Academic Freedom v. Computer-Security
“So much has been done, exclaimed the soul of Frankenstein—more, far more, will I achieve; treading in the steps already marked, I will pioneer a new way, explore unknown powers, and unfold to the world the deepest mysteries of creation” (Shelley).
How full of passion for knowledge was Victor Frankenstein—the scientist who created the hideous monster Frankenstein! He had just discovered the secret of life and he could not contain his desire for more knowledge and new discoveries.
Isn’t this the fundamental nature behind the quest for truth—the adage of “knowledge for the sake of knowledge?” This passion resulting from a newfound discovery ignites, revs, and propels newer discoveries. It propels the scientist to invest more time and sweat into his or her project, excites other scientists, and promotes fresh ideas and new perspectives. This is the modern-day scientist’s “scientific method”--a means for acquiring new knowledge to promote scientific progress.[1]
Yet even though Mary Shelley’s Frankenstein starts on such a hopeful journey, it ends in a story of loneliness. Frankenstein the monster laments, “I, the miserable and the abandoned, am an abortion, to be spurned at, and kicked, and trampled on” (Shelley).
Will the scientific method (particularly in the computer science/computer security field) go the way of Frankenstein—spurned, kicked at, and abandoned? Perhaps not, but copyright protection threatens scientific progress in computer-security research.
To briefly sum up in two sentences, the scientific method is a means of disciplined record keeping that allows each generation to preserve its scientific work so that future generations do not have to reinvent the wheel. This scientific work includes precise measurements, details, and data for credible research. Edward Felten argues in his testimony in the Felten v. RIAA case that ‘synthesis’ and ‘analysis’ form the foundations for research in the computer security field. “Computer security is built on two pillars: synthesis and analysis. The two advance in tandem: synthesis provides ever-improving systems to be analyzed, and analysis provides the information needed to synthesize stronger systems in the future” (Felten).
Although these two pillars are necessary for the scientific method to work, they alone do not fully satisfy the requirements for scientific progress. A third pillar is needed—the sharing of knowledge. In almost all areas of academia, publications are the most used means of sharing knowledge. The publications must be specific enough to wholly explain a researcher’s work and allow his or her work to be duplicated by another scientist. David Wagner in his declaration in the Felten v. RIAA case points out that “Precision in communication is often a prerequisite for progress” (Wagner). This specificity is essential to the scientific method. A scientific publication is arguably worthless if it merely says to “pick a bunch of these compounds and elements, combine them in a favorable way, heat it up a bit, let it cool for a while, stir it a bit, and ‘ta da!’ you’re done.” Indeed, a researcher’s publication needs to specify the exact data and conditions so that others can duplicate his or her experiment. Otherwise, the research is of no value to anybody but the original researcher. Matt Blaze in his statement in the Felten v. RIAA case asserts that “all scientific publications are expected to contain enough information to allow other scientists to duplicate, verify, and improve upon the results presented. The demand for rigorous and repeatable detail is an essential part of the scientific method and is what allows progress to be made and errors to be detected” (Blaze). All three pillars—synthesis, analysis, and publication—must work together if the scientific method (and hence scientific progress) is to succeed. How does the system collapse if one of these pillars is removed?
It is relatively clear that synthesis without analysis is defunct and analysis without synthesis is useless. Scott Craver accurately describes this circular relationship: “The relationship between those who design, and those who break, security systems is symbiotic; both are regarded as essential for scientific progress” (Craver). Designing and implementing systems without understanding their strengths and weaknesses throws the proverbial pie in the face of progress. “Synthesis without analysis is not great science” (Appel). Conversely, analyzing systems without actually implementing new ones renders the analysis fruitless—what’s the point of analyzing a system if the analysis never gets incorporated into a new version of the system? Analysis and synthesis must work together: “One can analogize the relationship to that between automobile manufacturers and automobile crash-testers” (Craver).
Although Craver’s example attempts to improve the credibility of analysis in computer-security research, he actually illuminates an important problem that computer security poses that is not found in other fields of endeavor. There is one very important difference between crashing cars and crashing computer security systems—the primary purpose of a car versus the primary purpose of a computer-security system. A car’s crash system is designed to protect the passengers as well as it possibly can—but the crash system does not make up the primary purpose of the car—the purpose of a car is to be driven. Publishing how to crash a car to maximize/minimize injury is a good thing to do to ensure passenger safety, but it is absurd to think that releasing such information puts the car in greater jeopardy of getting in an accident on the roadways. The sole purpose of a computer security system, however, is to not be broken. It serves no other purpose than to protect its data. Full security is the goal of such systems and analyzing a security system potentially destroys it.
I believe that most businesses both recognize and admire the benefits of research analysis. Many businesses in almost every field fund R&D (research and development), but there is a significant difference between computer security R&D and R&D in other fields. For example, it does no harm to a pharmaceutical company to fund research on new and better medicines to fight illness—including illnesses that the pharmaceutical company already manufactures medicines to treat. Understanding how the current medicine works—both its strong points and its harmful side effects—in no way harms how the current medicine works. Furthermore, sharing this knowledge with fellow researchers in academia in no way harmfully affects how the current synthesis works. Computer security research, however, is a completely different story. Just as in researching medicine, a computer-security researcher needs to analyze a current implementation for its strengths and weaknesses. Determining a security system’s weakness, however, reveals its vulnerabilities and jeopardizes the current implementation’s effectiveness. This is a subtle but very important difference between security research and research in other fields of science.
