Annual Report of the
ACM Committee on Computers and Public Policy (CCPP)
For the Period 1 July 2003 to 30 June 2004
Submitted by Peter G. Neumann, Chairman
Date: July 2004
The Chairman of the ACM Committee on Computers and Public Policy is Peter G. Neumann. Participants in CCPP include Peter Denning, Sy Goodman, Jim Horning, Nancy Leveson, David Parnas, Jerry Saltzer, Barbara Simons, and Lauren Weinstein. Interactions generally involve e-mail and telephone calls, with occasional in-person meetings. Various constructive interchanges have occurred during the year. I am very grateful to the committee members for their continued long-standing participation.
There is some overlap with other ACM committees. For example, Horning, Neumann, and Simons are active members of both CCPP and USACM. On the other hand, the charters of CCPP and USACM are very different.
The ACM Risks Forum activity involves many tens (hundreds?) of thousands of people around the world, few of whom are contributing to the CCPP effort through their RISKS submissions.
PURPOSE OF CCPP
CCPP seeks (1) to aid the ACM with respect to a variety of internationally relevant issues pertaining to computers and public policy, and (2) to help make the ACM more visible worldwide. The most visible project is the ACM Forum on Risks to the Public in Computers and Related Systems, established according to Adele Goldberg's President's message in the February 1985 issue of the Communications of the ACM. Amazingly, this is CCPP's 20th annual report! (Surprisingly, that now exceeds my 19 years as founding editor of SIGSOFT's Software Engineering
CCPP has several manifestations, including
* RISKS: The ACM Forum on Risks to the Public in Computers as a
newsgroup (a digest by e-mail, and distributed as comp.risks
* RISKS: The ACM Software Engineering Notes highlights, four times
* The CACM Inside Risks monthly column, and
* RISKS: The Book (see below)
Neumann has been highly visible in those efforts, but other CCPP members have also been active participants. Additionally, some other efforts have been undertaken, and CCPP members have continued to be active in ACM advisory roles and in computer policy issues, either directly related to CCPP or otherwise.
CCPP represents an extraordinary collection of creative thinking ability and resources for ACM, and its members are invoked as appropriate.
RELEVANT ACTIVITIES DURING THE REPORTING YEAR
Following is a list of activities involving CCPP members related to CCPP, RISKS, and ACM. Most of the items have specific relevance to the CCPP charter, although many were not done directly under CCPP auspices. Almost all were done essentially pro-bono, and in my case with the considerable blessing of the SRI International Computer Science Lab -- for which I am hugely grateful.
ITEMS OF IMMEDIATE RELEVANCE to CCPP
1. The on-line ACM Forum on Risks to the Public in Computers and Related
Systems. In addition to various unofficial mirrored sites on the
Internet, the official archives are available by anonymous ftp
in the U.S. at ftp://ftp.sri.com/risks/ , and in a nicely indexed
and formatted site in the U.K., courtesy of Lindsay Marshall:
which is also accessible as
The ACM Risks Forum continues as an institution. Its readership
continues to expand, with a steady flow of new direct subscribers
who receive RISKS directly from me (now in every country that
supports the Internet), or via USENET as comp.risks, or as a
newsgroup via BBOARD sites and redistribution centers throughout
the Internet. (We suspect there are well over 200,000 readers
Neumann contributes many hours each week, moderating RISKS,
responding to queries, engaging in individual dialogues with
readers, distilling the highlights for SIGSOFT's Software
Engineering Notes (SEN), deleting huge quantities of spamming
e-mail, and handling tons of rejected addresses, with many new
ones with each successive issue. From the feedback we receive,
RISKS appears to be one of the most widely read and most useful of
the moderated on-line digests. Despite its high profile and the
intrinsically controversial nature of some of the material, RISKS
has been a relatively noninflammatory operation; this reflects the
fact that Neumann takes his moderator's role quite seriously,
although a few things still slip by. (The advisory members of
CCPP are invoked as informal reviewers whenever a potentially
controversial contribution must be considered. In addition, each
member of the committee has typically played an important advisory
role during the year on various sensitive issues.)
