At the Center for Information Technology Policy, dismembered voting machines are just the beginning

Harry Campbell

Just before the fall semester began, Alex Halderman ’03 *09, an assistant professor of electrical engineering at the University of Michigan, learned that one of his research collaborators had been arrested.  

In the spring, Halderman, Hari K. Prasad, and several co-authors had exposed grave flaws in the electronic-voting machines used throughout India. Indian officials, justly proud of their overall system, had deemed the machines “infallible,” with one going so far as to say that to subject them to rigorous testing would be like forcing the Hindu goddess Sita — exemplar of virtue and chastity — to submit to a virginity test. But Halderman and Prasad, an engineer in Hyderabad, found the machines easily hackable. They fashioned from readily available parts a “dishonest display board” that could be mounted inside an unguarded machine, to manipulate vote totals. In a paper, they explained that hacked voting machines were not simply an academic concern: Prasad himself had been approached by members of a local party that wanted help stealing an election.

CITP associate director Stephen Schultze, left, and director Ed Felten in Sherrerd Hall, the center’s home.
Ricardo Barros
In August, Indian police arrested Prasad, charging him with theft of the device that he and Halderman had studied. A week later, Prasad was released but was required for several weeks afterward to make the 450-mile journey from Hyderabad to Mumbai regularly, for questioning. The charge was that he had stolen the machine, “which is absolutely ridiculous,” Halderman says. He explains: “It was basically a case of whistle-blowing, where someone had concerns about the security of the machines and sought out the person best qualified to study them.”

In addition to possessing undergraduate and graduate degrees in computer science from Princeton, Halderman is a fellow this year with Princeton’s Center for Information Technology Policy (CITP), founded in 2005–06. And while the Indian arrest was unusually dramatic, it’s also emblematic of the work done by people affiliated with the center. CITP scientists venture into the wider world to point out problems with how technology is being used, and, in the process, noses sometimes get put out of joint.

Voting-machine studies are in the center’s DNA. Andrew Appel ’81, a Princeton computer-science professor, is an expert witness in a long-running lawsuit challenging New Jersey’s use of paperless voting machines, which he and others say are acutely vulnerable to manipulation. Most recently, in October, Appel helped persuade the state Superior Court to release an uncensored version of the expert report detailing the problems. A voting machine that has been hacked so that it displays a working Pac-Man video game — instead of candidates’ names — stands, like a trophy, in the center’s lounge on the third floor of Sherrerd Hall, a glass box of a building across from the engineering library.  

Schultze and Felten discuss a problem with graduate students, from left, William Clarkson, Joseph Calandrino, and William Zeller.
Ricardo Barros
But the center’s interests extend well beyond voting machines. CITP’s director and driving force is Ed Felten, an affable, boyish-looking 47-year-old who holds joint appointments in computer science and public affairs. One of his claims to fame came in 2000, when he testified that Microsoft’s Internet Explorer Web browser could be detached from the Windows operating system, thereby assisting the U.S. government in its historic antitrust case. More recently, he and his graduate students have shaken up the computer-security world with a string of striking papers. In 2006, they demonstrated that a method Sony was using to protect its DVDs from piracy introduced security risks in users’ computers. In 2008, they showed that hackers could steal information from a laptop even when it was turned off. The conventional wisdom had been that the random access memory used in computers was erased instantly when the computer shut down — but in fact, it persists for several seconds (and, by freezing the memory chip, can be made to last hours). The so-called cold boot paper led to anxious calls from corporate IT heads across the country.

“Ed is very good at making splashes,” says Tim Lee, a computer science graduate student who chose Princeton because he had noticed that the biggest stories at the intersection of tech and policy were emanating from its campus. Susan Crawford, a former science-and-technology adviser to President Obama and a visiting fellow this year at the center, puts a different spin on the same idea. “Ed’s graduate students are extraordinary, and they are fearless,” she says. Typically, Felten’s name has appeared last on these papers, after those of the graduate students and others he has supervised.

Befitting an interdisciplinary center, CITP embraces a range of scholarly approaches. The sociologist Paul DiMaggio is on its executive committee — he has published penetrating explorations of the digital divide, the diverging fortunes of people with and without Internet access. So is geoscientist Michael Oppenheimer, an expert in climate change and director of Princeton’s Program in Science, Technology, and Environmental Policy.