Perhaps the copyright businesses should then actively support and help expedite computer security research until the researchers develop a 100% secure system. But is there such a thing as full security? Edward Felten himself says that “It is worth repeating that there is no such thing as perfect security. This is true for any system on the Internet, not just systems using Java... In the real world, all you can expect is reasonable security. The solution to this conundrum is finding an acceptable tradeoff between functionality and security” (Interesting). Publishing how to crack a security system instantaneously renders that security system not secure. Perhaps it can still be considered “highly secure” or “sort of secure” but it is not “100% secure.”
This reality—that there is no such thing as 100% security—drives the fierce battle on whether or not cracks to a security system should be publishable. The main disparity between the two parties involved--the researchers advocating academic freedom and the advancement of computer security technologies versus the businesses who rely on security (particularly the RIAA for copyright protection of music) for profit—is where to draw the line for the “acceptable tradeoff between functionality and security.” They have two competing goals…one that “works” and one that “works best.” Arguably, academia’s expectation of “reasonable security” is when a security system is unbelievably hard to crack. Obviously the copyright-utilizing businesses will want the system that “works best” but they can’t afford to sit idle for years (and possibly decades) until academia finds an “acceptable tradeoff between functionality and security.”
If analysis can never produce a 100% secure system (as Felten himself states), then perhaps stifling analysis can ensure security—a sort of “don’t tell, don’t ask” policy to computer security. If everybody is prohibited from trying to break into it, then ideally no one would break into it, and thus it would be wholly secure. As improbable as this sounds on the surface, this argument does hold some water, for if nobody attempts to analyze a security system, then no one will be able to break it.
Is it possible that outlawing the analysis of security systems actually makes the computer-security world more secure? The Australian Port Arthur Gun Laws provide an interesting example of this seemingly un-common-sense logic. In 1996 there was a terrible massacre in Port Arthur where 35 people were killed. Australia quickly enacted much tougher gun laws, called the Port Arthur Gun Laws, which made all semi-automatic handguns illegal. Representatives of many pro-gun lobby groups protested against the changes, arguing that such laws will place restrictions on “law-abiding citizens and not the ‘lunatic fringe’ that procured their firearms illegally” (Bellamy). They argued that restricting non-criminals would not do anything to lower the gun-homicide rate in Australia but merely disable the innocent from protecting themselves. If only criminals had guns, the gun-lobbyists asked, what’s there to stop them from doing anything they please? Although the verdict on the effectiveness of the Port Arthur gun laws is still to be seen, only three years after their enactment there was a significant drop in gun deaths. “Stricter gun laws over the past decade have seen the annual number of gun deaths reduced from almost 700 down to 450. Stricter gun laws have thus saved many hundreds of lives” (Port Arthur). Contrary to popular belief, the Port Arthur Gun Laws were highly effective in reducing gun-related deaths.
Can this same logic be applied to computer-security? Perhaps not, because it takes a “worse criminal” to commit murder than for a “criminal” to hack into mp3-protection software, but much of the “copyright-infringement” is committed by the so-called innocent, decent citizens. Could this be the compromise between functionality and security? Perhaps ignorance is bliss in this particular situation. For non-life-threatening cases such as copyright protection, this may be a workable solution for computer security.
Appel, Andrew W. “Declaration of Andrew W. Appel in Felten v. RIAA (Aug. 13, 2001).” 13 Aug 2001. www.eff.org/IP/DMCA/Felten_v_RIAA/20010813_appel_decl.html (13 Sep 2002).
Bellamy, Patrick. “The Port Arthur Massacre: A Killer Among Us.” http://www.crimelibrary.com/serial/bryant/2.htm (13 Sep 2002).
Blaze, Matt. “Declaration of Matt Blaze in Felten v. RIAA (Aug 13, 2001).” 13 Aug 2001. http://www.eff.org/IP/DMCA/Felten_v_RIAA/20010813_blaze_decl.html (13 Sep 2002).
Craver, Scott. “Supplemental Declaration of Scott Craver.” 13 Aug 2001. http://www.eff.org/IP/DMCA/Felten_v_RIAA/20010813_craver_decl.html (13 Sep 2002).
Felten, Edward. “Declaration of Edward Felten in Felten v. RIAA (Aug 13, 2001).” 13 Aug 2001. http://www.eff.org/IP/DMCA/Felten_v_RIAA/20010813_felten_decl.html (13 Sep 2002).
“Interesting quotes from the experts.” www.kumite.com/myths/opinion/goodquot.htm (13 Sep 2002).
“Port Arthur – We Are Three Years Wiser.” (28 April 1998) http://www.guncontrol.org.au/n_pa.html (13 Sep 2002).
Shelley, Mary Wollstonecraft. Frankenstein. 13 Sept 2002. http://pd.sparknotes.com/lit/frankenstein/
Wagner, David. “Declaration of David Wagner in Felten v. RIAA (Aug 13, 2001).” 13 Aug 2001. http://www.eff.org/IP/DMCA/Felten_v_RIAA/20011022_wagner_decl.pdf (13 Sep 2002).
[1] Note the emphasis on scientific progress. Scientific progress is meant as the progress of understanding of a certain subject. Other notions of progress, such as “social progress”, are more subjective. What is viewed as “social progress” can depend on factors of social acceptance, religion, and ethics. John Brockman, president of the Edge Foundation, argues that “What constitutes [human] ‘progress’ depends on your conceptual system, especially your moral system” (Brockman). www.edge.org/q2002/q_lakoff.html