To: Ryan_P@acm.org, Rosemary McGuinness
Cc: Wendy Hall, Stuart Feldman, Peter G Neumann
Subject: 2007-2008 report of the ACM Committee on Computers and Public Policy

Pat and Rosemary,

Please distribute this report further to whomever, as appropriate, including newly elected folks. The report will be on my Web site on 1 Jul 2008, with the URL noted in the text. Thanks for all your past help.

Peter

=======================%CUT HERE%=========================
Annual Report of the
ACM Committee on Computers and Public Policy (CCPP)
For the Period 1 July 2007 to 30 June 2008
Submitted by Peter G. Neumann, Chairman

Date: June 30, 2008
To: Rosemary McGuinness and Pat Ryan, ACM, 2 Penn Plaza, Suite 701 New York, NY 10121-0701

Purpose of CCPP

The ACM Committee on Computers and Public Policy (CCPP) seeks to
* aid the ACM with respect to a variety of internationally relevant issues pertaining to computers and public policy, and
* help make the ACM even better recognized worldwide.

Its most visible project is the ACM Forum on Risks to the Public in Computers and Related Systems, established in August 1986 in response to Adele Goldberg's ACM President's message in the February 1985 issue of the Communications of the ACM (CACM). It has also served as a hands-on review board for the Inside Risks columns in the CACM, since July 1990.

CCPP Personnel

The Chairman of the ACM Committee on Computers and Public Policy (CCPP) is Peter G. Neumann. During the reporting year, the committee consisted of Steve Bellovin, Peter Denning, Virgil Gligor, Jim Horning, Nancy Leveson, David Parnas, Jerry Saltzer, and Lauren Weinstein. This body exists as an expert advisory group rather than a membership organization, and has considerable impact worldwide even though it maintains a low profile. I am extraordinarily grateful to them for their continued long-standing participation, their incisive reviewing of CACM Inside Risks columns, and their help in resolving occasional potentially sticky issues relating to the ACM Risks Forum. The intellectual memory span and diversity of interests that they represent are extraordinary. I continue to value their incisive contributions on many issues that require insight and wisdom. Although their oversight efforts regarding Inside Risks are often not visible to readers, some of the CACM columns have led to intense interactions with the authors that occasionally escalated to coauthorship. The intellectual thoughtfulness and expertise that they have consistently contributed have greatly improved the quality of the Inside Risks content and kept the ACM Risks Forum on track.

It is perhaps the general success of the Inside Risks columns inside the back cover of the CACM that has led to that space being commandeered by the new editorial board for other uses in the future. As of July 2008, the Inside Risks columns are destined to appear only three or four times a year instead of monthly (as they have without interruption for the past 18 years). The CCPP members seem to look on this as a mixed blessing -- it will ease our monthly editorial burden, but it will reduce our ability to address many critical issues.

CCPP internal interactions generally involve e-mail, with occasional telephone calls and in-person discussions. Many constructive interchanges have occurred during the year, as in the past.

There is some overlap with other ACM committees. For example, Horning and Neumann are both active members of both CCPP and USACM. Although there is some commonality of problem areas, the charters of CCPP and USACM are quite different. USACM has a specifically U.S.-centric focus, whereas CCPP tends to consider problems within a global perspective. For example, Neumann remains active in risks related to election systems, which is a common interest of CCPP and USACM; Neumann and Horning both testified before a National Research Council Computer Science and Technology Board group on risks of voter registration databases, which is primarily a concern of USACM -- although the issues of election integrity are relevant worldwide.

CCPP Efforts

CCPP has several manifestations, including

* RISKS online: The ACM Forum on Risks to the Public in Computers as a newsgroup (a digest by e-mail, distributed as comp.risks via USENET, and Web accessible). See Item 1 below.

* RISKS highlights in the ACM Software Engineering Notes (SEN): Edited and distilled from the online ACM Risks Forum. See Item 2 below.

* The CACM Inside Risks columns. See Item 3 below.

* RISKS: The Book, Computer-Related Risks. See Item 4 below.

Neumann has been highly visible in those efforts, but other CCPP members have also been active participants. Additionally, some other efforts have been undertaken, and CCPP members have continued to be active in ACM advisory roles and in computer policy issues, either directly related to CCPP or otherwise.

Neumann contributes many hours each week pro bono, moderating RISKS, responding to queries, engaging in individual dialogues with readers, and distilling the RISKS highlights for SIGSOFT's Software Engineering Notes (SEN). From the feedback we receive, RISKS appears to be one of the most widely read and most useful of the moderated on-line digests relating to computer technology. It serves a real educational purpose. Despite its high profile and the occasionally controversial nature of some of the material, RISKS has been a relatively noninflammatory operation; this reflects the fact that Neumann takes his moderator's role quite seriously. (The advisory members of CCPP are invoked as informal reviewers whenever a potentially controversial contribution must be considered. In addition, each member of the committee has typically played an advisory role during the year on various sensitive issues.)

