November 27, 2002
Rubenfeld on Copyright and the Constitution

October's Yale Law Review has an interesting article by Jed Rubenfeld, entitled "The Freedom of Imagination: Copyright's Constitutionality." (Disclaimer: I'm not a lawyer and not a legal scholar, so I'm not fully qualified to judge the scholarly merit of the article. What you're getting here is my semi-informed opinion.)

Rubenfeld argues, convincingly in my view, that standard claims about copyright and freedom of speech don't stand up to scrutiny. He argues that copyright as now enforced places unconstitutional limits on free speech.

He goes on to explore how copyright can be made constitutional. This involves a detour to discuss the meaning of the First Amendment, followed by the laying of a new framework for copyright. He finds that copyright's ban on literal copying is constitutional, but the rules regarding derivative works need to be adjusted.

Whether this ultimately is correct is beyond me, but I think the article is worth reading if you're interested in these issues. I would like to hear the opinions of any readers who are lawyers.

[Link credit: Kitchen Cabinet]

Tech Provisions in Homeland Security Bill

Orin Kerr, over at the Volokh Conspiracy, summarizes some tech-related provisions in the new Homeland Security bill.

The bill changes the sentences that can be assessed for some computer crimes. The effect of these changes is unclear but will likely be small. The widely discussed life-sentence-for-hacking provision applies only in cases when the crimes deliberately or recklessly kill people; but such crimes are already punishable under state murder statutes. There is also an increase in the penalty for intruding into people's email.

The bill also makes some changes in wiretap law, granting more power to law enforcement. I won't attempt to further compress Kerr's already-compressed explanation; read it yourself if you're interested.

UPDATE (12:49 PM): Ted Bridis points out that the life-sentence-for-hacking provision applies even to attempts to kill people. This might in some cases allow prosecutors too much leeway.

November 26, 2002
Why I Wike the Web

Evewy so often you discovew an onwine sewvice that you nevew knew you needed. My discovewy today is the Diawectizew, which twanswates any web page into one of eight mostwy humowous diawects. Oh, dat scwewy wabbit!

To wead the west of Fweedom to Tinkew in Ewmew Fudd diawect, cwick hewe.

Topic(s): Humor
Posted by Edward W. Felten at 07:22 PM
Pavlovich Decision

The California Supreme Court has ruled that Matt Pavlovich can't be sued in California state court for posting DVD decryption software (though he can probably be sued elsewhere). Apparently, the key issue was whether Pavlovich's knowledge that his action would affect California companies was by itself enough to give California courts jurisdiction. The Court ruled that it was not.

Denise Howell at Bag and Baggage has a quickie analysis of the opinion.

The Slashdot Effect

I read Slashdot every day. It's one of the best sources for tech news, and it contains many nuggets of useful information and informed commentary. If anything interesting happens in the tech world, Slashdot will discuss it.

Sadly, the treasures of Slashdot are often buried in a vast wasteland of speculation, misinformation, and irrelevant blathering. For example, the commentary on yesterday's California Supreme Court ruling on the Pavlovich case includes this gem, contributed by an "Anonymous Coward:"

Livid was fully functioning as was DeCSS BEFORE nov 30th 1999.

DMCA does not cover software or hardware created BEFORE the beginning of 2000.

This is a fact.

DMCA will NEVER have any bearing on the original frozen sources of Nov 1999 Livid ...

DMCA start date was a few months too late.

Despite its emphatic tone, this posting is just wrong: the relevant portions of the DMCA went into effect in October 1998. There is nothing in the DMCA exempting programs created before 2000 or 1998 or any other date.

In theory, Slashdot's collective moderation process is supposed to weed out ill-informed postings by downgrading their scores; but in practice that doesn't happen as often as one would like. The posting I quoted above has the maximum possible moderation score (5). Worse yet, the moderators have given it the label "Informative". Readers who trust this posting will be ill-informed at best, and at worst may break the law.

(There is a response comment on Slashdot, written by "Guppy06," pointing out the inaccuracy. This response has moderation score 3, and label "Interesting." But an "Anonymous Coward," perhaps the original poster, disputes Guppy06's conclusion.)

By this point, I have probably provoked enough flamage to destroy several medium-sized cities. So let me say it again: I like Slashdot. I'm glad I can read Slashdot, and I thank its many well-informed participants for making it worth reading, despite its often depressing signal-to-noise ratio.

Topic(s): Media
Posted by Edward W. Felten at 09:58 AM
November 25, 2002
Slate: Just Say No to Politics

Slate, a smart online magazine that normally urges citizen involvement in politics, published today a commentary by Paul Boutin, urging citizens who happen to be geeks not to participate in the political process.

