ACM Washington Update, Vol. 9.11 (November 30, 2005)

By David
December 1, 2005


[1] Newsletter Highlights
[2] USACM Writes to Virginia Policymakers on E-voting
[3] Data Security Bills Progressing, but Passage Unlikely by Year End
[4] House Committees Investigate “Fair Use” and the “Analog Hole”
[5] R&D Programs Weather Tough Budget Climate (So Far)
[6] Sony Rootkit Stirs Controversy, While Senate Spyware Bill Advances
[7] ICANN Retains Internet Governance Position
[8] Turing Award Winners Earn Nation’s Highest Civilian Award
[9] Events in December
[10] About USACM

[An archive of all previous editions of Washington Update is available here.]


Below are highlights of the top stories for November; there’s more detail on each below, as well as on our weblog at

* USACM reaches out to a special committee of Virginia policymakers and technical experts considering e-voting system standards; the committee defers a decision on whether to include paper trails on e-voting systems.

* Congress starts moving data security legislation, but final agreement isn’t likely until next year.

* Two congressional committees — seemingly approaching the matter from different perspectives — take time this month to look at copyright issues surrounding “fair use” and the “analog hole.”

* Science agency research funding weathers tough budget climate, but the potential for an across-the-board cut remains.

* Researcher reveals that many newer Sony/BMG music CDs install “rootkit”-like software on unknowing users’ computers in an attempt at copyright protection (although that is only the beginning of the tale), while a technology-centered spyware bill makes it out of a Senate committee.

* The United States’ prominent role in Internet governance will continue, but U.S. and other stakeholders agree on the creation of a U.N. administered Internet Governance Forum.

* 2004 ACM Turing Award winners Vint Cerf and Bob Kahn receive the Presidential Medal of Freedom.


USACM sent a letter to Virginia Delegate Tim Hugo, chair of the Joint Subcommittee Studying the Certification, Performance, and Deployment of Voting Equipment, regarding the issue of voter-verified paper records and electronic voting machines. The letter came just days before the committee was scheduled to hold an important hearing on the issue.

In the letter, USACM outlines the e-voting position that ACM adopted last year. That position calls for, among other things, “all voting systems–particularly computer-based electronic voting systems–[to] embody careful engineering, strong safeguards, and rigorous testing in both their design and operation,” as well as enabling “each voter to inspect a physical (e.g., paper) record to verify that his or her vote has been accurately cast and to serve as an independent check on the result produced and stored by the system.” In April, USACM sent a similar letter to policymakers in Hawaii:

However, according to a recent article in the Richmond Times-Dispatch, the Virginia committee “deferred a decision … on whether to recommend paper audit trails on new voting equipment” for the state following testimony from the secretary of the State Board of Elections who “cautioned members to wait before adopting new technology.” The article does not mention a timeframe for the deferral — see the following URL for the full article:

The full USACM letter and more background information are available at


The Senate Judiciary Committee this month approved Senator Arlen Specter’s “Personal Data Privacy and Security Act” (S. 1789), adding to a growing field of bills vying to address increased concerns regarding data security and privacy this year following a number of high-profile data breaches. S. 1789 represents a significant revision of Specter’s original bill, S. 1332, that was introduced in June. Most notably, the new version does not contain S. 1332’s provisions related to increasing the protections for Social Security numbers. Complete information about S. 1789 is available at

In October, the Judiciary Committee also advanced Senator Jeff Sessions’ (R-AL) “Notification of Risk to Personal Data Act” (S. 1326). Sessions’ bill contains the three main components that characterize many of the pending data security bills: data breach notification, data security requirements for organizations, and preemption of similar state laws. The full text and status information on S. 1326 is available at

Meanwhile, at the other end of the Capitol, the major House data security bill, Sen. Cliff Stearns’ (R-Fla.) “Data Accountability and Trust Act” (H.R. 4127), also made progress this month, advancing from Stearns’ subcommittee to the full Energy and Commerce Committee. Stearns’ bill contains the three major provisions mentioned above, but it also includes special rules for data brokers and somewhat more detailed guidance on using encryption techniques to secure data. Complete information about H.R. 4127 is available from

As you can see, there are a number of similar bills making good progress in Congress, and it is difficult at this time to say which bill has the best chance. However, it does seem fair to say — given the late date — that it will be next year before we see any resolution of the situation. Indeed, much work remains to be done toward crafting a data security package that can garner enough support to pass both houses of Congress.


