Annual Report of the
ACM Committee on Computers and Public Policy (CCPP)
For the Period 1 July 2011 to 30 June 2012
Submitted by Peter G. Neumann, Chairman
Date: June 30, 2012
To: Rosemary McGuinness
ACM, 2 Penn Plaza, Suite 701 New York, NY 10121-0701
PURPOSE OF CCPP
The ACM Committee on Computers and Public Policy (CCPP) seeks to
* aid the ACM with respect to a variety of internationally relevant
issues pertaining to computers and public policy, and
* help make the ACM even better recognized worldwide.
Its most visible project is the ACM Forum on Risks to the Public in
Computers and Related Systems, established in August 1986 in response to
Adele Goldberg's ACM President's message in the February 1985 issue of
the Communications of the ACM (CACM). It has also served as a hands-on
review board for the Inside Risks articles in the CACM, since July 1990.
CCPP PERSONNEL
The Chairman of the ACM Committee on Computers and Public Policy (CCPP)
is Peter G. Neumann. During the reporting year, the committee consisted
of Steve Bellovin, Peter Denning, Virgil Gligor, Jim Horning, Nancy
Leveson, David Parnas, Jerry Saltzer, and Lauren Weinstein. This body
exists as an expert advisory group rather than a membership
organization, and has considerable impact worldwide even though it
maintains a relatively low profile. I am extraordinarily grateful to
them for their continued long-standing participation and their incisive
reviewing of CACM Inside Risks columns and helping resolve occasional
potentially sticky issues relating to the ACM Risks Forum. The
intellectual memory span and diversity of interests that they represent
is extraordinary. I continue to value their incisive contributions on
many issues that require insight and wisdom. Although their oversight
efforts regarding Inside Risks are often not visible to readers, some of
the CACM columns have led to intense interactions with the authors that
occasionally escalated to coauthorship. The intellectual thoughtfulness
and expertise that they have consistently contributed have greatly
improved the quality of the Inside Risks content and kept the ACM Risks
Forum on track.
CCPP internal interactions generally involve e-mail, with occasional
telephone calls and in-person discussions. Many constructive interchanges
have occurred during the year, as in the past.
There is some overlap with other ACM committees. For example, Horning
and Neumann are active members of both CCPP and USACM. Although there
is some commonality of problem areas, the charters of CCPP and USACM are
quite different. USACM has a specifically U.S.-centric focus, whereas
CCPP tends to consider problems within a global perspective. For
example, Neumann remains active in risks related to election systems,
which is a common interest of CCPP and USACM; Neumann and Horning both
testified for the National Research Council Computer Science and
Technology Board on risks of voter registration databases, which is
primarily a concern of USACM.
CCPP Efforts
CCPP has several manifestations, including
* RISKS online: The ACM Forum on Risks to the Public in Computers as a
newsgroup (a digest by e-mail, and distributed as comp.risks via
USENET). See Item 1 below.
* RISKS highlights in ACM Software Engineering Notes (SEN): Edited
and distilled from the online ACM Risks Forum. See Item 2 below.
* The CACM Inside Risks tri-yearly columns. See Item 3 below.
* RISKS: The Book, Computer-Related Risks. See Item 4 below.
Neumann has been highly visible in those efforts, but other CCPP members
have also been active participants. Additionally, some other efforts
have been undertaken, and CCPP members have continued to be active in
ACM advisory roles and in computer policy issues, either directly
related to CCPP or otherwise.
Neumann contributes many hours each week pro bono, moderating RISKS,
responding to queries, engaging in individual dialogues with readers,
and distilling the RISKS highlights for SIGSOFT's Software Engineering
Notes (SEN). From the feedback we receive, RISKS appears to be one of
the most widely read and most useful of the moderated on-line digests
relating to computer technology. It serves a real educational purpose.
Despite its high profile and the occasionally controversial nature of
some of the material, RISKS has been a relatively noninflammatory
operation; this reflects the fact that Neumann takes his moderator's
role quite seriously. (The advisory members of CCPP are invoked as
informal reviewers whenever a potentially controversial contribution
must be considered. In addition, each member of the committee has
typically played an advisory role during the year on various sensitive
issues.)