2. Highlights from the on-line RISKS Forum continue to appear four
times each year in Software Engineering Notes. Neumann, the
founding editor in 1976, continues on as Associate Editor for the
RISKS section, after Will Tracz took over as Editor in 1995.
SEN's circulation is one of the larger among SIGs.
PGN's Illustrative Risks document provides a topical index for
SEN and RISKS:
as well as illustrative.pdf and illustrative.ps for print versions.
3. The "Inside Risks" series inside the back cover of each CACM
highlights particular issues with a broader perspective. CCPP
members have been very helpful in reviewing prospective columns.
Guest columns are solicited as appropriate, and proposals are always
considered. The following columns either appeared or were written
within the reporting year. As seen from the following list, we have
substantially broadened the range of authors during the past year,
including four CCPP members. In particular, within the 12-month
reporting span, Lauren Weinstein authored four columns, Neumann
three plus one coauthored, Jim Horning wrote one, and Barbara Simons
P.G. Neumann (ed). Inside Risks. Communications of the ACM (inside
back cover), which began monthly in the July 1990 issue.
157: Jul 2003. How Secure Is Secure Web Browsing?, Albert Levi
158: Aug 2003. Spam Wars, Lauren Weinstein
159: Sep 2003. Risks in Trusting Untrustworthiness, PGN
160: Oct 2003. Information System Security Redux, PGN
161: Nov 2003. Security by Insecurity, Rebecca Mercuri and PGN
162: Dec 2003. The Devil You Know, Lauren Weinstein
163: Jan 2004. The Myth of Homeland Security, Marcus J. Ranum
164: Feb 2004. Outsourced and Out of Control, Lauren Weinstein
165: Mar 2004. Risks of Monoculture, Mark Stamp
166: Apr 2004. Coincidental Risks, Jim Horning
167: May 2004. Artifical Stupidity, Peter and Dorothy Denning
168: Jun 2004. Optimistic Optimization, PGN
169: Jul 2004. Insider Risks in Elections, Paul Kocher and Bruce Schneier
170: Aug 2004. Close Exposures of the Digital Kind, Lauren Weinstein
These issues are available at
with the 2004 columns now in a separate file for speed of access:
The prefatory integers above are the indexes into the Web site
for specific columns.
4. Neumann's RISKS BOOK ("Computer-Related Risks", (ACM Press,
Addison-Wesley) is still chugging along in the fifth printing,
and is also available in a Japanese translation. Extensive
source material since 1985 is online in the Risks Forum
5. Neumann is the guest editor for the forthcoming October 2004 special
issue of the CACM on election systems, with particular attention to
electronic voting machines. The papers have all been reviewed and
are now in the hands of Tom Lambert, in the publication pipeline.
Rebecca Mercuri was particularly helpful in this connection,
bringing her long expertise in this area to bear. Neumann has of
course been actively involved in election system integrity for
almost two decades.
6. Numerous additional activities of PGN are enumerated in Appendix I
7. Lauren Weinstein continues his moderation of the PRIVACY
Forum Digest under the partial aegis of CCPP.
The Privacy Forum and related services continue to provide
discussions, information, and other services that include the many
areas of privacy -- which intersect virtually every aspect of our
lives. The PRIVACY Forum and its archive are continually referenced
from around the world, and have been listed as major network
resources in the links of many private, commercial, and governmental
Like PGN, Lauren receives numerous e-mail and telephone contacts
from all manner of media points, and continues to participate in
newspaper and magazine articles, local and network radio and
television interviews, and similar discussions on privacy topics.
He also conducts PRIVACY Forum Radio interviews regarding
a range of privacy-related issues, and has been a frequent
commentator on National Public Radio's ``Morning Edition''
regarding technology and society. In the past year, he has put
out numerous Reality Reset and Factsquad pieces:
8. Other CCPP members have also interacted with various ACM people on
ACM and CCPP-related issues, reviewed drafts, refereed papers, etc.