The House Energy and Commerce Committee held a hearing this month titled “Fair Use: Its Effects on Consumers and Industry.” Ostensibly, the point of the hearing was to explore what might be some benefits of the fair use doctrine on technology development. However, unofficially, it appears likely that the hearing was an effort to push back on the House Judiciary’s efforts to restrict fair use, such as that committee’s proposal to close the so-called “analog hole,” often a point where DRM-protected content is transmitted in the clear and can be copied for reconversion into digital format (e.g., capturing the signal between a CD player and its speakers, or simply recording the output of a television with a camcorder).

Witnesses for the Energy and Commerce Committee hearing included Peter Jaszi (American University), Gary Shapiro (Consumer Electronics Association), Prudence Adler (Association of Research Libraries), Jonathan Band (NetCoalition), and Gigi Sohn (Public Knowledge). More information about the hearing, including the archived webcast and full witness list with links to their prepared testimony, is available at

Meanwhile, the Judiciary Committee’s Subcommittee on Courts, the Internet, and Intellectual Property held an oversight hearing recently entitled “Content Protection in the Digital Age: The Broadcast Flag, High-Definition Radio, and the Analog Hole.” Witnesses included such notable figures as Dan Glickman (MPAA), Mitch Bainwol (RIAA), Gigi Sohn (Public Knowledge), and Michael Petricone (CEA). Complete information about this hearing, including links to the archived webcast, witness testimony, and related discussion drafts, is available at


In early November we warned that the funding outlook for science agencies this year looked to be worsening, but some new technology programs were in play; see

Shortly after, Congress proved us partially wrong by increasing funding for the National Science Foundation (NSF) above what Congress was proposing at the beginning of the year. But Congress’ work isn’t finished for the year. Capitol Hill and the White House are actively discussing an across-the-board cut to everything that has been approved earlier this year. Rumors put the percentage cut at around 1 percent, but some have said it could be up to three percent. We won’t know the final number until Congress comes back in the beginning of December. Here are the funding figures so far:

NSF $5,643,193,934 $5,473,000,000 3.11
DOE Office of Science $3,633,000,000 $3,600,000,000 0.92
NIST Labs $399,389,157 $379,000,000 5.38
NASA (top line) $16,427,177,760 $16,100,000,000 2.03
Cyber Security Research $16,700,000 $18,000,000 -7.22

We will update the final numbers once Congress decides whether to apply an across-the-board cut and, if so, how much. For a more detailed analysis, visit the Computing Research Association’s Research Policy weblog at

It is pretty shocking that Congress actually increased NSF above what either the House or Senate approved at the beginning of the year. It is even more surprising considering that the budget climate actually got much worse over that same time period. This might be the untold story of this year. Certainly one significant factor has been the tremendous drumbeat in the media and from many members of Congress about the role that research funding plays in supporting America’s global competitiveness. Tom Friedman’s book “The World is Flat” is a best seller, and Congress realizes that the American public is beginning to understand that their future is tied to innovation and the next technology breakthroughs that drive economic growth.


Sony BMG Music Entertainment became a center of attention this month when it was revealed by security researcher Mark Russinovich that the content-protection mechanism used on many of the company’s newest music CDs was behaving rather like something called a “rootkit” in computing jargon. According to a related Washington Post article, a rootkit consists of “software tools that hackers can use to maintain control over a computer system once they have broken in.” Other characteristics of rootkits include hidden files and other means to ensure that the rootkit code itself cannot be uninstalled easily. The full Post article on the rootkit is available at

In his full analysis, Russinovich points out that the rootkit was responsible for a “hidden directory, several hidden device drivers, and a hidden application” on the machine where he discovered it. His complete and fairly technical analysis is available here

Following the uproar in the technical community, which was concerned about the potential for virus writers or malicious hackers to take advantage of the vulnerabilities created by the rootkit, Sony promptly released a software update intended to address the problem. However, the story does not end there. It was soon discovered that the uninstaller released by Sony might actually cause more problems than it solves by opening a major security hole in users’ computers.

