Commercial Security on the National Information Infrastructure




Sunnyvale Community Center
550 East Remington Drive
Sunnyvale, California

The Hearing Panel

Assistant Secretary of Commerce and Commissioner of Patents and
Chair, Working Group on Intellectual Property, Information Infrastructure
Task Force

Chief, Information Policy/Technology Branch
Office of Management and Budget

EDventure Holdings, Inc.
Co-Chairman Mega-Project III, NII Advisory Council

President and Chief Executive Officer
Broadcast Music, Inc.
Member, NII Advisory Council

Staff Present:

Office of Legislation and International Affairs
U. S. Department of Commerce
Patent and Trademark Office


Intellectual Property Creators, Rights-Holders
and Users

Roger Schell
Senior Development Manager
Network Products Division
Novell, Inc.

Sandra Whisler
Assistant Director for Electronic Publishing
University of California Press

Pieter Bolman
Academic Press

David Leibowitz
Executive Vice President and General Counsel
Recording Industry Association of America

Al McPherson
Director of Technical Services
Warner Brothers Records

Mark Bunzel
Chief Executive Officer
AVTEX Interactive Solutions

Barbara Simons
Chair, U. S. Public Policy Committee
Association of Computing Machinery

Distributors and Technical Solution Providers

Jeffrey Sinsheimer
Director of Regulatory Affairs
California Cable Television Association

Josh Groves
Director of Current Awareness Products
Marketing Department
Dialog Information Services

Curt Schmucker
Manager, Tools and Environments
Apple Computer

William Ferguson
Vice President, Marketing and Sales
Semaphore Communications Corporation

William Sweet
Director of Marketing,
iPower Strategic Business Unit
National Semiconductor Corporation

William Krepick
Senior Vice President
MacroVision Corporation

Robert M. Rast
Vice President, HDTV Development
General Instrument Corporation

P R O C E E D I N G S (9:10 a.m.)

MR. LEHMAN: We are going to begin the hearing. Our sound system is not set up yet. Can everybody hear us in the back? We are going to start, even though the sound system is not set up. We are under quite a tight time deadline, so we are going to go ahead without it. It's a fairly small room and I assume it will be operative shortly. Our court reporter can hear us well enough to transcribe the proceedings.

Good morning, everybody, and welcome here to Sunnyvale.

Let me begin, on behalf of everybody involved in this panel, in the actual Information Infrastructure Task Force, by thanking the city of Sunnyvale for providing us with this facility today. I must say, Sunnyvale has always been more than happy to help us in the Clinton Administration on any of our needs to come out here and communicate with the high-tech community and Silicon Valley. We really appreciate that.

Before I explain what our hearing today is intending to cover, I should first explain, to anybody who doesn't know in the audience, who we are and how we came to be here.

First, my name is Bruce Lehman. I am the Assistant Secretary of Commerce and Commissioner of Patents and Trademarks. I also serve as chairman of the Working Group on Intellectual Property of the Information Infrastructure Task Force, which is set up by President Clinton, as part of the Information Infrastructure Task Force and chaired by the Secretary of Commerce, Ron Brown. The Working Group on Intellectual Property is studying the challenges the information superhighway will present for our intellectual property systems in the United States, and, really, in the world.

The Working Group on Intellectual Property Rights is a part of a larger working group Intellectual Infrastructure Security Issues Forum, which is chaired by Sally Katzen, who is Deputy Director of the OMB. Actually, she asked me if I would come out here and chair this hearing today, really, not just on behalf of the working group, but on behalf of the larger Information Policy Committee of the entire Information Infrastructure Task Force.

With us today is Bruce McConnell, who is Deputy to Sally Katzen at the OMB. We also will be joined shortly, I hope, by John Cooke, who is a member of the Advisory Council on the National Information Infrastructure Task Force. We also have Esther Dyson, from the Information Infrastructure Task Force, and Frances Preston, also with us.

This Forum is studying security issues that bridge the particular topics that are being dealt within all of the various working groups of the NII, particularly the Information and Security Working Group. We also have a parallel committee in the NII Advisory Council, Mega-Project III that Ms. Dyson and Mr. Cooke and Ms. Preston sit on. So, today, we are combining, really, the Working Groups of the NII Task Force, government officials with our private sector advisors here in this single hearing. What brings us together is our common interest in ensuring that intellectual property will be protected on the information superhighway. Without clear and effective protection at both legal and functional levels, the NII simply will not become commercially viable.

There are really two aspects to the issue of protecting intellectual property. One concerns the legal systems we have that create exclusive rights in intellectual property. The second is a more functional concern; and that is: the types of systems and technologies available to protect the physical embodiments of intellectual property, and they work hand in hand, the law and the techniques for physically securing the work. Today's hearing is designed to educate us as to the second of these perspectives. What we are seeking are perspectives on how products and services based on intellectual property will be protected on the NII.

Now, our hearing notice contains four aspects to this issue that we are particularly interested in gaining a perspective on. They are: First: What kind of products and services will be made available via the National Information Infrastructure?

Second: What capacity will users of the NII be given to view, hear, retrieve, reproduce, modify or further distribute products and services? Also, What commercial threats exist and must be addressed to provide products and services via the NII, particularly to unauthorized access to or theft of products or services; and integrity or confidentiality of information delivered or retrieved via the NII?

Finally, we want to look at what kinds of technical solutions currently exist or should be developed to address these security concerns? Now, we have been lucky in gaining the cooperation of the two panels of witnesses today who will provide us with insight from various industry and user perspectives. I want to thank the individuals, all who are at the other table here, for agreeing to participate, particularly in view of the short notice we gave them.

Before we turn to my colleagues here, for whatever statement they would like to make, I would like to summarize how today's hearings will be conducted.

First, we will convene the two panels of witnesses. The first panel is going to represent perspectives of intellectual property rights holders and users. Then, the second panel is going to provide the input from distributors and technical solution providers -- what I will call technical solutions providers. Each of the individuals, who will be working with us, has been asked to review the questions that were outlined in our Federal Register notice. They will be given an opportunity to comment on any or all of these questions.

Once all of these individuals have presented their opening remarks, I will invite members of the hearing board and the witness panels to ask questions. Hopefully, this will stimulate a discussion on this particular topic. Members of the audience who wish to ask questions or present remarks can do so, also, once the panels we've asked to come forward have finished their questioning of the witnesses.

Now, Michael O'Neil is sitting right here. Will you stand up, please, Michael? If you want to ask anything, right here in the front corner of the room, anybody who wants to ask questions, I'd appreciate it if you would touch bases with him because he will do it in an orderly manner. I would also like to thank Jeff Kushan of our staff, who worked on these hearings.

I just learned that John Cooke had to go back to Los Angeles. Undoubtedly Disney is buying either MCA or CBS, or somebody, so he won't be here today.

First, I'd like to, before we ask our first panel, when they do speak, I hope the panel, since we have a limited period of time, I would like to conclude by noon, if we could -- since a number of people have to get planes back to the East Coast from San Francisco Airport -- if we could get into the meat of the questions as soon as possible.

But, first, I certainly want to give my colleagues here the opportunity to make any introductory remarks that they would like to make. Ms. Preston, would you like to say something?

MS. PRESTON: Yes, thank you. I'm Frances Preston, and I'm president and CEO of Broadcast Music, Incorporated, better known as BMI.

It's a pleasure for me to be here today in Sunnyvale, and also to be a part of this morning's hearings. And of course, I've been reading about Silicon Valley for a long time, so it's been a pleasure for me to be here because not only can we hear the West Coast perspective on the NII, but a perspective from those whose technological advances are going to make the NII a reality.

I look forward to hearing of your plans for commercial and non-commercial uses on the NII and the GII and what type of intellectual property you anticipate traveling on the information superhighway. And since we've not finalized our security and privacy principles, it's important to hear what you believe will be required to protect your content. And, of course, I'm always honored to be here with the Honorable Bruce Lehman because his efforts and his dedication to this project have really been untiring and we're all very appreciative of that.

MR. LEHMAN: Thank you very much, Ms. Preston.

MS. DYSON: I'm delighted to be here. I just want to second everything that Frances said and hear what you have to say. Thank you very much.

MR. LEHMAN: All right. Finally, Bruce McConnell, Chief, Information Policy/Technology Branch of the Office of Management and Budget. And by the way, I want to say to everybody, the Office of Management and Budget might not mean very much to you, but they run Washington, D.C. They run the budget, they tell all the rest of us what to do, so I don't know if Bruce McConnell needs any more introduction than that.

MR. McCONNELL: Well, actually, the Congress also thinks they run Washington. But I just want to make two points briefly.

We really look forward -- this is the beginning of a series of hearings that we're going to conduct on the questions of security in the National Information Infrastructure, and we're hoping to learn as much concrete and specific information as we can about what the requirements are and also how those requirements might be met.

We're interested in all aspects of security, whether it be confidentiality, the integrity of the information or the reliability of the networks and systems. So we're going to be looking at that in all aspects, and in particular, today we're looking at what kinds of protections are needed for information that is intellectual property information. Later in the year, we're going to look at health information, for example. The other point I'd like to make is that the whole point of this exercise is to learn as much as possible what the industry and the public believe is important. And in particular, as we have learned in the Administration about the ongoing debate on the question of cryptography and the clipper ship, there needs to be more -- you know, we need to listen more to the public and the industry about what is needed and what the solutions are.

So I hope today we can hear some of that, and it's also my hope that we won't spend all day discussing cryptography policy because that certainly is something that's been debated and continues to be debated. But we want to hear about all the different kinds of solutions and techniques that are available and learn about the whole variety of things. So I look forward to the discussion.

MR. LEHMAN: Thanks very much, Bruce. Now I'll turn to the panel and remind them that we have set up for questions in our public notice and I mentioned some of them in my open statement, and maybe we should just introduce everybody in the panel first.

We have Roger Schell, Senior Development Manager, Network Products Division of Novell, Incorporated; Sandra Whisler, Assistant Director for Electronic Publishing at the University of California Press; Pieter Bolman, President of Academic Press; David Leibowitz, Executive Vice President and General Counsel of the Recording Industry Association of America; Al McPherson, Director of Technical Services for Warner Brothers Records; Mark Bunzel, Chief Executive Officer of AVTEX Interactive Solutions; and finally, Barbara Simons, Chair, U.S. Public Policy Committee of the Association of Computing Machinery. So, with that, why don't we start with Mr. Schell and we'll go right down the line here. And you can sort of help us with answering these questions that we have put in the Federal Register notice.








MR. SCHELL: Mr. Assistant Secretary, my name is Roger Schell. I'm Senior Development Manager for Information Security of the Network Products Division of Novell, Incorporated. Today I'm pleased to present this statement on behalf of the Business Software Alliance, BSA. BSA represents the leading U.S. software publishers, including Novell, Apple, Autodesk, Intergraph, Lotus, Microsoft and the Santa Cruz Operation.

Let me get right to the substance of this hearing: how to ensure that commercial products and services will be made available on the NII and the computer users will entrust storing and sending their personal and confidential information in electronic form.

As Assistant Secretary Lehman recognized in the draft report, intellectual property rights are critical to the success of the NII. Therefore, without successful protection of intellectual property and sensitive content, the NII simply will not succeed.

The ease of making perfect copies and the ability to distribute innumerable copies quickly over the network necessitate technological means of protecting intellectual property. In other words, the legal framework of intellectual property rights will work hand in glove with technology. Let me give two examples from a supplier and a user perspective.

First, if you think of the hardware as the muscle of the NII, it is the software that will serve as the brains. Software helps the user navigate the ocean of digital information. It is the software that actually pulls the information through the computer's switches and wires. This advancement of technology allows us, as software providers, to provide our products in a more efficient, effective manner.

We anticipate that software publishers will be able to offer products for sale over the network. However, to offer products in such a manner, they must be protected from deliberate efforts by both users and malicious software to obtain unauthorized copies.

Encryption and trusted computer systems are two technical solutions that work and are key to providing the protection so that only the buyers who have received the keys will be able to unscramble the products that we provide and that they have purchased. Intellectual property laws and technology work together to provide security.

Encryption, the technology, allows quick, secure delivery while intellectual property laws protect the owners from misappropriation of the product by the purchaser.

Next let me mention a second point of view, that of our customers. As you move to networks connecting offices around the world, new challenges arise to successfully distinguish and protect the various classes of key information.

For this worldwide network to grow and prosper, users must know that, one, information is not subject to theft or sabotage, and two, they can verify who the information is coming from and going to and what class of access they are authorized.

Today, businesses around the world are demanding such information protection and verification capability. Stronger security methods continue to be needed against hostile users and malicious software that will inevitably be present in this sort of worldwide network.

Unfortunately, today's U.S. government policies do not allow us as U.S. software publishers to offer strong encryption capabilities and high-assurance trusted computer systems worldwide. Without the trusted ability to provide strong encryption, intellectual property will be at risk on the NII and businesses simply will not use the infrastructure for transmitting and receiving the various distinct classes of sensitive information.

The draft report recognizes the need for security through technology when it explores possible amendments to define criminal and civil offenses for technical devices or computer programs to circumvent the security of the NII. The software industry is further encouraged by Vice President Gore's July letter which outlined the basis for a key escrow encryption system which would be exportable. We've begun discussions with the Administration regarding development of such a system, and BSA believes these discussions could be pivotal to addressing security of the NII and protection of intellectual property worldwide.

In closing, BSA members agree that trustworthy, strong security technologies are necessary to a flourishing NII. Strong encryption with trusted computer control is a proven technology. The ability to sell and use this technology on an international basis is necessary to the success of the NII.

Thank you for the opportunity to testify. I'll be happy to respond to any questions that you have.

MR. LEHMAN: Thanks. Maybe we can move right on into Ms. Whisler.

(Asides.)

MR. LEHMAN: Well, I think it would be better for everybody to get their views out on the table, don't you think, and then we'll have the dialogue.





MS. WHISLER: I'm Sandra Whisler. I'm the Assistant Director of the University of California Press for Electronic Publishing. We, like most university presses, and I think like scientific and technical publishers in general, are working on a wide range of pilot projects and really recognize electronic publishing over the Internet or over the NII as an essential part of our future.

