Author Archive for HM

Microsoft is starting to (essentially) fund law enforcement for computer crimes–should the government be doing more too?

Today the Seattle Times covered a new Microsoft product, which was certainly not surprising given Microsoft’s large Seattle presence.  However, this new device was something of a novelty for Microsoft:  it was a software toolkit designed to help law enforcement extract information from computers that had been used in crimes.  The new software, called COFEE (Computer Online Forensic Evidence Extractor), which fits on a USB flash drive, contains tools such as password crackers, memory and hard disk readers, and internet traffic analyzers.  While this is certainly a departure from Microsoft’s more traditional products, what is even more surprising is COFEE’s cost—nothing.  Microsoft is giving it away to law enforcement around the country for free. 

It’s relatively easy to see Microsoft’s motivation for doing something like this.  By giving free support to law enforcement, Microsoft is hoping that it can help decrease (or at least slow the increase in) the number and severity of computer crimes.  Since most computer crimes in the world today target Windows or other Microsoft products (such as Internet Explorer or Outlook), Microsoft is helping mainly itself by (essentially) funding law enforcement (note that many banks and other companies that are frequently attacked use Microsoft products under their own software as well).   Thus, Microsoft’s move is very sound economically. 

While it may be sound for Microsoft to help fund law enforcement (and improve computer security in general—Microsoft has a significant number of researchers and programmers in the fields of computer security and cryptography), it is unlikely that it would ever be economically sound for just about any other company to unilaterally fund law enforcement or (public) computer security research in such a way.  With the exception of possibly Google and maybe IBM, no other companies have an incentive to do so.  This is due to the free rider problem.  For instance, if Amazon.com spends a sum of money to help fund law enforcement, it will probably benefit, but Buy.com and Amazon’s other competitors will derive just as much benefit from this action.  Thus, Amazon and the vast majority of companies out there have little reason to spend money on law enforcement or publicly available research.  Companies that rely extensively on the internet do tend to do their own private research on various topics in security, but this research has only very limited benefits (Amazon’s security research probably only deals with making your Amazon transaction secure and isn’t going to help stop viruses).       

Thus, it seems to me that both law enforcement and computer security/cryptography research are not being allocated enough resources by society.  The only players in the current system that have an incentive to allocate resources to this would be monopolists or near-monopolists like Microsoft.  So, even though I typically oppose government regulation and spending, it seems to me like government spending on increased law enforcement and computer security research would be a good thing.

The Case Against Anti-Virus Vouchers

Near the end of class today, we discussed what we thought were the best ways that government could spend money to help improve computer security (and decrease the effects of all of the problems caused by insecurity). There were several suggestions: educational programs, research, more law enforcement, bounties for catching offenders, and subsidies given to either ISPs or end users to help pay for the cost of anti-virus software (we called this last option the voucher option). While I find the first suggestions to have some merit, I personally believe that vouchers toward anti-virus software are counterproductive and would be a waste of government money.

Let’s first consider the case where the government directly subsidizes the end users. As an example of this case, the government might give out twenty dollar vouchers to all US residents with a registered internet connection that could be spent only on anti-virus software. A typical consumer wouldn’t be able to tell the difference between good and bad security software, and would likely end up buying something that cost right about twenty dollars since they wouldn’t want to waste any extra money on a product for which they cannot assess the quality. This, of course, assumes that average people would actually spend the time to buy the software and use the voucher, which many might not if it is both relatively difficult to acquire the software (say it has a long download time, which is a reasonable assumption) and if no one is requiring that they have this software. As an aside, in the past many electronics companies have offered mail-in rebates on a wide variety of products (you have probably seen these in a Best Buy or Circuit City, for instance). However, while it may seem like a bargain to the consumer, the companies tend to view it as money in the bank due to the very low response rate, despite the fact that it is “free money.” If people are too lazy to address and stamp an envelope for cash, would they be willing to use a voucher to download anti-virus software that they don’t know too much about if it is not required by the government? I doubt a government subsidy without a mandate would do much good, and, as we discussed in class, a government mandate requiring everyone to run anti-virus software of a certain quality on all of their computers would be a terrific mess.

Now let’s move on to the case where the government subsidizes the ISPs in some way. Rewarding the ISPs based on performance seems silly—there is no accurate or precise way to gauge this. If you look at figures of the size of botnets, the number of computers infected by given viruses/worms, or the number of spam e-mails sent over a given network in a certain time period, you will notice that they are typically very, very imprecise. Since there is no accurate way to measure the performance of an ISP in terms of security, it just does not make sense to reward the ISPs monetarily based on this. Finally, requiring the ISPs to be responsible for making sure that all of their end users run anti-virus software runs into all of the same problems as the case where the government directly subsidizes the end users, except it is worse, because generally the ISPs would have less of an incentive to force the users to run a good anti-virus program than the government would due to the spillover effects of the market for computer security.

Unfortunately, the computer security market seems to be a place where the government is hamstrung and cannot effectively directly attack the problem from an economic standpoint. All it can do is fund initiatives like research or more law enforcement, which, while not ideal, still will have good results in the long run.

Flawed Assumptions on H1-B Visas

In class today, our discussion mainly focused on H1-B visas.  We made some assumptions about these visas:  namely, that they were used primarily by US companies looking to fill jobs in sectors like technology that do not have enough skilled workers to meet the demand of the industry, and basically all of our analysis was based on this fact.  However, according to Wikipedia (which is usually very accurate about this sort of thing), the statistics on H1-B visas do not support our main assumption, which means that we probably need to revise our thinking on these visas.

Some surprising facts on H1-B visas:  of the ten companies that were issued the most H1-B visas in 2006, seven of them had the majority of their employees located in India, and six are headquartered outside of the United States.  In 2006, the two companies that were issued the most H1-B visas were Wipro and Infosys.  Wipro applied for 20,000 H1-B visas but only 160 green cards; Infosys applied for 20,000 H1-B visas and only 50 green cards.  While there certainly are some companies that use the H1-B visas as we had anticipated in class (Microsoft, IBM, and Oracle, for instance), it seems like these companies are in the minority. 

This information leads us to several new conclusions.  Rather than being used by US firms to fill jobs in which there are not enough native skilled workers, H1-Bs are being used by foreign firms to build up a presence in the United States.  Additionally, it would seem that, based on the number of green cards applied for, these foreigners tend not to stay in the US and much prefer to return to their home country (which is most likely India) after their H1-Bs expire.

This information has many implications for policy.  This information really doesn’t change the general opinion on the matter for people that believe in an almost completely free economy and relatively open borders (that would be me).  However, if more people were aware of this, it would make Congress much less likely to issue H1-Bs.  Instead of supporting US corporations as many would think, these H1-B workers support mostly foreign companies.  Additionally, it seems that most people with an H1-B head home after working, taking the skills and training they received in the US back with them.  So for opponents of these visas, a really simple populist argument can be made:  does the US really want foreign workers working for foreign countries taking American jobs and then going back to their home country, taking their training and education with them?  I’d be willing to bet that if this issue were polled after people heard this argument, the vast majority of Americans would support reducing or even eliminating the H1-B visa.  It looks like Bill Gates may never get his loose immigration policies after all.

The Issue of Notability in Wikipedia and Wiki-governments

In class today, we discussed how a Wikipedia-style government would be run and noted how this could affect society.  But we only took a general view of how Wikipedia itself is run into account and did not look too deeply into some of the finer points of Wikipedia protocol.  It is interesting to note how some of these finer points would affect the model of Wikipedia governance.

Wikipedia has quite a bit of information in regards to how users are supposed to approach editing the site.  Topics include criteria for creation of an article, grounds for deletion, and reliability of sources, among others.  The rules for sources are not particularly interesting because they closely resemble those rules for academic papers.  Sources need to be cited, and articles that do not have sources properly cited are either flagged as needing sources, needing a rewrite, or needing deletion.  It is a relatively simple process.  However, the rules for both creating an article and deleting an article are quite interesting and have several policy implications.  The main aspect of an article’s worthiness is “notability.”  Defined here, the notability of a topic is the sole criterion of whether an article is deleted or not.  As Wikipedia puts it, notable subjects should be included, while “non-notable subjects do not belong.”  It’s as simple as that. 

However, it is really not “as simple as that.”  Wikipedia’s notability criteria are complicated enough to have several Wikipedia articles and essays written to help editors determine what is notable and what is not.  Topics such as academics, TV shows, music, products, corporations, and many others all have individual articles written about them to help editors make the decision about whether a person, show, song, thing, or company is relevant enough to have an article on Wikipedia.  These snippets are surprisingly detailed—for instance, there is a six-step “professor test” designed to help editors determine whether academics are notable or not.  If there are disputes about an article’s notability, then there is a period of five days in which editors can debate and post comments about the subject of the article.  If at this time the dispute has still not been resolved (the article has not been classified as notable or not), then an editor of higher rank makes the decision. 

With this in mind, let’s return to the issue of Wikipedia-style government.  We discussed the issue of facts themselves—and possible ways that biases about facts could occur through special interests—but really didn’t consider the notability issue, except when we briefly discussed Digg- and Facebook-style governments later in the class.  I think that, upon further review, the people in the Wikipedia-style government who would wield the most power are not the ones providing the facts, as even powerful special interest groups are only capable of skewing the information to a controlled degree if real experts provide input.  Instead, the real gatekeepers would be the “editors” in the government who define what is notable and what is not.  Would, say, an entry on the poor condition of rural roads in Appalachia be notable enough for the hypothetical government?  Of course, this is just a rhetorical question, but how the editors answered such a question would go a long way in determining exactly how a Wikipedia-style government functioned.  In the case of government, at least, it seems that the protocols to determine what is being discussed/considered are at least as important as, if not more important than, the actual protocols for submitting data, which seems to imply that Digg/Facebook styles of government (like those mentioned in class) would be a better alternative to Wikipedia, since even in Wikipedia deciding what is important is at least as influential in shaping the opinions of people as the actual facts themselves.  

     

Second Life: It’s Just a Game

There is no doubt that Second Life is, for many, a fun and addicting game.  The emphasis, of course, is on the last word:  game.  I think that many people, including those involved with public policy today, tend to view Second Life as something other than a game.  Some of them might consider it an internet portal for tax evasion, others might think of it as a completely separate economy, and still others might have different, widely disparate opinions on what Second Life actually constitutes.  But the fact of the matter is that, at the end of the day, it is just a game, and people should think of it as such. 

Consider the way a casino works:  you start off by converting your real currency into the casino’s currency—chips.  You then proceed to walk around, playing various different games, sometimes making money, but unfortunately more often than not losing money.  At the end of the day, you convert your chips (if you have any left) back to dollars, and leave the casino.  As people familiar with Second Life will know, this is very similar to how Second Life works.  Sure, there are a few important differences, but if we extend the analogy and allow anyone who comes into the casino to set up their own poker or blackjack table or bring their own slot machines, then there really are not that many differences after all.  Thus, I don’t think it’s necessary to create special governmental rules and regulations for Second Life and other similar games when, despite what people think of them, they are not that fundamentally different from a casino.

Treating Second Life as a game makes policy considerations relatively easy.  Just like a casino, taxation is only necessary when a player generates money through Second Life and then cashes out that money in the form of dollars (or any other currency for that matter).  This money would count as income, and it would be the responsibility of the person generating the income to report it to the IRS.  Taxation in this way would be very simple and easy to implement.

One might consider the amount of casino regulation (especially in the US) to be a counterpoint to this argument.  First of all, much of the casino regulation centers upon the fact that the casino has an inherent edge over the player due to the odds of the games, and people who own casinos tend to be much richer than the people playing in (and losing money in) these casinos.  Since Second Life is not inherently biased like a casino, many of the laws about casinos would make little sense with regard to Second Life.  Of course, even with this in mind, there is always the issue of fraud.  State Gaming Control Boards are the way casinos deal with this.  These boards typically only allow people who possess “honesty, integrity, and good character” to open casinos and regulate the gaming system such that only ‘fairly biased’ games are played, and that nothing like money laundering or other non-gambling crimes occurs (the idea behind this latter part was to make it difficult for organized crime to obtain a casino which they could use for various nefarious purposes).  Indeed, one could argue that such a federal control board for all similar online games would make sense—such a thing might have prevented the banking scandal that took place in Second Life.  I, however, disagree with both the notion of a Gaming Control Board and any governance of Second Life.  Personally, I believe that market forces can effectively regulate this sort of game—if a casino cheats or major fraud occurs in Second Life, people can switch to a different casino or different online game relatively easily.  The cheating casino or poorly designed game will go out of business or cease to exist.  Thus, the incentive not to cheat or to expend effort in ensuring that players do not cheat will be great enough for owners/game designers to do so.  This, though, is a less universal point and I concede that a reasonable argument could be made for some regulation of massively social online gaming.

The BBC and the “Great Firewall”

Very recently the Chinese government decided that it would not block the BBC website, marking the first time since the start of the so-called “Great Firewall” that Chinese citizens could get their news from the BBC.  In response to this, the BBC did an investigation of China’s internet policing methods and found some interesting results.  The main way that China blocks data is through simple filtering.  Chinese authorities run software programs that examine data being sent across one of the five gateways through which China is connected to the internet and check to see if any forbidden words, phrases, or IP addresses are present in the packets of data.  If anything of this sort is found, the firewall software instructs the server and client computers to halt the flow of information.  Although email is handled differently (the BBC believes China to have 30,000 people who regularly scan email), this is the general way in which the firewall works.

However, the “Great Firewall” can be broken relatively easily, as people with experience in computer security will guess at this point.  Proxy servers, coupled with even very simple encoding schemes, can get around such a firewall, and indeed the BBC has reported that this has been the case in China.  The difficult part of this process for Chinese citizens has been finding proxy servers in other countries—while they are quite numerous and new ones spring up all of the time, Chinese authorities block proxy servers that they know citizens are using to access forbidden data.  Additionally, specialized software—written for the specific purpose of cracking the firewall—can allow Chinese unfettered access to otherwise forbidden websites.  In times of peak internet usage, the servers running the filtering software cannot seem to keep up with the traffic, and forbidden websites sometimes are not blocked in this instance as well.

But the “Great Firewall” is not the only, or the most potent, way Chinese authorities censor the internet.  Search for “democracy” on Google in China and you will get a different set of results than you would in the US.  Post a blog entry on your Microsoft blog service with the words “human rights” in the title, and Microsoft will not allow you to submit the post if you are posting from China.  Google, Microsoft, Yahoo, and many other big names in the software industry censor information on behalf of the Chinese government in a capacity that seems to far exceed what the government itself is currently doing.  All of these companies have determined that the opportunity to do business in China outweighs the potential backlash in Europe and (especially) the US that such censorship might bring.  However, I think that these companies might be underestimating a different sort of backlash:  what if China someday becomes democratic and the people see these companies as agents of the former communist government?  It would certainly have a pretty big impact on business down the line.  Additionally, I am disappointed that at least one of the companies did not refuse to censor data (and thus be blocked by the Chinese government).  One would think that if, say, Yahoo decided not to censor data, even though it would be blocked, it would gain a very high status amongst Chinese people due to its integrity and would be far more popular than any companies that did censor if the “Great Firewall” ever was dropped.  It’s too bad no one decided to take this gamble.             

New Troubles Ahead for the Recording Industry

The opponents that the recording industry has faced in the past have been small companies or individuals who had produced popular file-sharing software.  These were relatively easy targets:  they typically did not make any extra effort to ensure that their software was legal (and if they did so, they negated this with other boneheaded decisions, like Grokster’s marketing, for instance), they did not have nearly the legal resources of the recording industry, and they never organized into a cohesive group to fight the recording industry off.  Unfortunately for the recording industry, I think that this is about to change.

Who might be the next enemies of the recording industry?  Consider the following (which was mentioned in class on Tuesday, but is brought up in much more detail here):  the Microsoft Zune, which is Microsoft’s portable music player, while generally knocked for being just an imitation of the iPod, has one groundbreaking feature:  a wireless card.  Zune users in the same physical area can swap songs back and forth with only a few restrictions.  Unprotected music, which can either be legally unprotected or copyrighted music that has had protection schemes stripped, can be swapped without any restrictions.  Music that has a DRM protection scheme can only be played three times before being erased from the Zune.  But here is the caveat:  since Microsoft’s online music store is not particularly popular, the vast majority of Zune users have either imported their music from CDs (meaning that it is unprotected) or have had to strip the DRM from music bought from other online music stores, since, for instance, Apple’s DRM scheme will not allow songs bought from iTunes to be played on any portable music player other than the iPod.  Thus, although there really haven’t been any studies done to support this, it seems that the vast majority of files transferred through the Zune would be of the illegal variety.  This, of course, would seem to put the Zune in a similar place legally as Kazaa or Grokster, as it would be a device that had a mostly illegal sharing feature.  The only differences would be that the Zune would have a legitimate purpose as a portable music player, and that the transfer of illegal files would take place in a different medium than the internet.  If Grokster had implemented a front end similar to iTunes and marketed itself as a Windows Media Player-type application, it would seem to be in a similar position legally as the Zune.  However, it also might not have been sued out of existence if it had taken these actions.

Even J Allard, the Microsoft VP in charge of the Zune, has hinted that Microsoft will attempt to “open up” the recording industry and get them to give more concessions.  How this happens, of course, is probably only known to Microsoft executives at this point, but at some time it seems certain that Microsoft will start going after the recording industry (or vice versa).

While Microsoft may eventually challenge the recording industry, other software titans already have.  Consider the case of Google.  Google, through its acquisition of YouTube, immediately put itself under fire from the recording industry.  One could take the recording industry perspective and argue that YouTube is just a video version of Napster:  most of the most popular content is illegal, and YouTube clearly knows this and makes no effort to do anything about it, so therefore YouTube should be shut down just like Napster.  Of course, YouTube will argue that it is cleverly using the so-called “safe harbor” in the law and that it responds promptly to any complaints filed against it, but it seems like only a trial at this point will reveal the full details.  One thing is certain, though—the recording industry’s fight with YouTube will be much tougher than that with file sharing software companies like Napster.  For one thing, YouTube has aimed to protect itself from suits like this and minimize possible damage certainly since Google acquired it, and even before then.  Google will certainly have considerable legal resources to throw at the recording industry, as well as PR agents and lobbyists in Washington.  YouTube has been gearing up for this copyright fight since day one, and the recording industry is not going to enjoy attacking YouTube one bit.

If the recording industry thought it faced a difficult road in the past, then it should look to the future.  It is about to come in contact with the software giants (including Apple, which was not even mentioned here) which could collectively threaten the industry’s entire existence.  Whether or not this is a good thing is a matter of personal opinion, but it sure seems like the software titans have come to play ball and aren’t going away anytime soon. 

Antitrust Action in the Tech Industry

Last week, the EU fined Microsoft a record amount—$1.35 billion—for not complying with previously instituted sanctions.  Even though Microsoft had changed its pricing structure for licensing its patents and protocols for interacting with its software, the EU regulators decided that it was not enough.  In less reported news, about three weeks ago, the EU conducted an antitrust raid on Intel’s European offices in anticipation of a hearing in a few days where Intel will face charges that it dropped prices below cost in order to corner the market and eliminate its only main rival, AMD.  Of course, most people are familiar with Google’s somewhat controversial purchase of DoubleClick, which is by no means out of the woods yet, as it has not been cleared by the EU (which has a much tougher reputation when it comes to antitrust issues than the US).  Although the rumors that are circulating seem to indicate that the EU will approve the deal, in all likelihood this is just the beginning of antitrust issues for Google, which will likely be subject to the same scrutiny as Microsoft in the future.

With all of these antitrust issues swirling around some of the largest and most well-known tech firms, one has to wonder why, in particular, high-tech companies tend to be able to create a monopoly (or at least the perception of one) at a much higher rate than traditional companies.  In some cases, for instance, that of Intel, this is relatively clear:  the cost of the fabrication plants, which are used to manufacture microprocessors, is quite massive, and the industry itself is going to tend toward a small number of firms due to the very high startup costs.  The same is true for the current oligopoly in the cellular phone industry:  the cost of building your own network is far too high for many players to be involved.  But this argument doesn’t hold any water at all for software firms, like Google or Microsoft.  Any smart programmer with a cheap computer can build software, and anyone who can assemble a group of talented programmers can likely start some form of successful software company.  So on the surface there do not appear to be any major barriers to entry in the software industries that Google and Microsoft control, although most computer scientists know that this is far from the case.  In order to see why this is so, it’s useful to look at how these companies became so powerful.

Back in the late 1980’s and early 1990’s, Microsoft had one product that was admittedly very good compared to the competition:  Windows.  As the company started to branch out into different areas, it found that its products were in many cases not as good as those of other software companies that were already present in those particular areas.  However, Microsoft had one big advantage that it could leverage:  it could make its programs interact with Windows and each other in ways that its competitors could not.  There were even allegations made that Microsoft sabotaged Windows so that its competitors’ products would work poorly, although this has never been proven.  Thus, Microsoft was able to virtually eliminate companies such as Novell and Netscape as it branched out into more and more different areas of software.  Google, many believe, has taken the first steps down this road, as it seems to have cornered the online advertising markets by leveraging its advantage in internet search in the same way as Microsoft initially bullied competitors.

It should be clear that both Google and Microsoft have a competitive advantage due to their established leads in certain product areas.  Additionally, from this analysis, it seems like the best way to go about eliminating this monopolistic competitive advantage is for the regulatory committees to focus on requiring such “monopolies” to disclose their APIs to competitors.  This would allow, say, Novell to interact with Windows to nearly the same degree that programmers working on Office could and would significantly reduce Microsoft’s ability to use Windows to help sell Office.  Thus, on a personal level, I find the EU’s recent action much more reasonable than previous issues over bundling Windows with products such as Windows Media Player or Internet Explorer.  In my opinion, antitrust regulations in the software industry should focus on API disclosure, which would reduce monopolistic advantages, rather than bundling, which does not to nearly the same degree—most users will download or buy the programs that they want to use anyway, especially if they are free (most of the bundling antitrust issues have been based on free programs).  This will be discussed more at a later date.

Smart Cards and Identity Theft

In today’s class discussion on identity theft, one of the main points was centered upon how a person could be asked to identify himself or herself to an authority (say, for the purposes of getting a credit report or background check) without being exposed to an unnecessarily high risk of identity theft in the process.  In the course of the discussion, people brought up the possibility of using smartcards or adding smartcard capabilities to drivers’ licenses as a possible solution.  Ideally, it would be difficult, if not impossible, for a third party to emulate a person over the internet without the information from the appropriate smart card, which should be difficult to forge, modify, or extract data from in any unintended way.  However, today’s smartcards are far from this ideal.  As this technical report indicates, it is not difficult for even unskilled criminals to crack smartcards and thus be able to assume the identity of the card’s owner.  Additionally, most of the security flaws that the authors of the report exploited were very easy to fix, either caused by poor design or the desire to cut costs and use less expensive (and less secure) protocols.  But the authors do, however, point out there are more serious flaws in the way that smartcards and credit cards are designed and that more care should be given to smartcard protocols in the future.

So then, what would be a good smartcard protocol?  This topic has been active in cryptography, and most cryptographers agree that one of the best ways to do this is to use something called zero knowledge proofs (lecture notes on this topic, which unfortunately are rather technical, can be found here).  Zero knowledge proofs are based on hard problems, and generally work as follows:  suppose I am trying to authenticate myself to you.  I have the solution to a problem that is very difficult or impossible to solve, and I publicly distribute the problem itself (meaning that you have it) but I keep the solution to myself.  The idea of the zero knowledge proof is that I can convince you that, with high probability, I know the answer to the problem without actually giving you any information about what my solution to the problem is, and no one else (without the solution to my problem) can do this, so therefore I can authenticate myself to you.  This sounds very counterintuitive, and it is, but it does work out and has very nice applications to identity-based problems like this.  For instance, if a smartcard is implemented this way, there is no need for a central database of secret information, as the secrets need only be stored on the smartcards.  This means that the only way a crook could get their hands on the secret information, if the protocol was implemented correctly, would be to physically access the smartcard.  The data on the smartcard could require a PIN or password to use, as well, meaning that it would be difficult to use stolen smartcards too.  This, of course, would be a good system to have in place.
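The exchange described above, as an added example that is not from the original post or the linked lecture notes: it uses the Fiat-Shamir identification scheme, one classic zero-knowledge protocol, in which the public problem is v = s² mod N and the secret solution is the square root s. The toy modulus, the class names and the round count are assumptions chosen for illustration; the `Guesser` class shows why someone without s passes each round with probability only 1/2.

```python
import random
from math import gcd

# Toy modulus built from two known Mersenne primes (constructed for this
# example). A deployed modulus is 2048+ bits and its factors stay secret.
N = (2**31 - 1) * (2**61 - 1)

def keygen(rng):
    """Return (s, v): the card's secret and the public problem v = s^2 mod N."""
    while True:
        s = rng.randrange(2, N)
        if gcd(s, N) == 1:
            return s, pow(s, 2, N)

class Card:
    """Honest prover: holds s and never transmits it."""
    def __init__(self, s, rng):
        self.s, self.rng = s, rng
    def commit(self):
        self.r = self.rng.randrange(2, N)      # fresh nonce every round
        return pow(self.r, 2, N)
    def respond(self, b):
        return self.r * pow(self.s, b, N) % N  # r if b == 0, r*s if b == 1

class Guesser:
    """Knows only v; prepares an answer for one guessed challenge bit."""
    def __init__(self, v, rng):
        self.v, self.rng = v, rng
    def commit(self):
        self.y = self.rng.randrange(2, N)
        self.guess = self.rng.randrange(2)
        x = pow(self.y, 2, N)
        if self.guess:                         # make y^2 == x * v hold
            x = x * pow(self.v, -1, N) % N
        return x
    def respond(self, b):
        return self.y                          # correct only if b == guess

def verify(prover, v, rounds, rng):
    """Terminal side: accept only if y^2 == x * v^b (mod N) in every round."""
    for _ in range(rounds):
        x = prover.commit()
        b = rng.randrange(2)                   # challenge chosen after the commitment
        y = prover.respond(b)
        if pow(y, 2, N) != x * pow(v, b, N) % N:
            return False
    return True

if __name__ == "__main__":
    rng = random.Random(2008)  # seeded for repeatability; use `secrets` in practice
    s, v = keygen(rng)
    print(verify(Card(s, rng), v, 40, rng), verify(Guesser(v, rng), v, 40, rng))
```

The terminal only ever sees x, b and y, and each response on its own is a uniformly random-looking value; running 40 rounds leaves a guesser a 2⁻⁴⁰ chance of being accepted.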

So why has something like this not been put in place by the credit card companies, for instance?  Cost is the driving factor.  Smartcards with the capabilities described in the previous paragraph would be quite a bit more expensive than most of those in use today, and companies just don’t want to pay for it.  However, I think this will change eventually as the cost of identity theft to credit card companies and merchants increases to the point where it makes financial sense to spend more money on better cards and protocols.  Hopefully this point will come sooner rather than later, but, as with all technology, you just never can tell for sure.

DVD Jon Strikes again–but can he stay out of legal trouble?

Jon Lech Johansen, more commonly known as “DVD Jon,” has already made a name for himself in the computer security, music, and film industries, and has even gotten some attention from the international media, mostly over his release of DeCSS, a program that he wrote to decrypt content of a DVD disc that had been encrypted using the CSS (Content-Scrambling System) which was and still is used to “protect” the majority of DVDs today.  While DVD Jon’s newest development—a media application called DoubleTwist that lets users transfer media across platforms, stripping any DRM (digital rights management) protections in the process—is no surprise coming from him, his attitude about making money has changed completely.  In the past, DVD Jon has released all of his software tools online independently.  However, “DoubleTwist” is both the name of his application and the name of the startup that DVD Jon co-founded, and while the software is currently free, one can only expect that he will someday hope to make some money through it.      

In 1999, Johansen released DeCSS to a mailing list, and it became very popular.  Ironically, one of the reasons that DeCSS was relatively easy to crack was a US government regulation banning the export of even moderately strong cryptographic protocols (40-bit keys were the maximum allowed), but this is a theme for another post.  In 2002 and 2003, Johansen twice successfully defended himself from the Norwegian government after complaints from the Motion Picture Association.  DVD Jon’s successful defense was based on the following main premise:  he never did anything illegal because he only used DeCSS to make copies of his own DVDs for his own personal use.  Under Norwegian law, this is perfectly legal.  The Norwegian government could not refute this argument and, in the process of it all, DVD Jon became well known to many in computer security, and this court case is still one of the most famous in digital copyright issues today.

Now, however, DVD Jon is entering new territory. His startup company is currently located in San Francisco, meaning that the US government can prosecute him if it decides he is aiding copyright infringement. Finally, if DoubleTwist does ever start making substantial amounts of money, it will become a very attractive target for someone in the recording industry or digital music industry to sue. Personally, I think that it is inevitable that DoubleTwist will get sued within the next few years, but the legal situation is still an interesting issue to consider. The first stated function of DoubleTwist according to the company’s website is to “sync media with your favorite devices.” This step involves getting rid of any copyright protection that any media that you have on your computer may contain. Obviously Apple, Microsoft, and the recording industry are not too keen about this happening, although Microsoft may not really care given the sharing-based features of the Zune and its lack of a large share of the online music industry (some would argue that the Zune would be much more popular if DRM protection were eliminated due to its wireless sharing capability). However, this function of DoubleTwist is remarkably similar to DeCSS in that both simply unlock files. It would probably be difficult for DoubleTwist to be sued (and lose) for this feature alone.

The second stated function of DoubleTwist, though, is to “share media with friends and family.”  This is where the lawyers start getting excited.  Wouldn’t a software program that strips copyright information and acts as a file sharing protocol be roughly equivalent to Kazaa on steroids?  Rather than having to rely on one technically competent person to strip the DRM protection and then make the songs/videos from the newest release available in his or her shared files, now even non-technical people can share protected files.  This would seem to me like a nightmare for the established players in the music and movie industries.  While I tend to agree with DVD Jon on many of his positions about digital copyright issues, I think that this time he might have been a little bit too aggressive.  I hope that his luck continues, but I’m afraid that the industry will win this time.