Humane hacker

Felton cracks Internet security cases, driven by a broader concern for the social and moral dimensions of technology

Steven Schultz


Edward Felten is participating in an interdisciplinary research project on the preferences and perceptions of computer users. He and two colleagues are designing a model system that takes into account human values.


Some people know Princeton computer scientist Edward Felten for his pivotal testimony in the Microsoft antitrust trial.

Others know him for his role in discovering many of the early flaws in Internet security.

And recently, he's received attention for defeating the security technology that the music industry developed for protecting digital recordings.

But long-time friend Avi Rubin prefers to tell about the time Felten was a sore loser. The two had a long-standing rivalry over their favorite college football teams, Rubin for Michigan, Felten for Wisconsin. One year, they made a bet that the loser would have to write a poem praising the opponent's team and denigrating his own.

When Felten lost, he did not write the poem. Instead, he programmed grammar-generating software to craft Michigan-lauding poems for him, and posted the program to a Web site for Rubin to access.

"It generated the poem -- a different one every time -- and then played the Michigan fight song. And after that, it crashed my computer," said Rubin, a principal research scientist at AT&T. "It's something no one else could do."

Felten's prank, said Rubin, exemplifies his approach to computer science: creative, cunning, but always benevolent. As co-director, with Andrew Appel, of Princeton's Secure Internet Programming Laboratory, Felten is something of a professional hacker. Since 1995, Felten and colleagues have discovered a continuing stream of security flaws in Internet software, particularly the language called Java, which allows Web browsers to run small programs at the behest of sites that are being visited.

The researchers' announcements of these discoveries often generated considerable attention, especially in the early years when Felten credits the group's work with raising the public's consciousness of security issues on the Web.

"There was a period of what you might call 'irrational exuberance' about the security of Web software," said Felten. "I think people now have a more realistic view."

Privacy attacks

Felten received his first computer training at Cal Tech, where he majored in physics as an under-graduate, then worked for four years as a senior computing analyst. He went on to the University of Washington, where he received a 1993 Ph.D. in computer science and engineering. He came to Princeton as an assistant professor that same year and was promoted to associate professor in 1999.

Recently, Felten has focused on the aspect of computer security having to do with privacy issues -- looking for methods that would allow individual or corporate hackers to gather private data from Web users without permission. In his latest discovery, Felten and a graduate student found a way in which a snooping Web site designer could probe the computers of visitors and keep track of other sites they have visited (see accompanying story). This privacy invasion could happen without leaving a trace and could circumvent nearly every countermeasure.

In fact, Felten showed that this sort of attack outsmarts a privacy tool developed by Rubin. "He did it in a nice way," said Rubin. "He came to me and asked if I thought it was a successful defeat of my idea, and I had to say, 'Yes.' A lot of guys would have just published it."

The way in which he publishes his findings has always been important to Felten. With so much attention being paid to anything related to the Internet, he works to avoid being inflammatory or confrontational in announcing the discovery of a problem.

"We need to think carefully about what kind of public discussion ought to happen," said Felten. "We want to make sure we behave in a way that will lead to a substantive public debate."

Social and moral dimensions

Indeed, thinking about public perceptions of Internet issues has become the focus of an interdisciplinary research collaboration between Felten, Helen Nissenbaum, an ethicist at the Center for Human Values, and Batya Friedman, an authority on human-computer interactions at the University of Washington. With a three-year grant from the National Science Foundation, the three are investigating the preferences and perceptions of computer users and designing a model system that takes such human values into account.

"You'd like the tech-nology to be designed so that the users get an accurate idea of what's happening and that the available options make sense to them," said Felten. There is an inevitable tension, he said, between a highly paternalistic system that protects the user from all possible risks and one that imposes no restraints unless the user requests them.

Very preliminary results from scores of in-depth interviews indicate that people think their computers are providing them more security than is the case, said Felten. While Nissenbaum and Friedman continue their analysis of those interviews, Felten is developing a browser that incorporates a combination of new security technologies and better explanations about security. He expects to release a prototype in the spring.

"Ed is deeply interested in the social and moral dimensions of the technical work he does," said Nissenbaum, who is spending this year at the Institute for Advanced Study. "That is a really special combination of interests and is something that is not so common, even though our society is so affected by these issues."

From Microsoft to gadgets

Over the past couple years, Felten also gained insights into the computer industry from a very different perspective. As a key witness for the U.S. Department of Justice in its antitrust suit against the Microsoft Corp., Felten said he learned a lot about the economics of the software industry and was surprised about the extent to which business and economic incentives outweigh technical considerations when developing software. Felten's testimony focused on software he wrote to remove Microsoft's Web browser from its operating system.

With the significant time demands of the trial over, Felten is starting a new research project to improve the security and privacy of hand-held devices and other computerized gadgets. These devices pose a new range of problems that are both technically interesting and socially important, he said.

On the ceiling of Felten's office, for example, a small white sensor, slightly bigger than a smoke detector, tracks the location of a specially encoded card that can be attached to a piece of equipment or placed in a person's pocket. The device, created by a company founded by 1969 Princeton alumnus Tom Pirelli, is installed throughout the Computer Science Building and could be useful for keeping track of people or things.

It also raises thorny questions. How, asks Felten, could the system be programmed so that only the person carrying the card controls who has access to the tracking information?

Like a Houdini of electronics, Felten finds such conundrums hard to pass up. In recent months he and colleagues took up a challenge posed by the music recording industry to try to defeat several proposed electronic tricks for protecting the copyrights of digital recordings. The industry proposed several types of "watermarks" -- soundless signals embedded in the recording that prevent it from being copied. Felten's group successfully removed all the watermarks without significantly harming the music quality.

"There is always the problem of the moment," Felten said. It is not surprising that he has been thinking lately about elections and whether an electronic system could avoid problems such as those experienced in the presidential race in Florida, but maintain strict secrecy and security. How would people try to foil the system?

"I can't stop myself from thinking about this stuff," said Felten. "If it still seems interesting in a few weeks, maybe I'll make a research project out of it."

See related story

December 11, 2000
Vol. 90, No. 12
previous   archives   next


Page 1
Humane hacker
Researchers find Internet glitch that puts privacy at serious risk
Class project brings community history to life

Page 2
Bowen honored for groundbreaking book
United Way campaign update
Spotlight / Obituary

Page 3
Joint studio with Asian universities inspires students

Page 4-5
Calendar of events

Page 7
University lends support to new public library
Discussions under way with Oxford

Page 8
Nassau notes
Health plans cover breast reconstruction
ERISA information provided

The Bulletin is published weekly during the academic year, except during University breaks and exam weeks, by the Office of Communications, Princeton University, Princeton, NJ 08544. Permission is given to adapt, reprint or excerpt material from the Bulletin for use in other media.

Deadline. In general, the copy deadline for each issue is the Friday 10 days in advance of the Monday cover date. The deadline for the Bulletin that covers Jan. 8-28 is Friday, Dec. 29. A complete publication schedule is available at deadlines or by calling (609) 258-3601.

Subscriptions. The Bulletin is distributed free to faculty, staff and students. Others may subscribe to the Bulletin for $24 for the academic year (half price for current Princeton parents and people over 65). Send a check to Office of Communications, Stanhope Hall, Princeton University, Princeton, NJ 08544.

Editor: Ruth Stevens
Staff writer: Yvonne Chiu Hays
Calendar editor: Carolyn Geller
Contributing writers: Karin Dienst, Marilyn Marks, Steven Schultz
Photographer: Denise Applewhite
Design: Mahlon Lovett,
Laurel Masten Cantor
Web edition: Mahlon Lovett