March 22, 2006: Features
Who’s afraid of Alex Halderman ’03?
By Merrell Noden ’78
(Photographs: Creatas Images, Beverly Schaefer; Photo illustration by Steven Veach)
With his wire-rimmed glasses, slender build, and soft voice, Alex Halderman ’03 does not look like the sort of young man who would strike fear in the hearts of corporate boardrooms. Yet for the past few years, Halderman has been doing just that. He has been a pit bull among computer security watchdogs, giving huge companies fits by uncovering serious flaws in the copy-protection technologies used on millions of CDs. In January, as a direct result of research done by Halderman, Princeton computer science professor Edward Felten, and others, Sony BMG agreed to settle a class-action lawsuit by giving those who had purchased its copy-protected CDs cash refunds, free downloads, or both.
“I’ve always been interested in the practical side of computers, how they interact with the real world,” says Halderman, who is now a Ph.D. candidate in the University’s computer science department. “And security is one area of computer science where the problems we’re trying to solve impact the real world in a myriad of different places far away from where we started. If there’s a vulnerability in a particular piece of software that’s widely used, that may affect many millions of people instantly and directly.”
Halderman, who came to Princeton from tiny Rushland, Pa., where his father is a corporate lawyer and his mother an amateur naturalist, does not think of himself as a fiery crusader. His own hobby is a quiet one, photography, and he was one of the organizers of Princeton’s Art of Science competition, which collected photographs taken by scientists in the course of their work. When he finishes his dissertation, he hopes to find a position that allows him to “look at technical questions and public policy,” he says. “I think I can do the most in that area, from within academia.”
His interest in copy-protection technology began with a junior paper he wrote on the first generation of such technology, which used what is now known as “passive” protection: By changing the way data were laid out on a disc, the technology aimed to confuse the computer used to make copies, but not a conventional CD player. Felten, the director of a new Princeton research center on information-technology policy, believes that Halderman was the first person to study this technology, and he did so quite brilliantly. Halderman’s paper “was really first-rate, publishable,” says Felten, who not only advises Halderman but also provides him a soapbox in the form of Freedom to Tinker, the blog Felten maintains.
Just months after Halderman graduated — summa cum laude and Phi Beta Kappa — the next generation of copy-protection technology appeared. Developed by SunnComm and called MediaMax, it was released with much fanfare. “Light-years beyond encryption,” claimed SunnComm in a boast that could not help but get Halderman’s attention. Testing that claim meant performing highly technical analysis plus doing some basic detective work — such as running around campus to play the CD on as many different computers as possible, looking for patterns in how each computer responded, and then extrapolating how MediaMax worked. Halderman, whose own musical tastes run to opera, bought a copy of Comin’ From Where I’m From by soul artist Anthony Hamilton and began playing it wherever he could find an empty hard drive.
Halderman’s eureka moment came on the second floor of Quadrangle Club, where he discovered two computers that appeared to be identical in every way but one: When he put the CD into one computer, the software on the CD automatically popped up a licensing-agreement screen; when he put it in the other, the software didn’t run because the computer had the autorun feature disabled. “I found I could copy the CD on the computer with autorun disabled,” he says, “but not on the one where it ran.” From that, he deduced that MediaMax was using a new “active” protection technology in which software on the CD interfered with “ripping” a copy — converting an audio CD to a compressed format so that it can be shared on a peer-to-peer network or transferred to a portable music player. But he also found a huge loophole: A user could circumvent the copy-protection system simply by holding down the “shift” key while inserting the disc.
“They had really been hyping this product, and even if they were telling the record companies [about the loophole], they were not coming clean with the public,” says Halderman. “It was especially harmful to investors in SunnComm and to policy-makers who had to decide how copyright law should be shaped. They might think: ‘If we have technology that’s so effective, maybe we don’t have to do as much on the legal front, or maybe we should make this technology mandatory.’”
Talk about real-world consequences: The day after Halderman posted his findings on the Internet, SunnComm’s stock price dropped by 25 percent. The company issued a press release calling him nasty names and threatening a $10 million lawsuit. To Halderman’s surprise, the dispute drew national coverage, landing him on the front page of USA Today.