We are looking forward to offering a full range of scholarly publishing over the NII. That's journals, monographs, books with wider interest, and we want these things to be available both in their wholes or in their parts, that someone might take a particular chapter or part of a chapter. This may include print, illustrations, audio, video. We really want to be able to take full advantage of what the technology has to offer.

In the short term, we'll be offering these projects by site license to libraries, although ultimately we want to be able to offer access directly to individuals. And it's important to remember that these individuals are for the most part humanities and social science scholars, and so they have a different sort of level of technological sophistication and equipment availability than physicists or chemists. And we struggle with that all the time.

We're looking for a full set of capacities to be available to these users. They need to be able to view, hear, retrieve, down load, save, print all of the things that they are going to bring to this as a set of expectations.

In addition, for libraries, they also need to be able to archive locally, to mount and distribute within their own communities, and possibly to fulfill Internet library loan requests over the NII, although there are still -- that makes me anxious every time I think about that, but that's a separate problem.

Individuals are going to want to be able to find things, to down load them, to make course packs. They're going to want to be able to combine partial pieces of the work from a variety of publishers into a single offering for their classrooms. And the implication of that really is that we need a copyright observance and metering software that will really make that possible. It isn't going to be feasible to do that if you've got to somehow get permission from every publisher separately. You know, you're just not going to do it any more than they do it Xeroxing now.

In terms of the commercial threats to access or theft, we really do need to be able to secure our sites so that we can limit access to approved customers who pay. We may be a non-profit publisher, but we must survive financially the same as people who get traded on the stock exchange. And in this time of decreasing subsidies in university budgets, that becomes even more important.

And so we can't do this -- I mean, even though our ultimate goal is to disseminate information, we can't do this if there isn't enough cost recovery coming back to make it feasible. And to do cost recovery, you've got to sell, and to sell, you've got to be able to restrict access. And so we're struggling with being able to restrict the access and at the same time be able to provide the information to customers who have a very wide range of software and hardware availabilities. And so a lot of the potential technical solutions we have, you know, they work just great on Spark stations but they don't do so well on, you know, Mac II's, and we really can't exclude our audience by the fanciness of our technical solutions.

Having said that, I'm not really worried about fire walls and serious encryption and some of those kinds of things. Anyone who wants to hack their way into the electronic version of 19th century literature is more or less welcome to do so. I think there aren't going to be a lot of those people. But nevertheless, we've got to be able to make it secure enough that it isn't just there for anyone for free.

I should say that that's, you know, I suspect that's sort of a humanities and social science publisher view and that if you talk to my colleagues in scientific and technical publishing, you know, their product is worth a lot more. It's a lot more competitive. You know, that would make some difference, I suspect.

All of these problems have got to be faced in a way that allows us to control copyright and to receive some reimbursement for those partial uses. You know, if we can't have some way of getting some remuneration for people using single chapters, the whole economic basis of scholarly publishing, which is really shaky right now anyway, will, I fear, go down the tubes. We're also really concerned about being able to validate our information and assure our users that what they receive is the authentic, correct, not messed-up version of the text. I think that in the long run, one of the things that's going to encourage people to buy scholarly information from scholarly publishers rather than taking it off the preprint servers or getting it from their friend down the hall or whatever is this guarantee that the information that they get is uncorrupted. You know, one assumes that a couple of times of standing up in front of their peers and quoting a text which is no longer a valid text will encourage people to do that, but that only works if we can in fact provide them with really valid information that we're sure has not been messed up.

The most important thing we need, though, is some way to get paid, and so we're very interested in the efforts being made to make it possible to give credit card numbers or to exchange cash in some way over the net. If that doesn't happen and if it doesn't happen in a way that's easy for the end user to use and easy for us to use, you know, as easy as credit cards, we're not going to be able to succeed in this. And so there isn't anything we can do about that. We can't sort of go in the business software development ourselves, but it's really essential that that happen. And I really hope it happens in three years, but we'll see. So that's something that really isn't directly related to publishing. It's not a publishing concern, and yet if that commercial financial aspect of trading over the NII is not solved, you know, we can't move forward.

So we're really looking for a way to restrict access to paying customers, an easy way for the customers to pay, a way for them to pay for parts of the whole, some kind of metering software, and a way to guarantee the authenticity of the information we provide. The other thing that I might add as just an aside is that we're really hoping for an open pipeline environment. We don't want the distributors to be, you know, deciding what information is appropriate both because we have First Amendment concerns and because, as the providers of content, it seems more appropriate to us that we should be in the content business as opposed to the pipeline providers.

MR. LEHMAN: All right. Thanks very much. Next, Mr. Bolman.




MR. BOLMAN: Thank you. My name is Pieter Bolman. I am the president of Academic Press, which, like Sandra's, is a not-for-profit organization. We are publishing scientific, technical and medical material both in terms of books, dictionaries, and especially journals. First of all, I would like to say that I would like to see the NII within the context of an international information structure. Science and technology and medical information is truly international. Our export, shall we say, outside the United States, is more than 50 percent. And if the NII is part of an international net, shall we say, then obviously we deal with the world rather than just the United States. And I think we need to emphasize that because that has obviously also a number of, amongst other things, security issues.

As I said, we want to make all our products that we do, that we currently publish available on the NII in some shape or form. I'd like to emphasize that especially for journal publishing, we are a bit of a funny breed in the sense that in journal publishing we are really what we could call the minute keepers of science. Scientists, the product of their labor, so to speak, is new information. If they do not get new information, if they don't produce new information, they are not very good scientists. And as a result, there is a sort of saying which is a bit perhaps unfriendly but it is certainly true in academic circles: publish or perish. If they do not publish, then they are not successful in their careers.

That means that we, in our behavior, very much dance along the author's cues. We want to make sure that we on the one hand make available their material as widely as possible, and in that sense authors have actually very little interest in restricting that access. At the same time, what we provide as publishers is a peer review system. We do not peer review ourselves, of course, because that's the scientist's peer, so to speak, but we make available that system for them. And from that, they get recognition. So the higher prestige a certain journal is, the more recognition that scientist gets from his peers and the more likely he is to advance in his career.

Now, that kind of system must be preserved. So whatever technology changes there are going to be, if that does not mean -- if that does not make it possible that that scientific information system is preserved, it won't work. In a way, we can say, therefore, that we do publish in our journals sworn statements of the scientist. They produce a lot of information beforehand, they talk to their colleagues, they send out preprints, and all of that is chatter, so to speak. Once they are accepted in a journal, that is the actual official statement that has been added to the archives.

That means that if we are going to be on the NII, then we need to be able to at all times offer our readers these sworn statements. Therefore, it should not be changed. It's the only article that is the true one, is the one that has been published officially in one of our or anybody else's journals, for that matter. So authentication of the information on the network is extremely important. The reader needs to know what the official contribution of the scientist is.

The scientist himself also is very worried about this because if his name or her name does not appear together with the title of the journal, i.e., the company he kept, then he will not get credit for the information he produced. We wish, therefore, to be able to permit our different users, also scientists but now readers, very different kinds of use. They need to be able to browse. They need to be able to print. They need to be able to down load, et cetera, while always preserving the authenticity, shall we say, of the article.

We want to be able to charge different prices to different users, and for different users there's a lot of ways that scientists take or use their information and hardly ever does, for instance, a scientist read an article in full, especially not if there is a lot of complicated physics or biology or mathematics involved. There's no way that a person can read it off the screen or just in one go.

The threats we see, therefore, is first of all the international one, as I said earlier. We, as all publishers, have the piracy threats of the moment in the old technology. That kind of thing becomes, of course, very much easier, especially in countries where the copyright laws are not so strict as they are in the U.S. and in Europe.

We want to be able to -- so we are afraid that that kind of thing can happen unless there is a sufficient safeguard. We also are afraid of on the one hand lack of privacy. Although Sandra talked about metering software, which we think is important, we have to remember also that, especially sometimes in the pharmaceutical companies for whom we publish a lot of material, they do not want anybody else to know what kind of articles they read or study. So on the one hand, yes, we would like to know what indeed our users are using. On the other hand, there should be a safeguard that certain classes of users certainly will not be making it known what indeed they are using.

I think that is actually most of it, but the most important thing that I need to say that distinguishes, I guess, our kind of publishing from other publishing that is, you know, the publishing of books and encyclopedias, which is very similar to any other publishing.

MR. LEHMAN: Thank you very much.




MR. LEIBOWITZ: Thank you very much. My name is David Leibowitz. I'm Executive Vice President and General Counsel for the Recording Industry Association today, and I thank Commissioner Lehman and the members of the hearing board for the opportunity for me to appear here today along with my colleague, Al McPherson, to discuss the recording industry's perspective to the issues of privacy and security. The Recording Industry Association of America represents America's record companies. Our members create, manufacture or distribute over 90 percent of all legitimate sound recordings in the U.S. We have both large and small members and our industry sees both opportunities and challenges posed by the National Information Infrastructure. Let me first discuss some of the opportunities that we see emerging from it, and in fact some of them are already in an experimental stage today.

First, the NII provides a new means for our companies to reach out to their current customers, to provide them the sound recordings and with other information relating to them. It also is a means to attract new customers, those that don't like to go shop in stores or perhaps don't like to even dial an 800 number when you see those ads on television for particular works. It also could provide additional information to the interactive capability about the artists, perhaps even dialogue with them. And as I said, there already have been experiments under way. Al will be referring to those relating to Warner, but one that you might be aware of is an experiment that Geffen Records and the group Aerosmith have had with CompuServe where they allowed the down loading of one of their songs, in fact one that was not previously released for sale, to interested CompuServe subscribers. And for a while they had waived their royalty charges on it, although I don't believe CompuServe had waived their charges. At the same time with these opportunities that it does create both for the consumers and for our industry, there are many challenges that we see. I will not delve into the intellectual property issues that are being considered by the Advisory Council other than to commend Commissioner Lehman and the Intellectual Property Task Force for their work on that area, and we will have to see how continued progress can be made.

But the fact of the matter is that there has to be a seamless web of protection for sound recordings and all other works of intellectual property to make sure that the NII environment works both for the creators and for the users. We have seen already in our industry various instances where bulletin boards, both commercial and non-commercial, might have either entire sound recordings or snippets of sound recordings as well as the cover art and other graphics associated with those recordings on their bulletin boards and available for others to retrieve without the authorization or permission of the copyright owners or the other creators involved in those products. We've even seen instances where one of the commercial bulletin board services has actually encouraged that activity by giving credits of time charges for the amount of uploading into the system by individuals of particular works. That is something that obviously troubles us a great deal. We have a very active anti-piracy unit that has so far just dealt with physical product distribution, but we are actively looking at this area. And it troubles us and we hope to seek solutions both for the legal environment as well as the technical means.

Further to the technical means, I want to identify a number of the features that we feel are going to be essential for the NII to operate with respect to commercial transactions. First, there is going to be a need to have identification of each work as well as the copyright status of that work. That will be useful both for the copyright owners as well as for the bulletin board services and other on-line services so they could identify that a work is protected by copyright and perhaps should not be allowing the unfettered dissemination of that.

We have in our industry developed the International Standard Recording Code, which is a unique code for each and every track of each and every sound recording, at least with respect to those that are being -- will be released in the future, to basically serve as a license plate for that recording on the information superhighway. As some of you know, there is also a system called the Serial Copy Management System that was a byproduct of the Audio Home Recording Act, which under that system requires the sound recording copyright owner to put into their work both the copyright status as well as the generation status of that work. And we think that will be very useful as part of this copyright management system.

I would like to add in that regard, however, that because of the ubiquitous nature of the information superhighway and the equipment used on that, it may well be appropriate to have the equipment react differently to that SCMS information than, for example, digital audio recording devices used today. We also need to have technical limits set and with the flexibility that a copyright owner and the creator determine those technical limits to either allow performance or display of the work and only performance or display, or to allow copying, and if copying, whether it's a single copy or to allow multiple copying of that work, as well as to determine whether or not that work, once copied, once deciphered if it was encrypted, can be further transmitted.

And that information that I've talked about for both the limits on the types of uses and the copyright information and the identification information must be sufficiently robust that it can be retained and transmitted and retained with the work even through various data compression systems that may be in use. We also have to ensure that there are means to protect against the manipulation of the work and to indicate the authenticity, which has certainly already been talked about and perhaps authenticity is even more important with scientific and medical materials than entertainment work, which is what our industry produces. But nevertheless, I think the customers want to know that they are receiving the genuine product and authenticity, I think, will be still desirable in that area, as well as having means to track the usage and providing pricing information and means for payments of the various types of uses that can occur on the information superhighway.

And in that regard, I think it's not just the ability of the copyright owner to identify and include that information, but the computers and other equipment must be configured to react to both those information elements as well as the technical restrictions that are built into it. And I'll be happy to, and in fact look forward to a pertinent discussion of these issues in a few moments. Thank you.

MR. LEHMAN: Great. Should we move on to Mr. McPherson, then.



MR. McPHERSON: Thank you. My name is Al McPherson, Director of Technical Services, Warner Brothers Records. We are utilizing some aspects of what would be the NII, the Internet, AOL, CompuServe and a few other formats. And things that we're currently doing are supplying audio and video samples that people can use for promotional purposes and things like that. These are things that are currently happening today, and we plan to expand those in the future because we see this as a very strong adjunct to our current marketing strategies. Some of the things that we see in the future are catalogues of our products and other merchandise relative to the types of materials that we sell. And ordering is obviously something that is very important to us so that we don't miss that side of it. We also are currently, as are a few other companies, developing systems where people can get on line and talk to the artists on a daily or weekly show, so that they can actually interact with some of these artists and get information that they may not be able to get at this point in time.

The modification to intellectual property from our standpoint is very critical to us. The artists do not want their product modified in any way normally, and the area that that gets into play is normally in the educational environment where somebody is learning to play an instrument or do something, write music. They need the right to control what they're changing. However, as a content provider, we want the ability to control when they have the right to make modifications. So if there is a product that is intended for modifications, that can be done, and if it's not, it gets transmitted in its entirety and is not modifiable. But you can view it and do what you want with it.