CCPP represents an extraordinary collection of creative thinking ability and resources for ACM, and its members are invoked as appropriate.

Relevant Activities During the Reporting Year

Following is a list of CCPP-relevant activities. Almost all were done essentially pro-bono, and in my case with the considerable blessing and computer support of SRI International's Computer Science Lab -- for which I am hugely grateful.

Items of Immediate Relevance to CCPP

1. The on-line ACM Forum on Risks to the Public in Computers and Related Systems. In addition to various unofficial mirrored sites on the Internet, the official archives are available by anonymous ftp in the U.S. at ftp://ftp.sri.com/risks/, and in a nicely formatted searchable site in the U.K., courtesy of Lindsay Marshall: http://catless.ncl.ac.uk/Risks/, which is also accessible as http://www.risks.org.

The ACM Risks Forum activity involves many tens or even hundreds of thousands of people around the world, some of whom are contributing to the CCPP effort through their RISKS submissions. There are always many new first-time contributors each year.

The ACM Risks Forum continues as an institution. Since its first issue on August 1, 1985, its readership continues to expand, with a steady flow of new direct subscribers, via USENET newsgroups as comp.risks, and through redistribution centers and mirrored websites throughout the Internet. It reaches essentially every country that supports the Internet.

During the 2007-2008 ACM year, 43 issues of the Digest appeared, somewhat more than in the previous year, but fewer than in its peak years. The number of submissions for consideration continues to be considerable, and the primary limitation on the frequency of issues is the scarcity of my time.

2. Highlights from the on-line RISKS Forum continue to appear generally six times each year in the ACM SIGSOFT Software Engineering Notes. Neumann was SEN's founding editor in 1976. After Will Tracz took over as Editor in 1995, Neumann has continued to contribute a RISKS section to essentially every regular issue. Will continues the process of making current and back issues available online in the ACM Digital Archive. (SEN's circulation is one of the larger among SIGs.)

3. The "Inside Risks" series inside the back cover of each CACM issue highlights particular topics with a broad perspective. CCPP members have been very helpful in reviewing prospective columns, and in contributing columns. Guest columns are solicited as appropriate, and proposals for contributed columns are always considered.
The following columns either appeared or were written within the reporting year.

P.G. Neumann (ed). Inside Risks. Communications of the ACM (inside back cover), which began monthly in the July 1990 issue of CACM:

* Jul 07. 205 The Next Catastrophe(s), Charles Perrow
* Aug 07. 206 Which is Riskier: OS Diversity or OS Monopoly, Dave Parnas
* Sep 07. 207 E-migrating Risks, PGN
* Oct 07. 208 Toward a Safer and More Secure Cyberspace, Herbert S. Lin, Alfred Z. Spector, PGN, and Seymour E. Goodman
* Nov 07. 209 Risks of E-voting, Matt Bishop and David Wagner
* Dec 07. 210 Internal Surveillance, External Risks, Steven M. Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, Jennifer Rexford, Peter G. Neumann
* Jan 08. 211 The Psychology of Risks, Leonard Zegans
* Feb 08. 212 Software Transparency and Purity, Pascal Meunier
* Mar 08. 213 Wireless Sensor Networks and the Risks of Vigilance, Xiaoming Lu and George Ledin Jr
* Apr 08. 214 A Current Affair, Lauren Weinstein
* May 08. 215 The Physical World and the Real World, Steven M. Bellovin
* Jun 08. 216 Risks of Neglecting Infrastructure, Jim Horning and PGN

We have continued to expand the diversity among the authors, which took a considerable leap this reporting year -- there are 19 different people included among this list of authors.

These columns are available online at http://www.CSL.sri.com/neumann/insiderisks.html. For speed of access, columns since 2004 are in separate files, e.g., http://www.CSL.sri.com/neumann/insiderisks07.html. (When appended to "insiderisks.html#", the integers above -- 205 to 216 -- serve as indices into the Web site for the specific column.)

4. Neumann's RISKS BOOK "Computer-Related Risks" (ACM Press, Addison-Wesley, 1995), having transcended its fifth printing, is now being printed "on demand". It is also available in a Japanese translation. Unfortunately, most of the conclusions in the book are still valid today. Although the incidents described are becoming older, more recent source material is online in the ACM Risks Forum http://www.risks.org and summarized in SEN (item 2).

5. PGN's Illustrative Risks document provides a topical index for SEN and RISKS. It is updated regularly and is available online as http://www.CSL.sri.com/neumann/illustrative.html as well as http://www.CSL.sri.com/neumann/illustrative.pdf and http://www.CSL.sri.com/neumann/illustrative.ps. The task of maintaining the currency of this resource has become more daunting over time, and this index is not keeping up to date. However, the search engine at risks.org tends to compensate for that.