Boutin argues (as others have before) that geeks should stick to writing code -- that freedom is a Simple Matter of Programming. This was true back when the law ignored technology. Now the danger is different. A ban on broad classes of technology, or on entire areas of development, cannot be programmed around.

Boutin's argument is especially mystifying when it is applied -- as it is by Boutin -- to DARPA's now-famous Total Information Awareness program. According to press accounts, this program would accumulate information about Americans' commercial transactions, for wide-ranging analysis by law enforcement agencies. If you don't like this program, you can't stop it by writing code.

It's easy to make fun of clueless geeks' pathetic attempts to exert political muscle, like the campaign for Rep. Coble's libertarian-blogger opponent. It's clear that we geeks can't go toe-to-toe with our adversaries. But that isn't to say that we should just resign ourselves to whatever Washington dishes out. The right argument, presented in the right way, can still make a difference.

Boutin is right about one thing: political muscle isn't the answer. Let's face it, muscle has never been our strong suit. What we need is to do what we do best: to use our brains.


[Footnote for non-geeks: The phrase "Simple Matter of Programming" is an ironic geek in-joke that geeks like to use to refer to notoriously unsolvable problems. By analogy, the eradication of poverty is a "simple matter of economics," or achieving world peace is a "simple matter of international relations."]

DarkNet

Lots of buzz lately about the DarkNet paper written by four Microsoft Research people.

The paper makes a three-part argument. First, there is really no way to stop file sharing, as long as people want to share files. Second, in the presence of widespread file sharing, a copy-prevention technology must be perfect, for the presence in a file sharing environment of even a single uncontained copy of a work enables anyone who wants to infringe its copyright to do so. (This is what I call the "break once, infringe anywhere" model.) Finally, there is little if any hope that a copy-prevention (or "DRM") technology can be strong enough to prevent the creation of single uncontained copies of works. So the conclusion is that the current DRM approach will not work.

This paper has gotten attention in the policy community because it is well written and makes a compelling argument. But its argument is far from new. Indeed, the paper's claims have been the consensus of independent security experts for a few years already. You can see this, for instance, in Bruce Schneier's writing on DRM.

So why has the DarkNet paper gotten this much attention? My guess is that there are two reasons. First, the paper was written by guys from Microsoft Research, and Microsoft has previously taken a pro-DRM position. The paper includes a standard disclaimer saying that it is the opinion of the authors and not of Microsoft. But still it reflects a change. In past years, conference presentations from industrial researchers, both at Microsoft and elsewhere, have shied away from anti-DRM statements, so as to keep their employers happy (although vigorous anti-DRM language could often be heard at dinner afterwards). So non-techies will put more weight on the paper because of its authors' affiliation.

The second reason for the buzz around this paper is that the "DarkNet" terminology has a certain persuasive power, evoking a subterranean world of illicit activity, a sort of criminal underground of the Net. Although compelling, the "DarkNet" concept is misleading, if it is understood as implying that one can draw a neat line between the "legitimate Net" and the illegal "DarkNet".

In practice, the same technologies are used to conceal both legal and illegal activity. You can use a safe to lock up either criminal plans or business data. You can use encryption to conceal either copyright infringement or love letters. You can use "sneakernet" (which is a DarkNet technology, according to the paper) to share software illegally with your neighbor, or to give baby pictures to grandparents. Attempts to regulate or ban the DarkNet often affect legitimate networking. Examples of this include both the Hollings CBDTPA, which would have regulated many innocuous devices (as documented in Fritz's Hit List), and the Berman-Coble "P2P Hacking" bill, which would affect ordinary websites.

On balance, the DarkNet paper will be valuable not because it breaks new ground technically but because of its persuasive power. If it can move the policy debate forward, and onto sounder technical ground, that will be a major achievement.

Crackdown at the Naval Academy

According to The Capital, which appears to be a local newspaper in Annapolis, officials at the Naval Academy have seized the computers of nearly 100 midshipmen (i.e., students at the Academy) because of suspected file sharing activity.

Some people paint this as an "RIAA goes after the Navy" story. But based on the newspaper article, it looks like a "Naval Academy goes after its students" story. It appears that the RIAA sent the Naval Academy the same letter that it sent to many universities, and the Academy then decided on its own to take this action.

Will this put pressure on other universities to do the same thing? Perhaps not, because of the special status of the Naval Academy. Students are members or quasi-members of the Navy and hence have less privacy and autonomy than most students do; and the computers in question arguably belong to the Navy anyway. In any case, it will be interesting to see how the Navy proceeds.