Some of the commercial threats that we're very worried about is the unauthorized access to our products. And something that becomes a fairly integral part of this is somebody downloads a piece of software from us and makes a legitimate copy of it. They can then pass that copy on to a friend. And maybe that friend is in Columbus, Ohio. He may be in Sweden. But that can be done. We're very concerned that after we've made a legitimate copy, that it's not propagated around the network in a way that we have no control over.

As far as technical solutions, there are a few things that we have currently running. David alluded to one thing called SCMS. That information, which includes the ISRC information which defines the owners, is very important to us that all that integrity be maintained with each track that would be sent out. And that could be expanded to video, which all of us are now involved in.

There are also other methods that have been developed which essentially apply a signature to the body of the work, both in the audio area and in the video area. And it's important that that information be traveled along with the product so that it doesn't get separated. So it's very important that we maintain the integrity of the data that we are sending.

And I think I'll let that go at that and maybe address some of these more specifically later.

Thank you very much.

MR. LEHMAN: Thank you. Mr. Bunzel.




MR. BUNZEL: Good morning. My name is Mark Bunzel. I'm the CEO and Creative Director of AVTEX Interactive Media, a 15-person multi-media production company located here in Silicon Valley. We produce multi-media CD-ROM products for the children's education and entertainment markets, sports instruction and improvement and multi-media adventure games market, so we have a great deal of interest in this particular subject. But today, I'm here participating in this hearing as a member of the Board of Directors of the Interactive Multi-Media Association and as co-chairman of the IMA's Intellectual Property Committee. As background, the IMA is a trade organization headquartered in Washington. Our membership of over 300 companies represents the capture, development, transmission and distribution and the display of multi-media information. We represent a very interesting cross-section of interests that are critical to building a robust multi-media industry, including many of the companies that are represented here today.

Even though the business interests of all the IMA members are often varied, and I can assure you, sometimes very conflicting, all of us share a vital interest in the protection of the multi-media information which is the economic lifeblood of all of us participating in the products and services that are expected to be part of the information infrastructure. We want to point out today that there are differences in the shape and structure of multi-media products and services between the consumer and business markets that will be very large, and some of them have been illustrated with the other panelists. We also want to point out that there will be significant differences between on-line or connected services, the information highway, and shrink-wrap retail products. Yet we want to point out that they transmit similar types and, in theory, very often the very same multi-media content.

The IMA is concerned that while the protection of multi-media content to owners is critically important to the growth and success of the new information markets, great care must be taken to examine the differences as well as the common elements of each component of the information highway. I think the other speakers have brought this up. We believe that perhaps crafting approaches that are narrowly suitable to specific industry participants may be -- as they are not unrealistically burdensome to others. One example of this that we are tracking very, very carefully is the release of the next generation of CD-ROM players. Probably next year, users will be able to purchase -- and we've seen this coming in from off-shore companies -- economical CD-ROM players at today's prices that you can buy, capable of recording data, which means that you can now, the same as the videotape industry faced, on a low-cost, probably about $15, write-once-only CD-ROM, looking very much like this (indicating). This disk will be able to hold a tremendous amount of data because it will have eight times the capacity. And to put that into perspective, that will be five Gigabytes or enough to hold several hours of very high-quality video, hundreds of thousands of color pictures, and millions of pages of text. Over the next two years, this technology will also be recordable so that a user can erase and re-record over their disks. This wonderful technological advancement offers terrific economic possibilities, but it's also going to represent a new level of complexity of protecting the rights of the rightful intellectual property holders in all media: traditional, such as books, as we've talked; new media, and even information delivered electronically which can be downloaded once and stored onto a disk like this rather than just viewed and then erased from the system's memory.

We don't believe that control is the ultimate answer. Some classes and types of multi-media can benefit from limited distribution to responsible users who want to communicate, for example, in a limited capacity in a corporate presentation or to illustrate an educational concept in our schools, but yet still provide a reasonable economic benefit to the appropriate rights holder.

For example, when the recording industry faced similar issues and concerns with the emergence of DAT, the Digital Audio recording Tape technology, the entertainment and consumer electronics industries crafted legislation for the digital audio recording technology, or the DART legislation, that would provide the mechanism for an economic benefit for the musical artists and rights holders from the sale of blank DAT recording audio tapes.

The computer industry at that time worked very hard to make sure this legislation did not extend to the computer software and hardware industries. Basically, we don't have the benefit of clearinghouses such as BMI and ASCAP. The DART legislation may have worked well and may be working well for an inclusive body of music in the audio industry. We do not believe it will work well for a compilation of several media program or offered together into a multi-media program delivered either electronically or through high-capacity CD-ROM. In essence, we're pointing out that we believe that the information infrastructure is not just the electronic highway but high-capacity media such as that and others.

In summary, the IMA believes the protection of multi-media information is vitally important to the growth and development of this industry. We caution that there is no one-size-fits-all approach to this industry. The IMA is now actively involved with the analysis of the various segments of its membership, seeking to understand the requirements, limitations and realities of the various distribution systems that are likely to become a part of the fabric of the NII. And sessions like this are very helpful in providing information into our group to assist us in understanding the industry's needs. Specifically, we are distinguishing between stand-alone media and connected or wired services, and within the on-line community, we are clarifying the various service types. The IMA intends to eliminate the technical, economic and political issues surrounding copyright protection of new media-based services. We view this as a critical step to forming the right solutions and look forward to sharing this information with you as it develops. Thank you.

MR. LEHMAN: Thank you very much.

Finally, Ms. Simons.


MS. SIMONS: Thank you for the opportunity to speak with you today. As a representative of the computing profession, I particularly welcome the opportunity to discuss the development of the NII with the Advisory Committee. I am here today on behalf of U.S. ACM, the Association for Computing Machinery's Committee on U.S. Public Policy. ACM is a non-profit educational and scientific society dedicated to the development and use of information technology and to addressing the impact information technology has on the world's major social challenges. The 85,000 members of ACM are an outstanding resource of information, and we will be very pleased to assist in any way that we can.

The ACM committee that I chair is particularly interested in policy and social issues involving network policy, including encryption, privacy, access issues and computers in education. I have brought with me several documents and I have left copies of most of them on the table in the back that are related to these issues, including an article I wrote listing questions about the NII and ACM and U.S. ACM's statements on privacy, access and the escrow encryption standard.

I have also brought a copy of our in-depth study of encryption policy in the U.S. entitled "Codes, Keys and Conflicts: Issues in U.S. Crypto Policy." Incidentally, ACM is distributing this study free of charge on the net. I would like to say that it's a best-seller, but because copies are available on several sites on the net, I really have no idea of how many people have downloaded copies.

I started using the net in the late '70s while I was still a graduate student at U.C. Berkeley, and I could not function without it. I had used the net for such dissimilar activities as writing papers and running the U.S. ACM. As an aside, even I have not met all the members of my committee. Nonetheless, we function very effectively using the Internet as our source of communication.

While I'm not quite an old-timer in the field, I've been around long enough to witness the extraordinary computer-based revolution that has changed how we store and manipulate information. This revolution has made it possible for me to accomplish a great deal more than I could have without this wonderful technology.

But at the same time, the revolution has created significant problems for industry, and we've been hearing about some of those problems this morning. A digitally stored document or program can be disseminated for very little or no cost either by shipping it over the net or by downloading it onto a floppy or maybe one of these CD-ROM's and giving it to a friend or sending it off in the mail.

Consequently, we are faced with a series of questions. Two in particular are: One, can we protect digitally stored intellectual property using technology, financial disincentives, new approaches and the law? And two, what are the trade-offs to using these different approaches?

It is not possible in the small amount of time that I have available to me to discuss any of these questions in detail, so I shall state my views very briefly.

There are a variety of technical approaches for protecting intellectual property that one can contemplate, and we've heard them touched on briefly today. While it's impossible to develop a technology that is absolutely fool-proof, I mean, you just can't do it, still there are people working on technologies using, for example, encryption that are likely to discourage the vast majority of people from stealing intellectual property.

An analogy can be made to the book publishing industry. Photocopy machines can be used to copy books, but most people don't borrow a book and stand by the copy machine and copy the whole thing. And similarly, you can have technologies which will discourage people from doing that same sort of thing with software or other forms of intellectual property.

The second point is financial disincentives. The idea behind financial disincentives is that the cost of obtaining information should not make it worth one's while to copy and distribute protected information. An efficient and inexpensive automatic billing mechanism which has already been referred to this morning on the net could be used to process transactions that cost only a few cents or even a few dollars. If the costs are sufficiently low to obtain a copy legitimately, I'm unlikely to distribute my copy to my friends.

There's, of course, material for this approach that would not be suitable, namely, things that are very, very expensive, but cheap access could be at least a partial solution that could be used in conjunction with other technologies. There's also the idea of new approaches. An interesting example of this is something that happened in India to the satellite cable company called STAR. People started buying satellite dishes for receiving STAR and illegally selling the transmission to apartment house complexes. STAR's reaction was not to go after all of these illegal small entrepreneurs, but rather to make everything free and then to turn around to the business community and say, "Look at all the people we have receiving our transmission. How would you like to buy advertising time?" And that's what they've done. It's all free now. The small entrepreneurs still sell the transmission to the apartment buildings and the cable company carries advertising.

I'm not an expert on legal issues and I do not intend to speak directly about them or about the recently issued report on intellectual property rights. However, I am concerned that the law might be used as a blunt tool out of frustration for the lack of guarantees that we have with other methods. We need to be very careful that we don't make laws that are routinely violated both because of the selective enforcement aspects of such laws and because of the contempt for the law that is engendered by laws that are by and large unenforcible. I have mentioned trade-offs to various approaches. We have to keep in mind that there are other important goals in addition to that of protecting intellectual property. In particular, there is the larger goal of promoting public access and use of the Internet and other forms of communication like that. By copyright generally, this goal also raises questions about crafting incentives that serve public interest. Much of the development on the Internet has taken place without commercial incentive. This is not to suggest that commercial incentive should be discouraged. Rather, it is to remind the Advisory Committee that there are other important incentives for Internet users that should be preserved.

For example, there is within the user community a strong belief in sharing information and ideas as much as possible, except of course where there are specific business restrictions. Many of the standards on the Internet evolved in an open, non-proprietary way. Even the popular program Mosaic has spread around the network without cost to users.

The computer science community favors sharing because it promotes innovation, cooperation and the development of good ideas. This is a spirit that you should be careful to preserve as the development of a national network moves forward.

Commercial applications of the Internet should be welcomed and encouraged, but so too should the continued growth of open and accessible networks that reach corners of our community that might otherwise be ignored. Clearly, access to the Internet alone will not solve many problems in our country. However, if we erect barriers between communities, we will move further away from the goal of a technically literate, well-trained work force.

The Constitution speaks of copyright in the context of promoting, quote, "the progress of science and useful arts," unquote. The computer science profession has already made many contributions to this spirit. We hope that the IITF Advisory Committee will continue to encourage such efforts. Thank you.

MR. LEHMAN: Thank you very much, Ms. Simons. At this point, we're going to start having a dialogue with members on our side here and even among members of the panel themselves. So I'd like to first defer to my colleagues here if you have some specific questions of any of the panelists.

Bruce, do you want to start?

MR. McCONNELL: Sure. Thank you very much, Bruce. I would like to. I have a number of questions which came up as a result of this. Just kind of going down the list here, starting with you, Roger. You mentioned the idea that one way of handling the distribution of unauthorized copies would be to encrypt the product and then sell the keys to individual users.

Is that something that's contemplated now with existing software products, and how successful do you think that would be in promoting the -- sort of if you could explain a little bit of exactly how that would work and whether it would do anything for the subsequent redistribution and how it sort of fits in with the marketing strategy of software vendors today.

MR. SCHELL: I think that there's some similarities with our current paradigm for licensing products. Several manufacturers distribute as common a product as a CD-ROM, for example, that has the ability to offer a license to maybe five users or 40 users at a very different price. And what is actually sold is the license that enables them to use this very same body of software but use it for a given number of users or other sort of authorized use.

I think the encryption is just an extension of that same licensing notion which allows us to provide the material using the technology and yet get the financial remuneration of selling it based on how it's actually used. And encryption just provides some protection against the kind of malicious software, which I think is the problem more than the hackers trying to hack into it on an individual basis. That does not protect against sort of the lone individual hacker, as has been noted.

But it does provide probably effective protection today against the entrepreneur who would take on a mass basis the software and resell it.

MR. McCONNELL: Okay.

MS. DYSON: Just to follow up, talk a little bit about the notion, and then you have a trusted computer system afterwards, so that I assume that means that you're controlling the use or monitoring the use and doing some kind of potentially either metering or at least controlling through the copies?

MR. SCHELL: The role of the computer system in the encryption I think has sometimes been overlooked. Consider the problem that you want to have an authorization for a credit card use and you have some encryption technology that you see on your screen, something that says I'm going to authorize a $100 purchase. But what actually gets sent out on the wire may be an authorization for a $1,000 purchase.

Now, the question is, if you don't have a trusted computer system, you have no way of knowing what actually went out. And furthermore, you can rather easily deny at a later point in time that you ever actually authorized that because you said, well, I don't know all the software that was here. Our products today typically have literally millions of instructions that are there. We don't know what's in them. We have no hope in terms of the technology of being able to identify or find malicious software.

What we can do is, with the trusted systems, we can establish a perimeter where we can limit how much it is we have to trust. And we can have a path directly to the user so that we can hold the user accountable for his decisions of, say, authorizing $100 or $1,000 kind of purchase.

Those are some of the things that I was referring to that have to have both the trusted systems and the cryptography together. You can't take either one and address this need.

MR. McCONNELL: On the trusted systems, you mentioned that in addition to the export controls on cryptography, there are also export controls that limit the ability of exported trusted systems. What specifically is the limitation there?

MR. SCHELL: One of the means of judging the trustworthiness of a system is the evaluation that is done by the National Computer Security Center. They provide essentially six different levels, and towards the middle of that level is a category they call Class B-II.

The regulations today prohibit the direct commodity sale of systems that are above Class B-II, yet it is exactly those systems which can provide the kind of effective protection that we're talking about. And that's a specific prohibition in the regulations today.

MR. McCONNELL: Is that regulated on a munitions list or --

MR. SCHELL: Yes, it is.

