November 2000 Public Policy Computer Graphics Column

Introduction

Bob Ellis

We begin this column with a review of public policy activities at SIGGRAPH 2000, which was held in New Orleans, July 23-28, 2000. Next, guest columnist Myles Losch reports on the expected availability of broadband services that may be installed by the customer instead of requiring a service call by a technician thereby potentially lowering the installation cost. We then look at the issue of consumer acceptance of new technology based on a recent CACM column by ACM Past-President Barbara Simons. We close by reprinting a short piece by Eugene Spafford, Co-Chair of USACM on the Uniform Computer Information Transactions Act and it's implications for personal and professional software purchases.

Public Policy Activities at S2000

Bob Ellis

Policy Maker Interaction

Attending our committee meeting was Jason Hutter, a staffer in the local office of Congressman Billy Tauzin. Congressman Tauzin is the Chair of the House Sub-Committee on Telecommunications. Because Mr. Hutter is not an expert on telecommunications policy, the session consisted primarily of our giving him our thoughts on the importance of broadband telecommunications to computer graphics and the impediments we see to the wide adoption of broadband. Because of the next item (see below), we also spent time discussing the issue of U.S. government support for computing and computer graphics research. Mr. Hutter was very interested in what we had to say.

An email from Mr. Hutter after the conference indicated that he had transmitted the information to Congressman Tauzin and appropriate staffers in the Washington office. It was also obvious to us that ACM has very little visibility in Washington making meetings like this an important part of our activities. I will try to get some policy maker participation in all our future committee meetings.

Prospective NRC/SIGGRAPH Study on Computer Graphics Research

In conjunction with National Research Council's (NRC) Computer Science and Telecommunications Board (CSTB) we have defined a study project entitled "Research Challenges in Computer Graphics". The SIGGRAPH Executive Committee has approved $50,000 as seed funding for this study pending a favorable review by the computer graphics research community.

Although small in number we've had some thoughtful responses to our initial solicitation for comments. The most important critical comments centered on the difficulty of getting adequate representation for all aspects of computer graphics, the almost insurmountable problem of getting computer graphics recognized as a research discipline in its own right separate from applications, the difficulty of having such studies make an impact and the overwhelming presence of the game and entertainment markets. None of the reviews said not to do the study.

Our discussion of the comments led us to the conclusion that the study should be done and the NRC is the right organization to do it. The project description will be revised to insure that the points raised in the reviews are highlighted.

Public Policy at SIGGRAPH Conferences

I observed that a number of points made in the courses and panels have strong policy side issues and that we should work at getting more visibility at future SIGGRAPH conferences. There are a number of possibilities, including having policy issues awareness added to several courses and panels, offering our own course and organizing a panel. All of these should avoid the descriptive term "public policy" because most people don't see this as a very exciting issue, particularly compared to the other content of the conference.

We decided that a course should focus on awareness and a panel should have a single topic rather than overview several issues. Subsequent discussion and thought has led me to consider proposing a two-hour course and a panel on copyrights for digital material for SIGGRAPH 2001. The course would be a two-hour course to increase the probability of acceptance of this decidedly non-mainstream topic with options to expand the course to a half or full day. The panel would consist of speakers representing the academic community, a practicing intellectual property attorney, creators of copyrighted digital material and users of copyrighted digital material representing a diverse array of positions on the relative rights of copyright holders and fair use by users of copyrighted material. One idea for a panel was to have a placeholder called something like "Hot Topics" so we could discuss last minute issues that were not active at the time the panel was accepted, but this seems unlikely to win acceptance by the conference committee.

If the proposals are going to happen, I will need considerable help. While I welcome your suggestions for content and speakers, what I really need are co-organizers for both, who can contribute to the development of the proposals. The deadline for early feedback on course proposals is October 25, 2000 with final proposals due November 29, 2000. Panel proposals are due January 17, 2001.