Topic(s): Copyright
Posted by Edward W. Felten at 10:19 AM
November 22, 2002
Blog Comment Spam

I saw my first blog-comment spam today. David Weinberger's posting on open spectrum had one comment: a standard-issue Nigerian scam message. How much longer before we see Trackback spam?

Posted by Edward W. Felten at 10:32 AM
Lobbyists to Solve Copyright Problem

Declan McCullagh at news.com reports that "Technology and entertainment lobbyists will sit down at the negotiating table [today] to seek a resolution to the long-running political spat over digital copyright."

The article makes the alarming but unstated assumption that the last Congress's refusal to pass any "anti-piracy" bills is actually a problem. When Congress rejects bad bills, that's not an "impasse," that's democracy at work. We should all hope that Congress continues to reject any bad bills that are put before it.

It's a classic error to assume that every social problem can best be solved by passing new laws. Copyright infringement is a difficult problem, but so far I haven't seen any convincing argument that passing laws can do much to address it.


Clarification (added at 11:30 AM): Declan is one of the last people I would expect to make the "classic error" of assuming that all problems require government action. I suspect the hand of an editor at work here.

November 21, 2002
RIAA's Anti-Infringement Site Infringes

I swear I'm not making this up.

DSLReports observes that the RIAA's new anti-infringement website, UnitedMusic, contained material copied without permission from a page at the University of Chicago. The RIAA has now removed the apparently infringing material.

Topic(s): Copyright
Posted by Edward W. Felten at 07:53 PM
My Worst Fears, Confirmed

Cory Doctorow points to a new tool, GetContentSize, that evaluates what portion of a Web site is content, as opposed to formatting and other junk. When applied to this site, here is GetContentSize's report:

http://www.freedom-to-tinker.com

Total page size: 32939 bytes (not including images, attached scripts or style sheets)

...

[NO CONTENT]

UPDATE (1:00 PM): Adrian Holovaty, the author of GetContentSize, writes that he has fixed the bug that caused this site to be labeled as content-free. Now the site rates as 38.7% text content. Now that it's fixed, GetContentSize looks pretty useful in diagnosing sites that have too much baggage and too little content.

Topic(s): Humor
Posted by Edward W. Felten at 10:30 AM
November 20, 2002
Post-Napster File Sharing at Princeton

Today's issue of the Daily Princetonian, our student newspaper, reports on file sharing issues on campus.

(Note that the article has its facts wrong about the Napster case. Napster was not found to have violated the DMCA. Napster's legal problems had to do with contributory and vicarious copyright infringement.)

Topic(s): Copyright, Princeton
Posted by Edward W. Felten at 09:53 AM
November 19, 2002
Report from the ACM DRM Workshop

Yesterday I attended the ACM "Digital Rights Management" Workshop in Washington DC. There were about 100 attendees, most of them computer scientists, with a few lawyers and Washington policy types thrown in. Papers from the workshop are available online.

My main impression was that the speakers were more openly skeptical about DRM than at past conferences. I don't think this represents any real change in opinion. The real cause, in my view, is that industrial researchers are now starting to say in public what they would only say in private before.

The skepticism about watermarking was especially strong. One speaker described a simple attack that apparently can defeat essentially all state-of-the-art watermarking methods. Another speaker's paper says

Proposals for systems involving mandatory watermark detection in rendering devices try to impact the effectiveness of [file sharing systems].... In addition to severe commercial and social problems, these schemes suffer from several technical deficiencies, which, in the presence of an effective [file sharing system], lead to their complete collapse. We conclude that such schemes are doomed to failure.

Topic(s): DRM, Security
Posted by Edward W. Felten at 10:02 AM
November 16, 2002
In Search of Technology News

I still remember the first time I saw a newspaper that had a technology section. It seemed to herald the arrival of technology in the mainstream of American life, and to offer the public a chance to understand how life was about to change.

Lately I have begun to wonder whether the technology section is a good idea. Don't get me wrong; straightforward, down-to-earth discussion of technology is needed now more than ever. The problem is that that isn't what technology news means anymore.

More and more, our "technology news" isn't about technology at all. It's about stock prices, earnings reports, lawsuits, and executive hiring and firing. In short, it's an annex to the business page, reporting on companies that just happen to make high-tech products. This seems to be true at all of the major newspapers I have seen.

Consider the technology page of today's New York Times online. It highlights these five stories:

1. A shareholder lawsuit against Homestore.com alleges financial improprieties at AOL Time Warner.

2. A brokerage firm changes its advice to its customers about whether to invest in Intel stock.

3. Executives at Citigroup bribe New York's 92nd Street Y to admit one of their children to the Y's preschool.

4. Workers at a Canadian phone company vote to go on strike.

5. A court approves the bankruptcy plan of a telecom company.

This is all about finance and labor relations. You could write the same stories about bathtub manufacturers or fast-food chains. The only connection to technology is that each story mentions a company that sells high-tech products.