MR. McCONNELL: Has there been any study of foreign availability of this class of computer above B-II?

MR. SCHELL: I don't know of any systematic study. I believe that in this area, we're beginning to see an emerging demand, and so I wouldn't expect today a large availability. But the existence of those kind of restrictive policies tend to discourage U.S. manufacturers from producing those. And there's no doubt that the U.S. is a technology leader, and if we're discouraged, others will not likely go and meet that need either.

MR. LEHMAN: Ms. Preston, do you --

MS. PRESTON: Not of Mr. Schell.

MR. LEHMAN: In the FCC, we have a -- just to follow up on this point -- for years has certified receiving equipment, that someone is meeting certain standards and so on and so forth.


MR. LEHMAN: Do you think that either they or some other entity ought to have that kind of regulatory authority to deal with these issues?

MR. SCHELL: I think, as an industry, we do not look so much to regulatory authority but as a service that can be provided, the ability to rate a system such as the National Computer Security Center does, and to distinguish a Class C from a Class B-III system, for example, is a valuable service to a customer.

I think that it should be left to the industry to decide how to use those ratings. Once there's an objective rating, if I'm going to accept an electronic credit card from somebody for a purchase, I might choose to essentially have a grade on the data -- on the digital signature. And I'd say, well, you have to have a grade B-II signature before I will accept a purchase of more than $1,000, for example. And that does not require any sort of regulation but does benefit very much from the existence of an objective evaluation which the government can uniquely do.

I think another unique role the government can serve in that evaluation is uncoupling the liability aspects, which is very important.

MR. LEHMAN: Could you elaborate on that.

MR. SCHELL: If a given vendor asserts that their product provides a certain level of protection and they do that on their own behalf, they are then potentially liable for a mistake which they may have made in a non-malicious way.

On the other hand, if the government has provided an evaluation and has published a rating just as in some sense we do with things like Underwriter Labs and other things in terms of the FCC Class A, Class B that I think you were referring to in terms of emanations, the individual supplier is not really responsible for the evaluation that is rendered. He's responsible for providing the information so that the judgment can be made, and the government can, without really liability, say this is rated at this level in our belief based on this evidence, and they hopefully publish the basis for arriving at that.

This then allows the customers to have the benefit of knowing how good it is, whether it's a cryptographic algorithm or whether it's a trusted system, without the vendor having to be liable for having made those claims, which might discourage him from actually giving the information that the customers need.

MS. DYSON: This is sort of pushing towards policy, but are there any studies of how consumers react to their use of software being monitored to -- you know, if they're notified you're now being charged $2 a minute to do this? What's the reaction to emotional notion of renting the use in reality as opposed to purchasing the software even if you're only purchasing a license?

MR. SCHELL: I think that that area has not matured completely, and I don't know of any systematic studies. However, within the industry, there are active efforts today to provide the licensing means on a group basis so that you might have a network, for example, which might have hundreds of users but which you could license some smaller number of, say, ten copies at a time that would be accessible. And those kind of licensing capabilities and license servers, as they're sometimes called, are being actively worked on. And the belief is that that's an acceptable means to users for paying for the services that are provided.

MR. LEHMAN: Ms. Preston, you had a question of another member of the panel?

MS. PRESTON: Yes, for Sandra. I was glad to hear that you recognize the right to compensate creators and copyright owners. But I would like to ask you about a related matter, and that is control.

Do you believe that the creator or the owner has the right not to grant access to his work? And if so, how do you see that we might technologically prevent access?

MS. WHISLER: Well, I think we have to think of that in the context of the way things work in the print work. In scholarly publishing, we basically almost always take the copyright and we administer the copyright as the publisher, and we do not by and large pay the scholars. It's just the whole -- the whole enterprise of scholarly publishing is based on a huge amount of sort of free volunteer contribution to the greater good at the level of the creators and even at the level of the editors.

So I'm not convinced that there's enough money in the system to change that in the electronic world, unless it turns out that there is just bezillions of more uses because of ease of access. And it's certainly too early to say that. At the same time, I think we're already coming up against this problem in the licensing arrangements we're signing with secondary publishers like, you know, Magazine Index and University Microfilms and people who are providing compilations of material now. And it's really a problem because there are articles that we do not have the rights on, and there isn't right now a systematic way of being able to flag those.

And it would be great in this metering software that I'm still wishing for, and so I can put all sorts of functions in it since I'm just wishing for it, that there certainly needs to be some way there to sort of say these articles are not available, you know, you can't do that. Right now, it works very imperfectly.

MS. PRESTON: You mentioned a partial use of an author's work to be copied and made part of a larger work. Should an author have this right that he does not want any of his work to be separated from the whole and to be made a part of another work, and how do you prevent it with the technology that we have today?

MS. WHISLER: I think that -- does the author have that right? Boy, I don't know. Again, that's not a right we recognize now in the print world. If someone contacts us directly to use a single chapter from a book in a course pack, or indeed we license to the Copyright Clearance Center and we don't even find out about it until, you know, a year later when they pay us, that happens now.

What I think happens now also is that there is a lot of use of individual chapters that is essentially invisible. If someone goes to the library and reads a single out of a book, nobody ever knows about that. And so, you know, this technology offers us a chance to start making that kind of use visible.

You know, I think you have to remember that scholarly publishing is in incredibly dire financial circumstances because of the collapse of the library budget, that, you know, a book that sold 1,500 copies 15 years ago now sells 500 copies. And the number is going down, down, down, down. And so those things are already -- you know, a commercial publisher would not be publishing those things now. We're already losing money on those books. And so having some tiny avenue of bringing some money back in from partial uses, it's not as if we're getting rich. We're just sort of hoping to be able to continue providing access.

MR. LEHMAN: Do you think that the existing technology of photocopying has affected that, that the capacity of photocopying the scholarly articles has resulted in the -- obviously, all publications are --

MS. WHISLER: I think that's certainly been --

MR. LEHMAN: -- money pressure, but then they have another outlet. They can sell, well, we don't have to buy the book. We'll spend it on a new room or something in the library instead because we can -- you know, we don't need as many books because we can photocopy.

MS. WHISLER: That's certainly a factor. And I think it gets to be more a factor as scholarship becomes more interdisciplinary. You end up with more works which have only parts of them that are of interest to particular people. So the books are getting more expensive, there's less in the book that a particular scholar wants, and it's easy to Xerox. And all of those things come together in a nasty way.

MR. LEHMAN: Well, this gets back a little bit to the point that Ms. Simons made earlier that actually the capacity of the technology to provide for economic transactions in the use of the work does not necessarily imply less access, it seems to me, because what you have is a market at work. In theory, the market can result in wider use but at lower per cost uses.

MS. WHISLER: That's right.

MR. LEHMAN: And therefore, you know, more people have it available, but at the same time there's a mechanism for small monetary transactions that will support a group like yours, academic publishers.

MS. WHISLER: That's right, we hope.

MS. PRESTON: You talked about user friendly a while ago. Collective licensing may act as a clearinghouse. Do you believe that such a methodology would be user friendly?

MS. WHISLER: Well, it all depends on, you know, how ubiquitous it is and how easy it is. I mean, if you ended up with something like BMI, that would be terrific. I mean, the office would like that, we'd like that, everyone would be happy. I think that's a formidable task, to create that now as opposed to having created it back when.

And I also feel there's a lot more authors than there are recorded musicians in the world, I think, and keeping track of all of those people and being able to manage that in a centralized thing, I mean, it's one of those things that's theoretically possible but I would be really surprised if it happened. I don't see where the organizational will in the society is going to come from to mount that massive --

MR. LEHMAN: Well, you already have the CCC. You have the Copyright Clearance Center.

MS. WHISLER: If it doesn't work any better than CCC, it won't work.

MR. LEHMAN: Well, that is, in effect, a collective licensing society --

MS. WHISLER: Yes, right.

MR. LEHMAN: -- already.

MS. WHISLER: But that's not going to creators. That's going to publishers. And to make that next step so that you're actually recompensating the actual creators through that centralized task is a big task.

MR. LEHMAN: I just want to put a footnote in here just to make it clear about this issue of authors' rights vis-a-vis a publisher. Obviously, when your publisher comes to you -- when your author comes to you, you have standard agreements that are signed which in your case would provide, generally speaking, for the ceding of most of the rights to the publisher. So obviously as you move into these new technologies, the authors' rights and your rights are obviously going to initially be determined by these agreements which probably ought to be revisited in view of this potential new technology.

MS. WHISLER: That's right.

MR. LEHMAN: And obviously, the nature of those licensing agreements right now, the kind of deal that you sign with an author, is considerably different than what Simon and Schuster signs when they pay somebody, you know, a $500,000 advance and do a major trade book deal.

MS. WHISLER: That's right. This is a field that's really in a lot of flux right now because the library community and the university administration community are both pushing to get the faculty to insist on maintaining their rights as a solution to -- they think a solution to the hegemony of the European scientific publishers' control over scientific information. And so we're in a sense in a situation where the sort of usual way of doing things is really up for grabs in our world. And so even though that's the way it works, I don't know if that's the way it's going to keep working.

MS. DYSON: But I guess the fundamental point is right now that the authors actually -- and this is especially, as Mr. Bolman said as well -- the authors are looking more for prestige recognition, a rise in salary rather than direct compensation for the property they produce.

MS. WHISLER: That's right.

MR. LEHMAN: But those are -- I think it's important to understand those are academic authors that you're referring to largely, or scientific and technical. The two of you basically represent scientific and technical publishing and basically these are people that look to their university salary or maybe their consulting deal with, you know, a local Silicon Valley company or whatever for their primary needs of compensation.

MS. WHISLER: That's right.

MR. LEHMAN: As opposed to the people that Ms. Preston represents, for example, who look to the royalty check that they receive the exploitation of a copyright as their primary means of compensation.

MS. WHISLER: That's right.

MR. McCONNELL: Continuing on your point about the copyright observance and metering software, have you or have the presses or are you aware of any systematic attempt to at least list what all the features are that -- as you say, it's easy since it doesn't exist as a commercial product at the moment, but is there a list of what the requirements are for all those things in any detail that you're aware of?

MS. WHISLER: Not that I know of that's coming from the publishers. We're watching very carefully the Netville experiment at Carnegie Mellon, which is I think going to -- you know, it's 90 percent of the way to actually being a usable thing. It's a little too library based right now. It's assuming that the effective owners of the right and the people who will be recompensed are the libraries and that doesn't quite work.

But it's really easy to imagine that model pushing to the next step. That would be an interesting task to take before AAP and to ask them to work on that.

MR. McCONNELL: We would encourage you to do that, then.

MS. DYSON: I'd actually like to say something sort of as a witness in the sense that I publish a newsletter and I am now -- it's now available on line through Information Access Company. And the way we're compensated is, I believe, we get a check based on -- they get total sales for the disk or for electronic access, and then they look at what percentage of the total number of bytes my newsletter is. And so they assume that everything on that service is accessed at the same rate and they give me a teeny-weeny percentage of it.

Since I don't really take this all really seriously yet anyway, I'm not terribly exercised about it. But I could imagine in the future feeling very strongly that I would like to know, you know, whether my newsletter is looked at more often than other stuff. And so I'm still dealing with whether I believe in this concept at all, but if I do, I would certainly like much better metering procedures in order to know how much my stuff is seen as opposed to somebody else's. And that certainly doesn't cover the copies that are made of it once it gets downloaded the first time.

MS. WHISLER: You know, I think that price model comes out of the CD-ROM world and for lack of any better model, that's sort of what they're using now. But I don't think it works once you get real metering software.

MR. LEHMAN: This gets to the issue of the differences between different uses and different industries that are reflected here. I mean, the record industry is vastly different from academic publishing, newsletter publishing and so on. And even within something like newsletter publishing, there are different kinds of angles and different kinds of newsletters and ways that people market and receive their compensation and so on.

So one of the questions I would like to sort of ask anybody on the panel that wants to respond is: Is there a common base line of features that we see, or are we going to see ultimately considerably different mechanisms in different industries? For example, maybe blanket licensing for some things, on the other hand high levels of encryption for others and strict metering? And is there, as a matter of policy, any role for anything other than the marketplace, for the government in creating those different standards?

Yes, Ms. Simons?

MS. SIMONS: Well, actually, I have a comment I'd like to make about this metering discussion. Of course, it's something I was advocating in my statement, but I also want to point out that there are policy issues related to that, namely, who owns the information about who is getting -- who is subscribing to what. And as our life moves more and more onto the net, as it becomes more and more electronic, I think the issues of privacy protection become increasingly important.

I personally would like to see some kind of legal protection whereby people or whoever has access to the information is not allowed to disseminate it without the specific permission of the user, of the person who ordered it.

MR. McCONNELL: We are looking exactly at those kinds of issues with the Advisory Council in connection with our work on privacy, and that question of consent, informed consent for the release of information about yourself, about personal information. It's related in a way to the comment that Mr. Bolman made about the pharmaceutical companies not wanting their activities known as to what journals or what articles they're reading. So there's a commercial privacy aspect, as well, and I think that's important.

MS. SIMONS: And I think it's important that it apply not only to the government, because there already are laws restricting what the government can do, but that it also applies to private industry.

MR. LEHMAN: Well, you know, there are interesting copyright implications here because we had -- you know, a couple of years ago, we had a big fight where book publishers, for example, wanted a more -- basically wanted a fair use right to publish from unpublished works. You know, in other words, if I wanted to look at -- yeah, exactly, if I wanted to look at Truman's private memoirs that had never been published, I could use that.

So we see a conflict there, even on the part of a group that's normally very pro-proprietary and pro-copyright, saying, well, I want less copyright protection so I can get somebody else's private stuff. So there's a really interesting -- the electronic environment is going to expand those kinds of questions tremendously, and you'll find different people taking different positions, I suspect, from where they happen to -- you know, what they want at that given moment.

We have the other panel, and I'm trying to, even though I realize we originally said 12:30, I realize a number of people have to get to the airport, which is quite a ways away. So what I was hoping we could do is shorten the break, continue until about 20 minutes to 10:00 and then maybe take about a five-minute break and then come back for the next panel.

