Edward Felten is something of an accidental activist, a Caltech-trained physicist and computer science researcher at Princeton, who has evolved from technical research into a highly-visible role in public policy.
Felten has had an always fascinating, sometimes controversial journey. After becoming deeply involved in research on computer security, especially with the explosion of Internet software, he saw how technical work could impact public policy when he was recruited by the Department of Justice to testify in the Microsoft antitrust case. Then his own research team found itself threatened with prosecution by the Recording Industry Association of America under the federal Digital Millennium Copyright Act. The crime: presenting a research paper at a scientific conference, even though the research was in response to a "public challenge" issued by the recording industry.
While Felten’s group eventually was able to present their paper at a later conference, the growing dangers of these kinds of restrictions on the users of technology products led Felten to focus his work on what he calls "the freedom to tinker."
Felten will be speaking on "Whose Computer Is It, Anyway" at the U.S. 1 Technology Showcase & Princeton Chamber Business Trade Fair at the Westin Hotel, Forrestal Village, August 28, at 3 p.m. The showcase, trade fair, and Felten’s lecture are free.
His thesis confounds the experts and infuriates the music industry. "When you talk about an ordinary product," says Felten, "almost everything you buy you think of as being yours. And yet somehow there’s this mystique around technology products. There is a growing sense in public discussions that when you buy a piece of technology it’s not really yours; that it somehow still belongs to the manufacturer."
Felten, an associate professor in the Department of Computer Science at Princeton University, publishes a commentary on law and technology on his Freedom To Tinker weblog (www.freedom-to-tinker.com). He defines the freedom to tinker as "your freedom to understand, discuss, repair, and modify the technological devices you own."
After all, if you buy a product like a clock, it obviously belongs to you, and you therefore can do whatever you want with it: You can mount it on a wall, or change the exterior face, or replace the interior mechanism, or simply fiddle with it to adjust the pendulum. It would be ludicrous if you bought a clock and then found it came with a manufacturer’s notice that stated that you actually did not own it, and could be arrested for dismantling it to understand how it works, or just to repair broken parts.
Or even if you buy a sophisticated device like a car, it is still yours. The state may license it, but you can customize it with sheepskin seats, add neon running lights, cut it in half and stretch it into a limo, or even smash it to pieces in a stock car race. It would be unimaginable if you could be sent to prison for disassembling a car to see how it works, or to customize and improve it.
But somehow, with technology devices, these kinds of restrictions already have come to pass. If you buy a plastic disc with music or video stored on it, it is illegal to access that material in ways not authorized by the distributors. Or if your garage door opener is not working, or you want to buy a less expensive printer cartridge, some manufacturers are claiming that the same laws allow them to prevent anyone else from seeing how their products work. Under the federal Digital Millennium Copyright Act (DMCA), it even is illegal just to talk about how some commercial technology works, even if the technology is well known to be ineffective for its use.
Felten did not start out to be a computer guru. He was originally a physics major at the California Institute of Technology. "It was only late in my time there that I decided computers were more interesting to me," he says. "I had played around with computers as a hobby. When I was a teenager my family had a personal computer and I did some programming and playing around."
His first practical use of the computer was to help his father, the manager of a plumbing supply firm. "His company was one of the leaders in their industry in computerizing." says Felten, "so he was interested in applications of computers, in understanding what they could do."
"We had computers around, and being a technology minded kid, at the time it was a natural thing to do. My mom was a homemaker and with no particular technical background; I was the first techie in the family. My sister who was a year and a half younger got an engineering degree, and did engineering for a number of years."
Felten graduated from Caltech in 1985 with a B.S. in physics, and then went to work with the Caltech Concurrent Computing Project, in a group that was building experimental computers in the physics department.
"One of the ideas to test out this new computer design was to use it to play chess," says Felten, "which was a difficult problem. The program eventually got to be pretty good. It played in several world chess tournaments. We learned a lot about how to make computer systems actually work under pressure because there’s no tolerance for crashes or mistakes."
After working in this research group for four years, Felten moved on to graduate school at the University of Washington to earn his MS and then PhD in Computer Science and Engineering in 1993.
"At some point I decided that I wanted to do computer science, and if I was going to have the kind of job I wanted to have, I had to have a PhD," says Felten. "So I went back to grad school."
"I knew I wanted a job that involved doing research related to computers. Looking around me at the kind of people who were in that kind of job, it was clear these folks almost all had PhDs. And the track that I was in at the time, sort of a research staff position, I had been promoted really as far as I could go. I was 25 years old and could stay in that job forever and never be promoted."