Story number 3 is a particularly extreme example. To the extent that it's even about a company, the company involved is Citigroup, which isn't a tech firm. This is an eye-opening story that belongs in the newspaper -- just not on the tech page.

For a long time I bemoaned this not-really-tech-news phenomenon but thought of it as basically harmless. What's the big deal, I thought, if some newsworthy material is mislabeled?

But lately I've started to wonder whether this mislabeling is having insidious effects. What if the editors of these newspapers think they are educating their readers about technology, because they publish a tech section? What if readers think they are learning about technology because they read the tech section? What if lawmakers think that this stuff is what technology is really about?

Yes, I know. Too many pure technology stories are boring. It's a rare writer who can make a real tech story clear and compelling. If the tech section were really about tech, it would have to be much smaller.

That's fine with me. In an ideal world, today's non-tech "technology" stories would still run, but they would be put in the business section where they belong. The tech section would run less often, and would actually talk about technology; think of it as a cousin of the science section, which might run once a week at a big-budget paper. Like science writers, technology writers would be fewer and would have the rare talent required to write tech stories that people actually wanted to read.

The first time I see that kind of tech section, I'll know the world really has changed.

Topic(s): Media
Posted by Edward W. Felten at 04:58 PM
November 15, 2002
Virus With a EULA

Rob Lemos at news.com reports on a new "greeting card" virus that protects its author by using a EULA (End User License Agreement):

The FriendGreetings electronic greeting card has all the hallmarks of a mass-mailing computer virus.

The e-mail misleads a victim into downloading an application--ostensibly to view a Web card--and then sends itself to every e-mail address in the victim's Outlook contacts file. At least a few systems administrators have complained in Usenet postings that the mass-mailing e-card was to blame for swamping their network.

Yet the creators--Permissioned Media, a company apparently based in Panama--will be hard to prosecute: The viral card is protected by a license agreement that tricks unsuspecting users into clicking "Yes" and consenting to have the program send itself to all their e-mail contacts.

This exploits the well-known fact that people don't actually read EULAs, but just click "I Accept."

The theory underlying the validity of long, hard-to-read EULAs (if indeed they are valid) is that companies that use misleading EULAs will get bad publicity -- if BadCorp's EULAs are evil, somebody will notice this, and when this information is spread BadCorp will lose business. This is all well and good when BadCorp is a company that wants to do business for an extended period.

This virus-with-a-EULA is a challenge to that theory. The virus spreads so rapidly that it does all of its damage before the news about the bad EULA can spread. And the virus's author is a company that nobody has ever heard of. Having spread the virus, the author-company can close up shop, so the damage to its reputation doesn't matter.

If the law says that this kind of EULA actually makes a virus legal, then we're in a tough spot. We can ask every user to read, understand, and evaluate every EULA he sees. But that's not going to happen. People can decide not to accept EULAs, except those from well-known companies. That isn't a very satisfying answer either. Or people can settle on a few standardized EULAs, and we can rely on software tools to recognize non-standard EULAs so that we can reject them.

This recapitulates a debate that the research community had about mobile code security. The problem there is that little programs are arriving on people's computers, and somebody has to decide what those programs are allowed to do. One approach is just to ask the user to decide in every case; but users get "dialog box fatigue" and start agreeing to everything without reading it. Another method is to apply a standardized one-size-fits-all policy to all programs, but that policy is either too restrictive for legitimate programs, or too lax for malicious programs, or both. In the end, no fully satisfactory solution was found, but everybody agreed that a well-engineered system would limit the harm that bad programs could do. How to apply that lesson to the EULAs isn't immediately clear.

November 14, 2002
A Stroll Through the Logs

The website statistics program I use (webalizer) lets me see what search strings people are using when they find this site via the usual search engines. November's report is amusing.

The most common search string that led to the site is "tinker." No surprise there. Number two, though, was "fart noises." (That matches a Fritz's Hit List entry, in case you're wondering.)

This raises important questions that merit future research. Is this site known primarily for its material on fart noises? Or are there lots of people out there searching for "fart noises" and then stumbling onto this site? Readers are invited to submit explanations.

("Fart noises" ranked highly in October, too, behind only "tinker," "freedom to tinker," and "fritz's hit list".)