Third On-Line Survey

We have some initial results from the survey. Although there have been only 23 responses to date some early trends are emerging. Over 80% of the respondents are U.S. residents, with four other countries having one respondent each. Surprisingly, freedom of speech has emerged as the respondents' top policy issue facing computer graphics. Also of interest is the fact that there is considerable support for all aspects of SIGGRAPH and ACM work in policy, ranging from providing information to the computer graphics community and policy makers to taking positions on issues. The only caution comes on financing these activities with an extremely strong response that funding not be diverted from other activities such as publications and conference support.

We discussed the value of doing these surveys because the respondents are self-selected and not representative of any community except that of respondents to our surveys. Some concern was expressed that these surveys are not particularly exciting, but the majority of the committee favored continuing them because they do represent the opinion of those who care enough about the issues we raise to take to time to respond.

Public Policy BOF

As usual the BOF was not particularly well attended, but one university affiliated attendee presented a situation where one of their new research grants requires a public policy component. We had a long and interesting discussion about how we could help them by being an information resource.

Self-Installation of (Wired) Residential Broadband Internet Access

Myles Losch

Among the obstacles to widespread home adoption of both DSL and cable modem services, has been the typical need for expert onsite technical skills furnished by service providers' field crews. Past attempts to let consumers self-install [in industry jargon, "self-provision"] such broadband links (as they would a dial-up telephone modem) fared poorly, due to technical and standardization problems.

But better technology, combined with quickly growing demand, have prompted new efforts to cut labor costs and delays by offering the customer an "out-of-box experience." Broadband access providers, with equipment makers and retailers, have developed (and cautiously begun to deploy) a new generation of streamlined industry standards for self-installation.

The research consortium Cable Television Laboratories (www.cablelabs.org) developed, and tests hardware compliance with, the DOCSIS (Data Over Cable Service Interface Specification) standard for cable modems. Phone companies' corresponding initiative for ADSL service, once called "G.lite," was standardized by the International Telecommunication Union (http://www.itu.int) as Recommendation G.992.2. This standard is being overseen by a new deployment consortium, OpenDSL (http://www.opendsl.org).

Retail packaging of both types of broadband access device is expected to take two forms: kits for use with separately purchased computers, and inboard versions pre-installed in both computers and fixed function "Internet appliances" such as Microsoft's Web TV terminals.

Industry analysts expect that such products, if successful, will do much to speed public acceptance of broadband Internet access. In future columns, we hope to assess the results.

Consumer Acceptance as an Aspect of Policy Issues

Bob Ellis

In the "From the President" column in the May 1999 issue of Communications of the ACM ("To DVD or Not to DVD", CACM, Vol. 42, No. 5) then President Barbara Simons discusses the issue of digital copy protection for DVD movies. The column was prompted by the publication of (and subsequent legal battles over) the code to decrypt the Content Scrambling System (DeCSS). In the column Barbara discusses some of the policy issues surrounding this action. For more information on the DeCSS trial see (http://eon.law.harvard.edu/openlaw/DVD/). For a copy of Barbara's deposition for the DeCSS trial see (http://www.eff.org/IP/Video/MPAA_DVD_cases/20000708_ny_simons_dep.html).

I believe the real answer to the question asked in the title depends on whether consumers will accept the first consumer device for the playback of pre-recorded content that from its introduction did not permit full-quality copying. CDs aren't copy protected - copying just had to wait for popularly priced CD writers. Digital Audio Tape (DAT) failed at least in part because of the lack of ability to make multiple generations of digital copies. DiVX failed not so much for lack of copy capability but because of the control exercised over consumers' playback options. And VCR copy protection came after the devices were widely deployed. By the way, it will be interesting to see what happens as consumers begin to realize this. Public demand has led, in large areas of Europe, East Asia and elsewhere, to the commercial availability of DVD players that, contrary to the industry's technology licenses, allow playback of discs from multiple movie-distribution regions of the world.

For example, DVD movie players are down to around $150. If you buy one of these and don't buy, but rent, DVD titles, what do you care about whether or not you can copy a DVD and the potential loss of your capital investment? If it is useful for 5 years, the DVD player has only cost you $30 per year. Of course this argument does not take into account what is called "fair use" copying.