SunnComm’s action raised fascinating First Amendment questions: How was Halderman’s discovery different from the restaurant critic who writes that the soup is too salty? What complicated Halderman’s position was that in 1998 Congress had passed the Digital Millennium Copyright Act, which created a whole new class of liabilities for the Digital Age, among them making it actionable either to distribute a technology designed to circumvent a copy-protection measure or to actually circumvent one yourself. More interesting questions: When Halderman hit the “shift” button at Quad Club, did he violate the latter? Could his paper itself be considered a circumvention device? Halderman thought not, reassuring himself with the knowledge that academic papers are accorded particularly strong First Amendment protection. Of course, there’s nothing like the words “$10 million lawsuit” to give one second thoughts, especially if one happens to be a grad student on a grant.
It did not take SunnComm long to back off from its threats. But the company did not stop pursuing a technological fix. In the meantime, Sony had begun using a second copy-protection technology. This one was called XCP, and was developed by an English company, First4Internet. Last fall security expert Mark Russinovich discovered that XCP was employing a particularly devious species of software called a “rootkit.” A rootkit burrows deeply into your computer and hides itself there, then conceals an attacker’s activity. The problem, as Halderman and others pointed out, was that, quite apart from the dubious ethics of clandestinely installing software on a user’s computer, the XCP rootkit opened a door for hackers or virus writers to enter.
A few weeks later, SunnComm was back in the news with its own revamped copy-protection system. It was not a rootkit but a technology that could be similarly hijacked. Alerted to this new vulnerability, SunnComm issued an “uninstaller” to remove the software from computers. It took Halderman and Felten one day to prove that the cure was far worse than the disease: The uninstaller exposed a user’s computer to what is called a “remote code-execution attack,” in which cyber-trespassers operate inside a user’s computer. “It’s possible for someone to run whatever instructions he likes on your computer — say, to search for credit card numbers and to send them to someone in Thailand,” Halderman says.
Halderman and Felten felt giddy delight when they made this discovery. There were howls of indignation when they announced it: “If these criminals [i.e., Sony and SunnComm execs] are not sent to jail, we need to go after them with pitchforks and shotguns,” someone calling himself Torpid posted last November. “How much do you think Sony BMG dislikes Alex Halderman?” began a piece in Techdirt, the online technology newsletter.
Part of the problem, of course, is that this really is a brave new world. It’s hard for the law to keep up with digital-copying technology — not that that’s anything new. “It’s often been the case that it takes a while to figure out how a technology will be used,” says Felten, citing the telephone as his favorite example of this lag. “Early on, people thought that you’d certainly never use [a telephone] for something as frivolous as chatting to your friends and family. They thought the telephone would be a point-to-point line between, say, the Hoboken and Manhattan branches of a particular company. It took a long time to figure out how the telephone was going to be used. Once that happened, the whole architecture of the economy reorganized itself.”
We are in such a period of reorganization today, Felten says. The record companies are trying to figure out how to deal with this rapidly evolving technology and its threat to their old way of doing business. The company that develops a successful copy-protection technology stands to make a bundle of money.
But Halderman and Felten both question that whole approach. To begin with, they can’t imagine a purely technological fix succeeding. Once a film or a piece of music has leaked out onto the digital black market — what some call the “Dark Net” — it’s gone, available for download all over the world. And trying to plug every hole that could lead to a leak strangles the spirit of innovation that makes digital technology so exciting, they say.
Second, even if the technology were to work — indeed, especially if it were to work — it would shut down many legitimate uses. “The thing about these CDs is that they don’t just prevent you from doing what you’re not supposed to do,” says Halderman. “They also prevent you from doing a lot more: You aren’t able to copy the music to your own iPod. You’re not able to make a perfect backup of the CD you could use if the original disc is stolen.”
Halderman and Felten both urge record companies to use carrots to woo music fans, not threaten them with sticks, and some artists are getting their message. The rock band Bon Jovi, for instance, issued CDs imprinted with a randomly generated 13-digit number, which could be used on the band’s Web site to get first crack at concert tickets and other premiums.
Indeed, says Felten, the irony of copy-protection technology is that the people who are inconvenienced are those who have decided to honor the system by paying for the content. “The fear is that there could be a kind of meltdown in the copyright world where people increasingly decide that only saps pay for this stuff, and it becomes more and more respectable to abandon the system,” he says. “The goal is finding a way to make being the paying customer cool again.”
Merrell Noden ’78, a freelance writer, is a frequent PAW contributor.