And, you know, we can talk all day. It's really such a shame, but this is the beginning of a dialogue and maybe we can all correspond with one another on the Internet about it.

(Asides.)

MR. LEHMAN: Oh, there's somebody from the audience that wants to ask something, too, but why don't we --

MS. DYSON: I just want to offer, I will stick around later and I'll help pass on any further comments people might have to my esteemed, honorable colleagues.

MR. LEHMAN: Well, also, everything here is being transcribed, of course, too.

MR. McCONNELL: Well, if it would be possible, Mr. Chairman, if we could, obviously I certainly won't have time to ask all the questions that I have. If it would be all right with the panel, if I could submit questions to some of you for the record, if those could be incorporated in the record, that would be very helpful.

MR. LEHMAN: I'm sure everybody would be happy to do that.

MR. McCONNELL: That would be great. I just had one question for Mr. Leibowitz, which is the International Standard Recording Code which you mentioned, does that provide all the kinds of information about copyright status, generation status, terms and conditions at this point? Is that a robust thing for all manner of intellectual property?

MR. LEIBOWITZ: Well, there are a combination of codes. The International Standard Recording Code is really an identifier of the particular sound recording track which will identify the owner of it and, with the numbers, identify the particular recording. The other information about the copyright status and the generation status are part of the Serial Copy Management System information. The pricing information and the other elements that I discussed are not part of that, and that would have to, you know, be built upon.

Let me respond, since nobody did get a chance to respond to the question you had a moment ago about the issue of whether we should have some single means of standards. I think on the one hand it's very important that there be flexibility to allow the individual content providers to determine their own types of systems and approaches. But at the same time, to the extent that we want -- and certainly our industry wants the equipment to be able to react to those, I think there is a valid role for the government or standard setting body to play in trying to develop that sort of feature so that it doesn't increase the costs unnecessarily of the equipment or the transmission services themselves.

MS. PRESTON: I have a question I would like to ask of David Leibowitz. When you have the performance right in sound recording, what type of --

MR. LEIBOWITZ: -- lips to God's ears.

MS. PRESTON: What type of security do you envision that will enable you to determine that an album has been performed? For example, Mary Sue has the new Madonna album and she decides that she wants to play that album over the NII for her friends to listen. She calls up everybody in the neighborhood and says, "Have you heard this? Take a listen." How will you know that that has been performed?

MR. LEIBOWITZ: Well, there are very frightening aspects of the Internet system today which doesn't allow us to make those determinations. I think the part of issues -- and first of all, for clarity, to the extent that the copyright law is expanded to give sound recording owners the same right of public performance that all other content providers enjoy, it's limited to public performances. And the question then becomes whether that's public or not.

Other characteristics that you would have to look at is whether or not it's being transmitted in a way that is audible in real time or is it transmitted to be downloaded in faster than real time?

MS. PRESTON: Now, we're talking about just listening.

MR. LEIBOWITZ: Well, if it's just being transmitted for listening, those are going to be performances. Whether or not -- certainly today, we don't have the capability to address that, which is why we need the additional information and allowing the equipment to also react to that information.

MR. LEHMAN: Well, we would ask the same question of you, Ms. Preston, that --

MS. PRESTON: I was asking for that same reason.

MR. LEHMAN: I mean, that's a performance that's being listened to.

MS. PRESTON: We have the same problem.

MR. LEHMAN: Though I think it is important to realize that certainly the copyright law has never captured every single use of work. I mean, you just have to recognize that there are going to be unauthorized uses. Right now, there's just a vast wealth of information out there on the Internet by and large which are communications or which are public domain material which people put on there, and they basically don't -- they may be technically copyrighted works but there's no attempt to enforce the copyright.

I mean, just because you have a copyright right doesn't mean that you have to run around enforcing it or anything like that. Yes, Ms. Simons.

MS. SIMONS: Well, I just wanted to express a little concern about the scenario you just described. In order to be able to capture that kind of information, it might imply the ability to capture all kinds of other information, such as political dialogues. And I just think it's a very risky business.

It's true that the Internet doesn't now have the capability to find out if she's sending this record around, but we also have to keep in mind what the trade-offs are to introducing new mechanisms and how they might be used in ways we don't intend them to be used.

MR. LEHMAN: This is such an exciting discussion with this panel that we could probably go on. We should have arranged for a full day of hearings, and maybe two, but we learn as we go along. But we did promise the audience a chance, and we do have a person from the audience, so maybe we should move on to that.

Could you come forward, please, and identify yourself.

MS. NYCOM: My clients represent both sides of the Internet, if you will, or the NII. And they're traveling together, but they have differing interests.

Some of them are people who are providing intellectual property, and they, like Sandra, would like to find a way to make sure they're paid for it. Others on the other hand are the distributors, and they neither want nor are they interested in knowing anything about the content or let alone being held responsible for it. So I have two questions, one for the testifying panel, and then if I might, one for your panel. For the testifying panel, the question really is: Are you speaking with each other? For example, David, your group, and Mark, your group, are you keeping each other informed so that you don't solve yesterday's problems as the technology advances? And I see this is a great opportunity to work together so that the true protection can be had without the distributor somehow being liable.

Now, for this panel, the question is: Have you looked at, as a National Academy of Science panel did a couple years ago, the notion of providing possibly the status of a common carrier for some of the distribution channels, and of course with the aspects that that brings up along with it?

Thank you very much.

MR. LEHMAN: Well, let me answer, just to move things along, the second question first because I think I know both what the working group has done and what the Advisory Committee has done, and the short answer is no, we haven't looked at any common carriers yet.

MR. BUNZEL: In terms of the first answer of coordinating with other organizations, we have just redefined our strategic plan for an Intellectual Property Committee, and I can tell you that a key part of that plan is, on all issues, is identifying other interested parties as well as, as we begin to develop a position, the positions of other parties that may have impact on policy or legislation that will be developed. We are already developing lines of communication on the ratings situation with the SPA and the other organizations. So, yes, it's a very key part of going forward.

MR. LEIBOWITZ: And I would just like to add that although Bruce and I haven't met, I believe I do serve on some advisory panels for the IMA and I do receive literature from them. And I suspect we will be working more closely together, as we just alluded to, the CD-ROM recorders and there was an article in this week's Information World about Sony introducing the CD-ROM recorder for $1,500 retail that can go right into a slot into your computer. So those are very troubling elements. As far as the notion of on-line services being common carriers, while we can talk about that for a long time, my reaction is that that's an outrageous concept.

MR. LEHMAN: We really have to move along, and one other person wants to ask a question of the panel. So hopefully, we can take that question and then --

(Asides.)

MR. LEHMAN: Why don't you just go to the microphone here, and if it doesn't come through on the transcript, it doesn't come through and I'll try to repeat the question.

(Question from audience, not on audio tape.)

MR. LEHMAN: In the interest of -- that was sort of more of a statement, I think, which was more that the AAP, the Association of American Publishers, is working on this problem. They are particularly interested in and concerned about equipment that enables unauthorized use and is anybody looking at that problem. I would just say that the working group's screen paper does indeed address that problem to some degree. But maybe if somebody has a very quick response or if somebody, you know, is about to publish something or put a new Intellectual Property Coproduct on the market that relates to this, you might let us know on the panel.

Finally, I want to -- Ms. Dyson has one more question.

MS. DYSON: Yeah, this is just kind of a sense of the panel. I'm assuming that you all feel that what you're trying to do is have deterrence to copying, that you have no notion that there's going to be 100 percent protection. Is that correct? Okay.

MR. LEHMAN: The answer is no. I mean, just for the record, we're getting an answer that, no, people don't have an expectation of 100 percent security against unauthorized copying.

MR. LEIBOWITZ: 99 percent would be good.

MS. WHISLER: I'd settle for 70.

MR. LEHMAN: You know, maybe what we could do is, if people would just indulge us a little bit, the members, is bring up the new panel and we can start right away, you know, as soon as they get in place. And if anybody here has to leave the dais for a moment, they can come right back. That way, we'll move right along and save ourselves 15 minutes.

MR. McCONNELL: How will we get the additional questions from the panelists?

MR. LEHMAN: We have their name and address we will provide that to all of us, and you will be able to write to them or Internet. I think we may even have Internet addresses for some of them. But we need that for our records.

(Asides.)

MR. LEHMAN: Yeah, if you want to do it formally through the record, you can send it to Michael O'Neil here in our office and he will see that they get forwarded. Then we'll have it in the official record.

I assume what we're going to do in these hearings is the same thing as we've done with others in our working group, and that is that the transcripts are available for public consumption and they will be available in about two weeks time as part of the process here so that we'll stimulate discussion for other people.

(Whereupon, a brief recess was taken.)

MR. LEHMAN: I hate to be rude, but unfortunately time is limited this morning, so we really do need to get on with our business. So I'd like to welcome our second panel. I want to thank our first panel. We could have gone on for a solid day and more, I'm sure, following up on that. But it does indicate, since the questions were very timely, that we're on the right track.

Our next panel consists of distributors and technical solution providers. Maybe I would just ask the people in the back of the room if they could have their conversations out in the hall or what have you. It would help us.

The panel consists of Jeffrey Sinsheimer, Director of Regulatory Affairs in the California Cable Television Association; Josh Groves, Director of Current Awareness Products, Marketing Department of Dialog Information Services; Curt Schmucker, Manager, Tools and Environments of Apple Computer; William Ferguson, Vice President of Marketing and Sales of Semaphore Communications Corporation; William Sweet, Director of Marketing of iPower Strategic Business Unit of National Semiconductor Corporation; William Krepick, Senior Vice President of MacroVision Corporation; and Robert Rast, Vice President, HDTV Development of General Instrument Corporation.

This panel will show us why it's important for us to be right here in Sunnyvale in the heart of Silicon Valley where most of these people. You've had the benefit of seeing the earlier format, so why don't we start out with Mr. Sinsheimer. And to the extent that we can obviously leave as much time for the dialogue, the better, so we'd like to welcome you, Mr. Sinsheimer.

MR. SINSHEIMER: Thank you. Assistant Secretary Lehman, Mr. McConnell, Ms. Dyson, Ms. Preston and members of the public, thank you for the opportunity to make a presentation before this hearing board on the issues of commercial security and intellectual property on the National Information Infrastructure. My name is Jeffrey Sinsheimer. I am Director of Regulatory Affairs for the California Cable Television Association. CCTA is a trade association in the state of California representing cable television operators servicing over six million California residents, cable television programmers and equipment suppliers. As Director of Regulatory Affairs, my responsibilities include advising members on signal security issues including legislation and its enforcement.

My role here today is to put into context the two questions posed by this panel from the point of view of the cable television industry. First, what are the system security needs of intellectual property providers? And, second, what are the technical solutions and system designs currently being studied or developed by the private sector to deliver products and services via the NII?

Specifically, my comments today will relate to the third question posed in the notice. In considering these questions, CCTA's comments revolve around three basic themes. First, security of intellectual property rights is currently endangered by illegal theft of cable television service which is over $4.7 billion -- that's billion with a "b" -- dollars annually nationwide and growing.

Second, public policy makers and law enforcement officials must act to stop the current theft crisis. And third, government solutions that protect intellectual property interests should encourage investment in upgrading the NII and use of these new and improved networks by consumers.

Theft of cable television service is a major problem in this country. While many in the public may view theft of cable television service as a technical challenge, it is in fact a crime. It is a felony both under federal and state law, but also it deprives creators of their intellectual property rights to be compensated for the use of their works.

Section 633 of the Communications Act on the federal level gives power to U.S. attorneys to prosecute in this area. The CCTA sponsored passage of Penal Code Section 593(d), which provides criminal penalties and civil damages and remedies for theft of cable television service, and will sponsor amendments to increase these crimes from misdemeanors to felonies, with strong support from the motion picture studios, broadcasters and others who distribute their works on cable television systems.

The Office of Cable Signal Theft at the National Cable Television Association estimates that people tapping illegally into cable television lines or descrambling encoded signals steal approximately $4.7 billion dollars annually from revenues that would otherwise go to intellectual property creators and cable television operators.

This figure is somewhat understated, given the fact that it does not include theft of signals for pay-per-view and other more transactional services that cable television operators have begun to provide only in the last few years. Cable theft deprives revenues not only to cable television operators who are distributing signals, but also a wide variety of people and institutions which would otherwise be entitled to a portion of that amount.

Outside the intellectual property area, since cable television operators are required to pay local franchise fees, the loss of these revenues deprives local government of nearly $250 million dollars annually in franchise fees for the use of public rights-of-way. It also forces legal subscribers to pay for theft and degrades signal quality in cable television systems. In the realm of intellectual property theft, the $4.7 billion dollars includes copyright royalties which would otherwise be distributed to the producers of broadcast programming through mandatory copyright payments that cable television operators make. It also represents diminution of the amounts of revenues to which basic cable television programmers and premium programmers, such as HBO, Showtime and the Disney Channel, would otherwise be entitled.

Cable television operators construct their systems in an encrypted manner to protect revenue streams, to enhance signal quality and to ensure the integrity of their contracts with program suppliers. This guarantees that creators receive compensation for their works for which they are entitled when their creations are distributed.

However, the marketers of computer chips to defeat those encrypted systems and boxes which contain illegal chips have had some success in convincing some elected officials that their behavior is benign. Local law enforcement officials, who for the most part are strapped financially, have had limited success shutting down these types of operations. Ironically, the thirst for illegal descrambling devices has made its way from advertisements in popular electronic magazines to advertisements in magazines of more general circulation, such as Parade Magazine, which is included in tens of millions of homes across America each Sunday. Now we travel fast forward through Cyberspace and onto the Internet, where participants in certain forums advertise how to construct your own cable descrambler and how to defeat encryption systems, and how to program a chip to provide free access to otherwise scrambled signals. As an example of this type of information being distributed on the Internet, one of the four major suppliers of set-top adjustable boxes has had its microcode disassembled and distributed on one of the Internet forums. This makes it possible for theft of all forms of intellectual property transmitted on systems having those boxes.

This distribution of information is to literally hundreds of thousands of people on the Internet, who tend to be the most technically literate people. Internet distribution of microcode and the publication of the availability of chips and methods to defeat encryption systems is easily comprehended by this audience. This creates the potential for a dramatic new increase in theft of intellectual property.