The others not specifically having their activities described here
were presumably too busy or too modest to report on those
activities. Many requests from media personnel were fielded in the
past year. Special kudos in the past year go to Jim Horning for his
many valuable interactions, although several others were also
9. Other CCPP members wrote papers and gave talks that bear on
computers and public policy.
10. This CCPP report is accessible from the acm.org pages, via a link
to my CCPP Web page:
11. P.G. Neumann, U.S. Computer Insecurity Redux, *The World & I*, The
Washington Times Corporation (adapted from Issues in Science and
Technology, The National Academies, Summer 2003), February 2004,
12. P.G. Neumann, Attaining Robust Open-Source Software, Chapter X,
Perspectives on Free and Open Source Software, Joseph Feller, Brian
Fitzgerald, Scott A. Hissam, and Karim R. Lakhani, editors, MIT Press,
13. P.G. Neumann, Network Security and Privacy, in *The Computer Science
and Engineering Handbook, 2nd edition*, (A.B. Tucker, editor), CRC
Press, Inc., 2004.
PLANS THROUGH 1 JULY 2005
14. At the pleasure of the new ACM President, Neumann will continue as
as Chairman of the ACM Committee on Public Policy.
14. Neumann will continue moderating the on-line RISKS Forum and
contributing RISKS sections to ACM SIGSOFT's Software Engineering
16. Neumann will continue to coordinate/edit/write the CACM Inside
Risks, seeking some more invited pieces on topical RISKS-related
subjects written by members of CCPP and other contributors, to
17. We will continue productive interactions between CCPP and USACM,
largely as a result of the overlapping membership. We have in the
past offered occasional Inside Risks columns to USACM, although
there has been no recent impetus on the part of USACM to use that
avenue. This is not necessarily a bad thing, in that the Inside
Risks space always tries to have an international perspective rather
than a national perspective.
BUDGET AND FUNDING
The 2003-2004 CCPP expenditures were as usual minimal, and the budget was adequate, with only modest amounts required for computing resources and communications. (SRI continues to provide free disk space for the RISKS FTP archives on ftp.sri.com; the CSL.SRI.COM resources are partly subsidized by SRI. In addition, Lindsay Marshall at Newcastle provides the searchable risks.org archives on a pro bono basis, which is a very valuable resource.) We appreciate ACM's past support, and have been happy to stay within budget each year.
The ACM RISKS Forum, the monthly CACM Inside Risks columns, Illustrative Risks, and their related efforts have continued to be successful in achieving their intended goals, as well as being highly popular. This year we have intensively renewed our long-term involvement in the risks of electronic voting systems.
We note that several closely related efforts are already ongoing under the aegis of the External Activities Board. For example, the scientific freedom and human rights, legal, education, and USACM committees involve issues relevant to CCPP that frequently are discussed in the ACM Risks Forum. Consequently, we are happy to interact with others in those related areas, without CCPP having to be directly in the loop. But CCPP seems to have a well-defined niche of its own.
The ACM RISKS Forum and the PRIVACY Forum span a large gamut of CCPP issues, and involve reaching out to many thousands of people, throughout the world, quite a few of whom are actively contributing participants. Certainly RISKS is heavily involved in human safety, privacy, ethics, legal responsibility, etc., and there is no shortage of public-policy related issues!
The Inside Risks column serves as an outlet for CCPP, not just narrowly as highlights of the ACM RISKS Forum. We expect to continue that approach for selected topics in the future.
Continued support of existing and possibly new CCPP activities is appropriate, and will be appreciated at essentially the same level. We are delighted to be a low-budget high-yield part of the ACM.
In general, we continue to broaden our scope and involvement, subject to the limitations of personal availability. We would be delighted to receive from ACM executive folks suggestions for new directions relating to computers and public policy, initiatives that we might address, and ideas for making our efforts even more visibly attributable to ACM. The CCPP members represent a valuable cross-section of ACM interests relating to public-policy issues. I greatly appreciate all of their efforts in helping CCPP and the ACM, even though many of those efforts are not noted here explicitly.