But it is the geek-tech expertise of the center that represents its comparative advantage. Nationally, by far the best-known university-based technology policy center is Harvard’s Berkman Center for Internet and Society, home to such prominent scholars as Jonathan Zittrain, author of The Future of the Internet — and How to Stop It, and Lawrence Lessig (Free Culture). Berkman, however, “is dominated by lawyers and the legal mindset,” Felten says. “What we bring to the table,” he says, “is more technical horsepower, more involvement by engineers in our activities.”

Berkman is also several times larger than CITP. “We still think of ourselves as a plucky startup,” Felten says. “We think we are punching above our weight.” CITP’s annual budget for nonfaculty staff, visiting fellows, and special events is roughly $500,000, which includes seed money from Microsoft. “Governments are rapidly developing new policies and regulations to apply to information technology,” says Brad Smith ’81, Microsoft’s general counsel. “What that really calls for is the ability to combine expertise in computer science and engineering with the issues of the day.” Microsoft is weighing another grant to CITP.

At present, the center is jointly governed by the School of Engineering and Applied Science and the Woodrow Wilson School. But the long-term plan is that it will be able to hire faculty, in partnership with other departments. This year, for the first time, the center will offer an undergraduate certificate to students whose work blends technical and policy concerns.  

Beyond professors and students, a key source of intellectual gravity is a cadre of visiting fellows who, each year, bring a fresh set of interests to campus. This year, they include such prominent figures as Fengming Liu, an associate general counsel at Microsoft who was formerly responsible for the greater China region. He is dividing his time this academic year between Harvard and Princeton, and will be studying China’s policy of requiring that the servers holding the data of Chinese citizens reside in China (China says this is important to its citizens) as well as the more general question of how to build institutions that foster respect for the rule of law.  

Susan Crawford, who became a professor at Cardozo Law School after leaving the Obama administration, is studying the implications of broadband monopolies, among other things. She is particularly concerned about a proposed merger between Comcast and NBC Universal, which in early fall was marching ahead though it had not yet gained the approval of regulators. “We are headed to the era of true convergence,” Crawford says. “All separate media — phone, TV, data — are going to be coming into homes through one connection. Having one set of actors with market power over that single natural monopoly poses risks to innovation and the country’s future.” The Comcast-NBCU merger “is as big a deal as the AT&T divestiture was in 1984,” she says, “but nobody is paying attention.”

While Crawford seeks to draw attention to that issue, another fellow, Adrian Hong, head of an organization that aims to get information to and from people in closed societies, wants to keep a lower profile. “The angle we are taking is not to raise publicity and name and shame — it is more about quietly working on the ground level,” says Hong, director of the Pegasus Project.  

CITP grew organically out of engineers’ growing interest in policy matters. Both Appel and Felten were working on Web-browser security as early as the mid-1990s. (Secure browsers, such as Internet Explorer or Firefox, are a prerequisite for any and all Internet commerce — or almost any online venture.) A particular turning point for Felten came in 2000, when he and several colleagues took on a challenge from a consortium of music and electronics companies, which had offered a prize if anyone could defeat the digital-rights-management system the companies had incorporated into their music files, to prevent piracy. Felten’s group did defeat the system, but the companies wound up suing the researchers under the Digital Millennium Copyright Act, arguing that a paper that Felten and his colleagues planned to publish amounted, itself, to a “circumvention technology.”

The group eventually dropped the suit, but Felten remained shocked by how law was being wielded as a cudgel and interfering with research. He spent the 2001–02 year at Stanford Law School, studying the history and intent of laws like the one of which he’d run afoul.  

At around the same time, other professors, including DiMaggio and the computer scientist David Dobkin, now dean of the faculty, were discussing the need for more cross-disciplinary work at the nexus of technology and society. The result of those chats was the “G.W.A.,” or Group Without Acronym, a purposely vaguely titled organization that held irregular lunches and gathered for talks.  

