveled-out parking spaces, but my guess is that they would feel differently about a system created by private decree and "enforced" by vandalism.

This is where the analogy to DRM gets complicated. DRM systems don't trash the computers of noncompliant users, so they don't rely on the same kind of intimidation that Frank's folding-chair owners use.

But Frank's analogy does work very nicely in one dimension. DRM developers, like Cambridge folding-chair owners, are trying to establish a social norm that people should keep out of the territory they claim. Such claims should be evaluated on their merits, and not just taken for granted.


Japanese P2P Author Arrested

Japanese police have arrested the author of Winny, a peer-to-peer application popular in Japan, according to a story on ABC News's Australian site. (Reportedly, a more detailed article is available in Japanese.) Isamu Kaneko, a 33-year-old Computer Engineering "guest research associate" at Tokyo University, was arrested for conspiracy to infringe copyright. If convicted, he faces a maximum penalty of three years in prison. Winny's author had previously been known only by the online moniker "47," but police apparently used the records of some kind of online bulletin board to identify him.

UPDATE (10:20 AM): Corrected Mr. Kaneko's job title. I originally wrote "graduate student" based on the ABC article, but Seth Finkelstein pointed me to an authoritative page at Tokyo University with the accurate title.

Is the U.S. Losing its Technical Edge?

The U.S. is losing its dominance in science and technology, according to William J. Broad's article in the New York Times earlier this week. The article looked at the percentage of awards (such as Nobel Prizes in science), published papers, and issued U.S. patents that go to Americans, and found that the U.S. share had declined significantly.

Although the trend is real, the article does oversell it. For example, the graph that appears at the top shows the number of papers published in physics journals, by the author’s country of origin. Classifying based on country of origin undercounts American scientists, many of whom were born in other countries. Bear in mind, too, that the U.S. lead is smaller in mature fields like physics than it is in developing fields like computer science, so focusing mainly on mature fields will make the U.S. position look worse than it really is.

Yet even by more careful measures, the consensus seems to be that the overall U.S. lead is narrowing. What are the implications of this for Americans?

It all depends on whether you see science and technology as a zero-sum game. If you view science and technology as instruments of national power (both hard military power and soft cultural power), then technical advancement is a zero-sum game and what matters most is how we compare to other countries. But if you see science and technology as creating knowledge and prosperity that diffuse out to the population as a whole, then technical advancement is not a zero-sum game, and you should welcome the flow of knowledge across borders – in both directions. Both views have some validity.

The clash between these two views seems most extreme in immigration policy. As I noted above, immigration has been a big contributor to the quality of U.S. science. But now, more than any time I can remember, U.S. immigration policy is suspicious of foreigners, and especially those who want to work in technical fields. Regardless of the wisdom of this policy – and I think it is tilted too far toward suspicion – we have to recognize the price we pay by adopting it (not to mention the price paid by the overwhelming majority of would-be immigrants from whom we have nothing to fear). Overseas applications to U.S. graduate schools in computer science and other technical fields seem to have dropped sharply this year; and that's a very bad sign.

I'm glad to see that the health of our technical communities is starting to become more of a national priority. In today's climate, national competitiveness will be an increasingly effective argument against over-regulation of technology. And after nearly a decade of seeing parts of my technical field turned into legal and regulatory minefields, I would like nothing more than to have the tide turn so that policymakers think about how to make technologists' jobs easier rather than harder.

California Decertifies Touch-Screen Voting

Looks like I missed the significance of this story last week (by Kim Zetter at Wired News). California Secretary of State Kevin Shelley decertified all touch-screen voting machines, not just the Diebold systems whose decertification had been recommended by the state's voting-systems panel.

Some counties may be able to get their machines recertified if they can meet a set of security requirements: the machines must be certified by the Federal government, provide a voter-verified paper trail, have a security plan that meets certain criteria, have source code disclosed to the Secretary of State and his designees (subject to reasonable confidentiality provisions), have a documented development process, not be modified at the last minute, have no network connections (including Internet, wireless, or phone connections), and meet a few other requirements.

Shelley condemned Diebold's actions in California, calling them "despicable" and "deceitful tactics". He referred evidence of possible fraud by Diebold to the state Attorney General's office.

In a related story, Ireland recently decided not to use e-voting in their next election, due to security concerns.


Dare To Be Naive

Ernest Miller at CopyFight has an interesting response to my discussion yesterday of the Broadcast Flag. I wrote that the Flag is bad regulation, being poorly targeted at the goal of protecting TV broadcasts from Internet redistribution. Ernie replies that the Flag is actually well-targeted regulation, but for a different purpose:

[Y]ou'd have to be an idiot to think that the broadcast flag would prevent HDTV content from making it onto the internet. Since I don't believe that the commissioners are that stupid, I can only conclude that the FCC is acting quite cynically in support of an important constituency of theirs, the broadcasters *cough*regulatorycapture*cough*.

In other words, the purported purpose of the broadcast flag (to prevent HDTV from getting onto the internet) is not the real purpose of the broadcast flag, which appears to be to give content providers more control over the average citizen's ability to make use of media.

Ernie's theory, that the movie industry and the FCC are using "content protection" as a smokescreen to further a secret agenda of controlling media technology, fits the facts pretty well. And quite a few experienced lobbyists seem to believe it. Still, I don't think it's right to argue against the Broadcast Flag on that basis.

First, even if you believe the theory, it's often a useful debating tactic to pretend that the other side actually believes what they say they believe. It's hard to prove that someone is lying about their own beliefs and motivations; it can be much easier to prove that their asserted beliefs don't justify their conclusions. And proving that the official rationale for the Flag is wrong would do some good.

Second, if Ernie's theory is right, the fix is in and there's not much we can do about future Broadcast Flag type regulation. If we want to change things, we might as well act on the assumption that it matters whether the official rationale for the Flag is right.

And finally, I am convinced that at least some people in the movie industry, and at least some people at the FCC, actually believe the official rationale. I think this because of what these people say in private, after a few (literal or metaphorical) beers, and because of how they react when the official rationale for the Flag is challenged. Even in private, industry or FCC people often react to criticism of the official rationale with real passion and not just with platitudes. Either these (non-PR) people are extraordinarily good at staying on-message, or they really believe (as individuals) what they are saying.

So although Ernie's theory is very plausible, I will dare to be na

Where Does Your Government Stand on the WIPO Broadcasting Treaty?

The Union for the Public Domain is asking for help in surveying national governments about their (the governments') positions on the WIPO Broadcast Treaty. The UPD is looking for volunteers who are willing to contact the appropriate representatives of their national government, ask the representatives a series of questions provided by the UPD, record the answers, and submit them to the UPD. The UPD will collate the results and create a handy summary of where each government stands on the Treaty.