In 1993, Felten joined the Department of Computer Science at Princeton University, which was building a deep faculty of researchers. There he continued to work on core research topics in computer science, especially dealing with developing software that can work efficiently in systems with multiple processors.
The first shift in Felten’s career came in 1995, when he started working on computer security.
"That came sort of by accident, actually," says Felten. "One day a couple of graduate students came into my office. This was just about the time that Sun had introduced Java [a programming language for Internet systems] and it was going to be this big revolutionary thing and it was going to be completely secure. These graduate students had a late night discussion about whether this thing was as secure as it was cracked up to be. They did a little bit of investigating and found that maybe it wasn’t. Then they wanted some faculty member to work with, and they just came to me and said we can’t find anybody to work with."
"And I said sure, I’ve got a week or two to spend on this. And six months later I figured out that I was doing computer security as my new research area. That was a great time to be working on it."
In 1996 Felten became the director of a new Secure Internet Programming Laboratory at Princeton, where he has worked to explore and report security issues in Java, web browsers, and, more recently, mobile systems, and devices like smart cards.
He also published his first book in 1996, on Java security, and began serving as a security consultant to companies including Bell Communications Research and Sun Microsystems.
This was a busy time in the Internet community, as researchers and users were discovering that widely-used software had a surprising variety of security problems. The discoveries of Felten’s lab and others have helped to encourage software vendors to pay more attention to security, and to respond more effectively when problems are discovered. While such problems are still being discovered, the Internet community is clearly vastly better protected thanks to the work of the user community, and effective communication about problems and solutions.
Felten’s evolution toward public policy issues took another major step with his involvement in the Microsoft antitrust case from 1998 through 2002. Felten served as a consultant to the Antitrust Division of the U.S. Department of Justice, and testified as a government witness in a highly-publicized episode that went to the heart of Microsoft’s defense. Microsoft was claiming that its Internet Explorer browser was so deeply integrated into Windows that it could not be separated from the base operating system. Felten then demonstrated that it was in fact possible to remove Internet Explorer from Windows.
Felten has since consulted on several other cases, and has spent most of this past July in Chicago consulting on a patent lawsuit related to web browser plug-in technology, Eolas Technologies and University of California v. Microsoft. He testified as an expert witness, called by the plaintiffs, and sits in on the proceedings, helping the legal team "whenever they are talking about technology."
"It’s very interesting," he says. "Every case gets involved in different technical issues, and a lot of them touch on interesting public policy issues related to technology. The antitrust case certainly opened up all those topics for me; It’s one of the things that got me very interested in policy for technology."
But can the legal system really be an effective forum to deal with technical issues? "It’s really surprising how much a judge can understand," says Felten. "Part of it is the result of the adversary system, the way the system works — both sides show up with their arguments very finely honed. Just seeing that process of people honing their arguments — preparing the best explanation of the facts related to the case — is very educational."
Then in fall, 2000, Felten’s own group came under the threat of legal action. At the time, the recording industry was exploring technologies for preventing copying of digital music, under an effort called the Secure Digital Music Initiative (www.sdmi.org). This effort involved developing and evaluating schemes to encode and "watermark" the digital data so that only approved players could play it.
For such efforts, it is always tempting to invent a new scheme, to think you can do better than the combined efforts of the world-wide research community, and then protect your scheme by keeping the details secret. For example, there are well-known encryption algorithms that are regarded as reliable because they are open and public, and have weathered the test of time at the hands of both the research community and hackers. While such open algorithms are secure enough for the intelligence and banking communities, the DVD industry just had to develop its own secret technique, which then embarrassingly was quickly broken, and now can be cracked by a short piece of computer code that fits on the front of a T-shirt.
Similarly, the Secure Digital Music Initiative (SDMI) recording industry consortium was developing technologies to protect the playing, storing, and distributing of digital music. In September, 2000, the SDMI announced a "public challenge" to test several secret technologies that had been proposed for this purpose. The challenge included six technologies to be analyzed, and the SDMI also offered prizes for "successful hacking attempts" of up to $10,000 each.
For Felten, this was an opportunity to study technology that normally would not be available. "It was clear by that point that one of the more interesting issues related to computer security was going to be attempts to prevent people from copying copyrighted material," he says. "There are a whole bunch of interesting technology issues related to that. I was interested in them, but I wasn’t sure what the concrete research was that you could do on that topic."
"The fact that it was a challenge and that they were giving prizes was actually not all that interesting," says Felten. "The interesting part was that finally these technologies, which were usually hidden behind non-disclosure agreements, were going to be available for people to study."
Unlike real-world conditions, the challenge was structured to limit the ability to analyze the six technologies. The details of technologies themselves were not disclosed, only a small group of sample music clips was available, there was limited ability to test whether a watermark had been broken, and the SDMI provided only a three-week period to perform the analysis.