Professor Andrew Appel ’81 with a symbol of the center’s work: a voting machine turned into a Pac-Man game.
Ricardo Barros
Susan Crawford
Courtesy University of Michigan Law School

Perhaps you have noticed that computers are playing a larger role in our lives? (Undergraduates have: Roughly half now take at least one computer science course.) Each week brings a fresh news story that underscores how thoroughly intertwined are politics and technology. In September, The New York Times reported that Russia was raiding the offices of nongovernmental groups on the pretext of searching for pirated Microsoft software. Microsoft disavowed any connection with the raids and agreed to make free software licenses available to NGOs. That same month, computer scientists demonstrated that the boasts of a technology company called Haystack, which had said it could reliably encrypt the communications of dissidents in places like Iran, far outran the soundness of the technology. The company suspended its operations, and no one knows the costs for the dissidents. CITP faculty and affiliates regularly hash out such episodes on the center’s blog, Freedom to Tinker (Freedom-to-tinker.org).

For ordinary American computer users, subtler but significant changes are afoot. For about a decade, things were stable: You had e-mail, a suite of office software, and a browser for research and shopping. In the last few years, for many people, e-mail, calendar, and contacts moved to faraway servers, via services like Gmail and Google Calendar — a process known as cloud computing. Work documents have moved to the cloud, too, thanks to services like Google Docs, Dropbox, and online supplements to Microsoft Office. So long as you have access to the Internet, you can get your virtual hands on almost anything you need. But you’ve also outsourced the job of handling sensitive information to large companies whose workings you barely understand.

In late September, Felten testified before Congress about some of the implications of cloud computing for user privacy. Speaking later in his neat, airy office, complete with an Eames-style lounge chair and massive computer monitor, he explains: “There are a bunch of dangerous scenarios. One is that a company could go broke and be forced to sell all of its assets. Personal information would be one of those assets, unless the company had made a legally binding agreement with its customers never to part with that information. If the company just says, ‘Trust us, we are good people, we have your best interests at heart’ — well, those people may not have control over the company forever. And there is seldom a detailed agreement between the user and the company. You could have unpleasant surprises.” Consumers may embrace the trade-offs of the cloud, but they are seldom even aware of the downside.

Browser security remains a live topic at Princeton, but the focus has changed since the long-ago days of Netscape Navigator. Few computer users realize just how privatized, decentralized, and generally chaotic is the system for deciding which websites are safe to visit. Browser makers, for instance, outsource the authority to deem a site trustworthy to an array of private entities — for-profit companies, mainly. In an odd twist, these entities in turn are allowed to bestow the right to make broad judgments about trustworthiness to third parties. It’s like a game of telephone: How trustworthy is a site at the end of such a long chain of transactions?

The issue flared up last winter as Mozilla, the maker of Firefox, was debating whether to grant certification authority to a Chinese entity — a prospect that alarmed some advocates of online privacy. CITP partnered with the New America Foundation for a conference Oct. 22, in Washington, titled “The Emerging Threat to Online Trust.” That event and others to come mark “a natural progression from the kind of impact we’ve already had in D.C. to a more formal role in various policy discussions,” says Stephen Schultze, associate director of CITP.

Digital-rights management — DRM — remains a hot-button topic, too. The worst of the DRM wars may be over: Music companies have more or less given up on putting cumbersome restrictions on the music they sell, and they haven’t targeted music-hoarding college students with hefty fines lately. Still, movie and video-game manufacturers are holding out, hoping to maintain such protections. Appel says those efforts will prove fruitless. “DRM is completely circumventable, and always will be,” he says — while it annoys lawful consumers and could create unintended security problems on their computers.

“What we said 10 years ago was that the way to do it right is to price it right,” Appel says. “Nobody minds paying for streaming Netflix, even though they could go somewhere to find the same streaming video for free. It just wouldn’t be worth the trouble.”

But the battles over intellectual property have moved onto other terrain. “The copyright system these days often overreaches,” Felten says. “It goes beyond the core mission of creating an incentive for the creator, and becomes about companies trying to control neighboring markets.” Cable companies, he observes, long insisted that only they had the right to decode the signals coming through their wires. That gave them a monopoly on set-top boxes, whose rental to consumers provides — surprise! — a steady stream of revenue. The Federal Communications Commission intervened to allow companies like TiVo into that market, but cable companies still put stumbling blocks in their way. Similarly, he says, Apple has cited copyrighted technology as one reason it won’t open up iTunes to competing MP3 players, giving the iPod a crucial boost.

Given that CITP is taking money from some sizable corporate players, can its independence on issues like these be trusted? “I guess there are several answers to that,” Felten says. “One is that we just stand on the quality of the work. The papers that we publish go through peer review. We lay out the conclusions that we reach in some detail. Ultimately, the work will succeed or fail in the scholarly community based on the arguments we make.”