Other Items of Relevance to CCPP

6. Numerous additional activities of PGN are enumerated in Appendix I below.

7. Lauren Weinstein continues his operation of the PRIVACY Forum under the partial aegis of CCPP. PRIVACY FORUM: http://www.vortex.com/privacy

Lauren's Privacy Forum, his related services from People For Internet Responsibility (PFIR, which he co-founded with PGN), and his other outreach efforts continue to provide discussions, information, and other services that include many areas of privacy and technology's impacts on individuals and society -- which intersect virtually every aspect of our lives. The PRIVACY Forum, PFIR, and their related materials are continually referenced from around the world, and have been listed as major network resources in the links of many private, commercial, and governmental entities globally. A new PFIR project that Lauren originated (late in 2007) and runs is the "Network Neutrality Squad (NNSquad)" -- which is already a major international resource regarding technical network neutrality concerns.

As is the case with PGN, Lauren receives numerous e-mail and telephone contacts from all manner of media points, and continues to participate in newspaper and magazine articles, local and network radio and television interviews, and similar discussions on privacy and other technology topics. He has also been a commentator for National Public Radio's "Morning Edition" and for "Wired News" regarding technology and society. He also has been a primary contributor of columns for Inside Risks.

8. Steven M. Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, PGN, and Jennifer Rexford, Risking Communications Security: Potential Hazards of the Protect America Act, IEEE Security & Privacy, Jan-Feb 2008, pp. 24--33.

9. Other CCPP members have also interacted with various ACM people on ACM and CCPP-related issues, reviewed drafts, refereed papers, etc.

10. Other CCPP members wrote papers and gave talks that bear on computers and public policy.

11. This CCPP report is accessible from the acm.org pages, via a link to my CCPP Web page: THIS FILE: http://www.CSL.sri.com/neumann/ccpp.html

12. PGN, Reflections on Trustworthy Systems, Chapter 6 in Advances in Computers, Volume 70, edited by Marvin Zelkowitz, Academic Press imprint of Elsevier Science Publishers, 2007.

13. PGN, The Future of Information Assurance, Chapter 76 of the Computer Security Handbook, fifth edition, Volume 2, Wiley, 2008. In press.

Plans through 1 July 2009

14. Neumann will continue moderating the on-line RISKS Forum and contributing RISKS sections to ACM SIGSOFT's Software Engineering Notes.

15. Neumann will continue to coordinate/edit/write the CACM Inside Risks, albeit at a reduced frequency as directed by the new CACM editorial board, but once again seeking articles on topical RISKS-related subjects written by members of CCPP and other contributors.

16. CCPP members will continue to interact with USACM as appropriate. We have for many years encouraged the submission of Inside Risks columns from the USACM community, without much success. However, that may now be moot in that the inside-the-back-cover space will now be available for other purposes.

Budget and Funding

The 2007-2008 CCPP expenditures were as usual minimal, and the budget was adequate, with only modest amounts required for computing resources and communications. We appreciate ACM's past support, and have been happy to stay within budget each year. (SRI continues to provide disk space for the RISKS FTP archives on ftp.sri.com; the CSL.SRI.COM resources are partly subsidized by SRI. In addition, Lindsay Marshall at Newcastle provides the official RISKS mirror and an extremely useful searchable risks.org archives on a pro bono basis.)

Summary

The ACM RISKS Forum, the monthly CACM Inside Risks columns, Illustrative Risks, and the related efforts have continued to be successful in achieving their intended goals, as well as being highly popular. This year we have intensively renewed our long-term involvement in the risks of electronic voting systems.

We note that several related efforts are already ongoing under the aegis of the External Activities Board. For example, the scientific freedom and human rights, legal, education, and USACM committees involve issues relevant to CCPP that frequently are discussed in the ACM Risks Forum from the RISKS perspective. We are happy to interact with others in those related areas, without CCPP having to be directly in the loop, and to offer the Inside Risks space to those efforts that have a reasonable RISKS-relevant content. Overall, CCPP seems to have a well-defined niche of its own.

The ACM RISKS Forum and the PRIVACY Forum span a large gamut of CCPP issues, and involve reaching out to many thousands of people, throughout the world, quite a few of whom are actively contributing participants. RISKS is heavily involved in human safety, privacy, ethics, legal responsibility, etc., and there is no shortage of public-policy related issues!

The Inside Risks column serves as a popular CACM feature, and seeks to distill timely topics in a broadly accessible form.

Continued support of existing and possibly new CCPP activities is appropriate, and will be appreciated at essentially the same level. We are delighted to be a low-budget high-yield part of the ACM.