This situation leads also to the deployment of equipment that runs afoul of FCC standards and of boxes which have lost their U.L. certification.

The FCC has been considering these questions as part of its docket on equipment compatibility pursuant to the 1992 Cable Act. Under the auspices of the FCC, the Electronics Industry Association and the National Cable Television Association are participating in the Consumer Cable Compatibility Advisory Group, which is working on different types of systems that will meet the industry's different needs and deal with the issues of theft of intellectual property and theft of cable television service. Finally, while many of these solutions may be technical in form, two important factors must be taken into account.

First, computer and video thieves have demonstrated their ability and propensity to decipher encrypted code to gain illegal access to intellectual property of others, and the market for these mechanisms will never disappear. And, second, technology brings with it a cost which one hopes will not discourage deployment of the NII. The upgrade of cable television systems to full service networks that can offer protection to intellectual property will force cable television operators into new relationships with the people who create video and interactive products. Creators of intellectual property expect revenue for the distribution of their product. The distribution cycle must provide some sort of revenue incentive for network builders so that they will upgrade their networks to enhance security.

This is not an inexpensive proposition, and the marketplace may provide some solutions.

Creators may have to think about the distribution cycle in a new way, providing for earlier day and date release of video offerings, particularly on transactional and pay-per-view systems, in order to create incentives for secure networks to be built.

Thank you very much for your time, and if you have any questions, I will be happy to answer them.

MR. LEHMAN: We will proceed right on to Mr. Groves and then we can all have a dialogue together.






MR. GROVES: Thank you. My name is Josh Groves, and I'm with Dialog Information Services.

First, I'd like to say that Dialog is very grateful for the opportunity to be invited to this panel. Dialog is the largest provider of commercial on-line data bases to the business, scientific, research and academic communities. We have more sources than any other service. We have over six terabytes of data covering over 450 files.

As the leading provider of high-quality electronic data that is relied upon by businesses throughout the world, both large and small, we feel that it's critical that the NII does not compromise the integrity and security of our data both at our site and once it's distributed to our customers throughout the world.

We believe that the security of electronic intellectual property is critical to the commercial success of the National Information Infrastructure. We believe that private industry will produce and select the most effective safeguards, both hardware and software, to ensure this security.

We also believe that the government can play a significant enabling role by providing technology test beds, by promoting technology exchanges and by helping define the current, sometimes murky legal areas of the electronic copyright protection.

And finally, we believe that the government can help define the requirements of what it means to contract electronically through on-line means. We would also be happy to answer any questions when time allows.

MR. LEHMAN: Thanks very much.

Next, Mr. Schmucker.




MR. SCHMUCKER: Good morning. My name is Curt Schmucker, and I am in Apple's Advanced Technology Group, Department Manager.

Apple is a company that produces mass market personal computer hardware and software and distributes these desk top, notebook and personal digital assistant devices worldwide. I am delighted to be here today to speak on behalf of Apple. What I'd like to do is sort of make one major point, and that is to talk about the interaction between the technical means for achieving privacy controls and the business reality of worldwide marketing.

There exist several cryptographic means of enciphering data that are usable on personal computers. In addition to being trusted and efficient and usable to non-specialists, these means have to be cost-effective. And to be cost-effective, they have to be easily exportable. By easily exportable, I don't mean that it's possible to obtain an individual validated license after months of negotiation with Commerce, State and Defense. Months of negotiation might be reasonable if what you are trying to export is a multimillion-dollar computer system. It's not so reasonable if what you're trying to export is a $500 Newton that fits in your pocket and sells as a commodity device.

I'd like to tell you of one sort of anecdote that sort of brought this home to me, of the difficulties worldwide companies currently face.

A company here in Silicon Valley needed to protect its business communication data between its headquarters here and its worldwide subsidiaries. And so they tried to obtain a license to export to their subsidiaries some U.S. crypto gear, and they were unable to do so.

So having this dilemma in their business situation, what they ended up doing was purchasing Russian crypto gear because there's no law on the import of such equipment, and they use that now for their worldwide business communications.

I'd like very much for this sort of thing to remain an isolated incident as opposed to becoming a common practice. And to do so, we need to make changes in the export controls for mass market devices as the NII becomes more and more of a reality.

Thank you very much.

MR. LEHMAN: Thank you.

Next, Mr. William Ferguson.





MR. FERGUSON: Thank you, Mr. Chairman. My name is Bill Ferguson. I'm the Vice President of Marketing for Semaphore Communications Corporation. We're a young company located in Santa Clara that develops secure digital transmission systems and software for global markets.

I have prepared notes that you can get on the outside, and rather than read from them straight, I will kind of paraphrase as I go through. Sometimes it's useful after hearing other speakers, to add some comments that reflect on the reality of the situation. Our products are used to secure communications across all aspects of the Global Information Infrastructure. And every time I see something that reflects on the National Information Infrastructure, somebody's got to give somebody a sharp poke in the eye and let them know that it's growing a hell of a lot faster outside the United States than it's growing inside the United States. And when I have to come to panels like this and meet with people who haven't even had new stamps in their passport in the last six months for doing business, it's really frustrating to try and get people to understand the scope of the business that's going on outside of this country with relationship to secure communications.

It is a booming business outside of this country, and it's going to stay a booming business. And it's going to be driven by foreign companies, not United States based companies, unless something can be done to affect the laws that allow U.S. companies to compete fairly and openly for global business.

Our products use standard, globally-accepted technology such as DES and RSA. We can't get either one of those out of the country without an export license for each device and each single destination. My global competitors can ship this stuff around, just like my friend from Apple suggested, without any provisions for licensing whatsoever. And to make it even more absurd, it takes me anywhere from three weeks to three months to get an export license and then once I've gotten the export license, even with the new federal provisions for getting the export licenses in three days, as I pointed out to people from the Department of State, they do the courtesy of mailing it back to me by third class mail so it takes two weeks to get it back to my office.

So there's kind of a sense of urgency for reacting to this kind of requirement on a -- more urgency than we see the federal government moving right now. I've attended these panels for 18 months and we're discussing the very same things and nothing is moving.

I see a mark in the sand being drawn at one meeting. I see the mark being erased at the next meeting and a new line being drawn in the sand closer to the goal line, your goal line, than the 50 yard line so that we can have a level playing field for dealing with these issues on a global basis.

The products that we make are transparent to the content providers. They are transparent such that they will secure any material reaching the superhighway. And they will keep any unauthorized access or any compromise of the data on the network.

I have a lot of sympathy for the cable industry, but every time we try to approach the cable industry with solutions, they go back to their preferred suppliers. Their preferred suppliers are developing proprietary solutions which are for the cable industry only, so we've got a diversion of the application of technology that's going on right now. And the further we get away from each other, the less the user is going to be able to have a transparent device available to him in his home or at his office or in his home and his office that will be able to be used across all services.

The issue of globalization is really important. At a forum in Baltimore only about two and a half weeks ago, one of the speakers was making comments to the effect that they had catalogued 400 companies around the globe that were involved in security related product development. Somebody in the audience from Sweden jumped up and said, "Sorry, we know of 1,200." So the 125 companies that are in this business in the United States are small by comparison, and it's clear that having been a leader in this market only five years ago, United States companies are being severely hampered in the globalization issue, as my friend from Apple pointed out, simply because of laws where we have our head in the sand.

A number of us in the audience and some of us on the panel were at a conference in Washington in June when, in the middle of the afternoon, we asked one of the speakers about internationalization issues. We asked the panelists and people from the National Security Agency if they had made any attempts to try and get foreign governments to accept Clipper technology in their environments for use in their countries. You're all familiar with Clipper? People from the National Security Agency stood up and said even though it's been since April of 1993 that they announced Clipper, that they had made no direct initiatives to foreign governments with regard to the acceptability of Clipper technology being imported into their countries.

That is a terrible, terrible dilemma for an industry that is under control of federal agencies and the federal agencies are hampering our ability to be involved in international commerce. Clearly, these issues cross all borders. The industry acknowledges the need for the law enforcement and national security communities to have their requirements served, and industry has stood up to the line right there with them and said, "Okay, let's resolve some issues. Let's get on with it. What do you want us to do? How can we do it?" Okay? It's 18 months later, folks, and nobody is doing anything. Here in the United States, you have a group of innovators. They are young companies and some very mature companies, such as National Semiconductor, that are developing products which could put the United States' industry in a leadership position globally to provide for secure communications. We hope that the government will narrow its focus so that we can address these issues, you know, a single time, not repeat times before different fragmented groups looking at these issues. And we look forward to that, and we as a market and technology innovator, want to stay involved at every step. It puts a strain on us to do it, but we've made a commitment to do it.

Our global partners are eager for accommodation on these standards, as well, because, as I pointed out, it is a global issue. It's not just a domestic issue only.

As a young company with only 25 employees, I can tell you that I have partnerships already established with British Telecom, with the Swiss PTT, with Cable and Wireless Dutch, Swedish PTT's, and I have invitations from the French and Japanese to participate in co-development projects with them, only to have those rejected by the United States government.

So we're kind of in a dilemma. We're confused between do we stay here or do we move our operations off-shore, like to Russia, Switzerland, Sweden, Finland, Norway, Japan, India, Israel, I mean, places that would welcome a technologically innovative company. We hope that industry can see a cooperative spirit expand and have this government lead the global partnerships and the global expansion of this business. Thank you very much.

MR. LEHMAN: Thank you, Mr. Ferguson. You referred to National Semiconductor, and now we have William Sweet from National Semiconductor Corporation here.

Mr. Sweet, do you want to proceed.






MR. SWEET: My name is Bill Sweet. I am the Director of Marketing for the unit within National called the iPower, little "i" for "information." We're a business unit that has come up with a new thing -- I'm not quite sure what to call it; the crypto folks call it a token -- designed to facilitate security in moving digital files from point A to point B over any network, secured or unsecured, through any mail system, secured or unsecured.

We're currently building two flavors of these. One is a flavor built upon RSA data security, which is not escrow. There's another one we're building for the U.S. government, which is now called the Fortezza Card. It used to be called the PersonaCard, which is the escrowed system. And for those of you in the audience who aren't sure what a token is, I assure you that you carry them around with you pretty much most of the time. I have here one of mine, except it isn't mine; it turns out to be my wife's. It's her ATM card. And this is a two-factor security token. To make it work, you need two things: something you have, the token, and something you know, the PIN number.

Two-factor security devices are much more secure than single-factor security devices like a regular credit card where all you need to know is the credit card number and away you go.

These are relatively new tokens. Here is one. It's built on a PCMCIA card format. It has a little computer, crypto engines, and some memory in it. We have designed these things to be impenetrable, or another word people like to use is tamper-proof, meaning the secret data that's inside the chip here that we manufacture cannot be extracted. In particular, the thing we're protecting is the private key in the public/private key pair that's used in key exchange and digital signature.

What this little gadget gives you is the ability to authenticate over a 3,000-mile wire who you are via digital certificates, the ability to sign things -- I'm talking digital signatures -- which means if you change one bit in that thing you signed, the signature catches it, it's invalid. The ability to make messages private through block encryption of your choice, presumably DES although BEST or IDEA or something else is fine with us. It's up to the user. The ability to verify the message through hashing algorithms, message digests, and a place to store transactions data.

Now, this is a card that you can use to send secret messages and attach a digital file. And that digital file that you attach can be anything from a two-line memo to a two-hour movie. We also anticipate these cards being used for electronic commerce. If you want to buy a program or any piece of intellectual property over several thousand miles of wire, this is the thing you plug, it proves who you are. You can have your credit card accounts built right into the thing. If someone at the other end has one -- and by the way, these are like modems, you need two, one on either end. If someone on the other end has it, you can conduct electronic commerce. I can buy, you can sell, and vice versa, all in relatively bullet-proof security, which brings me to Bill's point.

Since this is strong encryption technology, we can't export it but we can sell it and it can be utilized around the country. I am assured by my government associates that we can export the Fortezza Card, which is fair since the government will have its fees. Our position at this point is we're going to build both kinds of cards and it will be up to the customers as to which one they want to use. Primarily, the market we're chasing in the near term is what we call data security and electronic commerce. There's another one that we'll be chasing in another year, which we refer to as metering. And that's the concept of being able to enable people to ship encrypted files out in mass media forms such as CD-ROM or, for that matter, down the information superhighway and to be able to exchange keys in a secure environment so people can purchase things like movies on demand, for example. The difference between basic data security and metering is simply that the metering has much more sophisticated transaction processing capability that sits on top of the basic security. But my role in coming here today was to let you know that this stuff is coming. The Fortezza Cards are shipping today. The PersonaCard, which is the RSA compatible version, we'll start shipping in January. And I hope all of you that are concerned about security will buy at least a dozen of them over the next ten years.

MR. LEHMAN: That's very helpful. I'm sure we'll have a lot of questions. Thank you very much.

Mr. Krepick.




MR. KREPICK: Thank you, Mr. Chairman.

Thanks for the opportunity to be here.

Macrovision Corporation is a private company.

We're a small company. We're engaged in the business of providing intellectual property protection to a broad range of copyright proprietors, namely the Hollywood studios, small, independent video producers, digital set-top decoder manufacturers, semiconductor companies, even some government agencies. We sell hardware. We sell video encryption systems and some pay TV scrambling type products. But mostly we license our technology and we license video cassette anti-copy systems as well as theatrical video security systems and pay-per-view copy protection systems.

We're not directly involved with any delivery of Internet type services today, but we do have a kind of unique technology oriented solution for the companies that distribute video programs and movies, whether it's in a pre-recorded manner or whether it's over electronically transmitted media, for example, cable or telephone company or direct broadcast satellite media.

We think that our primary contribution to copyright security in the NII environment will actually be in the area of protecting digital video programs from being copied onto analog equipment, which are the existing 400 plus million VCR's that are in the world today. You may not think that this is important, but if you talk with the studios in Hollywood and you talk with independent video producers, what they are really concerned about is not only digital-to-digital copying, which certainly is important because everyone knows you can get a perfect master of a video program if you go digital-to-digital, but they are also concerned over the fact that if you have a digital VCR or a digital video disk player, most of that equipment is going to have not only a digital output cord on it, but it's also going to have an analog output cord on it.