Peter G. Neumann, Principal Scientist, Computer Science Laboratory,
SRI International EL-243, Menlo Park CA 94025-3493
Net address: Neumann@CSL.SRI.COM ;
Phone: 1-650-859-2375 FAX 1-650-859-2844
APPENDIX I: CCPP-Relevant Activities of Peter G. Neumann
2003 RELEVANT EVENTS by PGN
July 24, visit from U.S. House Committee on Appropriations Surveys and
Investigations Staff, Margaret R. Owens and Gail O Burton
August 15, KRON-TV, interviewed by Dan Kerman on electronic voting machines
August 20, Lehrer News Hour, interviewed by Spencer Michel
August 27, interviewed by the U.S. General Accounting Office's Nabajyoti
Barkakati and Lon Chin
September 9, keynote talk, A RISKS-Oriented View of Security Requirements,
for the Reliable High-Assurance Systems workshop (RHAS 2003), organized by
Connie Heitmeyer, Monterey
September 11, invited talk, Social and Technical Implications of Nonproprietary Software, BSDCON '03, San Mateo
September 15, interview and call-in respondent, KNX, Los Angeles, Bob McCormick
September 15, appeared in Lehrer News Hour segment on electronic voting
September 24-26, Multilevel security workshop (CLASSIFIED), Institute for
Defense Analysis, Alexandria VA (organized by Sami Saydjari)
October 8, Interviewed for much of the day by Ronnie Dugger for an article
on electronic voting (Dugger authored the major article in *The New
Yorker,* Nov 7 1988, on that subject, quoting me and many others.)
October 28, Invited speaker,
Security Policies and Risks of Implementing Them, workshop on
Intellectual Property Protection: Implementing Security Policies to
Mitigate Financial and Legal Risk, organized by Cisco in San Jose
November 16-19, attended ACM Grand Challenges and led a breakout session
November 20-21, participated in an NSF Career Awards review panel for
December 4, Council for Excellence in Government West Conference, San Diego,
Talk on Risks of Technology in session on Emerging Technologies for Cyber
December 10-12, attended 19th Annual Computer Security Applications
Conference (ACSAC 2003), Las Vegas, Nevada, and presented the
PSOS Revisited paper  in the Classic papers track; the talk
was followed by a half-hour open discussion led by me and Gene Spafford.
2004 RELEVANT EVENTS by PGN
January 14, spoke for the Valley Study Group at the Castlewood
Country Club in Pleasanton CA, on Risks in the Use of Computers, and
Especially Electronic Voting Systems. This group consists largely
of LLNL alumni.
January 21-23, attended Accelerating Trustworthy Internetworking
February 9-10, Vanguard Conference on Security and Privacy, Austin, Texas,
Talk: A Risks-Oriented View of Security and Privacy
February 15, AAAS Seattle, panelist,
Voting Technology: Current Assessment and Future Prospects
April 8, NSS2 conference on Trustworthy Software, Naval Postgraduate
School, Monterey: lecture on building trustworthy systems
April 12, taught Eric Roberts's annual class on Computers, Ethics, and
Social Responsibility, Stanford University
April 19-20, attended and spoke at National Research Council workshop
on Certifiably Dependable Software, Georgetown Conference Center
April 20, briefed staffers of the House Committee on Science, House Committee
on Rules and Administration, and a Senate committee, with Doug Jones
April 22-23, attended Harvard/Radcliffe-Institute conference on
Privacy and Security: Technology, Policy, and Society;
Talk: Risks and Remedies in Electronic Voting Systems
May 11-12, attended my GAO Executive Committee on Information Management
and Technology, Washington DC
June 10-11, Acccountable Network roundtable, Cardozo Law School
June 23, Norwich University, Vermont, Keynote speaker for a conference
on Information Assurance: talk entitled Computer Systems, Networks,
and Applications: Security Risks and What To Do About Them; also
commencement speaker for the Master of Science in Information
Current Web and Internet Addresses for CCPP Members
(Peter G. Neumann)
Neumann@CSL.sri.com and email@example.com
(Peter J. Denning)