A signature issue for CITP has been increasing governmental transparency — basically, making it easier for citizens to figure out what’s going on in Washington. One of these projects was born out of a talk that Schultze gave at CITP in February 2009, before he was hired, when he was still affiliated with Harvard’s Berkman Center. He had been researching a First Amendment issue and was amazed to find that the government charged 8 cents a page to download a document electronically, which added up fast. “I couldn’t believe how the system worked — charging fees,” he says. “I thought I must be mistaken.” Plus, the website and search engine were dreadful, he says.

In his Princeton talk, he lamented the situation. After the talk, two computer-science graduate students, Tim Lee and Harlan Yu, said they had an idea for a piece of software that might help. “I said, ‘That’s great. Why don’t you go work on it?’” Schultze says, laughing. A month later they came back with a prototype.

The program, an add-on for the Firefox browser, is called RECAP (a reversal of the acronym for Public Access to Court Electronic Records, the government program Schultze had lamented). The key to RECAP is that court documents are, in fact, public, so after you’ve paid for them once, you are free to distribute them. RECAP uploads the documents the people purchase to a public server, maintained by a nonprofit group in Northern California; from there, future users can download them free of charge. At the same time, the program alerts users when a document they are seeking is already freely available. So far, more than 10,000 people have installed the software, and the repository contains 2 million-plus documents.

RECAP, however, also created — or raised the salience of — privacy issues. Lawyers and courts, it turned out, were failing in their duty to delete certain private details from many documents that they had made public: names of minors, Social Security numbers, home addresses, and so on. That hardly mattered when the data were barely accessible, but Princeton was helping disseminate it. Tim Lee saw a chance for a research project: He is “training” computers to identify the documents most likely to contain inappropriate private information, and, if possible, to pinpoint where it exists. He already has produced algorithms that have had notable success. “I used the documents that had already been redacted by a human being as a training set,” he says. RECAP presented no weighty intellectual issues, but the privacy work may evolve into his dissertation.

“In the long run, it would be good to have the courts doing this,” Lee says. Indeed, the government has taken notice of RECAP and other nimble open-government projects, like GovTrack.us, started by Joshua Tauberer ’04. In July, the National Archives unveiled a revamped version of the creaky old Federal Register, dubbed the Federal Register 2.0. (Schultze’s predecessor as associate director, David Robinson ’04, a Rhodes scholar now studying at Yale Law School, has argued that government should concentrate on producing superb universal databases rather than comprehensive websites: Outside activists then could use the underlying data to create polished sites, guided by market demand for information.)  

Yet another civic-minded tool has been produced by Matthew Salganik, an assistant professor of sociology and a CITP affiliate. All Our Ideas (Allourideas.org) builds on research Salganik has done on how social media influence opinion. At its core, All Our Ideas is an opinion poll, but an interactive one. Users can make their own suggestions about the problems or issues they’re being quizzed about. Subsequent users of the site then are queried about both the original and the new proposals. “One thing we’re seeing is that the information that is uploaded by users is more powerful than things provided by the organizer,” Salganik says. The site “helps you figure out what you don’t know.”

Unlike most online polls, this one prevents you from knowing which ideas other people favor, because Salganik has found that this tends to create “cascades” of peer-pressure that mask true preferences. All Our Ideas — which was called, at the time, “Which Do You Want More?” — was first deployed by the Princeton Undergraduate Student Government in fall 2008 to see which issues students thought most important. (“Lower textbook prices” came in first, and a free Netflix-style movie service came in second. Alas, neither idea got far: The USG does rent movies, but it won’t mail them to you.) Today, it’s being used by the Organization for Economic Cooperation and Development (OECD), and the New York City Department of Parks and Recreation, to set priorities.

CITP has a busy year ahead of it. In the early fall, Felten and several graduate students were preparing to publish a paper explaining how cloud-computing providers might offer many of the benefits they currently do while keeping users’ private information shielded even from their own servers. The Oct. 22 conference in Washington was to be followed by others, on campus — one on the privacy risks and archival challenges posed by massive online databases, another on China’s Internet policies.  

Christopher Shea ’91 writes the “Week in Ideas” column for the Review section of The Wall Street Journal.