Even so, Felten’s group apparently successfully defeated all four of the watermarking technologies available for complete study, and analyzed possible weaknesses in the other two technologies.
Felten’s group then wrote a paper on their research results, which was accepted for presentation at an academic conference in April, 2001. Then two weeks before the conference Felten received a strongly-worded letter from the Recording Industry Association of America threatening that "any disclosure of information gained from participating in the Public Challenge" would then "subject your research team to enforcement actions under the Digital Millennium Copyright Act (DMCA) and possibly other federal laws." In the RIAA’s view, public discussion of a public challenge, which even included some technologies publicly disclosed in previous patent filings, was illegal under the Digital Millennium Copyright Act.
Under threats against the paper authors, the conference organizers, and their respective employers, Felten withdrew the paper from the conference. In a statement read at the conference, he said that: "We remain committed to free speech and to the value of scientific debate to our country and the world. We believe that people benefit from learning the truth about the products they are asked to buy. We will continue to fight for these values, and for the right to publish our paper."
Looking back on the experience, Felten says "we wanted to be in a position where we were not risking horrible consequences if we did not win the lawsuit. In fact, even having the accusation of illegal behavior against you, and having a lawsuit filed against you, has consequences. People could have lost their jobs."
upported by the academic community and by Princeton University, Felten continued to seek to publish the paper, and filed a lawsuit in early June asking a federal court to rule that the publication of the scientific paper would be legal (see sidebar).
The recording industry then relented, and gave permission for the paper to be published at a conference in mid-August, 2001. The lawsuit continued, however, because the recording industry continued to insist on veto power over the group’s ongoing work and future publications. But the judge eventually dropped the suit as moot.
"On the whole it turned out well," says Felten. "Eventually we were able to publish our paper, and we focused a lot of attention on the impact of laws that restrict the discussion of technologies. What we didn’t succeed in doing was actually getting that law declared unconstitutional."
"That was one of the biggest events that focused me on the issue of people’s freedom to use technology and talk about technology," says Felten. "There’s been a trend in recent years toward restrictions on the use of technology, restrictions on people modifying or reverse engineering technology. And later, proposals were floated in Washington to regulate the design of computers."
Felten then spent the 2001-’02 year on sabbatical at the Center for Internet and Society at Stanford to focus on these public policy issues. He also was working on a book, tentatively titled "Freedom To Tinker," and started his Freedom To Tinker website.
A lot of the effort Felten might have put into the book is going to the website instead. "I think that is positive," he says, "I have a regular readership. The site is timely, and I do occasionally write a piece that talks about a bigger perspective using some current event as a hook." Felten expects to get back to the book this fall.
The interesting issue for Felten at Princeton is how a computer science researcher can do work on public policy in an academic setting. "It’s a bit of a challenge to figure out," says Felten, "because the way computer science research is organized. It’s different from how the public policy community works."
"I’ve started to figure it out," he says. "I understand how I can do this work, but the challenge is to figure out how to build a community, how to get students involved, because the traditional model is that students are paid for by research grants."
"The department and the people here have been supportive," he says. "Computer scientists everywhere are starting to get interested in these issues, because of the sense that’s starting to grow that the profession is facing some degree of threat from these things. Its now getting to the point that when I go to a professional conference it’s hard for me to have a conversation that’s about technology; I always end up discussing policy."
Felten also continues to work and publish in traditional computer science, "maybe 40 percent of my research time," and also advise students. "I’ve gotten more interested in research issues related to privacy," he says. "Privacy is an important issue, but I don’t know what we should be doing. I know in the technology area there are ways we can contribute, and give people tools to protect privacy."
The other challenge for Felten is to understand how best to express his ideas, to make them seem relevant. "These issues are sometimes a real challenge to explain," he says, "because they involve technology, and because the effects of policy choices are often very indirect. If there is anything I wish I could do better, it is to explain to non-technologists why we should pay attention to these issues."
The original purpose of concepts like copyrights and patents was to help protect new ideas, so that their developers would not have to keep them secret. As a result, the developers could profit more from their ideas, by accepting a government-enforced but limited period of exclusive use, in exchange for openly revealing their work to allow society to learn and grow from it. But laws like the DMCA cancel this balance by allowing manufacturers to prevent any public discussion or even private study of technological security measures. In this new world, you are not permitted to have any outside verification that the devices you own work as advertised (or are not carrying out other unauthorized activities), or even that your vote is recorded correctly on your county’s voting machine.