So what that means is that two or three years from now, people will be able to take their digital VCR's and they will be able to capture a digitally transmitted program or they can take a digital cassette or a digital disk and they'll be able to put out onto any old analog VCR a perfect production quality copy of a movie. Now, that scares to death anybody who is producing video programs because, again, the threat is not just digital to digital.

The other fact that people understand is that those 400 million analog VCR's that are in the marketplace today throughout the world, they are going to continue to grow. They will not be thrown out overnight, so there will always be an analog kind of hardware for at least the next ten years in which to capture this video information. There will be analog TV sets for the next ten years which will display the video information.

We think that the copyright holders will not be satisfied if their intellectual property is only protected in the digital domain. We also, as a company, we believe that consumers, however, do have the right to time shift free broadcast TV or to copy non-copyrighted material. So we think that that provision needs to exist in the NII. I think that most people who are in the video industry are aware of the 1984 Supreme Court decision which allowed consumers the right to time shift free broadcast TV. It was the so-called Sony Betamax case.

However, as we go forward into this new digital world, we believe that the copyright holders have the right to copy protect electronically any transmitted pay-per-view type programs or events, or any pre-recorded material. We believe that that's absolutely the right of the copyright proprietor.

In answer to two questions that were posed in the NII paper, what are the video security needs of our customers -- and again, our customers are the intellectual property proprietors -- I think we can categorize seven kind of distinct needs.

First of all, they require that copyright protection be available for digital-to-digital, digital-to-analog and even analog-to-digital situations which may arise over the NII. And that's, again, whether it's pre-recorded or whether it's in transmitted form.

We believe that they want to prevent in the United States the 200 plus million analog VCR's from making production quality copies of NII digital that comes from NII connected digital hardware that has analog output ports. If you take this on a worldwide basis, again, that's 400 million VCR's.

The third thing that we think that the copyright owners want is an economic and an accessible means of invoking copyright protection technology and that they, the copyright proprietors, should have the right to decide whether they want the material copy protected or not.

The fourth thing that we think is important is that there should not be copyright protection implemented which involves taxes or levies on the hardware or on the blank media. This actually has been instituted in other countries. It was part of the Audio Home Recording Act of 1992 in this country. And we believe that that presents an undue burden on the consumer, on the hardware manufacturer and on the software provider.

What you are looking at are taxes that range anywhere between two percent and six percent of the value of the equipment or the media, and then that gets divvied out somehow amongst the copyright proprietors, amongst the authors and the creative people. That is a tax plain and simple that we think the consumer shouldn't have to bear, and we know of technical solutions that would reduce that tax from the two to six percent range down to about one quarter of one percent.

So we think that copyright protection is a matter of economics as well as technology. We think also that the copyright owner wants to be able to implement a system which is compatible with today's technology as well as future technology. And one very important thing that is required -- and this is where I think it's a combination of technology and government intervention -- and that is that any copyright protection circumvention should be made by law illegal. And this gets a little bit into the situation with cable set-top converters, that people who make these devices, I mean, that should not be under the copyright law. That should be under the federal law which makes it a crime, a federal crime to do that.

And the last thing that obviously is important for the copyright owner is that any of this technology be implemented and it does not interfere with the quality of the picture that's delivered to the individual's TV set. So what is our solution for copyright security on the NII? Five points.

First, we believe that on an economic basis that we can deploy proprietary analog copy protection system generators, tiny generators that are chips inside of digital hardware. These little generators would add copy protection that would protect the rights owner's property in the analog environment.

Secondly, we believe that this proprietary technology should be made available on an affordable basis to all involved communities, both the hardware and the software communities. We're prepared to do that, and again, I think if one looks at the alternatives of the costs of this, that our solution is probably an order of magnitude less expensive than any other legislative solution.

We will allow through our technology that the copyright owner can make the decision on when and if to apply copy protection technology. The network operator or the digital hardware itself will respond according to the wishes of the copyright owner and activate the appropriate copy protection technology.

Fourth, we will limit our technology to only pay-per-view programs. It will not be licensed to be used in broadcast or subscription pay TV. So there, the consumer, we believe, has the right to do time shifting and copying.

And the last thing is that we are in the process right now of working with hardware companies, leading hardware companies, major software companies, trying to develop a comprehensive technical solution. And we're also investigating what kind of legal policy, legal doctrine could be wrapped around that, and possibly doing something which is a take-off of the Audio Home Recording Act of 1992.

So, we believe that there is a role for government in this. We believe that there is a role for technology. We believe that industry participants need to work together to make this happen. Thank you.

MR. LEHMAN: Thank you. Maybe we can move right on. Mr. Rast is our last presenter.




MR. RAST: I'm Bob Rast. I'm with General Instrument Corporation. We're a leading supplier in the broad band communications industry. We're a leading supplier in cable, and we relate to Mr. Sinsheimer's remarks. And we're also a leading supplier of technology in the satellite industry that scrambles video signals for delivery to cable systems as well as direct to home. And those experiences give us the basis for the remarks we want to make.

In addition, we're a leader in HDTV and digital video, so digital television as it's emerging is of great interest to us, and that's going to be very important to the NII. And in fact, at a conference sponsored in part by the IITF, on a workshop on digital video in May, there were two findings.

One is -- two of the findings were that digital video is likely to set the maximum bit rate requirement for the NII, and it agreed to a goal that video should be carried on the NII as easily as the telephone network now carries voice. So from these experiences and our interests, we'd like to say that, first, no matter how strong a security system is, it's going to be compromised if it is protecting material of high value. And certainly, the value relates to the size of the audience.

The security must be renewable. And just by virtue of being renewable, that helps to inhibit attempts at signal theft. Government policy must not hamper the development of numerous sponsors to signal theft, and the goal is to respond quickly to signal theft and the deployment of new forms and methods of security.

We believe that a single, uniform national security standard is dangerous. It weakens securities because it aggregates the properties in one place and gives attackers a single target. We also think it stifles innovation that is needed to stay ahead of the attackers.

We believe that published open security systems tend to weaken security, and any unbundling or open interface requirements should be limited to functions that pose no threat to the intellectual property of the programmers and information providers.

We want to say that we believe the decisions on security technology are best made by the people with the most incentive to protect the intellectual property, and those are the rights owners rather than government agencies. While software based security may be adequate for some applications, hardware based security may be needed for others.

Our experiences in the satellite industry were somewhat humbling to us. There was a point in time in which perhaps as much as 70 percent of the home satellite dish systems had been modified to steal programming, and it took us years to overcome that problem by switching out the security and going to what is now a renewable system and it cost us tens of millions of dollars. So we really urge everybody to be very cautious about your assumptions.

There's been discussions about other areas in which pirating is rampant. There's no question that's a problem. We make an observation that the international nature of all this helps to contribute to the problem partly because of U.S. export control laws, but also in the area of programming, recognizing that rights are sold on a country-by-country basis. And so when you beam satellite signals down to U.S. households, those beams spill over into adjacent countries. And if the rights aren't available, the only way those people can get those signals is to steal them, and there's a tremendous economic incentive on their part to break your system. We've got to learn about that.

So we're concerned about the significant profits that can be made from illegal interception of intellectual property, and we know from experience there's some very sophisticated attackers out there.

We want to caution you all that security is not a one-size-fits-all product. Different techniques are needed for different types of products. We're a little bit concerned that in the NII, some people will think bits are bits and that one solution is adequate. We don't believe that at all. We think that the solutions have to relate to the type of product and the size of the audience.

I will point out to you that broadcasting of entertainment videos is fundamentally different than point-to-point transfer of data files. The mass audience creates a very high incentive for piracy and justifies a higher level of security. Further observe that the communication systems are built in layers and we need to think about security at different layers and it's not necessarily a single security system on a single layer. It provides for the whole system. And along the lines of concern about government intervention, we would just observe that we have some experience with the FCC, that we feel that those concerns are valid. The FCC is talking now, for example, about prohibiting scrambling of something called a basic tiering cable. While that may seem to be in the consumer's interest, if you're an intellectual property holder and if that leads to an increase in piracy, was that a good idea or would that be a good idea? And is that the kind of thing that the government really ought to be trying to do? Should it get involved in how the security of intellectual property flows like that by restricting the ability to provide that security? Some of that intervention seems to almost get trivial to us because we're involved in a situation where there's a discussion of providing limits on remote controls, but in fact a remote control itself only costs $20. I mean, we're not talking about something that's really expensive for consumers, but perhaps that's getting into too much detail.

So with that, I'd like to summarize just by making the points that we believe that security is critically important in the NII if intellectual property owners are going to be induced to offer their products. And that's the key. Will they offer their products and will the security justify it?

The security is going to have to be able to be improved over time. It's going to have to be renewed, and it will be under attack. Any standardization of security testing weakens it, so we should be careful about that. And we're concerned about the unintended consequences, unintended negative consequences of government intervention. Thank you.

MR. LEHMAN: Thank you very much.

Now we can open it up to questions, and why don't we start this time with Ms. Preston.

MS. PRESTON: Thank you. We've talked about tracking usage along the network. Will we be able to in the future track content?

MR. FERGUSON: From what perspective?

MS. PRESTON: Suppose that you have a book out there and it's really compiled by several authors. And you know that someone is downloading that book, but do you know what part of it that they're downloading, the content that they would be downloading?

MR. SWEET: That's possible if you encrypt the book in separate segments and put a number on each segment. Then you can sell access to those segments, or the decryption keys, if you will, segment by segment. It depends on how you parse your product.

MR. FERGUSON: You've got to be able to identify it at the level of granularity that you want to identify it. And once you set up that level, you can control distribution of content down to a single word. I mean, they do it now with credit card PIN numbers. It can be as big or small as you want to, as long as you can define, put a boundary around what it is you want them to be able to have access to.

MS. PRESTON: One of you spoke about tracking video signals. Can that same be applied to audio?

MR. FERGUSON: It's going to be digital. By the time all this stuff works, it's all going to be digital signals and it will all be the same. And you can track it and you can license it in those same parcel segments. We don't care whether it's video or data or voice. Once they're digital signals, they're digital signals and you can treat them with similar technology.

MS. PRESTON: I would also like to say that I was very much concerned with Mr. Ferguson's comments and I hope that they're being forwarded to the proper authorities, because --

MR. FERGUSON: Oh, we talk to them an awful lot.

MS. PRESTON: Maybe Mr. Lehman can put some power behind it.

MR. LEHMAN: Well, let me say, you know, the Department of Commerce has historically, even in previous administrations, been a very strong proponent to reduce export controls, and we are also in this administration also. And we're fighting that battle. Unfortunately, the permanent National Security establishment in the United States seems to think they know what's best for all of us.

MR. FERGUSON: We got the Cantwell Amendment to the Export Administration Act through the subcommittee, okay, only to have it go to the House Intelligence Committee where the House Intelligence Committee stripped it off after they had a closed-door hearing with the National Security Agency, only to have the people who attended the House Intelligence Committee come back to us and say that, "We were told that you guys in industry were lying." Okay?

MR. LEHMAN: Well, we don't -- this is an issue, it's interesting. I think the twist here in this hearing is that it even has a relationship to intellectual property. So we certainly can take -- I think we can all follow up on that and see what we can't do to look at it in this context. It's just another element. Do you have something you wanted to say?

MS. PRESTON: No, nothing further.

MR. LEHMAN: Ms. Dyson.

MS. DYSON: Yeah, I just want to follow up on this one bit more, although it's probably not our major focus, which is those of you who are developing encryption technologies, are you actually starting up operations overseas in order to do the development there and will you then license it back to the U.S.? Bill, you mentioned that, sort of, in National Semi and so forth.

MR. SWEET: At this stage of the game, all of our development is domestic. And frankly, we're not -- we don't know how, having once invented it here, we can legally export the technology. It's not only prohibited to export the product, but you can't export the technology either.

MS. DYSON: But couldn't you start new development overseas?

MR. SWEET: Certainly, we could, although there is a presumption of -- I'm not sure what the right word is, but I'm told that if we develop -- let's say we had a subsidiary in Scotland or some other place. If they were to develop the technology --

MS. DYSON: Too similar.

MR. SWEET: -- that were controlled and were similar, there's a presumption of leakage, which means that we're not too motivated to do that because we may end up right back in the same problem we're in now.

MS. DYSON: So is this like Russia where somebody would not be allowed to emigrate because he might be carrying not state secrets but munitions secrets?

MR. SWEET: Well, it's worse than that in one sense, and that is that there are no prohibitions to importing this stuff. There are only prohibitions on exporting it. And only if it works.

MR. FERGUSON: And you never know until you have undertaken the effort and you have made the investment because until it's there for them to take act on, okay, their list isn't complete enough with Customs and Immigration to know that Bill Ferguson is leaving the country and he may be leaving with secrets. Once they start to see development going on over there, they will say, "Oh, Bill Ferguson is developing secrets. Let's go get Bill Ferguson and throw him in prison and fine him so that he can't develop secrets anymore." Okay? So it's post facto, no pre facto that the implications come down on you.

MR. LEHMAN: If I could just define how that issue relates to this. I think what we're saying is that the marketplace -- we're hearing testimony that the marketplace is likely to produce a situation in which encryption devices now presently prohibited from export under export control regulation will be increasingly demanded by content providers in this country, and that to the extent that those export controls remain, that, one, either content providers will not have the encryption that they need to fully maximize the use of the information superhighway, or two, they will contract to foreign providers for that technology. Is that a fair characterization?

MR. FERGUSON: That's correct. The other thing that we're doing, Bruce, is we're developing the technology that can recognize what the receiver has for capability, and we will then take and bring it down to the lowest common denominator and allow that to happen so that we aren't violating export laws and he can have something that he acquired in a foreign location. And therefore, we haven't broken the laws in either country, okay, but we've given him access to the technology that's available in each of those countries. We have to do that in order to simply survive in our business.

MR. SWEET: Bruce, I'd like to add a comment, and that is the encryption technology that we're building, RSA and DES, aren't exactly secret. They're published, they're in textbooks, they're known around the world. So we're not -- as far as I can see, we're not really protecting anything by these export laws.