USACM member Ed Felten has been following the developments in this still-unfolding case very closely on his weblog (with the help of J. Alex Halderman) — see the following URL for a good starting point:

Meanwhile, in related news, the Senate Committee on Commerce, Science, and Transportation recently advanced Sen. Conrad Burns’ (R-MT) SPY BLOCK Act (S. 687), which focuses on regulating the technological aspects of spyware in an attempt to protect consumers’ computers. Among other things, the bill would make it a crime to cause the unauthorized installation of software on a person’s computer in a manner that conceals the fact of installation from the user or prevents the user from knowingly granting or withholding consent. The full text of S. 687 is available at

Readers may recall that we’ve also been tracking the progress of the two major House spyware bills — more information on them is available at

Spyware legislation also made good progress through both houses of Congress last year; however, the effort failed as policymakers could not reconcile the two distinct approaches to combating spyware embodied by the different pieces of legislation (i.e., regulating the technology itself or criminalizing the behavior of those responsible for spyware). A similar situation may be unfolding in Congress this year.


In a fairly last-minute deal before the start of November’s much-heralded and controversial World Summit on the Information Society (WSIS) event in Tunis, Tunisia, the U.S. and other international stakeholders reached an agreement that ensures the continuation of the United States’ leading role in Internet governance (through its relationship with ICANN, the Internet Corporation for Assigned Names and Numbers) while at the same time creating a broad-based U.N. forum for the discussion of Internet issues. Readers may recall that we reported last month on the substantial push-back in Congress against any U.N. involvement with Internet governance:

The new agreement taps the U.N. Secretary-General to create an Internet Governance Forum with a mandate to address, among other things, “public policy issues related to key elements of Internet Governance in order to foster the sustainability, robustness, security, stability and development of the Internet.”

The full text of the agreement is available at the following URL (see item 72 for the Internet Governance Forum provisions):

For more information and perspective, see the recent CNET article at


November also saw Bob Kahn and Vinton Cerf awarded the Presidential Medal of Freedom for their pioneering work on Internet protocols. Established by Executive Order 11085 in 1963, the Medal may be awarded by the President “to any person who has made an especially meritorious contribution to (1) the security or national interests of the United States, or (2) world peace, or (3) cultural or other significant public or private endeavors.”

In its announcement, the White House notes that the two “have been at the forefront of a digital revolution that has transformed global commerce, communication, and entertainment.” The award caps a big year for the research team. As we reported in this space previously, the pair won ACM’s 2004 A.M. Turing Award, which is often considered the Nobel Prize for computing:

Kahn and Cerf received the award along with 12 other winners at a White House ceremony on November 9. The winners are quite a diverse selection. Among the winners are Muhammad Ali, Alan Greenspan, General Richard B. Myers, Jack Nicklaus, and Frank Robinson. Following the ceremony, Cerf and Kahn participated in an interactive online forum — a full transcript is available at

The full White House announcement regarding the award is available here


Nov. 30 – December 4: ICANN meeting, Vancouver, Canada.

December 1: Deadline for submitting comments on the U.S. Copyright Office’s DMCA-mandated rulemaking on exempting certain classes of works from the prohibition against circumvention of technological measures that control access to copyrighted works.

December 3: “Regulating Search: A Symposium on Search Engines, Law, and Public Policy,” sponsored by the Yale Law School, New Haven, Conn.

December 6: Meeting of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, Washington, D.C.


USACM is the U.S. Public Policy Committee of the Association for Computing Machinery (ACM). ACM is widely recognized as the premier organization for computing professionals, delivering resources that advance the computing and IT disciplines, enable professional development, and promote policies and research that benefit society. ACM hosts the computing industry’s leading Digital Library and Guide to Computing Literature, and serves its 80,000 global members and the computing profession with journals and magazines, conferences, workshops, electronic forums, and its Career Resource Centre and Professional Development Centre. For more information about USACM and ACM, see


For earlier editions of the ACM Washington Update, see


To subscribe to ACM’s Washington Update newsletter, send an e-mail to with “subscribe WASHINGTON-UPDATE ‘First Name’ ‘Last Name’” (no quotes) in the body of the message.

To unsubscribe, simply include the “SIGNOFF WASHINGTON-UPDATE” command in an email to


Should you have questions, comments, or suggestions regarding this newsletter, public policy issues, or USACM activities, please contact the ACM’s Washington, D.C., Office of Public Policy by email at or by calling 202-659-9711.