Also interesting is the fact that more people found this site by searching for "ed felton" (with my last name spelled incorrectly) than for "ed felten" (the correct spelling). The misspelling appears nowhere on this site, so it must be that people link to the site using the misspelled name, or that some search engines are smart enough to correct for the misspelling.

In a related story, click here for an explanation of how Eugene Volokh's serious, non-porn site was a search result for "kazakh girls nude".

Topic(s): Humor
Posted by Edward W. Felten at 09:14 AM
November 13, 2002
More Great Stuff From Seth Schoen

If you want to understand what the whole Palladium/LaGrande/"trusted computing" issue is about, you should read Seth Schoen's recent writing. His analysis is insightful, technically sound, independent, and hype-free. For the latest example, click here, scroll down to "Trusted Computing," and read the next several sections.

Early Release of MS Decision Just a Blunder

Ted Bridis at AP confirms, based on an internal investigation by court staff, that the early release to the Web of Judge Kollar-Kotelly's rulings in the Microsoft case was just a mistake by someone on the staff.

Topic(s): Security
Posted by Edward W. Felten at 09:40 AM
Garfinkel on Mitnick's Book

Simson Garfinkel has an interesting reaction to Kevin Mitnick's recent book.

Mitnick, "the most famous computer hacker of our time," claims to have operated mainly by social engineering, that is, by conning people into giving him restricted information. Garfinkel describes how Mitnick-type attacks can be mitigated by wisely-designed technology.

Topic(s): Security
Posted by Edward W. Felten at 09:17 AM
I'm Back

London was fabulous, though Northwest Airlines did give us an extra "bonus" day at Gatwick airport on the return trip.

Posting will resume later today, once I've crawled out from under the pile in my inbox.

Posted by Edward W. Felten at 09:04 AM
November 06, 2002
No Posting Until Tuesday Morning

You won't find anything new here until Tuesday morning.

I'll be in London, secure beneath the watchful eyes.

Posted by Edward W. Felten at 11:37 AM
November 04, 2002
Microsoft Ruling Released Early

Update (8:42 PM): The item below, which I am leaving here only to maintain a complete record, was INCORRECT. It was based on an inaccurate report from a reader, which was discovered when I asked the reader a few more questions. At this point, although the ruling was put on the Court's website early, there is no evidence that the Court's email was also released early.

======

[INCORRECT ITEM:]

Earlier I wrote about Friday's Microsoft ruling being available at a hidden URL on the Court's site at 2:40 PM, about two hours before the official release time.

Reader [name deleted] reports receiving the Court's emailed release of the ruling at about 3:15 PM, more than an hour before the scheduled release. (I received it about 5:00 PM, but the message was listed as sent at 3:15 PM.)

Previous rulings in the case had been released after the stock market closed on a Friday, and this ruling was announced to follow that schedule. It's not clear why it was released early. It seems unlikely that the judge changed her mind about when to release it. Perhaps the plan was to release it at 4:30, but once it was clear that the information had leaked from the website, somebody decided to release the email.

Any other theories?

Topic(s): Security
Posted by Edward W. Felten at 03:16 PM
Hiatus for Fritz's Hit List

As of today, Fritz's Hit List is going on hiatus. It's not that I have run out of examples for the list. I have many good ones left, and a few great ones like a musical chip-and-dip bowl. It's just that I have made my point and I'm tired of having to write a new entry every day.

I'll revive Fritz's Hit List if the Hollings CBDTPA gets any closer to passage, or if a new bill with the same shortcomings is introduced. Until then, the first 29 entries are available in the archives.

Topic(s): Fritz's Hit List
Posted by Edward W. Felten at 11:30 AM
SpamCop Blacklists Declan, Again

Declan McCullagh reports that his Politech server has been blacklisted by SpamCop -- for the third time. Longtime readers may recall this site being wrongly blacklisted by SpamCop in its early days. The scary part is that SpamCop is apparently one of the more responsible spam blacklisters.

Amy Wohl reports being on another blacklist.

UPDATE (3pm): Seth Finkelstein thinks he has diagnosed Amy Wohl's problem.

Topic(s): Spam
Posted by Edward W. Felten at 11:14 AM
November 03, 2002
Microsoft Ruling Released Early

Ted Bridis at the Associated Press reports that Friday's rulings on the Microsoft case were put on the Court's website at 2:40 PM, about two hours before their official release. As in the Intentia/Reuters incident, the documents were put on the website in a guessable location, but without any links to them being released.

Slashdot published the news about the rulings' availability at 3:30 PM, still about an hour before they were to be released. At this point, even the DOJ and Microsoft had not seen the rulings. The markets were still open at this point, and the trading price of Microsoft stock predictably went up.


This work is licensed under a Creative Commons License.