I think that the virus threat is just as serious for CD-ROM-based distribution as it is for Web-based distribution, in the sense that a virus could be something which undermines any protection regime that someone has put in place. To my mind, we probably won't address that seriously until we have computers that have a different approach to handling viruses. Instead of keeping a listing of all the bad genes, the viruses so to speak, it probably needs to have a way of certifying the so-called good genes—that is, knowing who you are—which is how the immune system actually works. In that case, you simply wouldn't be able to load a program that hasn't been certified as being “virus free” and doesn't disable things. That kind of a sweeping change in the way our personal computers work is going to take some cooperation between the major computer hardware and software manufacturers, and there hasn't been a big move in that direction yet.
You also asked about protection measures and the recent law about reverse engineering or breaking into systems, circumventing methods for preventing tampering. I would like to see how the law gets used as it moves forward. There have been a lot of questions about misuse of this kind of a law, if any kind of software has a legitimate use as well as use for breaking into things. I actually think that is going to end up being like an arms race. In the case of things like viruses, if someone turns loose a virus that, in fact, disables some protection regime, who is liable? How do you catch the person who turned it loose in the first place? I think that is an open question.
PARTICIPANT: I was wondering why you think that databases are less protected right now by the technology than other forms of material?
DR. STEFIK: One of the things that I might have meant is that the uses of a database, which of course is more fine grained, include things like inferential uses, and some people would like to protect those things. That is not worked out in the course of the document. You don't watch a movie and then try to tell people what to think. I mean, it is sort of analogous to using a database and merging data in a certain way. Even having ways of characterizing that thing and having intellectual controls on it is not really so well established.
The other thing about protecting some kinds of databases depends on what you are trying to protect. For example, if you had a database containing information that John Doe has AIDS and you are trying to protect that information from getting out, that is like one bit of data. There is essentially no way to keep someone from reading that off the screen and picking up the telephone and telling the wrong party that information. That is the kind of concern that comes up with databases that you wouldn't think of coming up in a copyright regime for something like a book. You can read a book and you can read anything in it and you can tell anybody anything you want. You are not as concerned about trying to protect individual facts or how individual elements of data may, in fact, be used.
Relative to the technology, there is a third possible meaning here. The kinds of technology using encryption and a variety of other kinds of technology that we are seeing in digital publishing simply haven 't been integrated in any way with database technology yet. I can't think of any reason why they couldn't be. It is just that either the research or the development hasn 't taken that path yet. So, that is all still in the future. There are some trusted systems, Oracle and a few like that, but they still tend to be pretty far behind the times relative to what they actually offer.