Andrew Conway's and Peter Eckersley's Viewpoint "When Does Law Enforcement's Demand to Read Your Data Become a Demand to Read Your Mind?" (Sept. 2017) was an important contribution to the ongoing debate over electronic backdoors, whereby a backdoor is a means for accessing and exfiltrating user information not specifically authorized in advance by users. Here, I would like to outline several key aspects of that debate that also need to be addressed.
Although Conway and Eckersley did discuss the possibility that law enforcement could gain access to our most private thoughts, they did not mention a crucial near-term technology through which this exfiltration could happen. Within the next 10 years, "hologlasses," or holographic glasses, are projected by Apple, Facebook, Google, Microsoft, and Samsung, along with numerous startups, to become almost as common as cellphones are today, as reflected in the scale of their investment in its development. A backdoor in hologlasses could enable a "we see and hear what you see and hear" capability that would provide extraordinary insight into what users are thinking, as well as how they are behaving online and even in the physical world.
Also not mentioned was a legislative proposal that could facilitate mandatory backdoors for Internet of Things devices. In 2016, Senators Richard Burr (R., North Carolina) and Dianne Feinstein (D., California) introduced legislationThe Compliance with Court Orders Actin the U.S. Senate to mandate providers of information products and services also provide unencrypted information on IoT devices to the government pursuant to court order. The result could be "Nothing is Beyond Our Reach," or no information is beyond the reach of law enforcement, likewise pursuant to court order. Similar legislation has been adopted in Australia, France, Germany, the U.K., and other countries but so far has had only limited effect because these countries are not sufficiently powerful individually to enforce sanctions against large multinational foreign-domiciled IT providers. However, if Burr-Feinstein does indeed become law, then these countries might be more able to pursue mass surveillance domestically, as IT companies could lose much of the legal grounds they would need to resist.
Conway and Eckersley also did not mention a near-term technology that might be used to implement highly secure backdoors in IoT devices by requiring that each device have a different public key that could enable government security services to take over the device.1 Even if hackers penetrated the security of a government-installed virtual machine for a device, they would gain no lasting advantage hacking additional devices.
Finally and most important, no mention was made of a technology proposal1 that could ameliorate some of the negative effects of mass surveillance, whereby citizens' most sensitive information is stored on their own devices, provided personal IoT devices include protection against self-incrimination. By storing sensitive information on these devices, that information could be protected from the kind of efforts Conway and Eckersley identified.
Carl Hewitt, Palo Alto, CA
We generally agree with Hewitt who offers definite specific instances of the general issues we covered. Virtual reality, in particular, is, as he implies, a valuable window into the mind that also involves important technical and legislative dynamics. What to do about it is a complex question we did not attempt to answer in our Viewpoint beyond framing its context for a wider societal discussion we consider essential.
Andrew Conway, Melbourne, Australia, and Peter Eckersley, San Francisco, CA
We agree with Vinton G. Cerf's advice in his Cerf's Up column "Take Two Aspirin and Call Me in the Morning" (Sept. 2017) that we all practice better "cyber-hygiene" but must quarrel with the continued use of public health as a metaphor for cyber security. If we as computing professionals intend to improve the cybersecurity of our critical infrastructures, rather than merely tolerate their current "diseased" state, we must think differently. We thus propose a return to an older metaphor for software, likening its structures to physical structures and its architecture to the architecture of physical buildings. Such thinking suggests we consider how to build software that will not fall over when attacked or build it from weak materials unable to bear expected stress.
Software we rely on for critical functions (such as controlling medical devices, delivering electrical power to households, and guiding automobiles) must conform to an appropriate set of constraints, just as physical structures conform to building codes before they can be occupied. A third party must be able to certify conformance to these constraints, just as building inspectors certify buildings.
These codes are best developed by those who build the systems, not by government, though governments might use them once they are in place. An industry-consensus building code, with third-party assessment of conformance, can help the marketplace reward those who build systems with fewer vulnerabilities.
Over the past few years, with support from the IEEE's Cybersecurity Initiative and the National Science Foundation, workshops have been held to begin to develop such building codes for medical-device software and for power-system software.2,3 In addition to these draft codes, related promising developments include Consumers Reports' collaboration with the Cyber Independent Testing Laboratory (http://cyber-itl.org/) to develop methods for publicly rating software products, and UL's (http://www.ul.com) development and use of a standard for certifying cybersecurity assurance of products.
Treating software security as a public health problem is not likely to lead past the decades-old ideas of aftermarket vaccines, antivirus, and quarantine. Providing evidence that software is at least free of specified classes of vulnerabilities covered by an appropriate building code can yield a more effective market incentive for companies to produce the cyberinfrastructures we all needand that are up to code.