CCPP represents an extraordinary collection of creative thinking ability
and resources for ACM, and its members are invoked as appropriate.
RELEVANT ACTIVITIES DURING THE REPORTING YEAR
Following is a list of CCPP-relevant activities. Almost all were done
essentially pro-bono, and in my case with the considerable blessing and
computer support of SRI International's Computer Science Lab -- for
which I am hugely grateful.
ITEMS OF IMMEDIATE RELEVANCE to CCPP
1. The on-line ACM Forum on Risks to the Public in Computers and
Related Systems. In addition to various unofficial mirrored sites
on the Internet, including a new feed at panix.com for comp.risks on
USENET as of May, 2011, the official archives are available by
anonymous ftp in the U.S. at ftp://ftp.sri.com/risks/ , and in a
nicely formatted searchable site in the U.K., courtesy of Lindsay
Marshall:
http://catless.ncl.ac.uk/Risks/
which is also accessible as
http://www.risks.org
The ACM Risks Forum activity involves many tens or even hundreds of
thousands of people around the world, some of whom are contributing
to the CCPP effort through their RISKS submissions. There are
always many new first-time contributors each year.
The ACM Risks Forum continues as an institution. Since its first
issue on August 1, 1985, its readership continues to expand, with a
steady flow of new direct subscribers, via USENET newsgroups as
comp.risks, and through redistribution centers and mirrored websites
throughout the Internet. It reaches essentially every country that
supports the Internet.
During the 2011-2012 reporting year, 41
issues of the Digest appeared (RISKS-26.49 to 26.89). The
number of submissions for consideration continues to be
considerable, and the primary limitation on the frequency of
issues is the scarcity of my time (and having to delete hundreds
of spam messages daily that are not caught by our filters).
2. Highlights from the on-line RISKS Forum continue to appear six times
each year in the ACM SIGSOFT Software Engineering Notes. Neumann
was SEN's founding editor in 1976. After Will Tracz took over as
Editor in 1995, Neumann has continued to contribute a RISKS section
to essentially every regular issue. Will continues the process of
making current and back issues available online in the ACM Digital
Archive. (SEN's circulation is one of the larger among SIGs.)
3. P.G. Neumann (ed). Inside Risks began in July 1990 as a monthly one-page
item, originally inside the back cover of the CACM for 18 years. It is
now slated for three longer articles each year. We continue to seek
diversity among the authors. The following articles appeared during the
reporting year, as Inside Risks Viewpoints:
Oct 11.225 Modernizing the Danish Democratic Process, Carsten Schürmann
Feb 12.226 Yet Another Technology Cusp: Confusion, Vendor Wars, and
Opportunities, Don Norman
Jun 13.227 The Cybersecurity Risk: Increased attention to cybersecurity
has not resulted in improved cybersecurity, Simson Garfinkel
Inside Risks articles are available online at
http://www.CSL.sri.com/neumann/insiderisks.html
4. Neumann's RISKS BOOK ("Computer-Related Risks", ACM Press and
Addison-Wesley, 1995), having transcended its fifth printing, is now
being printed "on demand", and is now available online as well. It
is also available in a Japanese translation. More recent source
material is online in the ACM Risks Forum
http://www.risks.org
and summarized in SEN (item 2).
5. PGN's Illustrative Risks document provides a topical index for
SEN and RISKS. It used to be updated periodically, but is fairly
complete up to a point. It is available online as
http://www.CSL.sri.com/neumann/illustrative.html
as well as
http://www.CSL.sri.com/neumann/illustrative.pdf
and
http://www.CSL.sri.com/neumann/illustrative.ps
The task of maintaining the currency of this resource has become more
daunting over time, and this index is not up to date. However, the
search engine at risks.org tends to compensate for that.
6. Numerous additional activities of PGN are enumerated in Appendix I
below.
7. Lauren Weinstein continues his operation of the PRIVACY Forum and
the Network Neutrality Squad under the partial aegis of CCPP.