MR. RAST: Yeah, I just think you have to expand that a little bit and also add that to the extent that the failure to be able to export the technology inhibits intellectual property providers from making that property available because of inadequate security in other countries, that encourages piracy because they then want to attack the system you have in the U.S. And it makes the security not last as long, and so it actually comes back around and hurts.

MR. FERGUSON: What you're finding is some of the major computer and communication companies sourcing the technology outside of the United States right now and integrating it into their products because they can invent and use it over there and invent and use it over here and it's the same technology. And they don't have to worry about it crossing borders, hence no export issue.

MR. LEHMAN: Did you have something?

MR. McCONNELL: I'd like to get some discussion going on the point Mr. Rast made about how that published, open security systems lower security because one of the problems, obviously, that's arisen with respect to the algorithms used by the government proposed security is that those are secret algorithms. So there's no way for anyone to validate other than some mathematicians who looked at it but then couldn't tell you anything about what they saw, how solid the security was.

So how do you reconcile this ability of -- if you have secret or proprietary security mechanisms, how do you convince the customer that it's strong security? And, Mr. Rast, if you have other comments, I'd be interested in hearing them.

MR. RAST: Sure. First, I just would comment that it's one of a number of factors and you have to weigh all the factors when you make your decision. So it certainly may be appropriate in some cases that one make it open, but that weakens it by doing it.

Now, the issue of how you convince your customers relates somewhat to your reputation and your ability to demonstrate the security. But the question is, do you hand the blueprints to people when you invite them to attack your system? And our answer is you don't hand the blueprints to people because you just made your situation more difficult.

MR. McCONNELL: Do you take liability responsibility for the security that you develop so that people are protected in that way? Do you give them more confidence in doing that?

MR. RAST: Well, that's one of the big issues, and clearly we do take liability in the case of the satellite industry. We took the liability of replacing all the hardware.

You know, you can get into the issue of what is the liability for the lost revenue on the property, on the content, and I don't know that that's ever been resolved.

But the whole issue of who should be liable, you know, if the government sets their standard, what is government's liability then for breakage of that standard? We think that's an issue that ought to be addressed. You know, certainly we have to address the issue with our customers.

MR. SWEET: I'd like to comment on that issue, too. There is currently a raging debate within the industry on the question of published security algorithms versus secret ones, and I would characterize the schism as the cable folks like the unpublished algorithms and the computer folks like standardized algorithms.

So I would disagree with Mr. Rast on that. I can understand that it may be more secure from the point of view of the guy who invented it to not let anybody know how it works, but if we're going to have an information superhighway and electronic commerce as a way of life for millions of people, it seems to me there's going to have to be a standard. And if there's a standard, it's going to have to be a standard that thousands of companies understand and use. And I don't know how you can do that and have it be a secret at the same time.

So I think the computer industry is going to push for standard published algorithm, and I can't speak for the cable industry, but I understand where they're coming from.

MR. FERGUSON: Let me give you, if I could -- Bill Ferguson again -- let me give you a sense of proportion.

When they invented the data encryption standard, that which is now accepted by bank and financial institutions around the world, what their computations showed them was that if you could do a million calculations a second, that you could break a DES key in 222 years. Okay?

Now, there have been developed numbers of ways to attack it since that time, but there has been no repeatable mathematical formulation that will always give you -- so now with super computers and multiple processors and things like that, they can break them pretty fast, three, three and a half weeks. So the quality of your -- or the information that you're trying to keep private is pretty important.

And if you take and extend the key length -- we're limited, that's with a 56-bit key. If you extend the key length, you can take and you can exponentially increase the length of time that it would take to break that key.

Now, the skipjack algorithm that was supposedly 16 million times stronger than DES, that was only the difference between a 56-bit key and an 80-bit key. So all this issue by the government saying, "Hey, we just invented something that's 16 million times stronger than DES," is just that much BS, because when DES was originally created it had a double-length key, or 112 key. But the government, the National Security Agency only allow it to build products using a 56-bit key.

And DES is published -- I mean, I'll give you an example. We build products that use standard off-the-shelf DES chips from VLSI. We have just built our own that's five times faster than that chip, okay? So the technology is there and it's ready to use.

There is software published on the Internet from all over the world that is available and you can put into products and ship it if you can get approved. But one of our business partners went to the National Security Agency with one that they had pulled down off the Internet that was from Russia, and the National Security Agency refused to let them take that version of DES done in software and implement it in a hardware product because of the methodology it used to do the DES processing.

So, I mean, you've got these widely diverging points of view in the government intervening, okay, on the same technology, and it seems to be without a lot of discipline.

MR. LEHMAN: I'd like to ask a question directly going to intellectual property and its interface with encryption technology. And that is that we've heard the discussion about what I would call electronic enveloping, that is, encrypting the work so that it can only be opened with the kind of key that we heard Mr. Sweet describe.

We've heard discussions of what I would call metering of the uses of works. But one of the big concerns to intellectual property rights owners is the concern that really is reflected in the digital audiotape legislation. And that is that there is sometimes a need -- and it was also reflected to some degree in Ms. Preston's discussion. That is, once an authorized copy of a work has been delivered to a given user, and let's say that they have one of Mr. Sweet's keys and they have opened the envelope and then they continue to use it.

What is the capacity or is there any technological capacity at that point to then somehow or another limit the right of that person to get right back on the Internet with that work and then distribute it to their 2,000 closest friends? Or at the moment that the key is used, does then the work become available to anybody? Is it possible to monitor its use? Are you completely in the public domain area at that point?

MR. SWEET: Well, I think we have a partial solution. We can't prevent people from republishing -- I'm not sure what the right word is, but --

MR. LEHMAN: That's a good enough word.

MR. SWEET: Okay. In order for them to consume it, they're going to have to have it in a form that's usable. So we can't -- I don't know how we're going to be able to keep them from republishing it.

But remember, digital files all have headers. And in that header information there's a lot of data about this file that comes right behind the header, including whose it is. And there have been a number of folks who have suggested that we can put fingerprints in the headers such that maybe at best we'll get an audit trail, so that if it gets republished, unless the republisher is technically very swift and knows how to strip all of that out, if it's a casual republisher, Mr. Average Consumer, we ought to be able to have an audit trail to find out where that thing started out.

And if we build the metering software schemes properly, we could add -- at each step of the transaction, we could add the identity of each of the members of the distribution chain. In other words, the wholesaler, the retailer, et cetera. But that infrastructure has yet to be built. It is technically possible to build it, however.

MR. FERGUSON: We do something called authentication, and it's possible in the proprietary part of the authentication message gram, whether it could be retransmitted or not. And then to have the technology that's interpreting it to flow back on the network to see that this is not retransmittable and hence drop it on the floor and not let them push it out the door. That is very possible to do.

MR. KREPICK: Bruce, I think the point is, though, on that, I think it does require what's probably called a bilateral technical solution where the hardware itself has to meet a certain standard and so, you know, there is some sort of check and balance between the hardware and software.

And I think that's -- that's the problem that's always been wrestled with, at least in our narrow portion of the business on video cassettes, that, you know, the hardware manufacturers in the video industry have never, at least up until now, been willing to cooperate to that extent.

We have a very interesting position in the industry because, you know, our customers are the intellectual property providers, but our technology has to work with the hardware. And in many cases in the past, it's benefited by certain design standards that the hardware people have implemented.

But what we're seeing is that there is at least now a growing recognition on the part of the hardware manufacturers that they have to play this game. And I mean, this is where the government, I think, as much as many of us may have reservations about what the government can accomplish, that if there are standards that are set for the hardware to accommodate some of these software designs, I think that then there may be a solution. But I don't think you can do it just with software alone. I think you're going to have to have those standards implemented in the hardware side.

MR. LEHMAN: We have a couple of people in the audience who would like to ask questions, and maybe it would be a good to take a little break and ask them to come forward at this point. Not a break in the proceedings, but why don't you come forward. (Asides.)

MR. LEHMAN: Oh, I think we have two people that have -- and we're going to have to -- what I'd like to do is to conclude the hearing about 12:15 because I know at least two other people besides myself have to get to the airport. I'll risk missing the plane, but I can't ask my colleagues to do that.

I guess the two people don't have questions, or they do?

MS. CAPELL: I'm Joyce Capell, and I'm a network security engineer for Lockheed Missiles & Space Company here in Sunnyvale. And we're users of the NII. Not only that, but we're looking at high-speed networking and the kinds of applications that we, as a provider, are going to be using.

I am the project leader of an ATM trial under the CALRAN project through Pac Bell. We're going to be showing applications at ATM networks.

We're very concerned about protection of data as it traverses these high-speed networks. Part of the CALRAN project is dealing with imaging for medical, and everybody knows that that's an area in aerospace but it's also an area -- we're doing distributed interactive simulation over an ATM network.

We're actually going to be testing two prototype encryptors as part of that. And one is proprietary data and the other one is an MSA prototype for ATM encryption.

Encryption is really a concern of ours, but we look at the proprietary areas as being the big question mark because of the issues raised today. And we want to know if there's going to be some standards that industry can follow. We want to know if the type of encryption technology that we'll be encrypting high-speed networks is going to be something that we can count on in the future.

Should we produce it? If we produce it, what kind of standards can we adhere to? This seems to be a whole area of questions. And we also want to know how this kind of technology will be integrated into firewalls. Currently, we protect our networks with firewalls. We don't see any integration of encryption technology, intrusion detection and other systems being incorporated into something that gives a unified approach to network security.

MR. LEHMAN: Do some of the panelists -- that's quite a heavy-duty list of questions.

MR. FERGUSON: We certainly are empathetic to your need and your testing an ATM. What capacity ATM lines are you planning to use?

(Speaker away from microphone.)

MR. FERGUSON: I'm sorry? 155 megabyte. Yeah, one of the problems you have is that encryption technology right now has a difficulty running that fast, and except for our main competitor, the National Security Agency, okay, having product available, and we certainly compliment them on their inventiveness. Companies like --

(Speaker away from microphone.)

MR. FERGUSON: Yeah, we've noticed that, okay. But one of the issues we run into is this capacity issue.

And some of the other points that you've made is, yes, the vendors are working very diligently in the communications equipment business. We have all heard all of those messages. Our development cycles are about 18 months long and we've got problems beyond the standardization on encryption technology.

We've got problems with standardizing on the electronics which allows us to interconnect to those devices because most of that stuff is individual right now. Company A's products are only used by a very small group, but Company B's by another small group.

And somehow we've got to have standard chip sets available for interconnecting this stuff. Otherwise, what we do could be limited to only being used with this test thing and then when it gets out into the marketplace, we'd have to go back and reengineer it.

So, that is kind of a problem we're facing right now. And with the bandwidths going up as rapidly as they're going up, we've got a lot of work in the silicon area that will get devices that will work that fast, because we have to have a lot of intelligence in our devices so that means we need very fast processors available in addition to just being able to process the encryption very quickly.

MS. CAPELL: Yeah, but there's an additional problem, and that is that if you're talking about encryption over traditional networks, you know, in a packet switch environment, that's one thing. When you go to switch virtual circuits on ATM networks and you want to have key agile devices that can actually take, you know, a switch virtual circuit and encrypt it at a different level, you know, I mean, these are some of the issues.

So I think that --

MR. FERGUSON: What you should do is give me your card, okay, and we'll be happy to talk to you about how we're approaching those kind of subjects, because our customers and our partners are some of the biggest carriers in the world and they have all asked us to address those issues.

And it's going to be a serial process of getting there on these high-speed networks, but we are starting to address them on low-speed networks.

MR. LEHMAN: Perhaps we can take the next question now because we're losing more than one person on our panel. But this is a sort of forum where we can exchange our business cards and we can communicate and Internet addresses, if necessary.

MR. TUCKER: My name's Rich Tucker, and I have concerns sort of the opposite. If there's a great focus on being able to track everything, is there also a recognition there's lots of stuff which we should not be capable of tracking?

To me, that's critical because if someone publishes, say, an article or posts an article that's, say, critical of the Gulf War, can I go back and track everyone who searches or reads that and put them on a public enemy list, or potential public enemy, and go back and find out how many articles that person or that group of people have been checking out so that if we have another problem like the Vietnam War, that I can have the government go through and guarantee that we can track down every one of these individuals.

I mean, an aspect of why the anti-war process in the Vietnam War was successful is that many people in that didn't even have driver's licenses and the government did not know who they were. And this technology will put a complete end to that.

MR. LEHMAN: The issue is the relationship of privacy to this technology, but I'd just try to characterize this as an intellectual property connection as well because presumably at the outset, when a person has -- the author of any work has the -- you know, whether it's an article that you wrote or anything else, starts out writing it themselves, presumably in their own handwriting or on their own PC or what have you, then they would presumably be able to select the electronic pathway that it would take, which could be a pathway that would permit tracking or not.

That would be my impression as to what is going on here, and perhaps the panelists can answer that. One pathway might be a fiber pathway; another pathway might be a different kind of a pathway.

MR. SWEET: I don't think there's anything in the technology that will compel people to identify themselves. And there ought to always be, in any of these mechanisms, an anonymous, to-whom-it-may-concern addressing capability. It seems to me this is more of a political problem than a technical one because in order to force people to identify themselves, we're now out of technical and into something else.

MR. TUCKER: The point I'd like to make is that if there is a focus and a concentration on the needs of people to have complete tracking, they don't realize that the law of unintended consequences says that, for all intents and purposes, you have destroyed right of private personal association and innumerable things like that.

MR. FERGUSON: Well, free speech, I mean, it's a First Amendment issue, clearly.

MS. DYSON: I just want to comment. On the full council, we're looking at this very carefully and we're well-aware of this unintended -- or intended consequence. And I'd be happy to talk to you later.

MR. LEHMAN: Since we -- are there any other questions that we have? I really want to thank the panel. This is a really good panel. I think that we've got some experts we can come back to and discuss things as we move along, and I really appreciate it.

I want to again thank the City of Sunnyvale for providing us with this facility. And I think the excellence of this panel shows how much brain power we have right here in this Silicon Valley to deal with these important issues that we're struggling with. Thanks a lot.

(Whereupon, the public hearing was concluded at 12:15 o'clock p.m.)

Last Modified: February 1995