Robert K. Cunningham, Lexington, MA, Tom Haigh, Minneapolis, MN, Carl Landwehr, New Buffalo, MI, and Alfonso Valdes, Urbana, IL
It is always a pleasure to hear from Carl Landwehr with whom I have had a long acquaintance and for whom I have great respect. An interesting challenge with his building/architecture metaphor relates to the way software is often constructed these days by incorporating (vast) libraries of code reflecting, perhaps, uncertain provenance. There is also the uncertainty of software interactions across the network that may never have been tested until a chance encounter leads to a breach. None of this invalidates the building-code metaphor but might make it more difficult to establish that the ensemble meets the desired code standards and properties. I am, in fact, very interested in the development of programming aids that will do a much better job of assessing source code against desirable properties of attack resistance and identifying potential sources of weakness. Until we have reliable ways of producing the kind of code Landwehr et al. and I likely agree we need and want, we may also want to argue that infected or vulnerable devices ought not to be naively tolerated and that owners (and suppliers) bear at least some responsibility for observing diligent software hygiene.
Vinton G. Cerf, Mountain View, CA
Leo Corry's article "Turing's Pre-War Analog Computers: The Fatherhood of the Modern Computer Revisited" (Aug. 2017) described the Turing machine as a purely mathematical notion. While Corry's argument was persuasive, there is indeed a direct connection from Turing's construction of the Turing machine to the Electronic Discrete Variable Automatic Computer (EDVAC) in the 1940s via the McCulloch-Pitts model of the brain. For example, during the discussion portion of a 1951 talk by John von Neumann, neuroscientist Warren S. McCulloch described the influence of Turing's original 1936 paper, saying:
"... I came, from a major interest in philosophy and mathematics into psychology with the problem of how a thing like mathematics could ever arisewhat sort of a thing it was . The attempt to construct a theory in a field like [neurophysiology], so that it can be put to any verification, is tough ... it was not until I saw Turing's paper that I began to get going the right way around, and with [logician Walter] Pitts' help formulated the required logical calculus. What we thought we were doing (and I think we succeeded fairly well) was treating the brain as a Turing machine."4
McCulloch's and Pitts's 1943 paper emphasized the equivalence of artificial neuron nets to Turing machines, saying:
"It is easily shown: first, that every [neuron] net, ... can compute only such numbers as can a Turing machine . This is of interest as affording a psychological justification of the Turing definition of computability and its equivalents, Church's -definability and Kleene's primitive recursiveness."
Moreover, in the first draft of the design for the EDVAC, von Neumann explicitly tied the computing elements for the EDVAC to McCulloch's and Pitts's model of a neuron, saying:
"Following W. Pitts and W.S. MacCulloch  ... we ignore the more complicated aspects of neuron functioning ... It is easily seen, that these simplified neuron functions can be imitated by telegraph relays or by vacuum tubes ... We propose to use them accordingly for the purpose described there: as the constituent elements of the devices, for the duration of the preliminary discussion ... The element which we will discuss, to be called an E-element ... which receives the excitatory and inhibitory stimuli, and emits its own stimuli along a line attached to it. ... In all this we are following the procedure of W. Pitts and W.J. MacCulloch."5
Since McCulloch and Pitts had shown that neuron nets are universal computing machines in the sense of the Church-Turing thesis, the same connection to universal computing machines would apply to the EDVAC.
Brad Barber, Arlington, MA
My entire argument was about Alan Turing's own views prior to the war, not about his influence on later developments. But a more general point I wanted to make was that scientific and technological ideas develop historically and that what happens later sometimes misleads us when we try to understand what happened earlier on. This may also be the case with McCulloch's very interesting, retrospective testimony, which by all means deserves a critical eye.
Leo Corry, Tel Aviv, Israel
1. Hewitt, C. Islets protect sensitive IoT information: Verifiably ending use of sensitive IoT information for mass surveillance can foster (international) commerce and law enforcement. Social Science Research Network WP 2836282; https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2836282
2. Haigh, T. and Landwehr, C. A Building Code for Medical Device Software Security. Technical Report. IEEE Computer Society, Mar. 2015; https://www.computer.org/cms/CYBSI/docs/BCMDSS.pdf
3. Landwehr, C.E. and Valdes, A. Building Code for Power System Software Security. Technical Report. IEEE Computer Society, Mar. 2017; https://www.computer.org/cms/CYBSI/docs/BCPSSS.pdf
5. von Neumann, J. First Draft of a Report on the EDVAC (June 30, 1945). Reprinted as a chapter in Papers of John von Neumann on Computing and Computer Theory, W. Aspray and A. Burks, Eds. MIT Press, Cambridge, MA, 1987, 1782.
Communications welcomes your opinion. To submit a Letter to the Editor, please limit yourself to 500 words or less, and send to email@example.com.
©2017 ACM 0001-0782/17/11
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from firstname.lastname@example.org or fax (212) 869-0481.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2017 ACM, Inc.
No entries found