PRIVACY FORUM: http://www.vortex.com/privacy
NETWORK NEUTRALITY SQUAD: http://www.nnsquad.org
The Privacy Forum and related services from People For Internet
Responsibility (PFIR, which he co-founded with PGN), and his other
outreach efforts continue to provide discussions, information, and
other services that include the many areas of privacy -- which
intersect virtually every aspect of our lives. The PRIVACY Forum,
Network Neutrality Squad, and his other archives are continually
referenced around the world, and have been listed as major network
resources in the links of many private, commercial, and governmental
entities globally.
As is the case with PGN, Lauren receives numerous e-mail and telephone
contacts from all manner of media points, and continues to participate
in newspaper and magazine articles, local and network radio and
television interviews, and similar discussions on privacy and related
technology topics. He has also been a commentator for National Public
Radio's "Morning Edition" and for "Wired News" regarding technology
and society.
8. Other CCPP members have also interacted with various ACM people on
ACM and CCPP-related issues, reviewed drafts, refereed papers, etc.
9. Other CCPP members wrote papers and gave talks that bear on
computers and public policy.
10. This CCPP report is accessible from the acm.org pages, via a link
to my CCPP Web page:
THIS FILE:
http://www.CSL.sri.com/neumann/ccpp.html
PLANS THROUGH 1 JULY 2013
11. Neumann hopes to continue moderating the on-line RISKS Forum and
contributing RISKS sections to ACM SIGSOFT's Software Engineering
Notes.
12. Neumann will continue to coordinate/edit/write the CACM Inside Risks
columns, seeking articles on topical RISKS-related subjects written by
members of CCPP and other contributors. Please contact me if you think
you might have an appropriate RISKS-relevant Viewpoints article.
13. CCPP members will continue to interact with USACM as appropriate.
We have been encouraging the submission of more Inside Risks columns
from the USACM community, without much success. Perhaps in the
future that will change.
BUDGET AND FUNDING
The 2011-2012 CCPP expenditures were as usual minimal, and the budget was
adequate, with almost no expenses for computing resources and
communications. (SRI continues to provide free disk space for the RISKS FTP
archives on ftp.sri.com; the CSL.SRI.COM resources are partly subsidized by
SRI. In addition, Lindsay Marshall at Newcastle provides the extremely
useful searchable risks.org archives on a pro bono basis. I use my cell
phone and free home phone extensively.) We appreciate ACM's past support,
and have been happy to stay within budget each year.
SUMMARY
The ACM RISKS Forum, the monthly CACM Inside Risks columns, Illustrative
Risks, and the related efforts have continued to be successful in
achieving their intended goals, as well as being highly popular. This
year we have intensively renewed our long-term involvement in the risks
of electronic voting systems.
We note that several related efforts are already ongoing under the aegis
of the External Activities Board. For example, the scientific freedom
and human rights, legal, education, and USACM committees involve issues
relevant to CCPP that frequently are discussed in the ACM Risks Forum
from the RISKS perspective. We are happy to interact with others in
those related areas, without CCPP having to be directly in the loop, and
to offer the Inside Risks space to those efforts that have a reasonable
RISKS-relevant content. Overall, CCPP seems to have a well-defined
niche of its own.
The ACM RISKS Forum and the PRIVACY Forum span a large gamut of CCPP
issues, and involve reaching out to many thousands of people, throughout
the world, quite a few of whom are actively contributing participants.
RISKS is heavily involved in human safety, privacy, ethics, legal
responsibility, etc., and there is no shortage of public-policy related
issues!
The Inside Risks column serves as a popular CACM feature, and seeks to
distill timely topics in a broadly accessible form.
Continued support of existing and possibly new CCPP activities is
appropriate, and will be appreciated at essentially the same level. We
are delighted to be a low-budget high-yield part of the ACM.
DIVERSITY
As noted above, CCPP (as opposed to USACM, for example) is explicitly
international in its outlook and content. In general, we always seek to
broaden our scope and deepen the incisiveness of our content in Inside
Risks columns and RISKS issues. Also, the risks relating to computers
that we address span a wide range of requirements and application areas.