"There are a lot of benefits that come from having open and flexible technology that people take for granted," Felten says, "and when people lose those things they don’t even necessarily notice. It’s hard when you see a new technology and you don’t know what the alternatives could have been. A lot of the cost is in the missed opportunities, things that don’t happen."
Felten deliberately chose to use the "freedom to tinker" term to summarize his concept to avoid other terms that were already loaded with associated meanings in the public policy, legal, or technical domains. For example, "reverse engineering," referring to taking apart a product to understand how it works, can sometimes take on the overtone of stealing other people’s ideas.
One way that Felten has worked on expressing his ideas is to talk about innovations that come from users of technology, "the idea that something is open to customers to figure out new ways to use it."
One example Felten uses comes from writer Edward Tenner — the typewriter keyboard (U.S. 1, June 11). When the keyboard was invented, it was designed for hunt-andpeck typing, and it actually was the users of the device who figured out the touch typing method that we use today, where you type without looking.
"There are lots of examples like this," says Felten, "where the people who were using something figured out there was a better way to use it. There even have been some formal scholarly studies, comparing competing products where one is open to customization and one is not."
Another example is the phone system and its transition from the monolithic closed system to the more open system we have now. You can combine machinery from different vendors, communicate with all kinds of devices that can talk to each other, and even extend to cell phones and wireless. "All of that becomes possible when you open up the telecommunications system," says Felten, "it then becomes a space for innovation."
The same trend is shown in the history of the software industry. "The computer is sold so that people can come up with new uses for it," says Felten. "It’s not designed to do any one thing in particular. Almost all the innovation that has taken place in software is because the basic technology is open and can be programmed by anybody." And much the same is true with the Internet. "The Internet is just designed to send whatever kind of data people want to send over it," he says, "so that then becomes a platform on which people can build all kinds of things."
But these are positive examples, "the negative ones are harder to come up with," says Felten, "because you have to talk about what would have happened."
Felten seems optimistic that his efforts are bearing fruit. "I think more people are starting to see the importance of this issue," he says, "that the attempts to control and lock down technology are starting to touch the lives of regular people to a limited extent, and people are becoming aware of this."
"So-called copy protected CDs are an early example of that. People just hate it when they buy a CD and it won’t play in their car and won’t play in their computer because somebody was trying to be too clever about preventing them from using it. Most people think that if they get a CD, they should be able to do whatever they want."
"Certainly in your own home," says Felten, "most people think that if you bought it, you should be able to use it as you see fit."
#h#Felten on The Cost of Speaking Out#/h#
In 2001, recording industry organizations threatened to sue Ed Felten and seven of his colleagues if they published a paper that discussed certain technology. They argued that publishing the paper would violate the Digital Millennium Copyright Act. Felten and his team withdrew the paper, temporarily, and filed a lawsuit, asking the court to rule on the question of whether publishing the paper would be legal.
"After we filed our lawsuit, the recording industry parties conceded our right to publish our paper, which was the main result we sought," writes Felten in his weblog (www.freedom-to-tinker.com). "Once we had the right to publish the paper, the constitutional challenge to the DMCA was dismissed as moot."
On Felten’s weblog he defends his decision to initially withdraw the paper, pointing out the case was not "just an abstract topic for speculation" to those named in the suit. "Let me assure you cases like this look much different if you are Felten (or any of the other would-be defendants: Bede Liu, Scott Craver, Min Wu, Dan Wallach, Ben Swartzlander, Adam Stubblefield, and Drew Dean)."
"I am happy to admit that if we had gone ahead and published the paper without any lawsuit, the odds were only 50/50 that we would have been sued, and we probably would have won the lawsuit.
"Probably, I would have kept my house.
"Probably, I would have kept my job.
"When it’s not your house on the line, when it’s not your job, the probably may be enough. To those who had nothing personally at risk, a lawsuit would have been no more than a scholarly conversation piece.
"For me and my colleagues, probably wasn’t enough. Even a 99 percent chance of getting to keep our houses and savings wasn’t enough. Nor should it be. I am still outraged when [critics] suggest that it’s not a problem if researchers have to put so much at risk just to write or speak on certain topics of public interest."
Edward W. Felten, Associate Professor Dept. of Computer Science Princeton University 609-258-5906 firstname.lastname@example.org www.cs.princeton.edu/~felten
Secure Digital Music Initiative (SDMI) www.sdmi.org
SDMI Paper Status www.cs.princeton.edu/sip/sdmi/ FAQ www.cs.princeton.edu/sip/sdmi/faq.html
ACM declaration www.acm.org/usacm/copyright/felten_declaration.html
Electronic Frontier Foundation www.eff.org/sc/felten
Douglas Dixon www.manifest-technology.com