In general, we always seek to broaden our scope and deepen our content. We would be delighted to receive from ACM executive folks suggestions for new directions relating to computers and public policy, initiatives that we might address, suggestions for additional CCPP members who might also be willing to be active in writing and reviewing proposed Inside Risks columns, and ideas for making our efforts even more visibly attributable to ACM. The CCPP members represent a valuable cross-section of ACM interests relating to public-policy issues. As noted above, all of their efforts in helping CCPP and the ACM are greatly appreciated, even though many of those efforts are not noted here explicitly.

Respectfully submitted,

Peter G. Neumann, Principal Scientist, Computer Science Laboratory, SRI International EL-243, Menlo Park CA 94025-3493
Net address: Neumann@CSL.SRI.COM or pneumann@acm.org; Phone: 1-650-859-2375; FAX 1-650-859-2844

=============================================================

Appendix I: CCPP-Relevant Activities of Peter G. Neumann

Relevant PGN Events, Second-Half 2007

* August 6, Participated in the Electronic Voting Technology workshop, Boston, sponsored by ACCURATE and Usenix Security
* August 7, Participated in the NSF ACCURATE PI meeting on election integrity, in Boston
* August 8-10, Attended Usenix Security, Boston
* September 11, Invited speaker for the Café Scientifique Silicon Valley, Risks in Homeland Security: Privacy, Civil Liberties, and Other Issues
* September 20, Can Systems and Networks Really Be Trustworthy? Invited TRUST Seminar, UC Berkeley
* September 25, Discussant at a RAND symposium at the Computer History Museum
* September 28, Attended an all-day symposium at the Computer History Museum honoring Ron Rivest's receipt of the 2007 Marconi Award
* October 6, Live appearance on The Hugh Thompson Show, AT&T Tech Channel, taped for airing in 2008. The producers of this show considered this to be one of the best programs they have produced thus far, and are reportedly using it to kick off a new distribution. However, the show has not yet aired because of internal reorganizations within AT&T. http://techchannel.att.com/site/home/index.cfm
* October 16, Participated in the ITTC meeting, chaired a panel, and arranged for Steve Lipner's talk
* October 23, Participated in the U.S. Secret Service meeting
* November 7, Attended the Computer History Meeting event, Internetworking and the Early Internet: A 30th anniversary celebration of the first three-network transmission (packet radio, packet satellite, ARPANET), with Bob Kahn, Vint Cerf, Don Nielson, and many others. (I was the penultimate brief speaker from the audience, before Jake Feinler, former SRI NIC director, got the last word from the floor.)
* November 29-30, Invited speaker at a Computer Science and Technology Board Workshop on Voter Registration Databases, on Risks of VRDBs
* December 3-7, Attended a workshop on the National Cybersecurity Initiative, Naval Postgraduate School in Monterey. This meeting was attended by Carl Landwehr (IARPA), Karl Levitt (NSF), Doug Maughan (DHS), and Roy Pettis (representing the Director of National Intelligence), and was organized by Sami Saydjari and Cynthia Irvine. The purpose of the meeting was to create a research agenda for anticipated cybersecurity funding. My workshop position paper is online: ~neumann/ncdi07
* December 12-13, Attended ACSAC, Miami Beach

Relevant PGN Events, First-Half 2008

* March 10, Hosted Peter Denning's Great Principles workshop at SRI
* March 20, Attended premiere of Dorothy Fadiman's film, Stealing America: Vote by Vote
* March 27, Invited seminar: Computer-Related Risks of Untrustworthiness in Life, Liberty, and the Pursuit of Happiness, Lockheed-Martin, Palo Alto
* April 11, Talk: A Short Personal History of Mathematical Beauty in Computer Science, Harvard Computer Society, Harvard University
* May 7, NSF Cybersecurity Summit 2008 Arlington VA, keynote address: Holistic Approaches to Trustworthiness, Security, and Privacy http://www.csl.sri.com/neumann/nsf08sum.pdf

I am on the editorial board of the IEEE Security and Privacy journal. I serve on the board of the Electronic Privacy Information Center, and am on several advisory boards. I was an unpaid resourcer for Dorothy Fadiman's film, Stealing America, One Vote at a Time. I am on the Advisory Board for the PREDICT effort (Protected Repository for the Defense of Infrastructure Against Cyber Threats).

PGN, 30 June 2008

=======================================================================

Appendix II: Current CCPP Web and Internet Addresses

(Peter G. Neumann) Neumann@CSL.sri.com and pneumann@acm.org
(Steve Bellovin) smb@columbia.cs.edu
(Peter J. Denning) pjd@nps.edu
(Virgil Gligor) gligor@andrew.cmu.edu
(Jim Horning) horning@acm.org
(Nancy Leveson) leveson@mit.edu
(David Parnas)
(Jerry Saltzer) saltzer@mit.edu
(Lauren Weinstein) lauren@vortex.com

============================================================================