Also as noted above, CCPP is somewhat unusual within ACM in that it
tends to act as an editorial and advisory board rather than a membership
organization. We welcome suggestions for additional CCPP members who
might also be willing to be active in writing and reviewing proposed
Inside Risks columns. We note that the makeup of CCPP has always been
intentionally diverse in the areas of expertise that it encompasses. At
the moment, David Parnas is the only non-US member, and Nancy Leveson is
the only woman. Although we currently represent significant topical
longevity, we would be delighted to add some younger folks who have the
appropriate experiential breadth and depth, and will renew that quest in
the coming reporting year. However, the small size of the group with
deep commitments to the purposes noted above is beneficial to the end
results, so we are not seeking a major expansion.
The CCPP members represent a valuable cross-section of ACM interests
relating to public-policy issues. All of their efforts in helping CCPP
and the ACM are greatly appreciated, even though many of those efforts
are not noted here explicitly.
We would be delighted to receive further suggestions for new directions
relating to computers and public policy, internationally relevant
initiatives that we might address beyond the ACM Risks Forum and the CACM
Inside Risks columns, and ideas for making our efforts even more visibly
attributable to ACM without compromising the special role of CCPP.
Respectfully submitted,
Peter G. Neumann, Principal Scientist, Computer Science Laboratory,
SRI International EL-243, Menlo Park CA 94025-3493
Net address: Neumann@CSL.SRI.COM or pneumann@acm.org;
Phone: 1-650-859-2375 FAX 1-650-859-2844
=============================================================
APPENDIX I: CCPP-Relevant Activities of Peter G. Neumann
NOTE: This year was lighter than usual, largely due to extensive project
commitments.
RELEVANT PGN EVENTS, July 2011 -- June 2012
August 8-9, Participated in EVT/WOTE in San Francisco.
August 10-12, Participated in the 20th USENIX Security in San Francisco.
August 16-18, Participated in Inconsistency Robustness11 workshop at
Stanford, run by Carl Hewitt. I was on the program committee and now am on the
steering committee of a supporting organization for future efforts.
October 1, Attended the 25th Anniversary workshop, Election Integrity --
Past, Present, and Future, at MIT and sponsored by the MIT-Caltech voting
project, commemorating the very first workshop on electronic voting
integrity. I chaired the opening panel on The Past, which included Doug
Kellner -- now a member of the New York State election board.
December 5-6, Attended the Layered Assurance Workshop in Orlando, served on
the program committee, and was panel moderator and panel speaker on the
Future of High Assurance, with Greg Sullivan (BAE), Rance DeLong
(LinuxWorks), Mark Vanfleet (NSA), and Howie Shrobe (DARPA).
December 7-9, Attended ACSAC 2011 in Orlando; panel organizer and moderator
on the subject of identity management, with Jeremy Grant (NIST NSTIC),
Cormac Herley (Microsoft), Susan Landau (at Harvard and the Radcliffe
Institute for the academic year), and Matt Blaze (UPenn).
2012:
February 5-8, Attended NDSS San Diego
February 29 to March 10, Attended the RESoLVE workshop and ASPLOS
at The Royal Society in London; co-author of a RESoLVE paper (not
cited above).
April 28, participated in the Computer History Museum fellows evening in
Mountain View CA.
May 22-25, participated in two DARPA PI meetings, for the CRASH and MRC
programs in Boston.
June 15-16, attended the ACM Turing Centenary celebrations in San
Francisco. This was perhaps the most remarkable event ACM has ever held,
bringing together an awesome collection of past Turing Laureates and many
other notables.
See http://turing100.acm.org for details.
=======================================================================
APPENDIX II:
Current Web and Internet Addresses for CCPP Members
(Peter G. Neumann)
Neumann@CSL.sri.com and pneumann@acm.org
(Steve Bellovin)
smb@columbia.cs.edu
(Peter J. Denning)
pjd@nps.edu
(Virgil Gligor)
virgil@andrew.cmu.edu
(Jim Horning)
horning@acm.org
(Nancy Leveson)
leveson@mit.edu
(David Parnas)
(Jerry Saltzer)
saltzer@mit.edu
(Lauren Weinstein)
lauren@vortex.com
============================================================================