Disobedient machines
Despite politicians' hopes, technology can't enforce public policy.

By Annalee Newitz

BASED ON WHAT lawmakers are saying these days, you'd think technology could solve all of our national conflicts. If we could just get some kind of national ID-card system up and running, we'd never see terrorism on United States soil again. Meanwhile, if Sens. Ernest Hollings (D-S.C.) and Dianne Feinstein (D-Calif.) have their way, new legislation will lead us to a glorious world where nobody can copy DVDs and CDs because digital copyright management tools are built into every piece of hardware and software that plays media.

There's even a bizarre thread of this conservative techno-utopianism running through the USA-PATRIOT Act, which is aimed at stamping out criminal activities through technological intervention. How do we deal with suspected terrorists and criminals? Put them under electronic surveillance, of course. If we can just monitor enough data on computers, then we've got them – whoever they are – by the balls.

But there's a problem with all of this – a very practical problem. Policy makers often have only a hazy understanding of how high technology works. Some argue for laws based on nonexistent technology. Others attempt to make already existing systems do things that aren't within their capabilities.

The truth is, it's not always easy to make machines conform to ever-shifting policies and laws. Computers are as disobedient and hard to organize as humans are.

As people attending mid April's Computers, Freedom and Privacy Conference in San Francisco kept pointing out, we don't need better technology to regulate U.S. citizens – we need better public policies.

A little problem at the border

Over the past several months we've heard from Oracle CEO Larry Ellison and from the California Department of Motor Vehicles about the need for a national ID-card system, implicitly one that would be machine-readable, or at least supported by a national identity-tracking network. The cards might be issued by the DMV or some other institution and would include biometric data, as well as information about everything from where you've traveled to your arrest records. But would such an ID card really help achieve the goal many of its supporters have touted: stopping crime and terrorism? According to Privacy Foundation fellow Andrew Schulman, the answer is absolutely not.

At the conference, Schulman delivered a blow to national ID advocates. Schulman unveiled the results of his research into one of the only machine-readable biometric ID cards currently in use: the U.S.-Mexico Border Crossing Card, often deployed by the Immigration and Naturalization Service to monitor people who regularly make short trips across the Mexican border into the United States. Manufactured by Drexler Technologies, the BCC is advertised as the "most secure card" available.

What Schulman discovered was that the BCC cards work just fine. The problem is, nobody can read them. The INS simply doesn't have the budget, or enough of a skilled labor force, to implement the technology required to read the cards at every border crossing. So there are literally no machines to read the cards. This problem, Schulman points out, would be increased a thousandfold if machine-readable national ID cards became the norm.

An even more pressing issue is how the cards would be issued. Obtaining identification depends on providing identification, after all: you need a birth certificate to get a driver's license. But birth certificates are one of the easiest documents to fake and are often stored haphazardly in small city or county courthouses. "Until we can solve the problem of breeder papers, we can't expect to have a foolproof national ID-card system," Schulman wryly commented.

Just scribble it out

Under the infamous Electronic Communications Privacy Act – now modified by the PATRIOT Act – the government has the right to monitor your electronic communications under various circumstances as long as it furnishes a warrant or a subpoena. As Department of Justice attorney Mark Eckenwiler explained at the conference, the ECPA places limits on what kinds of monitoring the feds can do and when. But it's difficult to limit monitoring when the tools the feds are using to do it – such as data sniffers – are generally indiscriminate, sucking up everything in a data stream and leaving it to humans to sort out which bits are OK for the feds to look at and which aren't.

Let's look at a specific example. Say, for instance, the feds get a warrant to monitor your e-mail. Typically the ECPA limits them to collecting only noncontent information from it. That is, they can look at who you are writing to, but they can't look at the subject headers in your e-mail or the content of what you've actually written.

So how does the law keep the wrong information from reaching the feds? Mostly it does so by allowing the feds to go to digital middlemen like AOL and Hotmail and letting those companies sort it out. At this point, ISPs and e-mail companies are on their own. They can craft any policy they like to regulate how they get the appropriate information to the government. They can choose to demand warrants for surveillance, or they can hand it over voluntarily. More disturbingly, when they do hand over noncontent information, they can cull and present it however they like.

One large Internet provider, for example, uses a fairly privacy-sensitive system, deploying machines to look at the monitored person's e-mail, strip off the headers, put them in a file, and hand them over to the feds. However, another provider prints the e-mails out and has a human being physically redact – that is, scribble out – all the content-related passages that the feds aren't supposed to read.

The feds generally try to make it seem as if their surveillance techniques are regulated not only by policies like the ECPA but also by the impartial minds of computers. And indeed, it's technically possible to create tools that allow for maximum privacy in the context of limited surveillance, but as long as corporate privacy policies remain unregulated, you send e-mail at your own risk.

Legal patches?

One of the biggest debates in Congress and in the media industry is the question of digital rights management, a blanket term for any kind of technology that enforces copyright on a piece of media – for example, it might prevent you from making illegal copies of a DVD. Lawyers, corporate executives, and policy makers are debating whether it's possible to create DRM technologies that will work in a litigious society like the United States, where fair-use exemptions to copyright laws change from day to day.

What if, for instance, you possess a document whose status under fair-use laws changes while you own it? Your DRM technology has been programmed to allow you one personal-use copy under the old laws, but under new laws you're permitted to make as many copies as you like. Now your DRM technology is essentially useless. Or what if you're a professor and therefore are permitted to make copies of a DVD under a fair-use exemption, while a typical consumer is not? Since the Digital Millennium Copyright Act makes it illegal to circumvent digital copyright protection, it's possible a professor who has the right to copy a piece of software could be arrested for using circumvention technology to get around DRM and make his or her perfectly legal copies.

Barbara Fox, a Microsoft developer who works on DRM-related software, suggested that one solution to this would be "legal patches," bits of code that vendors could release to keep a DRM up-to-date with current laws. Or perhaps companies could sell "fair-use software packages" to professors that would bypass DRM. The point is, software just isn't set up to be flexible in the same way that the law can be.

Fred von Lohmann, a staff attorney at the Electronic Frontier Foundation, pointed out that there are distinct social and economic advantages to having vague fair-use laws. Their vagueness leads to freedom and unfettered innovation. But that vagueness just can't be built into technology – at least, not right now. As von Lohmann joked, "It's as if we're asking how we can put federal judges on microchips." Sadly, as much as the wonks may wish it, we just can't fabricate judges who are that tiny yet.

E-mail Annalee Newitz at annalee@techsploitation.com.