The same argument applies to UCITA (see below). People buy and install software all the time without reading the End User License Agreements. And they give it to their kids, etc., without bothering to get the publishers permission. If restrictions become really onerous and enforced, consumers just won't buy the products. This strategy has obvious limitations; you can't really not buy certain software where the vendor has a monopoly in the market. But you can search for alternatives and delay upgrading as long as possible in the hopes that the worst features of the license agreements will go away before you need to move to the new versions of the software. Even in these situations, the effects of an informal boycott could work wonders.

An Illustration of Why Security is More Than Technology

Eugene H. Spafford, Purdue University CERIAS

Originally published in IEEE Cipher, August 2000. (Reprinted with Permission)

The biggest threats in the next decade to information security may not be malicious hackers and viruses. They are going to be bad law, passed by ill-informed legislators, and pushed by greedy and unscrupulous commercial interests with lots of money with which to lobby. Those companies are going to seek to further expand (bad) law protecting intellectual property, curtailing consumer rights, and further protecting them from consequence for their production of bad software.

You don't believe it? If you live in the US, consider the following scenario: You buy some shrink-wrapped software for use in your business or at home. As part of that purchase:

• You are bound by a license inside the box that you cannot read until you make the purchase.
• The license can be changed by the vendor simply by posting an update at the vendor's WWW site or sending you email, and you are legally bound by the changes.
• You are required to open your firewall to allow the vendor access to a "backdoor" in the software to allow the vendor to monitor license compliance and remotely disable the software at the vendor's option.
• The vendor can sue you if you reverse-engineer the code or protocol to find out exactly what information the software is collecting and sending out.
• If the software fails catastrophically because of clear and obvious negligence, you can't sue the vendor.
• If you decide to publish a review of the software noting your bad experiences, you can be sued by the vendor for not obtaining prior review and permission by the vendor.

Sounds absurd, doesn't it? Impossible, perhaps? Unfortunately not -- it is currently embodied in state law in both Maryland and Virginia, and will soon be considered by the state legislatures in the other 48 states. If a vendor chooses to write any of the above-mentioned provisions into a software license, state contract law will allow and support it.

The vehicle for this travesty is UCITA -- the Uniform Computer Information Transactions Act. Ostensibly an update of the Uniform Commercial Code in each state, the process of drafting the act was co-opted by some of the largest entertainment and software firms. The result is something that is opposed by a Who's Who of the computing and consumer-rights milieu -- including the IEEE, ACM, MPAA, ALA, Consumer's Union, and the FTC. [Note also that about half of all the U.S. state attorneys general are formally opposed - Ellis] (See http://www.badsoftware.com/oppose.htm [site currently under renovation - Ellis] for an incomplete list of opponents.)

Why is UCITA such a threat when it is so obviously bad for consumers and the IT industry (and security people in particular)? Mainly because of the complexity of the issue and the money involved. The draft act is several hundred pages of dense legalese that is beyond the ability of most state legislators to analyze. So, they are depending on the word of knowledgeable experts to understand the impact. Unfortunately, the companies that stand to gain the most are also lobbying the most strongly on this issue. The mantra heard in MD and VA from these lobbyists was that if the states didn't pass UCITA then they would not be able to complete for high-tech jobs and dollars. This is persuasive to legislators who don't otherwise understand the issues. How would it play in the halls of your state capitol?

So, what can *you* do? Well, first of all, educate yourself about the issues. Start with Barbara Simons' editorial "Shrink-Wrapping Our Rights" in the Inside Risks column of CACM (Vol. 8, August 2000); also available at http://www.csl.sri.com/neumann/insiderisks.html. You can also find articles about UCITA and its impact at http://www.ucita.org.

Then, you need to communicate with your state legislators about the problems this law would bring to your state if passed, and your opinion thereto.

Remember -- the insider threat is not simply from employees. The software you use may well be the biggest threat, along with its vendor. What good is security technology when the law doesn't let you protect yourself?